On the Communication–Key Rate Region of Hierarchical Vector Linear Secure Aggregation

Abstract

Motivated by heterogeneous data distributions and task-dependent aggregation requirements in federated learning, we study information-theoretic secure aggregation of linear functions over a two-hop hierarchical network. The system comprises an aggregation server, an intermediate layer of U relays, and $UV$ users, where each relay serves a disjoint cluster of V users. Each relay observes all uplink transmissions within its cluster and forwards a coded message to the server. The server is authorized to compute a prescribed linear function F of the users’ inputs with zero error, while being prevented from learning any additional information about an unauthorized linear function G. Moreover, each relay must obtain no information about any non-trivial linear function $B_u$ of the inputs in its own cluster. We define the communication rates on both hops as the number of transmitted symbols per input symbol. By deriving matching information-theoretic converse and achievability bounds, we fully characterize the optimal communication rates and propose an explicit linear coding scheme that achieves the resulting optimal region. Our results demonstrate that hierarchical architectures can attain optimal communication rates while substantially reducing the server-side masking burden, thereby enabling scalable secure aggregation of authorized linear functions.

1. Introduction

With the rapid proliferation of machine learning and data analytics applications, massive amounts of data are continuously generated by geographically distributed users and devices. In many practical scenarios, such as healthcare analytics, intelligent transportation, and personalized recommendation systems, these data are highly sensitive. Directly collecting or centrally storing raw user data therefore poses significant privacy risks and regulatory challenges. Secure aggregation has emerged as a fundamental primitive to address this tension, enabling an aggregator to compute desired statistics over distributed data while preventing the disclosure of individual user information.

From an information-theoretic perspective, secure aggregation inherently incurs simultaneous costs in communication efficiency and randomness consumption. A classical starting point is secure aggregation, where each of K users holds a private input and transmits a masked message to a server. The server is required to recover the sum of all inputs with zero error while learning no additional information. Prior work [1] has shown that achieving perfect secure inevitably requires a nontrivial amount of randomness, and that reducing communication cost typically increases the required key rate. This communication and randomness relationship has been fully characterized for secure aggregation and several of its variants, establishing randomness as a fundamental resource rather than a mere implementation detail.

As distributed learning systems evolve, secure aggregation alone is insufficient to capture practical requirements. First, the desired computation is often more general than a scalar sum and can be modeled as an arbitrary linear transformation of the users’ data. Second, security requirements are frequently function-specific: while the server is authorized to learn a prescribed linear function F of the users’ data, it must be prevented from inferring other sensitive linear functions, denoted by G. This motivates the formulation of vector linear secure aggregation, in which the security cost is no longer determined solely by the number of users, but also by the algebraic relationship between the authorized function F and the protected functions G. In particular, the additional information contained in G beyond what is revealed by F is quantified by the conditional rank $\mathrm{rank}(G\mid F)$, which directly determines the minimum amount of randomness required for security.

Most existing information-theoretic results on vector linear secure aggregation focus on single-hop network architectures [2,3], where all users communicate directly with a central server. While such models are analytically convenient, they do not fully reflect the structure of large-scale practical systems. In real deployments, direct communication between a server and a massive number of users can lead to scalability and access limitations. As a result, hierarchical or edge-assisted architectures are widely adopted, in which users first communicate with nearby relays or gateways, and the relays subsequently forward aggregated messages to the server.

Introducing a hierarchical architecture fundamentally changes the secure aggregation problem [4]. Unlike the classical single-hop setting, where only the server’s inference needs to be controlled, a two-hop network creates an additional inference layer: each relay observes all transmissions from users in its cluster and may infer extra intra-cluster linear information unless properly constrained. Meanwhile, the server should recover only a prescribed global linear function of the cluster aggregates and remain ignorant of other unauthorized linear combinations.

Information-theoretic secure aggregation has been extended to a variety of settings, including user dropout [5,6], secure aggregation with user selection [7], designs resilient to user collusion [8,9,10], schemes employing groupwise keys [11,12], secure aggregation with oblivious servers [13], secure aggregation under unreliable communication [14], and hierarchical secure aggregation [15,16,17,18,19]. Other related works on secure aggregation from different perspectives can be found in [20,21,22,23].

However, existing works do not characterize the vector linear two-hop hierarchical setting within a unified information-theoretic framework, where relay-side protection against unauthorized intra-cluster linear inference and server-side recovery of only a prescribed global function must be enforced simultaneously. Our contribution is not only to unify hierarchical secure aggregation and vector linear secure aggregation within a single information-theoretic model, but also to show that the resulting two-hop formulation exhibits genuinely coupled relay-side and server-side security constraints, leading to a new optimal key-rate characterization and requiring a joint algebraic coding design.

To further clarify the distinction from prior single-hop vector linear secure aggregation schemes,

Table 1. Comparison between representative single-hop vector linear schemes and the proposed two-hop hierarchical scheme.

Aspect	Representative Single-Hop Vector Linear Schemes	Proposed Two-Hop Hierarchical Scheme
Architecture	Single-hop	Two-hop hierarchical
Trust model	Honest-but-curious server	Semi-trusted relays and honest-but-curious server
Security target	Server-side target-function privacy	Relay-side $B_u$-function privacy and server-side target-function privacy
Communication efficiency	Optimal communication rate: $R_X=1$	Optimal communication rates on both hops: $R_X=1,R_Y=1$
Technical challenge	Single-layer code design	Unified linear design under coupled relay/server security constraints

summarizes the main differences between those formulations and the proposed two-hop hierarchical setting.

In this work, we study information-theoretic vector linear secure aggregation over a two-hop hierarchical network consisting of U relays, each serving a disjoint cluster of V users. The server is required to recover, with zero error, a prescribed linear function F of the cluster aggregates while learning no additional information about an unauthorized linear function G. At the same time, each relay may assist local aggregation but must remain ignorant of the unauthorized intra-cluster linear functions characterized by $B_u$ within its own cluster. Our goal is to completely characterize the fundamental communication and randomness limits of this problem.

We prove that, in the unified hierarchical vector linear secure aggregation model, the communication optimality remains unchanged compared with the single-hop setting: the first-hop rate still satisfies $R_X=1$, and the second-hop rate can still achieve $R_Y=1$ even after introducing an additional relay layer. However, the minimum source key rate changes from depending only on $\mathrm{rank}(G\mid F)$ in the single-hop model to being jointly determined by the relay-side intra-cluster protection requirement $K_u$ and the server-side protection constraint $\mathrm{rank}(G\mid F)$. This shows that, although the hierarchical structure does not increase the communication cost, it introduces a coupling between relay-side security and server-side function security in the key design.

From a technical standpoint, establishing the fundamental limits is challenging because both the converse and the achievability must simultaneously account for relay-side intra-cluster secrecy and server-side function authorization. In particular, the converse requires a joint information-theoretic argument for the two levels of security, while the achievability calls for a unified linear coding design that preserves local privacy, enables authorized global recovery, and maintains optimal communication rates over both hops.

We further provide an explicit linear coding scheme that achieves these fundamental limits.

2. Problem Statement

Consider a three-layer hierarchical secure aggregation system consisting of an aggregation server, an intermediate layer of $U\ge 2$ relays, and a bottom layer of $UV$ users. The network operates over two hops, where the server communicates with all relays and each relay serves a disjoint cluster of exactly V users, as illustrated in Figure 1. All communication links are assumed to be error-free. We consider a static system model with fixed cluster size, where no user dropout occurs during the protocol. We further assume that no collusion takes place among users, relays, and the server, and that all entities follow the prescribed protocol without adversarial or Byzantine behavior. The v-th user associated with the u-th relay is indexed by $(u,v)\in \left[U\right]\times \left[V\right]$. Each user $(u,v)$ holds a private input $W_{u,v}$ over a finite field ${\mathbb{F}}_q$ with entropy $H\left(W_{u,v}\right)=L$ measured in q-ary units, and the inputs are assumed to be independent and uniformly distributed across users. In addition, each user $(u,v)$ is equipped with a local key variable $Z_{u,v}$, satisfying $H\left(Z_{u,v}\right)=L_Z$. The collection of individual keys $Z_{\left[U\right]\times \left[V\right]}\triangleq {\left\{Z_{u,v}\right\}}_{u\in \left[U\right],v\in \left[V\right]}$ is deterministically generated from a common source key variable $Z_{\Sigma }$, where $H\left(Z_{\Sigma }\right)=L_{Z_{\Sigma }}$. The source key $Z_{\Sigma }$ is generated and securely distributed by a trusted third-party entity. The key variables $Z_{\left[U\right]\times \left[V\right]}$ are statistically independent of the user inputs $W_{\left[U\right]\times \left[V\right]}\triangleq {\left\{W_{u,v}\right\}}_{u\in \left[U\right],v\in \left[V\right]}$.

$$\begin{array}{cc}\hfill & H\left(Z_{\left[U\right]\times \left[V\right]},W_{\left[U\right]\times \left[V\right]}\right)=H\left(Z_{\left[U\right]\times \left[V\right]}\right)+\sum _{u\in \left[U\right],v\in \left[V\right]}H\left(W_{u,v}\right),\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill & H\left(Z_{\left[U\right]\times \left[V\right]}|Z_{\Sigma }\right)=0.\hfill \end{array}$$

(2)

The system adopts a two-hop communication protocol. In the first hop, User $(u,v)$ transmits a message $X_{u,v}$ to its associated relay. The message $X_{u,v}$ is generated as a function of the local input $W_{u,v}$ and the local key $Z_{u,v}$, and consists of $L_X$ symbols. In the second hop, relay u transmits a message $Y_u$ to the aggregation server. The message $Y_u$ consists of $L_Y$ symbols and is generated as a function of the received messages ${\left\{X_{u,v}\right\}}_{v\in \left[V\right]}$ from Users in cluster u.

$$\begin{array}{ccc}& & H\left(X_{u,v}\mid W_{u,v},Z_{u,v}\right)=0,\forall (u,v)\in \left[U\right]\times \left[V\right],\hfill \end{array}$$

(3)

$$\begin{array}{ccc}& & H\left(Y_u\mid {\left\{X_{u,v}\right\}}_{v\in \left[V\right]}\right)=0,\forall u\in \left[U\right].\hfill \end{array}$$

(4)

We define the cluster aggregate at relay u as the sum of the users’ inputs within cluster u, i.e.,

$$\begin{array}{c}\hfill S_u\triangleq \sum _{v\in \left[V\right]}{W}_{u,v},u\in \left[U\right].\end{array}$$

(5)

In general, the relay message $Y_u$ can be an arbitrary function of the received messages ${\left\{X_{u,v}\right\}}_{v\in \left[V\right]}$. Specifically, in this work, we restrict attention to schemes in which the relay message $Y_u$ is a deterministic function of the cluster aggregate $S_u$ and the local keys ${\left\{Z_{u,v}\right\}}_{v\in \left[V\right]}$, i.e.,

$$\begin{array}{c}\hfill H\left(Y_u\mid S_u,{\left\{Z_{u,v}\right\}}_{v\in \left[V\right]}\right)=0,\forall u\in \left[U\right].\end{array}$$

(6)

From the relay messages, the aggregation server aims to recover an authorized linear function F while revealing no information about an unauthorized linear function G in the information-theoretic sense. Define $\mathbf{S}\triangleq [S_1;\dots ;S_U]\in {\mathbb{F}}_q^{U\times L}.$ The functions F and G are given by

$$\begin{array}{c}\hfill F=\mathbf{F}\mathbf{S}\in {\mathbb{F}}_q^{M\times L},G=\mathbf{G}\mathbf{S}\in {\mathbb{F}}_q^{N\times L},\end{array}$$

(7)

where $\mathbf{F}\in {\mathbb{F}}_q^{M\times U}$ and $\mathbf{G}\in {\mathbb{F}}_q^{N\times U}$ are assumed to have full row rank, i.e., $M=\mathrm{rank}\left(\mathbf{F}\right)$ and $N=\mathrm{rank}\left(\mathbf{G}\right)$, without loss of generality.

To prevent trivial cases, we assume that $\mathbf{F}$ contains no zero columns. A zero column associated with $S_u$ would indicate that $S_u$ has no effect on the computation of F and could thus be excluded without affecting the problem.

From the relay’s messages, the server should be able to recover the desired linear function F, i.e.,

$$\begin{array}{c}\hfill \left[\mathrm{Correctness}\right]H\left(F|{\left\{Y_u\right\}}_{u\in \left[U\right]}\right)=0.\end{array}$$

(8)

The security constraints require that each relay should not gain any information about any unauthorized linear function $B_u$ from the messages transmitted by its associated users. Specifically, let ${\mathbf{W}}_u\triangleq [W_{u,1};\dots ;W_{u,V}]\in {\mathbb{F}}_q^{V\times L},$ and define the unauthorized function

$$B_u={\mathbf{B}}_u{\mathbf{W}}_u\in {\mathbb{F}}_q^{K_u\times L},$$

(9)

where ${\mathbf{B}}_u\in {\mathbb{F}}_q^{K_u\times V}$ is assumed to have full row rank without loss of generality, i.e., $K_u=\mathrm{rank}\left({\mathbf{B}}_u\right),u\in \left[U\right]$. The relay security constraint can then be expressed as

$$\begin{array}{c}\hfill I\left(B_u;{\left\{X_{u,v}\right\}}_{v\in \left[V\right]}\right)=0,\forall u\in \left[U\right].\end{array}$$

(10)

In addition, the server must not learn any information about the unauthorized function G beyond what is already contained in the authorized function F. This server security constraint is written as

$$\begin{array}{c}\hfill I\left(G;{\left\{Y_u\right\}}_{u\in \left[U\right]}\mid F\right)=0.\end{array}$$

(11)

The communication rates $R_X$ and $R_Y$ are defined as the numbers of symbols in each transmitted message $X_{u,v}$ and $Y_u$, respectively, normalized by the input length L. Similarly, the source key rate $R_{Z_{\Sigma }}$ represents the number of symbols in the key variable $Z_{\Sigma }$ per input symbol. Formally,

$$\begin{array}{c}\hfill R_X\triangleq {\displaystyle \frac{L_X}{L}},R_Y\triangleq {\displaystyle \frac{L_Y}{L}},R_{Z_{\Sigma }}\triangleq {\displaystyle \frac{L_{Z_{\Sigma }}}{L}}.\end{array}$$

(12)

A rate tuple $(R_X,R_Y,R_{Z_{\Sigma }})$ is said to be achievable if there exists a secure aggregation scheme, specified by the key variable $Z_{\Sigma }$, and the transmitted messages ${\left\{X_{u,v}\right\}}_{(u,v)\in \left[U\right]\times \left[V\right]}$ and ${\left\{Y_u\right\}}_{u\in \left[U\right]}$, satisfying (3) and (4), such that the communication and key rates are $(R_X,R_Y,R_{Z_{\Sigma }})$ and the correctness constraint (8) together with the security constraints (10) and (11) are all met. The optimal rate region ${\mathcal{R}}^{\ast }$ is defined as the closure of the set of all achievable rate tuples.

3. Main Results

In this section, we present the main results of this work. The optimal vector linear communication and key rate region for the hierarchical vector linear secure aggregation problem is characterized in Theorem 1.

Theorem 1.

For the hierarchical vector linear secure aggregation problem described above, the optimal vector linear communication and key rate region is

$$\begin{array}{cc}\hfill {\mathcal{R}}^{\ast }=& \left\{(R_X,R_Y,R_{Z_{\Sigma }})|R_X\ge 1,R_Y\ge 1,R_{Z_{\Sigma }}\ge max\left\{\underset{u\in \left[U\right]}{max}{K}_u,rank(\mathbf{G}\mid \mathbf{F})\right\}\right\},\hfill \end{array}$$

(13)

where

$$rank(\mathbf{G}\mid \mathbf{F})=rank\left([\mathbf{F};\mathbf{G}]\right)-rank\left(\mathbf{F}\right).$$

(14)

Moreover, the converse holds under the stated model, and the above region is achievable by a vector linear coding scheme over sufficiently large finite fields.

4. Motivating Example (U = 4, V = 3, M = 2, N = 1)

Prior to describing the general achievability scheme in Theorem 1, we introduce a representative example to convey the key principles behind the proposed hierarchical vector linear secure aggregation problem. These examples serve to build intuition for the design, after which the complete construction is presented.

Consider a two-hop hierarchical system with $U=4$ relays and $V=3$ users per cluster. In the first hop, each relay aggregates the messages from users in its corresponding cluster while being prevented from learning any information about the linear function ${\mathbf{B}}_u\mathbf{W}$, where $\mathbf{W}\triangleq {[W_{u,1},W_{u,2},W_{u,3}]}^{\mathsf{T}}\in {\mathbb{F}}_7^{3\times 1},$ and ${\mathbf{B}}_u$ is specified as follows.

$$\begin{array}{cc}\hfill {\mathbf{B}}_1& =\left[\begin{array}{ccc}2& 4& 6\end{array}\right],{\mathbf{B}}_2=\left[\begin{array}{ccc}3& 5& 1\end{array}\right],\hfill \\ \hfill {\mathbf{B}}_3& =\left[\begin{array}{ccc}1& 3& 2\\ 3& 6& 1\end{array}\right]\stackrel{\mathrm{row}/\mathrm{column} \mathrm{operations}}{\to }\left[\begin{array}{ccc}1& 0& 4\\ 0& 1& 4\end{array}\right],\hfill \\ \hfill {\mathbf{B}}_4& =\left[\begin{array}{ccc}1& 2& 3\\ 4& 5& 6\\ 5& 0& 2\end{array}\right]\stackrel{\mathrm{row}/\mathrm{column} \mathrm{operations}}{\to }\left[\begin{array}{ccc}1& 0& 6\\ 0& 1& 2\\ 0& 0& 0\end{array}\right].\hfill \end{array}$$

(15)

In the second hop, the server aims to recover $\mathbf{F}\mathbf{S}$ from the messages uploaded by all relays with zero error, where $\mathbf{S}\triangleq {[S_1,S_2,S_3,S_4]}^{\mathsf{T}}\in {\mathbb{F}}_7^{4\times 1}, S_u={\sum }_{v\in \left[3\right]}{W}_{u,v},u\in \left[4\right].$ Moreover, the server must not obtain any additional information about $\mathbf{G}\mathbf{S}$ beyond what is implied by $\mathbf{F}\mathbf{S}$.

$$\mathbf{F}=\left[\begin{array}{cccc}1& 2& 3& 4\\ 0& 1& 2& 3\end{array}\right],\mathbf{G}=\left[\begin{array}{cccc}3& 2& 0& 1\end{array}\right].$$

(16)

$$\mathbf{F}=\left[\begin{array}{cccc}1& 2& 3& 4\\ 0& 1& 2& 3\end{array}\right]\stackrel{\mathrm{row}/\mathrm{column}\mathrm{operations}}{\to }\left[\begin{array}{cccc}1& 0& 6& 5\\ 0& 1& 2& 3\end{array}\right].$$

(17)

Consequently, we have

$$\begin{array}{cc}\hfill \mathbf{F}\mathbf{S}& =\left[\begin{array}{c}{S}_1+2S_2+3S_3+4S_4\\ S_2+2S_3+3S_4\end{array}\right]\hfill \\ \hfill & =\left[\begin{array}{c}\sum _{v\in \left[3\right]}{W}_{1,v}+2\sum _{v\in \left[3\right]}{W}_{2,v}+3\sum _{v\in \left[3\right]}{W}_{3,v}+4\sum _{v\in \left[3\right]}{W}_{4,v}\\ \sum _{v\in \left[3\right]}{W}_{2,v}+2\sum _{v\in \left[3\right]}{W}_{3,v}+3\sum _{v\in \left[3\right]}{W}_{4,v}\end{array}\right],\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill \mathbf{G}\mathbf{S}& =3S_1+2S_2+S_4\hfill \\ \hfill & =3\sum _{v\in \left[3\right]}{W}_{1,v}+2\sum _{v\in \left[3\right]}{W}_{2,v}+\sum _{v\in \left[3\right]}{W}_{4,v}.\hfill \end{array}$$

(19)

where $\mathbf{G}\mathbf{S}$ is a scalar linear combination of the components of $\mathbf{S}$.

Consider the second hop and set $L=1$. Based on (17), suppose we have two independent and uniformly distributed noise variables $T_1,T_2$ over ${\mathbb{F}}_7$. Then we have

$$\begin{array}{cc}\hfill Y_1& =S_1-6T_1-5T_2=W_{1,1}+W_{1,2}+W_{1,3}-6T_1-5T_2,\hfill \\ \hfill Y_2& =S_2-2T_1-3T_2=W_{2,1}+W_{2,2}+W_{2,3}-2T_1-3T_2,\hfill \\ \hfill Y_3& =S_3+T_1=W_{3,1}+W_{3,2}+W_{3,3}+T_1,\hfill \\ \hfill Y_4& =S_4+T_2=W_{4,1}+W_{4,2}+W_{4,3}+T_2.\hfill \end{array}$$

(20)

For the server security constraint, only 1 key symbol is required. It turns out that $T_1$ and $T_2$ need not be independent; introducing correlation between them in the next step is the most technical part of the proof.

We then seek a $1\times 2$ matrix $\mathbf{Q}\in {\mathbb{F}}_q^{1\times 2}$ that characterizes the correlation between $(T_1,T_2)$, such that

$$\left[\begin{array}{ccccc}& \multicolumn{3}{c}{\mathbf{F}}& \\ & \multicolumn{3}{c}{\mathbf{G}}& \\ 0& 0& \multicolumn{2}{c}{\mathbf{Q}}\end{array}\right]\mathrm{has}\mathrm{full}\mathrm{rank}4.$$

(21)

Note that such a matrix $\mathbf{Q}$ exists since $rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)=3$. Consequently, there always exists a nonzero $1\times 2$ vector $\mathbf{Q}$ that completes (21) to full rank. Any valid choice of $\mathbf{Q}$ suffices for our purpose.

We then compute the right null space of $\mathbf{Q}$, denoted by ${\mathbf{Q}}^{\perp }\in {\mathbb{F}}_q^{2\times 1}$, which satisfies

$$\mathbf{Q}=\left[\begin{array}{cc}1& 3\end{array}\right],{\mathbf{Q}}^{\perp }=\left[\begin{array}{c}4\\ 1\end{array}\right].$$

(22)

Then the key symbols $T_1$ and $T_2$ can be generated from a single uniformly distributed key symbol $P_1$ by precoding with ${\mathbf{Q}}^{\perp }$,

$$\left[\begin{array}{c}{T}_1\\ T_2\end{array}\right]={\mathbf{Q}}^{\perp }{P}_1=\left[\begin{array}{c}4P_1\\ P_1\end{array}\right].$$

(23)

We may write out the final message assignment using the single key symbol $P_1$:

$$\begin{array}{cc}\hfill Y_1& =W_{1,1}+W_{1,2}+W_{1,3}-P_1,Y_2=W_{2,1}+W_{2,2}+W_{2,3}-4P_1,\hfill \\ \hfill Y_3& =W_{3,1}+W_{3,2}+W_{3,3}+4P_1,Y_4=W_{4,1}+W_{4,2}+W_{4,3}+P_1.\hfill \end{array}$$

(24)

The signal observed at relay u can be expressed as

$$Y_u\triangleq S_u+Z_u^Y,$$

(25)

where $Z_u^Y$ denotes the key component embedded in $Y_u$.

In Example 1, this decomposition admits an explicit representation:

$$\left[\begin{array}{c}{Z}_1^Y\\ Z_2^Y\\ Z_3^Y\\ Z_4^Y\end{array}\right]=\left[\begin{array}{c}-1\\ -4\\ 4\\ 1\end{array}\right]P_1.$$

(26)

Next, we investigate the security of relay 4 under the proposed key assignment. Since $rank\left({\mathbf{B}}_4\right)=2$, relay 4 requires at least $K_4=2$ independent keys, denoted by $N_1$ and $N_2$. There exists a matrix $\mathbf{A}\in {\mathbb{F}}_q^{1\times 2}$ such that

$$P_1=\mathbf{A}\mathbf{N}=a_{11}{N}_1+a_{12}{N}_2.$$

Since the coefficients of $\mathbf{A}$ can be any nonzero values in ${\mathbb{F}}_q$, for simplicity we set $a_{11}=a_{12}=1$, yielding

$$P_1=N_1+N_2.$$

Therefore, the relay messages can be written as

$$\begin{array}{cccc}\hfill Y_1& =S_1-(N_1+N_2),\hfill & \hfill Y_2& =S_2-4(N_1+N_2),\hfill \\ \hfill Y_3& =S_3+4(N_1+N_2),\hfill & \hfill Y_4& =S_4+(N_1+N_2).\hfill \end{array}$$

(27)

To prevent relay 4 from obtaining any information regarding the linear function ${\mathbf{B}}_4\mathbf{X}$, we require

$${\mathbf{B}}_4\left[\begin{array}{c}{X}_1\\ X_2\\ X_3\end{array}\right]={\mathbf{B}}_4\left[\begin{array}{c}{W}_{4,1}\\ W_{4,2}\\ W_{4,3}\end{array}\right]+\underset{\ne \mathbf{0}}{\underbrace{{\mathbf{B}}_4\left[\begin{array}{c}{Z}_{4,1}\\ Z_{4,2}\\ Z_{4,3}\end{array}\right]}}.$$

(28)

Specifically, the interference term is constructed using the keys as

$${\mathbf{B}}_4\left[\begin{array}{c}{Z}_{4,1}\\ Z_{4,2}\\ Z_{4,3}\end{array}\right]=\underset{\ne \mathbf{0}}{\underbrace{{\mathbf{B}}_4{\mathbf{R}}_4}}\left[\begin{array}{c}{N}_1\\ N_2\end{array}\right],{\mathbf{R}}_4\in {\mathbb{F}}_q^{3\times 2}.$$

(29)

Equivalently, we can write

$$\left[\begin{array}{c}{Z}_{4,1}\\ Z_{4,2}\\ Z_{4,3}\end{array}\right]={\mathbf{R}}_4\left[\begin{array}{c}{N}_1\\ N_2\end{array}\right],{\mathbf{R}}_4\in {\mathbb{F}}_q^{3\times 2}.$$

(30)

To ensure that the noise term fully masks the signal space and cannot be nullified via linear projection, the product ${\mathbf{B}}_4{\mathbf{R}}_4$ must have full rank, i.e.,

$$rank\left({\mathbf{B}}_4{\mathbf{R}}_4\right)=2.$$

Specifically, we construct the first two rows of ${\mathbf{R}}_4$ as a full-rank block to ensure linear independence, and utilize the last row to satisfy the aggregation coefficient constraints. Consequently, as shown in (26), the aggregated interference term $Z_4^Y$ yields the summation of the keys:

$$Z_4^Y=1·P_1=\left[\begin{array}{cc}1& 1\end{array}\right]\left[\begin{array}{c}{N}_1\\ N_2\end{array}\right]=N_1+N_2.$$

(31)

The corresponding precoding matrix is

$${\mathbf{R}}_4=\left[\begin{array}{cc}-1& 0\\ 0& -1\\ 2& 2\end{array}\right]\in {\mathbb{F}}_q^{3\times 2}.$$

(32)

The left null space of ${\mathbf{R}}_4$ is

$${\mathbf{R}}_4^{\perp }=\left[\begin{array}{ccc}2& 2& 1\end{array}\right]\in {\mathbb{F}}_q^{1\times 3},\mathrm{with}{\mathbf{R}}_4^{\perp }{\mathbf{R}}_4=\mathbf{0}.$$

(33)

This construction ensures that ${\mathbf{R}}_4$ has full column rank, $\mathrm{rank}\left({\mathbf{R}}_4\right)=2$, satisfying the required rank condition.

Similarly, for relay 1, since $rank\left({\mathbf{B}}_1\right)=1$, it requires only one independent key, namely $(N_1+N_2)$. To satisfy the condition $rank\left({\mathbf{B}}_1{\mathbf{R}}_1\right)=1$, we construct ${\mathbf{R}}_1$ as follows:

$$Z_1^Y=-1·P_1=-1[N_1+N_2].$$

$${\mathbf{R}}_1=\left[\begin{array}{c}1\\ 1\\ -3\end{array}\right].$$

(34)

Consequently, the left null space of ${\mathbf{R}}_1$ is given by

$${\mathbf{R}}_1^{\perp }=\left[\begin{array}{ccc}6& 1& 0\\ 3& 0& 1\end{array}\right],\mathrm{satisfying}{\mathbf{R}}_1^{\perp }{\mathbf{R}}_1=\mathbf{0}.$$

(35)

Similarly, for the other relays 2 and 3, we construct ${\mathbf{R}}_2$ and ${\mathbf{R}}_3$, from which the individual user keys are obtained as follows:

$$\begin{array}{cccccc}\hfill Z_{1,1}& =N_1+N_2,\hfill & \hfill Z_{1,2}& =N_1+N_2,\hfill & \hfill Z_{1,3}& =-3N_1-3N_2,\hfill \\ \hfill Z_{2,1}& =N_1+N_2,\hfill & \hfill Z_{2,2}& =N_1+N_2,\hfill & \hfill Z_{2,3}& =-6N_1-6N_2,\hfill \\ \hfill Z_{3,1}& =N_1,\hfill & \hfill Z_{3,2}& =N_2,\hfill & \hfill Z_{3,3}& =3N_1+3N_2,\hfill \\ \hfill Z_{4,1}& =-N_1,\hfill & \hfill Z_{4,2}& =-N_2,\hfill & \hfill Z_{4,3}& =2N_1+2N_2.\hfill \end{array}$$

(36)

Since $L_X=L_Y=1$ and $L_{Z_{\Sigma }}=2$, the resulting rates are

$$R_X=R_Y=1,R_{Z_{\Sigma }}=2,$$

which match the converse bound established in Theorem 1.

• Correctness: From the received signals $Y_1,Y_2,Y_3,Y_4$, the server applies the linear transform $\mathbf{F}$ and successfully recovers

  $$F=\mathbf{F}\mathbf{S}$$

  with zero error.
• Relay security: From the transformation in (15), it follows that

  $$K_u=1\mathrm{for}u\in \{1,2\},K_u=2\mathrm{for}u\in \{3,4\}.$$

Since relays whose ${\mathbf{B}}_u$ have the same rank require the same total number of independent masking key symbols, it suffices to establish the security proof for relays 1 and 4; the cases of relays 2 and 3 follow by analogous arguments.

Consider relay 4, for example:

$$\begin{array}{cc}\hfill & I(\left\{B_4\right\};{\left\{X_{4,v}\right\}}_{v\in \left[3\right]})\hfill \end{array}$$

(37)

$$\begin{array}{cc}\hfill & =H(X_{4,1},X_{4,2},X_{4,3})-H\left(X_{4,1},X_{4,2},X_{4,3}\mid B_4\right)\hfill \end{array}$$

(38)

$$\begin{array}{cc}\hfill & \le 3-H\left(X_{4,1},X_{4,2},X_{4,3},{\mathbf{R}}_4^{\perp }[X_{4,1},X_{4,2},X_{4,3}]\mid B_4\right)\hfill \end{array}$$

(39)

$$\begin{array}{cc}\hfill & =3-H\left(X_{4,1},X_{4,2},X_{4,3},{\mathbf{R}}_4^{\perp }[W_{4,1},W_{4,2},W_{4,3}]\mid B_4\right)\hfill \end{array}$$

(40)

$$\begin{array}{cc}\hfill & =3-H\left({\mathbf{R}}_4^{\perp }[W_{4,1},W_{4,2},W_{4,3}]\mid B_4\right)-H\left(X_{4,1},X_{4,2},X_{4,3}\mid {\mathbf{R}}_4^{\perp }[W_{4,1},W_{4,2},W_{4,3}],B_4\right)\hfill \end{array}$$

(41)

$$\begin{array}{cc}\hfill & =3-rank\left({\mathbf{R}}_4^{\perp }\right)-H(N_1,N_2)\hfill \end{array}$$

(42)

$$\begin{array}{cc}\hfill & =3-1-2=0.\hfill \end{array}$$

(43)

In (40), we adopt a zero-forcing strategy by constructing the precoding matrix ${\mathbf{R}}_4^{\perp }$ so that the key components are perfectly eliminated in its left null space, i.e., ${\mathbf{R}}_4^{\perp }{\mathbf{R}}_4=\mathbf{0}.$ In (42), the second term holds because ${\mathbf{R}}_4^{\perp }{\mathbf{R}}_4=\mathbf{0},$ and ${\mathbf{R}}_4^{\perp }[W_{4,1},W_{4,2},W_{4,3}]$ is independent of $B_4$. Moreover, the matrix formed by ${\mathbf{R}}_4^{\perp }[W_{4,1},W_{4,2},W_{4,3}]$ and $B_4$ has full rank, and hence is invertible with respect to $W_{4,1},W_{4,2},W_{4,3}$.

Consider relay 1, for example:

$$\begin{array}{cc}\hfill & I(\left\{B_1\right\};{\left\{X_{1,v}\right\}}_{v\in \left[3\right]})\hfill \\ \hfill & =H(X_{1,1},X_{1,2},X_{1,3})-H\left(X_{1,1},X_{1,2},X_{1,3}\mid B_1\right)\hfill \end{array}$$

(44)

$$\begin{array}{cc}\hfill & \le 3-H\left(X_{1,1},X_{1,2},X_{1,3},{\mathbf{R}}_1^{\perp }[X_{1,1},X_{1,2},X_{1,3}]\mid B_1\right)\hfill \end{array}$$

(45)

$$\begin{array}{cc}\hfill & =3-H\left(X_{1,1},X_{1,2},X_{1,3},{\mathbf{R}}_1^{\perp }[W_{1,1},W_{1,2},W_{1,3}]\mid B_1\right)\hfill \end{array}$$

(46)

$$\begin{array}{cc}\hfill & \stackrel{\left(35\right)}{=}3-H\left({\mathbf{R}}_1^{\perp }[W_{1,1},W_{1,2},W_{1,3}]\mid B_1\right)-H\left(X_{1,1},X_{1,2},X_{1,3}\mid {\mathbf{R}}_1^{\perp }[W_{1,1},W_{1,2},W_{1,3}],B_1\right)\hfill \end{array}$$

(47)

$$\begin{array}{cc}\hfill & =3-rank\left({\mathbf{R}}_1^{\perp }\right)-H(N_1+N_2)\hfill \end{array}$$

(48)

$$\begin{array}{cc}\hfill & =3-2-1=0.\hfill \end{array}$$

(49)

In (46), we adopt a zero-forcing strategy by constructing the precoding matrix ${\mathbf{R}}_1^{\perp }$ so that the key components are perfectly eliminated in its left null space, i.e., ${\mathbf{R}}_1^{\perp }{\mathbf{R}}_1=\mathbf{0}.$ In (48), the second term holds because ${\mathbf{R}}_1^{\perp }{\mathbf{R}}_1=\mathbf{0},$ and ${\mathbf{R}}_1^{\perp }[W_{1,1},W_{1,2},W_{1,3}]$ is independent of $B_1$. Moreover, the matrix formed by ${\mathbf{R}}_1^{\perp }[W_{1,1},W_{1,2},W_{1,3}]$ and $B_1$ has full rank, and hence is invertible with respect to $W_{1,1},W_{1,2},W_{1,3}$.

We now proceed to present the security proof for the server.

$$\begin{array}{cc}\hfill & I(G;Y_1,Y_2,Y_3,Y_4\mid F)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & =H(Y_1,Y_2,Y_3,Y_4\mid F)-H(Y_1,Y_2,Y_3,Y_4\mid G,F)\hfill \end{array}$$

(50)

$$\begin{array}{cc}\hfill & =[H(Y_1,Y_2,Y_3,Y_4,F)-H\left(F\right)]-H(Y_1,Y_2,Y_3,Y_4,\mathbf{Q}[Y_3,Y_4]\mid G,F)\hfill \end{array}$$

(51)

$$\begin{array}{cc}\hfill & =[H(Y_1,Y_2,Y_3,Y_4,F)-H\left(F\right)]-H(Y_1,Y_2,Y_3,Y_4,\mathbf{Q}[S_3,S_4]\mid G,F)\hfill \end{array}$$

(52)

$$\begin{array}{cc}\hfill & \le (4-2)-H(\mathbf{Q}[S_3,S_4]\mid G,F)-H(Y_1,Y_2,Y_3,Y_4\mid \mathbf{Q}[S_3,S_4],G,F)\hfill \end{array}$$

(53)

$$\begin{array}{cc}\hfill & =2-1-H\left(P_1\right)\hfill \end{array}$$

(54)

$$\begin{array}{cc}\hfill & =2-1-H(N_1+N_2)=2-1-1=0,\hfill \end{array}$$

(55)

where (52) follows from the orthogonality $\mathbf{Q}{\mathbf{Q}}^{\perp }=\mathbf{0}$, which implies that the noise components precoded by ${\mathbf{Q}}^{\perp }$ are completely eliminated (zero-forced) when left-multiplied by $\mathbf{Q}$, cf. (22) and (23). Concerning (54), we leverage the full-rank properties of $\mathbf{Q}[S_3;S_4]$, $\mathbf{G}\mathbf{S}$, and $\mathbf{F}\mathbf{S}$, which ensure the unique solvability of $S_1,\dots ,S_4$ (see (21)).

5. General Achievability Proof of Theorem 1

5.1. Conceptual Overview of the Construction

Before introducing the detailed algebraic construction, we briefly explain the guiding idea of the scheme. Transforming $\mathbf{F}$ into systematic form makes its right null space explicit. For

$$\mathbf{F}=\left[\begin{array}{cc}{\mathbf{I}}_M& {\tilde{\mathbf{F}}}_{M\times (U-M)}\end{array}\right],\mathbf{F}\left[\begin{array}{c}-{\tilde{\mathbf{F}}}_{M\times (U-M)}\\ {\mathbf{I}}_{U-M}\end{array}\right]=\mathbf{0}.$$

Therefore, the systematic form of $\mathbf{F}$ explicitly characterizes all key-injection directions that preserve the authorized function $\mathbf{F}\mathbf{S}$, thereby ensuring correctness. The role of $\mathbf{Q}$ is then to further restrict key injection to a smaller effective subspace within $Null\left(\mathbf{F}\right)$, containing only the minimum number of directions needed to perfectly hide the unauthorized function $\mathbf{G}\mathbf{S}$ conditioned on $\mathbf{F}\mathbf{S}$.

At this stage, the aggregate noise $Z_u^Y$ at relay u has already been specified by the server-side design. It remains to assign user-level keys such that their aggregate equals $Z_u^Y$, while satisfying the relay-side privacy and aggregation constraints.

For the relay-side privacy requirement, writing ${\mathbf{B}}_u$ in systematic form enables a compatible canonical parametrization of the key-assignment matrix ${\mathbf{R}}_u$, under which the full-rank condition on ${\mathbf{B}}_u{\mathbf{R}}_u$ is reduced to an invertibility constraint on ${\mathbf{L}}_u$, as shown in (68)–(70); such a constraint is always feasible over a sufficiently large finite field. Meanwhile, enforcing ${\mathbf{1}}_V^{\top }{\mathbf{R}}_u={\mathbf{e}}_1^{\top }$ in (73), equivalently (74), ensures that the user-level noise aggregates precisely into the prescribed cluster-level noise $Z_u^Y$. Meanwhile, ${\mathbf{R}}_u^{\perp }$ is not part of the construction of ${\mathbf{R}}_u$ itself, but is introduced for the relay privacy proof, where its left-null-space property is used to zero-force the injected keys.

5.2. General Construction

We now present the general achievability scheme for the two-hop hierarchical vector linear secure aggregation problem. Building on the intuition provided by the motivating example, we construct a unified linear coding scheme and show that it simultaneously guarantees correctness, relay-side security, and server-side function authorization while achieving the claimed communication and key rates.

Given that $\mathbf{F}$ has full row rank, we may, without loss of generality, transform it into the following systematic form via column permutations and invertible row operations:

$$\mathbf{F}=\left[\begin{array}{cc}{\mathbf{I}}_M& {\tilde{\mathbf{F}}}_{M\times (U-M)}\end{array}\right],$$

(56)

where ${\mathbf{I}}_M$ denotes the $M\times M$ identity matrix, and $\tilde{\mathbf{F}}\in {\mathbb{F}}_q^{M\times (U-M)}$ represents the remaining submatrix.

The rows of $\mathbf{Q}$ are constructed to be linearly independent of the row space of $[\mathbf{F};\mathbf{G}]$, thereby completing a basis of ${\mathbb{F}}_q^U$. Specifically, we select any $U-rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)$ row vectors that are linearly independent of $[\mathbf{F};\mathbf{G}]$, and then use the identity submatrix in the first M columns of $\mathbf{F}$ to linearly eliminate their first M components, yielding $\mathbf{Q}$.

The resulting $(U-rank([\mathbf{F};\mathbf{G}]\left)\right)\times (U-M)$ matrix $\mathbf{Q}$ satisfies

$$\left[\begin{array}{c}\mathbf{F}\\ \mathbf{G}\\ {\mathbf{0}}_{(U-rank([\mathbf{F};\mathbf{G}]\left)\right)\times M}& \mathbf{Q}\end{array}\right]\mathrm{has}\mathrm{full}\mathrm{rank}U,$$

(57)

which guarantees that the row spaces of $\mathbf{F}$, $\mathbf{G}$, and $\mathbf{Q}$ together span the entire ambient space ${\mathbb{F}}_q^U$.

Intuitively, $\mathbf{Q}$ selects and compresses the residual degrees of freedom that are linearly independent of the row space of $\mathbf{F}$ into lower-dimensional injection directions. This enables key injection without affecting the $\mathbf{F}$-related structure and avoids using degrees of freedom observable through $\mathbf{G}$. By reordering the columns if necessary, $\mathbf{Q}$ can be written in the following block form:

$$\begin{array}{cc}\hfill \mathbf{Q}& =\left[\begin{array}{cc}{\mathbf{I}}_{U-rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)}& \tilde{\mathbf{Q}}\end{array}\right],\hfill \\ \hfill {\mathbf{Q}}^{\perp }& ={\left[\begin{array}{c}-\tilde{\mathbf{Q}}\\ {\mathbf{I}}_{rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)-M}\end{array}\right]}_{(U-M)\times (rank([\mathbf{F};\mathbf{G}])-M)},\hfill \\ \hfill \mathbf{Q}{\mathbf{Q}}^{\perp }& =\mathbf{0}.\hfill \end{array}$$

(58)

We are now ready to describe the secure aggregation protocol. Set $L=1$ and define $L_{Z_{\Sigma }}\triangleq max\left\{{max}_{u\in \left[U\right]}{K}_u,rank(\mathbf{G}\mid \mathbf{F})\right\}.$ Let $\mathbf{N}\triangleq [N_1;\dots ;N_{L_{Z_{\Sigma }}}]$ consist of mutually independent and uniformly distributed key symbols.

We generate the key vector $\mathbf{P}=\mathbf{A}\mathbf{N}, \mathbf{P}\in {\mathbb{F}}_q^{rank(\mathbf{G}\mid \mathbf{F})\times 1},$ where $\mathbf{A}\in {\mathbb{F}}_q^{rank(\mathbf{G}\mid \mathbf{F})\times L_{Z_{\Sigma }}}$ is chosen to be full row rank over ${\mathbb{F}}_q$. The injected key symbols are then defined as

$$\mathbf{T}\triangleq [T_1;\dots ;T_{U-M}]={\mathbf{Q}}^{\perp }\mathbf{P}={\mathbf{Q}}^{\perp }\mathbf{A}\mathbf{N}.$$

(59)

The transmitted symbols are constructed as

$$\begin{array}{cc}\hfill [Y_1;\dots ;Y_M]& =[S_1;\dots ;S_M]-\tilde{\mathbf{F}}[T_1;\dots ;T_{U-M}],\hfill \\ \hfill Y_{M+1};\dots ;Y_U]& =[S_{M+1};\dots ;S_U]+[T_1;\dots ;T_{U-M}].\hfill \end{array}$$

(60)

Based on (60), the key design for each relay $Z_u^Y$ is constructed as follows:

$$\begin{array}{cc}\hfill \mathbf{T}\triangleq [T_1;\dots ;T_{U-M}]& ={\mathbf{Q}}^{\perp }\mathbf{P}={\mathbf{Q}}^{\perp }\mathbf{A}\mathbf{N}\hfill \\ \hfill [Z_1^Y;\dots ;Z_M^Y]& =-\tilde{\mathbf{F}}{\mathbf{Q}}^{\perp }\mathbf{P}=-\tilde{\mathbf{F}}{\mathbf{Q}}^{\perp }\mathbf{A}\mathbf{N}\hfill \\ \hfill [Z_{M+1}^Y;\dots ;Z_U^Y]& =[T_1;\dots ;T_{U-M}]={\mathbf{Q}}^{\perp }\mathbf{P}={\mathbf{Q}}^{\perp }\mathbf{A}\mathbf{N}.\hfill \end{array}$$

(61)

$$\left[\begin{array}{c}{Z}_1^Y\\ ⋮\\ Z_U^Y\end{array}\right]=\underset{\triangleq \Phi \in {\mathbb{F}}_q^{U\times L_{Z_{\Sigma }}}}{\underbrace{\left[\begin{array}{c}-\tilde{\mathbf{F}}\\ {\mathbf{I}}_{U-M}\end{array}\right]{\mathbf{Q}}^{\perp }\mathbf{A}}}\mathbf{N}.$$

(62)

Let ${\beta }_u^{\top }\in {\mathbb{F}}_q^{1\times L_{Z_{\Sigma }}}$ denote the u-th row of $\Phi$.

Thus, for each $u\in \left[U\right]$, we have

$$Z_u^Y={\beta }_u^{\top }\mathbf{N}.$$

(63)

Next, we extend the achievability to the general relay case. Without loss of generality, let ${\mathbf{B}}_u$ be represented in its systematic form:

$${\mathbf{B}}_u=\left[\begin{array}{cc}{\mathbf{I}}_{K_u}& {\tilde{\mathbf{B}}}_{K_u\times (V-K_u)}\end{array}\right],$$

(64)

as any ${\mathbf{B}}_u$ can be transformed into this form via column permutations and invertible row operations.

Let ${\mathbf{N}}^{\left(u\right)}\triangleq {\mathbf{D}}_u\mathbf{N}$, where ${\mathbf{D}}_u\in {\mathbb{F}}_q^{K_u\times L_{Z_{\Sigma }}}$ is a full-row-rank matrix that maps the global key vector to a relay-specific key vector ($rank\left({\mathbf{D}}_u\right)=K_u$).

At this stage, the noise $Z_u^Y$ has already been fixed by the server-side design. Moreover, ${\mathbf{D}}_u$ is chosen such that

$${\mathbf{e}}_1^{\top }{\mathbf{D}}_u={\beta }_u^{\top },$$

(65)

where ${\mathbf{e}}_1={[1,0,\dots ,0]}^{\top }\in {\mathbb{F}}_q^{K_u}$ selects the first row of ${\mathbf{D}}_u$. Hence,

$${\mathbf{e}}_1^{\top }{\mathbf{D}}_u\mathbf{N}={\beta }_u^{\top }\mathbf{N},$$

(66)

so that the first component of ${\mathbf{N}}^{\left(u\right)}$ coincides with the prescribed cluster-level aggregate noise, namely,

$$Z_u^Y={\beta }_u^{\top }\mathbf{N}={\mathbf{e}}_1^{\top }{\mathbf{D}}_u\mathbf{N}.$$

(67)

With ${\mathbf{B}}_u=\left[{\mathbf{I}}_{K_u}{\tilde{\mathbf{B}}}_u\right]\in {\mathbb{F}}_q^{K_u\times V}$, where ${\tilde{\mathbf{B}}}_u\in {\mathbb{F}}_q^{K_u\times (V-K_u)}$. Choose

$${\mathbf{R}}_u=\left[\begin{array}{c}{\mathbf{I}}_{K_u}\\ {\mathbf{L}}_u\end{array}\right],{\mathbf{L}}_u\in {\mathbb{F}}_q^{(V-K_u)\times K_u}.$$

(68)

Then

$${\mathbf{B}}_u{\mathbf{R}}_u=\left[{\mathbf{I}}_{K_u}{\tilde{\mathbf{B}}}_u\right]\left[\begin{array}{c}{\mathbf{I}}_{K_u}\\ {\mathbf{L}}_u\end{array}\right]={\mathbf{I}}_{K_u}+{\tilde{\mathbf{B}}}_u{\mathbf{L}}_u.$$

(69)

Since the right-hand side is a $K_u\times K_u$ square matrix, we have

$$rank\left({\mathbf{B}}_u{\mathbf{R}}_u\right)=K_u\iff det\left({\mathbf{I}}_{K_u}+{\tilde{\mathbf{B}}}_u{\mathbf{L}}_u\right)\ne 0.$$

(70)

Among all solutions of the linear constraint, we choose ${\mathbf{L}}_u$ such that ${\mathbf{I}}_{K_u}+{\tilde{\mathbf{B}}}_u{\mathbf{L}}_u$ is nonsingular; such a choice exists over a sufficiently large finite field ${\mathbb{F}}_q$.

Using a common user-level encoding matrix ${\mathbf{R}}_u$ for the V users in cluster u, define

$$\left[\begin{array}{c}{Z}_{u,1}\\ ⋮\\ Z_{u,V}\end{array}\right]\triangleq {\mathbf{R}}_u{\mathbf{N}}^{\left(u\right)}={\mathbf{R}}_u{\mathbf{D}}_u\mathbf{N}.$$

(71)

To ensure correctness after relay aggregation, we impose

$${\mathbf{1}}_V^{\top }\left[\begin{array}{c}{Z}_{u,1}\\ ⋮\\ Z_{u,V}\end{array}\right]=Z_u^Y={\mathbf{1}}_V^{\top }{\mathbf{R}}_u{\mathbf{N}}^{\left(u\right)}.$$

(72)

From (67) and (72), it follows that:

$${\mathbf{1}}_V^{\top }{\mathbf{R}}_u={\mathbf{e}}_1^{\top }.$$

(73)

Substituting ${\mathbf{R}}_u=\left[\begin{array}{c}{\mathbf{I}}_{K_u}\\ {\mathbf{L}}_u\end{array}\right]$ yields the equivalent condition

$${\mathbf{1}}_{V-K_u}^{\top }{\mathbf{L}}_u={\mathbf{e}}_1^{\top }-{\mathbf{1}}_{K_u}^{\top }.$$

(74)

Since rank$\left({\mathbf{R}}_u\right)=K_u$, the left null space of ${\mathbf{R}}_u$ has dimension $V-K_u$. Thus there exists a full-row-rank ${\mathbf{R}}_u^{\perp }\in {\mathbb{F}}_q^{(V-K_u)\times V}$ with ${\mathbf{R}}_u^{\perp }{\mathbf{R}}_u=\mathbf{0}.$

Let us prove the above scheme is correct and secure. For correctness (refer to (8)), we have

$$\begin{array}{cc}\hfill F=\mathbf{F}\mathbf{S}& \stackrel{\left(56\right)}{=}[S_1;\dots ;S_M]+\tilde{\mathbf{F}}[S_{M+1};\dots ;S_U]\hfill \\ & \stackrel{\left(60\right)}{=}[Y_1;\dots ;Y_M]+\tilde{\mathbf{F}}[Y_{M+1};\dots ;Y_U].\hfill \end{array}$$

(75)

so that $\mathbf{F}$ can be decoded correctly from ${\left(Y_u\right)}_{u\in \left[U\right]}$.

For relay security (refer to (10)), we have

$$\begin{array}{cc}& I(\left\{B_u\right\};{\left\{X_{u,v}\right\}}_{v\in \left[V\right]})\hfill \end{array}$$

(76)

$$\begin{array}{cc}& =H\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]}\right)-H\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]}\mid B_u\right)\hfill \end{array}$$

(77)

$$\begin{array}{cc}& \le V-H\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]},{\mathbf{R}}_u^{\perp }[X_{u,1};\dots ;X_{u,V}]\mid B_u\right)\hfill \end{array}$$

(78)

$$\begin{array}{cc}& =V-H\left({\mathbf{R}}_u^{\perp }[W_{u,1};\dots ;W_{u,V}]\mid B_u\right)-H\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]}\mid {\mathbf{R}}_u^{\perp }[W_{u,1};\dots ;W_{u,V}],B_u\right)\hfill \end{array}$$

(79)

$$\begin{array}{cc}& =V-(V-K_u)-H\left({\mathbf{N}}^{\left(u\right)}\right)\hfill \end{array}$$

(80)

$$\begin{array}{cc}& =V-V+K_u-K_u=0.\hfill \end{array}$$

(81)

In (79), ${\mathbf{R}}_u^{\perp }{\mathbf{R}}_u=\mathbf{0}$ guarantees that the injected keys are zero-forced in ${\mathbf{R}}_u^{\perp }[X_{u,1};\dots ;X_{u,V}]$, and the last equality follows from $rank\left({\mathbf{R}}_u^{\perp }\right)=V-K_u$ and $rank\left([{\mathbf{B}}_u;{\mathbf{R}}_u^{\perp }]\right)=V$.

For server security (refer to (11)), we have

$$\begin{array}{cc}\hfill I\left(G;{\left(Y_u\right)}_{u\in \left[U\right]}\mid F\right)& =H\left({\left(Y_u\right)}_{u\in \left[U\right]}\mid F\right)-H\left({\left(Y_u\right)}_{u\in \left[U\right]}\mid G,F\right)\hfill \end{array}$$

(82)

$$\begin{array}{cc}& =H\left({\left(Y_u\right)}_{u\in \left[U\right]},F\right)-H\left(F\right)-H\left({\left(Y_u\right)}_{u\in \left[U\right]},\mathbf{Q}[Y_{M+1};\dots ;Y_U]\mid G,F\right)\hfill \end{array}$$

(83)

$$\begin{array}{cc}& \stackrel{\left(8\right)\left(60\right)}{=}H\left({\left(Y_u\right)}_{u\in \left[U\right]}\right)-H\left(F\right)-H\left({\left(Y_u\right)}_{u\in \left[U\right]},\mathbf{Q}[S_{M+1};\dots ;S_U]\mid G,F\right)\hfill \\ & \le (U-M)-H\left(\mathbf{Q}[S_{M+1};\dots ;S_U]\mid G,F\right)\hfill \end{array}$$

(84)

$$\begin{array}{cc}& -H\left({\left(Y_u\right)}_{u\in \left[U\right]}\mid \mathbf{Q}[S_{M+1};\dots ;S_U],G,F\right)\hfill \end{array}$$

(85)

$$\begin{array}{cc}& \stackrel{\left(57\right)}{=}(U-M)-\left[U-rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)\right]-H\left({\left(Y_u\right)}_{u\in \left[U\right]}\mid {\left(S_u\right)}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(86)

$$\begin{array}{cc}& \stackrel{\left(60\right)}{=}rank\left([\mathbf{F};\mathbf{G}]\right)-M-H\left(\mathbf{T}\mid {\left(S_u\right)}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(87)

$$\begin{array}{cc}& \stackrel{\left(60\right)}{=}rank\left([\mathbf{F};\mathbf{G}]\right)-M-H\left({\mathbf{Q}}^{\perp }\mathbf{P}\mid {\left(S_u\right)}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(88)

$$\begin{array}{cc}& =rank\left([\mathbf{F};\mathbf{G}]\right)-M-H\left(\mathbf{P}\mid {\left(S_u\right)}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(89)

$$\begin{array}{cc}& =rank\left([\mathbf{F};\mathbf{G}]\right)-M-H\left(\mathbf{A}\mathbf{N}\mid {\left(S_u\right)}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(90)

$$\begin{array}{cc}& =rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)-M-rank(\mathbf{G}\mid \mathbf{F})\hfill \end{array}$$

(91)

$$\begin{array}{cc}& =rank\left(\right[\mathbf{F};\mathbf{G}\left]\right)-M-[rank([\mathbf{F};\mathbf{G}])-M]=0.\hfill \end{array}$$

(92)

Fundamentally, our design methodology reconstructs the solution by working backward from the security requirement in (11). The condition of vanishing mutual information implies that the conditional entropy $H({\left(Y_u\right)}_{u\in \left[U\right]}\mid G,F)$ must saturate the value $U-M$. We accomplish this by utilizing $\mathbf{Q}$ to isolate a signal-bearing subspace independent of channel realizations and maximizing its rank. Consequently, the keys injection is projected exclusively onto ${\mathbf{Q}}^{\perp }$. This geometric arrangement ensures that the security threshold is satisfied with the minimum necessary keys dimensions.

6. Converse

We begin with a useful lemma. It states that each user message $X_{u,v}$ must contain at least L symbols of information, even when all other inputs are revealed. Similarly, each relay message $Y_u$ must carry at least L symbols whenever there exists at least one connected input $X_{u,v}$ that remains unknown.

Lemma 1.

For any $u\in \left[U\right],v\in \left[V\right]$, we have

$$\begin{array}{cc}\hfill H\left(X_{u,v}|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)& \ge L,\hfill \end{array}$$

(93)

$$\begin{array}{cc}\hfill H\left(Y_u|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)& \ge L.\hfill \end{array}$$

(94)

Proof. 

Consider (93), we have

$$\begin{array}{cc}& H\left(X_{u,v}|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \end{array}$$

$$\begin{array}{cc}& \ge I\left(X_{u,v};F|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \\ & =H\left(F|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \end{array}$$

(95)

$$\begin{array}{cc}& -H\left(F|X_{u,v},{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \\ & \stackrel{\left(3\right),\left(4\right)}{=}H\left(W_{u,v}|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \end{array}$$

(96)

$$\begin{array}{cc}& -\underset{\stackrel{\left(8\right)}{=}0}{\underbrace{H\left(F|X_{u,v},{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}},Y_{\left[U\right]}\right)}}\hfill \end{array}$$

(97)

$$\begin{array}{cc}& \stackrel{\left(1\right)}{=}H\left(W_{u,v}\right)=L.\hfill \end{array}$$

(98)

where the last step is due to the independence of the inputs and the keys.

The proof of (94) is similar to that of (93):

$$\begin{array}{cc}& H\left(Y_u|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \end{array}$$

$$\begin{array}{cc}& =I\left(Y_u;F|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \\ & =H\left(F|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)\hfill \end{array}$$

(99)

$$\begin{array}{cc}& -\underset{\stackrel{\left(3\right),\left(4\right),\left(8\right)}{=}0}{\underbrace{H\left(F|Y_u,{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)}}\hfill \end{array}$$

(100)

$$\begin{array}{cc}& =H\left(W_{u,v}\right)=L.\hfill \end{array}$$

(101)

Note that in the proof of (93) and (94), only the correctness constraint (8) is imposed and the security constraints (10) and (11) are not used.

Lemma 2.

For any $u\in \left[U\right]$, we demonstrate that the messages must not disclose excessive information regarding the inputs, as doing so would violate the security constraint (10).

$$\begin{array}{cc}\hfill & I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\right)\le \left(V-rank\left(B_u\right)\right)L.\forall u\in \left[U\right].\hfill \end{array}$$

(102)

Proof. 

$$\begin{array}{cc}\hfill & I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\right)\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \le I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};{\left\{W_{u,v}\right\}}_{v\in \left[V\right]},B_u\right)\hfill \end{array}$$

(103)

$$\begin{array}{cc}\hfill & =\underset{\stackrel{\left(10\right)}{=}0}{\underbrace{I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};B_u\right)}}+I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\mid B_u\right)\hfill \end{array}$$

(104)

$$\begin{array}{cc}\hfill & \le H\left({\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\mid B_u\right)\hfill \end{array}$$

(105)

$$\begin{array}{cc}\hfill & \le H\left({\left\{W_{u,v}\right\}}_{v\in \left[V\right]},B_u\right)-H\left(B_u\right)\hfill \end{array}$$

(106)

$$\begin{array}{cc}\hfill & =\left(V-rank\left(B_u\right)\right)L.\hfill \end{array}$$

(107)

The first term in (104) is zero due to the relay security constraint (10).

Lemma 3.

Consider any G and F, the received signals must not reveal any information about the individual inputs beyond the aggregated result, as otherwise, the server security constraint (11) would be violated. we have

$$\begin{array}{c}\hfill I\left({\left\{Y_u\right\}}_{u\in \left[U\right]};{\left\{S_u\right\}}_{u\in \left[U\right]}\right)\le \left(U-rank(G\mid F)\right)L.\end{array}$$

(108)

Proof. 

$$\begin{array}{cc}\hfill & I\left({\left\{Y_u\right\}}_{u\in \left[U\right]};{\left\{S_u\right\}}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(109)

$$\begin{array}{cc}\hfill & =I\left({\left\{Y_u\right\}}_{u\in \left[U\right]};{\left\{S_u\right\}}_{u\in \left[U\right]},G\right)\hfill \end{array}$$

(110)

$$\begin{array}{cc}\hfill & =I\left({\left\{Y_u\right\}}_{u\in \left[U\right]};G\right)+I\left({\left\{Y_u\right\}}_{u\in \left[U\right]};{\left\{S_u\right\}}_{u\in \left[U\right]}|G\right)\hfill \end{array}$$

(111)

$$\begin{array}{cc}\hfill & \le I\left({\left\{Y_u\right\}}_{u\in \left[U\right]},F;G\right)+H\left({\left\{S_u\right\}}_{u\in \left[U\right]}|G\right)\hfill \end{array}$$

(112)

$$\begin{array}{cc}\hfill & =I(F;G)+\underset{\stackrel{\left(11\right)}{=}0}{\underbrace{I\left(G;{\left\{Y_u\right\}}_{u\in \left[U\right]}|F\right)}}+H\left({\left\{S_u\right\}}_{u\in \left[U\right]},G\right)-H\left(G\right)\hfill \end{array}$$

(113)

$$\begin{array}{cc}\hfill & =H\left(G\right)-H\left(G\right|F)+H\left({\left\{S_u\right\}}_{u\in \left[U\right]},G\right)-H\left(G\right)\hfill \end{array}$$

(114)

$$\begin{array}{cc}\hfill & \le (rank(G)-rank(G\mid F\left)\right)L+(U-rank(G\left)\right)L\hfill \end{array}$$

(115)

$$\begin{array}{cc}\hfill & =(U-rank(G\mid F\left)\right)L.\hfill \end{array}$$

(116)

The third term in (113) is zero due to the server security constraint (11).

Proof of

$R_{Z_{\Sigma }}\ge max\left\{{max}_{u\in \left[U\right]}{K}_u,rank(G\mid F)\right\}.$ Building on the above lemmas, we complete the proof of the converse.

• First, we show that $R_{Z_{\Sigma }}\ge {max}_{u\in \left[U\right]}{K}_u$. By Lemma 2, we have

$$\begin{array}{cc}\hfill L_{Z_{\Sigma }}& \ge H\left(Z_{\Sigma }\right)\hfill \end{array}$$

(117)

$$\begin{array}{cc}\hfill & \ge H\left({\left\{Z_{u,v}\right\}}_{v\in \left[V\right]}\right)\hfill \end{array}$$

(118)

$$\begin{array}{cc}\hfill & \ge I\left({\left\{Z_{u,v}\right\}}_{v\in \left[V\right]};{\left\{X_{u,v}\right\}}_{v\in \left[V\right]}|{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\right)\hfill \end{array}$$

(119)

$$\begin{array}{cc}\hfill & =H\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]}|{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\right)\hfill \end{array}$$

(120)

$$\begin{array}{cc}\hfill & =H\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]}\right)-I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\right)\hfill \end{array}$$

(121)

$$\begin{array}{cc}\hfill & \ge \sum _{v\in \left[V\right]}H\left(X_{u,v}|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,v\left)\right\}}\right)-I\left({\left\{X_{u,v}\right\}}_{v\in \left[V\right]};{\left\{W_{u,v}\right\}}_{v\in \left[V\right]}\right)\hfill \end{array}$$

(122)

$$\begin{array}{cc}\hfill & \stackrel{\left(93\right)\left(102\right)}{\ge }VL-\left(V-rank\left(B_u\right)\right)L=K_{u}L.\hfill \end{array}$$

(123)

Therefore,

$$R_{Z_{\Sigma }}={\displaystyle \frac{L_{Z_{\Sigma }}}{L}}\ge \underset{u\in \left[U\right]}{max}{K}_u.$$

(124)

Second, we show that $R_{Z_{\Sigma }}\ge rank(G\mid F)$. By Lemma 3, we have

$$\begin{array}{cc}\hfill L_{Z_{\Sigma }}& \ge H\left(Z_{\Sigma }\right)\hfill \end{array}$$

(125)

$$\begin{array}{cc}\hfill & \ge H\left(Z_{\left[U\right]\times \left[V\right]}\right)\hfill \end{array}$$

(126)

$$\begin{array}{cc}\hfill & \ge I\left(Z_{\left[U\right]\times \left[V\right]};{\left\{Y_u\right\}}_{u\in \left[U\right]}|{\left\{S_u\right\}}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(127)

$$\begin{array}{cc}\hfill & =H\left({\left\{Y_u\right\}}_{u\in \left[U\right]}|{\left\{S_u\right\}}_{u\in \left[U\right]}\right)-\underset{\stackrel{\left(6\right)}{=}0}{\underbrace{H\left({\left\{Y_u\right\}}_{u\in \left[U\right]}|{\left\{S_u\right\}}_{u\in \left[U\right]},Z_{\left[U\right]\times \left[V\right]}\right)}}\hfill \end{array}$$

(128)

$$\begin{array}{cc}\hfill & =H\left({\left\{Y_u\right\}}_{u\in \left[U\right]}\right)-I\left({\left\{S_u\right\}}_{u\in \left[U\right]};{\left\{Y_u\right\}}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(129)

$$\begin{array}{cc}\hfill & \ge \sum _{u=1}^{U}H\left(Y_u|{\{W_{i,j},Z_{i,j}\}}_{(i,j)\in \left[U\right]\times \left[V\right]\setminus \left\{\right(u,j):j\in [V\left]\right\}}\right)-I\left({\left\{S_u\right\}}_{u\in \left[U\right]};{\left\{Y_u\right\}}_{u\in \left[U\right]}\right)\hfill \end{array}$$

(130)

$$\begin{array}{cc}\hfill & \stackrel{\left(94\right)\left(108\right)}{\ge }UL-\left(U-rank(G\mid F)\right)L\hfill \end{array}$$

(131)

$$\begin{array}{cc}\hfill & =rank(G\mid F)L.\hfill \end{array}$$

(132)

Hence,

$$R_{Z_{\Sigma }}={\displaystyle \frac{L_{Z_{\Sigma }}}{L}}\ge rank(G\mid F).$$

(133)

Combining (124) and (133), we obtain

$$R_{Z_{\Sigma }}\ge max\left\{\underset{u\in \left[U\right]}{max}{K}_u,rank(G\mid F)\right\}.$$

7. Conclusions

This paper investigates information theoretic secure aggregation of linear functions over a two hop hierarchical network with relay-assisted communication. By jointly accounting for relay-level privacy constraints and server-side function-specific security requirements, we establish a unified framework for hierarchical vector linear secure aggregation.

Our main contribution is a complete characterization of the optimal communication key rate region. We show that both hops achieve the minimum possible communication rate of one symbol per input symbol, while the required source key rate is governed by the maximum of the intra-cluster security requirement and the conditional rank rank$(G\mid F)$. This result demonstrates that hierarchical architectures incur no additional communication cost compared to single hop systems, while substantially reducing the masking burden at the server through structured key injection.

To achieve these fundamental limits, we propose an explicit linear coding scheme based on systematic precoding, subspace alignment, and zero forcing. The scheme exploits the algebraic structure of the authorized and unauthorized functions to inject randomness exclusively into dimensions that do not interfere with the authorized computation. The achievability and converse proofs together establish that the derived rate region is information theoretically tight.

Overall, this work clarifies the fundamental role of hierarchy in secure aggregation and provides theoretical guidance for the design of scalable privacy preserving distributed learning systems. Future work includes extending the framework to scenarios with collusion among servers, relays, and users, as well as investigating robustness under user dropouts, heterogeneous cluster sizes, and asymmetric communication constraints.