
On the Fundamental Limits of Hierarchical Secure Aggregation with Dropout and Collusion Resilience

Zhou Li, Yizhou Zhao, Xiang Zhang, Giuseppe Caire

Abstract

We study the fundamental communication limits of information-theoretic secure aggregation in a hierarchical network consisting of a server, multiple relays, and multiple users per relay. Communication proceeds over two rounds and two hops, and the system is subject to arbitrary user and relay dropouts. Up to $T$ users may collude with either the server or any single relay. The server aims to recover the sum of the inputs of all users that survive the first round, while learning no additional information beyond the aggregate sum and the inputs of the colluding users. Each relay, however, must learn nothing about the users' inputs except for the information revealed by the inputs of the colluding users under the same collusion model. We introduce a four-dimensional rate tuple that captures the communication cost across rounds and hops. Under a delayed message availability model, we establish necessary and sufficient conditions for feasibility and fully characterize the optimal first-round communication rates. For the second round, we characterize the optimal user-to-relay rate and derive lower and upper bounds on the relay-to-server rate. While these bounds do not coincide in general, they are tight in certain regimes of interest. Our results reveal a sharp threshold phenomenon: secure aggregation is feasible if and only if the total number of surviving users across surviving relays exceeds the collusion threshold. Achievability is established via a vector linear coding scheme with carefully structured correlated randomness exhibiting MDS-like properties, ensuring correctness and information-theoretic security under all possible dropout patterns. Entropic converse bounds are also derived.

Paper Structure (17 sections, 3 theorems, 58 equations, 1 figure)

Key Result

Theorem 1

For hierarchical secure aggregation with $U$ relays, $V$ users per relay, dropout thresholds $V_0$ and $U_0$, and collusion threshold $T$, the optimal rate region ${\cal R}^*$ is given by where

Figures (1)

  • Figure 1: Example of robust secure aggregation with $U=2$ relays and $UV=4$ users. In Round 1, User $(1,2)$ drops out. During the signaling phase, the surviving relays report their surviving-user sets $\mathcal{V}^{(1)}$ to the server. The server then determines the first-round surviving-user set $\mathcal{S}^{(1)}$ and broadcasts it back to the surviving users via the surviving relays. This signaling phase is necessary because users must know the identities of the surviving users in the first round in order to generate subsequent messages. In Round 2, User $(2,1)$ drops out. The server aims to securely compute $W_{1,1} + W_{2,1} + W_{2,2}$.

Theorems & Definitions (6)

  • Remark 1
  • Remark 2: Delayed Message Availability Model at the Relays
  • Remark 3: Delayed Message Availability at the Server
  • Theorem 1
  • Lemma 1
  • Lemma 2