The Capacity of Collusion-Resilient Decentralized Secure Aggregation with Groupwise Keys
Zhou Li, Xiang Zhang, Yizhou Zhao, Haiqiang Chen, Jihao Fan, Giuseppe Caire
TL;DR
The paper addresses secure aggregation in a fully decentralized network with groupwise secret keys and collusion resilience. It derives the exact capacity region, showing infeasibility for extreme group sizes $G=1$ or $G\ge K-T$, and, for feasible regimes $2\le G<K-T$, establishes a tight tradeoff with $R_X\ge 1$ and $R_S\ge (K-T-2)/\binom{K-T-1}{G}$, alongside a constructive achievable scheme. The key-neutralization strategy uses structured linear masking with groupwise keys to ensure correct recovery of the global sum while preventing information leakage under any collusion of up to $T$ users. The results quantify fundamental limits on communication and key efficiency in decentralized secure aggregation, guiding the design of collision-resilient, bandwidth- and key-efficient decentralized learning systems.
Abstract
This paper investigates the information-theoretic decentralized secure aggregation (DSA) problem under practical groupwise secret keys and collusion resilience. In DSA, $K$ users are interconnected through error-free broadcast channels. Each user holds a private input and aims to compute the sum of all other users' inputs, while satisfying the security constraint that no user, even when colluding with up to $T$ other users, can infer any information about the inputs beyond the recovered sum. To ensure security, users are equipped with secret keys to mask their inputs. Motivated by recent advances in efficient group-based key generation protocols, we consider the symmetric groupwise key setting, where every subset of $G$ users shares a group key that is independent of all other group keys. The problem is challenging because the recovery and security constraints must hold simultaneously for all users, and the structural constraints on the secret keys limit the flexibility of key correlations. We characterize the optimal rate region consisting of all achievable pairs of per-user broadcast communication rate and groupwise key rate. In particular, we show that DSA with groupwise keys is infeasible when $G=1$ or $G\ge K-T$. Otherwise, when $2\le G<K-T$, to securely compute one symbol of the desired sum, each user must broadcast at least one symbol, and each group key must contain at least $(K-T-2)/\binom{K-T-1}{G}$ independent symbols. Our results establish the fundamental limits of DSA with groupwise keys and provide design insights for communication- and key-efficient secure aggregation in decentralized learning systems.