Secure Summation: Capacity Region, Groupwise Key, and Feasibility

TL;DR

This paper investigates the capacity and feasibility of secure summation among users with various key-sharing structures, establishing fundamental limits and conditions for secure computation under collusion.

Contribution

It provides new capacity bounds for secure summation with groupwise keys and characterizes feasibility conditions for arbitrary key-sharing and collusion scenarios.

Findings

Secure summation requires at least 1 bit per user and key for 1-bit sum.

Feasibility depends on group size G relative to K and T, with G > K-T being infeasible.

Connectivity of a hypergraph determines feasibility in general key-sharing and collusion settings.

Abstract

The secure summation problem is considered, where $K$ users, each holds an input, wish to compute the sum of their inputs at a server securely, i.e., without revealing any information beyond the sum even if the server may collude with any set of up to $T$ users. First, we prove a folklore result for secure summation - to compute $1$ bit of the sum securely, each user needs to send at least $1$ bit to the server, each user needs to hold a key of at least $1$ bit, and all users need to hold collectively some key variables of at least $K-1$ bits. Next, we focus on the symmetric groupwise key setting, where every group of $G$ users share an independent key. We show that for symmetric groupwise keys with group size $G$, when $G > K-T$, the secure summation problem is not feasible; when $G \leq K-T$, to compute $1$ bit of the sum securely, each user needs to send at least $1$ bit to the server and the size of each groupwise key is at least $(K-T-1)/\binom{K-T}{G}$ bits. Finally, we relax the symmetry assumption on the groupwise keys and the colluding user sets; we allow any arbitrary group of users to share an independent key and any arbitrary group of users to collude with the server. For such a general groupwise key and colluding user setting, we show that secure summation is feasible if and only if the hypergraph, where each node is a user and each edge is a group of users sharing the same key, is connected after removing the nodes corresponding to any colluding set of users and their incident edges.