Ferkans — Interactive Telecom Tutor

The Privacy of the Superposition

Part III (Chapters 10–12) built up secure aggregation with pairwise masks, Shamir sharing, and sparse graphs — all to hide individual gradients from an honest-but-curious server. The resulting schemes pay $O(n)$ to $O(n^2)$ per-round communication.

AirComp's MAC superposition already hides individual contributions — with no cryptographic machinery. The receiver sees $\sum_k h_k b_k s_k + \mathbf{w}$ and has no direct algebraic inverse. But how much privacy does the MAC really provide? The golden thread — privacy, robustness, communication efficiency — reappears sharply. AirComp gets privacy for free in communication, but at the cost of a specific threat model (single-antenna receiver, random channel fading, tight synchronization) that must be carefully stated. This section quantifies.

,

Theorem: Native AirComp Privacy

Consider AirComp over a Gaussian MAC with $n$ users, independent Gaussian source values $s_k \sim \mathcal{N}(0, \sigma_s^2)$ , channel gains $h_k$ with $|h_k| > 0$ , and a single-antenna receiver observing $r = \sum_k h_k b_k s_k + \mathbf{w}$ with $\mathbf{w} \sim \mathcal{CN}(0, \sigma^2)$ . Under magnitude alignment ( $b_k h_k = \eta$ ) and i.i.d.\ sources, for any individual gradient $s_j$ , $I(s_j;\, r) \;\leq\; \frac{1}{2}\log\!\left(1 + \frac{|\eta|^2 \sigma_s^2}{(n-1)|\eta|^2\sigma_s^2 + \sigma^2}\right).$ As $n \to \infty$ (with $\sigma_s^2$ fixed), the mutual information $\to 0$ — the server's observation becomes asymptotically independent of any individual $s_j$ .

Proof

Signal decomposition

Write $r = \eta s_j + \eta \sum_{k \neq j} s_k + \mathbf{w}$ . The interference term $\eta \sum_{k \neq j} s_k \sim \mathcal{CN}(0, |\eta|^2 (n-1) \sigma_s^2)$ has variance that scales linearly with $n$ .

SNR of $s_j$

From $s_j$ 's perspective, everything except $\eta s_j$ is noise with total variance $|\eta|^2(n-1)\sigma_s^2 + \sigma^2$ . The per-user effective SNR is $|\eta|^2 \sigma_s^2 / ((n-1)|\eta|^2\sigma_s^2 + \sigma^2)$ .

Gaussian MI bound

For jointly Gaussian inputs, $I(s_j; r) = \tfrac{1}{2} \log(1 + \text{SNR})$ . Substituting the per-user effective SNR gives the stated bound.

Limit

As $n \to \infty$ , SNR $\to 1/(n-1) \cdot 1$ (the noise term becomes negligible relative to user interference), so $I(s_j; r) \to \tfrac{1}{2}\log(1 + O(1/n)) \to 0$ .

Operational interpretation

The more users participate, the more thoroughly each individual is hidden in the crowd. For $n = 100$ , the per-user MI bound is already below $0.01$ nat — about $1\%$ of the bits of an individual $s_j$ leak to the server via the AirComp aggregate.

What AirComp Privacy Does and Does Not Guarantee

Theorem 16.4.1's privacy guarantee is conditional on several assumptions:

Single-antenna receiver. A multi-antenna receiver can beamform to extract individual $s_k$ — it effectively performs MIMO decoding. Privacy collapses.
I.i.d.\ Gaussian sources. The bound uses Gaussian MI. Structured or correlated sources can leak more.
Honest-but-curious receiver. An active receiver that injects its own signal or manipulates the channel violates the model.
No prior on $s_k$ . If the server has a strong prior on $s_j$ (e.g., from auxiliary data), the posterior $p(s_j | r)$ can concentrate even when $I(s_j; r)$ is small.
Symmetric power control. Asymmetric power allocation ( $P_k$ uneven) disturbs the anonymity — the high-power users dominate the superposition.

The pragmatic picture: AirComp provides weak-asymptotic privacy in a single-antenna honest-but-curious setting. For stronger guarantees, stack additional mechanisms — differential privacy via Gaussian dither (see below), pairwise masking (Chapter 10), or SPIR-style protocols (Chapter 14). AirComp is not a cryptographic silver bullet; it is a communication-efficient privacy primitive with a well-defined threat model.

,

Theorem: Differential-Privacy Amplification by AirComp

Suppose each user perturbs their pre-processed symbol with i.i.d.\ Gaussian dither $z_k \sim \mathcal{CN}(0, \sigma_z^2)$ before transmission. The receiver observes $r = \eta \sum_k s_k + \eta \sum_k z_k + \mathbf{w}$ . The effective dither seen by the post-processor has variance $|\eta|^2 n \sigma_z^2$ — amplified by $n$ . Any single-user Gaussian dither scheme that achieves $(\varepsilon, \delta)$ -DP at a single user achieves $(\varepsilon/\sqrt{n}, \delta)$ -DP after AirComp summation.

Proof

Individual user DP

For user $k$ in isolation with Gaussian dither $z_k \sim \mathcal{CN}(0, \sigma_z^2)$ , the Gaussian mechanism gives $(\varepsilon, \delta)$ -DP with $\sigma_z = \Delta f \sqrt{2\ln(1.25/\delta)}/\varepsilon$ where $\Delta f$ is the query sensitivity.

Aggregation amplifies

After MAC summation, the aggregate dither $\sum_k z_k \sim \mathcal{CN}(0, n\sigma_z^2)$ . Relative to the aggregated signal, the noise-to-signal ratio is $n$ times larger — equivalent to using $\sqrt{n} \sigma_z$ per user for the same aggregate-level DP.

DP amplification

Equivalently: the per-user $\sigma_z$ needed for aggregate-level $(\varepsilon, \delta)$ -DP is $\sigma_z^{\text{agg}}/\sqrt{n}$ . Each user's own dither is $\sqrt{n}$ times smaller than without AirComp, a $\sqrt{n}$ -factor privacy-utility improvement over digital mean-of-noisy-gradients.

Operational

AirComp is naturally friendly to differential privacy: the MAC superposition amplifies the aggregated dither without the designer having to do anything. This is a structural advantage over digital FL, where amplification requires careful scheduling or subsampling.

,

Theorem: MSE Under Carrier-Phase Misalignment

Suppose users have imperfect CSIT, so $b_k h_k = \eta e^{j\phi_k}$ for random phases $\phi_k \sim \text{Uniform}[-\phi_{\max}, \phi_{\max}]$ . The aggregation MSE with zero-forcing post-processing is $\mathsf{MSE}_{\text{mis}} \;=\; \underbrace{\frac{\sigma^2}{|\eta|^2}}_{\text{noise}} \;+\; \underbrace{\sigma_s^2 \left(1 - \left(\frac{\sin\phi_{\max}}{\phi_{\max}}\right)^2\right)}_{\text{misalignment}}.$ The misalignment term is SNR-independent: it does not vanish as $P \to \infty$ . It is an irreducible MSE floor.

Proof

Per-user contribution

Misaligned user $k$ contributes $\eta e^{j\phi_k} s_k$ to the received signal. The receiver post-processes by dividing by $\eta$ : the contribution appears as $e^{j\phi_k} s_k$ where ideal AirComp would have $s_k$ . The per-user error is $(e^{j\phi_k} - 1) s_k$ .

MSE calculation

$\mathbb{E}[|e^{j\phi_k} - 1|^2] = 2(1 - \mathbb{E}[\cos\phi_k]) = 2 - 2 \cdot (\sin\phi_{\max}/\phi_{\max})$ (for uniform $\phi_k$ ). Scaling by $\sigma_s^2$ gives the per-user misalignment MSE. Summing independently gives the aggregate misalignment term.

SNR independence

Because the phase error is multiplicative, no amount of transmit power alleviates it. High-SNR asymptotics exhibit an MSE floor.

Engineering bottom line

For a $3$ -dB MSE floor (doubling above the AWGN-limited MSE), $\phi_{\max} \lesssim 0.3$ rad ( $17°$ ) — a challenging but achievable phase-synchronization target.

AirComp Trade-offs: Power, MSE, Privacy

Jointly explore how AirComp MSE, per-user mutual-information leakage, and misalignment MSE depend on transmit power and user count. Three curves: (i) zero-forcing MSE with aligned channels, (ii) per-user MI leakage bound (Theorem 16.4.1), (iii) misalignment MSE floor for a given phase spread $\phi_{\max}$ . The golden thread — privacy vs. communication efficiency — is visible: as $n$ grows, MSE increases but privacy strengthens.

Parameters

n_{\max}

— maximum users50

P

(dB) — transmit power20

\phi_{\max}

(deg) — phase error10

AirComp vs. Classical Secure Aggregation

Property	Classical SecAgg (Ch. 10)	AirComp (Ch. 16)
Communication per round	$O(n^2)$ key exchanges + $O(n)$ uploads	$O(1)$ MAC channel uses
Aggregate fidelity	Exact (digital)	MSE $= \sigma^2/\|\eta\|^2$
Privacy guarantee	IT-secure under $T$ -collusion	Weak-asymptotic; requires single-antenna RX
DP composition	Post-processed digital noise	$\sqrt{n}$ -factor amplification
Byzantine robustness	None (needs extension)	None (needs extension; Ch. 17)
Synchronization	Symbol-level	Symbol + carrier-phase
CSIT requirement	None	Yes

🚨Critical Engineering Note

Deploying AirComp in an FL System

A production AirComp-enabled FL deployment should specify:

Threat model. Is the server honest-but-curious with a single RX antenna? If the RX is MIMO, AirComp gives no inherent privacy. Plan accordingly.
Synchronization budget. Target carrier-phase error below $17°$ (for $3$ -dB MSE floor). Use GPS-disciplined oscillators or network-time-protocol aided clocks.
CSIT accuracy. Each user needs channel estimates within $10\%$ of the true gain to stay within $0.5$ dB of ideal MSE. Use pilot-based estimation; budget $\sim 5$ - $10$ % of the round for pilots.
Power control policy. Zero-forcing ( $b_k = \eta/h_k$ ) is the default. MMSE gives a small ( $\sim 1$ dB) improvement at low SNR and introduces bias that may confuse downstream FL optimization. Threshold-drop weak users for heterogeneous channels.
DP dither level. Add Gaussian dither $z_k \sim \mathcal{CN}(0, \sigma_z^2)$ at each user for aggregate $(\varepsilon, \delta)$ -DP. The AirComp amplification gives $\sqrt{n}$ reduction in per-user dither vs. digital FL.
Integrity. AirComp gives no integrity: a malicious user's bogus $s_k$ simply adds to the superposition with no way to detect it. Pair with ByzSecAgg (Chapter 11) or with robust aggregation (Chapter 17) for Byzantine tolerance.

Practical Constraints

•
Single-antenna RX for privacy claim
•
Carrier-phase error $\leq 17°$ for $3$ dB floor
•
CSIT error $\leq 10\%$ for $0.5$ dB MSE loss
•
DP dither: per-user $\sigma_z^{\text{agg}}/\sqrt{n}$
•
No integrity — pair with Byzantine protection

📋 Ref: Yang-Jiang-Shi 2020; Liu-Yang 2021; §16.4 model

,

Common Mistake: 'The Channel Adds; Therefore It's Secure'

Mistake:

Deploy AirComp and claim information-theoretic privacy without explicitly stating the threat model and verifying each assumption.

Correction:

AirComp's privacy is specific: single receive antenna, Gaussian sources, honest-but-curious server, tight synchronization. Any deviation from these — MIMO receiver, active adversary, non-Gaussian sources, prior information — weakens or breaks the guarantee. Always write the threat model explicitly in the deployment document. When in doubt, stack a cryptographic aggregation layer (Bonawitz, ByzSecAgg) on top of AirComp for defense in depth.

Key Takeaway

AirComp offers a structured trade-off: $\Theta(1)$ channel uses and weak-asymptotic privacy against a single-antenna honest-but-curious receiver, at the cost of tight synchronization, CSIT, and a specific threat model. The MAC superposition also naturally amplifies Gaussian dither by $\sqrt{n}$ , enabling communication-efficient differential privacy. Misalignment produces an irreducible MSE floor. Chapter 17 combines these ingredients for wireless federated learning — the end-to-end FL problem over real channels.

Why This Matters: Looking Ahead: AirComp in Wireless FL

AirComp is the enabling physical-layer aggregation primitive for wireless federated learning (Chapter 17). The Wan-Tuninetti-Caire group's CommIT contribution on information-theoretically secure federated representation learning combines AirComp-style aggregation with an additional IT-privacy layer — Chapter 17 §17.3 develops this. Chapter 18 then surveys the open problems at the intersection of coded computing, secure aggregation, PIR, and wireless FL — closing the book by marking the frontier.

Quick Check

The per-user mutual-information leak bound in Theorem 16.4.1 decays how with the number of users $n$ ?

Not at all — privacy is independent of $n$ .

As $1/n$ in the leading term.

Exponentially in $n$ .

As $1/\sqrt{n}$ .

Correction:

As

1/n

in the leading term.

For large $n$ , the effective SNR of $s_j$ against the interfering $\sum_{k \neq j} s_k$ scales as $1/(n-1)$ , so $\tfrac{1}{2}\log(1 + 1/(n-1)) = O(1/n)$ .

Privacy, Misalignment, and Tradeoffs

The Privacy of the Superposition

Theorem: Native AirComp Privacy

Signal decomposition

SNR of $s_j$

Gaussian MI bound

Limit

Operational interpretation

What AirComp Privacy Does and Does Not Guarantee

Theorem: Differential-Privacy Amplification by AirComp

Individual user DP

Aggregation amplifies

DP amplification

Operational

Theorem: MSE Under Carrier-Phase Misalignment

Per-user contribution

MSE calculation

SNR independence

Engineering bottom line

AirComp Trade-offs: Power, MSE, Privacy

Parameters

AirComp vs. Classical Secure Aggregation

Deploying AirComp in an FL System

Common Mistake: 'The Channel Adds; Therefore It's Secure'

Key Takeaway

Why This Matters: Looking Ahead: AirComp in Wireless FL

Quick Check