defense 2025

Information-Theoretic Decentralized Secure Aggregation with Collusion Resilience

Xiang Zhang 1, Zhou Li 2, Shuangyang Li 1, Kai Wan 3, Derrick Wing Kwan Ng 4, Giuseppe Caire 1

0 citations


Published on arXiv

2508.00596

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

Characterizes the optimal rate region for DSA, proving that to securely compute one input-sum symbol, each of K users must transmit ≥1 symbol, hold ≥1 key symbol, and the system requires ≥K−1 independent key symbols in total.

Decentralized Secure Aggregation (DSA)

Novel technique introduced


In decentralized federated learning (FL), multiple clients collaboratively learn a shared machine learning (ML) model by leveraging their privately held datasets distributed across the network, through interactive exchange of the intermediate model updates. To ensure data security, cryptographic techniques are commonly employed to protect model updates during aggregation. Despite growing interest in secure aggregation, existing works predominantly focus on protocol design and computational guarantees, with limited understanding of the fundamental information-theoretic limits of such systems. Moreover, optimal bounds on communication and key usage remain unknown in decentralized settings, where no central aggregator is available. Motivated by these gaps, we study the problem of decentralized secure aggregation (DSA) from an information-theoretic perspective. Specifically, we consider a network of $K$ fully-connected users, each holding a private input -- an abstraction of local training data -- who aim to securely compute the sum of all inputs. The security constraint requires that no user learns anything beyond the input sum, even when colluding with up to $T$ other users. We characterize the optimal rate region, which specifies the minimum achievable communication and secret key rates for DSA. In particular, we show that to securely compute one symbol of the desired input sum, each user must (i) transmit at least one symbol to others, (ii) hold at least one symbol of secret key, and (iii) all users must collectively hold no fewer than $K - 1$ independent key symbols. Our results establish the fundamental performance limits of DSA, providing insights for the design of provably secure and communication-efficient protocols in distributed learning systems.


Key Contributions

  • First information-theoretic characterization of the optimal rate region (communication + secret key rates) for decentralized secure aggregation with up to T colluding users, with no central aggregator
  • Proves tight lower bounds: each user must transmit ≥1 symbol to others, hold ≥1 secret key symbol, and all users collectively must hold ≥K−1 independent key symbols per input symbol
  • Provides a matching achievable scheme establishing these bounds are simultaneously optimal, giving provably minimal resource usage for perfectly secure DSA
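The resource counts listed above (one transmitted symbol and one key symbol per user, K−1 independent key symbols in total) can be seen in a standard zero-sum masking construction. This is an added example, not the paper's scheme or code; the field size `Q`, the function names and the sample inputs are assumptions made for illustration.

```python
import itertools
import secrets

Q = 5  # assumed small prime field GF(Q), small enough to enumerate every key choice


def gen_keys(K, q=Q):
    """K-1 independent uniform key symbols; the K-th makes all keys sum to zero."""
    free = [secrets.randbelow(q) for _ in range(K - 1)]
    return free + [(-sum(free)) % q]


def broadcast(inputs, keys, q=Q):
    """Each user sends one symbol: its input masked by its single key symbol."""
    return [(w + z) % q for w, z in zip(inputs, keys)]


def recover_sum(messages, q=Q):
    """Any user adds the K broadcasts; the zero-sum keys cancel."""
    return sum(messages) % q


def coalition_view(inputs, coalition, q=Q):
    """Everything the coalition observes, listed over all q**(K-1) key choices."""
    views = []
    for free in itertools.product(range(q), repeat=len(inputs) - 1):
        keys = list(free) + [(-sum(free)) % q]
        views.append((tuple(broadcast(inputs, keys, q)),
                      tuple(keys[i] for i in coalition),
                      tuple(inputs[i] for i in coalition)))
    return sorted(views)


if __name__ == "__main__":
    a = [1, 2, 3, 4]   # constructed inputs for K = 4 users
    b = [1, 2, 4, 3]   # same sum, honest users' inputs differ
    c = [1, 2, 0, 0]   # different sum
    print(recover_sum(broadcast(a, gen_keys(4))))  # 0, i.e. 10 mod 5
    colluders = (0, 1)  # user 0 colluding with T = 1 other user
    print(coalition_view(a, colluders) == coalition_view(b, colluders))  # True
    print(coalition_view(a, colluders) == coalition_view(c, colluders))  # False
```

Equal views for `a` and `b` mean the colluding pair's observations have the same distribution for any two honest-input vectors with the same sum, so the pair learns nothing beyond that sum.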

🛡️ Threat Analysis

Model Inversion Attack

Characterizes fundamental limits of secure aggregation protocols in federated learning that prevent colluding users from inferring private training data (model inputs) from observed model update messages — the explicit adversary is up to T colluding users attempting to reconstruct others' private inputs, which is gradient/model leakage in FL. The ML03 guideline explicitly includes secure aggregation protocols for FL defending against gradient leakage.


Details

Domains
federated-learning
Model Types
federated
Threat Tags
training_time, white_box
Applications
federated learning, distributed machine learning