arXiv:2112.00394v1 [cs.IT] 1 Dec 2021
Wiretap Secret Key Agreement Via Secure Omniscience
Praneeth Kumar Vippathalla, Chung Chan, Navin Kashyap and Qiaoqiao Zhou
Abstract—In this paper, we explore the connection between secret key agreement and secure omniscience within the setting of the multiterminal source model with a wiretapper who has side information. While the secret key agreement problem considers the generation of a maximum-rate secret key through public discussion, the secure omniscience problem is concerned with communication protocols for omniscience that minimize the rate of information leakage to the wiretapper. The starting point of our work is a lower bound on the minimum leakage rate for omniscience, $R_L$, in terms of the wiretap secret key capacity, $C_W$. Our interest is in identifying broad classes of sources for which this lower bound is met with equality, in which case we say that there is a duality between secure omniscience and secret key agreement. We show that this duality holds in the case of certain finite linear source (FLS) models, such as two-terminal FLS models and pairwise independent network models on trees with a linear wiretapper. Duality also holds for any FLS model in which $C_W$ is achieved by a perfect linear secret key agreement scheme. We conjecture that the duality in fact holds unconditionally for any FLS model. On the negative side, we give an example of a (non-FLS) source model for which duality does not hold if we limit ourselves to communication-for-omniscience protocols with at most two (interactive) communications. Finally, we demonstrate the usefulness of our lower bound on $R_L$ by using it to derive equivalent conditions for the positivity of $C_W$ in the multiterminal model. This extends a recent result of Gohari, Gunlu and Kramer (2020) obtained for the two-user setting.
Index Terms—Information theoretic security, secret key generation, secure omniscience, leakage rate for omniscience, tree-PIN model, finite linear sources
I. INTRODUCTION
In the setting of the multiterminal source model for secure computation, users who privately observe correlated random variables from a source try to compute functions of these private observations through interactive public discussion. The goal of the users is to keep these computed functions secure from a wiretapper who has some side information (a random variable possibly correlated with the source), and noiseless access to the public discussion. A well-studied problem within this model is that of secret key agreement, where users try to agree on a key that is kept secure from the wiretapper. In other words, users try to compute a common function that is independent of the public discussion and the wiretapper's side information.
N. Kashyap ([email protected]) and Praneeth Kumar V. ([email protected]) are with the Department of Electrical Communication Engineering, Indian Institute of Science, Bangalore 560012. Their work was supported in part by a Swarnajayanti Fellowship awarded to N. Kashyap by the Department of Science & Technology (DST), Government of India.
C. Chan (email: [email protected]) is with the Department of Computer Science, City University of Hong Kong. His work is supported by a grant from the University Grants Committee of the Hong Kong Special Administrative Region, China (Project No. 21203318).
Q. Zhou (email: [email protected]) is with the Department of Computer Science, National University of Singapore.
Corresponding author: C. Chan
This work was presented in part at the 2020 IEEE International Symposium on Information Theory, and in part at the 2021 IEEE International Symposium on Information Theory.
The secret key agreement problem was first studied for two users by Maurer [1], and Ahlswede and Csiszar [2]. These works attempted to characterize the wiretap secret key capacity $C_W$, which is defined as the maximum secret key rate possible with unlimited public discussion. They were able to do this in certain special cases, for instance, in the case when only one user is allowed to communicate [2, Theorem 1], and in the case when the wiretapper's side information is conditionally independent of one user's private information, given that of the other user [1, Theorems 2 and 3]. In particular, when the wiretapper has no side information, $C_W$ was shown to be equal to the mutual information between the random variables observed by the two users. But, for the two-user setting without additional assumptions, only upper and lower bounds on $C_W$ were given. Subsequently, there have been multiple efforts, notably [3–5], to strengthen and extend these bounds to the general setting of two or more users, but finding a single-letter expression remains a fundamental open problem in this domain.
In the course of extending the earlier results to the setting of multiple users, Csiszar and Narayan [4] gave a single-letter expression for the secret key capacity in the case when the wiretapper has no side information. They did this by establishing an equivalence or "duality" between the secret key agreement problem and the source coding problem of communication for omniscience, which is attained when each user is able to recover (with high probability) the private observations of all the other users. They observed that a secret key of maximum rate can be extracted from a protocol that involves public discussion at the minimum rate required to attain omniscience. They were thus able to relate the secret key capacity to $R_{CO}$, the minimum rate of communication required for omniscience, which can be obtained as the solution to a relatively simple linear program.
Subsequently, Gohari and Anantharam [5] succeeded in establishing a similar duality in the more general setting of a wiretapper having side information. They showed an equivalence between the wiretap secret key agreement problem (in the presence of a wiretapper having side information) and a problem of communication for omniscience at a neutral observer. In the latter problem, there is (in addition to the users and the wiretapper) a neutral observer who is given access to the wiretapper's side information. The goal here is for the users to communicate in public to create a shared random variable which, when provided to the neutral observer, allows the observer to reconstruct all the users' private observations. Theorem 3 of [5] relates $C_W$ to the minimum rate of public communication required for omniscience at the neutral observer. However, this does not lead to a single-letter expression for $C_W$, as it is not known how to compute the minimum rate of communication for omniscience at the neutral observer.
Motivated in part by the results of [4] and [5], we explore the possibility of an alternative duality existing between the wiretap secret key problem and a certain secure omniscience problem, in the hope of obtaining additional insight on $C_W$, potentially leading to its evaluation in settings where it still remains unknown. In the secure omniscience problem we consider, we stay within the original setting of the multiterminal source model with a wiretapper having side information. The users communicate interactively in public so as to attain omniscience, but now the aim is not necessarily to minimize the rate of communication needed for this. Instead, the goal is to minimize the rate at which the communication for omniscience leaks information about the source to the wiretapper. We give the formal definition of $R_L$, the minimum information leakage rate of any communication for omniscience, in Section II.
A. Main Contributions
The starting point of our paper is an inequality that relates the wiretap secret key capacity and the minimum leakage rate for omniscience for a source $(Z_V, Z_w)$. Here, $V := \{1, \dots, m\}$ denotes the set of users, $Z_V := (Z_i \mid i \in V)$ is the collection of user observations, and $Z_w$ denotes the wiretapper's side information. We then have
$$H(Z_V|Z_w) - C_W \le R_L. \tag{1}$$
The inequality follows from a standard argument: once the users attain omniscience via a communication protocol that achieves the minimum leakage rate $R_L$, they can extract a secret key of rate $H(Z_V|Z_w) - R_L$ from the reconstruction of $Z_V$ available to each of them.
If the inequality in (1) holds with equality, then we refer to it as a duality between secure omniscience and wiretap secret key agreement. Essentially, whenever this duality holds, a secret key of maximum rate can be extracted from a communication for omniscience protocol that minimizes the leakage rate. Note that equality in (1) yields an expression for $C_W$ in terms of $R_L$, but its utility towards computing $C_W$ is unclear, as it is not known whether $R_L$ admits a single-letter expression.
We first address the question of whether there is always a duality between secure omniscience and wiretap secret key agreement for any multiterminal source model with wiretapper. Note that if equality holds in (1), then it must be the case that $C_W = 0$ iff $R_L = H(Z_V|Z_w)$. Now, it is easily shown that, for any multiterminal source model, $C_W = 0$ implies $R_L = H(Z_V|Z_w)$. This follows directly from (1) and the upper bound $R_L \le H(Z_V|Z_w)$, which always holds, as is easily seen from the definition of $R_L$; see Theorem 1 in Section II. It is not so clear whether the converse is also true, namely, that $R_L = H(Z_V|Z_w)$ implies $C_W = 0$. We conjecture that the converse does not always hold, i.e., there are sources for which $R_L = H(Z_V|Z_w)$, yet $C_W > 0$. We make partial progress in this direction by showing that this is the case if we restrict ourselves to omniscience protocols in which at most two communications are allowed. We give an example of a two-user source model for which $C_W > 0$, but the leakage rate equals $H(Z_V|Z_w)$ for any omniscience protocol involving at most two messages. While our example does not definitively resolve the issue of duality between secure omniscience and wiretap secret key agreement, it seems to indicate that this duality may not always hold.
Next, we consider a broad class of sources, namely, finite linear sources, for which we believe the duality must hold. In a finite linear source (FLS) model, each user's observations, as well as the wiretapper's side information, are given by a linear transformation of an underlying random vector consisting of finitely many i.i.d. uniform random variables. This class of sources has received some prior attention [6–8]. We prove that (1) holds with equality for FLS models in which the wiretap secret key capacity $C_W$ is achieved by a perfect key agreement protocol involving public communications that are linear functions of the users' observations. It is an open question as to whether $C_W$ can always be achieved through linear communication protocols for any FLS model, but it is reasonable to expect that this is the case. We also give two unconditionally positive results: duality holds in the case of two-user FLS models, and in the case of pairwise independent network (PIN) models on trees [9, 10] in which the wiretapper's side information is a linear function of the source. In both these cases, we obtain explicit expressions for $R_L$ and $C_W$. In fact, in the case of tree-PIN models with a linear wiretapper, we are able to explicitly determine the maximum secret key rate achievable when the total rate of public communication is constrained to be at most $R$.
Finally, we show that the inequality in (1) can be useful on its own. We use it to extend to the multi-user setting a recent result of Gohari, Gunlu and Kramer [11] that gives several equivalent conditions for the positivity of $C_W$ in a two-user source model.
B. Related Work
Our work is closely related to that of Prabhakaran and Ramchandran [12]. In their work, they considered the problem of secure source coding in a two-user model with a wiretapper where only one user is allowed to communicate to the other. This kind of communication is commonly referred to as one-way communication. The goal here is to communicate in such a way that the receiving user recovers the observations of the transmitting user while minimizing the rate of information leaked to the wiretapper about the transmitting user's source. In this case, they obtained a single-letter characterization of the minimum leakage rate for recovering one terminal's observation by the other terminal by using conventional information-theoretic techniques. Moreover, they used this quantity to lower bound the wiretap secret key capacity. Our work, in fact, generalizes this result by considering the minimum leakage rate for omniscience instead, in the multi-user setting where interactive communication is allowed.
The secure source coding problem considered in [12] has been generalized and studied extensively in the direction of characterizing the minimum rate of leakage of the transmitter's source [13, 14] by incorporating various constraints. For instance, Villard and Piantanida [14] considered a model similar to that in [12], but the receiving user observes coded side information from a third party. Since uncoded side information is a special case of coded side information, this framework subsumes the model of [12]. For this model, they studied the problem in broad generality by considering a lossy recovery of the transmitter's observations at the receiving terminal in the presence of a wiretapper. They gave a characterization of the rate-distortion-leakage rate region, which is the set of all achievable tuples of communication rate, distortion and leakage rate.
Recently, in [15], Tu and Lai have considered the same model but studied the problem of lossy function computation by the receiving terminal, which is a further generalization of the model of [14]. They also considered the privacy aspect (leakage of the transmitting user's source to the receiving user) and studied it along with the rate-distortion-leakage rate region. They were able to give an explicit characterization of the entire achievable rate region.
This problem falls in the class of source coding for distributed function computation; see, e.g., [15–19]. In this problem, each user has access to a private random variable, and they wish to compute functions of these private random variables by communicating in public, possibly interactively and/or in the presence of a wiretapper. For instance, in [18], Ma and Ishwar have considered a two-user model without a wiretapper, where users, after observing private random variables, interactively communicate to compute functions of these private random variables. They studied the interactive communication rates needed for the computation of functions and completely characterized the rate region. Subsequently, this work has been extended by [20] to randomized function computation in the two-user case. Recently, [21] has studied randomized function computation while also including privacy constraints on the users' observations.
One work that studies function computation in the context of the multi-user source model with a wiretapper is [19]. In their work, Tyagi, Narayan, and Gupta assumed that the wiretapper has no side information and addressed the question: when can a common function be computed securely? Here we say a function is securely computable if it is kept asymptotically independent of the communication that is needed to compute this function. It means that the wiretapper can gain almost no knowledge of the function output even with access to the communication. They answered this question by relating it to the secret key capacity of the source model. The precise result is that a common function is securely computable by all the terminals if and only if the entropy of the function is less than the secret key capacity.
Secure omniscience is also a problem of source coding for distributed function computation. Here, all the users try to recover the users' source, and the quantity of interest is the minimum rate of information about the source that gets leaked to the wiretapper through the communication. A problem that is closely related to secure omniscience is the coded cooperative data exchange (CCDE) problem with a secrecy constraint; see, e.g., [22, 23]. In the problem of CCDE, we consider a hypergraphical source and study one-shot omniscience. The hypergraphical model generalizes the PIN model within the class of FLSs. [23] studied secret key agreement in the CCDE context and characterized the number of transmissions required versus the number of SKs generated. On the other hand, [22] considered the same model but with wiretapper side information and explored the leakage aspect of an omniscience protocol. However, the security notion considered therein only requires that the eavesdropper cannot recover even one hyperedge of the source from the communication beyond what is already available to it; the communication scheme can still reveal information about the source. In this paper, we are interested in minimizing the rate of information leakage to the wiretapper. Though we consider the asymptotic notion, the designed optimal communication scheme uses only a finite number of realizations of the source. Hence our scheme can find applications even in CCDE problems.
The role of omniscience in multi-user secret key agreement (with wiretapper side information) was highlighted in the work of Csiszar and Narayan [4]. They showed that the maximum key rate could be achieved by communicating at the minimum rate for omniscience. This led to the question of whether omniscience is optimal even in terms of the minimum communication rate needed to achieve secret key capacity. The works [24, 25] have addressed this question by giving sufficient conditions for general sources and equivalent conditions for hypergraphical sources.
Though the characterization of the secret key capacity (without wiretapper side information) is known, and its connection with omniscience is well studied, the characterization of the wiretap secret key capacity is still an open problem. Results are known only for special sources [1, 2]. However, there has been some progress in this direction in recent times. For instance, Gohari, Gunlu and Kramer, in [11], sought a characterization of the class of two-user sources for which the wiretap secret key capacity is positive. They were able to find an equivalent characterization in terms of Renyi divergence. Its usefulness has been demonstrated on sources with an erasure model on the wiretapper side information by deriving a sufficient condition for the positivity of $C_W$. In the direction of characterizing $C_W$, Poostindouz and Safavi-Naini, in [26], have made an effort in the case of some special source models. In particular, they considered tree-PIN models with wiretapper side information containing noisy versions of the edge random variables. They obtained a characterization of $C_W$ in terms of the conditional minimum rate of communication for omniscience, which is the solution to a certain linear program.
C. Organization
This paper is organized as follows. In Section II, we introduce the problem and notations. In this section, we also establish an inequality relating the minimum leakage rate for omniscience and the wiretap secret key capacity for general source models. Section III contains an example showing that the duality does not hold between secure omniscience and secret key agreement in the case of limited interaction (with two messages allowed). This result suggests that the duality need not hold in the general case. In Section IV, we first formally define the finite linear source models and prove a duality result concerning linear protocols. Furthermore, we establish an unconditional result in the two-user FLS case. In Section V, we prove the duality in the case of the tree-PIN model with linear wiretapper. Moreover, for this model, we determine the rate region containing all achievable secret key rate and total communication rate pairs. In fact, we use a secure omniscience scheme for a part of the source to obtain this result. In Section VI, we obtain some equivalent conditions for the positivity of $C_W$ for the multi-user case using (1). This generalizes the two-user result of [11]. Finally, we discuss the open problems and challenges in establishing duality in Section VII.
II. PROBLEM FORMULATION
In this section, we describe two different scenarios, namely wiretap secret key agreement and secure omniscience, in the context of the multiterminal source model. In this model, the terminals communicate publicly using their correlated observations to compute functions securely from the eavesdropper, who has access to the public communication along with some side information. More precisely, let $V = [m] := \{1, \dots, m\}$ be the set of users, and let $w$ denote the wiretapper. Let $Z_1, \dots, Z_m$ and $Z_w$ be random variables taking values in finite alphabets $\mathcal{Z}_1, \dots, \mathcal{Z}_m$ and $\mathcal{Z}_w$ respectively, with joint distribution $P_{Z_1 \cdots Z_m Z_w}$. Let $Z_V := (Z_i : i \in V)$, and let $Z_i^n$ denote the $n$ i.i.d. realizations of $Z_i$. For $i \in V$, user $i$ has access to the random variable $Z_i$, and the wiretapper observes $Z_w$. Upon observing $n$ i.i.d. realizations, the users communicate interactively using their observations, and possibly independent private randomness, on the noiseless and authenticated channel. In other words, the communication made by a user in any round depends on all the previous rounds' communications and the user's own observations. Let $F^{(n)}$ denote this interactive communication. We say $F^{(n)}$ is non-interactive if it is of the form $(F_i^{(n)} : i \in V)$, where $F_i^{(n)}$ depends only on $Z_i^n$ and the private randomness of user $i$. Note that the eavesdropper has access to the pair $(F^{(n)}, Z_w^n)$. At the end of the communication, each user outputs a value in a finite set using its observations and $F^{(n)}$. For example, user $i$ outputs $E_i^{(n)}$ using $(F^{(n)}, Z_i^n)$ and its private randomness. See Fig. 1.
A. Secure Omniscience
In the secure omniscience scenario, each user tries to recover the observations of all the users other than the wiretapper. We say that $(F^{(n)}, E_1^{(n)}, \dots, E_m^{(n)})_{n \ge 1}$ is an omniscience scheme if it satisfies the recoverability condition for omniscience:
$$\liminf_{n \to \infty} \Pr\big(E_1^{(n)} = \cdots = E_m^{(n)} = Z_V^n\big) = 1. \tag{2}$$
[Fig. 1: terminals $1, 2, \dots, m$ observing $Z_1^n, Z_2^n, \dots, Z_m^n$ from the source $P_{Z_1 Z_2 \cdots Z_m Z_w}$, the wiretapper $w$ observing $Z_w^n$, the public communication $F^{(n)}$, and the outputs $E_1^{(n)}, E_2^{(n)}, \dots, E_m^{(n)}$.]
Fig. 1. Multiterminal source model with wiretapper side information. The terminals interactively discuss over a public channel using their observations from a correlated source to compute their respective functions.
The minimum leakage rate for omniscience is defined as
$$R_L := \inf \Big\{ \limsup_{n \to \infty} \frac{1}{n} I\big(F^{(n)} \wedge Z_V^n \,\big|\, Z_w^n\big) \Big\} \tag{3}$$
where the infimum is over all omniscience schemes. We sometimes use $R_L(Z_V \,\|\, Z_w)$ instead of $R_L$ to make the source explicit. When there is no wiretapper side information, the above notion coincides with the minimum rate of communication for omniscience, $R_{CO}$ [4]. The conditional minimum rate of communication for omniscience, $R_{CO}(Z_V|J)$, is used in situations where all the users have access to a common random variable $J^n$ along with their private observations. This means that user $i$ observes $(J^n, Z_i^n)$.
B. Wiretap Secret Key Agreement
In wiretap secret key agreement, each user tries to compute a common function, which is called a key, that is kept secure from the wiretapper. Specifically, we say that $(F^{(n)}, E_1^{(n)}, \dots, E_m^{(n)})_{n \ge 1}$ is a wiretap secret key agreement (SKA) scheme if there exists a sequence $(K^{(n)})_{n \ge 1}$ such that
$$\liminf_{n \to \infty} \Pr\big(E_1^{(n)} = \cdots = E_m^{(n)} = K^{(n)}\big) = 1, \tag{4a}$$
$$\limsup_{n \to \infty} \big[ \log |K^{(n)}| - H(K^{(n)} \,|\, F^{(n)}, Z_w^n) \big] = 0, \tag{4b}$$
where $|K^{(n)}|$ denotes the cardinality of the range of $K^{(n)}$. Conditions (4a) and (4b) are referred to as the key recoverability condition and the secrecy condition of the key, respectively. The wiretap secret key capacity is defined as
$$C_W := \sup \Big\{ \liminf_{n \to \infty} \frac{1}{n} \log |K^{(n)}| \Big\} \tag{5}$$
where the supremum is over all SKA schemes. The quantity $C_W$ is also sometimes written as $C_W(Z_V \,\|\, Z_w)$. In (5), we use $C_S$ instead of $C_W$ when the wiretapper side information is set to a constant. Similarly, we use $C_P(Z_V|J)$ in the case when the wiretapper side information is $Z_w = J$ and all the users have the shared random variable $J$ along with their private observations $Z_i$. The quantities $C_S$ and $C_P(Z_V|J)$ are referred to as the secret key capacity of $Z_V$, and the private key capacity of $Z_V$ with compromised-helper side information $J$, respectively.
The following theorem gives a lower bound on the minimum leakage rate for omniscience for a general source $(Z_V, Z_w)$. The lower bound on $R_L$ in terms of the wiretap secret key capacity is obtained by using the idea of privacy amplification on the recovered source.
Theorem 1 For a general source $(Z_V, Z_w)$,
$$H(Z_V|Z_w) - C_W \le R_L \le H(Z_V|Z_w). \tag{6}$$
PROOF Given a discussion scheme that achieves $R_L$, one can apply privacy amplification [4, Lemma B.2] to extract a secret key of rate $H(Z_V|Z_w) - R_L$ from the recovered source. Since the secret key rate thus achieved is bounded above by $C_W$, we obtain the lower bound on $R_L$. The upper bound on $R_L$ follows from (3), upon noting that $\frac{1}{n} I(F^{(n)} \wedge Z_V^n \,|\, Z_w^n) \le H(Z_V|Z_w)$. ■
Remark 1 Note that the achievable key rate is intuitively the total amount of randomness in the recovered source $Z_V$ that is neither in the wiretapper's side information $Z_w$ nor revealed in public. ✷
One can observe that for any source,
$$R_L \le R_{CO}, \tag{7}$$
which follows easily from (3) as $I(F^{(n)} \wedge Z_V^n \,|\, Z_w^n) \le H(F^{(n)})$ and $F^{(n)}$ is an omniscience scheme. Therefore, we have $R_L \le \max\{R_{CO}, H(Z_V|Z_w)\}$.
III. DUALITY BETWEEN SECURE OMNISCIENCE AND WIRETAP SECRET KEY AGREEMENT: LIMITED INTERACTION
In this section, we address the question of whether there is always a duality between secure omniscience and wiretap secret key agreement for any multiterminal source model with wiretapper. We study this by considering a necessary condition for duality, which is $C_W > 0$ iff $R_L < H(Z_V|Z_w)$. One direction, that $R_L < H(Z_V|Z_w)$ implies $C_W > 0$, holds for any source and follows from (6). For the other direction, intuitively, if the users can generate a secret key that is independent of the wiretapper's side information, then they can use this advantage to protect some information during an omniscience scheme. However, we will prove that this need not be the case if we limit the number of messages exchanged between the users.
To illustrate this result, let us consider a two-user setting ($m = 2$) with source distribution $P_{Z_1 Z_2 Z_w}$. Let $r$ be the number of messages exchanged between the users, and let $C_W^{(r)}$ and $R_L^{(r)}$ denote the wiretap secret key capacity and the minimum leakage rate for omniscience, respectively, when we allow at most $r$ messages to be exchanged among the users. Note that we can ensure omniscience only if we allow $r \ge 2$, because omniscience is not guaranteed with one message transmission. Moreover, omniscience can be obtained using a non-interactive communication that involves only 2 messages. Here $R_L^{(r)} < H(Z_1, Z_2|Z_w)$ implies $C_W^{(r)} > 0$, because if the users can achieve omniscience using $r$ messages such that $R_L^{(r)} < H(Z_1, Z_2|Z_w)$, then they can apply privacy amplification to recover a key with positive rate, implying $C_W^{(r)} > 0$. For the other direction, we show that $C_W^{(r)} > 0$ does not imply $R_L^{(r)} < H(Z_1, Z_2|Z_w)$ if $r = 2$. This is stated in the following proposition.
Proposition 1 If $r = 2$, then for any source $P_{Z_1 Z_2 Z_w}$,
$$R_L^{(r)} < H(Z_1, Z_2|Z_w) \implies C_W^{(r)} > 0.$$
However, the converse need not hold.
To prove the converse, we first derive an upper bound on $R_L^{(2)}$ using the results from the one-way communication setting. We then give a source in Lemma 3 that finally proves the converse. In the rest of this section, we denote $Z_1, Z_2$ and $Z_w$ by $X, Y$, and $Z$, respectively. The random variables $X, Y$, and $Z$ take values in finite sets $\mathcal{X}$, $\mathcal{Y}$, and $\mathcal{Z}$, respectively.
A. One-way communication, i.e., $r = 1$
Before we address the problem completely, we first consider a model with only one message allowed. Since omniscience requires a minimum of two messages between users, we slightly modify the setup by letting only one of the users recover the other user's observations; see Fig. 2. We define the minimum leakage rate for recovery of $X$ by user 2 as
$$R_L^{ow} := \inf \Big\{ \limsup_{n \to \infty} \frac{1}{n} I\big(F_1^{(n)} \wedge X^n \,\big|\, Z^n\big) \Big\},$$
where the infimum is over all one-way communication schemes that allow user 2 to recover $X$. Furthermore, the definition of the one-way wiretap secret key capacity, denoted by $C_W^{ow}$, is the same as (5) with the exception that the supremum is taken over all one-way SKA schemes.
[Fig. 2: user 1 observing $X^n$, user 2 observing $Y^n$, wiretapper $w$ observing $Z^n$, a single message $F_1$ from user 1, and outputs $E_1^{(n)}$ and $E_2^{(n)}$.]
Fig. 2. Only one message transfer is allowed. Since omniscience is, in general, not possible within this setup, we only allow user 2 to recover user 1's observations, i.e., $E_1^{(n)}$ is constant and $E_2^{(n)} = X^n$.
Ahlswede and Csiszar, in [2], studied one-way wiretap secret key agreement, and gave a single-letter expression [2, Theorem 1] for the secret key capacity:
$$C_W^{ow} = \max_{V - U - X - (Y,Z)} \big[ I(U \wedge Y|V) - I(U \wedge Z|V) \big]. \tag{8}$$
In the above optimization, it is enough to consider random variables $U$ and $V$ (taking values in sets $\mathcal{U}$ and $\mathcal{V}$, respectively) such that $|\mathcal{U}| \le |\mathcal{X}|^2$ and $|\mathcal{V}| \le |\mathcal{X}|$.
On the other hand, the problem of the one-way leakage rate was studied in [12], but with a measure of leakage that differs from $R_L^{ow}$ only by $I(X \wedge Z)$. They gave a single-letter characterization [12, Theorem 1] for the minimum leakage rate for recovering $X$:
$$R_L^{ow} = \min_{S - X - (Y,Z)} \big[ I(S \wedge X|Z) + H(X|S,Y) \big], \tag{9}$$
where the minimization is over random variables $S$ taking values in a set $\mathcal{S}$ such that $|\mathcal{S}| \le |\mathcal{X}|$.
We will make use of the following standard result on broadcast channels to construct a source $P_{XYZ}$ with $C_W^{ow} > 0$ and $R_L^{ow} = H(X|Z)$. Let $h(q)$ denote the binary entropy function, i.e., $h(q) = -q \log_2 q - (1-q) \log_2 (1-q)$, for $q \in (0,1)$.
Lemma 1 ([27, p. 121]) Consider a discrete memoryless broadcast channel $P_{YZ|X}$ with $X \in \{0,1\}$, $Y \in \{0,1\}$ and $Z \in \{0, 1, \Delta\}$, where the channel from $X$ to $Y$ is $\mathrm{BSC}(p)$, $p \in (0, \tfrac{1}{2})$, and the channel from $X$ to $Z$ is $\mathrm{BEC}(\epsilon)$, $\epsilon \in (0,1)$. Then, for $4p(1-p) < \epsilon \le h(p)$,
1) $Z$ is more capable than $Y$, i.e., for every input distribution $P_X$, $I(X \wedge Z) \ge I(X \wedge Y)$;
2) $Z$ is not less noisy than $Y$, i.e., there exists a joint distribution $P^*_{UX}$, where $P_{UXYZ} = P^*_{UX} P_{YZ|X}$, such that $I(U \wedge Z) < I(U \wedge Y)$.
In fact, a $P^*_{UX}$ that satisfies the above condition is obtained by passing $U \sim \mathrm{Ber}(\tfrac{1}{2})$ through $\mathrm{BSC}(\tfrac{1}{2} - \delta)$ with output $X$, where $\delta > 0$ is small enough, and depends on $\epsilon$ and $p$. ✷
Note that, for the distribution $P^*_{UX}$ in the above lemma, the marginal distribution of $X$ is $\mathrm{Ber}(\tfrac{1}{2})$.
Lemma 2 There exists a source $P_{XYZ}$ such that $C_W^{ow} > 0$ but $R_L^{ow} = H(X|Z)$. ✷
PROOF Consider the source $P_{XYZ} = P_X P_{Y|X} P_{Z|X}$ where $X \sim \mathrm{Ber}(\tfrac{1}{2})$, the channel from $X$ to $Y$ is $\mathrm{BSC}(p)$ and the channel from $X$ to $Z$ is $\mathrm{BEC}(\epsilon)$ such that $4p(1-p) < \epsilon \le h(p)$. According to Lemma 1, $Z$ is not less noisy than $Y$. Therefore, $I(U \wedge Z) < I(U \wedge Y)$ for some joint distribution $P^*_{UX} = P^*_{U|X} P_X$ where $X \sim \mathrm{Ber}(\tfrac{1}{2})$. The joint distribution $P_{UXYZ} := P^*_{U|X} P_{XYZ} = P^*_{UX} P_{YZ|X}$ satisfies the Markov chain $U - X - (Y,Z)$. It follows that
$$C_W^{ow} = \max_{V - U - X - (Y,Z)} \big[ I(U \wedge Y|V) - I(U \wedge Z|V) \big] \overset{(a)}{\ge} I(U \wedge Y) - I(U \wedge Z) > 0$$
where (a) is obtained by setting $V$ to a constant. This proves that the wiretap secret key capacity is strictly positive.
The minimum leakage rate for one-way communication,
$$R_L^{ow} = \min_{S - X - (Y,Z)} \big[ I(S \wedge X|Z) + H(X|S,Y) \big] = \min_{S - X - (Y,Z)} \big[ H(X|Z) + H(X|S,Y) - H(X|S,Z) \big],$$
is upper bounded by $H(X|Z)$, which is obtained by setting $S := X$. For $H(X|Z) \le R_L^{ow}$, it is enough to prove that for any $S - X - (Y,Z)$, $H(X|S,Y) - H(X|S,Z) = I(X \wedge Z|S) - I(X \wedge Y|S) \ge 0$. Observe that
$$I(X \wedge Z|S) - I(X \wedge Y|S) = \sum_{s} P_S(s) \big[ I(X \wedge Z|S = s) - I(X \wedge Y|S = s) \big].$$
For an $s$ with $P_S(s) > 0$, the term $I(X \wedge Z|S = s) - I(X \wedge Y|S = s)$ is evaluated with respect to $P_{X,Y,Z|S=s} = P_{X|S=s} P_{Y,Z|X} = P_{X|S=s} P_{Y|X} P_{Z|X}$. So this term is equal to $I(X_s \wedge Z) - I(X_s \wedge Y)$, where $X_s \sim P_{X|S=s}$, and $Y$ (resp. $Z$) is obtained by passing $X_s$ through $\mathrm{BSC}(p)$ (resp. $\mathrm{BEC}(\epsilon)$). Since $Z$ is more capable than $Y$, $I(X_s \wedge Z) - I(X_s \wedge Y) \ge 0$ for every $s$. As a result, we have $I(X \wedge Z|S) - I(X \wedge Y|S) \ge 0$, which completes the proof. ■
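The BSC/BEC source of Lemmas 1 and 2, checked numerically as an added example (this is not code from the paper; the function names, the parameter choice $p = 0.1$, $\epsilon = 0.4$, and the grid searches over $q$ and $\delta$ are my own assumptions). It verifies the more-capable inequality over input distributions $\mathrm{Ber}(q)$, which is also the step that closes the proof of Lemma 2, finds a $\delta$ for which $I(U \wedge Y) - I(U \wedge Z) > 0$ so that (8) with $V$ constant gives $C_W^{ow} > 0$, and evaluates $R_L^{ow} = H(X|Z)$.

```python
"""Numerical check of the BSC/BEC source used in Lemma 1 and Lemma 2.

Constructed example, not the paper's code: X ~ Ber(q), Y = BSC(p) output,
Z = BEC(eps) output, and U ~ Ber(1/2) sent through BSC(1/2 - delta) to X.
All quantities are in bits.
"""
from math import log2


def h(q):
    """Binary entropy function h(q) in bits, with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * log2(q) - (1.0 - q) * log2(1.0 - q)


def bsc_out(q, p):
    """Pr[output = 1] when a Ber(q) input is sent through BSC(p)."""
    return q * (1.0 - p) + (1.0 - q) * p


def mi_bsc(q, p):
    """I(X ^ Y) for X ~ Ber(q) and Y the output of BSC(p): H(Y) - h(p)."""
    return h(bsc_out(q, p)) - h(p)


def mi_bec(q, eps):
    """I(X ^ Z) for X ~ Ber(q) and Z the output of BEC(eps): (1 - eps) H(X)."""
    return (1.0 - eps) * h(q)


def lemma1_range(p, eps):
    """True iff 4p(1-p) < eps <= h(p), the parameter range assumed in Lemma 1."""
    return 4.0 * p * (1.0 - p) < eps <= h(p)


def is_more_capable(p, eps, steps=2000, tol=1e-12):
    """Lemma 1, part 1: I(X ^ Z) >= I(X ^ Y) for every input law Ber(q).

    Checked on a grid of q values (an assumption of this example, not a
    proof).  The same inequality applied to X_s ~ P_{X|S=s} is exactly the
    step that finishes the proof of Lemma 2.
    """
    return all(mi_bec(k / steps, eps) + tol >= mi_bsc(k / steps, p)
               for k in range(steps + 1))


def key_rate_lower_bound(p, eps, delta):
    """I(U ^ Y) - I(U ^ Z) for U ~ Ber(1/2) sent through BSC(1/2 - delta) to X.

    U -> X -> Y is a BSC with crossover bsc_out(1/2 - delta, p), and since Z is
    an erased copy of X, I(U ^ Z) = (1 - eps) I(U ^ X).  By (8) with V set to a
    constant, a positive value is a lower bound on C_W^ow.
    """
    a = 0.5 - delta
    i_uy = mi_bsc(0.5, bsc_out(a, p))
    i_uz = (1.0 - eps) * mi_bsc(0.5, a)
    return i_uy - i_uz


def best_delta(p, eps, steps=500):
    """Scan delta in (0, 1/2] and return (delta, bound) with the largest bound."""
    cands = [(key_rate_lower_bound(p, eps, k / (2 * steps)), k / (2 * steps))
             for k in range(1, steps + 1)]
    bound, delta = max(cands)
    return delta, bound


def one_way_leakage_rate(eps, q=0.5):
    """R_L^ow = H(X|Z) = eps * H(X) for the Lemma 2 source with X ~ Ber(q)."""
    return eps * h(q)


if __name__ == "__main__":
    p, eps = 0.1, 0.4            # 4p(1-p) = 0.36 < 0.4 <= h(0.1), so Lemma 1 applies
    print("Lemma 1 parameter range:", lemma1_range(p, eps))
    print("Z more capable than Y:", is_more_capable(p, eps))
    print("best delta and C_W^ow lower bound:", best_delta(p, eps))
    print("R_L^ow = H(X|Z):", one_way_leakage_rate(eps))
    # eps = 0.3 < 4p(1-p): no delta gives a positive bound on this grid
    print("eps = 0.3, best bound:", best_delta(p, 0.3))
```

With $\delta = \tfrac{1}{2}$ (so $X = U$) the bound is negative, which is why Lemma 1 asks for $\delta$ small enough rather than for an arbitrary $\delta$.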
B. Two messages are allowed, i.e., r = 2
If we allow the users to exchange two messages interactively (Fig. 3), then omniscience is possible as users 1 and 2 can communicate non-interactively at any rate larger than H(X|Y) + H(Y|X) to recover each other's source. Let $C^{(r)}_W$ and $R^{(r)}_L$ be defined as in (5) and (3) but with a restriction to communication schemes involving only r = 2 interactive messages. Here we do not impose the condition that a particular user must transmit the first message. So any user can initiate the protocol, but we allow at most two messages to be exchanged. Even in this case, we can ask the same question: Does $C^{(2)}_W > 0$ imply that $R^{(2)}_L < H(X,Y|Z)$?
[Fig. 3 shows users 1 and 2 with observations $X^n$ and $Y^n$, the wiretapper W with $Z^n$, the blocks $E^{(n)}_1$, $E^{(n)}_2$, and the public discussion F.]
Fig. 3. Two messages are allowed. Here omniscience is feasible. If user 1 initiates the communication, then $F = (F_1, F_2)$ where $F_2$, the communication by user 2, depends on $F_1$. Similarly, if user 2 starts the communication, then $F = (F_2, F_1)$ and $F_1$, the communication made by user 1, depends on $F_2$.
It turns out that with two messages, the ability to generate a positive secret key rate does not imply that the minimum leakage rate for omniscience is strictly less than H(X,Y|Z). To show this, we will use the results from the one-way communication setting. Let $R^{\mathrm{ow}}_L(1 \to 2)$ (resp. $R^{\mathrm{ow}}_L(2 \to 1)$) denote the minimum leakage rate for recovery of X by user 2 when user 1 is the transmitter (resp. recovery of Y by user 1 when user 2 is the transmitter). Similarly, $C^{\mathrm{ow}}_W(1 \to 2)$ and $C^{\mathrm{ow}}_W(2 \to 1)$ denote the one-way wiretap secret key capacities when the communicator is user 1 and user 2, respectively. By (9) and (8), we have
\[ R^{\mathrm{ow}}_L(1 \to 2) = \min_{S - X - (Y,Z)} \big[ I(S \wedge X|Z) + H(X|S,Y) \big], \qquad C^{\mathrm{ow}}_W(1 \to 2) = \max_{V - U - X - (Y,Z)} \big[ I(U \wedge Y|V) - I(U \wedge Z|V) \big], \]
and
\[ R^{\mathrm{ow}}_L(2 \to 1) = \min_{S - Y - (X,Z)} \big[ I(S \wedge Y|Z) + H(Y|S,X) \big], \qquad C^{\mathrm{ow}}_W(2 \to 1) = \max_{V - U - Y - (X,Z)} \big[ I(U \wedge X|V) - I(U \wedge Z|V) \big]. \]
Since any one-way SKA scheme is also a valid SKA scheme in the r = 2 case,
\[ C^{(2)}_W \ge \max\big\{ C^{\mathrm{ow}}_W(1 \to 2),\, C^{\mathrm{ow}}_W(2 \to 1) \big\}. \tag{10} \]
We next prove the following lower bound on the minimum leakage rate:
\[ R^{(2)}_L \ge \min\big\{ R^{\mathrm{ow}}_L(1 \to 2) + H(Y|Z,X),\; R^{\mathrm{ow}}_L(2 \to 1) + H(X|Z,Y) \big\}, \tag{11} \]
where each term corresponds to a lower bound on the leakage rate when a particular user transmits first. This bound may not be tight in general but will be enough for our purpose of constructing a counterexample. To prove (11), first we will show that $R^{(2)}_L \ge R^{\mathrm{ow}}_L(1 \to 2) + H(Y|Z,X)$ when user 1 starts the communication. Note that for any omniscience scheme $(F^{(n)}_1, F^{(n)}_2)$, we have
\[ I(F^{(n)}_1, F^{(n)}_2 \wedge X^n, Y^n \,|\, Z^n) \ge I(F^{(n)}_1 \wedge X^n \,|\, Z^n) + I(F^{(n)}_2 \wedge Y^n \,|\, Z^n, X^n) \ge I(F^{(n)}_1 \wedge X^n \,|\, Z^n) + H(Y^n \,|\, Z^n, X^n) - n\delta_n, \]
where the last inequality follows from Fano's inequality and the recoverability condition of $Y^n$ from $F^{(n)}_2$ and $X^n$. Here, $\delta_n \to 0$ as $n \to \infty$. Therefore, we have
\[ \limsup_{n \to \infty} \frac{1}{n} I(F^{(n)}_1, F^{(n)}_2 \wedge X^n, Y^n \,|\, Z^n) \ge \limsup_{n \to \infty} \frac{1}{n} I(F^{(n)}_1 \wedge X^n \,|\, Z^n) + H(Y|Z,X) \ge R^{\mathrm{ow}}_L(1 \to 2) + H(Y|Z,X). \]
Since the above inequality holds for any omniscience scheme where user 1 initiates the communication, we can conclude that $R^{(2)}_L \ge R^{\mathrm{ow}}_L(1 \to 2) + H(Y|Z,X)$. Similarly, for omniscience schemes with user 2 starting the communication, we have that $R^{(2)}_L \ge R^{\mathrm{ow}}_L(2 \to 1) + H(X|Z,Y)$. This completes the proof of (11).
For a source distribution $P_{XYZ} = P_X P_{YZ|X} = P_Y P_{XZ|Y}$, if Z is more capable than Y for the channel $P_{YZ|X}$, then $\min_{S - X - (Y,Z)} [I(X \wedge Z|S) - I(X \wedge Y|S)] \ge 0$, which can be argued as in the proof of Lemma 2. Therefore, we have
\[ R^{\mathrm{ow}}_L(1 \to 2) + H(Y|Z,X) = \min_{S - X - (Y,Z)} \big[ I(S \wedge X|Z) + H(X|S,Y) \big] + H(Y|Z,X) = H(X,Y|Z) + \min_{S - X - (Y,Z)} \big[ I(X \wedge Z|S) - I(X \wedge Y|S) \big] \ge H(X,Y|Z). \]
Similarly, for the channel $P_{XZ|Y}$, if Z is more capable than X, then we have $R^{\mathrm{ow}}_L(2 \to 1) + H(X|Z,Y) \ge H(X,Y|Z)$. Thus $R^{(2)}_L = H(X,Y|Z)$, which follows from (6) and (11).
In addition, if Z is not less noisy than Y for $P_{YZ|X}$, then $C^{\mathrm{ow}}_W(1 \to 2) > 0$ because $\max_{V - U - X - (Y,Z)} [I(U \wedge Y|V) - I(U \wedge Z|V)] > 0$, which can be argued as in the proof of Lemma 2. Similarly, if Z is not less noisy than X for $P_{XZ|Y}$, then $C^{\mathrm{ow}}_W(2 \to 1) > 0$. So, whenever the "not less noisy" condition holds for at least one of the channels, we have $C^{(2)}_W > 0$ by (10). The lemma below identifies a source that satisfies the above conditions.
A source (X, Y, Z) is called a DSBE(p, $\epsilon$) source if (X, Y) is a doubly symmetric binary source with parameter p, and $Z \in \{0,1\}^2 \cup \{\Delta\}$ is obtained by passing (X, Y) through an erasure channel with erasure probability $\epsilon$. It means that for a DSBE(p, $\epsilon$) source (X, Y, Z), $X \sim \mathrm{Ber}(1/2)$, the channel from X to Y is a BSC(p), and the channel from (X, Y) to Z is
\[ P_{Z|X,Y}(z|x,y) = \begin{cases} 1 - \epsilon, & \text{if } z = (x, y), \\ \epsilon, & \text{if } z = \Delta, \\ 0, & \text{otherwise}, \end{cases} \]
for every $(x, y) \in \{0,1\}^2$.
Lemma 3 For a DSBE(p, $\epsilon$) source with p and $\epsilon$ chosen so that $4p(1-p) < \epsilon \le h(p)$, we have $C^{(2)}_W > 0$ but $R^{(2)}_L = H(X,Y|Z)$. ✷
PROOF Since a DSBE(p, $\epsilon$) source is symmetrical in X and Y, it is enough to show that the more capable and not less noisy conditions hold for one user. In other words, it is sufficient to show that for the channel $P_{YZ|X}$, Z is more capable than Y, and Z is not less noisy than Y.
For any binary input distribution $P_X = (P_X(0), P_X(1)) := (q, 1-q)$, $0 \le q \le 1$, to the channel $P_{YZ|X}$, we have $I(X \wedge Z) = (1-\epsilon) h(q)$ and $I(X \wedge Y) = h(p*q) - h(p)$, where $p*q = p(1-q) + (1-p)q$. Let
\[ f(q) := (1-\epsilon) h(q) - h(p*q) + h(p) = I(X \wedge Z) - I(X \wedge Y). \]
Note that this difference is the same as that of the source considered in Lemma 1. The proof of that lemma involves showing that for $4p(1-p) < \epsilon \le h(p)$, f(q) is a non-negative function, and moreover, f(q) is strictly convex around q = 1/2, which are equivalent to the more capable and not less noisy conditions, respectively. Making use of these properties of f(q), we can also conclude that for $4p(1-p) < \epsilon \le h(p)$, Z is more capable than Y, and Z is not less noisy than Y for $P_{YZ|X}$.
Since Z is not less noisy than Y for $P_{YZ|X}$, $C^{\mathrm{ow}}_W(1 \to 2)$ is positive, and hence we have $C^{(2)}_W > 0$. And, the minimum leakage rate $R^{(2)}_L = H(X,Y|Z)$ because Z is more capable than Y for the channel $P_{YZ|X}$, and Z is more capable than X for the channel $P_{XZ|Y}$. ∎
For the source given in the above lemma, no user can gain
an advantage in terms of R(2)L over the other by starting the
communication. This completes the proof of Proposition 1.
This result seems to indicate that duality does not always hold. We conjecture that for the DSBE source considered in the above lemma, $C^{(r)}_W > 0$ need not imply $R^{(r)}_L < H(Z_V|Z_w)$, r ≥ 2. Moreover, with no restriction on the number of communications, $C_W > 0$ need not imply $R_L < H(Z_V|Z_w)$.
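To make the conditions in Lemmas 1 to 3 concrete, the following is an added numerical check (our own code, not part of the paper) for the BSC(p)/BEC($\epsilon$) source of Lemma 2 and the DSBE(p, $\epsilon$) source of Lemma 3, which share the function $f(q) = I(X \wedge Z) - I(X \wedge Y) = (1-\epsilon)h(q) - h(p*q) + h(p)$. The parameter choice p = 0.1, $\epsilon$ = 0.4 (inside the window $4p(1-p) < \epsilon \le h(p)$), the grid-based non-negativity test, the value $\delta$ = 0.01 in Lemma 1's witness, and the closed form $f''(1/2) = (4/\ln 2)[(1-2p)^2 - (1-\epsilon)]$ are our assumptions and our own derivation from the page's f(q); the function names are ours.

```python
# Added example, not from the paper: numerical check of the "more capable" and
# "not less noisy" conditions used in Lemmas 1-3.  For both the BSC(p)/BEC(eps)
# source of Lemma 2 and the DSBE(p, eps) source of Lemma 3, an input X ~ Ber(q)
# gives I(X ^ Z) = (1 - eps) h(q) and I(X ^ Y) = h(p*q) - h(p), so their
# difference is the page's f(q) = (1 - eps) h(q) - h(p*q) + h(p).
# Z more capable than Y   <=>  f(q) >= 0 for every q in [0, 1];
# Z not less noisy than Y <=   f strictly convex at q = 1/2 (Lemma 1's witness
# U ~ Ber(1/2) sent through BSC(1/2 - delta)).  Parameter choices are ours.
import math


def h(x):
    """Binary entropy function in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def star(p, q):
    """Binary convolution p*q = p(1-q) + (1-p)q: crossover of two cascaded BSCs."""
    return p * (1.0 - q) + (1.0 - p) * q


def f(q, p, eps):
    """I(X ^ Z) - I(X ^ Y) for X ~ Ber(q), Y the BSC(p) output, Z the BEC(eps)
    output (for the DSBE source, Z = (X, Y) erased w.p. eps, which gives the
    same value because Z reveals X exactly whenever it is not erased)."""
    return (1.0 - eps) * h(q) - h(star(p, q)) + h(p)


def admissible(p, eps):
    """Parameter window 4p(1-p) < eps <= h(p) of Lemmas 2 and 3."""
    return 4.0 * p * (1.0 - p) < eps <= h(p)


def more_capable(p, eps, grid=2001):
    """Z more capable than Y: f(q) >= 0 on a fine grid of input distributions."""
    return all(f(k / (grid - 1), p, eps) >= -1e-12 for k in range(grid))


def f_second_derivative_at_half(p, eps, step=1e-3):
    """Central-difference estimate of f''(1/2) from the page's f(q)."""
    return (f(0.5 + step, p, eps) - 2.0 * f(0.5, p, eps) + f(0.5 - step, p, eps)) / step ** 2


def f_second_derivative_closed_form(p, eps):
    """Our derivation: f''(1/2) = (4 / ln 2) [ (1-2p)^2 - (1-eps) ], using
    h''(1/2) = -4/ln 2 and d(p*q)/dq = 1 - 2p; positive iff eps > 4p(1-p)."""
    return 4.0 / math.log(2.0) * ((1.0 - 2.0 * p) ** 2 - (1.0 - eps))


def not_less_noisy_gap(p, eps, delta=0.01):
    """Lemma 1's witness: U ~ Ber(1/2), X = U xor Ber(1/2 - delta).
    Returns I(U ^ Z) - I(U ^ Y); a negative value certifies that Z is not less
    noisy than Y.  U - X - (Y, Z) is Markov, the erasure channel scales I(U ^ X)
    by (1 - eps), and BSC(1/2 - delta) followed by BSC(p) is BSC((1/2 - delta)*p)."""
    cross = 0.5 - delta
    i_uz = (1.0 - eps) * (1.0 - h(cross))
    i_uy = 1.0 - h(star(p, cross))
    return i_uz - i_uy


if __name__ == "__main__":
    p, eps = 0.1, 0.4                 # 4p(1-p) = 0.36 < 0.4 <= h(0.1) ~ 0.469
    print("admissible:", admissible(p, eps))
    print("more capable:", more_capable(p, eps))
    print("f''(1/2) numeric / closed form:", f_second_derivative_at_half(p, eps),
          f_second_derivative_closed_form(p, eps))
    print("I(U^Z) - I(U^Y) at delta = 0.01:", not_less_noisy_gap(p, eps))
```

With p = 0.1 and $\epsilon$ = 0.4 the grid test confirms $f \ge 0$ (so Z is more capable than Y), $f''(1/2) \approx 0.23 > 0$ confirms the strict convexity at q = 1/2, and the witness gives $I(U \wedge Z) < I(U \wedge Y)$ already at $\delta$ = 0.01; raising $\epsilon$ to 0.5, above h(0.1), makes $f(1/2) = h(p) - \epsilon$ negative and the more capable test fails, which is the role of the upper end of the window.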
IV. DUALITY FOR FINITE LINEAR SOURCE MODELS
In this section, we consider a broad class of sources, namely,
finite linear sources, for which we believe the duality between
secure omniscience and wiretap secret key agreement must
hold.
Definition 1 (Finite linear source [6]) A source $(Z_V, Z_w)$ is said to be a finite linear source if we can express $Z_V$ and $Z_w$ as
\[ \begin{bmatrix} Z_V & Z_w \end{bmatrix} = \begin{bmatrix} Z_1 & \cdots & Z_m & Z_w \end{bmatrix} = X \begin{bmatrix} M_1 & \cdots & M_m & W \end{bmatrix}, \]
where X is a random row vector of some length l that is uniformly distributed over a field $\mathbb{F}^l_q$, and $M_1, \dots, M_m, W$ are some matrices over $\mathbb{F}_q$ with dimensions $l \times l_1, \dots, l \times l_m, l \times l_w$, respectively. Each terminal observes a collection of linear combinations of the entries in X. ✷
In the context of FLS, we say a communication scheme F(n)
is linear if each user’s communication is a linear function of its
observations and the previous communication on the channel.
Without loss of generality [8, Sec. II], linear communication
can be assumed to be non-interactive. In the rest of the paper,
we consider only matrices over Fq unless otherwise specified.
The following notions related to Gács-Körner common information will play an important role in proving some of our subsequent results. The Gács-Körner common information of X and Y with joint distribution $P_{X,Y}$ is defined as
\[ J_{GK}(X \wedge Y) := \max\{ H(G) : H(G|X) = H(G|Y) = 0 \}. \tag{12} \]
A G that satisfies the constraint in (12) is called a common function (c.f.) of X and Y. An optimal G in (12) is called a maximal common function (m.c.f.) of X and Y, and is denoted by $\mathrm{mcf}(X, Y)$. Similarly, for m random variables $X_1, X_2, \dots, X_m$, we can extend these definitions by replacing the condition in (12) with $H(G|X_1) = H(G|X_2) = \cdots = H(G|X_m) = 0$. For a finite linear source pair $(Z_1, Z_2)$, i.e., $Z_1 = XM_1$ and $Z_2 = XM_2$ for some matrices $M_1$ and $M_2$, where X is a $1 \times l$ row vector uniformly distributed on $\mathbb{F}^l_q$, it was shown in [28] that $\mathrm{mcf}(Z_1, Z_2)$ is a linear function of each of $Z_1$ and $Z_2$. This means that there exist matrices $M_{z_1}$ and $M_{z_2}$ such that $\mathrm{mcf}(Z_1, Z_2) = Z_1 M_{z_1} = Z_2 M_{z_2}$. One can infer from this relation that if $Z_1$ and $Z_2$ are independent, then $\mathrm{mcf}(Z_1, Z_2)$ is identically 0.
We prove results in this and the next section favoring the
following conjecture.
Conjecture 1 $R_L = H(Z_V|Z_w) - C_W$ holds for finite linear sources. ✷
The reason to believe Conjecture 1 comes from the following two theorems. Since the source is linear, it is reasonable to conjecture that linear schemes are optimal. Theorem 2 below states that if a linear perfect SKA scheme is optimal in terms of $C_W$, then secure omniscience achieves wiretap secret key capacity. Here, we call an SKA scheme perfect if there exists a sequence of communication-key pairs $(F^{(n)}, K^{(n)})_{n \ge 1}$ such that $H(K^{(n)} \,|\, F^{(n)}, Z^n_i) = 0$ for all users i ∈ V (perfect key recoverability condition), and $\log|\mathcal{K}^{(n)}| = H(K^{(n)} \,|\, F^{(n)}, Z^n_w)$ (perfect secrecy condition).
Theorem 2 For a finite linear source $(Z_V, Z_w)$, if a linear perfect SKA scheme achieves $C_W$, then we have
\[ R_L = H(Z_V|Z_w) - C_W. \]
PROOF See Appendix A. ∎
The next theorem shows the duality between secure omni-
science and wiretap secret key agreement for two-user FLS
without any restriction to linear schemes. It also provides
single-letter expressions for RL and CW.
Theorem 3 (Two-user finite linear source) For secure omniscience with V = {1, 2} and finite linear source $Z_V$, we have
\[ R_L = H(Z_1, Z_2 \,|\, Z_w) - C_W, \tag{13} \]
\[ C_W = I(Z_1 \wedge Z_2 \,|\, G), \tag{14} \]
where G can be chosen to be $G_1$, $G_2$, or $(G_1, G_2)$, with $G_i$ being the solution to
\[ J_{GK}(Z_w \wedge Z_i) := \max_{G_i : H(G_i|Z_w) = H(G_i|Z_i) = 0} H(G_i), \tag{15} \]
for i ∈ V. ✷
PROOF See Appendix B. ∎
In the next section, we prove the duality between secure
omniscience and wiretap secret key agreement for tree-PIN
sources with linear wiretapper, a sub-class of FLS. Further-
more, we give single-letter expressions for RL and CW.
V. TREE-PIN SOURCE WITH LINEAR WIRETAPPER
A source $Z_V$ is said to be tree-PIN if there exists a tree $T = (V, E, \xi)$ and, for each edge e ∈ E, a non-negative integer $n_e$ and a random vector $Y_e = (X_{e,1}, \dots, X_{e,n_e})$. We assume that the collection of random variables $X := (X_{e,k} : e \in E, k \in [n_e])$ are i.i.d. and each component is uniformly distributed over a finite field, say $\mathbb{F}_q$. For i ∈ V,
\[ Z_i = (Y_e : i \in \xi(e)). \]
The linear wiretapper's side information $Z_w$ is defined as
\[ Z_w = XW, \]
where X is a $1 \times (\sum_{e \in E} n_e)$ vector and W is a $(\sum_{e \in E} n_e) \times n_w$ full column-rank matrix over $\mathbb{F}_q$. We sometimes refer to X as the base vector. We refer to the pair $(Z_V, Z_w)$ defined as above as a tree-PIN source with linear wiretapper. This is a special case of an FLS.
A. Motivating example
The following example of a tree-PIN source with linear wiretapper appeared in our earlier work [29], where we constructed an optimal secure omniscience scheme. Let V = {1, 2, 3, 4} and
\[ Z_w = X_a + X_b + X_c, \tag{16} \]
\[ Z_1 = X_a, \quad Z_2 = (X_a, X_b), \quad Z_3 = (X_b, X_c), \quad Z_4 = X_c, \tag{17} \]
where $X_a$, $X_b$ and $X_c$ are uniformly random and independent bits. The tree here is a path of length 3 (Fig. 4) and the wiretapper observes the linear combination of all the edge random variables. For secure omniscience, terminals 2 and 3, using n = 2 i.i.d. realizations of the source, communicate linear combinations of their observations. The communication is of the form $F^{(2)} = (F^{(2)}_2, F^{(2)}_3)$, where $F^{(2)}_2 = X^2_a + M X^2_b$ and $F^{(2)}_3 = (M + I) X^2_b + X^2_c$ with
\[ M := \begin{bmatrix} 1 & 1 \\ 1 & 0 \end{bmatrix}. \]
Since the matrices M and M + I are invertible, all the terminals can recover $Z^2_V$ using this communication. For example, user 1 can first recover $X^2_b$ from $(X^2_a, F^{(2)}_2)$ as $X^2_b = (M + I)(X^2_a + F^{(2)}_2)$, then $X^2_b$ can be used along with $F^{(2)}_3$ to recover $X^2_c$ as $X^2_c = (M + I) X^2_b + F^{(2)}_3$. More interestingly, this communication is "aligned" with the eavesdropper's observations, since $Z^2_w = F^{(2)}_2 + F^{(2)}_3$. This scheme achieves $R_L$, which is 1 bit.
For minimizing leakage, this kind of alignment must happen. For example, if $Z^2_w$ were not contained in the span of $F^{(2)}_2$ and $F^{(2)}_3$, then the wiretapper could infer a lot more from the communication. Ideally, if one wants zero leakage, then $F^{(n)}$ must be within the span of $Z^n_w$, which is not feasible in many cases because, with that condition, the communication might not achieve omniscience in the first place. Therefore, keeping this in mind, it is reasonable to assume that there can be components of $F^{(n)}$ outside the span of $Z^n_w$. But we look for communication schemes that span as much of $Z_w$ as possible. Such an alignment condition is used to control the leakage. In this particular example, it turned out that an omniscience communication that achieves $R_{CO}$ can be made to align with the wiretapper side information completely, i.e., $H(Z^n_w \,|\, F^{(n)}) = 0$. Motivated by this example, we show that it is always possible for some omniscience communication to achieve complete alignment with the wiretapper's observations within the class of tree-PIN sources with linear wiretapper.
Theorem 4 For a tree-PIN source $Z_V$ with linear wiretapper observing $Z_w$,
\[ C_W = \min_{e \in E} H\big(Y_e \,\big|\, \mathrm{mcf}(Y_e, Z_w)\big), \qquad R_L = \Big( \sum_{e \in E} n_e - n_w \Big) \log_2 q - C_W \text{ bits}. \]
In fact, a linear non-interactive scheme is sufficient to achieve both $C_W$ and $R_L$ simultaneously. ✷
The theorem guarantees that we can achieve the wiretap
secret key capacity in the tree-PIN case with linear wiretapper
through a linear secure omniscience scheme, which establishes
the duality between the two problems. This illustrates that
omniscience can be helpful even beyond the case when there
is no wiretapper side information.
Our proof of Theorem 4 is through a reduction to the particular subclass of irreducible sources, which we define next.
Definition 2 A tree-PIN source with linear wiretapper is said to be irreducible if $\mathrm{mcf}(Y_e, Z_w)$ is a constant function for every edge e ∈ E. ✷
Whenever there is an edge e such that $G_e := \mathrm{mcf}(Y_e, Z_w)$ is a non-constant function, the user corresponding to a vertex incident on e can reveal $G_e$ to the other users. This communication does not leak any additional information to the wiretapper because $G_e$ is a function of $Z_w$. Intuitively, for further communication, $G_e$ is not useful and hence can be removed from the source. After the reduction, the m.c.f. corresponding to e becomes a constant function. In fact, we can carry out the reduction until the source becomes irreducible. This idea of reduction is illustrated in the following example.
Example 1 Let us consider a source $Z_V$ defined on a path of length 3, which is shown in Fig. 4. Let $Y_a = (X_{a1}, X_{a2})$, $Y_b = X_{b1}$ and $Y_c = X_{c1}$, where $X_{a1}$, $X_{a2}$, $X_{b1}$ and $X_{c1}$ are uniformly random and independent bits. If $Z_w = X_{b1} + X_{c1}$, then the source is irreducible because $\mathrm{mcf}(Y_e, Z_w)$ is a constant function for all e ∈ {a, b, c}.
However, if $Z_w = (X_{a1} + X_{a2}, X_{b1} + X_{c1})$, then the source is not irreducible, as $\mathrm{mcf}(Y_a, Z_w) = X_{a1} + X_{a2}$, which is a non-constant function. An equivalent representation of the source is $Y_a = (X_{a1}, G_a)$, $Y_b = X_{b1}$, $Y_c = X_{c1}$ and $Z_w = (G_a, X_{b1} + X_{c1})$, where $G_a = X_{a1} + X_{a2}$, which is also a uniform bit independent of $(X_{a1}, X_{b1}, X_{c1})$. So, for omniscience, user 2 initially can reveal $G_a$ without affecting the information leakage as it is completely aligned to $Z_w$. Since everyone has $G_a$, users can just communicate according to the omniscience scheme corresponding to the source without $G_a$. Note that this new source is irreducible. ✷
[Fig. 4 shows the path with vertices 1, 2, 3, 4 joined by edges a, b, c.]
Fig. 4. A path of length 3
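The linear-algebra view of Section IV (the m.c.f. of two finite linear sources is linear, so $J_{GK}$ is a subspace dimension), Theorem 4, and the aligned scheme of Section V-A can all be checked mechanically. The following is an added example in Python, our own code rather than anything from the paper or [29]: it works over $\mathbb{F}_2$, stores each linear functional of the base vector X as an integer bitmask, and uses rank computations to evaluate Theorem 4 on the source (16) and (17) and on both wiretappers of Example 1, and to verify omniscience, complete alignment $H(Z^2_w | F^{(2)}) = 0$ and the 1-bit leakage of the n = 2 scheme. The bit layout, the function names and the restriction to q = 2 are our assumptions.

```python
# Added example, not from the paper: bookkeeping for finite linear sources over
# F_2.  A source component is X M for X uniform on F_2^l, so a set of
# observations is a list of linear functionals of X, stored as integer
# bitmasks (bit k <-> coordinate X_k).  In bits, H(A) = rank(A),
# H(A|B) = rank(A+B) - rank(B), and mcf(A, B) is the intersection of the two
# spans, of dimension rank(A) + rank(B) - rank(A+B) (Section IV).  We use
# this to evaluate Theorem 4 on the Section V-A source and on Example 1, and
# to check omniscience, alignment and leakage of the n = 2 scheme (16)-(17).
# All function names and the bit layout are ours.


def rank_f2(vectors):
    """Rank over F_2 of bitmask vectors, by elimination on the leading bit."""
    pivots = {}                          # leading bit -> basis vector
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]            # cancel the leading bit and continue
    return len(pivots)


def cond_entropy(a, b):
    """H(A|B) in bits for linear observations A and B."""
    return rank_f2(list(a) + list(b)) - rank_f2(list(b))


def mcf_dim(a, b):
    """dim mcf(A, B) = J_GK(A ^ B) in bits: dimension of span(A) ∩ span(B)."""
    return rank_f2(list(a)) + rank_f2(list(b)) - rank_f2(list(a) + list(b))


def tree_pin_rates(edges, w):
    """Theorem 4 for q = 2: C_W = min_e H(Y_e | mcf(Y_e, Z_w)) and
    R_L = (sum_e n_e - n_w) - C_W, with n_w = rank(W) (W has full column rank)."""
    c_w = min(rank_f2(list(y_e)) - mcf_dim(y_e, w) for y_e in edges.values())
    r_l = sum(rank_f2(list(y_e)) for y_e in edges.values()) - rank_f2(list(w)) - c_w
    return c_w, r_l


def _apply(mat, vecs):
    """Rows of a 0/1 matrix applied to a column of functionals (sum = XOR)."""
    out = []
    for row in mat:
        acc = 0
        for coef, v in zip(row, vecs):
            if coef:
                acc ^= v
        out.append(acc)
    return out


def _add(u, v):
    return [x ^ y for x, y in zip(u, v)]


def motivating_scheme():
    """The n = 2 scheme of Section V-A on Z_1 = X_a, Z_2 = (X_a, X_b),
    Z_3 = (X_b, X_c), Z_4 = X_c, Z_w = X_a + X_b + X_c.  The base vector X^2
    has six bits: bit 2k + t is realisation t of edge k (a, b, c = 0, 1, 2).
    Returns (omniscience, aligned, leakage per realisation in bits)."""
    a, b, c = [1, 2], [4, 8], [16, 32]
    m = [[1, 1], [1, 0]]
    m_plus_i = [[(m[i][j] + (i == j)) % 2 for j in range(2)] for i in range(2)]
    f2 = _add(a, _apply(m, b))           # F_2^(2) = X_a^2 + M X_b^2       (user 2)
    f3 = _add(_apply(m_plus_i, b), c)    # F_3^(2) = (M + I) X_b^2 + X_c^2 (user 3)
    f = f2 + f3
    z_w = _add(_add(a, b), c)            # Z_w^2, one functional per realisation
    users = {1: a, 2: a + b, 3: b + c, 4: c}
    omniscience = all(rank_f2(z_i + f) == 6 for z_i in users.values())
    aligned = cond_entropy(z_w, f) == 0  # H(Z_w^2 | F^(2)) = 0
    leakage = cond_entropy(f, z_w) / 2   # I(Z_V^2 ^ F | Z_w^2)/2 = H(F | Z_w^2)/2
    return omniscience, aligned, leakage


def example_1():
    """Example 1: Y_a = (X_a1, X_a2), Y_b = X_b1, Y_c = X_c1 on bits 0..3.
    Returns Theorem 4's (C_W, R_L) for Z_w = X_b1 + X_c1 (irreducible), for
    Z_w = (X_a1 + X_a2, X_b1 + X_c1), and dim mcf(Y_a, Z_w) in the second case."""
    edges = {"a": [1, 2], "b": [4], "c": [8]}
    irreducible = tree_pin_rates(edges, [4 ^ 8])
    reducible = tree_pin_rates(edges, [1 ^ 2, 4 ^ 8])
    return irreducible, reducible, mcf_dim(edges["a"], [1 ^ 2, 4 ^ 8])


if __name__ == "__main__":
    print("Section V-A source, Theorem 4 (C_W, R_L):",
          tree_pin_rates({"a": [1], "b": [2], "c": [4]}, [7]))
    print("n = 2 scheme (omniscience, aligned, leakage):", motivating_scheme())
    print("Example 1:", example_1())
```

For the Section V-A source the block returns $C_W = 1$ and $R_L = 1$ bit from Theorem 4 and reports the n = 2 scheme as omniscience-achieving, fully aligned and leaking 1 bit per realisation, so the scheme is $R_L$-optimal as the text states. For Example 1 it returns $(C_W, R_L) = (1, 2)$ for $Z_w = X_{b1} + X_{c1}$ and $(1, 1)$ for the two-component wiretapper, with $\dim \mathrm{mcf}(Y_a, Z_w) = 1$ in the second case, which is the one-bit m.c.f. $X_{a1} + X_{a2}$ removed by the reduction above (these Example 1 numbers are our computation, not stated on the page).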
The next lemma shows that the kind of reduction to an
irreducible source used in the above example is indeed optimal
in terms of RL and CW for all tree-PIN sources with linear
wiretapper.
Lemma 4 If a tree-PIN source with linear wiretapper $(Z_V, Z_w)$ is not irreducible then there exists an irreducible source $(\tilde Z_V, \tilde Z_w)$ such that
\[ C_W(\tilde Z_V \| \tilde Z_w) = C_W(Z_V \| Z_w), \qquad R_L(\tilde Z_V \| \tilde Z_w) = R_L(Z_V \| Z_w), \qquad H\big(Y_e \,\big|\, \mathrm{mcf}(Y_e, Z_w)\big) = H(\tilde Y_e), \]
for all e ∈ E, where $\tilde Y_e$ denotes the edge random vector of the reduced source. ✷
PROOF See Appendix C-A. ∎
Note that, in the above lemma, the scheme that achieves $R_L(Z_V \| Z_w)$ involves revealing the reduced m.c.f. components first and then communicating according to the scheme that achieves $R_L(\tilde Z_V \| \tilde Z_w)$. As a consequence of Lemma 4, to prove Theorem 4, it suffices to consider only irreducible sources. For ease of reference, we re-state the theorem for irreducible sources below.
Theorem 5 If a tree-PIN source $Z_V$ with linear wiretapper $Z_w$ is irreducible then
\[ C_W = \min_{e \in E} H(Y_e) = C_S, \qquad R_L = \Big( \sum_{e \in E} n_e - n_w \Big) \log_2 q - C_W \text{ bits}, \]
where $C_S$ is the secret key capacity of the tree-PIN source without the wiretapper side information [4]. ✷
PROOF See Appendix C-B. ∎
Theorem 5 shows that, for irreducible sources, even when
the wiretapper has side information, the users can still extract
a key at rate CS. In terms of secret key generation, the users
are not really at a disadvantage if the wiretapper has linear
observations.
B. Constrained wiretap secret key capacity of tree-PIN source
with linear wiretapper
Secure omniscience in fact plays a role even in achieving the constrained wiretap secret key capacity of a tree-PIN source with linear wiretapper. The constrained wiretap secret key capacity, denoted by $C_W(R)$, is defined as in (5) but with the supremum over all SKA schemes with $\limsup \frac{1}{n} \log|\mathcal{F}^{(n)}| < R$, where $\mathcal{F}^{(n)}$ is the alphabet of $F^{(n)}$. The following theorem gives a single-letter expression for the constrained wiretap secret key capacity whose form is reminiscent of the constrained secret key capacity [30, Theorem 4.2]. The proof involves a construction of a secure omniscience communication scheme for a part of the source.
Theorem 6 Given a tree-PIN source $Z_V$ with a linear wiretapper $Z_w$, we have
\[ C_W(R) = \min\Big\{ \frac{R}{|E| - 1},\ C_W \Big\}, \]
where R is the total discussion rate and $C_W = \min_{e \in E} H(Y_e \,|\, \mathrm{mcf}(Y_e, Z_w))$ is the unconstrained wiretap secret key capacity. ✷
PROOF See Appendix D. ∎
VI. POSITIVITY OF CW
In this section, we will use the inequality $H(Z_V|Z_w) - C_W \le R_L$ to establish an equivalent condition for the positivity of $C_W$. This result extends the two-user result of [11, Theorem 4] to the multiuser case. In the two-user setting [11], Gohari, Günlü and Kramer have studied the positivity of $C_W$, and gave an equivalent characterization in terms of Rényi divergence by using hypothesis testing and a coding scheme that involves repetition with block-swapping. This coding idea remains one of the main ingredients of our proof.
Another ingredient is the next lemma, which is in a similar vein to [1, Lemma 3], that relates $R_L$ of a source $(Z_V, Z_w)$ to the source $(\tilde Z_V, \tilde Z_w)$ whose distribution is obtained by conditioning the distribution of $(Z_V, Z_w)$ on a certain event. Formally, given some non-empty sets $A_1 \subseteq \mathcal{Z}_1, \dots, A_m \subseteq \mathcal{Z}_m$, let E denote the event that $Z_V \in A_1 \times \cdots \times A_m$. Define a new source $(\tilde Z_V, \tilde Z_w)$ taking values in the same alphabets $\mathcal{Z}_1, \dots, \mathcal{Z}_m$ and $\mathcal{Z}_w$ with the probability distribution
\[ P_{\tilde Z_1 \cdots \tilde Z_m \tilde Z_w}(z_1, \dots, z_m, z_w) := \frac{P_{Z_1 \cdots Z_m Z_w}(z_1, \dots, z_m, z_w)}{\Pr(E)} \tag{18} \]
if $(z_1, \dots, z_m) \in A_1 \times \cdots \times A_m$, and $P_{\tilde Z_1 \cdots \tilde Z_m \tilde Z_w}(z_1, \dots, z_m, z_w) := 0$ otherwise. It was shown in [1, Lemma 3] that $C_W(Z_V \| Z_w) \ge \Pr(E)\, C_W(\tilde Z_V \| \tilde Z_w)$.
Lemma 5 For sources $(Z_V, Z_w)$ and $(\tilde Z_V, \tilde Z_w)$, the latter defined as above for some event $E := \{Z_V \in A_1 \times \cdots \times A_m\}$, we have
\[ H(Z_V|Z_w) - R_L(Z_V \| Z_w) \ge \Pr(E) \big[ H(\tilde Z_V|\tilde Z_w) - R_L(\tilde Z_V \| \tilde Z_w) \big]. \tag{19} \]
PROOF Let $\tilde F^{(n)}$ be an omniscience scheme for the source $\tilde Z_V$ that achieves $R_L(\tilde Z_V \| \tilde Z_w)$. We will construct an omniscience scheme for the source $Z_V$ with the leakage rate $H(Z_V|Z_w) - \Pr(E)[H(\tilde Z_V|\tilde Z_w) - R_L(\tilde Z_V \| \tilde Z_w)]$, which proves the lemma. Fix a large enough n and consider n i.i.d. realizations of the source $(Z_V, Z_w)$. In the first phase of communication, each user reveals publicly the indices of those realizations that fall in their corresponding set $A_i$ to the other users. For instance, user i transmits $F_{1,i}(Z^n_i) := (b_{ij} : b_{ij} = 1_{A_i}(Z_{ij}),\ 1 \le j \le n)$, which is a sequence indicating the locations where $Z_{ij} \in A_i$. This communication involves m message transmissions. At the end of the first phase, through $(F_{1,i} : i \in V)$, every user knows the indices where the event E has occurred, i.e., E occurs at an index j if $b_{ij} = 1$ for all i ∈ V.
In the second phase of communication, users discuss interactively based on the first phase of communication. Let $\mathcal{J}$ denote the set of indices for which E occurs. On the indices in $\mathcal{J}^c$, users reveal their complete observations. For example, user i communicates $F_{2,i}(Z^n_i, F_{1,1}, \dots, F_{1,m}) := Z_{i,\mathcal{J}^c}$. And, for the block corresponding to $\mathcal{J}$, they communicate according to $\tilde F^{(\mathcal{J})}$, which is in general interactive. The corresponding communication is $F_3 := \tilde F^{(\mathcal{J})}(Z^n_V)$, which acts only on the block corresponding to $\mathcal{J}$. Note that conditioning on a realization $\mathcal{J} = J \subseteq [n]$, the distribution of $(Z_{V,J}, Z_{w,J})$ is the same as that of |J| i.i.d. realizations of $(\tilde Z_V, \tilde Z_w)$.
Let $(C_j : 1 \le j \le n)$ be a random sequence where $C_j = 1_{A_1 \times \cdots \times A_m}(Z_{V,j})$, and observe that this is an i.i.d. sequence. Using the strong typicality of this sequence, it is easy to verify that the communication $F^{(n)} := (F_{1,1}, \dots, F_{1,m}, F_{2,1}, \dots, F_{2,m}, F_3)$ satisfies the recoverability condition (2) for omniscience. The leakage rate is
\[ \frac{1}{n} I(Z^n_V \wedge F^{(n)} \,|\, Z^n_w) = H(Z_V|Z_w) - \frac{1}{n} H(Z^n_V \,|\, F^{(n)}, Z^n_w). \]
Consider the term $\frac{1}{n} H(Z^n_V \,|\, F^{(n)}, Z^n_w)$, which is equal to
\[ \frac{1}{n} H(Z_{V,\mathcal{J}} \,|\, \mathcal{J}, \tilde F^{(\mathcal{J})}, Z_{w,\mathcal{J}}) = \frac{1}{n} \Big[ H(Z_{V,\mathcal{J}} \,|\, \mathcal{J}, Z_{w,\mathcal{J}}) - I(Z_{V,\mathcal{J}} \wedge \tilde F^{(\mathcal{J})} \,|\, \mathcal{J}, Z_{w,\mathcal{J}}) \Big]. \]
It goes to $\Pr(E)[H(\tilde Z_V|\tilde Z_w) - R_L(\tilde Z_V \| \tilde Z_w)]$, which follows from using again the strong typicality of the sequence $(C_j)_{j=1}^n$. Thus we have
\[ R_L(Z_V \| Z_w) \le \limsup_{n \to \infty} \frac{1}{n} I(Z^n_V \wedge F^{(n)} \,|\, Z^n_w) = H(Z_V|Z_w) - \Pr(E) \big[ H(\tilde Z_V|\tilde Z_w) - R_L(\tilde Z_V \| \tilde Z_w) \big]. \]
This completes the proof. ∎
The following theorem gives necessary and sufficient conditions for the positivity of the secret key rate by using the lower bound in Theorem 1 and Lemma 5. For two distributions $P_X$ and $\tilde P_X$ on a common alphabet $\mathcal{X}$, the Rényi divergence of order 1/2 between $P_X$ and $\tilde P_X$ is given by
\[ D_{1/2}(P_X \| \tilde P_X) := -2 \log\Big( \sum_{x \in \mathcal{X}} \sqrt{P_X(x) \tilde P_X(x)} \Big), \]
and the total variation (TV) distance between $P_X$ and $\tilde P_X$ is given by $\|P_X - \tilde P_X\|_{TV} := \frac{1}{2} \sum_{x \in \mathcal{X}} |P_X(x) - \tilde P_X(x)|$. To state the theorem, let us define
\[ \Delta(Z_V \| Z_w) := \inf \Big\| P_{K_1, \dots, K_m, F^{(n)}, Z^n_w} - \tfrac{1}{2}\, 1_{K_1 = \cdots = K_m} \cdot P_{F^{(n)}, Z^n_w} \Big\|_{TV}, \]
where the infimum is over all communication schemes and the possible binary keys (see [11, Def. 8]).
Theorem 7 For a source $(Z_1, \dots, Z_m, Z_w)$ with distribution $P_{Z_1 \cdots Z_m Z_w}$ and m ≥ 2, the following statements are equivalent:
1) There is an integer r and non-empty disjoint sets $A_{11}, A_{12} \subset \mathcal{Z}^r_1$, $A_{21}, A_{22} \subset \mathcal{Z}^r_2$, ..., $A_{m1}, A_{m2} \subset \mathcal{Z}^r_m$ such that
\[ D_{1/2}\big( P_{Z^r_w}(\cdot \,|\, E_{1,1,\dots,1}) \,\big\|\, P_{Z^r_w}(\cdot \,|\, E_{2,2,\dots,2}) \big) < \log \frac{\Pr(E_{1,\dots,1}) \Pr(E_{2,\dots,2})}{\frac{1}{2} \sum_{(j_1,\dots,j_m) \notin \{(1,\dots,1),(2,\dots,2)\}} \Pr(E_{j_1,\dots,j_m}) \Pr(E_{3-j_1,\dots,3-j_m})}, \]
where $E_{j_1,\dots,j_m}$ denotes the event $Z^r_1 \in A_{1j_1}, \dots, Z^r_m \in A_{mj_m}$ for $(j_1,\dots,j_m) \in \{1,2\}^m$.
2) $C_W(Z_V \| Z_w) > 0$.
3) $\Delta(Z_V \| Z_w) = 0$.
4) $\Delta(Z_V \| Z_w) < \delta_1$ where $\delta_1$ is the smallest root of the equation $16\delta^2 - (8 + 4\sqrt{2^{m-1} - 1})\delta + 1 = 0$. (It can be seen that $\delta_1$ is strictly positive for any m ≥ 2.) ✷
PROOF See Appendix E. ∎
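As an added example (our own code, not from the paper or from [11]), the following evaluates condition 1) of Theorem 7 with r = 1 for the two-user BSC(p)/BEC($\epsilon$) source of Lemma 2, using the sets $A_{11} = \{X = 0\}$, $A_{12} = \{X = 1\}$, $A_{21} = \{Y = 0\}$, $A_{22} = \{Y = 1\}$. The pmf constructor, the function names and the parameters p = 0.1, $\epsilon \in \{0.4, 0.05\}$ are ours; both sides are computed with $\log_2$, which does not affect the comparison.

```python
# Added example, not from the paper: evaluating condition 1) of Theorem 7 with
# r = 1 on an explicit joint pmf.  The source is a dict {(z_1, ..., z_m, z_w):
# probability}; sets_a[i] = (A_i1, A_i2) are disjoint subsets of user i's
# alphabet.  Meeting the inequality for one choice of r and sets proves
# C_W > 0; failing it for that choice proves nothing, since the theorem
# quantifies over all r and all sets.  Constructor and names are ours.
import math
from itertools import product


def bsc_bec_source(p, eps):
    """Constructed pmf of the Lemma 2 source: X ~ Ber(1/2), Y = BSC(p)(X),
    Z = BEC(eps)(X) with erasure symbol 'e'.  Users 1, 2 see X, Y; W sees Z."""
    pmf = {}
    for x in (0, 1):
        for y in (0, 1):
            p_y = 1.0 - p if y == x else p
            pmf[(x, y, x)] = 0.5 * p_y * (1.0 - eps)    # Z = X, not erased
            pmf[(x, y, "e")] = 0.5 * p_y * eps          # Z erased
    return pmf


def _in_event(key, sets):
    return all(key[i] in sets[i] for i in range(len(sets)))


def event_prob(pmf, sets):
    """Pr(E) for the event Z_i in sets[i] for every user i."""
    return sum(pr for key, pr in pmf.items() if _in_event(key, sets))


def wiretapper_given_event(pmf, sets):
    """Conditional pmf P_{Z_w}(. | E) of the wiretapper's symbol."""
    total = event_prob(pmf, sets)
    cond = {}
    for key, pr in pmf.items():
        if _in_event(key, sets):
            cond[key[-1]] = cond.get(key[-1], 0.0) + pr / total
    return cond


def renyi_half(p_dist, q_dist):
    """D_{1/2}(P || Q) = -2 log2 sum_x sqrt(P(x) Q(x))."""
    support = set(p_dist) | set(q_dist)
    bhattacharyya = sum(math.sqrt(p_dist.get(x, 0.0) * q_dist.get(x, 0.0)) for x in support)
    return -2.0 * math.log2(bhattacharyya)


def theorem7_condition(pmf, sets_a):
    """Returns (lhs, rhs, lhs < rhs) for condition 1) of Theorem 7 with r = 1:
    lhs = D_{1/2}(P_{Z_w}(.|E_{1..1}) || P_{Z_w}(.|E_{2..2})),
    rhs = log2 [ Pr(E_{1..1}) Pr(E_{2..2}) / ( (1/2) sum_{j not in {1..1, 2..2}}
                 Pr(E_j) Pr(E_{3-j}) ) ]."""
    m = len(sets_a)
    all_ones = [sets_a[i][0] for i in range(m)]
    all_twos = [sets_a[i][1] for i in range(m)]
    lhs = renyi_half(wiretapper_given_event(pmf, all_ones),
                     wiretapper_given_event(pmf, all_twos))
    cross = 0.0
    for js in product((1, 2), repeat=m):
        if js == (1,) * m or js == (2,) * m:
            continue
        sets = [sets_a[i][j - 1] for i, j in enumerate(js)]        # A_{i, j_i}
        complement = [sets_a[i][2 - j] for i, j in enumerate(js)]  # A_{i, 3 - j_i}
        cross += event_prob(pmf, sets) * event_prob(pmf, complement)
    rhs = math.log2(event_prob(pmf, all_ones) * event_prob(pmf, all_twos) / (cross / 2.0))
    return lhs, rhs, lhs < rhs


if __name__ == "__main__":
    # A_11 = {X = 0}, A_12 = {X = 1}, A_21 = {Y = 0}, A_22 = {Y = 1}
    sets = [({0}, {1}), ({0}, {1})]
    for eps in (0.4, 0.05):
        print("eps =", eps, theorem7_condition(bsc_bec_source(0.1, eps), sets))
```

With these sets the two conditional wiretapper distributions agree only on the erasure symbol, so the Bhattacharyya sum is $\epsilon$ and the left side is $-2\log_2 \epsilon$, while the right side is $\log_2\big((1-p)^2/p^2\big)$; the test therefore passes exactly when $\epsilon > p/(1-p)$ (our own simplification). For p = 0.1 it passes at $\epsilon$ = 0.4, consistent with the direct argument of Lemma 2 that $C^{\mathrm{ow}}_W > 0$; at $\epsilon$ = 0.05 this particular choice of sets fails, which by itself decides nothing about $C_W$.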
VII. DISCUSSION
In this paper, we have explored the possibility of a duality
between the wiretap secret key agreement problem and the
secure omniscience problem. Though the problem of charac-
terizing the class of sources for which these two problems are
dual to each other is far from being solved completely, we
made some progress in the case of limited interaction (with
at most two communications allowed), and for the class of
finite linear sources. Furthermore, we have made use of (1)
to identify several equivalent conditions for the positivity of
CW in the multi-user case, which is an extension of a recent
two-user result of [11].
By limiting the number of messages to two, we showed that
for the source in Lemma 3, the duality does not hold. This
result seems to indicate that the duality does not always hold.
In particular, we believe that for the DSBE source considered
in Lemma 3, the duality does not hold even if we relax the
restriction on the number of messages (Conjecture 2). To prove
this result, we actually need a single-letter lower bound on RL
that strictly improves our current bound H(ZV |Zw) − CW.
However, it has turned out to be challenging to find a better
lower bound on RL.
Conjecture 1 $R_L = H(Z_V|Z_w) - C_W$ holds for finite linear sources. ✷
Conjecture 2 For r ≥ m, $C^{(r)}_W > 0$ need not imply $R^{(r)}_L < H(Z_V|Z_w)$. Moreover, with no restriction on the number of messages, $C_W > 0$ need not imply $R_L < H(Z_V|Z_w)$. ✷
In our attempt to resolve the duality for finite linear sources
(Conjecture 1), we were able to prove it in the case of two-
user FLS models and in the case of tree-PIN models. The
proof construction mainly relies on the idea of aligning the
communication with the wiretapper side information. Specif-
ically, in the case of tree-PIN models, we used a reduction
to obtain an irreducible source on which we constructed an
RCO-achieving omniscience scheme that aligns perfectly with
the wiretapper side information. In fact, we have shown that
this construction is RL-achieving.
However, for more general PIN sources, this proof strategy
fails. The notion of irreducibility in Definition 2 can certainly
be extended to general PIN sources. However, it turns out
that this definition of irreducibility is not good enough. There
are irreducible PIN sources on graphs with cycles whose
RL is not achieved by an omniscience protocol of rate RCO
that is perfectly aligned with the wiretapper side information.
So, proving the duality conjecture for sources beyond the
tree-PIN model could be interesting as it will require new
communication strategies other than the ones we used in the
proof of the tree-PIN model with a linear wiretapper.
APPENDIX A
PROOF OF THEOREM 2
It suffices to show that $C_W$ can be achieved through omniscience because then
\[ nH(Z_V|Z_w) \ge I(K^{(n)}, F^{(n)} \wedge Z^n_V \,|\, Z^n_w) = I(F^{(n)} \wedge Z^n_V \,|\, Z^n_w) + I(K^{(n)} \wedge Z^n_V \,|\, Z^n_w, F^{(n)}) \ge n(R_L - \delta_n) + I(K^{(n)} \wedge Z^n_V \,|\, Z^n_w, F^{(n)}) \ge n(R_L - \delta_n) + n(C_W - \delta_n) \]
for some $\delta_n \to 0$, where the last inequality follows from the fact that an optimal key is recoverable from $Z^n_V$. Therefore, $R_L \le H(Z_V|Z_w) - C_W$.
Let $(F^{(n)}, K^{(n)})$ be a communication-key pair of a linear perfect SKA scheme that achieves $C_W$, but $F^{(n)}$ need not achieve omniscience. By [8, Theorem 1], we can assume that $F^{(n)}$ is a linear function of $Z^n_V$ alone (additional randomization by any user is not needed) and the key is also a linear function of $Z^n_V$.
If $F^{(n)}$ already attains omniscience, then we are done. If not, for some i, j ∈ V, i ≠ j, we have a component $X \in \mathbb{F}_q$ of the random vector $Z^n_i$ such that
\[ H(X \,|\, F^{(n)}, Z^n_j) \ne 0. \]
We will show that there exists an additional discussion $F'^{(n)}$ such that
\[ H(X \,|\, F^{(n)}, F'^{(n)}, Z^n_j) = 0 \tag{20} \]
and
\[ I(K^{(n)} \wedge F^{(n)}, F'^{(n)}, Z^n_w) = 0. \tag{21} \]
If $(F^{(n)}, F'^{(n)})$ achieves omniscience, we are done; else, we repeat the construction in our argument till we obtain the desired omniscience-achieving communication.
So, consider the non-trivial case where $H(X \,|\, F^{(n)}, Z^n_j) \ne 0$ and $I(K^{(n)} \wedge F^{(n)}, X, Z^n_w) \ne 0$. (If $I(K^{(n)} \wedge F^{(n)}, X, Z^n_w) = 0$, then user i transmits $F'^{(n)} := X$, which satisfies (20) and (21).)
Let $L^{(n)}$ be a common linear function, not identically 0, of $K^{(n)}$ and $(F^{(n)}, X, Z^n_w)$ taking values in $\mathbb{F}_q$. Such a function exists since $I(K^{(n)} \wedge F^{(n)}, X, Z^n_w) \ne 0$. So, we can write
\[ L^{(n)} = K^{(n)} M_K = aX + F^{(n)} M_F + Z^n_w M_w \tag{22} \]
for some non-zero element $a \in \mathbb{F}_q$, and some column vectors $M_K \ne 0$, $M_F$, and $M_w$ over $\mathbb{F}_q$. (Here, $L^{(n)}$, $K^{(n)}$, $F^{(n)}$ and $Z^n_w$ are random row vectors with entries uniformly distributed over $\mathbb{F}_q$.) Note that the coefficient a in the above linear combination must be a non-zero element of $\mathbb{F}_q$. If not, then $L^{(n)}\ (= K^{(n)} M_K = F^{(n)} M_F + Z^n_w M_w)$ is a non-constant common function of $K^{(n)}$ and $(F^{(n)}, Z^n_w)$. This contradicts the secrecy condition $I(K^{(n)} \wedge F^{(n)}, Z^n_w) = 0$.
Define $F'^{(n)} := K^{(n)} M_K - aX$. User i can compute $F'^{(n)}$, as it is a function of $K^{(n)}$ and $Z^n_i$, and transmit it publicly. Let us verify that $F'^{(n)}$ satisfies (20) and (21). For (20), observe that $H(X \,|\, F^{(n)}, F'^{(n)}, Z^n_j) \le H(X \,|\, F'^{(n)}, K^{(n)}) = 0$, the inequality following from $H(K^{(n)} \,|\, F^{(n)}, Z^n_j) = 0$, and the equality from the fact that X is recoverable from $(F'^{(n)}, K^{(n)})$. For (21), $I(K^{(n)} \wedge F^{(n)}, F'^{(n)}, Z^n_w) = I(K^{(n)} \wedge F^{(n)}, Z^n_w) = 0$, the first equality being a consequence of $F'^{(n)}$ also being expressible as $F^{(n)} M_F + Z^n_w M_w$, and the last equality from the secrecy condition of the key, i.e., $I(K^{(n)} \wedge F^{(n)}, Z^n_w) = 0$. This completes the proof.
APPENDIX B
PROOF OF THEOREM 3
PROOF Converse part. Note that G satisfies the Markov condition $G - Z_w - Z_V$ because G is a function of $Z_w$ whether it is chosen to be $G_1$, $G_2$ or both. By (6), we have
\[ R_L \ge H(Z_V|Z_w) - C_W(Z_V \| Z_w) \overset{(a)}{\ge} H(Z_V|Z_w) - C_P(Z_V|G) \overset{(b)}{=} H(Z_V|Z_w) - I(Z_1 \wedge Z_2 \,|\, G), \]
where (a) is because for $W - Z_w - Z_V$, $C_W(Z_V \| Z_w) \le C_P(Z_V|W)$ [4, Theorem 4] and G forms the Markov condition $G - Z_w - Z_V$, and we have used the fact that $C_P(Z_V|G) = I(Z_1 \wedge Z_2 \,|\, G)$ [4, Theorem 2] in (b).
Achievability part. It suffices to prove the reverse inequality for $G = G_1$, i.e.,
\[ R_L \le H(Z_V|Z_w) - \underbrace{I(Z_1 \wedge Z_2 \,|\, G_1)}_{①}, \tag{23} \]
because then the reverse inequality will also hold for $G = G_2$ by symmetry, and for $G = (G_1, G_2)$ since
\[ I(Z_1 \wedge Z_2 \,|\, G_1, G_2) \le I(Z_1 \wedge Z_2, G_2 \,|\, G_1) = I(Z_1 \wedge Z_2 \,|\, G_1) \]
by the assumption that $G_2$ is a function of $Z_2$.
The desired reverse inequality (23) will follow from the following upper bound with an appropriate choice of public discussion F' of block length 1, i.e.,
\[ R_L \le \underbrace{R_{CO}(Z_V|F')}_{= H(Z_V|F') - I(Z_1 \wedge Z_2|F')} + \underbrace{I(Z_V \wedge F' \,|\, Z_w)}_{= H(Z_V|Z_w) - H(Z_V|Z_w, F')} = H(Z_V|Z_w) + \underbrace{I(Z_V \wedge Z_w \,|\, F')}_{②} - \underbrace{I(Z_1 \wedge Z_2 \,|\, F')}_{③}. \]
The idea behind this upper bound involves splitting the leakage rate into two components after a discussion F': one component is the leakage rate due to F', and the other one is the residual leakage rate for subsequent omniscience, which is upper bounded by $R_{CO}(Z_V|F')$. It suffices to give a feasible F' with ② = 0 and ③ = ①. We will construct this F' by decomposing the source $(Z_V, Z_w)$. We know from the proof of [28, Lemma 5.2] that a finite linear source (X, Y) can be decomposed as
\[ X = (X', C), \tag{24} \]
\[ Y = (Y', C), \tag{25} \]
where X' (resp. Y') is a linear function of X (resp. Y) and $C = \mathrm{mcf}(X, Y)$ is a linear function of each of X and Y; altogether, they satisfy the independence relation
\[ H(X', C, Y') = H(X') + H(C) + H(Y'). \tag{26} \]
We call X' the complement of Y in X, and denote it by $X \setminus Y$.
For the source (X, Y) with $X = (Z_1, G_1)$ and $Y = (Z_2, G_1)$, the decomposition is as follows:
\[ (Z_1, G_1) := (X_a, X_c), \tag{27} \]
\[ (Z_2, G_1) := (X_b, X_c), \tag{28} \]
where $X_a$, $X_b$, and $X_c = \mathrm{mcf}((Z_1, G_1), (Z_2, G_1))$ are uniformly random row vectors over some finite field, say $\mathbb{F}_q$, satisfying the independence relation
\[ H(X_a, X_b, X_c) = H(X_a) + H(X_b) + H(X_c). \tag{29} \]
Observe that $G_1$ is a linear common function of $(Z_1, G_1)$ and $(Z_2, G_1)$. Using the decomposition (27) and (28), we can write $G_1 = X_a M_a + X_c M_c = X_b M_b + X_c \tilde M_c$ for some matrices $M_a$, $M_b$, $M_c$ and $\tilde M_c$. Therefore, we have $X_a M_a - X_b M_b + X_c (M_c - \tilde M_c) = 0$. But $X_a$, $X_b$, and $X_c$ are mutually independent, which implies (for finite linear sources) that $M_a = M_b = M_c - \tilde M_c = 0$ and $G_1 = X_c M_c$. This shows that $G_1$ is a linear function of $X_c$. Let $X'_c := X_c \setminus G_1$. So, we can write $X_c = (X'_c, G_1)$, where $X'_c$ is independent of $G_1$, and both are linear functions of $X_c$. Therefore, we can further decompose the source in (27) and (28) as
\[ (Z_1, G_1) = (X_a, X'_c, G_1), \tag{30} \]
\[ (Z_2, G_1) = (X_b, X'_c, G_1), \tag{31} \]
where $X_a$, $X_b$, and $X'_c$ are uniformly random row vectors such that
\[ H(X_a, X_b, X'_c, G_1) = H(X_a) + H(X_b) + H(X'_c) + H(G_1). \tag{32} \]
Note that $(X_b, X'_c) = Z_2 \setminus G_1$, which is a linear function of $Z_2$.
Now consider the decomposition of the form (24) and (25)
for the source (ZV ,Zw):
ZV := (Z′V ,Gw),
Zw := (Z′w,Gw),
(33)
(34)
where Gw is the m.c.f. of ZV and Zw. As the components
(Z′V ,Gw,Z′
w) are mutually independent by (26), we have
I(ZV ∧ Zw|Gw) = 0. (35)
13
Moreover, using the fact that the m.c.f. $G_w$ is a linear function of $Z_V$, and $(X_a, X_b, X_c', G_1)$ is an invertible linear transformation of $Z_V$ (by (30) and (31)), we can write $G_w$ as
$G_w = X_a A + X_b B + X_c' C + G_1 D$ (36)
for some deterministic matrices $A$, $B$, $C$ and $D$ over $\mathbb{F}_q$ such that $[A^T\, B^T\, C^T\, D^T]^T$ is a full column-rank matrix. Since $G_1$ is an m.c.f. of $Z_1$ and $Z_w$, it is a linear function of $G_w$, which can be argued along the same lines as the proof that $G_1$ is a linear function of $X_c$. So we can write (36) as
$G_w = (X_a A + X_b B + X_c' C, G_1)$ (37)
for some deterministic matrices $A$, $B$, and $C$ over $\mathbb{F}_q$ such that $X_a A + X_b B + X_c' C = G_w \setminus G_1$.
Finally, by (30), (31), (34), (35) and (37), we can write the decomposition of the source $(Z_V, Z_w)$ as
$Z_1 = (X_a, X_c', G_1)$, (38)
$(Z_2, G_1) = (X_b, X_c', G_1)$, (39)
$Z_w = (Z_w', X_a A + X_b B + X_c' C, G_1)$, (40)
where the components $X_a$, $X_b$, $X_c'$, $G_1$, $Z_w'$ and $X_a A + X_b B + X_c' C$ satisfy the following independence relations:
1) (32) holds, i.e., $X_a$, $X_b$, $X_c'$ and $G_1$ are mutually independent;
2) $X_a$, $X_c'$, $G_1$, $Z_w'$ and $X_a A + X_b B + X_c' C$ are mutually independent.
To verify the second independence relation above, it is enough to show that $I(X_a, X_c' \wedge G_1, Z_w', X_a A + X_b B + X_c' C) = 0$ because of (32), (34), and (37), which is equivalent to showing $I(X_a, X_c' \wedge Z_w', X_a A + X_b B + X_c' C \mid G_1) = 0$ by (32). Note that by (35), $0 = I(Z_1 \wedge Z_w \mid G_1) = I(Z_1, G_1 \wedge Z_w \mid G_1) = I(X_a, X_c', G_1 \wedge G_1, Z_w', X_a A + X_b B + X_c' C \mid G_1) = I(X_a, X_c' \wedge Z_w', X_a A + X_b B + X_c' C \mid G_1)$.
Let us construct a linear communication using the components from the above decomposition. User 1 transmits $F_1' := (X_a A, G_1)$ using his source $Z_1 = (X_a, X_c', G_1)$. User 2 communicates $F_2' := X_b B + X_c' C$ using the source $(X_b, X_c')$, which is a function of $Z_2$. Define $F' := (F_1', F_2')$, a valid discussion of block length $n = 1$.
By (35), we have $0 = I(Z_V \wedge Z_w \mid G_w) = I(Z_V, F' \wedge Z_w \mid G_w) = I(F' \wedge Z_w \mid G_w) + I(Z_V \wedge Z_w \mid G_w, F') = I(Z_V \wedge Z_w \mid F')$, where the last equality follows from $I(F' \wedge Z_w \mid G_w) \le I(Z_V \wedge Z_w \mid G_w) \overset{(35)}{=} 0$ and $H(G_w \mid F') = 0$. Hence we conclude that
$② = I(Z_V \wedge Z_w \mid F') = 0$. (41)
Let us show the remaining inequality $③ = ①$. By the independence relation 1), we evidently have
$I(X_a A \wedge X_b, X_c' \mid G_1) = 0$. (42)
Using the independence condition 2), we also obtain
$I(X_a, X_c' \wedge X_b B + X_c' C \mid G_1, X_a A)$
$= I(X_a, X_c' \wedge X_a A + X_b B + X_c' C \mid G_1, X_a A)$
$= H(X_a A + X_b B + X_c' C \mid G_1, X_a A) - H(X_a A + X_b B + X_c' C \mid G_1, X_a A, X_a, X_c')$
$= H(X_a A + X_b B + X_c' C \mid G_1, X_a A) - H(X_a A + X_b B + X_c' C \mid G_1, X_a, X_c')$
$= H(X_a A + X_b B + X_c' C) - H(X_a A + X_b B + X_c' C)$
$= 0$. (43)
It follows from (38) and (39) that
$① = I(Z_1 \wedge Z_2 \mid G_1)$
$= I(Z_1 \wedge Z_2, G_1 \mid G_1)$
$= I(X_a, X_c', G_1 \wedge X_b, X_c', G_1 \mid G_1)$
$= I(X_a, X_c' \wedge X_b, X_c' \mid G_1)$
$= I(X_a, X_c', X_a A \wedge X_b, X_c' \mid G_1)$
$= I(X_a A \wedge X_b, X_c' \mid G_1) + I(X_a, X_c' \wedge X_b, X_c' \mid G_1, X_a A)$
$\overset{(42)}{=} I(X_a, X_c' \wedge X_b, X_c' \mid G_1, X_a A)$
$= I(X_a, X_c' \wedge X_b, X_c', X_b B + X_c' C \mid G_1, X_a A)$
$= I(X_a, X_c' \wedge X_b B + X_c' C \mid G_1, X_a A) + I(X_a, X_c' \wedge X_b, X_c' \mid G_1, X_a A, X_b B + X_c' C)$
$\overset{(43)}{=} I(X_a, X_c' \wedge X_b, X_c' \mid G_1, X_a A, X_b B + X_c' C)$
$= I(Z_1 \wedge Z_2 \mid F') = ③$.
This completes the proof.
APPENDIX C
PROOFS FROM SECTION V
A. Proof of Lemma 4
In this proof, we first identify an edge whose m.c.f. with the wiretapper's observations is a non-constant function. Then, by appropriately transforming the source, we separate out the m.c.f. from the random variables corresponding to the edge and the wiretapper. Later we argue that the source can be reduced by removing the m.c.f. component entirely without affecting $C_W$ and $R_L$, and we repeat this process until the source becomes irreducible. At each stage, to show that the reduction indeed leaves the m.c.f. related to the other edges unchanged and makes the m.c.f. of the reduced edge a constant function, we use the following lemma, which is proved in Appendix C-C.
Lemma 6 If $(X, Y)$ is independent of $Z$, then $\mathrm{mcf}(X, (Y, Z)) = \mathrm{mcf}(X, Y)$ and $\mathrm{mcf}((X, Z), (Y, Z)) = (\mathrm{mcf}(X, Y), Z)$. ✷
Since $(Z_V, Z_w)$ is not irreducible, there exists an edge $e \in E$ such that $G_e := \mathrm{mcf}(Y_e, Z_w)$ is a non-constant function. By using the result that the m.c.f. of a finite linear source is a linear function [28], we can write $G_e = Y_e M_e = Z_w M_w$ for some full column-rank matrices $M_e$ and $M_w$ over $\mathbb{F}_q$.
We will appropriately transform the random vector $Y_e$. Let $N_e$ be any matrix with full column-rank such that $[M_e \mid N_e]$ is invertible. Define $\tilde{Y}_e := Y_e N_e$; then
$[X_{e,1}, \dots, X_{e,n_e}]\,[M_e \mid N_e] = Y_e\,[M_e \mid N_e] = [G_e, \tilde{Y}_e] = [G_{e,1}, \dots, G_{e,\ell}, \tilde{X}_{e,1}, \dots, \tilde{X}_{e,\tilde{n}_e}]$,
where $\tilde{Y}_e = [\tilde{X}_{e,1}, \dots, \tilde{X}_{e,\tilde{n}_e}]$, $G_e = [G_{e,1}, \dots, G_{e,\ell}]$, $\ell$ is the length of the vector $G_e$ and $\tilde{n}_e = n_e - \ell$. Therefore, we can obtain $(G_e, \tilde{Y}_e)$ by an invertible linear transformation of $Y_e$. Note that the components $G_{e,1}, \dots, G_{e,\ell}, \tilde{X}_{e,1}, \dots, \tilde{X}_{e,\tilde{n}_e}$ are also i.i.d. random variables that are uniformly distributed over $\mathbb{F}_q$, and they are independent of $Y_{E \setminus \{e\}} := (Y_b : b \in E \setminus \{e\})$. Hence $G_e$ is independent of $\tilde{Y}_e$ and $Y_{E \setminus \{e\}}$.
Now we will express $Z_w$ in terms of $G_e$ and $\tilde{Y}_e$:
$Z_w = X W = Y_e W_e + Y_{E \setminus \{e\}} W_{E \setminus \{e\}} = [G_e \;\; \tilde{Y}_e]\,[M_e \;\; N_e]^{-1} W_e + Y_{E \setminus \{e\}} W_{E \setminus \{e\}} = G_e W_e' + \tilde{Y}_e W_e'' + Y_{E \setminus \{e\}} W_{E \setminus \{e\}}$,
where the matrices $W_e$ and $W_{E \setminus \{e\}}$ are sub-matrices of $W$ formed by the rows corresponding to $e$ and $E \setminus \{e\}$, respectively. Also, the matrices $W_e'$ and $W_e''$ are sub-matrices of $[M_e \;\; N_e]^{-1} W_e$ formed by the first $\ell$ rows and the last $\tilde{n}_e$ rows, respectively. Define $\tilde{Z}_w := \tilde{Y}_e W_e'' + Y_{E \setminus \{e\}} W_{E \setminus \{e\}}$. Since $Z_w = [G_e \;\; \tilde{Z}_w] \begin{bmatrix} W_e' \\ I \end{bmatrix}$ and $[G_e \;\; \tilde{Z}_w] = Z_w\,[M_w \;\; I - M_w W_e']$, $[G_e \;\; \tilde{Z}_w]$ can be obtained by an invertible linear transformation of $Z_w$.
Since the transformations are invertible, $Y_e$ and $Z_w$ can equivalently be written as $(G_e, \tilde{Y}_e)$ and $(G_e, \tilde{Z}_w)$, respectively. We will see that $G_e$ can be removed from the source without affecting $C_W$ and $R_L$. Let us consider a new tree-PIN source $\tilde{Z}_V$, which is the same as $Z_V$ except that $\tilde{Y}_e$ and $\tilde{n}_e$ are associated to the edge $e$, and the wiretapper side information is $\tilde{Z}_w$. Note that $(\tilde{Z}_V, \tilde{Z}_w)$ is also a tree-PIN source with linear wiretapper, and $G_e$ is independent of $(\tilde{Z}_V, \tilde{Z}_w)$.
For the edge $e$, $\mathrm{mcf}(\tilde{Y}_e, \tilde{Z}_w)$ is a constant function. Suppose instead it were a non-constant function $\tilde{G}_e$ w.p. 1, which is indeed independent of $G_e$; then $\mathrm{mcf}(Y_e, Z_w) = \mathrm{mcf}((G_e, \tilde{Y}_e), (G_e, \tilde{Z}_w)) = (G_e, \tilde{G}_e)$. The last equality uses Lemma 6. Therefore, $H(G_e) = H(\mathrm{mcf}(Y_e, Z_w)) = H(G_e, \tilde{G}_e) > H(G_e)$, which is a contradiction. Moreover, $H(Y_e \mid \mathrm{mcf}(Y_e, Z_w)) = H(Y_e \mid G_e) = H(\tilde{Y}_e, G_e \mid G_e) = H(\tilde{Y}_e)$. For the other edges $b \neq e$, $\tilde{Y}_b = Y_b$ and $\mathrm{mcf}(\tilde{Y}_b, \tilde{Z}_w) = \mathrm{mcf}(Y_b, \tilde{Z}_w) = \mathrm{mcf}(Y_b, (G_e, \tilde{Z}_w)) = \mathrm{mcf}(Y_b, Z_w)$, which follows from Lemma 6.
Now we will verify that $C_W$ and $R_L$ do not change. First let us show that $R_L(Z_V \| Z_w) \le R_L(\tilde{Z}_V \| \tilde{Z}_w)$ and $C_W(Z_V \| Z_w) \ge C_W(\tilde{Z}_V \| \tilde{Z}_w)$. Let $\tilde{F}^{(n)}$ be an optimal communication for $R_L(\tilde{Z}_V \| \tilde{Z}_w)$. We can make use of $\tilde{F}^{(n)}$ to construct an omniscience communication for the source $(Z_V, Z_w)$. Set $F^{(n)} = (G_e^n, \tilde{F}^{(n)})$. This communication is made as follows. Both the terminals incident on the edge $e$ have $Y_e^n$, or equivalently $(G_e^n, \tilde{Y}_e^n)$. One of them communicates $G_e^n$. In addition, all the terminals communicate according to $\tilde{F}^{(n)}$, because for every user $i$, $\tilde{Z}_i^n$ is recoverable from $Z_i^n$. It is easy to verify that this is an omniscience communication for $(Z_V, Z_w)$. The minimum rate of leakage for omniscience satisfies
$R_L(Z_V \| Z_w) \le \frac{1}{n} I(Z_V^n \wedge F^{(n)} \mid Z_w^n)$
$= \frac{1}{n} I(Z_V^n \wedge G_e^n, \tilde{F}^{(n)} \mid Z_w^n)$
$\overset{(a)}{=} \frac{1}{n} I(Z_V^n, G_e^n \wedge G_e^n, \tilde{F}^{(n)} \mid \tilde{Z}_w^n, G_e^n)$
$= \frac{1}{n} I(Z_V^n \wedge \tilde{F}^{(n)} \mid \tilde{Z}_w^n, G_e^n)$
$\overset{(b)}{=} \frac{1}{n} I(\tilde{Z}_V^n \wedge \tilde{F}^{(n)} \mid \tilde{Z}_w^n)$
$\overset{(c)}{\le} R_L(\tilde{Z}_V \| \tilde{Z}_w) + \delta_n$,
for some $\delta_n \to 0$. Here, (a) is due to the fact that $(G_e, \tilde{Z}_w)$ is obtained by a linear invertible transformation of $Z_w$, (b) follows from the independence of $G_e$ and $(\tilde{Z}_V, \tilde{Z}_w)$, and (c) uses the fact that $\tilde{F}^{(n)}$ is an $R_L(\tilde{Z}_V \| \tilde{Z}_w)$-achieving communication. It shows that $R_L(Z_V \| Z_w) \le R_L(\tilde{Z}_V \| \tilde{Z}_w)$. Similarly, let $(\tilde{F}^{(n)}, \tilde{K}^{(n)})$ be a communication and key pair which is optimal for $C_W(\tilde{Z}_V \| \tilde{Z}_w)$. By letting $(F^{(n)}, K^{(n)}) = (\tilde{F}^{(n)}, \tilde{K}^{(n)})$ for the source $(Z_V, Z_w)$, we can see that the key recoverability condition is satisfied. Thus $(F^{(n)}, K^{(n)})$ constitute a valid SKA scheme for $(Z_V, Z_w)$, which implies that $C_W(Z_V \| Z_w) \ge C_W(\tilde{Z}_V \| \tilde{Z}_w)$.
To prove the reverse inequalities, $R_L(Z_V \| Z_w) \ge R_L(\tilde{Z}_V \| \tilde{Z}_w)$ and $C_W(Z_V \| Z_w) \le C_W(\tilde{Z}_V \| \tilde{Z}_w)$, we use the idea of simulating the source $(Z_V, Z_w)$ from $(\tilde{Z}_V, \tilde{Z}_w)$. Consider the source $(\tilde{Z}_V, \tilde{Z}_w)$ in which one of the terminals $i$ incident on the edge $e$ generates the randomness $G_e$, which is independent of the source, and broadcasts it, after which the other terminal $j$ incident on $e$ and the wiretapper have $G_e$. These two terminals $i$ and $j$ simulate $Y_e$ from $\tilde{Y}_e$ and $G_e$, whereas the other terminals' observations are the same as those of $Z_V$. Hence they can communicate according to $F^{(n)}$ on the simulated source $Z_V$. If $F^{(n)}$ achieves omniscience for $Z_V^n$, then so does $\tilde{F}^{(n)} = (G_e^n, F^{(n)})$ for $\tilde{Z}_V^n$. Therefore the omniscience recoverability condition is satisfied. Furthermore, if we choose $F^{(n)}$ to be an $R_L(Z_V \| Z_w)$-achieving communication, then the minimum rate of leakage for omniscience satisfies
$R_L(\tilde{Z}_V \| \tilde{Z}_w) \le \frac{1}{n} I(\tilde{Z}_V^n \wedge \tilde{F}^{(n)} \mid \tilde{Z}_w^n)$
$= \frac{1}{n} I(\tilde{Z}_V^n \wedge G_e^n, F^{(n)} \mid \tilde{Z}_w^n)$
$= \frac{1}{n} I(\tilde{Z}_V^n \wedge G_e^n \mid \tilde{Z}_w^n) + \frac{1}{n} I(\tilde{Z}_V^n \wedge F^{(n)} \mid \tilde{Z}_w^n, G_e^n)$
$\overset{(a)}{=} \frac{1}{n} I(\tilde{Z}_V^n, G_e^n \wedge F^{(n)} \mid \tilde{Z}_w^n, G_e^n)$
$\overset{(b)}{=} \frac{1}{n} I(Z_V^n \wedge F^{(n)} \mid Z_w^n)$
$\overset{(c)}{\le} R_L(Z_V \| Z_w) + \delta_n$,
for some $\delta_n \to 0$. Here, (a) follows from the independence of $G_e$ and $(\tilde{Z}_V, \tilde{Z}_w)$, (b) is because $(G_e, \tilde{Z}_w)$ can be obtained by a linear invertible transformation of $Z_w$, and (c) uses the fact that $F^{(n)}$ is an $R_L(Z_V \| Z_w)$-achieving communication. This shows that $R_L(Z_V \| Z_w) \ge R_L(\tilde{Z}_V \| \tilde{Z}_w)$. Similarly, if $(F^{(n)}, K^{(n)})$ is a communication and key pair for $(Z_V, Z_w)$, then the terminals can communicate according to $\tilde{F}^{(n)} = (G_e^n, F^{(n)})$ and agree upon the key $\tilde{K}^{(n)} = K^{(n)}$, which is possible due to the simulation. Hence the key recoverability is immediate. The secrecy condition is also satisfied because $I(\tilde{K}^{(n)} \wedge \tilde{F}^{(n)}, \tilde{Z}_w^n) = I(K^{(n)} \wedge F^{(n)}, G_e^n, \tilde{Z}_w^n) = I(K^{(n)} \wedge F^{(n)}, Z_w^n)$. Hence $(\tilde{F}^{(n)}, \tilde{K}^{(n)})$ forms a valid SKA scheme for $(\tilde{Z}_V, \tilde{Z}_w)$, which implies that $C_W(\tilde{Z}_V \| \tilde{Z}_w) \ge C_W(Z_V \| Z_w)$.
We have shown that $R_L(Z_V \| Z_w) = R_L(\tilde{Z}_V \| \tilde{Z}_w)$, $C_W(Z_V \| Z_w) = C_W(\tilde{Z}_V \| \tilde{Z}_w)$, and for the edge $e$, $\mathrm{mcf}(\tilde{Y}_e, \tilde{Z}_w)$ is a constant function and $H(\tilde{Y}_e \mid \mathrm{mcf}(\tilde{Y}_e, \tilde{Z}_w)) = H(\tilde{Y}_e)$. Furthermore, we have shown that this reduction does not change the m.c.f. of $Y_b$ and $Z_w$ when $b \neq e$. If the source $(\tilde{Z}_V, \tilde{Z}_w)$ is not irreducible, then we can apply the above reduction again on $(\tilde{Z}_V, \tilde{Z}_w)$ without affecting $C_W$ and $R_L$. Note that the cardinality of the set of all edges $b$ such that $\mathrm{mcf}(Y_b, Z_w)$ is a non-constant function reduces by one after each reduction step. So, this process terminates after a finite number of steps at an irreducible source, which completes the proof.
B. Proof of Theorem 5
Converse part. An upper bound on $C_W$ is $C_S$, because the key generation ability of the users can only increase if the wiretapper has no side information. It was shown in [4, Example 5] that if the random variables of a source form a Markov chain on a tree, then $C_S = \min_{(i,j) : \{i,j\} = \xi(e)} I(Z_i \wedge Z_j)$. In the tree-PIN case, which satisfies the Markov property, this turns out to be $C_S = \min_{e \in E} H(Y_e)$. As a consequence, we have $C_W \le \min_{e \in E} H(Y_e)$ and
$R_L \overset{(a)}{\ge} H(Z_V \mid Z_w) - C_W \overset{(b)}{=} \Big(\sum_{e \in E} n_e - n_w\Big) \log_2 q - C_W \ge \Big(\sum_{e \in E} n_e - n_w\Big) \log_2 q - \min_{e \in E} H(Y_e)$, (44)
where (a) follows from Theorem 1 and (b) is due to the full column-rank assumption on $W$.
Achievability part. In this section, we will show the existence of an omniscience scheme with leakage rate $\big(\sum_{e \in E} n_e - n_w\big) \log_2 q - \min_{e \in E} H(Y_e)$. Hence $R_L \le \big(\sum_{e \in E} n_e - n_w\big) \log_2 q - \min_{e \in E} H(Y_e)$, which together with the chain of inequalities (44) implies that $C_W = \min_{e \in E} H(Y_e) = C_S$ and $R_L = \big(\sum_{e \in E} n_e - n_w\big) \log_2 q - C_S$. In particular, for achieving a secret key of rate $C_W = \min_{e \in E} H(Y_e)$, the terminals use privacy amplification on the recovered source.
In fact, the existence of an omniscience scheme is shown by first constructing a template for the communication with the desired properties and then showing the existence of an instance of it by a probabilistic argument. The following are the key components involved in this construction.
1) Deterministic scheme: A scheme is said to be deterministic if terminals are not allowed to use any locally generated private randomness.
2) Perfect omniscience [10]: For a fixed $n \in \mathbb{N}$, $F^{(n)}$ is said to achieve perfect omniscience if terminals can recover the source $Z_V^n$ perfectly, i.e., $H(Z_V^n \mid F^{(n)}, Z_i^n) = 0$ for all $i \in V$. If we do not allow any private randomness, then $H(F^{(n)} \mid Z_V^n) = 0$, which implies
$\frac{1}{n} I(Z_V^n \wedge F^{(n)} \mid Z_w^n) = \frac{1}{n}\big[H(F^{(n)} \mid Z_w^n) - H(F^{(n)} \mid Z_w^n, Z_V^n)\big] = \frac{1}{n} H(F^{(n)} \mid Z_w^n)$.
3) Perfect alignment: For an $n \in \mathbb{N}$, we say that $F^{(n)}$ perfectly aligns with $Z_w^n$ if $H(Z_w^n \mid F^{(n)}) = 0$. Note that $Z_w^n$ is recoverable from $F^{(n)}$ but not the other way around. In this case, $H(F^{(n)} \mid Z_w^n) = H(F^{(n)}) - H(Z_w^n)$. In an FLS, the wiretapper side information is $Z_w^n = X^n W^{(n)}$, where $X$ is the base vector. Suppose the communication is of the form $F^{(n)} = X^n \mathsf{F}^{(n)}$ for some matrix $\mathsf{F}^{(n)}$; then the condition of perfect alignment is equivalent to the condition that the column space of $\mathsf{F}^{(n)}$ contains the column space of $W^{(n)}$. This is in turn equivalent to the condition that the left nullspace of $W^{(n)}$ contains the left nullspace of $\mathsf{F}^{(n)}$, i.e., if $y \mathsf{F}^{(n)} = 0$ for some vector $y$ then $y W^{(n)} = 0$.
So we will construct a linear (deterministic) communication scheme, for some fixed $n$, achieving both perfect omniscience and perfect alignment. As a consequence, the leakage rate for omniscience is equal to $\frac{1}{n} I(Z_V^n \wedge F^{(n)} \mid Z_w^n) = \frac{1}{n} H(F^{(n)} \mid Z_w^n) = \frac{1}{n}\big[H(F^{(n)}) - H(Z_w^n)\big] = \frac{1}{n} H(F^{(n)}) - n_w \log_2 q$. To show the desired rate, it is enough to have $\frac{1}{n} H(F^{(n)}) = \big(\sum_{e \in E} n_e\big) \log_2 q - \min_{e \in E} H(Y_e)$.
We describe our construction first for the case of a PIN model on a path of length $L$, and $n_e = s$ for all edges $e \in E$. The essential ideas in this construction will serve as a road map for other, more general, cases. The construction is extended to the case of tree-PIN models, again with $n_e = s$ for all edges $e$, using the fact that there exists a unique path from any vertex to a particular vertex designated as the root of the tree. Finally, for tree-PIN models in which $n_e$ can be different for distinct edges $e$, we give only a sketch of the proof; the technical details required to fill in the sketch can be found in [31].
1) Path of length $L$ and $n_e = s$ for all $e \in E$: Let $V = \{0, 1, \dots, L\}$ be the set of vertices and $E = \{1, \dots, L\}$ be the edge set such that edge $i$ is incident on vertices $i-1$ and $i$ (Fig. 5). Since $n_e = s$, $\min_{e \in E} H(Y_e) = s \log_2 q$. Fix a positive integer $n$ such that $n > \log_q(sL)$. With $n$ i.i.d. realizations of the source, the vector corresponding to edge $i$ can be expressed as $Y_i^n = [X_{i,1}^n \; \dots \; X_{i,s}^n]$, where the $X_{i,j}^n$'s can be viewed as elements in $\mathbb{F}_{q^n}$. Hence $Y_i^n \in (\mathbb{F}_{q^n})^s$. The goal is to construct a linear communication scheme $F^{(n)}$ that achieves both perfect omniscience and perfect alignment simultaneously such that $H(F^{(n)}) = n\big[\big(\sum_{e \in E} n_e\big) \log_2 q - \min_{e \in E} H(Y_e)\big] = n(sL - s) \log_2 q$.
Fig. 5. Path of length $L$: vertices $0, 1, \dots, i-1, i, \dots, L-1, L$, with edge $i$ joining vertices $i-1$ and $i$.
Now we will construct the communication as follows. Leaf nodes $0$ and $L$ do not communicate. The internal node $i$ communicates $F_i^{(n)} = Y_i^n + Y_{i+1}^n A_i$, where $A_i$ is an $s \times s$ matrix with elements from $\mathbb{F}_{q^n}$. This communication is of the form
$F^{(n)} = [F_1^{(n)} \; \cdots \; F_{L-1}^{(n)}] = [Y_1^n \; \cdots \; Y_L^n]\, \mathsf{F}^{(n)}$, where
$\mathsf{F}^{(n)} := \begin{bmatrix} I & 0 & \cdots & 0 & 0 \\ A_1 & I & \cdots & 0 & 0 \\ 0 & A_2 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & A_{L-2} & I \\ 0 & 0 & \cdots & 0 & A_{L-1} \end{bmatrix}$.
Here $\mathsf{F}^{(n)}$ is an $sL \times s(L-1)$ matrix over $\mathbb{F}_{q^n}$. Observe that $\mathrm{rank}_{\mathbb{F}_{q^n}}(\mathsf{F}^{(n)}) = s(L-1)$, which implies that $H(F^{(n)}) = (sL - s) \log_2 q^n$ and the dimension of the left nullspace of $\mathsf{F}^{(n)}$ is $s$. Now the communication coefficients $(A_i : 1 \le i \le L-1)$ have to be chosen such that $F^{(n)}$ achieves both perfect omniscience and perfect alignment. Let us derive some conditions on these matrices.
For perfect omniscience, it is sufficient for the $A_i$'s to be invertible. This follows from the observation that for any $i \in V$, $[\mathsf{F}^{(n)} \mid H_i]$ is full rank, where $H_i$ is a block-column vector with an $s \times s$ identity matrix at block-index $i$ and the all-zero $s \times s$ matrix at the rest of the block-indices. In other words, $(Y_1^n, \dots, Y_L^n)$ is recoverable from $(F^{(n)}, Y_i^n)$ for any $i \in E$, hence achieving omniscience. So we assume that the $A_i$'s are invertible.
For perfect alignment, we require that the left nullspace of $\mathsf{F}^{(n)}$ is contained in the left nullspace of $W^{(n)}$, which is the wiretapper matrix corresponding to $n$ i.i.d. realizations. Note that $W^{(n)}$ is a $\big(\sum_{e \in E} n_e\big) \times n_w$ matrix over $\mathbb{F}_{q^n}$ with entries $W^{(n)}(k, l) = W(k, l) \in \mathbb{F}_q$; since $\mathbb{F}_q \subseteq \mathbb{F}_{q^n}$, $W^{(n)}(k, l) \in \mathbb{F}_{q^n}$. As pointed out before, the dimension of the left nullspace of $\mathsf{F}^{(n)}$ is $s$, whereas the dimension of the left nullspace of $W^{(n)}$ is $sL - n_w$. Since the source is irreducible, it follows from Lemma 9 in Appendix C-D that $s \le sL - n_w$. Since the dimensions are appropriate, the left nullspace inclusion condition is not impossible. Set $S := [S_1 \; S_2 \; \cdots \; S_L]$, where $S_1$ is some invertible matrix (over $\mathbb{F}_{q^n}$) and $S_{i+1} := (-1)^i S_1 A_1^{-1} \cdots A_i^{-1}$ for $1 \le i \le L-1$. Observe that $S \mathsf{F}^{(n)} = 0$. Note that the $S_i$'s are also invertible, and $A_i = -S_{i+1}^{-1} S_i$ for $1 \le i \le L-1$. The dimension of the left nullspace of $\mathsf{F}^{(n)}$ is $s$, and all the $s$ rows of $S$ are independent, so these rows span the left nullspace of $\mathsf{F}^{(n)}$. Therefore, for the inclusion, we must have $S W^{(n)} = 0$.
Thus, proving the existence of communication coefficients $A_i$'s that achieve perfect omniscience and perfect alignment is equivalent to proving the existence of $S_i$'s that are invertible and satisfy $[S_1 \; \cdots \; S_L] W^{(n)} = 0$. To do this, we use the probabilistic method. Consider the system of equations $[y_1 \; \cdots \; y_{sL}] W^{(n)} = 0$ in $sL$ variables. Since the matrix $W^{(n)}$ has full column rank, the solutions can be described in terms of $m := sL - n_w$ free variables. As a result, any $S$ that satisfies $S W^{(n)} = 0$ can be parametrized by $ms$ variables. Without loss of generality, we assume that the submatrix of $S$ formed by the first $m$ columns has these independent variables, $(s_{i,j} : 1 \le i \le s, 1 \le j \le m)$. Knowing these entries determines the rest of the entries of $S$. So we choose the $s_{i,j}$'s independently and uniformly from $\mathbb{F}_{q^n}$. We would like to know if there is any realization such that all the $S_i$'s are invertible, which is equivalent to the condition $\prod_{i=1}^{L} \det(S_i) \neq 0$. Note that $\prod_{i=1}^{L} \det(S_i)$ is a multivariate polynomial in the variables $s_{i,j}$, $1 \le i \le s$, $1 \le j \le m$, with degree at most $sL$. Furthermore, the polynomial is not identically zero, which follows from the irreducibility of $W^{(n)}$. A proof of this fact is given in Lemma 10 in Appendix C-D. Therefore, applying the Schwartz-Zippel lemma (Lemma 7 in Appendix C-D), we have
$\Pr\Big\{\prod_{i=1}^{L} \det(S_i) \neq 0\Big\} \ge 1 - \frac{sL}{q^n} \overset{(a)}{>} 0$,
where (a) follows from the choice $n > \log_q(sL)$. Since the probability is strictly positive, there exists a realization of $S$ such that $S W^{(n)} = 0$ and the $S_i$'s are invertible, which in turn shows the existence of a desired $F^{(n)}$.
2) Tree with $L$ edges and $n_e = s$ for all $e \in E$: For the tree-PIN model, we essentially use the same kind of communication construction as that of the path model. Consider a PIN model on a tree with $L+1$ nodes and $L$ edges. To describe the linear communication, fix some leaf node as the root, $\rho$, of the tree. For any internal node $i$ of the tree, let $E_i$ denote the edges incident with $i$, and in particular, let $e^*(i) \in E_i$ denote the edge incident with $i$ that is on the unique path between $i$ and $\rho$. Fix a positive integer $n$ such that $n > \log_q(sL)$. The communication from an internal node $i$ is $(Y_{e^*(i)}^n + Y_e^n A_{i,e} : e \in E_i \setminus \{e^*(i)\})$, where $A_{i,e}$ is an $s \times s$ matrix. Each internal node communicates $s(d_i - 1)$ symbols from $\mathbb{F}_{q^n}$, where $d_i$ is the degree of the node $i$. Leaf nodes do not communicate. The total number of $\mathbb{F}_{q^n}$-symbols communicated is $\sum_i s(d_i - 1)$, where the sum is over all nodes, including leaf nodes. The contribution to the sum from leaf nodes is in fact $0$, but including all nodes in the sum allows us to evaluate the sum as $s[2 \times (\text{number of edges}) - (\text{number of nodes})] = s(L-1)$. Thus, we have the overall communication of the form
$F^{(n)} = Y^n \mathsf{F}^{(n)}$,
where $\mathsf{F}^{(n)}$ is an $sL \times s(L-1)$ matrix over $\mathbb{F}_{q^n}$ and $Y^n = (Y_e^n)$. The rows of $\mathsf{F}^{(n)}$ correspond to the edges of the tree. The aim is to choose the matrices $A_{i,e}$ that achieve both perfect omniscience and perfect alignment simultaneously such that $H(F^{(n)}) = n\big[\big(\sum_{e \in E} n_e\big) \log_2 q - \min_{e \in E} H(Y_e)\big] = n(sL - s) \log_2 q$.
For perfect omniscience, it is sufficient for the $A_{i,e}$'s to be invertible. First observe that all the leaf nodes are connected to the root node $\rho$ via paths. On each of these paths the communication has exactly the same form as that of the path model considered before. So when the $A_{i,e}$'s are invertible, the root node can recover the entire source using $Y_{e_\rho}^n$, where $e_\rho$ is the edge incident on $\rho$. Now take any node $i$; there is a unique path from $i$ to $\rho$. Again the form of the communication restricted to this path is the same as that of the path model. Hence node $i$, just using $Y_{e^*(i)}^n$, can recover $Y_{e_\rho}^n$, which in turn, along with the overall communication, allows node $i$ to recover the entire source. Indeed, only the edge observations $Y_e^n$ are used in the recovery process.
Because $Y^n$ is recoverable from $(F^{(n)}, Y_e^n)$ for any $e \in E$, $[\mathsf{F}^{(n)} \mid H_e]$ is an invertible $sL \times sL$ matrix, where $H_e$ is a block-column vector with an $s \times s$ identity matrix at the block-index corresponding to edge $e$ and the all-zero $s \times s$ matrix at the rest of the block-indices. Therefore $\mathsf{F}^{(n)}$ is a full column-rank matrix, i.e., $\mathrm{rank}_{\mathbb{F}_{q^n}}(\mathsf{F}^{(n)}) = s(L-1)$, which implies that $H(F^{(n)}) = (sL - s) \log_2 q^n$ and the dimension of the left nullspace of $\mathsf{F}^{(n)}$ is $s$.
For perfect alignment, we require that the left nullspace of $\mathsf{F}^{(n)}$ is contained in the left nullspace of $W^{(n)}$. So, let us construct an $S = (S_e)$ such that $S \mathsf{F}^{(n)} = 0$ as follows. Let $S_1$ be an invertible matrix. Each edge $e$ has two nodes incident with it; let $i^*(e)$ denote the node that is closer to the root $\rho$. There is a unique path $i^*(e) = i_1 \to i_2 \to \cdots \to i_\ell = \rho$ that connects $i^*(e)$ to $\rho$, and let the edges along the path in this order be $(e = e_1, e_2, \dots, e_\ell)$; see Fig. 6. We set
$S_e := (-1)^{\ell - 1} S_1 A_{i_{\ell-1}, e_{\ell-1}}^{-1} \cdots A_{i_1, e_1}^{-1}$
for all edges $e$ except for the edge incident with $\rho$, to which we associate $S_1$. Note that the $S_e$'s are invertible and $S_e = -S_{e^\#} A_{i^*(e), e}^{-1}$, where $e^\#$ is the edge adjacent to $e$ on the unique path from $i^*(e)$ to $\rho$. Let us now verify that $S \mathsf{F}^{(n)} = 0$. The component corresponding to the internal node $i$ in $S \mathsf{F}^{(n)}$ is of the form $(S_{e^*(i)} + S_e A_{i,e} : e \in E_i \setminus \{e^*(i)\})$. But for an $e \in E_i \setminus \{e^*(i)\}$, $i^*(e) = i$ and $e^\# = e^*(i)$; thus $S_e A_{i,e} = -S_{e^\#} A_{i^*(e), e}^{-1} A_{i,e} = -S_{e^*(i)} A_{i,e}^{-1} A_{i,e} = -S_{e^*(i)}$. Hence we have $S_{e^*(i)} + S_e A_{i,e} = 0$, which implies $S \mathsf{F}^{(n)} = 0$. The dimension of the left nullspace of $\mathsf{F}^{(n)}$ is $s$ and all the $s$ rows of $S$ are independent, so these rows span the left nullspace of $\mathsf{F}^{(n)}$. Therefore, for the inclusion of one nullspace within the other, we must have $S W^{(n)} = 0$.
Fig. 6. Unique path between an internal node $i$ and the root $\rho$, showing the node $i^*(e)$, the edge $e = e^*(i)$ and the next edge $e^\#$ on the path towards $\rho$.
Finally, we can prove the existence of $S$ such that $S W^{(n)} = 0$ and the $S_i$'s are invertible, using the probabilistic method exactly as before. The details are omitted. This shows the existence of a desired $F^{(n)}$.
3) Path and tree with $L$ edges and arbitrary $n_e$: In this case, we define $s := \min\{n_e : e \in E\}$. We consider a communication $F^{(n)}$ that consists of two parts. One part involves the communication that is similar to that of the $n_e = s$ case, where we use the first $s$ random variables associated to each edge $e$. The other part involves revealing the rest of the random variables on each edge, but this is done by linearly combining them with the first $s$ rvs.
For this kind of communication structure, we can in fact show, in a similar way as in the $n_e = s$ case, the existence of an $F^{(n)}$ with the desired properties. The technical details are omitted, but they can be found in [31].
C. Proof of Lemma 6
Recall that we assume that $Z$ is independent of $(X, Y)$. Any common function (c.f.) of $X$ and $Y$ is also a common function of $X$ and $(Y, Z)$. Let $F$ be a c.f. of $X$ and $(Y, Z)$, which means that $H(F \mid X) = 0 = H(F \mid Y, Z)$. Note that $H(F \mid Y) = H(Z \mid Y) + H(F \mid Y, Z) - H(Z \mid F, Y) = H(Z) - H(Z \mid F, Y)$. Also we have $H(Z \mid F, Y) \ge H(Z \mid X, Y)$, which follows from the fact that $F$ is a function of $X$. Both these inequalities together imply that $0 \le H(F \mid Y) \le H(Z) - H(Z \mid X, Y) = 0$. So any c.f. of $X$ and $(Y, Z)$ is also a c.f. of $X$ and $Y$. Therefore $\mathrm{mcf}(X, (Y, Z)) = \mathrm{mcf}(X, Y)$.
We can see that $(\mathrm{mcf}(X, Y), Z)$ is a c.f. of $(X, Z)$ and $(Y, Z)$. To show that $\mathrm{mcf}((X, Z), (Y, Z)) = (\mathrm{mcf}(X, Y), Z)$, it is enough to show that $H(\mathrm{mcf}(X, Y), Z) \ge H(G)$ for any $G$ satisfying $H(G \mid X, Z) = 0 = H(G \mid Y, Z)$. Since $\sum_{z \in \mathcal{Z}} P_Z(z) H(G \mid X, Z = z) = H(G \mid X, Z) = 0$, for a $z \in \mathrm{supp}(P_Z)$ we have $H(G \mid X, Z = z) = 0$. Similarly, $H(G \mid Y, Z = z) = 0$. Thus, for a fixed $Z = z$, $G$ is a c.f. of the rvs $X$ and $Y$ jointly distributed according to $P_{X,Y \mid Z = z}$. In this case, let $\mathrm{mcf}(X, Y)_{Z=z}$ denote the m.c.f., which indeed depends on the conditional distribution. However, because of the independence $P_{X,Y \mid Z = z} = P_{X,Y}$, the $\mathrm{mcf}(X, Y)_{Z=z}$ remains the same across all $z$, and is equal to $\mathrm{mcf}(X, Y)$. Therefore, from the optimality of the m.c.f., we have $H(G \mid Z = z) \le H(\mathrm{mcf}(X, Y)_{Z=z} \mid Z = z) = H(\mathrm{mcf}(X, Y) \mid Z = z) = H(\mathrm{mcf}(X, Y))$, where the last equality follows from the independence of $Z$ and $(X, Y)$. As a consequence, we have $H(G \mid Z) = \sum_{z \in \mathcal{Z}} P_Z(z) H(G \mid Z = z) \le H(\mathrm{mcf}(X, Y))$. The desired inequality follows from $H(G) \le H(G, Z) = H(G \mid Z) + H(Z) \le H(\mathrm{mcf}(X, Y)) + H(Z) = H(\mathrm{mcf}(X, Y), Z)$. This proves that $\mathrm{mcf}((X, Z), (Y, Z)) = (\mathrm{mcf}(X, Y), Z)$.
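As an added example, not part of the paper, the following Python code computes the m.c.f. of two discrete random variables from their joint pmf using the standard Gács-Körner characterization (the connected components of the bipartite graph on the supports, with an edge for every pair of positive probability), and checks both identities of Lemma 6 on a constructed source $(X, Y)$ with an independent $Z$. It also runs the same check with a constructed $Z$ that is a function of $X$, where the hypothesis of the lemma fails and so does its first identity. The pmfs, weights and all function names are the example's own assumptions.

```python
"""Added example: Gacs-Korner m.c.f. from a joint pmf, used to check Lemma 6."""
import math

def mcf_labels(pmf):
    """pmf: {(x, y): probability}. Returns (label_x, label_y) mapping each value of X
    and of Y to the index of its connected component in the bipartite support graph.
    That index is the m.c.f.: it is a function of X alone and of Y alone, and every
    common function of X and Y is constant on each component."""
    adj = {}
    for (x, y), pr in pmf.items():
        if pr > 0:
            adj.setdefault(("x", x), set()).add(("y", y))
            adj.setdefault(("y", y), set()).add(("x", x))
    label, comp = {}, 0
    for start in adj:
        if start in label:
            continue
        stack, label[start] = [start], comp
        while stack:                      # depth-first flood fill of one component
            u = stack.pop()
            for v in adj[u]:
                if v not in label:
                    label[v] = comp
                    stack.append(v)
        comp += 1
    return ({v: c for (side, v), c in label.items() if side == "x"},
            {v: c for (side, v), c in label.items() if side == "y"})

def mcf_entropy(pmf):
    """H(mcf(X, Y)) in bits: the entropy of the component index."""
    label_x, _ = mcf_labels(pmf)
    mass = {}
    for (x, _), pr in pmf.items():
        mass[label_x[x]] = mass.get(label_x[x], 0.0) + pr
    return -sum(p * math.log2(p) for p in mass.values() if p > 0)

def same_partition(a, b):
    """Two labelings of the same keys describe the same function up to relabeling."""
    keys = list(a)
    return set(keys) == set(b) and all((a[i] == a[j]) == (b[i] == b[j]) for i in keys for j in keys)

def check_lemma6(pxyz):
    """pxyz: {(x, y, z): probability}. Returns (first, second): whether, as partitions,
    mcf(X,(Y,Z)) = mcf(X,Y) and mcf((X,Z),(Y,Z)) = (mcf(X,Y), Z). Lemma 6 says both hold
    when Z is independent of (X, Y); the code itself does not assume independence."""
    pxy = {}
    for (x, y, z), pr in pxyz.items():
        pxy[(x, y)] = pxy.get((x, y), 0.0) + pr          # marginal of (X, Y)
    label_x, _ = mcf_labels(pxy)
    first = same_partition(label_x, mcf_labels({(x, (y, z)): pr for (x, y, z), pr in pxyz.items()})[0])
    lab_xz, _ = mcf_labels({((x, z), (y, z)): pr for (x, y, z), pr in pxyz.items()})
    target = {(x, z): (label_x[x], z) for (x, z) in lab_xz}   # the pair (mcf(X,Y), Z)
    return first, same_partition(lab_xz, target)

# Constructed source: X = (C, X'), Y = (C, Y') with a shared uniform bit C, encoded as
# X = 2C + X', Y = 2C + Y'; non-uniform weights inside each component keep the common part
# equal to C and nothing more.
_W = [[0.4, 0.1], [0.2, 0.3]]
PXY_EXAMPLE = {(2 * c + a, 2 * c + b): 0.5 * _W[a][b] for c in (0, 1) for a in (0, 1) for b in (0, 1)}
PXYZ_INDEPENDENT = {(x, y, z): pr * 0.5 for (x, y), pr in PXY_EXAMPLE.items() for z in (0, 1)}
PXYZ_DEPENDENT = {(x, y, x % 2): pr for (x, y), pr in PXY_EXAMPLE.items()}   # Z = X', a function of X

def example():
    return {"H_mcf_bits": mcf_entropy(PXY_EXAMPLE),          # 1.0: the shared bit C
            "independent_Z": check_lemma6(PXYZ_INDEPENDENT),  # (True, True)
            "dependent_Z": check_lemma6(PXYZ_DEPENDENT)}      # (False, True)
```

For the dependent case the second identity still holds because $(\mathrm{mcf}(X, Y), Z) = (C, X')$ happens to determine $X$ completely, while the first fails: with $Z = X'$ available on the $(Y, Z)$ side, all of $X$ becomes common.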
D. Useful Lemmas related to the proof of Theorem 5
Lemma 7 (Schwartz-Zippel lemma) Let $P(X_1, \dots, X_n)$ be a non-zero polynomial in $n$ variables with degree $d$ and coefficients from a finite field $\mathbb{F}_q$. Given a non-empty set $S \subseteq \mathbb{F}_q$, if we choose the $n$-tuple $(x_1, \dots, x_n)$ uniformly from $S^n$, then
$\Pr\{(x_1, \dots, x_n) \in S^n : P(x_1, \dots, x_n) = 0\} \le \frac{d}{|S|}$.
Fix two positive integers $m$ and $s$ such that $s \le m$. Consider the integral domain $\mathbb{F}_q[X_{11}, \dots, X_{1m}, \dots, X_{s1}, \dots, X_{sm}]$, which is the set of all multivariate polynomials in the indeterminates $X_{11}, \dots, X_{1m}, \dots, X_{s1}, \dots, X_{sm}$ with coefficients from a finite field $\mathbb{F}_q$. Let us consider a matrix of the form
$M = \begin{bmatrix} L_1(Y_1) & L_2(Y_1) & \cdots & L_s(Y_1) \\ L_1(Y_2) & L_2(Y_2) & \cdots & L_s(Y_2) \\ \vdots & \vdots & \ddots & \vdots \\ L_1(Y_s) & L_2(Y_s) & \cdots & L_s(Y_s) \end{bmatrix}_{s \times s}$, (45)
where $Y_k := [X_{k1}, \dots, X_{km}]$ for $1 \le k \le s$ and $L_i(Y_k)$ denotes a linear combination over $\mathbb{F}_q$ of the indeterminates $X_{k1}, \dots, X_{km}$. Note that row $k$ depends only on $Y_k$. Let $X := [Y_1^T, \dots, Y_s^T]^T$, and let $P(X)$ denote a polynomial in the indeterminates $X_{11}, \dots, X_{1m}, \dots, X_{s1}, \dots, X_{sm}$, with coefficients from $\mathbb{F}_q$.
It is a fact [32, p. 528] that for a general matrix $M$ with entries from $\mathbb{F}_q[X]$, $\det(M) = 0$ if and only if there exist polynomials $P_k(X)$, $1 \le k \le s$, not all zero, such that
$M [P_1(X), \dots, P_s(X)]^T = 0$.
But this does not guarantee a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $M \lambda^T = 0$. However, the following lemma shows that if the matrix is of the form (45), then this is the case.
Lemma 8 Let $M$ be a matrix of the form (45). Then $\det(M) = 0$ iff there exists a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $M \lambda^T = 0$. ✷
PROOF The "if" part holds for any matrix $M$ by the fact stated above. For the "only if" part, suppose that $\det(M) = 0$. We can write $M$ as follows:
$M = \underbrace{\begin{bmatrix} X_{11} & X_{12} & \cdots & X_{1m} \\ X_{21} & X_{22} & \cdots & X_{2m} \\ \vdots & \vdots & \ddots & \vdots \\ X_{s1} & X_{s2} & \cdots & X_{sm} \end{bmatrix}}_{= X} \underbrace{\begin{bmatrix} a_{11} & a_{21} & \cdots & a_{s1} \\ a_{12} & a_{22} & \cdots & a_{s2} \\ a_{13} & a_{23} & \cdots & a_{s3} \\ \vdots & \vdots & \ddots & \vdots \\ a_{1m} & a_{2m} & \cdots & a_{sm} \end{bmatrix}}_{:= A}$
for some $A \in \mathbb{F}_q^{m \times s}$. Now consider the determinant of the matrix $M$:
$\det(M) = \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma)\, L_{\sigma(1)}(Y_1) \cdots L_{\sigma(s)}(Y_s)$
$= \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma) \Big(\sum_{j_1 = 1}^{m} a_{\sigma(1) j_1} X_{1 j_1}\Big) \cdots \Big(\sum_{j_s = 1}^{m} a_{\sigma(s) j_s} X_{s j_s}\Big)$
$= \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma) \sum_{j_1, \dots, j_s \in [m]^s} \big(a_{\sigma(1) j_1} \cdots a_{\sigma(s) j_s}\big) X_{1 j_1} \cdots X_{s j_s}$
$= \sum_{j_1, \dots, j_s \in [m]^s} \Big(\sum_{\sigma \in S_s} \mathrm{sgn}(\sigma)\, a_{\sigma(1) j_1} \cdots a_{\sigma(s) j_s}\Big) X_{1 j_1} \cdots X_{s j_s}$
$= \sum_{j_1, \dots, j_s \in [m]^s} \det(A_{j_1 \dots j_s})\, X_{1 j_1} \cdots X_{s j_s}$,
where $A_{j_1 j_2 \dots j_s}$ is the $s \times s$ submatrix of $A$ formed by the rows $j_1, j_2, \dots, j_s$. Since $\det(M) = 0$, $\det(A_{j_1 j_2 \dots j_s}) = 0$ for every collection of distinct indices $j_1, j_2, \dots, j_s$, which implies that any $s$ rows of $A$ are linearly dependent over $\mathbb{F}_q$. This shows that $\mathrm{rank}_{\mathbb{F}_q}(A) < s$; therefore the columns of $A$ are linearly dependent over $\mathbb{F}_q$. Hence there exists a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $A \lambda^T = 0 \Rightarrow M \lambda^T = 0$. □
Definition 3 Let $W$ be a row-partitioned matrix of the form
$W = \begin{bmatrix} W_1 \\ W_2 \\ \vdots \\ W_{|E|} \end{bmatrix}$, (46)
where $W_i$ is an $n_i \times n_w$ matrix over $\mathbb{F}_q$. We say that the matrix $W$ is reducible if there exist an index $i$ and a non-zero row vector $r_i$ in $\mathbb{F}_q^{n_i}$ such that the column span of $W$ contains the column vector $[\,0 \mid \cdots \mid r_i \mid \cdots \mid 0\,]^T$ (with $r_i$ in the $i$-th block). If the matrix $W$ is not reducible, then we say it is irreducible. ✷
A tree-PIN source with linear wiretapper is irreducible iff the wiretapper matrix $W$ is irreducible.
Lemma 9 Let $W$ be a $(\sum_{e \in E} n_e) \times n_w$ wiretapper matrix in the row-partitioned form (46). If the matrix $W$ is irreducible, then $n_w \le (\sum_{e \in E} n_e) - s$, where $s = \min\{n_e : e \in E\}$. ✷
PROOF By elementary column operations and block-row swapping, we can reduce $W$ into the following form:
$\begin{bmatrix} W_{11} & 0 & \cdots & 0 \\ W_{21} & W_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ W_{k1} & W_{k2} & \cdots & W_{kk} \\ \vdots & \vdots & \ddots & \vdots \\ W_{|E|1} & W_{|E|2} & \cdots & W_{|E|k} \end{bmatrix}$,
where the diagonal matrices $W_{jj}$ are full column-rank matrices. Since $W$ is an irreducible matrix, $k \le |E| - 1$. An upper bound on the number of columns of $W_{jj}$ is $n_{e_j}$, where $e_j$ is the edge corresponding to the block-row $j$ (after block-row swapping). So,
$n_w \le \max\Big\{\sum_{j \in K} n_{e_j} : K \subseteq [|E|],\ |K| \le |E| - 1\Big\} \le \max\Big\{\sum_{j \in K} n_{e_j} : |K| = |E| - 1\Big\} = \max\Big\{\sum_{e \in E} n_e - n_{e'} : e' \in E\Big\} = \sum_{e \in E} n_e - s$.
This completes the proof. □
The next lemma is about matrices over $\mathbb{F}_q[X]$ of the form
$\begin{bmatrix} X_{11} & \cdots & X_{1m} & L_1(Y_1) & \cdots & L_l(Y_1) \\ X_{21} & \cdots & X_{2m} & L_1(Y_2) & \cdots & L_l(Y_2) \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ X_{s1} & \cdots & X_{sm} & L_1(Y_s) & \cdots & L_l(Y_s) \end{bmatrix}_{s \times (m + l)}$, (47)
where $L_i(Y_k)$ denotes a linear combination over $\mathbb{F}_q$ of the entries of $Y_k = [X_{k1}, \dots, X_{km}]$. Let us denote a matrix whose entries are the zero polynomials by $\mathbf{0}$.
Lemma 10 Let $W$ be a $(\sum_{e \in E} n_e) \times n_w$ wiretapper matrix over $\mathbb{F}_q$ with full column-rank such that $n_w \le (\sum_{e \in E} n_e) - s$, where $s = \min\{n_e : e \in E\}$. Let $m := \sum_{e \in E} n_e - n_w$. Consider a matrix $S := (S_e, T_e)_{e \in E}$ over $\mathbb{F}_q[X]$ of the form (47), where $S_e$ is an $s \times s$ matrix and $T_e$ is an $s \times (n_e - s)$ matrix. Furthermore, $S$ satisfies $S W = \mathbf{0}$. If $W$ is an irreducible matrix, then $\prod_{e \in E} \det(S_e)$ is a non-zero polynomial. ✷
PROOF Suppose $\prod_{e \in E} \det(S_e)$ is the zero polynomial; then $\det(S_i) \equiv 0$ for some $i \in E$. There are $sm$ indeterminates in $S$, where $s \le m$. Note that $S_i$ has a form similar to (45) for some linear functions. By Lemma 8, $\det(S_i) \equiv 0$ implies that there exists a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $S_i \lambda^T = 0$. Consider the block-column partitioned row vector $R$ such that the block corresponding to the edge $i$ is $R_i = [\lambda_1, \dots, \lambda_s, 0, \dots, 0]$ and $R_j = [\,0\,]$ for all $j \in E \setminus \{i\}$. Then $S R^T = \mathbf{0}$.
Moreover, it is given that $S$ satisfies $S W = \mathbf{0}$. Now, let the $m$ indeterminates in the first row of $S$ take values in $\mathbb{F}_q$ so that we get $m$ linearly independent vectors in the left nullspace of $W$. These vectors are also in the left nullspace of $R^T$ because $S R^T = \mathbf{0}$. Since $W$ has full column-rank, this is possible only if $R^T$ is in the column span of $W$, which implies that $W$ is reducible. □
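As an added example (not the paper's code), the following Python script carries out, over a prime field $\mathbb{F}_p$ with block length $n = 1$ (so $\mathbb{F}_{q^n} = \mathbb{F}_p$ and the condition $n > \log_q(sL)$ becomes $p > sL$), both the irreducibility test of Definition 3 and the path construction of Appendix C-B.1 whose non-vanishing polynomial Lemma 10 just established. It draws $S = [S_1 \cdots S_L]$ uniformly from the left nullspace of $W$ (a basis of that nullspace plays the role of the $m$ free variables $s_{i,j}$), redraws until every $S_i$ is invertible, forms $A_i = -S_{i+1}^{-1} S_i$ and the block-bidiagonal matrix $\mathsf{F}^{(n)}$, and then verifies perfect omniscience ($[\mathsf{F}^{(n)} \mid H_i]$ full rank for every edge), perfect alignment (column space of $W$ inside that of $\mathsf{F}^{(n)}$) and the resulting leakage of $(\mathrm{rank}\,\mathsf{F}^{(n)} - n_w)$ field symbols, i.e. $(sL - s - n_w)\log_2 q$ bits. The wiretapper matrix, the field size, the seed and every function name are constructed for this example.

```python
"""Added example: path-PIN omniscience construction (Appendix C-B.1) and the
irreducibility test of Definition 3 over a prime field F_p, block length n = 1."""
import random

def rref(M, p):
    """Reduced row echelon form over F_p; returns (R, pivot_columns)."""
    R, pivots, r = [row[:] for row in M], [], 0
    for c in range(len(R[0])):
        piv = next((i for i in range(r, len(R)) if R[i][c] % p), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        inv = pow(R[r][c], p - 2, p)            # Fermat inverse, p prime
        R[r] = [(x * inv) % p for x in R[r]]
        for i in range(len(R)):
            if i != r and R[i][c] % p:
                f = R[i][c]
                R[i] = [(x - f * y) % p for x, y in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
        if r == len(R):
            break
    return R, pivots

def rank(M, p):
    return len(rref(M, p)[1])

def nullspace(M, p):
    """Basis of {x : M x = 0} over F_p, one basis vector per free variable."""
    R, pivots = rref(M, p)
    basis = []
    for f in [c for c in range(len(M[0])) if c not in pivots]:
        v = [0] * len(M[0])
        v[f] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-R[i][f]) % p
        basis.append(v)
    return basis

def matmul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]

def inverse(M, p):
    """Gauss-Jordan on [M | I]; None when M is singular."""
    n = len(M)
    R, pivots = rref([row + [int(i == j) for j in range(n)] for i, row in enumerate(M)], p)
    return [row[n:] for row in R] if pivots[:n] == list(range(n)) else None

def is_irreducible(W, block_sizes, p):
    """Definition 3: W is reducible iff colspan(W) holds a nonzero vector supported on one edge block.
    Any x with W_{-i} x = 0 makes W x supported on block i, so test whether W_i x != 0 on that nullspace."""
    nw, start = len(W[0]), 0
    for nb in block_sizes:
        rows_i, rows_other = W[start:start + nb], W[:start] + W[start + nb:]
        cand = nullspace(rows_other, p) if rows_other else [[int(j == k) for j in range(nw)] for k in range(nw)]
        if any(sum(a * b for a, b in zip(row, x)) % p for x in cand for row in rows_i):
            return False
        start += nb
    return True

def path_construction(W, s, L, p, max_draws=200, seed=0):
    """Draw S = [S_1 ... S_L] uniformly from the left nullspace of W (so S W = 0) until every S_i is
    invertible (Lemma 10 with Schwartz-Zippel: a draw fails with probability at most sL/p), then set
    A_i = -S_{i+1}^{-1} S_i and assemble the block-bidiagonal F^(n). Returns (F, S, draws_used)."""
    rng = random.Random(seed)
    basis = nullspace([list(col) for col in zip(*W)], p)      # y W = 0  <=>  W^T y^T = 0
    for draw in range(1, max_draws + 1):
        S = [[sum(c * v[k] for c, v in zip(coeffs, basis)) % p for k in range(s * L)]
             for coeffs in ([rng.randrange(p) for _ in basis] for _ in range(s))]
        blocks = [[row[i * s:(i + 1) * s] for row in S] for i in range(L)]
        invs = [inverse(B, p) for B in blocks]
        if any(inv is None for inv in invs):
            continue
        F = [[0] * (s * (L - 1)) for _ in range(s * L)]
        for i in range(L - 1):                  # column block i: I at edge i, A_i at edge i+1
            A_i = matmul(invs[i + 1], blocks[i], p)
            for r in range(s):
                F[i * s + r][i * s + r] = 1
                for c in range(s):
                    F[(i + 1) * s + r][i * s + c] = (-A_i[r][c]) % p
        return F, S, draw
    return None

def perfect_omniscience(F, s, L, p):
    """[F | H_i] has full rank sL for every edge i: Y^n is recoverable from (F^(n), Y_i^n)."""
    return all(rank([row + [int(r // s == i and r % s == c) for c in range(s)]
                     for r, row in enumerate(F)], p) == s * L for i in range(L))

def perfect_alignment(F, W, p):
    """Left nullspace of F inside that of W, i.e. colspan(W) inside colspan(F), i.e. H(Z_w | F) = 0."""
    return rank([f + w for f, w in zip(F, W)], p) == rank(F, p)

def leakage_in_q_symbols(F, W, p):
    """With perfect omniscience and alignment: I(Z_V ^ F | Z_w) = H(F) - H(Z_w) = (rank F - n_w) log2 q."""
    return rank(F, p) - len(W[0])

# Constructed instance: path with L = 3 edges, s = 2 symbols per edge, p = 101 > sL, n_w = 2.
P, S_DIM, L_EDGES = 101, 2, 3
W_EXAMPLE = [[1, 2], [0, 1],    # rows of edge 1
             [1, 0], [3, 1],    # rows of edge 2
             [2, 1], [1, 1]]    # rows of edge 3

def run_example():
    F, S, draws = path_construction(W_EXAMPLE, S_DIM, L_EDGES, P)
    return {"irreducible": is_irreducible(W_EXAMPLE, [S_DIM] * L_EDGES, P),
            "omniscience": perfect_omniscience(F, S_DIM, L_EDGES, P),
            "alignment": perfect_alignment(F, W_EXAMPLE, P),
            "SF_is_zero": all(x == 0 for row in matmul(S, F, P) for x in row),
            "leakage_symbols": leakage_in_q_symbols(F, W_EXAMPLE, P),   # (sL - s) - n_w = 2
            "draws": draws}
```

In `W_EXAMPLE` removing any one edge block leaves a matrix of full column rank, which is exactly what Definition 3 requires here; the leakage of $2$ field symbols per source symbol matches $(sL - s - n_w)\log_2 q$ with $sL = 6$, $s = 2$, $n_w = 2$. `perfect_alignment` uses the equivalence stated in the definition of perfect alignment: the left nullspace of $\mathsf{F}^{(n)}$ lies inside that of $W^{(n)}$ iff the column space of $W^{(n)}$ lies inside that of $\mathsf{F}^{(n)}$, which is a single rank comparison.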
APPENDIX D
PROOF OF THEOREM 6
Similar to the unconstrained case, we first prove the result for irreducible sources and then argue that the rate region of a general source is the same as that of an irreducible source that is obtained through reduction.
Fig. 7. $C_W(R)$ curve denoting the wiretap secret key capacity at a given rate $R$ (axes $R$ and $C_W(R)$; the marked values are $C_W$ on the vertical axis and $(|E| - 1) C_W$ on the rate axis).
Theorem 8 Given an irreducible tree-PIN source $Z_V$ with a linear wiretapper $Z_w$, we have
$C_W(R) = \min\Big\{\frac{R}{|E| - 1},\ C_W\Big\}$,
where $R$ is the total discussion rate and $C_W = \min_{e \in E} H(Y_e)$, which is the unconstrained wiretap secret key capacity. ✷
PROOF Since the wiretapper side information can only reduce the secret key rate, $C_W(R) \le C_S(R)$. It follows from [30, Theorem 4.2] that $C_S(R) = \min\{\frac{R}{|E| - 1}, C_S\}$. Therefore, we have $C_W(R) \le \min\{\frac{R}{|E| - 1}, C_W\}$ because $C_S = C_W$ for an irreducible tree-PIN source with linear wiretapper, which was shown in Theorem 5.
For the achievability part, it is enough to show that the point $((|E| - 1) C_W, C_W)$ is achievable, because the rest of the curve follows from the time-sharing argument between $((|E| - 1) C_W, C_W)$ and $(0, 0)$; see Fig. 7.
Let $s := C_W = \min_{e \in E} H(Y_e) = \min_{e \in E} n_e$, which is an integer. We will construct our achievable scheme on a sub-source $Z_V'$ of the tree-PIN source $Z_V$ by ignoring some edge random variables. More precisely, $Z_V'$ is defined on the same tree $T$ with $Y_e' := (X_{e,1}, \dots, X_{e,s})$ for each edge $e \in E$, and $Z_i' = (Y_e' : i \in \xi(e))$ for $i \in V$. Note that all the edge random vectors $Y_e'$ have $s$ components. On the other hand, the wiretapper side information $Z_w$ is the same as that of the original source.
Let $X' := (X_{e,k} : e \in E, 1 \le k \le s)$ and $X'' := (X_{e,k} : e \in E, s < k \le n_e)$, which is a partition of the underlying components $X$ of the original source. This gives rise to a partition of the observations of the wiretapper into two parts: the first part contains observations involving only linear combinations of $X'$, and the second part contains linear observations with at least one component from $X''$. This means that $Z_w$, after applying some suitable invertible linear transformation, can be written as
$Z_w = [X' \;\; X''] \begin{bmatrix} A & B \\ 0 & C \end{bmatrix}$,
for some matrices $A$, $B$, and a full column-rank matrix $C$. With $Z_w' = X' A$ and $Z_w'' = X' B + X'' C$, $Z_w = [Z_w' \;\; Z_w'']$.
For a large $n$, users execute a linear secure omniscience communication scheme $F^{(n)}$ on the sub-source $Z'^n_V$ with respect to the wiretapper side information $Z^n_w$. Moreover, $F^{(n)}$ has the following properties: it achieves perfect omniscience at rate
\[
\frac{1}{n} H(F^{(n)}) = H(Z'_V) - s = H(X') - s,
\]
which is the minimum rate of omniscience $R_{CO}(Z'_V)$, and it perfectly aligns with $Z'^n_w$, i.e., $H(Z'^n_w \,|\, F^{(n)}) = 0$. The existence of such a communication scheme is guaranteed from the proof of Theorem 5. After every user recovers the source $Z'^n_V$ using $F^{(n)}$, they agree on the key $K^{(n)} := Y'^n_{e_0}$, where $e_0 \in E$ is an edge incident on a leaf node. It is clear that $K^{(n)}$ satisfies the key recoverability condition because it is a function of the recovered source $Z'^n_V$. It remains to show that $K^{(n)}$ satisfies the secrecy condition.
Since $K^{(n)}$, $Z'^n_w$ and $F^{(n)}$ are linear functions of $X'^n$, we have the Markov chain $(K^{(n)}, F^{(n)}, Z'^n_w) - X'^n - Z''^n_w$. Note that $Z''^n_w$ is independent of $X'^n$ because $C$ is a full column-rank matrix. As a consequence, $Z''^n_w$ is independent of $(K^{(n)}, F^{(n)}, Z'^n_w)$. Furthermore, $Y'^n_{e_0}$ is independent of $F^{(n)}$. This can be obtained by combining the perfect omniscience condition, which implies that $H(Z'^n_V \,|\, Y'^n_{e_0}, F^{(n)}) = 0$ for the leaf node, and the condition on the rate of the communication, which is $H(F^{(n)}) = H(Z'^n_V) - ns = H(Z'^n_V) - H(Y'^n_{e_0})$. Therefore, we have
\[
H(Y'^n_{e_0} \,|\, F^{(n)}) = H(Y'^n_{e_0}, F^{(n)}) - H(F^{(n)}) = H(Z'^n_V, Y'^n_{e_0}, F^{(n)}) - H(F^{(n)}) = H(Z'^n_V) - H(F^{(n)}) = H(Y'^n_{e_0}).
\]
The third equality is because $Y'^n_{e_0}$ and $F^{(n)}$ are linear functions of $Z'^n_V$. Finally,
\[
\begin{aligned}
H(K^{(n)} \,|\, F^{(n)}, Z^n_w) &= H(K^{(n)} \,|\, F^{(n)}, Z'^n_w, Z''^n_w) \\
&\overset{(a)}{=} H(K^{(n)} \,|\, F^{(n)}, Z'^n_w) \\
&\overset{(b)}{=} H(K^{(n)} \,|\, F^{(n)}) \\
&= H(Y'^n_{e_0} \,|\, F^{(n)}) \\
&\overset{(c)}{=} H(Y'^n_{e_0}) \\
&= H(K^{(n)}),
\end{aligned}
\]
where (a) follows from the independence of $Z''^n_w$ and $(K^{(n)}, F^{(n)}, Z'^n_w)$, (b) is due to the fact that $F^{(n)}$ aligns perfectly with $Z'^n_w$, i.e., $H(Z'^n_w \,|\, F^{(n)}) = 0$, and (c) is because $Y'^n_{e_0}$ is independent of $F^{(n)}$.
Thus we have shown that a secret key of rate $\frac{1}{n} H(K^{(n)}) = \frac{1}{n} H(Y'^n_{e_0}) = s$ is achievable with a communication of rate $\frac{1}{n} H(F^{(n)}) = H(Z'_V) - s = (|E|-1)s$. So the pair $((|E|-1)C_W, C_W) = ((|E|-1)s, s)$ is achievable, which is as desired. �
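As an added illustration, not code from the paper, the following Python snippet instantiates the scheme above on a constructed two-edge path tree-PIN source with a constructed linear wiretapper and checks, by rank computations over GF(2), the properties the proof relies on: irreducibility, perfect omniscience of the sub-source, alignment $H(Z'_w \,|\, F) = 0$, and $H(K \,|\, F, Z_w) = H(K)$. The communication $F$ is a simple pairwise-sum scheme constructed for this path, not the Theorem 5 construction, and every name below is an assumption of the example.

```python
# Added example, not from the paper: the Theorem 8 achievability scheme on a
# constructed path tree-PIN source, checked by rank computations over GF(2).
# For linear functions of uniform bits, entropies are ranks, so the chain
# H(K | F, Z_w) = rank([K; F; Z_w]) - rank([F; Z_w]) versus H(K) = rank(K)
# is exact. The tree, the n_e, the wiretapper Z_w and the communication F
# below are all constructed here (F is not the Theorem 5 scheme).

def gf2_rank(rows):
    """Rank over GF(2) of a list of 0/1 row vectors (Gaussian elimination)."""
    rows = [list(r) for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def cond_entropy(a_rows, b_rows):
    """H(A | B) in bits for linear A, B of uniform bits: rank([A; B]) - rank(B)."""
    return gf2_rank(a_rows + b_rows) - gf2_rank(b_rows)

def unit(i, n=5):
    row = [0] * n
    row[i] = 1
    return row

# Constructed source: path 1 - 2 - 3; edge e1 = {1, 2} carries 2 bits, edge
# e2 = {2, 3} carries 3 bits. X = (X_{1,1}, X_{1,2}, X_{2,1}, X_{2,2}, X_{2,3}).
Y = {"e1": [unit(0), unit(1)], "e2": [unit(2), unit(3), unit(4)]}
S = min(len(rows) for rows in Y.values())            # s = C_W = min_e n_e = 2
XPP_COLS = [4]                                        # X'' = components with k > s
Y_SUB = {e: rows[:S] for e, rows in Y.items()}        # Y'_e = first s components
Z_SUB_V = Y_SUB["e1"] + Y_SUB["e2"]                   # Z'_V
Z_SUB = {1: Y_SUB["e1"], 2: Z_SUB_V, 3: Y_SUB["e2"]}  # Z'_i for each node
# Constructed linear wiretapper: X_{1,1}+X_{2,1} (X' only) and X_{1,2}+X_{2,3}.
Z_W = [[1, 0, 1, 0, 0], [0, 1, 0, 0, 1]]
# Communication: node 2 broadcasts X_{1,k} + X_{2,k} for k <= s: (|E|-1)s = 2 bits.
F = [[1, 0, 1, 0, 0], [0, 1, 0, 1, 0]]
K = Y_SUB["e1"]                                       # key Y'_{e0}; e1 meets leaf 1

def is_irreducible():
    """mcf(Y_e, Z_w) is constant iff the row spaces of Y_e and Z_w meet trivially."""
    return all(gf2_rank(r) + gf2_rank(Z_W) == gf2_rank(r + Z_W) for r in Y.values())

def omniscience_holds():
    """Every node recovers Z'_V from its own Z'_i together with F."""
    return all(cond_entropy(Z_SUB_V, zi + F) == 0 for zi in Z_SUB.values())

def alignment_holds():
    """H(Z'_w | F) = 0 for the wiretapper rows that involve only X'."""
    z_w_prime = [r for r in Z_W if all(r[c] == 0 for c in XPP_COLS)]
    return cond_entropy(z_w_prime, F) == 0

def key_entropies():
    """(H(K), H(K | F, Z_w)); secrecy means the two are equal."""
    return gf2_rank(K), cond_entropy(K, F + Z_W)

def rates():
    """(key rate, communication rate) = (s, (|E|-1)s) for this one-shot scheme."""
    return gf2_rank(K), len(F)
```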
To extend this result to the general tree-PIN case, we will prove the following lemma, which allows us to carry out a reduction to an irreducible source without changing $C_W(R)$. This lemma along with the above theorem on irreducible sources proves Theorem 6.
Lemma 11 If a tree-PIN source with linear wiretapper $(Z_V, Z_w)$ is not irreducible, then there exists an irreducible source $(\tilde Z_V, \tilde Z_w)$ such that
\[
C_W(Z_V \| Z_w)(R) = C_W(\tilde Z_V \| \tilde Z_w)(R), \qquad H(Y_e \,|\, \mathrm{mcf}(Y_e, Z_w)) = H(\tilde Y_e),
\]
for all $e \in E$. ✷
PROOF Since $(Z_V, Z_w)$ is not irreducible, there exists an edge $e \in E$ such that $G_e := \mathrm{mcf}(Y_e, Z_w)$ is a non-constant function. Similar to the proof of Lemma 11, we linearly transform $Y_e$ and $Z_w$ to $(G_e, \tilde Y_e)$ and $(G_e, \tilde Z_w)$, respectively, where $H(\tilde Y_e) = H(Y_e \,|\, \mathrm{mcf}(Y_e, Z_w))$. Let us consider a new tree-PIN source $\tilde Z_V$, which is the same as $Z_V$ except that $\tilde Y_e$ and $\tilde n_e$ are associated to the edge $e$, and the wiretapper side information is $\tilde Z_w$. Note that $(\tilde Z_V, \tilde Z_w)$ is also a tree-PIN source with linear wiretapper, and $G_e$ is independent of $(\tilde Z_V, \tilde Z_w)$. Since any valid scheme on the reduced model $(\tilde Z_V, \tilde Z_w)$ can be used as a valid scheme on the original model $(Z_V, Z_w)$, we have $C_W(Z_V \| Z_w)(R) \ge C_W(\tilde Z_V \| \tilde Z_w)(R)$.
To prove the reverse inequality, $C_W(Z_V \| Z_w)(R) \le C_W(\tilde Z_V \| \tilde Z_w)(R)$, let $(F^{(n)}, K^{(n)})$ be an SKA scheme achieving $C_W(Z_V \| Z_w)(R) =: C_W(R)$. It means that for $\epsilon_n \to 0$,
\[
\left| \frac{1}{n} H(F^{(n)}) - R \right| < \epsilon_n, \qquad
\left| \frac{1}{n} H(K^{(n)}) - C_W(R) \right| < \epsilon_n, \qquad
I(K^{(n)} \wedge Z^n_w, F^{(n)}) < \epsilon_n, \qquad
\Pr\big[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \big] < \epsilon_n.
\]
Note that the condition $I(K^{(n)} \wedge Z^n_w, G^n_e, F^{(n)}) = I(K^{(n)} \wedge Z^n_w, F^{(n)}) < \epsilon_n$ implies that $I(K^{(n)} \wedge Z^n_w, F^{(n)} \,|\, G^n_e) < \epsilon_n$ and $I(K^{(n)} \wedge G^n_e) < \epsilon_n$, which in turn imply that $H(K^{(n)}) - H(K^{(n)} \,|\, G^n_e) < \epsilon_n$ and
\[
\left| \frac{1}{n} H(K^{(n)} \,|\, G^n_e) - C_W(R) \right| < 2\epsilon_n.
\]
The last inequality follows from the triangle inequality. Since $\frac{1}{n} H(F^{(n)} \,|\, G^n_e) \le \frac{1}{n} H(F^{(n)})$ and $\frac{1}{n} H(F^{(n)}) \to R$, we have $\limsup \frac{1}{n} H(F^{(n)} \,|\, G^n_e) \le R$. We just restrict to the subsequence whose limit achieves the $\limsup$ and, with an abuse of notation, we still index this sequence with $n$. Let $\lim \frac{1}{n} H(F^{(n)} \,|\, G^n_e) := R - \gamma$ for some $\gamma \ge 0$.
Now we will find a best realization of $G^n_e$ for which the SKA scheme $(F^{(n)}, K^{(n)})$ has the desired properties. From all the above conditions, we have
\[
\left| \frac{1}{n} H(F^{(n)} \,|\, G^n_e) - (R - \gamma) \right|
+ \left| \frac{1}{n} H(K^{(n)} \,|\, G^n_e) - C_W(R) \right|
+ I(K^{(n)} \wedge Z^n_w, F^{(n)} \,|\, G^n_e)
+ \Pr\big[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \big] < 5\epsilon_n.
\]
We can rewrite it as
\[
\sum_{g^n_e} \Pr(G^n_e = g^n_e) \Big\{
\left| \frac{1}{n} H(F^{(n)} \,|\, G^n_e = g^n_e) - (R - \gamma) \right|
+ \left| \frac{1}{n} H(K^{(n)} \,|\, G^n_e = g^n_e) - C_W(R) \right|
+ I(K^{(n)} \wedge Z^n_w, F^{(n)} \,|\, G^n_e = g^n_e)
+ \Pr\big[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \,\big|\, G^n_e = g^n_e \big]
\Big\} < 5\epsilon_n.
\]
Since the average is less than $5\epsilon_n$, there exists a realization $G^n_e = g^n_e$ such that
\[
\left| \frac{1}{n} H(F^{(n)} \,|\, G^n_e = g^n_e) - (R - \gamma) \right|
+ \left| \frac{1}{n} H(K^{(n)} \,|\, G^n_e = g^n_e) - C_W(R) \right|
+ I(K^{(n)} \wedge Z^n_w, F^{(n)} \,|\, G^n_e = g^n_e)
+ \Pr\big[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \,\big|\, G^n_e = g^n_e \big] < 5\epsilon_n. \tag{48}
\]
Therefore, each term in (48) is less than $5\epsilon_n$. Now we can use the scheme $(F^{(n)}, K^{(n)})$ corresponding to a fixed $G^n_e = g^n_e$ on the reduced model $(\tilde Z_V, \tilde Z_w)$. From (48), we can say that it is a valid SKA scheme on $(\tilde Z_V, \tilde Z_w)$ with a key rate of $C_W(R)$ and a communication rate of $(R - \gamma)$. Thus,
\[
C_W(Z_V \| Z_w)(R) = C_W(R) \le C_W(\tilde Z_V \| \tilde Z_w)(R - \gamma) \le C_W(\tilde Z_V \| \tilde Z_w)(R),
\]
where the first inequality is due to the fact that capacity is the maximum of all the achievable rates at a communication rate of $(R - \gamma)$, and the last inequality follows from the monotonicity of the $C_W(R)$ curve. This shows that $C_W(Z_V \| Z_w)(R) = C_W(\tilde Z_V \| \tilde Z_w)(R)$. Therefore, we can repeat this process until the source becomes irreducible without affecting $C_W(Z_V \| Z_w)(R)$. �
The result of Theorem 6 follows by putting the above lemma
and theorem together.
APPENDIX E
PROOF OF THEOREM 7
Some of the steps in the proof are analogous to the proof for the two-user case, [11, Theorem 4]. The new component of the theorem is the identification of a connection between the positivity of $C_W$ and the non-maximality of $R_L$ of a transformed source. Since most of the essential ideas of the two-user setting work even in the multiuser case, we only give proof sketches for these analogous steps. However, the new arguments are described in detail.
The statement 3) implies 4) is trivial. So it is enough to show that 1) implies 2), 2) implies 3), and 4) implies 1).
1) implies 2): We prove this by following an approach that is similar to that of the two-user case. First, using the sets given in 1), we construct a new source $(\tilde Z_V, \tilde Z_w)$ by applying some functions to the user random variables of the source $(Z^r_V, Z^r_w)$. Then, we show that $C_W(\tilde Z_V \| \tilde Z_w) > 0$, which in turn implies that $C_W(Z_V \| Z_w) > 0$ because any SKA scheme on the source $(\tilde Z_V, \tilde Z_w)$ is an SKA scheme on $(Z_V, Z_w)$. To prove $C_W(\tilde Z_V \| \tilde Z_w) > 0$ using condition 1), we use the lower bound of Theorem 1 and Lemma 5 for the new source.
Let $(\tilde Z_1, \ldots, \tilde Z_m, \tilde Z_w)$ be a function of $(Z^r_1, \ldots, Z^r_m, Z^r_w)$ obtained by setting $\tilde Z_i = 1$ if $Z^r_i \in \mathcal A_{i1}$, $\tilde Z_i = 2$ if $Z^r_i \in \mathcal A_{i2}$ and $\tilde Z_i = 3$ if $Z^r_i \notin \mathcal A_{i1} \cup \mathcal A_{i2}$ for $1 \le i \le m$, and $\tilde Z_w = Z^r_w$.
Let $p_{j_1 \ldots j_m} := \Pr(\tilde Z_1 = j_1, \ldots, \tilde Z_m = j_m) = \Pr(Z^r_1 \in \mathcal A_{1 j_1}, \ldots, Z^r_m \in \mathcal A_{m j_m})$ for all $(j_1, \ldots, j_m) \in \{1, 2\}^m$. The condition in 1) is equivalent to the condition
\[
D_{\frac12}\big( P_{\tilde Z_w}(\cdot \,|\, \tilde Z_1 = 1, \ldots, \tilde Z_m = 1) \,\big\|\, P_{\tilde Z_w}(\cdot \,|\, \tilde Z_1 = 2, \ldots, \tilde Z_m = 2) \big)
< \log \frac{p_{1,1,\ldots,1}\, p_{2,2,\ldots,2}}{\frac12 \sum_{(j_1,\ldots,j_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p_{j_1,\ldots,j_m}\, p_{3-j_1,\ldots,3-j_m}}.
\]
We will show that the above condition implies
\[
H(\tilde Z^n_V \,|\, \tilde Z^n_w, \tilde Z^n_V \in \mathcal A_1 \times \cdots \times \mathcal A_m) > R_{CO}(\tilde Z^n_V \,|\, \tilde Z^n_V \in \mathcal A_1 \times \cdots \times \mathcal A_m) \tag{49}
\]
for some integer $n$ and a non-empty set $\mathcal A_1 \times \cdots \times \mathcal A_m$, where $\mathcal A_i \subset \{1, 2\}^n$ for all $i \in V$. Because of the following argument, inequality (49) implies that $C_W(\tilde Z_V \| \tilde Z_w) > 0$, which further implies that $C_W(Z_V \| Z_w) > 0$. Suppose that there is an integer $n$ and a non-empty set $\mathcal A_1 \times \cdots \times \mathcal A_m \subset \{1, 2\}^n \times \cdots \times \{1, 2\}^n$ such that (49) holds. Let $(\hat Z^n_V, \hat Z^n_w)$ be the source as defined in (18) using the source $(\tilde Z^n_V, \tilde Z^n_w)$ and the set $\mathcal A_1 \times \cdots \times \mathcal A_m$. Condition (49) can be written as $H(\hat Z^n_V \,|\, \hat Z^n_w) > R_{CO}(\hat Z^n_V)$. For the new source, it follows from (7) that
\[
R_L(\hat Z^n_V \| \hat Z^n_w) \le R_{CO}(\hat Z^n_V).
\]
Therefore, we have $H(\hat Z^n_V \,|\, \hat Z^n_w) - R_L(\hat Z^n_V \| \hat Z^n_w) \ge H(\hat Z^n_V \,|\, \hat Z^n_w) - R_{CO}(\hat Z^n_V) > 0$. By combining this with Lemma 5, we get $H(\tilde Z^n_V \,|\, \tilde Z^n_w) - R_L(\tilde Z^n_V \| \tilde Z^n_w) \ge \Pr(\mathcal E)\big[ H(\hat Z^n_V \,|\, \hat Z^n_w) - R_L(\hat Z^n_V \| \hat Z^n_w) \big] > 0$. So we conclude that $H(\tilde Z_V \,|\, \tilde Z_w) - R_L(\tilde Z_V \| \tilde Z_w) = \frac{1}{n}\big[ H(\tilde Z^n_V \,|\, \tilde Z^n_w) - R_L(\tilde Z^n_V \| \tilde Z^n_w) \big] > 0$. Hence, it follows from the lower bound of Theorem 1 that if $R_L(\tilde Z_V \| \tilde Z_w) < H(\tilde Z_V \,|\, \tilde Z_w)$ then $C_W(\tilde Z_V \| \tilde Z_w) > 0$. Since the source $(\tilde Z_V, \tilde Z_w)$ is obtained by processing (deterministically) each user's observations of the source $(Z^r_V, Z^r_w)$, any positive rate secret key on $(\tilde Z_V, \tilde Z_w)$ is also a positive rate secret key on $(Z^r_V, Z^r_w)$. Thus $C_W(\tilde Z_V \| \tilde Z_w) > 0$ implies that $C_W(Z_V \| Z_w) = \frac{1}{r} C_W(Z^r_V \| Z^r_w) > 0$.
Now we will show that condition 1) implies (49). Consider the following repetition coding with block swapping: for an even integer $n$, let
\[
\mathbf 1 := \underbrace{1 \ldots 1}_{n/2}\, \underbrace{2 \ldots 2}_{n/2}, \qquad
\mathbf 2 := \underbrace{2 \ldots 2}_{n/2}\, \underbrace{1 \ldots 1}_{n/2},
\]
and $\mathcal A_i := \{\mathbf 1, \mathbf 2\}$ for $1 \le i \le m$. Let us define $\mathcal A_V := \mathcal A_1 \times \cdots \times \mathcal A_m$. It is enough to show that for large enough $n$,
\[
H(\tilde Z^n_V \,|\, \tilde Z^n_w, \tilde Z^n_V \in \mathcal A_V) > R_{CO}(\tilde Z^n_V \,|\, \tilde Z^n_V \in \mathcal A_V). \tag{50}
\]
Let $\mathcal B := 2^V \setminus \{\emptyset, V\}$, and let $\lambda^{(n)}$ be a fractional partition of $\mathcal B$, i.e., $\lambda^{(n)} : \mathcal B \to \mathbb R_+$ is such that $\sum_{B \in \mathcal B : i \in B} \lambda^{(n)}(B) = 1$ for every $i \in V$; and let $\Lambda^{(n)}$ be the set of all fractional partitions. The minimum rate of communication for omniscience [4, Sec. V] is given by
\[
R_{CO}(\tilde Z^n_V \,|\, \tilde Z^n_V \in \mathcal A_V) = \max_{\lambda^{(n)} \in \Lambda^{(n)}} \sum_{B \in \mathcal B} \lambda^{(n)}_B\, H(\tilde Z^n_B \,|\, \tilde Z^n_{B^c}, \tilde Z^n_V \in \mathcal A_V).
\]
Though the optimal fractional partition seems to depend on $n$, because of the repetitive structure of the coding this dependence disappears. We can upper bound $R_{CO}$ as
\[
\begin{aligned}
R_{CO}(\tilde Z^n_V \,|\, \tilde Z^n_V \in \mathcal A_V)
&= \max_{\lambda^{(n)} \in \Lambda^{(n)}} \sum_{B \in \mathcal B} \lambda^{(n)}_B\, H(\tilde Z^n_B \,|\, \tilde Z^n_{B^c}, \tilde Z^n_V \in \mathcal A_V) \\
&= \sum_{B \in \mathcal B} \lambda^{*(n)}_B\, H(\tilde Z^n_B \,|\, \tilde Z^n_{B^c}, \tilde Z^n_V \in \mathcal A_V) \\
&\le \sum_{B \in \mathcal B} H(\tilde Z^n_B \,|\, \tilde Z^n_{B^c}, \tilde Z^n_V \in \mathcal A_V) \\
&\le (2^m - 2) \max_{i \in V} H(\tilde Z^n_{V \setminus i} \,|\, \tilde Z^n_i, \tilde Z^n_V \in \mathcal A_V),
\end{aligned} \tag{51}
\]
where we used in the first inequality that the optimal fractional partition $\lambda^{*(n)}_B$ is bounded above by $1$ for all $B \in \mathcal B$, and in the last inequality that $H(\tilde Z^n_B \,|\, \tilde Z^n_{B^c}, \tilde Z^n_V \in \mathcal A_V) \le \max_{i \in V} H(\tilde Z^n_{V \setminus i} \,|\, \tilde Z^n_i, \tilde Z^n_V \in \mathcal A_V)$ for all $B \in \mathcal B$.
Let us further upper bound $(2^m - 2) \max_{i \in V} H(\tilde Z^n_{V \setminus i} \,|\, \tilde Z^n_i, \tilde Z^n_V \in \mathcal A_V)$ as follows. Consider the term $H(\tilde Z^n_{V \setminus i_0} \,|\, \tilde Z^n_{i_0}, \tilde Z^n_V \in \mathcal A_V)$ for some $i_0 \in V$. We know that
\[
\Pr[\tilde Z^n_1 = \mathbf k_1, \ldots, \tilde Z^n_m = \mathbf k_m] = p^{n/2}_{k_1 \ldots k_m}\, p^{n/2}_{3-k_1 \ldots 3-k_m}
\]
for all $(\mathbf k_1, \ldots, \mathbf k_m) \in \{\mathbf 1, \mathbf 2\}^m$, where for $i \in V$, $k_i$ denotes the first symbol in the sequence $\mathbf k_i$. Therefore, we get
\[
\Pr[\tilde Z^n_1 = \mathbf k_1, \ldots, \tilde Z^n_m = \mathbf k_m \,|\, \tilde Z^n_V \in \mathcal A_V]
= \frac{p^{n/2}_{k_1 \ldots k_m}\, p^{n/2}_{3-k_1 \ldots 3-k_m}}{\sum_{(j_1,\ldots,j_m) \in \{1,2\}^m} p^{n/2}_{j_1 \ldots j_m}\, p^{n/2}_{3-j_1 \ldots 3-j_m}}.
\]
For $i_0 \in V$ and $(\mathbf k_1, \ldots, \mathbf k_m) \in \{\mathbf 1, \mathbf 2\}^m$, we have
\[
\Pr[\tilde Z^n_{V \setminus i_0} = \mathbf k_{V \setminus i_0} \,|\, \tilde Z^n_{i_0} = \mathbf k_{i_0}, \tilde Z^n_V \in \mathcal A_V]
= \frac{p^{n/2}_{k_1 \ldots k_{i_0} \ldots k_m}\, p^{n/2}_{3-k_1 \ldots 3-k_{i_0} \ldots 3-k_m}}{\frac12 \sum_{(j_1,\ldots,j_m) \in \{1,2\}^m} p^{n/2}_{j_1 \ldots j_m}\, p^{n/2}_{3-j_1 \ldots 3-j_m}},
\]
where the equality follows from the symmetry in the probabilities of the sequences $(j_1, \ldots, k_{i_0}, \ldots, j_m)$ and $(3-j_1, \ldots, 3-k_{i_0}, \ldots, 3-j_m)$. To compute the entropies, we make use of the grouping property of the entropy: for a probability vector $(q_1, q_2, \ldots, q_s)$,
\[
H(q_1, q_2, \ldots, q_s) = H(q_1, q_2 + \cdots + q_s) + (q_2 + \cdots + q_s)\, H\!\left( \frac{q_2}{q_2 + \cdots + q_s}, \ldots, \frac{q_s}{q_2 + \cdots + q_s} \right).
\]
If $q_1 \in [0.5, 1]$, then $h(q_1) \le -2(1 - q_1) \log_2(1 - q_1)$, which implies $H(q_1, q_2, \ldots, q_s) \le h(q_1) + (1 - q_1) \log_2(s - 1) \le (1 - q_1) \log_2(s - 1) - 2(1 - q_1) \log_2(1 - q_1)$. Note that because the Rényi divergence is non-negative, the inequality in 1) implies that
\[
p_{1 \ldots 1}\, p_{2 \ldots 2} > \frac12 \sum_{(j_1,\ldots,j_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p_{j_1,\ldots,j_m}\, p_{3-j_1,\ldots,3-j_m}.
\]
So, by setting
\[
q^{(n)}_1 := \frac{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2}}{\frac12 \sum_{(j_1,\ldots,j_m) \in \{1,2\}^m} p^{n/2}_{j_1 \ldots j_m}\, p^{n/2}_{3-j_1 \ldots 3-j_m}}
= \frac{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2}}{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2} + \frac12 \sum_{(j_1,\ldots,j_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p^{n/2}_{j_1 \ldots j_m}\, p^{n/2}_{3-j_1 \ldots 3-j_m}},
\]
which is greater than $1/2$, we have for any $i_0 \in V$,
\[
H(\tilde Z^n_{V \setminus i_0} \,|\, \tilde Z^n_{i_0}, \tilde Z^n_V \in \mathcal A_V) \le (1 - q^{(n)}_1)\big( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \big), \tag{52}
\]
where we replaced $s$ by $2^{m-1}$. Notice that the bound is independent of $i_0$. Therefore, from (51) and (52), we have
\[
R_{CO}(\tilde Z^n_V \,|\, \tilde Z^n_V \in \mathcal A_V) \le (2^m - 2)\big[ (1 - q^{(n)}_1)\big( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \big) \big].
\]
Because of the above inequality, it is enough to prove that condition 1) implies
\[
H(\tilde Z^n_V \,|\, \tilde Z^n_w, \tilde Z^n_V \in \mathcal A_V) > (2^m - 2)\big[ (1 - q^{(n)}_1)\big( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \big) \big]. \tag{53}
\]
Now let us argue that condition 1) implies (53). Since
\[
q^{(n)}_1 = \frac{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2}}{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2} + \frac12 \sum_{(k_1,\ldots,k_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p^{n/2}_{k_1 \ldots k_m}\, p^{n/2}_{3-k_1 \ldots 3-k_m}}
\ge \frac{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2}}{p^{n/2}_{1 \ldots 1}\, p^{n/2}_{2 \ldots 2} + \frac12 \Big( \sum_{(k_1,\ldots,k_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p_{k_1 \ldots k_m}\, p_{3-k_1 \ldots 3-k_m} \Big)^{n/2}},
\]
we have
\[
\lim_{n \to \infty} (1 - q^{(n)}_1)^{1/n} \le \sqrt{ \frac{\frac12 \sum_{(k_1,\ldots,k_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p_{k_1 \ldots k_m}\, p_{3-k_1 \ldots 3-k_m}}{p_{1 \ldots 1}\, p_{2 \ldots 2}} }
\]
and
\[
\lim_{n \to \infty} (2^m - 2)^{1/n} \big[ (1 - q^{(n)}_1)\big( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \big) \big]^{1/n}
\le \sqrt{ \frac{\frac12 \sum_{(k_1,\ldots,k_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p_{k_1 \ldots k_m}\, p_{3-k_1 \ldots 3-k_m}}{p_{1 \ldots 1}\, p_{2 \ldots 2}} }. \tag{54}
\]
For the asymptotics of the conditional entropy term, we can use the same idea of hypothesis testing at the wiretapper side with $u_1 = (1, \ldots, 1)$ and $u_2 = (2, \ldots, 2)$ used in [11, Lemma 2] to get
\[
\liminf_{n \to \infty} H(\tilde Z^n_V \,|\, \tilde Z^n_w, \tilde Z^n_V \in \mathcal A_V)^{1/n}
\ge \exp\Big( -\tfrac12 D_{\frac12}\big( P_{\tilde Z_w}(\cdot \,|\, \tilde Z_1 = 1, \ldots, \tilde Z_m = 1) \,\big\|\, P_{\tilde Z_w}(\cdot \,|\, \tilde Z_1 = 2, \ldots, \tilde Z_m = 2) \big) \Big). \tag{55}
\]
Since
\[
D_{\frac12}\big( P_{\tilde Z_w}(\cdot \,|\, \tilde Z_1 = 1, \ldots, \tilde Z_m = 1) \,\big\|\, P_{\tilde Z_w}(\cdot \,|\, \tilde Z_1 = 2, \ldots, \tilde Z_m = 2) \big)
< \log \frac{p_{1,1,\ldots,1}\, p_{2,2,\ldots,2}}{\frac12 \sum_{(i_1,\ldots,i_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} p_{i_1,\ldots,i_m}\, p_{3-i_1,\ldots,3-i_m}},
\]
we can conclude from (54) and (55) that for large enough $n$, (53) holds. This completes the proof of 1) implies 2).
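The following Python snippet is an added example, not from the paper, that evaluates condition 1) in the form used above for a constructed joint pmf of $(\tilde Z_1, \ldots, \tilde Z_m, \tilde Z_w)$ and compares the two exponents from (54) and (55). The function names and the sample pmfs are assumptions of the example; natural logarithms are used on both sides, which does not affect the inequality.

```python
import math
from collections import defaultdict
from itertools import product

# Added example (not from the paper): a numerical check of condition 1) as
#   D_{1/2}(P_{Zw}(.|Z_V = 1..1) || P_{Zw}(.|Z_V = 2..2))
#     < ln( p_{1..1} p_{2..2} / ((1/2) sum_{j not in {1..1, 2..2}} p_j p_{3-j}) ),
# plus the exponents compared in (54) and (55). The joint pmf of
# (Z_1, ..., Z_m, Z_w), with Z_i in {1, 2, 3}, is constructed below.

def renyi_half(p, q):
    """D_{1/2}(p || q) = -2 ln sum_x sqrt(p(x) q(x)); +inf for disjoint supports."""
    s = sum(math.sqrt(p.get(x, 0.0) * q.get(x, 0.0)) for x in set(p) | set(q))
    return math.inf if s == 0.0 else -2.0 * math.log(s)

def user_marginal(joint):
    """p_{j_1 ... j_m} = Pr(Z_1 = j_1, ..., Z_m = j_m)."""
    pz = defaultdict(float)
    for (*zs, _zw), pr in joint.items():
        pz[tuple(zs)] += pr
    return pz

def wiretapper_given(joint, zv):
    """P_{Zw}(. | Z_V = zv)."""
    cond = defaultdict(float)
    for (*zs, zw), pr in joint.items():
        if tuple(zs) == zv:
            cond[zw] += pr
    total = sum(cond.values())
    return {x: v / total for x, v in cond.items()}

def positivity_condition(joint, m):
    """Return (D_{1/2}, threshold, whether condition 1) holds)."""
    ones, twos = (1,) * m, (2,) * m
    pz = user_marginal(joint)
    d = renyi_half(wiretapper_given(joint, ones), wiretapper_given(joint, twos))
    num = pz[ones] * pz[twos]
    den = 0.5 * sum(pz[j] * pz[tuple(3 - x for x in j)]
                    for j in product((1, 2), repeat=m) if j not in (ones, twos))
    if num == 0.0:                      # the right-hand side is -inf: cannot hold
        return d, -math.inf, False
    threshold = math.inf if den == 0.0 else math.log(num / den)
    return d, threshold, d < threshold

def exponents(joint, m):
    """(exp(-D/2) from (55), sqrt(den/num) from (54)); 1) holds iff the first is larger."""
    d, threshold, _ = positivity_condition(joint, m)
    return math.exp(-d / 2.0), math.exp(-threshold / 2.0)

def make_joint(pz, w_given):
    """Constructed joint pmf from a user marginal and conditional wiretapper pmfs."""
    return {(*zv, w): p * pw for zv, p in pz.items() for w, pw in w_given[zv].items()}

# Constructed two-user example: strongly correlated users, and two wiretappers.
PZ = {(1, 1): 0.4, (2, 2): 0.4, (1, 2): 0.1, (2, 1): 0.1}
NOISY = {(1, 1): {"a": 0.9, "b": 0.1}, (2, 2): {"a": 0.1, "b": 0.9},
         (1, 2): {"a": 0.5, "b": 0.5}, (2, 1): {"a": 0.5, "b": 0.5}}
SHARP = {**NOISY, (1, 1): {"a": 0.99, "b": 0.01}, (2, 2): {"a": 0.01, "b": 0.99}}
JOINT_NOISY = make_joint(PZ, NOISY)   # D ~ 1.022 < ln 16 ~ 2.773: condition holds
JOINT_SHARP = make_joint(PZ, SHARP)   # D ~ 3.229 > ln 16: condition fails
```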
2) implies 3): Since the proof follows the same argument as in the two-user case, we omit most of the details and give only those steps that involve different constants. Following are the multivariate analogues of [11, eq. (118) and eq. (124)]:
\[
I(K_1, \ldots, K_m \wedge Z^n_w, F^{(n)}) \le (m + 1)\delta + h(\delta)
\]
and
\[
\big\| P_{K_1,\ldots,K_m,F^{(n)},Z^n_w} - P_{K_1,\ldots,K_m} \cdot P_{F^{(n)},Z^n_w} \big\|_{TV} \le \sqrt{ \frac{(m + 1)\delta + h(\delta)}{2} }.
\]
Using the above inequalities, we get
\[
\Big\| P_{K_1,\ldots,K_m,F^{(n)},Z^n_w} - \tfrac12 \mathbb 1_{K_1 = \cdots = K_m} \cdot P_{F^{(n)},Z^n_w} \Big\|_{TV} \le \sqrt{ \frac{(m + 1)\delta + h(\delta)}{2} } + 2\delta.
\]
As $\delta$ can be made arbitrarily close to $0$, the condition 3) follows.
4) implies 1): To prove this, we need the multivariate analogue of [11, Lemma 3]. It says that for some sets $\mathcal A_{11}, \mathcal A_{12} \subset \mathcal Z^r_1$, $\mathcal A_{21}, \mathcal A_{22} \subset \mathcal Z^r_2$, $\ldots$, $\mathcal A_{m1}, \mathcal A_{m2} \subset \mathcal Z^r_m$,
\[
\tfrac12 D_{\frac12}\big( P_{Z^r_w}(\cdot \,|\, E_{1,1,\ldots,1}) \,\big\|\, P_{Z^r_w}(\cdot \,|\, E_{2,2,\ldots,2}) \big) \le -\log(1 - 4\delta),
\]
\[
\tfrac12 \log \frac{\Pr(E_{1,\ldots,1}) \Pr(E_{2,\ldots,2})}{\frac12 \sum_{(j_1,\ldots,j_m) \notin \{(1,\ldots,1),(2,\ldots,2)\}} \Pr(E_{j_1,\ldots,j_m}) \Pr(E_{3-j_1,\ldots,3-j_m})}
> \log\left( \frac{\frac12 - 2\delta}{2\delta \sqrt{2^{m-1} - 1}} \right),
\]
where $E_{j_1,\ldots,j_m}$ denotes the event $Z^r_1 \in \mathcal A_{1 j_1}, \ldots, Z^r_m \in \mathcal A_{m j_m}$ for $(j_1, \ldots, j_m) \in \{1, 2\}^m$, and $\delta := \big\| P_{K_1,\ldots,K_m,F^{(r)},Z^r_w} - \tfrac12 \mathbb 1_{K_1 = \cdots = K_m} \cdot P_{F^{(r)},Z^r_w} \big\|_{TV}$. The proof is similar to the two-user case with the following sets $\mathcal A_{ij} = \{ z^r_i : K_i(z^r_i, f) = j \}$ for all $1 \le i \le m$ and $j \in \{1, 2\}$, where $F^{(r)} = f$ is a realization of the public discussion such that $\delta > \big\| P_{K_1,\ldots,K_m,Z^r_w \,|\, F^{(r)} = f} - \tfrac12 \mathbb 1_{K_1 = \cdots = K_m} \cdot P_{Z^r_w \,|\, F^{(r)} = f} \big\|_{TV}$. Since the condition in 4) implies that any $\delta \le \delta_1$ satisfies
\[
-\log(1 - 4\delta) < \log\left( \frac{\frac12 - 2\delta}{2\delta \sqrt{2^{m-1} - 1}} \right),
\]
the condition 1) follows.
REFERENCES
[1] U. M. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, May 1993.
[2] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography—Part I: Secret sharing," IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, Jul. 1993.
[3] R. Renner and S. Wolf, "New bounds in secret-key agreement: The gap between formation and secrecy extraction," in Proc. EUROCRYPT (Lecture Notes in Computer Science), vol. 2656. Springer-Verlag, 2003, pp. 562–577.
[4] I. Csiszár and P. Narayan, "Secrecy capacities for multiple terminals," IEEE Trans. Inf. Theory, vol. 50, no. 12, pp. 3047–3061, Dec. 2004.
[5] A. A. Gohari and V. Anantharam, "Information-theoretic key agreement of multiple terminals—Part I," IEEE Trans. Inf. Theory, vol. 56, no. 8, pp. 3973–3996, Aug. 2010.
[6] C. Chan, "Linear perfect secret key agreement," in Proc. IEEE Inf. Theory Workshop (ITW), Paraty, Brazil, Oct. 2011, pp. 723–726.
[7] C. Chan, "Delay of linear perfect secret key agreement," in Proc. 49th Annu. Allerton Conf. Commun. Contr. Comput., Monticello, IL, USA, Sep. 2011, pp. 1128–1135.
[8] C. Chan, N. Kashyap, P. K. Vippathalla, and Q. Zhou, "One-shot perfect secret key agreement for finite linear sources," in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Paris, France, Jul. 2019, pp. 947–951.
[9] S. Nitinawarat, C. Ye, A. Barg, P. Narayan, and A. Reznik, "Secret key generation for a pairwise independent network model," IEEE Trans. Inf. Theory, vol. 56, no. 12, pp. 6482–6489, Dec. 2010.
[10] S. Nitinawarat and P. Narayan, "Perfect omniscience, perfect secrecy, and Steiner tree packing," IEEE Trans. Inf. Theory, vol. 56, no. 12, pp. 6490–6500, Dec. 2010.
[11] A. Gohari, O. Günlü, and G. Kramer, "Coding for positive rate in the source model key agreement problem," IEEE Trans. Inf. Theory, vol. 66, no. 10, pp. 6303–6323, Oct. 2020.
[12] V. Prabhakaran and K. Ramchandran, "On secure distributed source coding," in Proc. IEEE Inf. Theory Workshop (ITW), Tahoe City, CA, USA, Sep. 2007, pp. 442–447.
[13] D. Gündüz, E. Erkip, and H. V. Poor, "Lossless compression with security constraints," in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Toronto, ON, Canada, Jul. 2008, pp. 111–115.
[14] J. Villard and P. Piantanida, "Secure multiterminal source coding with side information at the eavesdropper," IEEE Trans. Inf. Theory, vol. 59, no. 6, pp. 3668–3692, Jun. 2013.
[15] W. Tu and L. Lai, "On function computation with privacy and secrecy constraints," IEEE Trans. Inf. Theory, vol. 65, no. 10, pp. 6716–6733, Oct. 2019.
[16] T. Han and K. Kobayashi, "A dichotomy of functions F(X, Y) of correlated sources (X, Y) from the viewpoint of the achievable rate region," IEEE Trans. Inf. Theory, vol. 33, no. 1, pp. 69–76, Jan. 1987.
[17] A. Orlitsky and J. R. Roche, "Coding for computing," IEEE Trans. Inf. Theory, vol. 47, no. 3, pp. 903–917, Mar. 2001.
[18] N. Ma and P. Ishwar, "Some results on distributed source coding for interactive function computation," IEEE Trans. Inf. Theory, vol. 57, no. 9, pp. 6180–6195, Sep. 2011.
[19] H. Tyagi, P. Narayan, and P. Gupta, "When is a function securely computable?" IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6337–6350, Oct. 2011.
[20] M. H. Yassaee, A. Gohari, and M. R. Aref, "Channel simulation via interactive communications," IEEE Trans. Inf. Theory, vol. 61, no. 6, pp. 2964–2982, Jun. 2015.
[21] D. Data, G. R. Kurri, J. Ravi, and V. M. Prabhakaran, "Interactive secure function computation," IEEE Trans. Inf. Theory, vol. 66, no. 9, pp. 5492–5521, Sep. 2020.
[22] M. Yan and A. Sprintson, "Algorithms for weakly secure data exchange," in Proc. Int. Symp. Netw. Coding (NetCod), Calgary, AB, Canada, Jun. 2013, pp. 1–6.
[23] T. A. Courtade and T. R. Halford, "Coded cooperative data exchange for a secret key," IEEE Trans. Inf. Theory, vol. 62, no. 7, pp. 3785–3795, Jul. 2016.
[24] C. Chan, M. Mukherjee, N. Kashyap, and Q. Zhou, "On the optimality of secret key agreement via omniscience," IEEE Trans. Inf. Theory, vol. 64, no. 4, pp. 2371–2389, Apr. 2018.
[25] M. Mukherjee, N. Kashyap, and Y. Sankarasubramaniam, "On the public communication needed to achieve SK capacity in the multiterminal source model," IEEE Trans. Inf. Theory, vol. 62, no. 7, pp. 3811–3830, Jul. 2016.
[26] A. Poostindouz and R. Safavi-Naini, "Wiretap secret key capacity of tree-PIN," in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Paris, France, Jul. 2019, pp. 315–319.
[27] A. El Gamal and Y.-H. Kim, Network Information Theory. Cambridge, U.K.: Cambridge Univ. Press, 2011.
[28] C. Chan, M. Mukherjee, N. Kashyap, and Q. Zhou, "Multiterminal secret key agreement at asymptotically zero discussion rate," in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Vail, CO, USA, Jun. 2018, pp. 2654–2658.
[29] C. Chan, N. Kashyap, P. K. Vippathalla, and Q. Zhou, "Secure information exchange for omniscience," in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Los Angeles, CA, USA, Jun. 2020, pp. 966–971.
[30] C. Chan, M. Mukherjee, N. Kashyap, and Q. Zhou, "Upper bounds via lamination on the constrained secrecy capacity of hypergraphical sources," IEEE Trans. Inf. Theory, vol. 65, no. 8, pp. 5080–5093, Aug. 2019.
[31] P. K. Vippathalla, C. Chan, N. Kashyap, and Q. Zhou, "Secret key agreement and secure omniscience of tree-PIN source with linear wiretapper," 2021. [Online]. Available: https://arxiv.org/abs/2102.01771
[32] N. Bourbaki, Elements of Mathematics: Algebra I. Berlin, Germany: Springer-Verlag, 1989.