Deterministic Privacy Preservation in
Static Average Consensus Problem

This paper considers the problem of privacy preservation in the in-network average consensus (PrivCon) problem, where the objective is to enable a group of $\mathcal{V}\!=\!\{1,\cdots,N\}$ communicating agents interacting over a strongly connected and weight-balanced digraph $\mathcal{G}(\mathcal{V},\mathcal{E},\boldsymbol{\mathbf{\mathsf{A}}})$¹¹1For graph theoretic definitions used hereafter see Section 2., see Fig. 1, to calculate $\mathsf{r}^{\text{avg}}\!=\!\frac{1}{N}\sum_{j=1}^{N}\mathsf{r}^{j}$ using local interactions but without disclosing their local reference value $\mathsf{r}^{i}$, $i\!\in\!\mathcal{V}$, to each other. The privacy preservation for average consensus is normally formalized as concealing the reference value of each agent from a malicious agent that is defined as follows.

The solutions to the PrivCon problem in the literature mainly center around designing privacy preservation augmentation mechanisms for the popular average consensus algorithm

which with proper choice of stepsize $\Delta$ guarantees $x^{i}\!\to\!\mathsf{r}^{\text{avg}}$, $i\in\mathcal{V}$, as $k\!\to\!\infty$ [1]. In a weighted digraph, $\boldsymbol{\mathbf{\mathsf{a}}}_{ij}>0$ if there is an edge from agent $i$ to agent $j$, i.e., agent $i$ can obtain information from agent $j$, otherwise $\boldsymbol{\mathbf{\mathsf{a}}}_{ij}=0$. Thus, algorithm (1) requires each agent $i\in\mathcal{V}$ to share its reference value $\mathsf{r}^{i}$ with its in-neighbors (agents that receive messages from $i$) in the first step of the algorithm, resulting in a trivial breach of privacy. Standard observability analysis [2] shows also that when the adjacency matrix $\boldsymbol{\mathbf{\mathsf{A}}}=[\boldsymbol{\mathbf{\mathsf{a}}}_{ij}]$ of the network topology is known to an agent $i\in\mathcal{V}$, agent $i$ can obtain the initial condition of algorithm (1), and consequently, the reference value of all or some of the other agents of the network; see [3] for details.

A popular approach explored to induce privacy preservation to algorithm (1) is the encryption where either a trusted third-party generates the public-key [4] or agents share their keys in which the network is restricted to a point-to-point or tagged undirected communication framework [5, 6]. Also, [5] requires extra communication channels for key generation purposes. Moreover, in [5, 6], the network should be connected at the first step of communication and therefore, it does not have robustness to possible switching in the topology. Differential privacy [7, 8, 9] and additive obfuscation noise methods [10, 11, 12] are other popular techniques to conceal the exact reference value of the agents, but the malicious agent can obtain an estimate on the reference value using a stochastic estimator. In addition, final convergence is perturbed in [7, 8, 9, 10] and convergence rate is altered in [11]. Moreover, these classes of privacy preserving measures cause noisy transient response for the algorithm, which results in excessive energy expenditure if agents use local controls to track the consensus trajectory as a reference input. Lastly, the guarantees established in all the methods discussed above are only for connected undirected graphs. Interested reader can also find privacy preservation methods for the continuous-time implementation of algorithm (1) in [13] and [14].

In this paper, we focus on a solution for PrivCon problem that does not perturb the final convergence value. We address the PrivCon problem by proposing to use an alternative algorithm (see algorithm (2)) that yields similar transient and convergence performance to that of algorithm (1). We analyze the privacy preservation of this algorithm carefully and show that this algorithm intrinsically yields exactly the same privacy preservation guarantees as in [10, 11, 12] in terms of which agents’ privacy can be preserved. More precisely, we show that similar to the results in [10, 11, 12] the privacy of any agent that has at least one out-neighbor that is not the out-neighbor of the malicious agent is preserved. In comparison to the privacy preservation by use of the additive obfuscation noise methods [10, 11, 12], however, algorithm (2) offers a deterministic and stronger sense of privacy preservation, i.e., it meets the privacy preservation definition given below.

To show that the privacy of an agent $i$ is preserved in the sense of Definition 2, we show that there exists other values of $\mathsf{r}^{i}$, arbitrarily different from the true one, that give the same trajectory for the information the malicious agent receives from its out-neighbors. Therefore, the malicious agent cannot distinguish between the true reference value and the arbitrary alternatives. This, in essence, is a stronger notion of privacy preservation than that of the $\epsilon$-differential privacy [15] or that of [11] where even though the malicious agent cannot obtain the exact reference value of the agents but it obtains an estimate on the reference value.

In our demonstration study in Section 4, we compare in particular our suggested PrivCon problem solution to the additive obfuscation noise method of [11]. [11] is a prominent solution in the class of additive obfuscation noise methods that guarantees exact convergence while not allowing a malicious agent to obtain the exact reference value of the agents under the connectivity condition stated earlier. However, in the framework of [11] there are disclosure of information about the reference value in two levels. First, as shown in [11], the malicious agent can employ a stochastic observer to obtain an estimate on the reference value of other agents. The normalized variance of this estimator can be very small compared to the size of the reference value of the agents. Moreover, in [11] agents need to coordinate to choose a common parameter $\phi$ in their noise generator and also use a common variance. The knowledge about the noise parameters also is another level of disclosure of an estimate on the reference value of the agents, as the transmit message of each agent at the initial step of the algorithm is the reference value plus a value generated by their local noise whose variance is the same for all the agents. Moreover, in choosing the variance value for the noise, agents need to consider the size of their local reference values to yield meaningful obfuscation. We note that using a noise with large variance results in a more perturbed transient response and a slower convergence. The advantage of our proposed solution is to meet the privacy preservation as given in Definition 1 while rendering a similar transient and convergence behavior to that of algorithm (1), having no need for coordination to choose the parameters of the algorithm, and no extra computations. Our notation is standard, though certain pieces of notation are defined as need arises.

Our graph theoretic definitions follow [16]. A weighted digraph is a triplet $\mathcal{G}(\mathcal{V},\mathcal{E},\boldsymbol{\mathbf{\mathsf{A}}})$ where $\mathcal{V}$ is the node set, $\mathcal{E}\subset\mathcal{V}\times\mathcal{V}$ is the edge set and $\boldsymbol{\mathbf{\mathsf{A}}})=[\boldsymbol{\mathbf{\mathsf{a}}}_{ij}]$ is the weighted adjacency matrix defined such that $\boldsymbol{\mathbf{\mathsf{a}}}_{ij}>0$ if $(i,j)\in\mathcal{E}$, otherwise $\boldsymbol{\mathbf{\mathsf{a}}}_{ij}=0$. Given an edge $(i,j)$, $i$ is called an in-neighbor of $j$, and $j$ is called an out-neighbor of $i$. The (weighted) in-degree and out-degree of each node $i\in\mathcal{V}$ are respectively are $\mathsf{d}_{\text{out}}^{i}=\sum_{j=1}^{N}\boldsymbol{\mathbf{\mathsf{a}}}_{ij}$ and $\mathsf{d}_{\text{in}}^{i}=\sum_{j=1}^{N}\boldsymbol{\mathbf{\mathsf{a}}}_{ji}$. A weighted digraph is undirected if $\boldsymbol{\mathbf{\mathsf{a}}}_{ij}=\boldsymbol{\mathbf{\mathsf{a}}}_{ji}$ for all $i,j\in\mathcal{V}$. A digraph is weight-balanced if at every node $i\in\mathcal{V}$, $\mathsf{d}_{\text{out}}^{i}=\mathsf{d}_{\text{in}}^{i}$. A digraph is strongly connected if there is a directed path from every node to every other node. The Laplacian matrix of a digraph $\mathcal{G}$ is $\boldsymbol{\mathbf{\mathsf{L}}}\!=\!\operatorname{Diag}(\mathsf{d}_{\text{out}}^{1},\cdots,\mathsf{d}_{\text{out}}^{N})\!-\!\boldsymbol{\mathbf{\mathsf{A}}}$.

Let the interaction topology of the agents be a strongly connected and weight-balanced digraph $\mathcal{G}\!=\!(\mathcal{V},\mathcal{E},\boldsymbol{\mathbf{\mathsf{A}}})$. We consider the average consensus algorithm

proposed in [17], as a solution for privacy preserving average consensus algorithm over $\mathcal{G}$. As discussed in [18],  (2) yields a similar transient response to that of algorithm (1). In our analysis, the privacy preservation in the sense of Definition 2 is against a malicious agent defined as in Definition 1. Our study is different than the privacy preservation study in [17] where the continuous-time representation of algorithm (2) is considered and the reference values are assumed to be dynamic time-varying signals. The guarantees provided crucially depend on the time varyingness of the reference values.

Let $\boldsymbol{\mathbf{x}}=(x^{1},\cdots,x^{N})$, $\boldsymbol{\mathbf{v}}=(v^{1},\cdots,v^{N})$, $\boldsymbol{\mathbf{\Pi}}=\textbf{I}_{N}-\frac{1}{N}\boldsymbol{\mathbf{\mathsf{1}}}_{N}\boldsymbol{\mathbf{\mathsf{1}}}_{N}^{\top}$, and $\bar{\boldsymbol{\mathbf{\mathsf{r}}}}=\mathsf{r}^{\text{avg}}\boldsymbol{\mathbf{\mathsf{1}}}_{N}$. Moreover, let $\boldsymbol{\mathbf{\mathfrak{r}}}=\frac{1}{\sqrt{N}}\boldsymbol{\mathbf{1}}_{N}$, and $\boldsymbol{\mathbf{\mathsf{\mathfrak{R}}}}$ such that

Then, using the change of variable

algorithm (1) reads as

and algorithm (2) as

where $\boldsymbol{\mathbf{\mathsf{L}}}^{+}\!=\!\boldsymbol{\mathbf{\mathsf{\mathfrak{R}}}}^{\top}\boldsymbol{\mathbf{L}}\boldsymbol{\mathbf{\mathsf{\mathfrak{R}}}}$. These equivalent representations show the connection between the internal dynamics of algorithms (1) and (2). For a strongly connected and weight-balanced digraph, $\boldsymbol{\mathbf{\mathsf{L}}}$ has a simple zero eigenvalue and the rest of the eigenvalues $\{\lambda_{i}\}_{i=2}^{N}$ have non-zero positive real parts. Then, the eigenvalues of $\boldsymbol{\mathbf{\mathsf{L}}}^{+}$ are $\{\lambda_{i}\}_{i=2}^{N}$. By invoking [18, Lemma S1], we note that the exponential stability of (1) and (2) is guaranteed, respectively, for any $\Delta\!\in\!(0,\bar{\Delta})$ and $\Delta\!\in\!(0,\min\{2,\bar{\Delta}\})$, where $\bar{\Delta}\!=\!\min\big{\{}2\frac{\operatorname{Re}(\lambda_{i})}{|\lambda_{i}|^{2}}\big{\}}_{i=2}^{N}$. Given a similar performance, an immediate appeal of algorithm (2) over algorithm (1) is that the reference value of agents is not trivially transmit to the in-neighbors. The question that we address in the subsequent section is whether the malicious agent can use its knowledge set to compute the reference values of other agents when agents implement algorithm (2).

In this section we show that algorithm (2) intrinsically yields the same privacy preservation guarantees as in [10, 11, 12] in terms of which agents’ privacy can be preserved. However, the guarantees of algorithm (2) are valid also for strongly connected and weight-balanced digraphs. Moreover, unlike the privacy preservation of [10, 11, 12] which is obtained by using additive noises and comes with disclosure of a stochastic estimate on the private value of the agents, algorithm (2) offers a deterministic and stronger sense of privacy preservation, i.e., it meets the privacy preservation objective defined in Definition 2. In what follows without loss of generality we assume that agent $1$ is the malicious agent. The initialization condition $\sum_{i=1}^{N}v^{i}(0)=0$ is trivially satisfied when every agent $i\in\mathcal{V}$ uses $v^{i}(0)\!=\!0$. Other choices need coordination among agents with no strong guarantee that the choices are private. Thus , we assume that $v^{i}(0)=0$, $i\in\mathcal{V}$ and is known to the malicious agent. Moreover, $\mathcal{N}_{\text{in}}^{i}$ and $\mathcal{N}_{\text{out}}^{i}$ are, respectively, the set of in-neighbors and out-neighbors of agent $i$. We also define $\mathcal{N}_{\text{in}}^{i+}=\mathcal{N}_{\text{in}}^{i}\cup\{i\}$.

Our next result shows that when the malicious agent has access to the messages transmitted to and from an agent $i$, similar to the methods proposed in [10, 11, 12], the privacy of agent $i$ is not preserved. To establish this result we show that the malicious agent can implement an observer to obtain $\mathsf{r}^{i}$.

Lemma 3.1 and 3.2 gives us the following main statement on the privacy preservation guarantees of Algorithm (2).

So far, we have shown the intrinsic privacy property of Algorithm (2). Now the natural question is whether we can loosen the topology restriction of Theorem 3.3 using additive perturbation signals and preserve privacy for agents whose all communication signals (in-coming and out-going) are available to the malicious agent. Herein, we show that this mechanism has no contribution and the malicious agent can still derive local information asymptotically. A comprehensive protection via perturbation signals suggests adding a signal $g^{i}(k):\mathbb{Z}_{\geq 0}\to\real$ to the transmitted message of every agent $i\in\mathcal{V}$, and additive signal $f_{1}^{i}(k):\mathbb{Z}_{\geq 0}\to\real$ and $f_{2}^{i}(k):\mathbb{Z}_{\geq 0}\to\real$ to the right hand side of (2a) and (2b), respectively. However, without loss of generality, the effect of all these signals can be captured via adding only a dynamic perturbation signal $f^{i}(k):\mathbb{Z}_{\geq 0}\to\real$, $i\in\mathcal{V}$ to the right hand side of (2b) as follows,

Instead of using a particular perturbation signal as in [10, 11, 12], we follow the approach in [19] and first investigate for what set of perturbation signals, which we call admissible perturbation signals, the final convergence point of the algorithm is not perturbed. It is natural that any necessary condition defining the admissible perturbation signal is known to all the agents. Then, we show that by knowing a necessary condition on the perturbation, the malicious agent can employ an observer to obtain the reference input regardless of what the exact additive admissible perturbation signal the agent uses.

In our next statement, we investigate whether a malicious agent can derive the local reference value of an agent if it knows condition (13) and all the transmitted messages to and from the agent.

We proved that an additive perturbation signal has no contribution in the level of privacy provided by algorithm (2).

To provide a context to appreciate the implications of our privacy preserving solution for average consensus problem versus the method of [11], we consider an optimal power dispatch (OPD) problem over the undirected connected graph in Fig. 1(b). [11] is a representative of the common method of privacy preservation via additive noises for algorithm (1). We conduct our study over an undirected connected graph since the results in [11] are established only for such graphs. In our OPD problem a group of generators interacting over the graph of Fig. 1(b) are expected to meet the demand of $\mathcal{P}_{D}=1500$ MW ($p^{1}+\cdots+p^{5}=1500$) while minimizing their collective cost $\sum_{i=1}^{5}f^{i}(p^{i})$. The parameters of the local cost $f^{i}(p^{i})=\frac{1}{2\beta^{i}}(p^{i}+\alpha^{i})^{2}+\gamma^{i}$, $i\in\{1,\cdots,5\}$, are chosen from the IEEE bus 118 generator list according to corresponding components of $\{\alpha^{i}\}_{i=1}^{4}=\{188.3,592.5,2567.2,1793.3,2567.2\}$, $\{\beta^{i}\}_{i=1}^{5}=\{7.17,45.9,208.2,166.6,208.2\}$. Here $\alpha^{i}$ and $\beta^{i}$ are supposed to be the private value of each agent $i\in\mathcal{V}$. The optimal solution of this problem for each agent $i\in\{1,\cdots,5\}$ is given by $p^{i\star}=\beta^{i}\frac{\mathcal{P}_{D}+\sum_{i=1}^{N}\alpha^{i}}{\sum_{i}^{N}\beta^{i}}-\alpha^{i}$ [20]. To generate this solution in a distributed manner, let us assume that these $N=5$ agents employ two static average consensus algorithms to obtain $\bar{\alpha}=\frac{1}{N}\sum_{i=1}^{N}\alpha^{i}$ and $\bar{\beta}=\frac{1}{N}\sum_{i}^{N}\beta^{i}$.

Then, by knowing $N$ and $\mathcal{P}_{D}$, agents have all the information to obtain $p^{i\star}$. Fig. 1(b) is used in the numerical example of [11] where agent $5$ is the malicious agent, so as we assume here. The privacy of agents $\{1,2,3\}$ is preserved if agents use algorithm (1) augmented by the additive noise method of [11, Corollary 1] (hereafter referred to as method M1) or algorithm (2) (see Theorem 3.3). Let us assume that when using the method M1, the agents use the same $\phi=0.9$ as [11, Section VI] and given the value of their parameters, they agree to use an additive Gaussian noise with mean $0$ and standard deviation $\sigma=100$. Note that these values should be common for all agents, and thus agents need to coordinate to choose them. Fig. 2 shows the trajectories generated by method M1 for two different executions (each uses a different noise realization) overlaid over the trajectories generated by Algorithm (2). As seen, the trajectories of method M1 are quite noisy and convergence is slower. Using method M1, malicious agent $5$ cannot obtain the exact value of $\{\alpha^{i}\}_{i=1}^{3}$ and $\{\beta^{i}\}_{i=1}^{3}$ because as shown in [11, Fig.4] the covariance of a maximum likelihood estimator that agent $5$ uses to obtain the private reference value of $\{1,2,3\}$ has a steady state non-vanishing value, see Fig. 3. However, agent $5$ knows that in $99.7$% of the times ($3\sigma$ rule) the error rate to obtain each $\{\alpha^{i}\}_{i=1}^{3}$ and $\{\beta^{i}\}_{i=1}^{3}$ is respectively $(0.972\%,0.618\%,0.071\%)$ and $(25.512\%,7.972\%,0.879\%)$ according to the computed normalized covariances $P_{ii}$ as in Fig. 3. Given the numerical values of these parameters, this level of protection gives a good approximate value of the optimal operating point of the supposedly private agents $\{1,2,3\}$ to the malicious agent. On the other hand, the privacy preservation guarantees that algorithm (2) provides for agents $\{1,2,3\}$ is stronger, as the malicious agent cannot obtain any estimate on the private values of the agent. See Fig. 4 for an example scenario, where two alternative cases of reference input signals for $\alpha^{i}$ denoted by $\{\alpha_{2}^{i}\}_{i=1}^{5}\!=\!\{-1311.6,3592.5,1067.2,1793.3,2567.2\}$, and $\{\alpha_{3}^{i}\}_{i=1}^{5}\!=\!\{1688.3,-2407.4,4067.2,1793.3,2567.2\}$. where $\frac{1}{N}\sum_{i=1}^{5}\!{\alpha}_{j}^{i}\!=\!\frac{1}{N}\sum_{i=1}^{5}\!\alpha_{1}^{i}$, $j\!\in\!\{2,3\}$ result in exactly the same transmit message to the malicious agent $5$. Therefore, agent $5$ cannot distinguish between these different references for agents $\{1,2,3\}$. Here, $\{\alpha_{1}^{i}\}_{i=1}^{5}$ are the actual inputs given in the OPD problem definition earlier.

We considered the problem of privacy preservation in the static average consensus problem. This problem normally is solved by proposing privacy preservation mechanism that are added to the popular first order Laplacian-based algorithm. These mechanisms come with computational overheads or pre-coordinating among the agents to choose the parameters of the algorithm. They also alter the transient response of the algorithm. In this paper we showed that an alternative algorithm that is proposed in the literature in the context of dynamic average consensus problem can be a simple solution for privacy preservation for average consensus problem. The advantage of our proposed solution over existing results in the literature was to provide a stronger notion of privacy while rendering a similar transient and convergence behavior to that of the well-known Laplacian average consensus algorithm, having no need for coordination to choose the parameters of the algorithm, and no extra computations.