Papers
Topics
Authors
Recent
Search
2000 character limit reached

User-Group Separation (UG-Sep) Overview

Updated 5 July 2026
  • User-Group Separation (UG-Sep) is defined as the formal decomposition of system components into user-local and group-shared parts, enforcing explicit privacy, correctness, and efficiency constraints.
  • It is applied in diverse areas such as multi-user semantic communication, overloaded wireless scheduling, privacy-preserving aggregation, and reusable computation in recommendation models, ensuring controlled information flow.
  • Approaches range from namespace isolation in HPC environments, differential privacy mechanisms, to automata-theoretic separation, with empirical results showing notable performance and security improvements.

User-Group Separation (UG-Sep) denotes a family of domain-specific formalisms in which per-user information, authority, computation, or visibility is separated from group-level structure under explicit correctness, privacy, or efficiency constraints. The surveyed literature uses the term across multi-user semantic communication, overloaded wireless scheduling, recommender inference, privacy-preserving aggregation, anonymous group admission, HPC isolation, secure group management, multi-tenant observability stacks, and formal-language separation. A common pattern is the controlled decomposition of a system into user-local and group-shared components; however, the underlying objectives differ substantially, ranging from multicast/unicast semantic coding to information-theoretic hiding of other parties’ assignments, from local differential privacy of group membership to automata-theoretic separation by group languages.

1. Core meanings and formal definitions

Several papers make the UG-Sep objective explicit as a formal relation between users, groups, and observables. In the HPC security setting, let U={u1,u2,,un}U=\{u_1,u_2,\dots,u_n\} be users, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\} project groups, and D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\} the resource domains. For each domain dDd\in D, a namespace mapping fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d) assigns the set of domain-objects a user may see or control, and UG-Sep requires that for any distinct users uvu\neq v, fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset unless uu and vv share membership in an approved project group that has been explicitly granted shared access in that domain (Prout et al., 2024).

In secure grouping, the object being separated is not a resource namespace but knowledge of the partition itself. Let P={1,2,,n}P=\{1,2,\dots,n\} be the parties. A grouping is a partition of G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}0 into disjoint nonempty subsets, with public constraints given by the number G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}1 of groups of size G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}2 and optional subset constraints G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}3. The goal is to generate a uniformly random grouping among those satisfying G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}4 such that each party learns exactly the identities of members in its own group and no additional information about how the remaining parties are divided. The paper describes this as a standalone information-theoretic realization of the User-Group Separation ideal functionality (Hashimoto et al., 2017).

In privacy-preserving multi-group aggregation, UG-Sep is formulated as hiding the user’s group while still enabling per-group estimation. There are G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}5 users, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}6 sensitive groups, each user G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}7 belongs to one private group G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}8, and each user holds a discrete value G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}9. The server seeks the group sums D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}0, while the local mechanism D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}1 must be D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}2-locally differentially private with respect to the user’s group: for every D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}3, fixed query D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}4, and output D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}5, D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}6 (Naim et al., 2021).

This range of formalizations suggests that UG-Sep is not a single standardized primitive. Rather, it is a recurring design principle: isolate what is user-specific, keep group structure controllable or hidden as required, and expose only the minimum cross-user information needed for the target task.

2. Wireless UG-Sep: semantic splitting and user grouping

In multi-user semantic communication, UG-Sep appears as a decomposition of each user’s semantic representation into private and group-common components. The group-wise semantic splitting multiple access framework begins with a balanced clustering mechanism over D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}7 users. Each user’s semantic encoder produces D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}8, private features are extracted as D={proc,fs,net,acc}D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}9, and cosine distance to cluster centroids dDd\in D0 is defined by

dDd\in D1

Clustering is performed by first running K-means (Hartigan–Wong) on dDd\in D2, then solving the balanced assignment with the Hungarian algorithm to obtain groups dDd\in D3. A Transformer-based aggregator extracts group-common features

dDd\in D4

while the decomposition viewpoint is dDd\in D5. Training minimizes dDd\in D6, where the reconstruction term is Charbonnier loss and the repulsion term combines Euclidean repulsion, center regularization, and an angular repulsion enforcing an “equiangular” configuration on the unit sphere. Common features are multicasted and private features unicasted under AWGN, Rayleigh, and Rician channel models, with symbol-sharing ratio dDd\in D7. The reported setup uses CIFAR-10, ConvNeXt blocks for encoder/decoder, dDd\in D8Transformer with 4 heads for the common encoder, Adam with learning rate dDd\in D9, 1000 epochs, batch size 50, and training SNR uniformly sampled from fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)0. Metrics are PSNR and perceptual loss via a pre-trained VGG network. At 15 dB and 1024 symbols/image, Proposed-C(fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)1) achieves PSNR fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)2 dB versus fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)3 dB for JPEG-LDPC and fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)4 dB for Private-only. The abstract states “up to 3.26% performance improvement,” whereas the detailed summary states “up to 3.26× improvement in PSNR over the best baseline under moderate–high SNRs”; both statements appear in the source summary. Rician (fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)5) and Rayleigh channels yield gains of fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)6–fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)7 dB across SNR, and the stated limitation is that clustering is currently offline within each mini-batch (Koh et al., 26 Nov 2025).

A distinct wireless meaning of UG-Sep arises in overloaded IRS-aided multi-antenna SWIPT systems. Here an fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)8-antenna AP serves fd:U(Objectsd)f_d:U\to\wp(\mathrm{Objects}_d)9 single-antenna information users and uvu\neq v0 single-antenna energy users with an IRS of uvu\neq v1 passive elements, explicitly in overloaded scenarios where uvu\neq v2 and uvu\neq v3. User grouping partitions information users into at most uvu\neq v4 groups uvu\neq v5, served in orthogonal time-slots of duration uvu\neq v6, with non-overlapping UG enforcing uvu\neq v7 and overlapping UG enforcing uvu\neq v8. The optimization target is the max-min throughput uvu\neq v9 subject to energy harvesting, AP power, time allocation, IRS constraints, and grouping constraints. The average SINR in slot fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset0, throughput fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset1, and harvested energy fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset2 are defined explicitly through the effective average channel matrices fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset3 and fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset4, which incorporate uniform IRS phase errors via matrix fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset5. Because the resulting formulations are mixed-integer nonconvex, the solution combines big-fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset6 reformulation, a penalty method for relaxed binary constraints, block-coordinate descent, and successive convex approximation. Simulation trends reported in the summary are that both UG schemes outperform “no grouping” and random grouping, that non-overlapping UG is sufficient when fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset7 or EH constraints are tight, and that overlapping UG performs much better when fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset8 is small and EH constraints are not stringent. As fd(u)fd(v)=f_d(u)\cap f_d(v)=\emptyset9 increases, throughput first rises and then saturates or falls; as uu0 grows, UG advantage grows because the IRS affords more group-specific channel shaping (Gao et al., 2023).

3. UG-Sep for reusable computation in large recommendation models

In large recommendation models, UG-Sep is formulated as an architectural disentanglement of user-side and item-side information flow so that user-side computation can be reused across candidates. The motivating observation is that dense interaction architectures such as RankMixer, TokenMixer, and self-attention ranking entangle user and candidate features in every layer, unlike long-sequence models where KV caching can amortize prefix computation. The formal problem uses uu1 pure user tokens, uu2 pure group/item tokens, hidden dimension uu3, and token matrix uu4. A standard block is

uu5

and the goal is to reorganize these transformations so that all computation touching the uu6 tokens can be computed once per user and reused across all uu7 variants (Lu et al., 11 Feb 2026).

The masking mechanism introduces a binary mask uu8, uu9, with

vv0

thereby forbidding vv1 influence in the Mixup stage. In the masked computation, rows vv2 depend only on user-side inputs, enabling caching. The summary reports that unmasked dense linear Mixup costs vv3 per layer, whereas after masking the user rows cost vv4, with FLOPs saved per layer approximately vv5 and across vv6 layers approximately vv7. To compensate for lost expressiveness, an Information Compensation block projects vv8 with a learned matrix vv9, broadcasts the result back into the P={1,2,,n}P=\{1,2,\dots,n\}0 rows, and concatenates P={1,2,,n}P=\{1,2,\dots,n\}1 before the PFFN. The framework further applies W8A16 weight-only quantization, storing weights in 8-bit integers while keeping activations in FP16/BF16; the summary states that no retraining or fine-tuning is required and that typical on-chip dequantization cost is less than 5% of memory savings.

Implementation is organized around a per-user cache P={1,2,,n}P=\{1,2,\dots,n\}2. For each unique user, the system computes bottom P={1,2,,n}P=\{1,2,\dots,n\}3-token features, runs the UG-Sep layers over user tokens only, and stores the result; candidate embeddings are then combined with cached P={1,2,,n}P=\{1,2,\dots,n\}4 for the remaining per-candidate computation. Reported offline results use AUC and wall-clock latency on four industrial scenarios at ByteDance. The table in the summary gives P={1,2,,n}P=\{1,2,\dots,n\}5AUC and P={1,2,,n}P=\{1,2,\dots,n\}6latency for RankMixer + UG-Sep as follows: Douyin Feed, P={1,2,,n}P=\{1,2,\dots,n\}7, P={1,2,,n}P=\{1,2,\dots,n\}8 AUC and P={1,2,,n}P=\{1,2,\dots,n\}9 latency; Hongguo Feed, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}00 and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}01; Chuanshanjia Ads, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}02 and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}03; Qianchuan Ads, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}04 and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}05. Training speedup on Douyin is listed as G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}06 at G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}07, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}08 at G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}09, and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}10 at G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}11. W8A16 single-layer GEMM latency improves by G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}12 for G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}13 and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}14 for G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}15, with similar G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}16–G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}17 speedup across shapes. The stated limitations are the need for a clear upstream G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}18 token split, residual accuracy loss at very high G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}19 ratios above G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}20, and additional memory for caching per-user G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}21 (Lu et al., 11 Feb 2026).

4. Privacy-preserving subgroup computation and anonymous group admission

For statistical aggregation under local differential privacy, the Query-and-Aggregate scheme treats the user’s group as the sensitive attribute that must remain hidden from the server. Each user is assigned a public matrix G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}22, drawn uniformly from the set of matrices whose every row is a permutation of G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}23. Optionally, the true value G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}24 is randomized to G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}25 with parameter G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}26. If the user belongs to group G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}27, the user returns the unique column index G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}28 such that G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}29. The server then reconstructs the entire column vector G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}30, where by construction G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}31 and every other coordinate is uniform over G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}32. The re-scaled estimator

G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}33

is unbiased for the true group sums. The worst-case privacy budget is

G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}34

Per-user communication is G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}35 bits. The mean-square error has the form G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}36, relative MSE G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}37, with G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}38 given explicitly in the summary, and for fixed G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}39 this scales as G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}40. The non-interactive Randomized Group baseline uploads G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}41 at cost G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}42 bits. The reported comparison is that Q&A typically outperforms RG in the high-privacy regime, while RG eventually wins in the low-privacy regime because Q&A cannot drive its noise below the G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}43 floor as G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}44 (Naim et al., 2021).

Attribute-Authenticated Continuous Group Key Agreement addresses a different privacy problem: authenticating admission to a dynamic MLS/CGKA-style group without revealing long-term identity. Users hold attribute-credentials G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}45, and the group maintains dynamic attribute requirements G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}46. A Presentation Package G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}47 contains a selective-disclosure credential presentation G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}48, where G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}49 binds a fresh signature key to the current challenge, and a CGKA KeyPackage signed under the fresh signing key. The zero-knowledge proof G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}50 demonstrates possession of a valid credential, inclusion of the disclosed attributes within the full attribute set, and correct binding of the header. Join, Leave, and Rekey proceed through the standard G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}51, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}52, and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}53 interfaces over the underlying CGKA state. The security definitions are Requirement Integrity, Unforgeability, and Unlinkability. The stated theorems are: if G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}54 is collision-resistant and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}55 is EUF-CMA, then AA-CGKA satisfies Requirement Integrity; if CGKA is Key-Indistinguishable, G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}56 is EUF-CMA, and the ABC system is unforgeable, then AA-CGKA satisfies Unforgeability; and if the ABC scheme is unlinkable and G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}57 is one-way, then AA-CGKA satisfies Unlinkability. The source then states “UG-Sep via Unlinkability”: the only data presented at Join is G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}58, the proof reveals only that some credential satisfies the disclosure policy, the signature key G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}59 is session-specific, and ABC unlinkability prevents linking presentations across groups or sessions (Soler et al., 2024).

5. Enforced separation in shared infrastructure

In HPC security, MIT Lincoln Laboratory Supercomputing Center defines UG-Sep as enforced separation across processes, filesystem access, network traffic, and accelerators, under a threat model of a malicious insider or a compromised non-root account capable of executing untrusted code, scanning G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}60, filesystem, or network, launching MPI jobs, accessing shared RDMA channels, and interacting with GPUs. Process-level isolation is implemented by remounting procfs with hidepid=2, so that for any process G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}61 owned by user G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}62, /proc/pid is invisible to all other users. Visibility is formalized as G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}63. Privileged support uses a supplemental group pid_admin and the custom seepid tool. Scheduler-level controls set PrivateData=jobs,launch,step in Slurm, enforce whole-node scheduling, and restrict SSH into compute nodes via pam_slurm. Filesystem isolation uses user-private groups, top-level home ownership root:gp(u) with mode 750, an immutable kernel patch smask=007, and ACL restrictions so that users may only share with groups they belong to. Network isolation uses a user-based firewall that accepts a new flow iff owner_client = owner_server or owner_client ∈ primaryGroup(owner_server), formalized as G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}64. Accelerator isolation sets /dev/nvidiaX permissions according to scheduler allocation, chmods unallocated GPUs to 000, and invokes vendor reset commands such as nvidia-smi --gpu-reset --id=X in the Slurm epilog. Reported performance and security results are: hidepid=2 incurred zero measurable overhead on proc lookup times; the smask patch showed no change in Lustre file-write throughput beyond +0.2% variance; the user-based firewall added approximately 10 µs latency per new TCP connection; GPU reset added approximately 100 ms per job teardown; attempts to enumerate other users’ processes returned G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}65; TCP scans were confined to the user’s own ports; and GPU memory reads after job end returned zeroed pages (Prout et al., 2024).

A related multi-tenant interpretation appears in secure deployments of Kibana and Elasticsearch. The architecture places an Apache HTTPD reverse proxy with Kerberos authentication in front of Kibana, uses the Own Home plugin to multiplex a single Kibana instance into per-user or per-group tenants such as .kibana_user_<u> or .kibana_group_<g>, and deploys Search Guard on every Elasticsearch node to enforce user/group-based index-, type-, document-, and operation-level permissions. Authentication yields an active subject G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}66, and authorization is computed by assigned roles whose ACLs determine whether operation G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}67 on index G={g1,g2,,gm}G=\{g_1,g_2,\dots,g_m\}68 is allowed. The summary gives a dynamic Search Guard role using user.name</code>andadocumentlevelpolicythatfilters<code>logstash</code>by<code>researchgroup.keyword</code>.PerformanceevaluationwithElasticsearchRallyonthebuiltingeonamesscenarioused8.6milliondocuments,two<ahref="https://www.emergentmind.com/topics/averageminimumdistanceamd"title=""rel="nofollow"dataturbo="false"class="assistantlink"xdataxtooltip.raw="">AMD</a>Opteron2.6GHzmachineswith8coresand8GBRAM,Elasticsearch2.3.4,SearchGuard2.3.4,andRally0.3.1.Medianindexingthroughputfellfrom<code>17076</code>docs/sto<code>13659</code>docs/s,areported<code>20<h2class=paperheadingid=groupformationwithoutcentralvisibility>6.Groupformationwithoutcentralvisibility</h2><p>SecuregroupingwithadeckofcardsrealizesUGSepasaphysical,informationtheoreticallysecureprotocolexecutablewithoutatrustedthirdparty.Theprotocolfixesapublicbasepermutation{user.name}</code> and a document-level policy that filters <code>logstash-*</code> by <code>research_group.keyword</code>. Performance evaluation with Elasticsearch Rally on the built-in geonames scenario used 8.6 million documents, two <a href="https://www.emergentmind.com/topics/average-minimum-distance-amd" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">AMD</a> Opteron 2.6 GHz machines with 8 cores and 8 GB RAM, Elasticsearch 2.3.4, Search Guard 2.3.4, and Rally 0.3.1. Median indexing throughput fell from <code>17 076</code> docs/s to <code>13 659</code> docs/s, a reported <code>–20%</code> overhead. Query latency increased from <code>67.0</code> to <code>125.0</code> ms for the default query, from <code>3.8</code> to <code>65.5</code> ms for term queries, from <code>5.4</code> to <code>73.4</code> ms for phrase queries, from <code>292.1</code> to <code>357.4</code> ms for aggregation without cache, from <code>4.5</code> to <code>86.2</code> ms for aggregation with cache, from <code>58.9</code> to <code>190.3</code> ms for scroll, and from <code>510.3</code> to <code>592.0</code> ms for expression queries. The summary attributes these fixed latencies to the reverse-proxy hop, Kerberos/SPNEGO negotiation, LDAP lookups, and Search Guard checks per request (<a href="/papers/1706.10040" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Takase et al., 2017</a>).</p> <h2 class='paper-heading' id='group-formation-without-central-visibility'>6. Group formation without central visibility</h2> <p>Secure grouping with a deck of cards realizes UG-Sep as a physical, information-theoretically secure protocol executable without a trusted third party. The protocol fixes a public base permutation G=\{g_1,g_2,\dots,g_m\}$69 whose cycle decomposition encodes the required group-size multiset $G=\{g_1,g_2,\dots,g_m\}$70 and any fixed-subset constraints $G=\{g_1,g_2,\dots,g_m\}$71. A hidden permutation $G=\{g_1,g_2,\dots,g_m\}$72 is encoded by a face-down sequence $G=\{g_1,g_2,\dots,g_m\}$73 with $G=\{g_1,g_2,\dots,g_m\}$74 on the card fronts. The key algebraic step is to randomize $G=\{g_1,g_2,\dots,g_m\}$75 by conjugation, producing $G=\{g_1,g_2,\dots,g_m\}$76 for a uniformly random $G=\{g_1,g_2,\dots,g_m\}$77 that fixes the prescribed elements $G=\{g_1,g_2,\dots,g_m\}$78. The permutation-randomizing phase uses $G=\{g_1,g_2,\dots,g_m\}$79 identical rows of cards, a global Pile-Scramble-Shuffle, public application of powers $G=\{g_1,g_2,\dots,g_m\}$80, and a Permutation Division subprotocol to obtain committed rows for $G=\{g_1,g_2,\dots,g_m\}$81, where $G=\{g_1,g_2,\dots,g_m\}$82 is the maximum cycle length in $G=\{g_1,g_2,\dots,g_m\}$83. In the local extraction phase, party $G=\{g_1,g_2,\dots,g_m\}$84 takes the $G=\{g_1,g_2,\dots,g_m\}$85-th card from each row and reads values $G=\{g_1,g_2,\dots,g_m\}$86, thereby enumerating the members of its secret cycle. The paper’s security claim is that choosing $G=\{g_1,g_2,\dots,g_m\}$87 uniformly among permutations fixing $G=\{g_1,g_2,\dots,g_m\}$88 yields a uniformly random valid grouping, and that conditioned on a party’s own cycle permutation, all completions of $G=\{g_1,g_2,\dots,g_m\}$89 to the full allowed conjugacy class are equally likely. Resource usage is approximately $G=\{g_1,g_2,\dots,g_m\}$90 number cards, estimated by the authors as about $G=\{g_1,g_2,\dots,g_m\}$91, with $G=\{g_1,g_2,\dots,g_m\}$92 shuffle-rounds and $G=\{g_1,g_2,\dots,g_m\}$93 openings (Hashimoto et al., 2017).

Pretty Private Group Management addresses a similar privacy goal in a distributed hash table rather than with physical cards. A group $G=\{g_1,g_2,\dots,g_m\}$94 is represented by four self-protected DHT objects—root, member list, wall, and inbox—each controlled by its own public/private key pair, with the list and wall also protected by symmetric keys $G=\{g_1,g_2,\dots,g_m\}$95 and $G=\{g_1,g_2,\dots,g_m\}$96. Users may generate multiple principals $G=\{g_1,g_2,\dots,g_m\}$97, each with a public/private key pair $G=\{g_1,g_2,\dots,g_m\}$98 and an inbox address. DHT nodes are untrusted and possibly Byzantine but enforce capture/update through signature checks on stored values. Group creation captures addresses $G=\{g_1,g_2,\dots,g_m\}$99, $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$00, $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$01, and $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$02 using signed PUTs. Joining uses a fresh ephemeral key pair $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$03, a join request encrypted under the group inbox key $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$04, and a signed “once” token that prevents replay. If approved, an administrator updates the encrypted member list and sends a helo message encrypted to $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$05. Wall updates are signed under $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$06 and encrypt new wall contents under $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$07. To hide the source IP, inbox delivery can use Crowds-style probabilistic forwarding over random DHT addresses. The paper formalizes member anonymity and member unlinkability by negligible adversarial advantage, validates secrecy and weak authentication properties with AVISPA, and reports a Java prototype on the Vuze DHT. Reported performance includes about 16 s average for group creation, 1–2 s for wall read, 1–10 min for wall write depending on chunk count, and join processing growing from about 1 min to about 10 min as the member list grows toward ≈ 100 chunks (Heen et al., 2011).

7. Formal-language UG-Sep and decision complexity

In automata theory, UG-Sep refers to a separation problem for the class of group languages, where “group” denotes finite groups rather than collections of users. A group language is any regular language recognized by a morphism into a finite group, equivalently by a complete deterministic finite automaton in which each input letter induces a permutation of the state set. Given two NFAs $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$08 and $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$09 over a finite alphabet $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$10, the separation problem asks whether there exists a group language $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$11 such that

$D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$12

The paper proves the more general covering theorem: for NFAs $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$13, let $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$14 be auxiliary $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$15-NFAs built by adding formal inverses and a Dyck-like $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$16-closure. Then $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$17 is $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$18-coverable iff $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$19. For $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$20, UG-Sep therefore reduces to testing emptiness of $D=\{\mathrm{proc},\mathrm{fs},\mathrm{net},\mathrm{acc}\}$21. The paper states tight complexity bounds: UG-Sep for group languages is P-complete; alphabet modulo testable separation and covering are NP-complete; modulo-language separation is NL-complete; and modulo-language covering is coNP-complete. The contribution is characterized as the first purely automata-theoretic proof that separation and covering by group languages are decidable, replacing dependence on Ash’s algebraic theorem with a Dyck-closure construction and a combinatorial synchronizer argument (Place et al., 2022).

Across these lines of work, UG-Sep functions less as a single theorem or protocol family than as a recurring systems-and-theory motif. It may mean splitting latent semantics into group-common and user-private codes, masking dense token interactions so user-side representations can be cached, hiding the user’s sensitive group under local differential privacy, authenticating group entry by attributes rather than identity, enforcing namespace disjointness across shared infrastructure, revealing only one’s own group in secure grouping protocols, or separating regular languages by the class of group languages. What is shared is the insistence that group structure be exploited, constrained, or concealed in a principled way, with the exact notion of “separation” determined by the domain’s operational and security semantics.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to User-Group Separation (UG-Sep).