Privacy-Preserving Average Consensus via State Decomposition

arXiv:1902.09576v2 [math.OC] 2 Mar 2019

Yongqiang Wang1

Abstract—Average consensus underpins key functionalities of
distributed systems ranging from distributed information fusion,
decision-making, distributed optimization, to load balancing and
decentralized control. Existing distributed average consensus
algorithms require each node to exchange and disclose state
information to its neighbors, which is undesirable in cases where
the state is private or contains sensitive information. In this paper,
we propose a novel approach that avoids disclosing individual
state information in average consensus by letting each node
decompose its state into two sub-states. For each node, one
of the two sub-states involves in computation and inter-node
interactions as if it were the original state, while the other substate interacts only with the first sub-state of the same node,
being completely invisible to other nodes. The initial values of
the two sub-states are chosen randomly but with their mean fixed
to the initial value of the original state, which is key to guarantee
convergence to the desired consensus value. In direct contrast to
differential-privacy based privacy-preserving average-consensus
approaches which enable privacy by compromising accuracy
in the consensus value, the proposed approach can guarantee
convergence to the exact desired value without any error. Not
only is the proposed approach able to prevent the disclosure of
a node’s initial state to honest-but-curious neighbors, it can also
provide protection against inference by external eavesdroppers
able to wiretap communication links. Numerical simulations
demonstrate the effectiveness of the approach and its advantages
over state-of-the-art counterparts.

I. I NTRODUCTION
As a building block of distributed computing, average consensus has been an active research topic in computer science
and optimization for decades [1], [2]. In recent years, with the
advances of wireless communications and embedded systems,
particularly the advent of wireless sensor networks and the
Internet-of-Things, average consensus is finding increased
applications in fields as diverse as automatic control, signal
processing, social sciences, robotics, and optimization [3].
Conventional average consensus approaches rely on the
exchange of explicit state values among neighboring nodes to
reach agreement on distributed computation. Such a disclosure
of state information has two potential problems. First, it
breaches the privacy of participating nodes who may not want
to disclose their state values containing sensitive and private
information. For example, a group of individuals using average
consensus to compute a common opinion may want to keep
each individual’s opinion secret [4]. Another example is power
systems where multiple generators want to reach agreement
on cost while keeping their individual generation information
private since the generation information is sensitive in bidding
The work was supported in part by the National Science Foundation under
Grants 1824014 and 1738902.
1 Yongqiang Wang is with the Department of Electrical and Computer Engineering, Clemson University, Clemson, SC 29634, USA

yongqiw@clemson.edu

the right for energy selling [5]. Secondly, exchanging information through wireless or wired communications is vulnerable
to eavesdroppers which try to steal information by tapping
communication links. With the increased number of reported
attack events, preserving data privacy has become an urgent
need in many social and engineering applications.
To address the pressing need for privacy-preserving average consensus, one may resort to conventional secure multiparty computation approaches such as Yao’s Garbled Circuit
[6], Shamir’s Secret Sharing algorithm [7], or many other
recent advances [8]. However, such general-purpose privacy
protecting approaches are both computationally and communicationally too heavy for systems with fast-evolving behaviors
particularly cyber-physical systems which are subject to hard
real-time constraints. For example, Yao’s Garbled Circuit has a
computational latency on the order of seconds [9], whereas the
tolerable computational latency is on the order of milliseconds
for the real-time control of connected automated vehicles [10]
and unmanned aerial vehicles [11]. Recently, several dedicated
privacy-preserving solutions have been proposed for average
consensus [12], [13], [14], [15], [16], [17], [18]. Most of
these approaches rely on the idea of obfuscation to mask
true state values by injecting carefully-designed noise on the
states. One commonly used tool is differential privacy from the
database literature in computer science [13], [14], [16], [17],
[18]. However, obfuscation under differential privacy affects
the accuracy of average consensus, preventing convergence
to the exact desired value. Another tool emerged recently is
the correlated-noise based obfuscation [15], [12], which can
guarantee the accuracy of average consensus. Observability
based approaches have also been discussed in the dynamics and control community to protect the privacy of multiagent networks. The basic idea is to design the interaction
topology to minimize the observability from a certain node,
which amounts to minimizing the node’s ability to infer the
initial states of other nodes in the network [19], [20], [21].
However, both the correlated-noise based and the observability
based approaches are vulnerable to adversary nodes which are
directly connected to a target node as well as all its neighbors
[22].
To improve resilience to privacy attacks, another common
approach is to employ cryptography. However, although cryptography based approaches can easily enable privacy preservation with the assistance of an aggregator or third-party
[23], like in cloud-based control or computation [24], [25],
[26], their extension to the completely decentralized average
consensus problem in the absence of an aggregator or thirdparty is extremely hard due to the difficulties in decentralized
key management. In fact, to our knowledge, except our recent
result [27], [22], existing efforts ([28], [29]) incorporate cryptography into decentralized average consensus without giving

participating nodes access to the final consensus value (note
that in [29] individual participating nodes do not have access
to the decryption key to decrypt the final consensus value
which is obtained in the encrypted form, otherwise they will
be able to decrypt intermediate computations to access other
nodes’ states). Furthermore, cryptography based approaches
will also significantly increase communication and computation overhead (please see e.g., [30] for detailed discussions),
which is not appropriate for systems with limited resources or
systems with fast evolving behaviors or subject to hard realtime constraints.
In this paper, we propose a state-decomposition based
approach that can guarantee the privacy of all participating
nodes in average consensus without compromising accuracy.
Our basic idea is to let each node decompose its state into two
sub-states with random initial values. One sub-state succeeds
the role of the original state in inter-node interactions while
the other sub-state only interacts with the first sub-state in
the same node and thus is completely invisible to outside
nodes. To ensure consensus to the right average value, the
initial values of the two sub-states are randomly chosen but
with their mean fixed to the initial value of the original
state. Different from existing differential-privacy based approaches which sacrifice accuracy for privacy, our approach
can guarantee convergence to the exact average consensus
value. Unlike correlated-noise based or observability based
approaches which require a node to have at least one neighbor
that is not directly connected to the adversary to maintain
privacy, our approach can guarantee privacy of a node even
when the node and all its neighbors are directly connected
to the adversary. Furthermore, the approach is completely
decentralized and light-weight in computation, which makes
it easily applicable to resource-restricted systems. Numerical
simulation results are given to verify the results.

II. BACKGROUND
A. Average Consensus
We first review the average consensus problem. Following
the convention in [3], we represent a network of M nodes as a
graph G = (V, E, A) with node set V = {v1 , v2 , · · · , vM },
edge
set

 E ⊂ V × V , and the adjacency matrix A =
aij [k] denoting coupling weights which satisfy aij [k] > 0 if
(vi , vj ) ∈ E and 0 otherwise. Here k is time index, denoting
that aij [k] could be time-varying. The set of neighbors of a
node vi is denoted as Ni = {vj ∈ V |(vi , vj ) ∈ E} and its
cardinality is denoted as |Ni |.
Throughout this paper we make the following assumption:
Assumption 1: We assume that the graph is undirected and
connected, i.e., aij [k] = aji [k] holds for all k ≥ 0 and there
exists a (multi-hop) path between any pair of nodes.
We represent the state variable of a node i as xi [k]. For the
sake of simplicity, we assume scalar states. But as commented
later in Remark 5, the results are easily extendable to the case
where the state is a vector. To achieve average consensus,
namely convergence of all states xi [k] (i = 1, 2, · · · , M ) to

PM

x [0]

the average of initial values, i.e., i=1M i , the update rule is
formulated as [31]
X
aij [k](xj [k] − xi [k])
(1)
xi [k + 1] = xi [k] + ε
vj ∈Ni
1
where ε resides in the range (0, ∆
] with ∆ defined as

∆,

max

i=1,2,··· ,M

|Ni |

(2)

It has been well known that average consensus can be
achieved if the network is connected and there exists some
η > 0 such that η < aij [k] < 1 holds for all k ≥ 0 [32].
B. Attack Model
In the paper, we consider two types of adversaries:
An honest-but-curious adversary is a node who follows all
protocol steps correctly but is curious and collects received
data in an attempt to learn some information about other
participating nodes.
An eavesdropper is an external attacker who knows the
network topology, and is able to wiretap communication links
and access exchanged messages.
Generally speaking, an eavesdropper is more disruptive than
an honest-but-curious node in terms of information breaches
because it can snoop messages exchanged on many channels
whereas the latter can only access the messages destined to it.
However, an honest-but-curious node does have one piece of
information that is unknown to an external eavesdropper, i.e.,
the internal initial state xi [0] is available if node i is an honestbut-curious node. We will systematically analyze the enabled
privacy strength of our approach against both adversaries.
III. P RIVACY-P RESERVING A PPROACH
The key idea of our approach is a decomposition mechanism:
Decomposition Mechanism: We let each node decompose
β
its state xi into two sub-states xα
i and xi , with the initial
β
values xα
i [0] and xi [0] randomly chosen from the set of all
β
real numbers under the constraint xα
i [0] + xi [0] = 2xi [0] (cf.
Fig. 1). The sub-state xα
i succeeds the role of the original
state xi in inter-node interactions and it is in fact the only state
value from node i that can be seen by its neighbors. The other
sub-state xβi also involves in the distributed interaction by (and
β
only by) interacting with xα
i . So the existence of xi is invisible
to neighboring nodes of node i, although it directly affects the
α
evolution of xα
i . Taking node 1 in Fig. 1(b) for example, x1
acts as if it were x1 in the inter-node interactions while xβ1
is invisible to nodes other than node 1, although it affects the
evolution of xα
1 . The coupling weight between the two subβ
states xα
i and xi is symmetric and denoted as ai,αβ [k]. It is
a design parameter and will be elaborated later in the Weight
Mechanism.
Under the state-decomposition approach, the overall dynamics become
X
 α
α
α
x
[k
+
1]
=
x
[k]
+
ε
aij [k](xα

i
i
j [k] − xi [k])



vj ∈Ni
(3)

+ εai,αβ [k](xβi [k] − xα
i [k])


 β
β
xi [k + 1] = xβi [k] + εai,αβ [k](xα
i [k] − xi [k])

Node 1
Node 1

x1α

x1

x1β

Node 2

Node 2

x2α

x2

xM
Node M

xαM


Node 3

xMβ



(a)

Node 3

x3α

Node M

x3

x2β

x3β

(b)

Fig. 1. State-decomposition based privacy-preserving average consensus. (a) Before state decomposition (b) After state decomposition

β
subject to xα
i [0] + xi [0] = 2xi [0].
Remark 1: Compared with (1), since every “visible” substate’s number of neighbors is increased by 1, the upper bound
1
1
on ε is reduced from ∆
to ∆+1
with ∆ defined in (2).
In conventional average consensus algorithms, the coupling
weights are required to be within (0, 1), which restricts the
strength of achievable privacy (as will be clear from the proof
of Theorem 2). We introduce the following weight mechanism
to enable strong privacy:
Weight Mechanism: For k = 0, we allow all weights aij [0]
and ai,αβ [0] to be arbitrarily chosen from the set of all real
numbers under the constraint aij [0] = aji [0]; For k = 1, 2, · · · ,
we require that there exists a scalar 0 < η < 1 such that all
nonzero aij [k] satisfy η ≤ aij [k] < 1 and all ai,αβ [k] satisfy
η ≤ ai,αβ [k] < 1.
In the following, we first prove that under the approach, i.e.,
the Decomposition Mechanism and the Weight Mechanism, all
β
states xα
i and xi will converge to the same average consensus
value as in the conventional case (1). Then we rigorously
analyze the privacy of participating nodes enabled by the
proposed approach in the presence of an eavesdropper or
honest-but-curious node.
Theorem 1: Under Assumption 1 and the Weight Mechanism, all sub-states in (3) converge to the average consensus
value of (1), i.e.,
M

β
lim xα
i [k] = lim xi [k] =

k→∞

k→∞

1 X
xj [0]
M j=1

(4)

Proof : Under the symmetric weight assumption aij [k] =
aji [k] and ai,αβ [k], one can easily obtain that for the network
after decomposition, the sum of all sub-states are always
time-invariant. Therefore, even the weights are allowed to be
arbitrarily chosen from the set of all real numbers for k = 0,
we always have
M
M
1 X α
1 X α
(xj [0] + xβj [0]) =
(x [1] + xβj [1])
2M j=1
2M j=1 j

(5)

Starting from k = 1, as all coupling weights aij [k] = aji [k]
compose a connected graph, the Decomposition Mechanism
and the Weight Mechanism guarantee that all sub-states also
compose a connected graph. According to the result on average

xαj



Node j

x βj

xiα
xiβ

Honest-but-curious node i

xmα
xmβ

Node m


Fig. 2. Connection configuration example for Theorem 2.

consensus under time-varying weights [32], average consensus
β
can still be achieved, i.e., all sub-states xα
i and xi will
PM
β
1
α
converge to 2M j=1 (xj [1] + xj [1]), which is equal to
PM
β
1
α
j=1 (xj [0] + xj [0]) according to (5). Further making
2M
α
use of the fact xi [0] + xβi [0] = 2xi [0] leads to the conclusion
PM
1

that all sub-states converge to M
j=1 xj [0].
Remark 2: For the purpose of privacy-preservation, the
values of ai,αβ [k] should be private to node i.
Next we rigorously analyze the enabled privacy against
an honest-but-curious adversary or an external eavesdropping
adversary. To this end, we first give a definition of privacy.
Definition 1: The privacy of the initial value xi [0] of node i
is preserved if an adversary cannot estimate the value of xi [0]
with any guaranteed accuracy.
Definition 1 requires that an adversary cannot even find a
range for a private value and thus is more stringent than the
privacy preservation definition considered in [12], [15] which
defines privacy preservation as the inability of an adversary
to uniquely determine the protected value. Next we show
that even by carefully observing a node’s communication for
multiple steps, an adversary cannot infer the node’s initial state
with any guaranteed accuracy.
Theorem 2: Under the Decomposition Mechanism and the
Weight Mechanism, an honest-but-curious node i cannot infer
the initial state xj [0] of node j with any guaranteed accuracy
if node j has at least one neighboring node m who does not
collude with node i to infer xj [0] (cf. Fig. 2 for an illustrative
example).
Proof :
To prove that node i cannot estimate xj [0] with

any guaranteed accuracy, we show that any arbitrary
variation of xj [0] is indistinguishable to node i, i.e.,
the information accessible to node i can be exactly the
same even if xj [0] were changed to an arbitrary value
x̄j [0] 6= xj [0]. We define the information accessible to
the honest-but-curious node i at iteration k as Ii [k] =

β
α
aip [k] v ∈N , xα
p [k] vp ∈Ni , xi [k], xi [k], xi [k], ai,αβ [k] .
p
i
So as time evolves, the cumulated S
information accessible to
∞
node i can be summarized as Ii = k=0 Ii [k].
To show that the privacy of the initial value xj [0] can be
preserved against node i, i.e., node i cannot estimate the value
of xj [0] with any guaranteed accuracy, it suffices to show
that under any initial value x̄j [0] 6= xj [0] the information
accessible to node i, i.e., I¯i could be exactly the same as Ii ,
the cumulated information accessible to node i under xj [0].
This is because the only information available for node i to
infer the initial value xj [0] is Ii , and if Ii could be the outcome
under any initial values of xj [0], then node i has no way to
even find a range for the initial value xj [0]. Therefore, we
only need to prove that for any x̄j [0] 6= xj [0], I¯i = Ii could
hold.
Next we show that there exist initial values of xm [0] and
coupling weights satisfying the requirements of the Weight
Mechanism that make I¯i = Ii hold under x̄j [0] 6= xj [0]. (Note
that the alternative initial values of xm [0] should guarantee
that the agents still converge to the original average value
after xj [0] is altered to x̄j [0].) More specifically, under the
following initial condition
x̄m [0] = xj [0] + xm [0] − x̄j [0]
β
α
α
x̄α
j [0] = xj [0], x̄j [0] = 2x̄j [0] − xj [0]
α
β
α
x̄α
m [0] = xm [0], x̄m [0] = 2x̄m [0] − xm [0]

(6)

α
β
β
x̄q [0] = xq [0], x̄α
q [0] = xq [0], x̄q [0] = xq [0],

∀vq ∈ V \ {vj , vm }
and coupling weights
āj,αβ [0] =
ām,αβ [0] =
ājm [0] =

β
xβj [0] − x̄βj [0] + εaj,αβ [0](xα
j [0] − xj [0])
β
ε(x̄α
j [0] − x̄j [0])
β
xβm [0] − x̄βm [0] + εam,αβ [0](xα
m [0] − xm [0])
β
ε(x̄α
m [0] − x̄m [0])
α
xβj [0] − x̄βj [0] + εajm [0](xα
m [0] − xj [0])
α
ε(x̄α
m [0] − x̄j [0])

āj,αβ [k] = aj,αβ [k], k = 1, 2 · · ·

the initial state of node j based on accessible information if
node j is also connected to another node m that does not
collude with node i to infer xj [0] (note that node m is allowed
to exchange information with the honest-but-curious node i
following the protocol, as illustrated in Fig. 2).

Remark 3: In the derivation, the choice of coupling weights
āj,αβ [0], ām,αβ [0], and ājm [0] in (7) guarantees that starting
from k = 1, all sub-states under the alternative initial value
x̄j [0] will be the same as those under the original initial
value xj [0], and hence all coupling weights can be the same
starting from k = 1 under the two different initial value
conditions. Depending on the value of x̄j [0], the weights
āj,αβ [0], ām,αβ [0], and ājm [0] could be outside the range
[η, 1), which corroborates the necessity of allowing weights
at k = 0 to be arbitrarily chosen from the set of all real
numbers in the Weight Mechanism. Note that since the subα
α
α
states x̄α
j [0] = xj [0] and x̄m [0] = xm [0] are also arbitrarily
chosen from the set of all real numbers, the possibility of them
making the denominators in (7) equal to zero is negligible.
Remark 4: Our approach can protect the privacy of node j
even when node j and all its neighbors are directly connected
to the honest-but-curious neighbor i (cf. Fig. 2), which is
not allowed in the privacy-preserving approaches in [12],
[15]. This illustrates the advantage of the proposed statedecomposition based approach.
Similar results can be obtained for the eavesdropping adversary case:
Theorem 3: Under the Decomposition Mechanism and the
Weight Mechanism, an eavesdropper cannot infer the initial
state xj [0] of any node j with any guaranteed accuracy if
node j has at least one neighboring node m whose interaction
weight ajm [0] with node j is inaccessible to the eavesdropper.
Proof : Following the line of reasoning in Theorem 2, we
can obtain that any change in the initial value xj [0] can be
completely compensated by changes in ajm [0], aj,αβ [0], and
am,αβ [0] that are invisible to the eavesdropper. Therefore, the
accessible information to the eavesdropper can be exactly the
same even when xj [0] were changed arbitrarily and hence the
eavesdropper cannot infer the initial value of node j based on
accessible information.

Remark 5: The results are also applicable in the vectorstate case. In fact, as long as the scalar state elements in the
vector state have independent coupling weights, privacy can be
naturally enabled in the vector-state case by applying results
in this paper to individual scalar state elements.

ām,αβ [k] = am,αβ [k], k = 1, 2 · · ·
ājm [k] = ajm [k], k = 1, 2 · · ·
āq,αβ [k] = aq,αβ [k], ∀vq ∈ V \ {vj , vm }, k = 0, 1, 2 · · ·
āpq [k] = apq [k], ∀vp , vq ∈ V, {vp , vq } =
6 {vj , vm },
k = 0, 1, 2 · · ·
(7)
where “\” represents set subtraction, it can be easily verified
that I¯i = Ii holds for any x̄j [0] 6= xj [0]. Note that the first
equation in (6) is used to guarantee that the consensus value
does not change under the alternative initial values x̄j [0] and
x̄m [0]. Therefore, the honest-but-curious node i cannot learn

IV. N UMERICAL C OMPARISON WITH E XISTING R ESULTS
In this section, we numerically compare our statedecomposition based privacy-preserving approach with existing state-of-the-art counterparts [12], [15], [18] to confirm its
advantages.
For the convenience in comparison, we represent the internal
state of node i as xi and its obfuscated version (used in
state exchange with neighbors) in existing obfuscation based
approaches as x+
i . We considered a network of five nodes with

7

7

x [k]

x1[k]

1

x [k]
2

6

x2[k]

6

x [k]

x3[k]

3

x [k]
4

5

x [k]

5

Avg x[0]
x [0]

4

x4[k]
x5[k]

5

1

4

Avg x[0]
x1[0]
z[k]

z[k]
3

3

2

2

1

1

0

0
−1

−1

0

5

10

15

20

25
30
Time step

35

40

45

50
−2

0

5

10

15

20

25
Time step

30

35

40

45

50

Fig. 3. An eavesdropper can infer the initial state of node 1 under the privacy
protocol in [12].
Fig. 4. An eavesdropper can infer the initial state of node 1 under the privacy
protocol in [15].

interaction topology and weights given in [12], which, under
our formulation framework translate into ε = 13 and


0 1 0 0 1
1 0 1 0 0



A = 0.75 
(8)
0 1 0 0 1
0 0 0 0 1
1 0 1 1 0

10
xα[k]
1

xα
[k]
2

8

α

x3 [k]
xα
[k]
4

6

α

x5 [k]

4

Without loss of generality, we suppose that an external
eavesdropper is interested in obtaining the initial state of node
1 and constructs the following observer to infer x1 [0]:

1

xα[0]

2

1

z[k]
0

z[k + 1] = z[k] + x+
[k + 1]
 1
−  x+
1 [k] + ε

Avg x[0]
x [0]


X

−2

+

a1j (x+
j [k] − x1 [k])

vj ∈N1

(9)
where the initial observer state is set to z[0] = x+
[0].
We
1
assume that the eavesdropper has access to all weights except
a12 [0] which was set to a random value 0.7 in the k = 0 step
of the observer.
Fig. 3 gives the evolution of the network states as well as
the eavesdropper’s observer state under the privacy-preserving
approach in [12]. The initial states of five nodes were set to
{1, 2, 3, 4, 5}. It can be seen that although convergence to
the right average value is achieved, the initial internal state of
node 1, i.e., x1 [0], can also be inferred by the eavesdropper’s
observer z[k].
Similar results were obtained using the approach in [15],
which guaranteed accurate average consensus but not the
privacy of x1 [0] (cf. Fig. 4).
Based on the same setup, we also simulated the proposed
state-decomposition based privacy-preserving approach. The
coupling weights at k = 0 were randomly chosen from
[−20, 20]. The results are given in Fig. 5, which confirms that

−4

−6

0

5

10

15

20

25
30
Time step

35

40

45

50

Fig. 5. The proposed approach can achieve accurate average consensus while
avoiding an eavesdropper from inferring the initial state x1 [0] of node 1.

the proposed approach can protect the privacy of all nodes’
initial values against an eavesdropper while achieving accurate
average consensus.
It is worth noting that although differential-privacy based
approaches such as [18] can also protect the privacy of
participating nodes’ initial values, they also lead to errors
in the final consensus value, as confirmed by the simulation
results in Fig. 6. In such approaches, due to the trade-off
between privacy and accuracy, when an application calls for
higher accuracy of the consensus result, the risk of disclosing
one’s initial state also becomes higher.

2
Avg Err
Est Err

1.5

1

0.5

0

-0.5
0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

Noise level c

Fig. 6. Although by using a high level of noise, the differential privacy
approach in [18] can avoid an eavesdropper from accurately estimating the
initial state of node 1 (with large estimation error Est Err), its achievable
accuracy in average consensus also deteriorates with an increased noise level,
as reflected by a larger consensus error Avg Err.

V. C ONCLUSIONS
In this paper, we proposed a privacy-preserving approach for
the network average consensus problem based on state decomposition. In contrast to differential-privacy based approaches
which are subject to a fundamental trade-off between enabled
privacy and achievable consensus accuracy, the approach is
able to enable privacy preservation while guaranteeing accurate average consensus. It is also superior to correlated-noise
based obfuscation approaches which can guarantee accurate
average consensus but not resilience to adversaries which are
directly connected to a target node as well as all its neighbors.
Simulation results confirmed the theoretical predictions.
R EFERENCES
[1] M. H. Degroot. Reaching a consensus. Journal of the American
Statistical Association, 69(345):118–121, 1974.
[2] N. A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers
Inc., San Francisco, CA, USA, 1996.
[3] R. Olfati-Saber, J. A. Fax, and R. M. Murray. Consensus and cooperation
in networked multi-agent systems. Proceedings of the IEEE, 95(1):215–
233, 2007.
[4] J. N. Tsitsiklis. Problems in decentralized decision making and computation. PhD thesis, 1984.
[5] X. Fang, S. Misra, G. Xue, and D. Yang. Smart grid – the new
and improved power grid: A survey. IEEE communications surveys
& tutorials, 14(4):944–980, 2012.
[6] A. C. Yao. Protocols for secure computations. In Proceedings of the
23rd Annual Symposium on Foundations of Computer Science, pages
160–164, 1982.
[7] A. Shamir. How to share a secret. Communications of the ACM, pages
612–613, 1979.
[8] M. Prabhakaran and A. Sahai (eds). Secure Multi-party Computation.
IOS press, 2013.
[9] B. Kreuter, A. Shelat, and C. Shen. Billion-gate secure computation
with malicious adversaries. In USENIX Security Symposium, volume 12,
pages 285–300, 2012.
[10] L. P. Clare, J. L. Gao, E. H. Jennings, and C. Okino. A network
architecture for precision formation flying using the IEEE 802.11 MAC
protocol. In Proceedings of 2005 IEEE Aerospace conference, pages
1335–1347, 2005.

[11] W. Chen and S. Cai. Ad hoc peer-to-peer network architecture for
vehicle safety communications. IEEE Communications Magazine,
43(4):100–107, 2005.
[12] Y. Mo and R. M. Murray. Privacy preserving average consensus. IEEE
Transactions on Automatic Control, 62(2):753–765, Feb 2017.
[13] E. Nozari, P. Tallapragada, and J. Cortés. Differentially private average
consensus with optimal noise selection. IFAC-PapersOnLine, 48(22):203
– 208, 2015.
[14] Z. Huang, S. Mitra, and N. Vaidya. Differentially private distributed
optimization. In Proceedings of the 2015 International Conference on
Distributed Computing and Networking, ICDCN ’15, New York, NY,
USA, 2015. ACM.
[15] N. E. Manitara and C. N. Hadjicostis. Privacy-preserving asymptotic
average consensus. In 2013 European Control Conference (ECC), pages
760–765, July 2013.
[16] E. Nozari, P. Tallapragada, and J. Cortés. Differentially private average consensus: obstructions, trade-offs, and optimal algorithm design.
Automatica, 81(7):221–231, 2017.
[17] V. Katewa, F. Pasqualetti, and V. Gupta. On privacy vs cooperation in
multi-agent systems. International Journal of Control, (accepted):1–20,
2017.
[18] Z. Huang, S. Mitra, and G. Dullerud. Differentially private iterative
synchronous consensus. In Proceedings of the 2012 ACM workshop on
Privacy in the electronic society, pages 81–90. ACM, 2012.
[19] S. S Kia, J. Cortés, and S. Martı́nez. Dynamic average consensus under
limited control authority and privacy requirements. International Journal
of Robust and Nonlinear Control, 25(13):1941–1966, 2015.
[20] S. Pequito, S. Kar, S. Sundaram, and A. P. Aguiar. Design of communication networks for distributed computation with privacy guarantees.
In In Decision and Control (CDC), 2014 IEEE 53rd Annual Conference
on, pages 1370–1376, 2014.
[21] A. Alaeddini, K. Morgansen, and M. Mesbah. Adaptive communication
networks with privacy guarantees. In Proceedings of 2017 American
Control Conference, pages 4460–4465, 2017.
[22] M. Ruan, H. Gao, and Y. Q. Wang. Secure and privacy-preserving
consensus. IEEE Transactions on Automatic Control, in press, 2019.
[23] N. Gupta and N. Chopra. Confidentiality in distributed average information consensus. In 2016 IEEE 55th Conference on Decision and Control
(CDC), pages 6709–6714, Dec 2016.
[24] K. Kogiso and T. Fujita. Cyber-security enhancement of networked
control systems using homomorphic encryption. In Proceedings of the
54th IEEE International Conference on Decision and Control, pages
6836–6843, 2015.
[25] Y. Shoukry, G. Konstantinos, A. Alanwar, G. J. Pappas, S. A. Seshia,
M. Srivastava, and P. Tabuada. Privacy-aware quadratic optimization
using partially homomorphic encryption. In Proceedings of the 55th
IEEE International Conference on Decision and Control, pages 5053–
5058, 2016.
[26] R. L. Lagendijk, Z. Erkin, and M. Barni. Encrypted signal processing for
privacy protection: Conveying the utility of homomorphic encryption and
multiparty computation. IEEE Signal Processing Magazine, 30(1):82–
105, Jan 2013.
[27] M. Ruan, M. Ahmad, and Y. Q. Wang. Secure and privacy-preserving
average consensus. In Proceedings of the 2017 Workshop on CyberPhysical Systems Security and PrivaCy, pages 123–129. ACM, 2017.
[28] Moreno Ambrosin, Paolo Braca, Mauro Conti, and Riccardo Lazzeretti.
ODIN: Obfuscation-based privacy-preserving consensus algorithm for
decentralized information fusion in smart device networks. ACM
Transactions on Internet Technology, 18(1):6, 2017.
[29] N. M. Freris and P. Patrinos. Distributed computing over encrypted data.
In 2016 54th Annual Allerton Conference on Communication, Control,
and Computing (Allerton), pages 1116–1122, Sept 2016.
[30] C. Zhang, M. Ahmad, and Y. Q. Wang. ADMM based privacy-preserving
decentralized optimization. IEEE Transactions on Information Forensics
and Security, 14(3):565–580, 2019.
[31] Reza Olfati-Saber, J Alex Fax, and Richard M Murray. Consensus and
cooperation in networked multi-agent systems. Proceedings of the IEEE,
95(1):215–233, 2007.
[32] A. Nedic, A. Ozdaglar, and P. A. Parrilo. Constrained consensus and
optimization in multi-agent networks. IEEE Transactions on Automatic
Control, 55(4):922–938, 2010.

