Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Hierarchical Secure Aggregation with Heterogeneous Security Constraints and Arbitrary User Collusion

Zhou Li, Xiang Zhang, Jiawen Lv, Jihao Fan, Haiqiang Chen, Giuseppe Caire

TL;DR

This paper considers scenarios where the inputs of certain groups of users must remain information-theoretically secure against inference by the server or any relay, even if the server or any relay colludes with an arbitrary subset of other users.

Abstract

In hierarchical secure aggregation (HSA), a server communicates with clustered users through an intermediate layer of relays to compute the sum of users' inputs under two security requirements -- server security and relay security. Server security requires that the server learns nothing beyond the desired sum even when colluding with a subset of users, while relay security requires that each relay remains oblivious to the users' inputs under collusion. Existing work on HSA enforces homogeneous security where \tit{all} inputs must be protected against \tit{any} subset of potential colluding users with sizes up to a predefined threshold. Such a \homo formulation cannot capture scenarios with \tit{\het} \secty \reqs where \diff users may demand various levels of protection. In this paper, we study hierarchical secure aggregation (HSA) with heterogeneous security requirements and arbitrary user collusion. Specifically, we consider scenarios where the inputs of certain groups of users must remain information-theoretically secure against inference by the server or any relay, even if the server or any relay colludes with an arbitrary subset of other users. Under server security, the server learns nothing about these protected inputs beyond the prescribed aggregate sum, despite any such collusion. Under relay security, each relay similarly obtains no information about the protected inputs under the same collusion model. We characterize the optimal communication rates achievable across all layers for all parameter regimes. Furthermore, we study the minimum source keys required at the users to ensure security. For this source key requirement, we provide tight characterizations in two broad regimes determined by the security and collusion constraints, and establish a general information-theoretic lower bound together with a bounded-gap achievable scheme for the remaining regime.

Hierarchical Secure Aggregation with Heterogeneous Security Constraints and Arbitrary User Collusion

TL;DR

This paper considers scenarios where the inputs of certain groups of users must remain information-theoretically secure against inference by the server or any relay, even if the server or any relay colludes with an arbitrary subset of other users.

Abstract

In hierarchical secure aggregation (HSA), a server communicates with clustered users through an intermediate layer of relays to compute the sum of users' inputs under two security requirements -- server security and relay security. Server security requires that the server learns nothing beyond the desired sum even when colluding with a subset of users, while relay security requires that each relay remains oblivious to the users' inputs under collusion. Existing work on HSA enforces homogeneous security where \tit{all} inputs must be protected against \tit{any} subset of potential colluding users with sizes up to a predefined threshold. Such a \homo formulation cannot capture scenarios with \tit{\het} \secty \reqs where \diff users may demand various levels of protection. In this paper, we study hierarchical secure aggregation (HSA) with heterogeneous security requirements and arbitrary user collusion. Specifically, we consider scenarios where the inputs of certain groups of users must remain information-theoretically secure against inference by the server or any relay, even if the server or any relay colludes with an arbitrary subset of other users. Under server security, the server learns nothing about these protected inputs beyond the prescribed aggregate sum, despite any such collusion. Under relay security, each relay similarly obtains no information about the protected inputs under the same collusion model. We characterize the optimal communication rates achievable across all layers for all parameter regimes. Furthermore, we study the minimum source keys required at the users to ensure security. For this source key requirement, we provide tight characterizations in two broad regimes determined by the security and collusion constraints, and establish a general information-theoretic lower bound together with a bounded-gap achievable scheme for the remaining regime.

Paper Structure

This paper contains 25 sections, 12 theorems, 144 equations, 4 figures.

Table of Contents

  1. Introduction
  2. Summary of Contributions
  3. Problem Statement
  4. Network Model
  5. Security Model
  6. Auxiliary Definitions
  7. Main Results
  8. Proof of Theorem \ref{['thm:1']}
  9. Converse Proof of Example \ref{['ex1']}
  10. Achievable Scheme of Example \ref{['ex1']}
  11. Infeasibility Proof of $R_{Z_{\Sigma}}$ under Condition 1, Case 1)
  12. General Converse Proof under Condition 1, Cases 2), 3), and 4)
  13. General Achievable Scheme under Condition 1, Case 2)
  14. General Achievable Scheme under Condition 1, Case 3)
  15. General Achievable Scheme under Condition 1, Case 4)
  16. ...and 10 more sections

Key Result

Theorem 1

Given any security input sets ${\bm{{\cal S}}}= \{\mathcal{S}_m\}_{m =1}^M$ and collusion sets ${\bm{{\cal T}}}=\{\mathcal{T}_n\}_{n =1}^N$, the proposed HSA problem is infeasible if $a^*=K$ (Condition 1, Case 1)). For the remaining cases in Condition 1, the optimal rate region is given by where

Figures (4)

  • Figure 1: Client-edge-cloud architecture in FL. Shaded circles represent users.
  • Figure 2: Hierarchical network with $U$ relays where each relay is associated with a disjoint cluster of users. The aggregation server aims to compute the sum of inputs $W_{1,1}+W_{1,2}+\cdots+W_{U,V_U}$ of all users.
  • Figure 3: Summary of results based on parameter regimes. The cases covered by Theorem \ref{['thm:1']}, Theorem \ref{['thm:2']} and Theorem \ref{['thm:3']} are marked by green, blue and orange boxes, respectively.
  • Figure 4: Network with $U=3$ relays, each serving $V=2$ users. Security input sets are groups of users (in green) connected by green dashed links, while collusion sets are groups (in red) connected by red dashed links.

Theorems & Definitions (28)

  • Definition 1: Protected Input Set
  • Definition 2: Colluding User Set
  • Remark 1
  • Remark 2: Key Distribution Overhead
  • Definition 3: Security relay sets $\mathcal{U}^{(m,n)}$ and $\mathcal{F}^{(m,n)}$
  • Example 1
  • Definition 4: Implicit Security Input Set $\mathcal{S}_I$
  • Definition 5: Total Security Input Set $\overline{\mathcal{S}}$
  • Definition 6: $\mathcal{A}_{u,m,n}$ and $\mathcal{E}_{m,n}$
  • Definition 7: Maximal Summation cardinality of $\mathcal{U}^{(m,n)}$ and $\mathcal{T}_n\cap\overline{\mathcal{S}}$
  • ...and 18 more