This work investigates communication mechanisms in hierarchical secure aggregation systems that simultaneously guarantee security against both relays and the central server, where U relays serve UV users and every G users share a distinct group key. For the regime 1 < G ≤ UV, the paper fully characterizes the optimal rate region, precisely identifying the minimal communication overhead and required group key rates, and establishes the infeasibility of the problem when G = 1. An explicit linear coding scheme based on structured precoding matrices is constructed, leveraging generic matrix designs over large fields to avoid symmetrization operations while ensuring correctness and satisfying dual security constraints. Matching achievability and converse bounds are theoretically derived, thereby exactly determining the fundamental trade-offs between minimal key consumption and communication rates under dual security requirements.

We study the hierarchical secure aggregation problem with groupwise keys. The problem consists of an aggregation server, $U$ relays, and $UV$ users, where each relay serves $V$ disjoint users, and each subset of $G$ users shares an independent groupwise key. Two security requirements are imposed: relay security and server security. Specifically, each relay must not learn any information about the users' inputs, and the server must not learn any additional information beyond the recovered sum of all inputs. We first show that the problem is infeasible when $G = 1$. For the feasible regime $1 < G \le UV$, we fully characterize the optimal rate region. In particular, we prove that both each user and each relay must transmit at least one symbol per input symbol. Furthermore, we characterize the minimum required groupwise key rate as $\max\left\{\frac{V}{\binom{UV}{G} - \binom{(U-1)V}{G}},\; \frac{U - 1}{\binom{UV}{G} - U \binom{V}{G}}\right\},$ where the two terms correspond to the constraints imposed by relay security and server security, respectively. For achievability, we propose an explicit linear coding scheme based on structured precoding matrices, and show that it satisfies both correctness and security requirements. The construction avoids permutation-based symmetrization by leveraging sufficiently generic matrix designs over large fields. Finally, we establish a matching converse, thereby characterizing the optimal rate region.