The Capacity of Collusion-Resilient Decentralized Secure Aggregation with Groupwise Keys

TL;DR

This paper characterizes the fundamental limits of decentralized secure aggregation with groupwise keys, balancing communication efficiency and security against collusion in distributed learning systems.

Contribution

It provides the first information-theoretic rate region for secure aggregation with groupwise keys, revealing feasibility conditions and key size requirements.

Findings

Secure aggregation is infeasible for G=1 or G≥K−T.

Minimum broadcast rate per user is one symbol.

Group key size must be at least (K−T−2)/binomial(K−T−1,G).

Abstract

This paper investigates the information-theoretic decentralized secure aggregation (DSA) problem under practical groupwise secret keys and collusion resilience. In DSA, $K$ users are interconnected through error-free broadcast channels. Each user holds a private input and aims to compute the sum of all other users' inputs, while satisfying the security constraint that no user, even when colluding with up to $T$ other users, can infer any information about the inputs beyond the recovered sum. To ensure security, users are equipped with secret keys to mask their inputs. Motivated by recent advances in efficient group-based key generation protocols, we consider the symmetric groupwise key setting, where every subset of $G$ users shares a group key that is independent of all other group keys. The problem is challenging because the recovery and security constraints must hold simultaneously for all users, and the structural constraints on the secret keys limit the flexibility of key correlations. We characterize the optimal rate region consisting of all achievable pairs of per-user broadcast communication rate and groupwise key rate. In particular, we show that DSA with groupwise keys is infeasible when $G=1$ or $G\ge K-T$. Otherwise, when $2\le G<K-T$, to securely compute one symbol of the desired sum, each user must broadcast at least one symbol, and each group key must contain at least $(K-T-2)/\binom{K-T-1}{G}$ independent symbols. Our results establish the fundamental limits of DSA with groupwise keys and provide design insights for communication- and key-efficient secure aggregation in decentralized learning systems.