arXiv:2112.00394v1 [cs.IT] 1 Dec 2021


Wiretap Secret Key Agreement Via Secure Omniscience

Praneeth Kumar Vippathalla, Chung Chan, Navin Kashyap and Qiaoqiao Zhou

Abstract—In this paper, we explore the connection between secret key agreement and secure omniscience within the setting of the multiterminal source model with a wiretapper who has side information. While the secret key agreement problem considers the generation of a maximum-rate secret key through public discussion, the secure omniscience problem is concerned with communication protocols for omniscience that minimize the rate of information leakage to the wiretapper. The starting point of our work is a lower bound on the minimum leakage rate for omniscience, $R_L$, in terms of the wiretap secret key capacity, $C_W$. Our interest is in identifying broad classes of sources for which this lower bound is met with equality, in which case we say that there is a duality between secure omniscience and secret key agreement. We show that this duality holds in the case of certain finite linear source (FLS) models, such as two-terminal FLS models and pairwise independent network models on trees with a linear wiretapper. Duality also holds for any FLS model in which $C_W$ is achieved by a perfect linear secret key agreement scheme. We conjecture that the duality in fact holds unconditionally for any FLS model. On the negative side, we give an example of a (non-FLS) source model for which duality does not hold if we limit ourselves to communication-for-omniscience protocols with at most two (interactive) communications. Finally, we demonstrate the usefulness of our lower bound on $R_L$ by using it to derive equivalent conditions for the positivity of $C_W$ in the multiterminal model. This extends a recent result of Gohari, Günlü and Kramer (2020) obtained for the two-user setting.

Index Terms—Information theoretic security, secret key generation, secure omniscience, leakage rate for omniscience, tree-PIN model, finite linear sources

I. INTRODUCTION

In the setting of the multiterminal source model for secure computation, users who privately observe correlated random variables from a source try to compute functions of these private observations through interactive public discussion. The goal of the users is to keep these computed functions secure from a wiretapper who has some side information (a random variable possibly correlated with the source), and noiseless access to the public discussion. A well-studied problem within this model is that of secret key agreement, where users try to agree on a key that is kept secure from the wiretapper. In other words, users try to compute a common function that is independent of the public discussion and the wiretapper’s side information.

N. Kashyap and Praneeth Kumar V. are with the Department of Electrical Communication Engineering, Indian Institute of Science, Bangalore 560012. Their work was supported in part by a Swarnajayanti Fellowship awarded to N. Kashyap by the Department of Science & Technology (DST), Government of India.

C. Chan is with the Department of Computer Science, City University of Hong Kong. His work is supported by a grant from the University Grants Committee of the Hong Kong Special Administrative Region, China (Project No. 21203318).

Q. Zhou is with the Department of Computer Science, National University of Singapore.

Corresponding author: C. Chan

This work was presented in part at the 2020 IEEE International Symposium on Information Theory, and in part at the 2021 IEEE International Symposium on Information Theory.

The secret key agreement problem was first studied for two users by Maurer [1], and Ahlswede and Csiszár [2]. These works attempted to characterize the wiretap secret key capacity $C_W$, which is defined as the maximum secret key rate possible with unlimited public discussion. They were able to do this in certain special cases, for instance, in the case when only one user is allowed to communicate [2, Theorem 1], and in the case when the wiretapper’s side information is conditionally independent of one user’s private information, given that of the other user [1, Theorems 2 and 3]. In particular, when the wiretapper has no side information, $C_W$ was shown to be equal to the mutual information between the random variables observed by the two users. But, for the two-user setting without additional assumptions, only upper and lower bounds on $C_W$ were given. Subsequently, there have been multiple efforts, notably [3–5], to strengthen and extend these bounds to the general setting of two or more users, but finding a single-letter expression remains a fundamental open problem in this domain.

In the course of extending the earlier results to the setting of multiple users, Csiszár and Narayan [4] gave a single-letter expression for the secret key capacity in the case when the wiretapper has no side information. They did this by establishing an equivalence or “duality” between the secret key agreement problem and the source coding problem of communication for omniscience, which is attained when each user is able to recover (with high probability) the private observations of all the other users. They observed that a secret key of maximum rate can be extracted from a protocol that involves public discussion at the minimum rate required to attain omniscience. They were thus able to relate the secret key capacity to $R_{CO}$, the minimum rate of communication required for omniscience, which can be obtained as the solution to a relatively simple linear program.

Subsequently, Gohari and Anantharam [5] succeeded in establishing a similar duality in the more general setting of a wiretapper having side information. They showed an equivalence between the wiretap secret key agreement problem (in the presence of a wiretapper having side information) and a problem of communication for omniscience at a neutral observer. In the latter problem, there is (in addition to the users and the wiretapper) a neutral observer who is given access to the wiretapper’s side information. The goal here is for the users to communicate in public to create a shared random variable which, when provided to the neutral observer, allows the observer to reconstruct all the users’ private observations. Theorem 3 of [5] relates $C_W$ to the minimum rate of public communication required for omniscience at the neutral observer. However, this does not lead to a single-letter expression for $C_W$, as it is not known how to compute the minimum rate of communication for omniscience at the neutral observer.

Motivated in part by the results of [4] and [5], we explore the possibility of an alternative duality existing between the wiretap secret key problem and a certain secure omniscience problem, in the hope of obtaining additional insight on $C_W$, potentially leading to its evaluation in settings where it still remains unknown. In the secure omniscience problem we consider, we stay within the original setting of the multiterminal source model with a wiretapper having side information. The users communicate interactively in public so as to attain omniscience, but now the aim is not necessarily to minimize the rate of communication needed for this. Instead, the goal is to minimize the rate at which the communication for omniscience leaks information about the source to the wiretapper. We give the formal definition of $R_L$, the minimum information leakage rate of any communication for omniscience, in Section II.

A. Main Contributions

The starting point of our paper is an inequality that relates the wiretap secret key capacity and the minimum leakage rate for omniscience for a source $(Z_V, Z_w)$. Here, $V := \{1, \ldots, m\}$ denotes the set of users, $Z_V := (Z_i \mid i \in V)$ is the collection of user observations, and $Z_w$ denotes the wiretapper’s side information. We then have

$$H(Z_V|Z_w) - C_W \le R_L. \tag{1}$$

The inequality follows from a standard argument: once the users attain omniscience via a communication protocol that achieves the minimum leakage rate $R_L$, they can extract a secret key of rate $H(Z_V|Z_w) - R_L$ from the reconstruction of $Z_V$ available to each of them.

If the inequality in (1) holds with equality, then we refer to it as a duality between secure omniscience and wiretap secret key agreement. Essentially, whenever this duality holds, a secret key of maximum rate can be extracted from a communication for omniscience protocol that minimizes the leakage rate. Note that equality in (1) yields an expression for $C_W$ in terms of $R_L$, but its utility towards computing $C_W$ is unclear, as it is not known whether $R_L$ admits a single-letter expression.

We first address the question of whether there is always a duality between secure omniscience and wiretap secret key agreement for any multiterminal source model with wiretapper. Note that if equality holds in (1), then it must be the case that $C_W = 0$ iff $R_L = H(Z_V|Z_w)$. Now, it is easily shown that, for any multiterminal source model, $C_W = 0$ implies $R_L = H(Z_V|Z_w)$. This follows directly from (1) and the upper bound $R_L \le H(Z_V|Z_w)$, which always holds, as is easily seen from the definition of $R_L$ (see Theorem 1 in Section II). It is not so clear whether the converse is also true, namely, that $R_L = H(Z_V|Z_w)$ implies $C_W = 0$. We conjecture that the converse does not always hold, i.e., there are sources for which $R_L = H(Z_V|Z_w)$, yet $C_W > 0$. We make partial progress in this direction by showing that this is the case if we restrict ourselves to omniscience protocols in which at most two communications are allowed. We give an example of a two-user source model for which $C_W > 0$, but the leakage rate equals $H(Z_V|Z_w)$ for any omniscience protocol involving at most two messages. While our example does not definitively resolve the issue of duality between secure omniscience and wiretap secret key agreement, it seems to indicate that this duality may not always hold.

Next, we consider a broad class of sources, namely, finite linear sources, for which we believe the duality must hold. In a finite linear source (FLS) model, each user’s observations, as well as the wiretapper’s side information, are given by a linear transformation of an underlying random vector consisting of finitely many i.i.d. uniform random variables. This class of sources has received some prior attention [6–8]. We prove that (1) holds with equality for FLS models in which the wiretap secret key capacity $C_W$ is achieved by a perfect key agreement protocol involving public communications that are linear functions of the users’ observations. It is an open question as to whether $C_W$ can always be achieved through linear communication protocols for any FLS model, but it is reasonable to expect that this is the case. We also give two unconditionally positive results: duality holds in the case of two-user FLS models, and in the case of pairwise independent network (PIN) models on trees [9, 10] in which the wiretapper’s side information is a linear function of the source. In both these cases, we obtain explicit expressions for $R_L$ and $C_W$. In fact, in the case of tree-PIN models with a linear wiretapper, we are able to explicitly determine the maximum secret key rate achievable when the total rate of public communication is constrained to be at most $R$.

Finally, we show that the inequality in (1) can be useful on its own. We use it to extend to the multi-user setting a recent result of Gohari, Günlü and Kramer [11] that gives several equivalent conditions for the positivity of $C_W$ in a two-user source model.

B. Related Work

Our work is closely related to that of Prabhakaran and Ramchandran [12]. In their work, they considered the problem of secure source coding in a two-user model with a wiretapper where only one user is allowed to communicate to the other. This kind of communication is commonly referred to as one-way communication. The goal here is to communicate in such a way that the receiving user recovers the observations of the transmitting user while minimizing the rate of information leaked to the wiretapper about the transmitting user’s source. In this case, they obtained a single-letter characterization of the minimum leakage rate for recovering one terminal’s observation by the other terminal by using conventional information-theoretic techniques. Moreover, they used this quantity to lower bound the wiretap secret key capacity. Our work, in fact, generalizes this result by considering the minimum leakage rate for omniscience instead in the multi-user setting where interactive communication is allowed.

The secure source coding problem considered in [12] has been generalized and studied extensively in the direction of characterizing the minimum rate of leakage of the transmitter’s source [13, 14] by incorporating various constraints. For instance, Villard and Piantanida [14] considered a model similar to that of [12], but one in which the receiving user observes coded side information from a third party. Since uncoded side information is a special case of coded side information, this framework subsumes the model of [12]. For this model, they studied the problem in broad generality by considering a lossy recovery of the transmitter’s observations at the receiving terminal in the presence of a wiretapper. They gave a characterization of the rate-distortion-leakage rate region, which is the set of all achievable tuples of communication rate, distortion and leakage rate.

Recently, in [15], Tu and Lai have considered the same model but studied the problem of lossy function computation by the receiving terminal, which is a further generalization of the model of [14]. They also considered the privacy aspect (leakage of the transmitting user’s source to the receiving user) and studied it along with the rate-distortion-leakage rate region. They were able to give an explicit characterization of the entire achievable rate region.

This problem falls in the class of source coding for distributed function computation; see, e.g., [15–19]. In this problem, each user has access to a private random variable, and they wish to compute functions of these private random variables by communicating in public, possibly interactively and/or in the presence of a wiretapper. For instance, in [18], Ma and Ishwar have considered a two-user model without a wiretapper, where users, after observing private random variables, interactively communicate to compute functions of these private random variables. They studied the interactive communication rates needed for the computation of functions and completely characterized the rate region. Subsequently, this work has been extended by [20] to randomized function computation in the two-user case. Recently, [21] has studied randomized function computation with additional privacy constraints on the users’ observations.

One work that studies function computation in the context of the multi-user source model with a wiretapper is [19]. In their work, Tyagi, Narayan, and Gupta assumed that the wiretapper has no side information and addressed the question: when can a common function be computed securely? Here we say a function is securely computable if it is kept asymptotically independent of the communication that is needed to compute this function. It means that the wiretapper can gain almost no knowledge of the function output even with access to the communication. They answered this question by relating it to the secret key capacity of the source model. The precise result is that a common function is securely computable by all the terminals if and only if the entropy of the function is less than the secret key capacity.

Secure omniscience is also a problem of source coding for distributed function computation. Here, all the users try to recover the users’ source, and the quantity of interest is the minimum rate of information about the source that gets leaked to the wiretapper through the communication. A problem that is closely related to secure omniscience is the coded cooperative data exchange (CCDE) problem with a secrecy constraint; see, e.g., [22, 23]. In the problem of CCDE, we consider a hypergraphical source and study one-shot omniscience. The hypergraphical model generalizes the PIN model within the class of FLSs. [23] studied the secret key agreement in the CCDE context and characterized the number of transmissions required versus the number of SKs generated. On the other hand, [22] considered the same model but with wiretapper side information and explored the leakage aspect of an omniscience protocol. However, the security notion considered therein does not allow the eavesdropper to recover even one hyperedge of the source from the communication except what is already available. However, the communication scheme can still reveal information about the source. In this paper, we are interested in minimizing the rate of information leakage to the wiretapper. Though we consider the asymptotic notion, the designed optimal communication scheme uses only a finite number of realizations of the source. Hence our scheme can find applications even in CCDE problems.

The role of omniscience in the multi-user secret key agreement (with wiretapper side information) was highlighted in the work of Csiszár and Narayan [4]. They showed that a maximum key rate could be achieved by communicating at a minimum rate for omniscience. This led to the question of whether the omniscience is optimal even in terms of the minimum communication rate needed to achieve secret key capacity. The works [24, 25] have addressed this question by giving sufficient conditions for general sources and equivalent conditions for hypergraphical sources.

Though the characterization of secret key capacity (without wiretapper side information) is known, and its connection with omniscience is well studied, the characterization of wiretap secret key capacity is still an open problem. Results are known only for special sources [1, 2]. However, there has been some progress in this direction in recent times. For instance, Gohari, Günlü and Kramer, in [11], sought a characterization of the class of two-user sources for which wiretap secret key capacity is positive. They were able to find an equivalent characterization in terms of Rényi divergence. Its usefulness has been demonstrated on sources with an erasure model on the wiretapper side information by deriving a sufficient condition for the positivity of $C_W$. In the direction of characterizing $C_W$, Poostindouz and Safavi-Naini, in [26], have made an effort in the case of some special source models. In particular, they considered tree-PIN models with wiretapper side information containing noisy versions of the edge random variables. They obtained a characterization of $C_W$ in terms of the conditional minimum rate of communication for omniscience, which is a solution to a certain linear program.

C. Organization

This paper is organized as follows. In Section II, we introduce the problem and notation. In this section, we also establish an inequality relating the minimum leakage rate for omniscience and wiretap secret key capacity for general source models. Section III contains an example showing that the duality does not hold between secure omniscience and secret key agreement in the case of limited interaction (with two messages allowed). This result suggests that the duality need not hold in the general case. In Section IV, we first formally define the finite linear source models and prove a duality result concerning linear protocols. Furthermore, we establish an unconditional result in the two-user FLS. In Section V, we prove the duality in the case of the tree-PIN model with linear wiretapper. Moreover, for this model, we determine the rate region containing all achievable secret key rate and total communication rate pairs. In fact, we use a secure omniscience scheme for a part of the source to obtain this result. In Section VI, we obtain some equivalent conditions for the positivity of $C_W$ for the multi-user case using (1). This generalizes the two-user result of [11]. Finally, we discuss the open problems and challenges in establishing duality in Section VII.

II. PROBLEM FORMULATION

In this section, we describe two different scenarios, namely wiretap secret key agreement and secure omniscience, in the context of the multiterminal source model. In this model, the terminals communicate publicly using their correlated observations to compute functions securely from the eavesdropper, who has access to the public communication along with some side information. More precisely, let $V = [m] := \{1, \ldots, m\}$ be the set of users, and let w denote the wiretapper. Let $Z_1, \ldots, Z_m$ and $Z_w$ be random variables taking values in finite alphabets $\mathcal{Z}_1, \ldots, \mathcal{Z}_m$ and $\mathcal{Z}_w$ respectively, with joint distribution $P_{Z_1 \ldots Z_m Z_w}$. Let $Z_V := (Z_i : i \in V)$, and let $Z_i^n$ denote the $n$ i.i.d. realizations of $Z_i$. For $i \in V$, user $i$ has access to the random variable $Z_i$, and the wiretapper observes $Z_w$. Upon observing $n$ i.i.d. realizations, the users communicate interactively using their observations, and possibly independent private randomness, on the noiseless and authenticated channel. In other words, the communication made by a user in any round depends on all the previous rounds’ communications and the user’s own observations. Let $F^{(n)}$ denote this interactive communication. We say $F^{(n)}$ is non-interactive if it is of the form $(F_i^{(n)} : i \in V)$, where $F_i^{(n)}$ depends only on $Z_i^n$ and the private randomness of user $i$. Note that the eavesdropper has access to the pair $(F^{(n)}, Z_w^n)$. At the end of the communication, each user outputs a value in a finite set using its observations and $F^{(n)}$. For example, user $i$ outputs $E_i^{(n)}$ using $(F^{(n)}, Z_i^n)$ and its private randomness. See Fig. 1.

A. Secure Omniscience

In the secure omniscience scenario, each user tries to recover the observations of all the users other than the wiretapper. We say that $(F^{(n)}, E_1^{(n)}, \ldots, E_m^{(n)})_{n \ge 1}$ is an omniscience scheme if it satisfies the recoverability condition for omniscience:

$$\liminf_{n \to \infty} \Pr\left(E_1^{(n)} = \cdots = E_m^{(n)} = Z_V^n\right) = 1. \tag{2}$$

Fig. 1. Multiterminal source model with wiretapper side information. The terminals interactively discuss over a public channel using their observations from a correlated source to compute their respective functions.

The minimum leakage rate for omniscience is defined as

$$R_L := \inf \left\{ \limsup_{n \to \infty} \frac{1}{n} I\left(F^{(n)} \wedge Z_V^n \,\middle|\, Z_w^n\right) \right\} \tag{3}$$

where the infimum is over all omniscience schemes. We sometimes use $R_L(Z_V \| Z_w)$ instead of $R_L$ to make the source explicit. When there is no wiretapper side information, then the above notion coincides with the minimum rate of communication for omniscience, $R_{CO}$ [4]. The conditional minimum rate of communication for omniscience, $R_{CO}(Z_V|J)$, is used in situations where all the users have access to a common random variable $J^n$ along with their private observations. This means that user $i$ observes $(J^n, Z_i^n)$.

B. Wiretap Secret Key Agreement

In the wiretap secret key agreement, each user tries to compute a common function, which is called a key, that is kept secure from the wiretapper. Specifically, we say that $(F^{(n)}, E_1^{(n)}, \ldots, E_m^{(n)})_{n \ge 1}$ is a wiretap secret key agreement (SKA) scheme if there exists a sequence $(K^{(n)})_{n \ge 1}$ such that

$$\liminf_{n \to \infty} \Pr\left(E_1^{(n)} = \cdots = E_m^{(n)} = K^{(n)}\right) = 1, \tag{4a}$$

$$\limsup_{n \to \infty} \left[\log |K^{(n)}| - H\left(K^{(n)} \,\middle|\, F^{(n)}, Z_w^n\right)\right] = 0, \tag{4b}$$

where $|K^{(n)}|$ denotes the cardinality of the range of $K^{(n)}$. Conditions (4a) and (4b) are referred to as the key recoverability condition and the secrecy condition of the key, respectively.

The wiretap secret key capacity is defined as

$$C_W := \sup \left\{ \liminf_{n \to \infty} \frac{1}{n} \log |K^{(n)}| \right\} \tag{5}$$

where the supremum is over all SKA schemes. The quantity $C_W$ is also sometimes written as $C_W(Z_V \| Z_w)$. In (5), we use $C_S$ instead of $C_W$ when the wiretap side information is set to a constant. Similarly, we use $C_P(Z_V|J)$ in the case when wiretap side information is $Z_w = J$ and all the users have the shared random variable $J$ along with their private observations $Z_i$. The quantities $C_S$ and $C_P(Z_V|J)$ are referred to as the secret key capacity of $Z_V$, and the private key capacity of $Z_V$ with compromised-helper side information $J$, respectively.

The following theorem gives a lower bound on the minimum leakage rate for omniscience for a general source $(Z_V, Z_w)$. The lower bound on $R_L$ in terms of wiretap secret key capacity is obtained by using the idea of privacy amplification on the recovered source.

Theorem 1 For a general source $(Z_V, Z_w)$,

$$H(Z_V|Z_w) - C_W \le R_L \le H(Z_V|Z_w). \tag{6}$$

PROOF Given a discussion scheme that achieves $R_L$, one can apply privacy amplification [4, Lemma B.2] to extract a secret key of rate $H(Z_V|Z_w) - R_L$ from the recovered source. Since the secret key rate thus achieved is bounded above by $C_W$, we obtain the lower bound on $R_L$. The upper bound on $R_L$ follows from (3), upon noting that $\frac{1}{n} I(F^{(n)} \wedge Z_V^n | Z_w^n) \le H(Z_V|Z_w)$. ∎

Remark 1 Note that the achievable key rate is intuitively the total amount of randomness in the recovered source $Z_V$ that is neither in the wiretapper’s side information $Z_w$ nor revealed in public. □
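The accounting in Remark 1 can be checked on a small one-shot ($n = 1$) linear example; the code below is added here for illustration and is not from the paper. It assumes a constructed three-user path PIN source (each edge carries an independent uniform bit seen by both of its endpoints) with a wiretapper who observes the XOR of the two edge bits; the two schemes and all function names are hypothetical, and entropies are in bits, which for linear functions of uniform bits equal ranks over GF(2).

```python
"""Added illustration: one-shot linear omniscience schemes on a path PIN source.

Constructed source (not from the paper): users 1-2-3 on a path, edge bits
X_a (edge 1-2) and X_b (edge 2-3) i.i.d. uniform; wiretapper sees X_a XOR X_b.
A GF(2)-linear function of (X_a, X_b) is stored as a bitmask:
bit 0 = coefficient of X_a, bit 1 = coefficient of X_b.
"""

XA, XB = 0b01, 0b10

USERS = {1: [XA], 2: [XA, XB], 3: [XB]}      # Z_1, Z_2, Z_3
Z_W = [XA ^ XB]                               # wiretapper side information Z_w
Z_V = [v for z in USERS.values() for v in z]  # all user observations


def rank(vectors):
    """Rank over GF(2) = joint entropy in bits of the listed linear functions."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)  # clears b's leading bit from v if it is set
        if v:
            basis.append(v)
    return len(basis)


def cond_entropy(a, b):
    """H(A | B) in bits for linear functions of uniform bits."""
    return rank(a + b) - rank(b)


def extract_key(f):
    """Greedily pick components of Z_V that stay uniform given (F, Z_w)."""
    known, key = f + Z_W, []
    for v in Z_V:
        if cond_entropy([v], known + key) == 1:
            key.append(v)
    return key


def key_is_secret(key, f):
    """One-shot form of (4b): log|K| - H(K | F, Z_w) = 0."""
    return len(key) - cond_entropy(key, f + Z_W) == 0


def analyse(messages):
    """messages: list of (sender, bitmask) pairs broadcast in public."""
    f = [vec for _, vec in messages]
    for sender, vec in messages:
        # each message must be a function of its sender's own observation
        if cond_entropy([vec], USERS[sender]) != 0:
            raise ValueError(f"user {sender} cannot compute {vec:#04b}")
    return {
        # every user recovers Z_V from the discussion and its own observation
        "omniscience": all(cond_entropy(Z_V, f + z) == 0 for z in USERS.values()),
        "H(Z_V|Z_w)": cond_entropy(Z_V, Z_W),
        # I(F ^ Z_V | Z_w) = H(F | Z_w), because F is a function of Z_V
        "leakage": cond_entropy(f, Z_W),
        "key": extract_key(f),
    }


# Scheme 1: user 2 broadcasts X_a XOR X_b, which the wiretapper already has.
QUIET = [(2, XA ^ XB)]
# Scheme 2: users 1 and 3 broadcast their own edge bits.
LEAKY = [(1, XA), (3, XB)]

if __name__ == "__main__":
    for name, scheme in (("quiet", QUIET), ("leaky", LEAKY)):
        print(name, analyse(scheme))
```

Both schemes attain omniscience, but the first leaks 0 bits and leaves the full $H(Z_V|Z_w) = 1$ bit for a key, while the second leaks 1 bit and leaves none, so in each case the key length equals $H(Z_V|Z_w)$ minus the leakage.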

One can observe that for any source,

$$R_L \le R_{CO}, \tag{7}$$

which follows easily from (3) as $I(F^{(n)} \wedge Z_V^n | Z_w^n) \le H(F^{(n)})$ and $F^{(n)}$ is an omniscience scheme. Therefore, we have $R_L \le \max\{R_{CO}, H(Z_V|Z_w)\}$.

III. DUALITY BETWEEN SECURE OMNISCIENCE AND WIRETAP SECRET KEY AGREEMENT: LIMITED INTERACTION

In this section, we address the question of whether there is always a duality between secure omniscience and wiretap secret key agreement for any multiterminal source model with wiretapper. We study this by considering a necessary condition for duality, which is $C_W > 0$ iff $R_L < H(Z_V|Z_w)$. One direction, that $R_L < H(Z_V|Z_w)$ implies $C_W > 0$, holds for any source and follows from (6). For the other direction, intuitively, if the users can generate a secret key that is independent of the wiretapper’s side information, then they can use this advantage to protect some information during an omniscience scheme. However, we will prove that this need not be the case if we limit the number of messages exchanged between the users.

To illustrate this result, let us consider a two-user setting ($m = 2$) with source distribution $P_{Z_1 Z_2 Z_w}$. Let $r$ be the number of messages exchanged between the users, and let $C_W^{(r)}$ and $R_L^{(r)}$ denote the wiretap secret key capacity and the minimum leakage rate for omniscience, respectively, when we allow at most $r$ messages to be exchanged among the users. Note that we can ensure omniscience only if we allow $r \ge 2$ because omniscience is not guaranteed with one message transmission. Moreover, omniscience can be obtained using a non-interactive communication that involves only 2 messages. Here $R_L^{(r)} < H(Z_1, Z_2|Z_w)$ implies $C_W^{(r)} > 0$, because if the users can achieve omniscience using $r$ messages such that $R_L^{(r)} < H(Z_1, Z_2|Z_w)$, then they can apply privacy amplification to recover a key with positive rate, implying $C_W^{(r)} > 0$. For the other direction, we show that $C_W^{(r)} > 0$ does not imply $R_L^{(r)} < H(Z_1, Z_2|Z_w)$ if $r = 2$. This is stated in the following proposition.

Proposition 1 If $r = 2$, then for any source $P_{Z_1 Z_2 Z_w}$,

$$R_L^{(r)} < H(Z_1, Z_2|Z_w) \implies C_W^{(r)} > 0.$$

However, the converse need not hold.

To prove the converse, we first derive an upper bound on $R_L^{(2)}$ using the results from the one-way communication setting. We then give a source in Lemma 3 that finally proves the converse. In the rest of this section, we denote $Z_1$, $Z_2$ and $Z_w$ by $X$, $Y$, and $Z$, respectively. The random variables $X$, $Y$, and $Z$ take values in finite sets $\mathcal{X}$, $\mathcal{Y}$, and $\mathcal{Z}$, respectively.

A. One-way communication, i.e., r = 1

Before we address the problem completely, first, we consider a model with only one message allowed. Since omniscience requires a minimum of two messages between users, we slightly modify the setup by letting only one of the users recover the other user’s observations (see Fig. 2). We define the minimum leakage rate for recovery of $X$ by user 2 as

$$R_L^{\mathrm{ow}} := \inf\Big\{\limsup_{n\to\infty} \frac{1}{n} I(F_1^{(n)} \wedge X^n | Z^n)\Big\},$$

where the infimum is over all one-way communication schemes that allow user 2 to recover $X$. Furthermore, the definition of one-way wiretap secret key capacity, denoted by $C_W^{\mathrm{ow}}$, is the same as (5) with the exception that the supremum is taken over all one-way SKA schemes.

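[Figure 2 diagram: users 1 and 2 with observations $X^n$ and $Y^n$, wiretapper W with $Z^n$, outputs $E_1^{(n)}$ and $E_2^{(n)}$, and the message $F_1$.]

Fig. 2. Only one message transfer is allowed. Since omniscience is, in general, not possible within this setup, we only allow user 2 to recover user 1’s observations, i.e., $E_1^{(n)}$ is constant and $E_2^{(n)} = X^{(n)}$.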

Ahlswede and Csiszár, in [2], studied the one-way wiretap secret key agreement, and gave a single-letter expression [2, Theorem 1] for secret key capacity:

$$C_W^{\mathrm{ow}} = \max_{V - U - X - (Y,Z)} \big[I(U \wedge Y|V) - I(U \wedge Z|V)\big]. \tag{8}$$

In the above optimization, it is enough to consider random variables $U$ and $V$ (taking values in sets $\mathcal{U}$ and $\mathcal{V}$, respectively) such that $|\mathcal{U}| \le |\mathcal{X}|^2$ and $|\mathcal{V}| \le |\mathcal{X}|$.

On the other hand, the problem of one-way leakage rate was studied in [12], but with a measure of leakage that only differs from $R_L^{\mathrm{ow}}$ by $I(X \wedge Z)$. They gave a single-letter characterization [12, Theorem 1] for the minimum leakage rate for recovering $X$:

$$R_L^{\mathrm{ow}} = \min_{S - X - (Y,Z)} \big[I(S \wedge X|Z) + H(X|S,Y)\big], \tag{9}$$

where the minimization is over random variable $S$ taking values in a set $\mathcal{S}$ such that $|\mathcal{S}| \le |\mathcal{X}|$.

We will make use of the following standard result on broadcast channels to construct a source $P_{XYZ}$ with $C_W^{\mathrm{ow}} > 0$ and $R_L^{\mathrm{ow}} = H(X|Z)$. Let $h(q)$ denote the binary entropy function, i.e., $h(q) = -q \log_2 q - (1-q)\log_2(1-q)$, for $q \in (0, 1)$.

Lemma 1 ([27, p. 121]) Consider a discrete memoryless broadcast channel $P_{YZ|X}$ with $X \in \{0, 1\}$, $Y \in \{0, 1\}$ and $Z \in \{0, 1, \Delta\}$, where the channel from $X$ to $Y$ is BSC($p$), $p \in (0, \frac{1}{2})$, and the channel from $X$ to $Z$ is BEC($\epsilon$), $\epsilon \in (0, 1)$. Then, for $4p(1-p) < \epsilon \le h(p)$,

1) $Z$ is more capable than $Y$, i.e., for every input distribution $P_X$,

$$I(X \wedge Z) \ge I(X \wedge Y),$$

2) $Z$ is not less noisy than $Y$, i.e., there exists a joint distribution $P^*_{UX}$ where $P_{UXYZ} = P^*_{UX} P_{YZ|X}$ such that

$$I(U \wedge Z) < I(U \wedge Y).$$

In fact, a $P^*_{UX}$ that satisfies the above condition is obtained by passing $U \sim \mathrm{Ber}(\frac{1}{2})$ through BSC($\frac{1}{2} - \delta$) with output $X$, where $\delta > 0$ is small enough, and depends on $\epsilon$ and $p$.

Note that, for the distribution $P^*_{UX}$ in the above lemma, the marginal distribution of $X$ is $\mathrm{Ber}(\frac{1}{2})$.

Lemma 2 There exists a source $P_{XYZ}$ such that $C_W^{\mathrm{ow}} > 0$ but $R_L^{\mathrm{ow}} = H(X|Z)$. ✷

PROOF Consider the source $P_{XYZ} = P_X P_{Y|X} P_{Z|X}$ where $X \sim \mathrm{Ber}(\frac{1}{2})$, the channel from $X$ to $Y$ is BSC($p$) and the channel from $X$ to $Z$ is BEC($\epsilon$) such that $4p(1-p) < \epsilon \le h(p)$. According to Lemma 1, $Z$ is not less noisy than $Y$. Therefore, $I(U \wedge Z) < I(U \wedge Y)$ for some joint distribution $P^*_{UX} = P^*_{U|X} P_X$ where $X \sim \mathrm{Ber}(\frac{1}{2})$. The joint distribution $P_{UXYZ} := P^*_{U|X} P_{XYZ} = P^*_{UX} P_{YZ|X}$ satisfies the Markov chain $U - X - (Y,Z)$. It follows that

$$C_W^{\mathrm{ow}} = \max_{V - U - X - (Y,Z)} \big[I(U \wedge Y|V) - I(U \wedge Z|V)\big] \overset{(a)}{\ge} I(U \wedge Y) - I(U \wedge Z) > 0$$

where (a) is obtained by setting $V$ to a constant. This proves that wiretap secret key capacity is strictly positive.

The minimum leakage rate for one-way communication,

$$R_L^{\mathrm{ow}} = \min_{S - X - (Y,Z)} \big[I(S \wedge X|Z) + H(X|S,Y)\big] = \min_{S - X - (Y,Z)} \big[H(X|Z) + H(X|S,Y) - H(X|S,Z)\big]$$

is upper bounded by $H(X|Z)$, which is obtained by setting $S := X$. For $H(X|Z) \le R_L^{\mathrm{ow}}$, it is enough to prove that for any $S - X - (Y,Z)$, $H(X|S,Y) - H(X|S,Z) = I(X \wedge Z|S) - I(X \wedge Y|S) \ge 0$. Observe that

$$I(X \wedge Z|S) - I(X \wedge Y|S) = \sum_{s} P_S(s) \big[I(X \wedge Z|S = s) - I(X \wedge Y|S = s)\big].$$

For an $s$ with $P_S(s) > 0$, the term $I(X \wedge Z|S = s) - I(X \wedge Y|S = s)$ is evaluated with respect to $P_{X,Y,Z|S=s} = P_{X|S=s} P_{Y,Z|X} = P_{X|S=s} P_{Y|X} P_{Z|X}$. So this term is equal to $I(X_s \wedge Z) - I(X_s \wedge Y)$, where $X_s \sim P_{X|S=s}$, and $Y$ (resp. $Z$) is obtained by passing $X_s$ through BSC($p$) (resp. BEC($\epsilon$)). Since $Z$ is more capable than $Y$, $I(X_s \wedge Z) - I(X_s \wedge Y) \ge 0$ for every $s$. As a result, we have $I(X \wedge Z|S) - I(X \wedge Y|S) \ge 0$, which completes the proof. ∎

B. Two messages are allowed, i.e., r = 2

If we allow the users to exchange two messages interactively (Fig. 3), then omniscience is possible as users 1 and 2 can communicate non-interactively at any rate larger than $H(X|Y) + H(Y|X)$ to recover each other’s source. Let $C_W^{(r)}$ and $R_L^{(r)}$ be defined as in (5) and (3) but with a restriction to communication schemes involving only $r = 2$ interactive messages. Here we do not impose the condition that a particular user must transmit the first message. So any user can initiate the protocol, but we allow at most two messages to be exchanged. Even in this case, we can ask the same question: Does $C_W^{(2)} > 0$ imply that $R_L^{(2)} < H(X,Y|Z)$?

[Figure 3 diagram: users 1 and 2 with observations $X^n$ and $Y^n$, wiretapper W with $Z^n$, outputs $E_1^{(n)}$ and $E_2^{(n)}$, and the communication $F$.]

Fig. 3. Two messages are allowed. Here omniscience is feasible. If user 1 initiates the communication, then $F = (F_1, F_2)$ where $F_2$, the communication by user 2, depends on $F_1$. Similarly, if user 2 starts the communication, then $F = (F_2, F_1)$ and $F_1$, the communication made by user 1, depends on $F_2$.

It turns out that with two messages, the ability to generate a positive secret key rate does not imply that the minimum leakage rate for omniscience is strictly less than $H(X,Y|Z)$. To show this, we will use the results from the one-way communication setting. Let $R_L^{\mathrm{ow}}(1 \to 2)$ (resp. $R_L^{\mathrm{ow}}(2 \to 1)$) denote the minimum leakage rate for recovery of $X$ by user 2 when user 1 is the transmitter (resp. recovery of $Y$ by user 1 when user 2 is the transmitter). Similarly, $C_W^{\mathrm{ow}}(1 \to 2)$ and $C_W^{\mathrm{ow}}(2 \to 1)$ denote the one-way wiretap secret key capacities when the communicator is user 1 and user 2, respectively. By (9) and (8), we have

$$R_L^{\mathrm{ow}}(1 \to 2) = \min_{S - X - (Y,Z)} \big[I(S \wedge X|Z) + H(X|S,Y)\big],$$

$$C_W^{\mathrm{ow}}(1 \to 2) = \max_{V - U - X - (Y,Z)} \big[I(U \wedge Y|V) - I(U \wedge Z|V)\big],$$

and

$$R_L^{\mathrm{ow}}(2 \to 1) = \min_{S - Y - (X,Z)} \big[I(S \wedge Y|Z) + H(Y|S,X)\big],$$

$$C_W^{\mathrm{ow}}(2 \to 1) = \max_{V - U - Y - (X,Z)} \big[I(U \wedge X|V) - I(U \wedge Z|V)\big].$$

Since any one-way SKA scheme is also a valid SKA scheme in the $r = 2$ case,

$$C_W^{(2)} \ge \max\big\{C_W^{\mathrm{ow}}(1 \to 2),\, C_W^{\mathrm{ow}}(2 \to 1)\big\}. \tag{10}$$

We next prove the following lower bound on the minimum leakage rate:

$$R_L^{(2)} \ge \min\big\{R_L^{\mathrm{ow}}(1 \to 2) + H(Y|Z,X),\; R_L^{\mathrm{ow}}(2 \to 1) + H(X|Z,Y)\big\}, \tag{11}$$

where each term corresponds to a lower bound on the leakage rate when a particular user transmits first. This bound may not be tight in general but will be enough for our purpose of constructing a counterexample. To prove (11), first we will show that $R_L^{(2)} \ge R_L^{\mathrm{ow}}(1 \to 2) + H(Y|Z,X)$ when user 1 starts the communication. Note that for any omniscience scheme $(F_1^{(n)}, F_2^{(n)})$, we have $I(F_1^{(n)}, F_2^{(n)} \wedge X^n, Y^n|Z^n) \ge I(F_1^{(n)} \wedge X^n|Z^n) + I(F_2^{(n)} \wedge Y^n|Z^n, X^n) \ge I(F_1^{(n)} \wedge X^n|Z^n) + H(Y^n|Z^n, X^n) - n\delta_n$, where the last inequality follows from Fano’s inequality and the recoverability condition of $Y^n$ from $F_2^{(n)}$ and $X^n$. Here, $\delta_n \to 0$ as $n \to \infty$. Therefore, we have

$$\limsup_{n\to\infty} \frac{1}{n} I(F_1^{(n)}, F_2^{(n)} \wedge X^n, Y^n|Z^n) \ge \limsup_{n\to\infty} \frac{1}{n} I(F_1^{(n)} \wedge X^n|Z^n) + H(Y|Z,X) \ge R_L^{\mathrm{ow}}(1 \to 2) + H(Y|Z,X).$$

Since the above inequality holds for any omniscience scheme where user 1 initiates the communication, we can conclude that $R_L^{(2)} \ge R_L^{\mathrm{ow}}(1 \to 2) + H(Y|Z,X)$. Similarly, for omniscience schemes with user 2 starting the communication, we have that $R_L^{(2)} \ge R_L^{\mathrm{ow}}(2 \to 1) + H(X|Z,Y)$. This completes the proof of (11).

For a source distribution $P_{XYZ} = P_X P_{YZ|X} = P_Y P_{XZ|Y}$, if $Z$ is more capable than $Y$ for the channel $P_{YZ|X}$, then $\min_{S - X - (Y,Z)} [I(X \wedge Z|S) - I(X \wedge Y|S)] \ge 0$, which can be argued as in the proof of Lemma 2. Therefore, we have

$$\begin{aligned} R_L^{\mathrm{ow}}(1 \to 2) + H(Y|Z,X) &= \min_{S - X - (Y,Z)} \big[I(S \wedge X|Z) + H(X|S,Y)\big] + H(Y|Z,X) \\ &= H(X,Y|Z) + \min_{S - X - (Y,Z)} \big[I(X \wedge Z|S) - I(X \wedge Y|S)\big] \\ &\ge H(X,Y|Z). \end{aligned}$$

Similarly, for the channel $P_{XZ|Y}$, if $Z$ is more capable than $X$, then we have $R_L^{\mathrm{ow}}(2 \to 1) \ge H(X,Y|Z)$. Thus $R_L^{(2)} = H(X,Y|Z)$, which follows from (6) and (11).

In addition, if $Z$ is not less noisy than $Y$ for $P_{YZ|X}$ then $C_W^{\mathrm{ow}}(1 \to 2) > 0$ because $\max_{V - U - X - (Y,Z)} [I(U \wedge Y|V) - I(U \wedge Z|V)] > 0$, which can be argued as in the proof of Lemma 2. Similarly, if $Z$ is not less noisy than $Y$ for $P_{XZ|Y}$, then $C_W^{\mathrm{ow}}(2 \to 1) > 0$. So, whenever the “not less noisy condition” holds for at least one of the channels, we have $C_W^{(2)} > 0$ by (10). The lemma below identifies a source that satisfies the above conditions.

A source $(X,Y,Z)$ is called a DSBE($p$, $\epsilon$) source if $(X,Y)$ is a doubly symmetric binary source with parameter $p$, and $Z \in \{0, 1\}^2 \cup \{\Delta\}$ is obtained by passing $(X,Y)$ through an erasure channel with erasure probability $\epsilon$. It means that for a DSBE($p$, $\epsilon$) source $(X,Y,Z)$, $X \sim \mathrm{Ber}(\frac{1}{2})$, the channel from $X$ to $Y$ is a BSC($p$), and the channel from $(X,Y)$ to $Z$ is

$$P_{Z|X,Y}(z|x,y) = \begin{cases} 1 - \epsilon, & \text{if } z = (x,y), \\ \epsilon, & \text{if } z = \Delta, \\ 0, & \text{otherwise,} \end{cases}$$

for every $(x,y) \in \{0, 1\}^2$.

Lemma 3 For a DSBE($p$, $\epsilon$) source with $p$ and $\epsilon$ chosen so that $4p(1-p) < \epsilon \le h(p)$, we have $C_W^{(2)} > 0$ but $R_L^{(2)} = H(X,Y|Z)$. ✷

PROOF Since a DSBE($p$, $\epsilon$) source is symmetrical in $X$ and $Y$, it is enough to show that the more capable and not less noisy conditions hold for one user. In other words, it is sufficient to show that for the channel $P_{YZ|X}$, $Z$ is more capable than $Y$, and $Z$ is not less noisy than $Y$.

For any binary input distribution $P_X = (P_X(0), P_X(1)) := (q, 1-q)$, $0 \le q \le 1$, to the channel $P_{YZ|X}$, $I(X \wedge Z) = h(p * q) - h(p)$, where $p * q = p(1-q) + (1-p)q$. Let $f(q) := (1-\epsilon)h(q) - h(p * q) + h(p) = I(X \wedge Z) - I(X \wedge Y)$. Note that this difference is the same as that of the source considered in Lemma 1. The proof of that lemma involves showing that for $4p(1-p) < \epsilon \le h(p)$, $f(q)$ is a non-negative function, and moreover, $f(q)$ is strictly convex around $q = \frac{1}{2}$, which are equivalent to the more capable and not less noisy conditions, respectively. Making use of these properties of $f(q)$, we can also conclude that for $4p(1-p) < \epsilon \le h(p)$, $Z$ is more capable than $Y$, and $Z$ is not less noisy than $Y$ for $P_{YZ|X}$.

Since $Z$ is not less noisy than $Y$ for $P_{YZ|X}$, $C_W^{\mathrm{ow}}(1 \to 2)$ is positive, and hence we have $C_W^{(2)} > 0$. And, the minimum leakage rate $R_L^{(2)} = H(X,Y|Z)$ because $Z$ is more capable than $Y$ for the channel $P_{YZ|X}$, and $Z$ is more capable than $X$ for the channel $P_{XZ|Y}$. ∎
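The two channel conditions used in Lemmas 1 to 3 can be checked numerically for a concrete DSBE source. The following is an added example, not code from the paper: it builds the joint pmf of $(U, X, Y, Z)$ and evaluates the mutual informations directly; the parameter values $p = 0.1$, $\epsilon = 0.4$, $\delta = 0.05$ and all function names are constructed here.

```python
from math import log2

ERASED = "erased"          # erasure symbol (Delta in the paper)
U, X, Y, Z = 0, 1, 2, 3    # coordinate positions in the joint pmf keys

def h(q):
    """Binary entropy in bits."""
    return 0.0 if q <= 0.0 or q >= 1.0 else -q * log2(q) - (1 - q) * log2(1 - q)

def dsbe_joint(p_ux, p, eps):
    """Joint pmf of (U, X, Y, Z): Y = BSC(p) output of X, Z = erasure(eps) of the pair (X, Y)."""
    joint = {}
    for (u, x), w in p_ux.items():
        for y in (0, 1):
            w_xy = w * (p if y != x else 1 - p)
            for z, w_z in (((x, y), 1 - eps), (ERASED, eps)):
                if w_xy * w_z > 0:
                    key = (u, x, y, z)
                    joint[key] = joint.get(key, 0.0) + w_xy * w_z
    return joint

def entropy(joint, idx):
    """Entropy in bits of the coordinates listed in idx."""
    marg = {}
    for key, w in joint.items():
        k = tuple(key[i] for i in idx)
        marg[k] = marg.get(k, 0.0) + w
    return -sum(w * log2(w) for w in marg.values() if w > 0)

def mutual_information(joint, a, b):
    return entropy(joint, a) + entropy(joint, b) - entropy(joint, a + b)

def more_capable_gap(p, eps, steps=200):
    """Minimum over input laws P_X = (q, 1 - q) of I(X;Z) - I(X;Y); >= 0 means Z is more capable."""
    worst = float("inf")
    for k in range(steps + 1):
        q = k / steps
        joint = dsbe_joint({(0, 0): q, (0, 1): 1 - q}, p, eps)   # U is a constant here
        gap = mutual_information(joint, (X,), (Z,)) - mutual_information(joint, (X,), (Y,))
        worst = min(worst, gap)
    return worst

def key_rate_lower_bound(p, eps, delta):
    """I(U;Y) - I(U;Z) for U ~ Ber(1/2) passed through BSC(1/2 - delta) to give X.
    With V constant in (8), a positive value lower-bounds the one-way key capacity."""
    a = 0.5 - delta
    p_ux = {(u, x): 0.5 * (a if u != x else 1 - a) for u in (0, 1) for x in (0, 1)}
    joint = dsbe_joint(p_ux, p, eps)
    return mutual_information(joint, (U,), (Y,)) - mutual_information(joint, (U,), (Z,))

def leakage_two_messages(p, eps):
    """H(X,Y|Z) for X ~ Ber(1/2), the value Lemma 3 gives for the two-message leakage rate."""
    joint = dsbe_joint({(0, 0): 0.5, (0, 1): 0.5}, p, eps)
    return entropy(joint, (X, Y, Z)) - entropy(joint, (Z,))

if __name__ == "__main__":
    p, eps = 0.1, 0.4   # constructed: 4p(1-p) = 0.36 < 0.4 <= h(0.1), about 0.469
    print("more capable gap  :", more_capable_gap(p, eps))
    print("key rate bound    :", key_rate_lower_bound(p, eps, 0.05))
    print("H(X,Y|Z) in bits  :", leakage_two_messages(p, eps))
```

Moving $\epsilon$ outside the interval breaks one condition at a time: $\epsilon = 0.6 > h(p)$ makes the more-capable gap negative, and $\epsilon = 0.2 < 4p(1-p)$ makes this particular choice of $U$ give a negative key-rate bound.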

For the source given in the above lemma, no user can gain an advantage in terms of $R_L^{(2)}$ over the other by starting the communication. This completes the proof of Proposition 1. This result seems to indicate that duality does not always hold. We conjecture that for the DSBE source considered in the above lemma, $C_W^{(r)} > 0$ need not imply $R_L^{(r)} < H(Z_V|Z_w)$, $r \ge 2$. Moreover, with no restriction on the number of communications, $C_W > 0$ need not imply $R_L < H(Z_V|Z_w)$.

IV. DUALITY FOR FINITE LINEAR SOURCE MODELS

In this section, we consider a broad class of sources, namely,

finite linear sources, for which we believe the duality between

secure omniscience and wiretap secret key agreement must

hold.

Definition 1 (Finite linear source [6]) A source $(Z_V, Z_w)$ is said to be a finite linear source if we can express $Z_V$ and $Z_w$ as

$$\begin{bmatrix} Z_V & Z_w \end{bmatrix} = \begin{bmatrix} Z_1 & \cdots & Z_m & Z_w \end{bmatrix} = X \begin{bmatrix} M_1 & \cdots & M_m & W \end{bmatrix},$$

where $X$ is a random row vector of some length $l$ that is uniformly distributed over a field $\mathbb{F}_q^l$, and $M_1, \ldots, M_m, W$ are some matrices over $\mathbb{F}_q$ with dimensions $l \times l_1, \ldots, l \times l_m, l \times l_w$, respectively. Each terminal observes a collection of linear combinations of the entries in $X$. ✷

In the context of FLS, we say a communication scheme $F^{(n)}$ is linear if each user’s communication is a linear function of its observations and the previous communication on the channel. Without loss of generality [8, Sec. II], linear communication can be assumed to be non-interactive. In the rest of the paper, we consider only matrices over $\mathbb{F}_q$ unless otherwise specified.

The following notions related to Gács-Körner common information will play an important role in proving some of our subsequent results. The Gács-Körner common information of $X$ and $Y$ with joint distribution $P_{X,Y}$ is defined as

$$J_{GK}(X \wedge Y) := \max\{H(G) : H(G|X) = H(G|Y) = 0\}. \tag{12}$$

A $G$ that satisfies the constraint in (12) is called a common function (c.f.) of $X$ and $Y$. An optimal $G$ in (12) is called a maximal common function (m.c.f.) of $X$ and $Y$, and is denoted by $\mathrm{mcf}(X,Y)$. Similarly, for $m$ random variables $X_1, X_2, \ldots, X_m$, we can extend these definitions by replacing the condition in (12) with $H(G|X_1) = H(G|X_2) = \cdots = H(G|X_m) = 0$. For a finite linear source pair $(Z_1, Z_2)$, i.e., $Z_1 = XM_1$ and $Z_2 = XM_2$ for some matrices $M_1$ and $M_2$ where $X$ is a $1 \times l$ row vector uniformly distributed on $\mathbb{F}_q^l$, it was shown in [28] that the $\mathrm{mcf}(Z_1, Z_2)$ is a linear function of each of $Z_1$ and $Z_2$. This means that there exist some matrices $M_{z_1}$ and $M_{z_2}$ such that $\mathrm{mcf}(Z_1, Z_2) = Z_1 M_{z_1} = Z_2 M_{z_2}$. One can infer from this relation that if $Z_1$ and $Z_2$ are independent, then $\mathrm{mcf}(Z_1, Z_2)$ is identically 0.

We prove results in this and the next section favoring the following conjecture.

Conjecture 1 $R_L = H(Z_V|Z_w) - C_W$ holds for finite linear sources. ✷

The reason to believe Conjecture 1 comes from the following two theorems. Since the source is linear, it is reasonable to conjecture that linear schemes are optimal. Theorem 2 below states that if a linear perfect SKA scheme is optimal in terms of $C_W$, then secure omniscience achieves wiretap secret key capacity. Here, we call an SKA scheme perfect if there exists a sequence of communication-key pairs $(F^{(n)}, K^{(n)})_{n \ge 1}$ such that $H(K^{(n)}|F^{(n)}, Z_i^n) = 0$ for all users $i \in V$ (perfect key recoverability condition), and $\log |K^{(n)}| = H(K^{(n)}|F^{(n)}, Z_w^n)$ (perfect secrecy condition).

Theorem 2 For a finite linear source $(Z_V, Z_w)$, if a linear perfect SKA scheme achieves $C_W$, then we have

$$R_L = H(Z_V|Z_w) - C_W.$$

PROOF See Appendix A. ∎

The next theorem shows the duality between secure omniscience and wiretap secret key agreement for two-user FLS without any restriction to linear schemes. It also provides single-letter expressions for $R_L$ and $C_W$.

Theorem 3 (Two-user finite linear source) For secure omniscience with $V = \{1, 2\}$ and finite linear source $Z_V$, we have

$$R_L = H(Z_1, Z_2|Z_w) - C_W, \tag{13}$$

$$C_W = I(Z_1 \wedge Z_2|G) \tag{14}$$

where $G$ can be chosen to be $G_1$, $G_2$, or $(G_1, G_2)$, with $G_i$ being the solution to

$$J_{GK}(Z_w \wedge Z_i) := \max_{G_i : H(G_i|Z_w) = H(G_i|Z_i) = 0} H(G_i), \tag{15}$$

for $i \in V$. ✷

PROOF See Appendix B. ∎

In the next section, we prove the duality between secure omniscience and wiretap secret key agreement for tree-PIN sources with linear wiretapper, a sub-class of FLS. Furthermore, we give single-letter expressions for $R_L$ and $C_W$.

V. TREE-PIN SOURCE WITH LINEAR WIRETAPPER

A source $Z_V$ is said to be tree-PIN if there exists a tree $T = (V, E, \xi)$ and for each edge $e \in E$, there is a non-negative integer $n_e$ and a random vector $Y_e = (X_{e,1}, \ldots, X_{e,n_e})$. We assume that the collection of random variables $X := (X_{e,k} : e \in E, k \in [n_e])$ are i.i.d. and each component is uniformly distributed over a finite field, say $\mathbb{F}_q$. For $i \in V$,

$$Z_i = (Y_e : i \in \xi(e)).$$

The linear wiretapper’s side information $Z_w$ is defined as

$$Z_w = XW,$$

where $X$ is a $1 \times (\sum_{e \in E} n_e)$ vector and $W$ is a $(\sum_{e \in E} n_e) \times n_w$ full column-rank matrix over $\mathbb{F}_q$. We sometimes refer to $X$ as the base vector. We refer to the pair $(Z_V, Z_w)$ defined as above as a tree-PIN source with linear wiretapper. This is a special case of an FLS.

A. Motivating example

The following example of a tree-PIN source with linear wiretapper appeared in our earlier work [29], where we constructed an optimal secure omniscience scheme. Let $V = \{1, 2, 3, 4\}$ and

$$Z_w = X_a + X_b + X_c, \tag{16}$$

$$Z_1 = X_a, \quad Z_2 = (X_a, X_b), \quad Z_3 = (X_b, X_c), \quad Z_4 = X_c, \tag{17}$$

where $X_a$, $X_b$ and $X_c$ are uniformly random and independent bits. The tree here is a path of length 3 (Fig. 4) and the wiretapper observes the linear combination of all the edge random variables. For secure omniscience, terminals 2 and 3, using $n = 2$ i.i.d. realizations of the source, communicate linear combinations of their observations. The communication is of the form $F^{(2)} = (F_2^{(2)}, F_3^{(2)})$, where $F_2^{(2)} = X_a^2 + M X_b^2$ and $F_3^{(2)} = (M + I)X_b^2 + X_c^2$ with $M := \begin{bmatrix} 1 & 1 \\ 1 & 0 \end{bmatrix}$. Since the matrices $M$ and $M + I$ are invertible, all the terminals can recover $Z_V^2$ using this communication. For example, user 1 can first recover $X_b^2$ from $(X_a^2, F_2^{(2)})$ as $X_b^2 = (M + I)(X_a^2 + F_2^{(2)})$, then $X_b^2$ can be used along with $F_3^{(2)}$ to recover $X_c^2$ as $X_c^2 = (M + I)X_b^2 + F_3^{(2)}$. More interestingly, this communication is “aligned” with the eavesdropper’s observations, since $Z_w^2 = F_2^{(2)} + F_3^{(2)}$. This scheme achieves $R_L$, which is 1 bit.

For minimizing leakage, this kind of alignment must happen. For example, if $Z_w^2$ were not contained in the span of $F_2^{(2)}$ and $F_3^{(2)}$, then the wiretapper could infer a lot more from the communication. Ideally, if one wants zero leakage, then $F^{(n)}$ must be within the span of $Z_w^n$, which is not feasible in many cases because, with that condition, the communication might not achieve omniscience in the first place. Therefore, keeping this in mind, it is reasonable to assume that there can be components of $F^{(n)}$ outside the span of $Z_w^n$. But we look for communication schemes that span as much of $Z_w$ as possible. Such an alignment condition is used to control the leakage. In this particular example, it turned out that an omniscience communication that achieves $R_{CO}$ can be made to align with the wiretapper side information completely, i.e., $H(Z_w^n|F^{(n)}) = 0$. Motivated by this example, we show that it is always possible for some omniscience communication to achieve complete alignment with the wiretapper’s observations within the class of tree-PIN sources with linear wiretapper.
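The alignment argument for the motivating example can be checked with linear algebra over $\mathbb{F}_2$. The following is an added example, not code from the paper: it uses the fact that, for linear functions of a uniform base vector, the leakage $I(F^{(2)} \wedge Z_V^2 | Z_w^2)$ in bits equals $\mathrm{rank}([F\ W]) - \mathrm{rank}(W)$. The unaligned scheme `NAIVE` and all identifiers are constructed here for contrast.

```python
# Base vector for n = 2 samples: (Xa1, Xa2, Xb1, Xb2, Xc1, Xc2); a linear
# functional of it is stored as a 6-bit mask.
OFFSET = {"a": 0, "b": 2, "c": 4}
TERMINALS = {1: "a", 2: "ab", 3: "bc", 4: "c"}   # edges seen by each vertex of the path

I2 = ((1, 0), (0, 1))
M = ((1, 1), (1, 0))
M_PLUS_I = ((0, 1), (1, 1))                      # M + I over F_2

def linear_message(blocks):
    """Masks of the two output bits of sum_e A_e X_e^2, with blocks = {edge: 2x2 matrix A_e}."""
    masks = []
    for i in range(2):
        mask = 0
        for edge, A in blocks.items():
            for j in range(2):
                if A[i][j]:
                    mask ^= 1 << (OFFSET[edge] + j)
        masks.append(mask)
    return masks

def gf2_rank(masks):
    """Rank over F_2 of a list of bit-mask vectors (XOR basis, kept in decreasing order)."""
    basis = []
    for v in masks:
        for b in basis:
            v = min(v, v ^ b)        # clears the leading bit of b from v when it is set
        if v:
            basis.append(v)
            basis.sort(reverse=True)
    return len(basis)

# Wiretapper: Z_w^2 = X_a^2 + X_b^2 + X_c^2.
WIRETAP = linear_message({"a": I2, "b": I2, "c": I2})

# Scheme from the text: F_2 = X_a^2 + M X_b^2, F_3 = (M + I) X_b^2 + X_c^2.
ALIGNED = linear_message({"a": I2, "b": M}) + linear_message({"b": M_PLUS_I, "c": I2})

# Constructed contrast: F_2 = X_a^2 + X_b^2, F_3 = X_b^2 + X_c^2 (also attains omniscience).
NAIVE = linear_message({"a": I2, "b": I2}) + linear_message({"b": I2, "c": I2})

def achieves_omniscience(scheme):
    """Every terminal must span the whole 6-dimensional base vector from its own bits plus F."""
    for edges in TERMINALS.values():
        own = [m for e in edges for m in linear_message({e: I2})]
        if gf2_rank(own + scheme) != 6:
            return False
    return True

def is_aligned(scheme):
    """True when Z_w^2 lies in the span of the communication, i.e. H(Z_w^2 | F) = 0."""
    return gf2_rank(scheme + WIRETAP) == gf2_rank(scheme)

def leakage_per_sample(scheme, n=2):
    """I(F ; Z_V^n | Z_w^n) / n in bits, computed as [rank(F, W) - rank(W)] / n."""
    return (gf2_rank(scheme + WIRETAP) - gf2_rank(WIRETAP)) / n

if __name__ == "__main__":
    for name, scheme in (("aligned", ALIGNED), ("naive", NAIVE)):
        print(name, achieves_omniscience(scheme), is_aligned(scheme), leakage_per_sample(scheme))
```

Both schemes send 4 bits and reach omniscience, but the aligned one leaks 1 bit per sample while the constructed unaligned one leaks 2 bits per sample, which is all of $H(Z_V|Z_w)$.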

Theorem 4 For a tree-PIN source $Z_V$ with linear wiretapper observing $Z_w$,

$$C_W = \min_{e \in E} H(Y_e | \mathrm{mcf}(Y_e, Z_w)),$$

$$R_L = \Big(\sum_{e \in E} n_e - n_w\Big) \log_2 q - C_W \text{ bits}.$$

In fact, a linear non-interactive scheme is sufficient to achieve both $C_W$ and $R_L$ simultaneously. ✷

The theorem guarantees that we can achieve the wiretap secret key capacity in the tree-PIN case with linear wiretapper through a linear secure omniscience scheme, which establishes the duality between the two problems. This illustrates that omniscience can be helpful even beyond the case when there is no wiretapper side information.

Our proof of Theorem 4 is through a reduction to the particular subclass of irreducible sources, which we define next.

Definition 2 A tree-PIN source with linear wiretapper is said to be irreducible if $\mathrm{mcf}(Y_e, Z_w)$ is a constant function for every edge $e \in E$. ✷

Whenever there is an edge $e$ such that $G_e := \mathrm{mcf}(Y_e, Z_w)$ is a non-constant function, the user corresponding to a vertex incident on $e$ can reveal $G_e$ to the other users. This communication does not leak any additional information to the wiretapper because $G_e$ is a function of $Z_w$. Intuitively, for further communication, $G_e$ is not useful and hence can be removed from the source. After the reduction, the m.c.f. corresponding to $e$ becomes a constant function. In fact, we can carry out the reduction until the source becomes irreducible. This idea of reduction is illustrated in the following example.

Example 1 Let us consider a source $Z_V$ defined on a path of length 3, which is shown in Fig. 4. Let $Y_a = (X_{a1}, X_{a2})$, $Y_b = X_{b1}$ and $Y_c = X_{c1}$, where $X_{a1}$, $X_{a2}$, $X_{b1}$ and $X_{c1}$ are uniformly random and independent bits. If $Z_w = X_{b1} + X_{c1}$, then the source is irreducible because $\mathrm{mcf}(Y_e, Z_w)$ is a constant function for all $e \in \{a, b, c\}$.

[Figure 4 diagram: a path with vertices 1, 2, 3, 4 and edges a, b, c.]

Fig. 4. A path of length 3

However, if $Z_w = (X_{a1} + X_{a2}, X_{b1} + X_{c1})$, then the source is not irreducible, as $\mathrm{mcf}(Y_a, Z_w) = X_{a1} + X_{a2}$, which is a non-constant function. An equivalent representation of the source is $Y_a = (X_{a1}, G_a)$, $Y_b = X_{b1}$, $Y_c = X_{c1}$ and $Z_w = (G_a, X_{b1} + X_{c1})$, where $G_a = X_{a1} + X_{a2}$, which is also a uniform bit independent of $(X_{a1}, X_{b1}, X_{c1})$. So, for omniscience, user 2 initially can reveal $G_a$ without affecting the information leakage as it is completely aligned to $Z_w$. Since everyone has $G_a$, users can just communicate according to the omniscience scheme corresponding to the source without $G_a$. Note that this new source is irreducible. ✷

The next lemma shows that the kind of reduction to an irreducible source used in the above example is indeed optimal in terms of $R_L$ and $C_W$ for all tree-PIN sources with linear wiretapper.

Lemma 4 If a tree-PIN source with linear wiretapper

(ZV ,Zw) is not irreducible then there exists an irreducible

source (ZV , Zw) such that

CW(ZV ||Zw) = CW(ZV ||Zw),

RL(ZV ||Zw) = RL(ZV ||Zw),

H(Ye|mcf(Ye,Zw)) = H(Ye),

for all e ∈ E. ✷

PROOF See Appendix C-A. ∎

Note that, in the above lemma, the scheme that achieves

RL(ZV ||Zw) involves revealing the reduced m.c.f. components

first and then communicating according to the scheme that

achieves RL(ZV ||Zw). As a consequence of Lemma 4, to

prove Theorem 4, it suffices to consider only irreducible

sources. For ease of reference, we re-state the theorem for

irreducible sources below.

Theorem 5 If a tree-PIN source $Z_V$ with linear wiretapper $Z_w$ is irreducible then

$$C_W = \min_{e \in E} H(Y_e) = C_S,$$

$$R_L = \Big(\sum_{e \in E} n_e - n_w\Big) \log_2 q - C_W \text{ bits},$$

where $C_S$ is the secret key capacity of Tree-PIN source without the wiretapper side information [4]. ✷

PROOF See Appendix C-B. ∎

Theorem 5 shows that, for irreducible sources, even when the wiretapper has side information, the users can still extract a key at rate $C_S$. In terms of secret key generation, the users are not really at a disadvantage if the wiretapper has linear observations.

B. Constrained wiretap secret key capacity of tree-PIN source with linear wiretapper

Secure omniscience in fact plays a role even in achieving the constrained wiretap secret key capacity of tree-PIN source with linear wiretapper. The constrained wiretap secret key capacity, denoted by $C_W(R)$, is defined as in (5) but with the supremum over all SKA schemes with $\limsup \frac{1}{n} \log |\mathcal{F}^{(n)}| < R$ where $\mathcal{F}^{(n)}$ is the alphabet of $F^{(n)}$. The following theorem gives a single-letter expression for the constrained wiretap secret key capacity whose form is reminiscent of the constrained secret key capacity [30, Theorem 4.2]. The proof involves a construction of a secure omniscience communication scheme for a part of the source.

Theorem 6 Given a tree-PIN source $Z_V$ with a linear wiretapper $Z_w$, we have

$$C_W(R) = \min\Big\{\frac{R}{|E| - 1},\, C_W\Big\}$$

where $R$ is the total discussion rate and $C_W = \min_{e \in E} H(Y_e | \mathrm{mcf}(Y_e, Z_w))$, which is the unconstrained wiretap secret key capacity. ✷

PROOF See Appendix D. ∎

VI. POSITIVITY OF CW

In this section, we will use the inequality $H(Z_V|Z_w) - C_W \le R_L$ to establish an equivalent condition for the positivity of $C_W$. This result extends the two-user result of [11, Theorem 4] to the multiuser case. In the two-user setting [11], Gohari, Günlü and Kramer have studied the positivity of $C_W$, and gave an equivalent characterization in terms of Rényi divergence by using hypothesis testing and a coding scheme that involves repetition with block-swapping. This coding idea remains one of the main ingredients of our proof.

Another ingredient is the next lemma, which is in a similar

vein to [1, Lemma 3], that relates RL of a source (ZV ,Zw)to the source (ZV ,Zw) whose distribution is obtained by

conditioning the distribution of (ZV ,Zw) by a certain event.

Formally, given some non-empty sets A1 ⊆ Z1, . . . ,Am ⊆Zm, let E denote the event that ZV ∈ A1×· · ·×Am . Define

a new source (ZV ,Zw) taking values in the same alphabets

Z1, . . . ,Zm and Zw with the probability distribution

PZ1...ZmZw

(z1, . . . , zm, zw) :=PZ1...Zm,Zw(z1, . . . , zm, zw)

Pr(E)(18)

if (z1, . . . , zm) ∈ A1 × · · · × Am, and

PZ1...ZmZw

(z1, . . . , zm, zw) := 0 otherwise. It was shown in

[1, Lemma 3] that CW(ZV ||Zw) ≥ Pr(E)CW(ZV ||Zw).

Lemma 5 For sources (ZV ,Zw) and (ZV ,Zw), which is

defined as above for some event E := {ZV ∈ A1×· · ·×Am},

we have

H(ZV |Zw)−RL(ZV ||Zw)

≥ Pr(E)[H(ZV |Zw)−RL(ZV ||Zw)] (19)

PROOF Let F(n) be an omniscience scheme for the source ZV

that achieves RL(ZV ||Zw). We will construct an omniscience

scheme for the source ZV with the leakage rate H(ZV |Zw)−Pr(E)[H(ZV |Zw) − RL(ZV ||Zw)], which proves the lemma.

Fix a large enough n and consider n i.i.d. realizations of the

source (ZV ,Zw). In the first phase of communication, each

user reveals publicly the indices of those realizations that fall

in their corresponding set Ai to the other users. For instance,

user i transmits F1,i(Zni ) := (bij : bij = 1Ai

(Zij), 1 ≤ j ≤n), which is a sequence indicating the locations where Zij ∈Ai. This communication involves m message transmissions.

At the end of the first phase, through (F1,i : i ∈ V ), every

user knows the indices where the event E has occurred, i.e.,

E occurs at an index j if bij = 1 for all i ∈ V .

In the second phase of communication, users discuss in-

teractively based on the first phase of communication. Let Jdenote the set of indices for which E occurs. On the indices

in J c, users reveal their complete observations. For example,

user i communicates F2,i(Zni ,F1,1, . . . ,F1,m) := Zi,J c . And,

for the block corresponding to J , they communicate according

to F(J ), which is in general interactive. And, the corresponding

communication is F3 := F(J )(ZnV ), which acts only on the

block corresponding to J . Note that conditioning on a

realization J = J ⊂ 2[n], the distribution of (ZV,J ,Zw,J)is the same as that of |J | i.i.d. realizations of (ZV ,Zw).

Let (Cj : 1 ≤ j ≤ n) be a random sequence

where Cj = 1A1×···×Am(ZV,j), and observe that this is

an i.i.d. sequence. Using the strong typicality of this se-

quence, it is easy to verify that the communication F(n) :=(F1,1, . . . ,F1,m,F2,1, . . . ,F2,m,F3) satisfies the recoverability

condition (2) for omniscience. The leakage rate is

1

nI(Zn

V ∧ F(n) | Znw) = H(ZV | Zw)−

1

nH(Zn

V | F(n),Znw).

Consider the term 1nH(Zn

V | F(n),Znw) which is equal to

1nH(ZV,J | J , F(J ),Zw,J ) = 1

n [H(ZV,J | J ,Zw,J ) −I(ZV,J ∧ F(J ) | J ,Zw,J )]. It goes to Pr(E)[H(ZV |Zw) −RL(ZV ||Zw)] which follows from using again the strong

typicality of the sequence (Cj)nj=1. Thus we have

RL(ZV ||Zw) ≤ lim supn→∞

1

nI(Zn

V ∧ F(n) | Znw)

= H(ZV |Zw)

− Pr(E)[H(ZV |Zw)−RL(ZV ||Zw)].

This completes the proof. �

The following theorem gives necessary and sufficient con-

ditions for the positivity of secret key rate by using the

lower bound in Theorem 1 and Lemma 5. For two distri-

butions PX and PX

on a common alphabet X , the Renyi

divergence of order 1/2 between PX and PX

is given by

D 12(PX||PX

) := −2 log(∑

x∈X

√PX(x)PX

(x)), and the total

variation (TV) distance between PX and PX

is given by

||PX − PX||TV := 1

2

∑x∈X |PX(x) − P

X(x)|. To state the

theorem, let us define ∆(ZV ||Zw) := inf ||PK1,...,Km,F(n),Znw−

1

21K1=···=Km

.PF(n),Znw||TV where the infimum is over all

communication schemes and the possible binary keys (see [11,

Def. 8]).


Theorem 7 For a source (Z1, . . . ,Zm,Zw) with distribution

PZ1...ZmZw and m ≥ 2, the following statements are equiva-

lent:

1) There is an integer r and non-empty disjoint sets

A11,A12 ⊂ Zr1 , A21,A22 ⊂ Zr

2 , . . . ,Am1,Am2 ⊂ Zrm

such that

D 12

(PZr

w(.|E1,1,...,1)||PZr

w(.|E2,2,...,2)

)

< log

Pr(E1,...,1) Pr(E2,...,2)∑

(j1,...,jm)6∈{(1,...,1),(2,...,2)}

Pr(Ej1,...,jm) Pr(E3−j1,...,3−jm)

2

where Ej1,...,jm denotes the event Zr1 ∈ A1j1 , . . . ,Z

rm ∈

Amjm for (j1, . . . , jm) ∈ {1, 2}m.

2) CW(ZV ||Zw) > 0.

3) ∆(ZV ||Zw) = 0.

4) $\Delta(Z_V\|Z_w) < \delta_1$ where $\delta_1$ is the smallest root of the equation $16\delta^2 - (8 + 4\sqrt{2^{m-1} - 1})\delta + 1 = 0$. (It can be seen that $\delta_1$ is strictly positive for any $m \ge 2$.) ✷

PROOF See Appendix E. ∎

VII. DISCUSSION

In this paper, we have explored the possibility of a duality between the wiretap secret key agreement problem and the secure omniscience problem. Though the problem of characterizing the class of sources for which these two problems are dual to each other is far from being solved completely, we made some progress in the case of limited interaction (with at most two communications allowed), and for the class of finite linear sources. Furthermore, we have made use of (1) to identify several equivalent conditions for the positivity of $C_W$ in the multi-user case, which is an extension of a recent two-user result of [11].

By limiting the number of messages to two, we showed that for the source in Lemma 3, the duality does not hold. This result seems to indicate that the duality does not always hold. In particular, we believe that for the DSBE source considered in Lemma 3, the duality does not hold even if we relax the restriction on the number of messages (Conjecture 2). To prove this result, we actually need a single-letter lower bound on $R_L$ that strictly improves our current bound $H(Z_V|Z_w) - C_W$. However, it has turned out to be challenging to find a better lower bound on $R_L$.

Conjecture 1 $R_L = H(Z_V|Z_w) - C_W$ holds for finite linear sources. ✷

Conjecture 2 For $r \ge m$, $C_W^{(r)} > 0$ need not imply $R_L^{(r)} < H(Z_V|Z_w)$. Moreover, with no restriction on the number of messages, $C_W > 0$ need not imply $R_L < H(Z_V|Z_w)$. ✷

In our attempt to resolve the duality for finite linear sources (Conjecture 1), we were able to prove it in the case of two-user FLS models and in the case of tree-PIN models. The proof construction mainly relies on the idea of aligning the communication with the wiretapper side information. Specifically, in the case of tree-PIN models, we used a reduction to obtain an irreducible source on which we constructed an $R_{CO}$-achieving omniscience scheme that aligns perfectly with the wiretapper side information. In fact, we have shown that this construction is $R_L$-achieving.

However, for more general PIN sources, this proof strategy fails. The notion of irreducibility in Definition 2 can certainly be extended to general PIN sources. However, it turns out that this definition of irreducibility is not good enough. There are irreducible PIN sources on graphs with cycles whose $R_L$ is not achieved by an omniscience protocol of rate $R_{CO}$ that is perfectly aligned with the wiretapper side information. So, proving the duality conjecture for sources beyond the tree-PIN model could be interesting as it will require new communication strategies other than the ones we used in the proof of the tree-PIN model with a linear wiretapper.

APPENDIX A

PROOF OF THEOREM 2

It suffices to show that $C_W$ can be achieved through omniscience because then

$$
\begin{aligned}
nH(Z_V|Z_w) &\geq I(K^{(n)}, F^{(n)} \wedge Z_V^n | Z_w^n) \\
&= I(F^{(n)} \wedge Z_V^n | Z_w^n) + I(K^{(n)} \wedge Z_V^n | Z_w^n, F^{(n)}) \\
&\geq n(R_L - \delta_n) + I(K^{(n)} \wedge Z_V^n | Z_w^n, F^{(n)}) \\
&\geq n(R_L - \delta_n) + n(C_W - \delta_n)
\end{aligned}
$$

for some $\delta_n \to 0$, and the last inequality follows from the fact that an optimal key is recoverable from $Z_V^n$. Therefore, $R_L \leq H(Z_V|Z_w) - C_W$.

Let $(F^{(n)}, K^{(n)})$ be a communication-key pair of a linear perfect SKA scheme that achieves $C_W$, but $F^{(n)}$ need not achieve omniscience. By [8, Theorem 1], we can assume that $F^{(n)}$ is a linear function of $Z_V^n$ alone (additional randomization by any user is not needed) and the key is also a linear function of $Z_V^n$.

If $F^{(n)}$ already attains omniscience, then we are done. If not, for some $i, j \in V$, $i \neq j$, we have a component $X \in \mathbb{F}_q$ of random vector $Z_i^n$ such that

$$H(X | F^{(n)}, Z_j^n) \neq 0.$$

We will show that there exists an additional discussion $F'^{(n)}$ such that

$$H(X | F^{(n)}, F'^{(n)}, Z_j^n) = 0 \tag{20}$$

and

$$I(K^{(n)} \wedge F^{(n)}, F'^{(n)}, Z_w^n) = 0. \tag{21}$$

If $(F^{(n)}, F'^{(n)})$ achieves omniscience, we are done; else, we repeat the construction in our argument till we obtain the desired omniscience-achieving communication.

So, consider the non-trivial case where $H(X | F^{(n)}, Z_j^n) \neq 0$ and $I(K^{(n)} \wedge F^{(n)}, X, Z_w^n) \neq 0$. (If $I(K^{(n)} \wedge F^{(n)}, X, Z_w^n) = 0$, then user $i$ transmits $F'^{(n)} := X$ which satisfies (20) and (21).) Let $L^{(n)}$ be a common linear function, not identically 0, of $K^{(n)}$ and $(F^{(n)}, X, Z_w^n)$ taking values in $\mathbb{F}_q$. Such a function exists since $I(K^{(n)} \wedge F^{(n)}, X, Z_w^n) \neq 0$. So, we can write

$$L^{(n)} = K^{(n)} M_K = aX + F^{(n)} M_F + Z_w^n M_w \tag{22}$$

for some non-zero element $a \in \mathbb{F}_q$, and some column vectors $M_K \neq 0$, $M_F$, and $M_w$ over $\mathbb{F}_q$. (Here, $L^{(n)}$, $K^{(n)}$, $F^{(n)}$ and $Z_w^n$ are the random row vectors with entries uniformly distributed over $\mathbb{F}_q$.) Note the coefficient $a$ in the above linear combination must be a non-zero element in $\mathbb{F}_q$. If not, then $L^{(n)} (= K^{(n)} M_K = F^{(n)} M_F + Z_w^n M_w)$ is a non-constant common function of $K^{(n)}$ and $(F^{(n)}, Z_w^n)$. This contradicts the secrecy condition $I(K^{(n)} \wedge F^{(n)}, Z_w^n) = 0$.

Define $F'^{(n)} := K^{(n)} M_K - aX$. User $i$ can compute $F'^{(n)}$, as it is a function of $K^{(n)}$ and $Z_i^n$, and transmit it publicly. Let us verify that $F'^{(n)}$ satisfies (20) and (21). For (20), observe that $H(X | F^{(n)}, F'^{(n)}, Z_j^n) \leq H(X | F'^{(n)}, K^{(n)}) = 0$, the inequality following from $H(K^{(n)} | F^{(n)}, Z_j^n) = 0$, and the equality from the fact that $X$ is recoverable from $(F'^{(n)}, K^{(n)})$. For (21), $I(K^{(n)} \wedge F^{(n)}, F'^{(n)}, Z_w^n) = I(K^{(n)} \wedge F^{(n)}, Z_w^n) = 0$, the first equality being a consequence of $F'^{(n)}$ also being expressible as $F^{(n)} M_F + Z_w^n M_w$, and the last equality from the secrecy condition of the key, i.e., $I(K^{(n)} \wedge F^{(n)}, Z_w^n) = 0$. This completes the proof.

APPENDIX B

PROOF OF THEOREM 3

PROOF Converse part. Note that $G$ satisfies the Markov condition $G - Z_w - Z_V$ because $G$ is a function of $Z_w$ whether it is chosen to be $G_1$, $G_2$ or both. By (6), we have

$$R_L \geq H(Z_V|Z_w) - C_W(Z_V \| Z_w) \overset{(a)}{\geq} H(Z_V|Z_w) - C_P(Z_V|G) \overset{(b)}{=} H(Z_V|Z_w) - I(Z_1 \wedge Z_2|G)$$

where (a) is because for $W - Z_w - Z_V$, $C_W(Z_V \| Z_w) \leq C_P(Z_V|W)$ [4, Theorem 4] and $G$ forms the Markov condition $G - Z_w - Z_V$, and we have used the fact that $C_P(Z_V|G) = I(Z_1 \wedge Z_2|G)$ [4, Theorem 2] in (b).

Achievability part. It suffices to prove the reverse inequality for $G = G_1$, i.e.,

$$R_L \leq H(Z_V|Z_w) - \underbrace{I(Z_1 \wedge Z_2|G_1)}_{\text{①}}, \tag{23}$$

because then the reverse inequality will also hold for $G = G_2$ by symmetry, and for $G = (G_1, G_2)$ since

$$I(Z_1 \wedge Z_2|G_1, G_2) \leq I(Z_1 \wedge Z_2, G_2|G_1) = I(Z_1 \wedge Z_2|G_1)$$

by the assumption that $G_2$ is a function of $Z_2$.

The desired reverse inequality (23) will follow from the following upper bound with an appropriate choice of public discussion $F'$ of block length 1, i.e.,

$$
\begin{aligned}
R_L &\leq \underbrace{R_{CO}(Z_V|F')}_{=H(Z_V|F') - I(Z_1 \wedge Z_2|F')} + \underbrace{I(Z_V \wedge F'|Z_w)}_{=H(Z_V|Z_w) - H(Z_V|Z_w,F')} \\
&= H(Z_V|Z_w) + \underbrace{I(Z_V \wedge Z_w|F')}_{\text{②}} - \underbrace{I(Z_1 \wedge Z_2|F')}_{\text{③}}.
\end{aligned}
$$

The idea behind this upper bound involves splitting of the leakage rate into two components after a discussion $F'$: one component is the leakage rate due to $F'$, and the other one is the residual leakage rate for subsequent omniscience, which is upper bounded by $R_{CO}(Z_V|F')$. It suffices to give a feasible $F'$ with ② $= 0$ and ③ $=$ ①. We will construct this $F'$ by decomposing the source $(Z_V, Z_w)$.

We know from the proof of [28, Lemma 5.2] that a finite linear source $(X, Y)$ can be decomposed as

$$X = (X', C), \tag{24}$$

$$Y = (Y', C), \tag{25}$$

where $X'$ (resp. $Y'$) is a linear function of $X$ (resp. $Y$) and $C = \mathrm{mcf}(X, Y)$ is a linear function of each of $X$ and $Y$; altogether, they satisfy the independence relation

$$H(X', C, Y') = H(X') + H(C) + H(Y'). \tag{26}$$

We call $X'$ the complement of $Y$ in $X$, and denote it by $X \setminus Y$.

For the source $(X, Y)$ with $X = (Z_1, G_1)$ and $Y = (Z_2, G_1)$, the decomposition is as follows:

$$(Z_1, G_1) := (X_a, X_c), \tag{27}$$

$$(Z_2, G_1) := (X_b, X_c), \tag{28}$$

where $X_a$, $X_b$, and $X_c = \mathrm{mcf}((Z_1, G_1), (Z_2, G_1))$ are uniformly random row vectors over some finite field, say $\mathbb{F}_q$, satisfying the independence relation

$$H(X_a, X_b, X_c) = H(X_a) + H(X_b) + H(X_c). \tag{29}$$

Observe that $G_1$ is a linear common function of $(Z_1, G_1)$ and $(Z_2, G_1)$. Using the decomposition (27) and (28), we can write $G_1 = X_a M_a + X_c M_c = X_b M_b + X_c M_c$ for some matrices $M_a$, $M_b$, $M_c$ and $M_c$. Therefore, we have $X_a M_a - X_b M_b + X_c (M_c - M_c) = 0$. But, $X_a$, $X_b$, and $X_c$ are mutually independent, which implies (for finite linear sources) that $M_a = M_b = M_c - M_c = 0$ and $G_1 = X_c M_c$. This shows that $G_1$ is a linear function of $X_c$. Let $X'_c := X_c \setminus G_1$. So, we can write $X_c = (X'_c, G_1)$, where $X'_c$ is independent of $G_1$, and both are linear functions of $X_c$. Therefore, we can further decompose the source in (27) and (28) as

$$(Z_1, G_1) = (X_a, X'_c, G_1), \tag{30}$$

$$(Z_2, G_1) = (X_b, X'_c, G_1), \tag{31}$$

where $X_a$, $X_b$, and $X'_c$ are uniformly random row vectors such that

$$H(X_a, X_b, X'_c, G_1) = H(X_a) + H(X_b) + H(X'_c) + H(G_1). \tag{32}$$

Note that $(X_b, X'_c) = Z_2 \setminus G_1$ which is a linear function of $Z_2$.

Now consider the decomposition of the form (24) and (25) for the source $(Z_V, Z_w)$:

$$Z_V := (Z'_V, G_w), \tag{33}$$

$$Z_w := (Z'_w, G_w), \tag{34}$$

where $G_w$ is the m.c.f. of $Z_V$ and $Z_w$. As the components $(Z'_V, G_w, Z'_w)$ are mutually independent by (26), we have

$$I(Z_V \wedge Z_w|G_w) = 0. \tag{35}$$

Moreover, using the fact that the m.c.f. $G_w$ is a linear function of $Z_V$, and $(X_a, X_b, X'_c, G_1)$ is an invertible linear transformation of $Z_V$ (by (30) and (31)), we can write $G_w$ as

$$G_w = X_a A + X_b B + X'_c C + G_1 D \tag{36}$$

for some deterministic matrices $A$, $B$, $C$ and $D$ over $\mathbb{F}_q$ such that $[A^T\ B^T\ C^T\ D^T]^T$ is a full column-rank matrix. Since $G_1$ is a m.c.f. of $Z_1$ and $Z_w$, it is a linear function of $G_w$, which can also be argued along the same lines as the proof of $G_1$ is a linear function of $X_c$. So we can write (36) as

$$G_w = (X_a A + X_b B + X'_c C, G_1) \tag{37}$$

for some deterministic matrices $A$, $B$, and $C$ over $\mathbb{F}_q$ such that $X_a A + X_b B + X'_c C = G_w \setminus G_1$.

Finally, by (30), (31), (34), (35) and (37), we can write the decomposition of the source $(Z_V, Z_w)$ as

$$Z_1 = (X_a, X'_c, G_1), \tag{38}$$

$$(Z_2, G_1) = (X_b, X'_c, G_1), \tag{39}$$

$$Z_w = (Z'_w, X_a A + X_b B + X'_c C, G_1), \tag{40}$$

where the components $X_a$, $X_b$, $X'_c$, $G_1$, $Z'_w$ and $X_a A + X_b B + X'_c C$ satisfy the following independence relations:

1) (32) holds, i.e., $X_a$, $X_b$, $X'_c$ and $G_1$ are mutually independent;

2) $X_a$, $X'_c$, $G_1$, $Z'_w$ and $X_a A + X_b B + X'_c C$ are mutually independent.

To verify the second independence relation above, it is enough to show that $I(X_a, X'_c \wedge G_1, Z'_w, X_a A + X_b B + X'_c C) = 0$ because of (32), (34), and (37), which is equivalent to showing $I(X_a, X'_c \wedge Z'_w, X_a A + X_b B + X'_c C | G_1) = 0$ by (32). Note that by (35), $0 = I(Z_1 \wedge Z_w|G_1) = I(Z_1, G_1 \wedge Z_w|G_1) = I(X_a, X'_c, G_1 \wedge G_1, Z'_w, X_a A + X_b B + X'_c C | G_1) = I(X_a, X'_c \wedge Z'_w, X_a A + X_b B + X'_c C | G_1)$.

Let us construct a linear communication using the components from the above decomposition. User 1 transmits $F'_1 := (X_a A, G_1)$ using his source $Z_1 = (X_a, X'_c, G_1)$. User 2 communicates $F'_2 := X_b B + X'_c C$ using the source $(X_b, X'_c)$ which is a function of $Z_2$. Define $F' := (F'_1, F'_2)$, a valid discussion of block length $n = 1$.

By (35), we have $0 = I(Z_V \wedge Z_w|G_w) = I(Z_V, F' \wedge Z_w|G_w) = I(F' \wedge Z_w|G_w) + I(Z_V \wedge Z_w|G_w, F') = I(Z_V \wedge Z_w|F')$, where the last equality follows from $I(F' \wedge Z_w|G_w) \leq I(Z_V \wedge Z_w|G_w) \overset{(35)}{=} 0$, and $H(G_w|F') = 0$. Hence we conclude that

$$\text{②} = I(Z_V \wedge Z_w|F') = 0 \tag{41}$$

Let us show the remaining inequality ③ $=$ ①. By the independence relation 1), we evidently have

$$I(X_a A \wedge X_b, X'_c | G_1) = 0 \tag{42}$$

Using the independence condition 2), we also obtain

$$
\begin{aligned}
I(X_a, X'_c \wedge X_b B + X'_c C | G_1, X_a A)
&= I(X_a, X'_c \wedge X_a A + X_b B + X'_c C | G_1, X_a A) \\
&= H(X_a A + X_b B + X'_c C | G_1, X_a A) - H(X_a A + X_b B + X'_c C | G_1, X_a A, X_a, X'_c) \\
&= H(X_a A + X_b B + X'_c C | G_1, X_a A) - H(X_a A + X_b B + X'_c C | G_1, X_a, X'_c) \\
&= H(X_a A + X_b B + X'_c C) - H(X_a A + X_b B + X'_c C) \\
&= 0.
\end{aligned} \tag{43}
$$

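It follows from (38) and (39) that

$$
\begin{aligned}
\text{①} &= I(Z_1 \wedge Z_2 | G_1) \\
&= I(Z_1 \wedge Z_2, G_1 | G_1) \\
&= I(X_a, X'_c, G_1 \wedge X_b, X'_c, G_1 | G_1) \\
&= I(X_a, X'_c \wedge X_b, X'_c | G_1) \\
&= I(X_a, X'_c, X_a A \wedge X_b, X'_c | G_1) \\
&= I(X_a A \wedge X_b, X'_c | G_1) + I(X_a, X'_c \wedge X_b, X'_c | G_1, X_a A) \\
&\overset{(42)}{=} I(X_a, X'_c \wedge X_b, X'_c | G_1, X_a A) \\
&= I(X_a, X'_c \wedge X_b, X'_c, X_b B + X'_c C | G_1, X_a A) \\
&= I(X_a, X'_c \wedge X_b B + X'_c C | G_1, X_a A) + I(X_a, X'_c \wedge X_b, X'_c | G_1, X_a A, X_b B + X'_c C) \\
&\overset{(43)}{=} I(X_a, X'_c \wedge X_b, X'_c | G_1, X_a A, X_b B + X'_c C) \\
&= I(Z_1 \wedge Z_2 | F') = \text{③}
\end{aligned}
$$

This completes the proof.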

APPENDIX C

PROOFS FROM SECTION V

A. Proof of Lemma 4

In this proof, we first identify an edge whose m.c.f. with the wiretapper's observations is a non-constant function. Then, by appropriately transforming the source, we separate out the m.c.f. from the random variables corresponding to the edge and the wiretapper. Later we argue that the source can be reduced by removing the m.c.f. component entirely without affecting $C_W$ and $R_L$. And we repeat this process until the source becomes irreducible. At each stage, to show that the reduction indeed leaves the m.c.f. related to the other edges unchanged and makes the m.c.f. of the reduced edge a constant function, we use the following lemma which is proved in Appendix C-C.

Lemma 6 If $(X, Y)$ is independent of $Z$, then $\mathrm{mcf}(X, (Y, Z)) = \mathrm{mcf}(X, Y)$ and $\mathrm{mcf}((X, Z), (Y, Z)) = (\mathrm{mcf}(X, Y), Z)$. ✷

Since $(Z_V, Z_w)$ is not irreducible, there exists an edge $e \in E$ such that $G_e := \mathrm{mcf}(Y_e, Z_w)$ is a non-constant function. By using the result that the m.c.f. of a finite linear source is a linear function [28], we can write $G_e = Y_e M_e = Z_w M_w$ for some full column-rank matrices, $M_e$ and $M_w$ over $\mathbb{F}_q$.

We will appropriately transform the random vector $Y_e$. Let $N_e$ be any matrix with full column-rank such that $[M_e \mid N_e]$ is invertible. Define $Y_e := Y_e N_e$, then

$$[X_{e,1}, \ldots, X_{e,n_e}]\,[M_e \mid N_e] = Y_e\,[M_e \mid N_e] = [G_e, Y_e] = [G_{e,1}, \ldots, G_{e,\ell}, X_{e,1}, \ldots, X_{e,n_e}]$$

where $Y_e = [X_{e,1}, \ldots, X_{e,n_e}]$, $G_e = [G_{e,1}, \ldots, G_{e,\ell}]$, $\ell$ is the length of the vector $G_e$ and $n_e = n_e - \ell$. Therefore, we can obtain $(G_e, Y_e)$ by an invertible linear transformation of $Y_e$. Note that the components $G_{e,1}, \ldots, G_{e,\ell}, X_{e,1}, \ldots, X_{e,n_e}$ are also i.i.d. random variables that are uniformly distributed over $\mathbb{F}_q$, and they are independent of $Y_{E \setminus \{e\}} := (Y_b : b \in E \setminus \{e\})$. Hence $G_e$ is independent of $Y_e$ and $Y_{E \setminus \{e\}}$.

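Now we will express $Z_w$ in terms of $G_e$ and $Y_e$.

$$
\begin{aligned}
Z_w &= XW \\
&= Y_e W_e + Y_{E \setminus \{e\}} W_{E \setminus \{e\}} \\
&= [G_e\ \ Y_e]\,[M_e\ \ N_e]^{-1} W_e + Y_{E \setminus \{e\}} W_{E \setminus \{e\}} \\
&= G_e W'_e + Y_e W''_e + Y_{E \setminus \{e\}} W_{E \setminus \{e\}}
\end{aligned}
$$

where the matrices $W_e$ and $W_{E \setminus \{e\}}$ are sub-matrices of $W$ formed by rows corresponding to $e$ and $E \setminus \{e\}$ respectively. Also, the matrices $W'_e$ and $W''_e$ are sub-matrices of $[M_e\ \ N_e]^{-1} W_e$ formed by first $\ell$ rows and last $n_e$ rows respectively. Define $Z_w := Y_e W''_e + Y_{E \setminus \{e\}} W_{E \setminus \{e\}}$. Since $Z_w = [G_e\ \ Z_w] \begin{bmatrix} W'_e \\ I \end{bmatrix}$ and $[G_e\ \ Z_w] = Z_w\,[M_w\ \ \ I - M_w W'_e]$, $[G_e\ \ Z_w]$ can be obtained by an invertible linear transformation of $Z_w$.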

Since the transformations are invertible, $Y_e$ and $Z_w$ can equivalently be written as $(G_e, Y_e)$ and $(G_e, Z_w)$ respectively. We will see that $G_e$ can be removed from the source without affecting $C_W$ and $R_L$. Let us consider a new tree-PIN source $Z_V$, which is the same as $Z_V$ except that $Y_e$ and $n_e$ are associated to the edge $e$, and the wiretapper side information is $Z_w$. Note that $(Z_V, Z_w)$ is also a tree-PIN source with linear wiretapper, and $G_e$ is independent of $(Z_V, Z_w)$.

For the edge $e$, $\mathrm{mcf}(Y_e, Z_w)$ is a constant function. Suppose if it were a non-constant function $G_e$ w.p. 1, which is indeed independent of $G_e$, then $\mathrm{mcf}(Y_e, Z_w) = \mathrm{mcf}((G_e, Y_e), (G_e, Z_w)) = (G_e, G_e)$. The last equality uses Lemma 6. Therefore, $H(G_e) = H(\mathrm{mcf}(Y_e, Z_w)) = H(G_e, G_e) > H(G_e)$, which is a contradiction. Moreover $H(Y_e | \mathrm{mcf}(Y_e, Z_w)) = H(Y_e | G_e) = H(Y_e, G_e | G_e) = H(Y_e)$. For the other edges $b \neq e$, $Y_b = Y_b$ and $\mathrm{mcf}(Y_b, Z_w) = \mathrm{mcf}(Y_b, Z_w) = \mathrm{mcf}(Y_b, (G_e, Z_w)) = \mathrm{mcf}(Y_b, Z_w)$, which follows from Lemma 6.

Now we will verify that $C_W$ and $R_L$ do not change. First let us show that $R_L(Z_V \| Z_w) \leq R_L(Z_V \| Z_w)$ and $C_W(Z_V \| Z_w) \geq C_W(Z_V \| Z_w)$. Let $F^{(n)}$ be an optimal communication for $R_L(Z_V \| Z_w)$. We can make use of $F^{(n)}$ to construct an omniscience communication for the source $(Z_V, Z_w)$. Set $F^{(n)} = (G_e^n, F^{(n)})$. This communication is made as follows. Both the terminals incident on the edge $e$ have $Y_e^n$ or equivalently $(G_e^n, Y_e^n)$. One of them communicates $G_e^n$. In addition, all the terminals communicate according to $F^{(n)}$ because for every user $i$, $Z_i^n$ is recoverable from $Z_i^n$. It is easy to verify that this is an omniscience communication for $(Z_V, Z_w)$. The minimum rate of leakage for omniscience

$$
\begin{aligned}
R_L(Z_V \| Z_w) &\leq \frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n) \\
&= \frac{1}{n} I(Z_V^n \wedge G_e^n, F^{(n)} | Z_w^n) \\
&\overset{(a)}{=} \frac{1}{n} I(Z_V^n, G_e^n \wedge G_e^n, F^{(n)} | Z_w^n, G_e^n) \\
&= \frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n, G_e^n) \\
&\overset{(b)}{=} \frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n) \\
&\overset{(c)}{\leq} R_L(Z_V \| Z_w) + \delta_n,
\end{aligned}
$$

for some $\delta_n \to 0$. Here, (a) is due to the fact that $(G_e, Z_w)$ is obtained by a linear invertible transformation of $Z_w$, (b) follows from the independence of $G_e$ and $(Z_V, Z_w)$, and (c) uses the fact that $F^{(n)}$ is an $R_L(Z_V \| Z_w)$-achieving communication. It shows that $R_L(Z_V \| Z_w) \leq R_L(Z_V \| Z_w)$. Similarly, let $(F^{(n)}, K^{(n)})$ be a communication and key pair which is optimal for $C_W(Z_V \| Z_w)$. By letting $(F^{(n)}, K^{(n)}) = (F^{(n)}, K^{(n)})$ for the source $(Z_V, Z_w)$, we can see that the key recoverability condition is satisfied. Thus $(F^{(n)}, K^{(n)})$ constitute a valid SKA scheme for $(Z_V, Z_w)$ which implies that $C_W(Z_V \| Z_w) \geq C_W(Z_V \| Z_w)$.

To prove the reverse inequalities, $R_L(Z_V \| Z_w) \geq R_L(Z_V \| Z_w)$ and $C_W(Z_V \| Z_w) \leq C_W(Z_V \| Z_w)$, we use the idea of simulating source $(Z_V, Z_w)$ from $(Z_V, Z_w)$. Consider the source $(Z_V, Z_w)$ in which one of the terminals $i$ incident on the edge $e$, generates the randomness $G_e$ that is independent of the source and broadcasts it, after which the other terminal $j$ incident on $e$ and the wiretapper has $G_e$. These two terminals $i$ and $j$ simulate $Y_e$ from $Y_e$ and $G_e$, whereas the other terminals' observations are the same as those of $Z_V$. Hence they can communicate according to $F^{(n)}$ on the simulated source $Z_V$. If $F^{(n)}$ achieves omniscience for $Z_V^n$ then so does $F^{(n)} = (G_e^n, F^{(n)})$ for $Z_V^n$. Therefore the omniscience recoverability condition is satisfied. Furthermore, if we choose $F^{(n)}$ to be an $R_L(Z_V \| Z_w)$-achieving communication, then the minimum rate of leakage for omniscience,

$$
\begin{aligned}
R_L(Z_V \| Z_w) &\leq \frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n) \\
&= \frac{1}{n} I(Z_V^n \wedge G_e^n, F^{(n)} | Z_w^n) \\
&= \frac{1}{n} I(Z_V^n \wedge G_e^n | Z_w^n) + \frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n, G_e^n) \\
&\overset{(a)}{=} \frac{1}{n} I(Z_V^n, G_e^n \wedge F^{(n)} | Z_w^n, G_e^n) \\
&\overset{(b)}{=} \frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n) \\
&\overset{(c)}{\leq} R_L(Z_V \| Z_w) + \delta_n,
\end{aligned}
$$

for some $\delta_n \to 0$. Here, (a) follows from the independence of $G_e$ and $(Z_V, Z_w)$, (b) is because $(G_e, Z_w)$ can be obtained by a linear invertible transformation of $Z_w$, and (c) uses the fact that $F^{(n)}$ is an $R_L(Z_V \| Z_w)$-achieving communication. This shows that $R_L(Z_V \| Z_w) \geq R_L(Z_V \| Z_w)$. Similarly, if $(F^{(n)}, K^{(n)})$ is a communication and key pair for $(Z_V, Z_w)$ then terminals can communicate according to $F^{(n)} = (G_e^n, F^{(n)})$ and agree upon the key $K^{(n)} = K^{(n)}$, which is possible due to simulation. Hence the key recoverability is immediate. The secrecy condition is also satisfied because $I(K^{(n)} \wedge F^{(n)}, Z_w^n) = I(K^{(n)} \wedge F^{(n)}, G_e^n, Z_w^n) = I(K^{(n)} \wedge F^{(n)}, Z_w^n)$. Hence $(F^{(n)}, K^{(n)})$ forms a valid SKA scheme for $(Z_V, Z_w)$ which implies that $C_W(Z_V \| Z_w) \geq C_W(Z_V \| Z_w)$.

We have shown that $R_L(Z_V \| Z_w) = R_L(Z_V \| Z_w)$, $C_W(Z_V \| Z_w) = C_W(Z_V \| Z_w)$ and for the edge $e$, $\mathrm{mcf}(Y_e, Z_w)$ is a constant function and $H(Y_e | \mathrm{mcf}(Y_e, Z_w)) = H(Y_e)$. Furthermore, we have shown that this reduction does not change the m.c.f. of $Y_b$ and $Z_w$, when $b \neq e$. If the source $(Z_V, Z_w)$ is not irreducible, then we can apply the above reduction again on $(Z_V, Z_w)$ without affecting $C_W$ and $R_L$. Note that the cardinality of the set of all edges $b$ such that $\mathrm{mcf}(Y_b, Z_w)$ is a non-constant function reduces by one after each reduction step. So, this process terminates after a finite number of steps at an irreducible source, which completes the proof.

B. Proof of Theorem 5

Converse part. An upper bound on $C_W$ is $C_S$ because the key generation ability of the users can only increase if the wiretapper has no side information. It was shown in [4, Example 5] that if the random variables of a source form a Markov chain on a tree, then $C_S = \min_{(i,j):\{i,j\}=\xi(e)} I(Z_i \wedge Z_j)$. In the tree-PIN case, which satisfies the Markov property, this turns out to be $C_S = \min_{e \in E} H(Y_e)$. As a consequence, we have $C_W \leq \min_{e \in E} H(Y_e)$ and

$$
\begin{aligned}
R_L &\overset{(a)}{\geq} H(Z_V|Z_w) - C_W \\
&\overset{(b)}{=} \Big(\sum_{e \in E} n_e - n_w\Big) \log_2 q - C_W \\
&\geq \Big(\sum_{e \in E} n_e - n_w\Big) \log_2 q - \min_{e \in E} H(Y_e)
\end{aligned} \tag{44}
$$

where (a) follows from Theorem 1 and (b) is due to the full column-rank assumption on $W$.

Achievability part. In this section, we will show the existence of an omniscience scheme with leakage rate $\big(\sum_{e \in E} n_e - n_w\big) \log_2 q - \min_{e \in E} H(Y_e)$. Hence $R_L \leq \big(\sum_{e \in E} n_e - n_w\big) \log_2 q - \min_{e \in E} H(Y_e)$, which together with the chain of inequalities (44) imply that $C_W = \min_{e \in E} H(Y_e) = C_S$ and $R_L = \big(\sum_{e \in E} n_e - n_w\big) \log_2 q - C_S$. In particular, for achieving a secret key of rate $C_W = \min_{e \in E} H(Y_e)$, the terminals use privacy amplification on the recovered source.

In fact, the existence of an omniscience scheme is shown by first constructing a template for the communication with desired properties and then showing the existence of an instance of it by a probabilistic argument. The following are the key components involved in this construction.

1) Deterministic scheme: A scheme is said to be deterministic if terminals are not allowed to use any locally generated private randomness.

2) Perfect omniscience [10]: For a fixed $n \in \mathbb{N}$, $F^{(n)}$ is said to achieve perfect omniscience if terminals can recover the source $Z_V^n$ perfectly, i.e., $H(Z_V^n | F^{(n)}, Z_i^n) = 0$ for all $i \in V$. If we do not allow any private randomness, then $H(F^{(n)} | Z_V^n) = 0$, which implies

$$\frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n) = \frac{1}{n} \big[ H(F^{(n)} | Z_w^n) - H(F^{(n)} | Z_w^n, Z_V^n) \big] = \frac{1}{n} H(F^{(n)} | Z_w^n).$$

3) Perfect alignment: For an $n \in \mathbb{N}$, we say that $F^{(n)}$ perfectly aligns with $Z_w^n$ if $H(Z_w^n | F^{(n)}) = 0$. Note that $Z_w^n$ is recoverable from $F^{(n)}$ but not the other way around. In this case, $H(F^{(n)} | Z_w^n) = H(F^{(n)}) - H(Z_w^n)$. In an FLS, the wiretapper side information is $Z_w^n = X^n W^{(n)}$ where $X$ is the base vector. Suppose the communication is of the form $F^{(n)} = X^n \mathbf{F}^{(n)}$, for some matrix $\mathbf{F}^{(n)}$, then the condition of perfect alignment is equivalent to the condition that the column space of $\mathbf{F}^{(n)}$ contains the column space of $W^{(n)}$. This is in turn equivalent to the condition that the left nullspace of $W^{(n)}$ contains the left nullspace of $\mathbf{F}^{(n)}$, i.e., if $y \mathbf{F}^{(n)} = 0$ for some vector $y$ then $y W^{(n)} = 0$.

So we will construct a linear communication scheme (deterministic), for some fixed $n$, achieving both perfect omniscience and perfect alignment. As a consequence, the leakage rate for omniscience is equal to $\frac{1}{n} I(Z_V^n \wedge F^{(n)} | Z_w^n) = \frac{1}{n} H(F^{(n)} | Z_w^n) = \frac{1}{n} [H(F^{(n)}) - H(Z_w^n)] = \frac{1}{n} H(F^{(n)}) - n_w \log_2 q$. To show the desired rate, it is enough to have $\frac{1}{n} H(F^{(n)}) = \big(\sum_{e \in E} n_e\big) \log_2 q - \min_{e \in E} H(Y_e)$.

We describe our construction first for the case of a PIN model on a path of length $L$, and $n_e = s$ for all edges $e \in E$. The essential ideas in this construction will serve as a road map for other, more general, cases. The construction is extended to the case of tree-PIN models, again with $n_e = s$ for all edges $e$, using the fact that there exists a unique path from any vertex to a particular vertex designated as the root of the tree. Finally, for tree-PIN models in which $n_e$ can be different for distinct edges $e$, we give only a sketch of the proof; the technical details required to fill in the sketch can be found in [31].

1) Path of length $L$ and $n_e = s$ for all $e \in E$: Let $V = \{0, 1, \ldots, L\}$ be the set of vertices and $E = \{1, \ldots, L\}$ be the edge set such that edge $i$ is incident on vertices $i - 1$ and $i$ (Fig. 5). Since $n_e = s$, $\min_{e \in E} H(Y_e) = s \log_2 q$. Fix a positive integer $n$, such that $n > \log_q(sL)$. With $n$ i.i.d. realizations of the source, the vector corresponding to edge $i$ can be expressed as $Y_i^n = [X_{i,1}^n \ldots X_{i,s}^n]$ where $X_{i,j}^n$'s can be viewed as elements in $\mathbb{F}_{q^n}$. Hence $Y_i^n \in (\mathbb{F}_{q^n})^s$. The goal is to construct a linear communication scheme $F^{(n)}$ that achieves both perfect omniscience and perfect alignment simultaneously such that $H(F^{(n)}) = n \big[ \big(\sum_{e \in E} n_e\big) \log_2 q - \min_{e \in E} H(Y_e) \big] = n (sL - s) \log_2 q$.

[Figure: vertices 0, 1, 2, …, i − 1, i, …, L − 1, L in a row, with edges labelled 1, 2, …, i, …, L.]

Fig. 5. Path of length L.

Now we will construct the communication as follows. Leaf nodes $0$ and $L$ do not communicate. The internal node $i$ communicates $F_i^{(n)} = Y_i^n + Y_{i+1}^n A_i$, where $A_i$ is an $s \times s$ matrix with elements from $\mathbb{F}_{q^n}$. This communication is of the form

$$
F^{(n)} = \big[ F_1^{(n)} \cdots F_{L-1}^{(n)} \big] = \big[ Y_1^n \cdots Y_L^n \big]
\underbrace{\begin{bmatrix}
I & 0 & \cdots & 0 & 0 \\
A_1 & I & \cdots & 0 & 0 \\
0 & A_2 & \cdots & 0 & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & A_{L-2} & I \\
0 & 0 & \cdots & 0 & A_{L-1}
\end{bmatrix}}_{:= \mathbf{F}^{(n)}}
$$

Here $\mathbf{F}^{(n)}$ is an $sL \times s(L-1)$ matrix over $\mathbb{F}_{q^n}$. Observe that $\mathrm{rank}_{\mathbb{F}_{q^n}}(\mathbf{F}^{(n)}) = s(L-1)$, which implies that $H(F^{(n)}) = (sL - s) \log_2 q^n$ and the dimension of the left nullspace of $\mathbf{F}^{(n)}$ is $s$. Now the communication coefficients, $(A_i : 1 \leq i \leq L-1)$, have to be chosen such that $F^{(n)}$ achieves both perfect omniscience and perfect alignment. Let us derive some conditions on these matrices.

For perfect omniscience, it is sufficient for the $A_i$'s to be invertible. This follows from the observation that for any $i \in V$, $[\mathbf{F}^{(n)} \mid H_i]$ is full rank, where $H_i$ is a block-column vector with an $s \times s$ identity matrix at block-index $i$ and all-zero $s \times s$ matrix at the rest of the block-indices. In other words, $(Y_1^n \cdots Y_L^n)$ is recoverable from $(F^{(n)}, Y_i^n)$ for any $i \in E$, hence achieving omniscience. So we assume that the $A_i$'s are invertible.

For perfect alignment, we require that the left nullspace of $\mathbf{F}^{(n)}$ is contained in the left nullspace of $W^{(n)}$, which is the wiretapper matrix corresponding to $n$ i.i.d. realizations. Note that $W^{(n)}$ is a $\big(\sum_{e \in E} n_e\big) \times n_w$ matrix over $\mathbb{F}_{q^n}$ with entries $W^{(n)}(k, l) = W(k, l) \in \mathbb{F}_q$; since $\mathbb{F}_q \subseteq \mathbb{F}_{q^n}$, $W^{(n)}(k, l) \in \mathbb{F}_{q^n}$. As pointed out before, the dimension of the left nullspace of $\mathbf{F}^{(n)}$ is $s$ whereas the dimension of the left nullspace of $W^{(n)}$ is $sL - n_w$. Since the source is irreducible, it follows from Lemma 9 in Appendix C-D that $s \leq sL - n_w$. Since the dimensions are appropriate, the left nullspace inclusion condition is not impossible. Set $S := [S_1\ S_2\ \cdots\ S_L]$, where $S_1$ is some invertible matrix (over $\mathbb{F}_{q^n}$) and $S_{i+1} := (-1)^i S_1 A_1^{-1} \cdots A_i^{-1}$ for $1 \leq i \leq L-1$. Observe that $S \mathbf{F}^{(n)} = 0$. Note that the $S_i$'s are also invertible, and $A_i = -S_{i+1}^{-1} S_i$ for $1 \leq i \leq L-1$. The dimension of the left nullspace of $\mathbf{F}^{(n)}$ is $s$, and all the $s$ rows of $S$ are independent, so these rows span the left nullspace of $\mathbf{F}^{(n)}$. Therefore for the inclusion, we must have $S W^{(n)} = 0$.

Thus, proving the existence of communication coefficients $A_i$'s that achieve perfect omniscience and perfect alignment is equivalent to proving the existence of $S_i$'s that are invertible and satisfy $[S_1\ \cdots\ S_L] W^{(n)} = 0$. To do this, we use the probabilistic method. Consider the system of equations $[y_1\ \cdots\ y_{sL}] W^{(n)} = 0$ in $sL$ variables. Since the matrix $W^{(n)}$ has full column rank, the solutions can be described in terms of $m := sL - n_w$ free variables. As a result, any $S$ that satisfies $S W^{(n)} = 0$ can be parametrized by $ms$ variables. Without loss of generality, we assume that the submatrix of $S$ formed by the first $m$ columns has these independent variables, $(s_{i,j} : 1 \leq i \leq s, 1 \leq j \leq m)$. Knowing these entries will determine the rest of the entries of $S$. So we choose $s_{i,j}$'s independently and uniformly from $\mathbb{F}_{q^n}$. We would like to know if there is any realization such that all the $S_i$'s are invertible, which is equivalent to the condition $\prod_{i=1}^{L} \det(S_i) \neq 0$. Note that $\prod_{i=1}^{L} \det(S_i)$ is a multivariate polynomial in the variables $s_{i,j}$, $1 \leq i \leq s$, $1 \leq j \leq m$, with degree at most $sL$. Furthermore the polynomial is not identically zero, which follows from the irreducibility of $W^{(n)}$. A proof of this fact is given in Lemma 10 in Appendix C-D. Therefore, applying the Schwartz-Zippel lemma (Lemma 7 in Appendix C-D), we have

$$\Pr\left\{ \prod_{i=1}^{L} \det(S_i) \neq 0 \right\} \geq 1 - \frac{sL}{q^n} \overset{(a)}{>} 0$$

where (a) follows from the choice $n > \log_q(sL)$. Since the probability is strictly positive, there exists a realization of $S$ such that $S W^{(n)} = 0$ and $S_i$'s are invertible which in turn shows the existence of a desired $F^{(n)}$.
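The path construction above, instantiated as an added Python example (not code from the paper). Assumed toy parameters: q = 11 and n = 1 (permitted because q^n = 11 > sL = 6), s = 2, L = 3, and a constructed irreducible wiretapper matrix W with n_w = 2. It draws S with SW = 0 until every block S_i is invertible, sets A_i = −S_{i+1}^{-1} S_i, and checks perfect omniscience and perfect alignment against the unaligned choice A_i = I.

```python
import random

Q = 11           # field size q (prime); n = 1 is allowed because q^n = 11 > s*L = 6
S_DIM, L = 2, 3  # s symbols per edge, path with L edges (assumed toy sizes)
# Constructed wiretapper matrix W (sL x n_w): Z_w = (X_11 + X_21, X_22 + X_31).
W = [[1, 0], [0, 0], [1, 0], [0, 1], [0, 1], [0, 0]]

def rref(M):
    """Reduced row echelon form over F_Q; returns (rows, pivot columns)."""
    M = [[x % Q for x in row] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0])):
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][c], -1, Q)
        M[r] = [x * inv % Q for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % Q for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    return M, pivots

def rank(M):
    return len(rref(M)[1])

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def hcat(A, B):
    return [a + b for a, b in zip(A, B)]

def inverse(A):
    k = len(A)
    R, piv = rref([row + [int(i == j) for j in range(k)] for i, row in enumerate(A)])
    if piv[:k] != list(range(k)):
        raise ValueError("singular block")
    return [row[k:] for row in R]

def left_nullspace(M):
    """Rows y spanning {y : yM = 0}, read off the RREF of M^T."""
    R, piv = rref([list(col) for col in zip(*M)])
    basis = []
    for f in (c for c in range(len(M)) if c not in piv):
        y = [0] * len(M)
        y[f] = 1
        for row, pc in zip(R, piv):
            y[pc] = -row[f] % Q
        basis.append(y)
    return basis

def path_matrix(A_list):
    """sL x s(L-1) matrix whose block column i encodes F_i = Y_i + Y_{i+1} A_i."""
    s = S_DIM
    F = [[0] * (s * (L - 1)) for _ in range(s * L)]
    for i, A in enumerate(A_list):
        for a in range(s):
            F[s * i + a][s * i + a] = 1                   # identity block
            for b in range(s):
                F[s * (i + 1) + a][s * i + b] = A[a][b]   # A_i block below it
    return F

def aligned_scheme(rng):
    """Probabilistic step: draw S with SW = 0 until every block S_i is invertible."""
    s, N = S_DIM, left_nullspace(W)
    while True:
        S = matmul([[rng.randrange(Q) for _ in N] for _ in range(s)], N)
        blocks = [[row[s * i:s * (i + 1)] for row in S] for i in range(L)]
        if all(rank(B) == s for B in blocks):
            break
    # A_i = -S_{i+1}^{-1} S_i
    A_list = [[[-x % Q for x in row] for row in matmul(inverse(blocks[i + 1]), blocks[i])]
              for i in range(L - 1)]
    return S, path_matrix(A_list)

def omniscient(F):
    """True if [F | H_i] has rank sL for every edge i."""
    s = S_DIM
    return all(
        rank(hcat(F, [[int(r == s * i + c) for c in range(s)] for r in range(s * L)])) == s * L
        for i in range(L))

def leakage(F):
    """H(F | Z_w) in q-ary symbols per source symbol, for deterministic linear F."""
    return rank(hcat(F, W)) - rank(W)

def demo(seed=0):
    S, F = aligned_scheme(random.Random(seed))
    eye = [[int(a == b) for b in range(S_DIM)] for a in range(S_DIM)]
    F_naive = path_matrix([eye] * (L - 1))   # A_i = I: omniscient but not aligned
    return {
        "SF_zero": all(x == 0 for row in matmul(S, F) for x in row),
        "rank_F": rank(F),
        "omniscient": omniscient(F) and omniscient(F_naive),
        "aligned": rank(hcat(F, W)) == rank(F),
        "leak_aligned": leakage(F),
        "leak_naive": leakage(F_naive),
    }

if __name__ == "__main__":
    print(demo())
```

With these parameters the aligned scheme leaks 2 symbols of F_q per source symbol, matching (Σ n_e − n_w) − s, while the choice A_i = I still achieves omniscience but leaks 3.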

2) Tree with $L$ edges and $n_e = s$ for all $e \in E$: For the tree-PIN model, we essentially use the same kind of communication construction as that of the path model. Consider a PIN model on a tree with $L + 1$ nodes and $L$ edges. To describe the linear communication, fix some leaf node as the root, $\rho$, of the tree. For any internal node $i$ of the tree, let $E_i$ denote the edges incident with $i$, and in particular, let $e^*(i) \in E_i$ denote the edge incident with $i$ that is on the unique path between $i$ and $\rho$. Fix a positive integer $n$, such that $n > \log_q(sL)$. The communication from an internal node $i$ is $(Y^n_{e^*(i)} + Y^n_e A_{i,e} : e \in E_i \setminus \{e^*(i)\})$, where $A_{i,e}$ is an $s \times s$ matrix. Each internal node communicates $s(d_i - 1)$ symbols from $\mathbb{F}_{q^n}$, where $d_i$ is the degree of the node $i$. Leaf nodes do not communicate. The total number of $\mathbb{F}_{q^n}$-symbols communicated is $\sum_i s(d_i - 1)$, where the sum is over all nodes, including leaf nodes. The contribution to the sum from leaf nodes is in fact 0, but including all nodes in the sum allows us to evaluate the sum as $s[2 \times (\text{number of edges}) - (\text{number of nodes})] = s(L - 1)$. Thus, we have the overall communication of the form

$$F^{(n)} = Y^n \mathbf{F}^{(n)}$$

where $\mathbf{F}^{(n)}$ is a $sL \times s(L-1)$ matrix over $\mathbb{F}_{q^n}$ and $Y^n = (Y^n_e)$. The rows of $\mathbf{F}^{(n)}$ correspond to the edges of the tree. The aim is to choose the matrices $A_i$ that achieve both perfect omniscience and perfect alignment simultaneously such that $H(F^{(n)}) = n \big[ \big(\sum_{e \in E} n_e\big) \log_2 q - \min_{e \in E} H(Y_e) \big] = n (sL - s) \log_2 q$.

For perfect omniscience, it is sufficient for the $A_i$'s to be invertible. First observe that all the leaf nodes are connected to the root node $\rho$ via paths. On each of these paths the communication has exactly the same form as that of the path model considered before. So when the $A_i$'s are invertible, the root node can recover the entire source using $Y^n_{e_\rho}$, where $e_\rho$ is the edge incident on $\rho$. Now take any node $i$, there is a unique path from $i$ to $\rho$. Again the form of the communication restricted to this path is the same as that of the path model. Hence node $i$, just using $Y^n_{e^*(i)}$ can recover $Y^n_{e_\rho}$, which in turn, along with the overall communication, allows node $i$ to recover the entire source. Indeed, only edge observations $Y^n_e$ are used in the recovery process.

Because $Y^n$ is recoverable from $(F^{(n)}, Y^n_e)$ for any $e \in E$, $[\mathbf{F}^{(n)} \mid H_e]$ is an invertible $sL \times sL$ matrix, where $H_e$ is a block-column vector with an $s \times s$ identity matrix at block-index corresponding to edge $e$ and all-zero $s \times s$ matrix at the rest of the block-indices. Therefore $\mathbf{F}^{(n)}$ is a full column-rank matrix, i.e., $\mathrm{rank}_{\mathbb{F}_{q^n}}(\mathbf{F}^{(n)}) = s(L-1)$, which implies that $H(F^{(n)}) = (sL - s) \log_2 q^n$ and the dimension of the left nullspace of $\mathbf{F}^{(n)}$ is $s$.

For perfect alignment, we require that the left nullspace of $\mathbf{F}^{(n)}$ is contained in the left nullspace of $W^{(n)}$. So, let us construct an $S = (S_e)$ such that $S \mathbf{F}^{(n)} = 0$ as follows. Let $S_1$ be an invertible matrix. Each edge $e$ has two nodes incident with it; let $i^*(e)$ denote the node that is closer to the root $\rho$. There is a unique path $i^*(e) = i_1 \to i_2 \to \cdots \to i_\ell = \rho$ that connects $i^*(e)$ to $\rho$ and let the edges along the path in this order be $(e = e_1, e_2, \ldots, e_\ell)$ (see Fig. 6). We set $S_e := (-1)^{\ell-1} S_1 A^{-1}_{i_{\ell-1}, e_{\ell-1}} \cdots A^{-1}_{i_1, e_1}$ for all edges $e$ except for the edge incident with $\rho$, to which we associate $S_1$. Note that the $S_e$'s are invertible and $S_e = -S_{e^\#} A^{-1}_{i^*(e), e}$, where $e^\#$ is the edge adjacent to $e$ on the unique path from $i^*(e)$ to $\rho$. Let us now verify that $S \mathbf{F}^{(n)} = 0$. The component corresponding to the internal node $i$ in $S \mathbf{F}^{(n)}$ is of the form $(S_{e^*(i)} + S_e A_{i,e} : e \in E_i \setminus \{e^*(i)\})$. But for an $e \in E_i \setminus \{e^*(i)\}$, $i^*(e) = i$ and $e^\# = e^*(i)$, thus $S_e A_{i,e} = -S_{e^\#} A^{-1}_{i^*(e), e} A_{i,e} = -S_{e^*(i)} A^{-1}_{i,e} A_{i,e} = -S_{e^*(i)}$. Hence we have $S_{e^*(i)} + S_e A_{i,e} = 0$ which implies $S \mathbf{F}^{(n)} = 0$. The dimension of the left nullspace of $\mathbf{F}^{(n)}$ is $s$ and all the $s$ rows of $S$ are independent, so these rows span the left nullspace of $\mathbf{F}^{(n)}$. Therefore, for the inclusion of one nullspace within the other, we must have $S W^{(n)} = 0$.

[Figure: labels i∗(e), i, ρ, e = e∗(i), e#.]

Fig. 6. Unique path between an internal node i and the root ρ

Finally, we can prove the existence of $S$ such that $S W^{(n)} = 0$ and $S_i$'s are invertible, using the probabilistic method exactly as before. The details are omitted. This shows the existence of a desired $F^{(n)}$.

3) Path and tree with $L$ edges and arbitrary $n_e$: In this case, we define $s := \min\{n_e : e \in E\}$. We consider a communication $F^{(n)}$ that consists of two parts. One part involves the communication that is similar to that of the $n_e = s$ case, where we use the first $s$ random variables associated to each edge $e$. And the other part involves revealing the rest of the random variables on each edge, but this is done by linearly combining them with the first $s$ rvs.

For this kind of a communication structure, we can in fact show, in a similar way as in the $n_e = s$ case, the existence of an $F^{(n)}$ with the desired properties. The technical details are omitted but they can be found in [31].

C. Proof of Lemma 6

Recall that we assume that $Z$ is independent of $(X, Y)$. Any common function (c.f.) of $X$ and $Y$ is also a common function of $X$ and $(Y, Z)$. Let $F$ be a c.f. of $X$ and $(Y, Z)$ which means that $H(F|X) = 0 = H(F|Y, Z)$. Note that $H(F|Y) = H(Z|Y) + H(F|Y, Z) - H(Z|F, Y) = H(Z) - H(Z|F, Y)$. Also we have $H(Z|F, Y) \geq H(Z|X, Y)$ which follows from the fact that $F$ is a function of $X$. Both these inequalities together imply that $0 \leq H(F|Y) \leq H(Z) - H(Z|X, Y) = 0$. So any c.f. of $X$ and $(Y, Z)$ is also a c.f. of $X$ and $Y$. Therefore $\mathrm{mcf}(X, (Y, Z)) = \mathrm{mcf}(X, Y)$.

We can see that $(\mathrm{mcf}(X, Y), Z)$ is a c.f. of $(X, Z)$ and $(Y, Z)$. To show that $\mathrm{mcf}((X, Z), (Y, Z)) = (\mathrm{mcf}(X, Y), Z)$, it is enough to show that $H(\mathrm{mcf}(X, Y), Z) \geq H(G)$ for any $G$ satisfying $H(G|X, Z) = 0 = H(G|Y, Z)$. Since $\sum_{z \in \mathcal{Z}} P_Z(z) H(G|X, Z = z) = H(G|X, Z) = 0$, for a $z \in \mathrm{supp}(P_Z)$, we have $H(G|X, Z = z) = 0$. Similarly, $H(G|Y, Z = z) = 0$. Thus, for a fixed $Z = z$, $G$ is a c.f. of rvs $X$ and $Y$ jointly distributed according to $P_{X,Y|Z=z}$. In this case, let $\mathrm{mcf}(X, Y)_{Z=z}$ denote the m.c.f. which indeed depends on the conditional distribution. However, because of the independence $P_{X,Y|Z=z} = P_{X,Y}$, the $\mathrm{mcf}(X, Y)_{Z=z}$ remains the same across all $z$, and is equal to $\mathrm{mcf}(X, Y)$. Therefore, from the optimality of m.c.f., we have $H(G|Z = z) \leq H(\mathrm{mcf}(X, Y)_{Z=z} | Z = z) = H(\mathrm{mcf}(X, Y) | Z = z) = H(\mathrm{mcf}(X, Y))$, where the last equality follows from the independence of $Z$ and $(X, Y)$. As a consequence, we have $H(G|Z) = \sum_{z \in \mathcal{Z}} P_Z(z) H(G|Z = z) \leq H(\mathrm{mcf}(X, Y))$. The desired inequality follows from $H(G) \leq H(G, Z) = H(G|Z) + H(Z) \leq H(\mathrm{mcf}(X, Y)) + H(Z) = H(\mathrm{mcf}(X, Y), Z)$. This proves that $\mathrm{mcf}((X, Z), (Y, Z)) = (\mathrm{mcf}(X, Y), Z)$.

D. Useful Lemmas related to the proof of Theorem 5

Lemma 7 (Schwartz-Zippel lemma) Let $P(X_1, \dots, X_n)$ be a non-zero polynomial in n variables with degree d and coefficients from a finite field $\mathbb{F}_q$. Given a non-empty set $S \subseteq \mathbb{F}_q$, if we choose the n-tuple $(x_1, \dots, x_n)$ uniformly from $S^n$, then

$$\Pr\{(x_1, \dots, x_n) \in S^n : P(x_1, \dots, x_n) = 0\} \le \frac{d}{|S|}.$$

Fix two positive integers m and s such that s ≤ m. Consider the integral domain $\mathbb{F}_q[X_{11}, \dots, X_{1m}, \dots, X_{s1}, \dots, X_{sm}]$, which is the set of all multivariate polynomials in indeterminates $X_{11}, \dots, X_{1m}, \dots, X_{s1}, \dots, X_{sm}$ with coefficients from a finite field $\mathbb{F}_q$. Let us consider a matrix of the form

$$M = \begin{bmatrix} L_1(Y_1) & L_2(Y_1) & \cdots & L_s(Y_1) \\ L_1(Y_2) & L_2(Y_2) & \cdots & L_s(Y_2) \\ \vdots & \vdots & \ddots & \vdots \\ L_1(Y_s) & L_2(Y_s) & \cdots & L_s(Y_s) \end{bmatrix}_{s \times s}, \tag{45}$$

where $Y_k := [X_{k1}, \dots, X_{km}]$ for 1 ≤ k ≤ s and $L_i(Y_k)$ denotes a linear combination over $\mathbb{F}_q$ of the indeterminates $X_{k1}, \dots, X_{km}$. Note that row k depends only on $Y_k$. Let $X := [Y_1^T, \dots, Y_s^T]^T$, and let P(X) denote a polynomial in the indeterminates $X_{11}, \dots, X_{1m}, \dots, X_{s1}, \dots, X_{sm}$, with coefficients from $\mathbb{F}_q$.

It is a fact [32, p. 528] that for a general matrix M with entries from $\mathbb{F}_q[X]$, det(M) = 0 if and only if there exist polynomials $P_k(X)$, 1 ≤ k ≤ s, not all zero, such that

$$M [P_1(X), \dots, P_s(X)]^T = 0.$$

But this does not guarantee a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $M\lambda^T = 0$. However, the following lemma shows that if the matrix is of the form (45), then this is the case.

Lemma 8 Let M be a matrix of the form (45). Then det(M) = 0 iff there exists a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $M\lambda^T = 0$. ✷

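PROOF The “if” part holds for any matrix M by the fact stated above. For the “only if” part, suppose that det(M) = 0. We can write M as follows

$$M = \underbrace{\begin{bmatrix} X_{11} & X_{12} & \cdots & X_{1m} \\ X_{21} & X_{22} & \cdots & X_{2m} \\ \vdots & \vdots & \ddots & \vdots \\ X_{s1} & X_{s2} & \cdots & X_{sm} \end{bmatrix}}_{=X} \underbrace{\begin{bmatrix} a_{11} & a_{21} & \cdots & a_{s1} \\ a_{12} & a_{22} & \cdots & a_{s2} \\ a_{13} & a_{23} & \cdots & a_{s3} \\ \vdots & \vdots & \ddots & \vdots \\ a_{1m} & a_{2m} & \cdots & a_{sm} \end{bmatrix}}_{:=A}$$

for some $A \in \mathbb{F}_q^{m \times s}$. Now consider the determinant of the matrix M,

$$\begin{aligned}
\det(M) &= \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma)\, L_{\sigma(1)}(Y_1) \cdots L_{\sigma(s)}(Y_s) \\
&= \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma) \left( \sum_{j_1=1}^{m} a_{\sigma(1) j_1} X_{1 j_1} \right) \cdots \left( \sum_{j_s=1}^{m} a_{\sigma(s) j_s} X_{s j_s} \right) \\
&= \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma) \sum_{j_1, \dots, j_s \in [m]^s} \left( a_{\sigma(1) j_1} \cdots a_{\sigma(s) j_s} \right) X_{1 j_1} \cdots X_{s j_s} \\
&= \sum_{j_1, \dots, j_s \in [m]^s} \left( \sum_{\sigma \in S_s} \mathrm{sgn}(\sigma)\, a_{\sigma(1) j_1} \cdots a_{\sigma(s) j_s} \right) X_{1 j_1} \cdots X_{s j_s} \\
&= \sum_{j_1, \dots, j_s \in [m]^s} \det(A_{j_1 \dots j_s})\, X_{1 j_1} \cdots X_{s j_s}
\end{aligned}$$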

where $A_{j_1 j_2 \dots j_s}$ is the s × s submatrix of A formed by the rows $j_1, j_2, \dots, j_s$. Since det(M) = 0, $\det(A_{j_1 j_2 \dots j_s}) = 0$ for every collection of distinct indices $j_1, j_2, \dots, j_s$, which implies that any s rows of A are linearly dependent over $\mathbb{F}_q$. This shows that $\mathrm{rank}_{\mathbb{F}_q}(A) < s$, therefore the columns of A are linearly dependent over $\mathbb{F}_q$. Hence there exists a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $A\lambda^T = 0 \Rightarrow M\lambda^T = 0$. ∎
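The following added example (not code from the paper) checks Lemma 8 numerically for M = XA: det(M) is the zero polynomial exactly when every s × s minor of A vanishes, in which case a non-zero λ with Aλ^T = 0 exists, and Lemma 7 justifies testing the identity by random evaluation. The field F_7, the matrices A_DEP and A_IND, and all function names are constructed for this illustration.

```python
from itertools import combinations, permutations, product
import random

P = 7  # constructed example field F_7 (assumption; any prime works)

def det_mod(M, p=P):
    """Determinant over F_p via the Leibniz formula (adequate for small s)."""
    s = len(M)
    total = 0
    for perm in permutations(range(s)):
        inversions = sum(perm[i] > perm[j] for i in range(s) for j in range(i + 1, s))
        term = -1 if inversions % 2 else 1
        for r in range(s):
            term *= M[r][perm[r]]
        total += term
    return total % p

def all_minors_vanish(A, p=P):
    """det(XA) is the zero polynomial iff every minor det(A_{j1...js}) is 0.

    A is m x s; its rows are indexed by j, its columns by the functions L_i.
    """
    m, s = len(A), len(A[0])
    return all(det_mod([A[j] for j in rows], p) == 0
               for rows in combinations(range(m), s))

def kernel_vector(A, p=P):
    """Brute-force a non-zero lambda in F_p^s with A lambda^T = 0, else None."""
    s = len(A[0])
    for lam in product(range(p), repeat=s):
        if any(lam) and all(sum(a * l for a, l in zip(row, lam)) % p == 0 for row in A):
            return lam
    return None

def evaluate_M(X, A, p=P):
    """M = XA with field elements substituted for the indeterminates X_kj."""
    m, s = len(A), len(A[0])
    return [[sum(X[k][j] * A[j][i] for j in range(m)) % p for i in range(s)]
            for k in range(len(X))]

def det_vanishes_on_random_points(A, trials=40, seed=1, p=P):
    """Schwartz-Zippel test: a non-zero det(XA) of degree s vanishes at a
    uniform point with probability at most s/p, so repeated zeros indicate
    the zero polynomial."""
    rng = random.Random(seed)
    m, s = len(A), len(A[0])
    for _ in range(trials):
        X = [[rng.randrange(p) for _ in range(m)] for _ in range(s)]
        if det_mod(evaluate_M(X, A, p), p) != 0:
            return False
    return True

# Constructed inputs with m = 4, s = 3.
A_DEP = [[1, 0, 1], [0, 1, 2], [2, 3, 1], [4, 1, 6]]  # column 3 = column 1 + 2*column 2
A_IND = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 1]]  # full column rank

if __name__ == "__main__":
    for name, A in (("A_DEP", A_DEP), ("A_IND", A_IND)):
        print(name, all_minors_vanish(A), kernel_vector(A),
              det_vanishes_on_random_points(A))
```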

Definition 3 Let W be a row-partitioned matrix of the form

$$\begin{bmatrix} W_1 \\ W_2 \\ \vdots \\ W_{|E|} \end{bmatrix} \tag{46}$$

where $W_i$ is an $n_i \times n_w$ matrix over $\mathbb{F}_q$. We say that the matrix W is reducible if there exist an index i and a non-zero row vector $r_i$ in $\mathbb{F}_q^{n_i}$ such that the column span of W contains the column vector $[-0- \mid \cdots \mid -r_i- \mid \cdots \mid -0-]^T$. If the matrix W is not reducible, then we say it is irreducible. ✷

A tree-PIN source with linear wiretapper is irreducible iff the wiretapper matrix W is irreducible.

Lemma 9 Let W be a $(\sum_{e \in E} n_e) \times n_w$ wiretapper matrix in the row-partitioned form (46). If the matrix W is irreducible then $n_w \le (\sum_{e \in E} n_e) - s$ where $s = \min\{n_e : e \in E\}$. ✷

PROOF By elementary column operations and block-row swapping, we can reduce W into the following form

$$\begin{bmatrix} W_{11} & 0 & \cdots & 0 \\ W_{21} & W_{22} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ W_{k1} & W_{k2} & \cdots & W_{kk} \\ \vdots & \vdots & \ddots & \vdots \\ W_{|E|1} & W_{|E|2} & \cdots & W_{|E|k} \end{bmatrix}$$

where the diagonal matrices $W_{jj}$ are full column-rank matrices. Since W is an irreducible matrix, k ≤ (|E| − 1). An upper bound on the number of columns of $W_{jj}$ is $n_{e_j}$, where $e_j$ is the edge corresponding to the row j (after block-row swapping). So,

$$\begin{aligned}
n_w &\le \max\left\{ \sum_{j \in K} n_{e_j} : K \subseteq [|E|],\ |K| \le (|E| - 1) \right\} \\
&\le \max\left\{ \sum_{j \in K} n_{e_j} : |K| = (|E| - 1) \right\} \\
&= \max\left\{ \sum_{e \in E} n_e - n_{e'} : e' \in E \right\} \\
&= \sum_{e \in E} n_e - s.
\end{aligned}$$

This completes the proof. ∎
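As an added illustration of Definition 3 and Lemma 9 (example code, not from the paper), the reducibility test can be phrased as a rank comparison: a vector supported on block i lies in the column span of W exactly when deleting the rows of block i lowers the rank of W. The matrices, block sizes, primes and function names below are constructed, and W is assumed to have full column rank when the Lemma 9 bound is checked.

```python
from itertools import accumulate

def rank_mod_p(rows, p):
    """Rank over F_p (p prime) of a matrix given as a list of rows."""
    m = [[x % p for x in r] for r in rows]
    ncols = len(m[0]) if m else 0
    rank = 0
    for c in range(ncols):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

def reducible_blocks(W, sizes, p):
    """Blocks i for which some non-zero r_i puts [0|...|r_i|...|0]^T in colspan(W).

    W c is supported on block i iff c is in the right kernel of W with block i
    removed; such a c gives a non-zero W c iff that kernel is strictly larger
    than the kernel of W, i.e. iff the rank drops when block i is deleted.
    """
    starts = [0] + list(accumulate(sizes))
    full = rank_mod_p(W, p)
    hits = []
    for i in range(len(sizes)):
        rest = W[:starts[i]] + W[starts[i + 1]:]
        if rank_mod_p(rest, p) < full:
            hits.append(i)
    return hits

def is_irreducible(W, sizes, p):
    return not reducible_blocks(W, sizes, p)

def lemma9_bound(sizes):
    """Largest n_w an irreducible W can have: sum of n_e minus s = min n_e."""
    return sum(sizes) - min(sizes)

def consistent_with_lemma9(W, sizes, p):
    """For full column-rank W: irreducible implies n_w <= lemma9_bound."""
    n_w = len(W[0])
    return (not is_irreducible(W, sizes, p)) or n_w <= lemma9_bound(sizes)

# Constructed examples on two edges a, b with n_a = n_b = 2 (rows: a1, a2, b1, b2).
SIZES = [2, 2]
W_IRR = [[1], [0], [1], [0]]                       # wiretapper sees X_a1 + X_b1 (over F_2)
W_RED = [[1, 0], [0, 0], [1, 1], [0, 0]]           # second column exposes X_b1 alone (over F_2)
W_BIG = [[1, 0, 0], [0, 1, 0], [1, 0, 1], [0, 1, 1]]  # n_w = 3 > 4 - 2 (over F_3)

if __name__ == "__main__":
    print(reducible_blocks(W_IRR, SIZES, 2))   # no block can be isolated
    print(reducible_blocks(W_RED, SIZES, 2))
    print(reducible_blocks(W_BIG, SIZES, 3), lemma9_bound(SIZES))
```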

The next lemma is about matrices over $\mathbb{F}_q[X]$ of the form

$$\begin{bmatrix} X_{11} & \cdots & X_{1m} & L_1(Y_1) & \cdots & L_l(Y_1) \\ X_{21} & \cdots & X_{2m} & L_1(Y_2) & \cdots & L_l(Y_2) \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ X_{s1} & \cdots & X_{sm} & L_1(Y_s) & \cdots & L_l(Y_s) \end{bmatrix}_{s \times (m+l)} \tag{47}$$

where $L_i(Y_k)$ denotes a linear combination over $\mathbb{F}_q$ of entries of $Y_k = [X_{k1}, \dots, X_{km}]$. Let us denote a matrix whose entries are the zero polynomials by 0.

Lemma 10 Let W be a $(\sum_{e \in E} n_e) \times n_w$ wiretapper matrix over $\mathbb{F}_q$ with full column-rank such that $n_w \le (\sum_{e \in E} n_e) - s$ where $s = \min\{n_e : e \in E\}$. Let $m := \sum_{e \in E} n_e - n_w$. Consider a matrix $S := (S_e, T_e)_{e \in E}$ over $\mathbb{F}_q[X]$ of the form (47), where $S_e$ is an s × s matrix and $T_e$ is an $s \times (n_e - s)$ matrix. Furthermore, S satisfies SW = 0. If W is an irreducible matrix, then $\prod_{e \in E} \det(S_e)$ is a non-zero polynomial. ✷

PROOF Suppose $\prod_{e \in E} \det(S_e)$ is the zero polynomial; then $\det(S_i) \equiv 0$ for some i ∈ E. There are sm indeterminates in S, where s ≤ m. Note that $S_i$ has the form similar to (45) for some linear functions. By Lemma 8, $\det(S_i) \equiv 0$ implies that there exists a non-zero $\lambda = [\lambda_1, \dots, \lambda_s] \in \mathbb{F}_q^s$ such that $S_i \lambda^T = 0$. Consider the block-column partitioned row vector R such that the block corresponding to the edge i is $R_i = [\lambda_1, \dots, \lambda_s, 0, \dots, 0]$ and $R_j = [-0-]$ for all j ∈ E \ {i}. Then $SR^T = 0$.

Moreover, it is given that S satisfies SW = 0. Now, let the m indeterminates in the first row of S take values in $\mathbb{F}_q$ so that we get m linearly independent vectors in the left nullspace of W. These vectors are also in the left nullspace of $R^T$ because $SR^T = 0$. Since W has full column-rank, this is possible only if $R^T$ is in the column span of W, which implies that W is reducible.

APPENDIX D

PROOF OF THEOREM 6

Similar to the unconstrained case, we first prove the result

for irreducible sources and then argue that the rate region of

a general source is the same as that of an irreducible source

that is obtained through reduction.

[Figure: plot with axes R and CW(R); marked values CW and (|E| − 1)CW.]

Fig. 7. CW(R) curve denoting the wiretap secret key capacity at a given rate R

Theorem 8 Given an irreducible tree-PIN source $Z_V$ with a linear wiretapper $Z_w$, we have

$$C_W(R) = \min\left\{ \frac{R}{|E| - 1},\ C_W \right\}$$

where R is the total discussion rate and $C_W = \min_{e \in E} H(Y_e)$, which is the unconstrained wiretap secret key capacity. ✷

PROOF Since the wiretapper side information can only reduce the secret key rate, $C_W(R) \le C_S(R)$. It follows from [30, Theorem 4.2] that $C_S(R) = \min\left\{ \frac{R}{|E|-1},\ C_S \right\}$. Therefore, we have $C_W(R) \le \min\left\{ \frac{R}{|E|-1},\ C_W \right\}$ because $C_S = C_W$ for an irreducible tree-PIN source with linear wiretapper, which was shown in Theorem 5.

For the achievability part, it is enough to show that the

point ((|E| − 1)CW, CW) is achievable because the rest of

the curve follows from the time sharing argument between

((|E| − 1)CW, CW) and (0, 0) — see Fig. 7.

Let $s := C_W = \min_{e \in E} H(Y_e) = \min_{e \in E} n_e$, which is an integer. We will construct our achievable scheme on a sub-source $Z'_V$ of the tree-PIN source $Z_V$ by ignoring some edge random variables. More precisely, $Z'_V$ is defined on the same tree T with $Y'_e := (X_{e,1}, \dots, X_{e,s})$ for each edge e ∈ E, and $Z'_i = (Y'_e : i \in \xi(e))$ for i ∈ V. Note that all the edge random vectors $Y'_e$ have s components. On the other hand, the wiretapper side information $Z_w$ is the same as that of the original source.

Let $X' := (X_{e,k} : e \in E,\ 1 \le k \le s)$ and $X'' := (X_{e,k} : e \in E,\ s < k \le n_e)$, which is a partition of the underlying components X of the original source. This gives rise to a partition of the observations of the wiretapper into two parts: the first part contains observations involving only linear combinations of X′, and the second part contains linear observations with at least one component from X′′. This means that $Z_w$, after applying some suitable invertible linear transformation, can be written as

$$Z_w = \begin{bmatrix} X' & X'' \end{bmatrix} \begin{bmatrix} A & B \\ 0 & C \end{bmatrix},$$

for some matrices A, B, and a full column-rank matrix C. With $Z'_w = X'A$ and $Z''_w = X'B + X''C$, $Z_w = \begin{bmatrix} Z'_w & Z''_w \end{bmatrix}$.

For a large n, users execute a linear secure omniscience communication scheme $F^{(n)}$ on the sub-source $Z'^n_V$ with respect to the wiretapper side information $Z^n_w$. Moreover, $F^{(n)}$ has the following properties: it achieves perfect omniscience at rate

$$\frac{1}{n} H(F^{(n)}) = H(Z'_V) - s = H(X') - s,$$

which is the minimum rate of omniscience $R_{CO}(Z'_V)$, and it perfectly aligns with $Z'^n_w$, i.e., $H(Z'^n_w | F^{(n)}) = 0$. The existence of such a communication scheme is guaranteed from the proof of Theorem 5. After every user recovers the source $Z'^n_V$ using $F^{(n)}$, they agree on the key $K^{(n)} := Y'^n_{e_0}$ where $e_0 \in E$ is an edge incident on a leaf node. It is clear that $K^{(n)}$ satisfies the key recoverability condition because it is a function of the recovered source $Z'^n_V$. It remains to show that $K^{(n)}$ satisfies the secrecy condition.

Since $K^{(n)}$, $Z'^n_w$ and $F^{(n)}$ are linear functions of X′, we have $(K^{(n)}, F^{(n)}, Z'^n_w) - X'^n - Z''^n_w$. Note that $Z''^n_w$ is independent of X′ because C is a full column-rank matrix. As a consequence, $Z''^n_w$ is independent of $(K^{(n)}, F^{(n)}, Z'^n_w)$. Furthermore, $Y'^n_{e_0}$ is independent of $F^{(n)}$. This can be obtained by combining the perfect omniscience condition, which implies that $H(Z'^n_V | Y'^n_{e_0}, F^{(n)}) = 0$ for the leaf node, and the condition on the rate of the communication, which is $H(F^{(n)}) = H(Z'^n_V) - ns = H(Z'^n_V) - H(Y'^n_{e_0})$. Therefore, we have $H(Y'^n_{e_0} | F^{(n)}) = H(Y'^n_{e_0}, F^{(n)}) - H(F^{(n)}) = H(Z'^n_V, Y'^n_{e_0}, F^{(n)}) - H(F^{(n)}) = H(Z'^n_V) - H(F^{(n)}) = H(Y'^n_{e_0})$. The third equality is because $Y'^n_{e_0}$ and $F^{(n)}$ are linear functions of $Z'^n_V$. Finally,

$$\begin{aligned}
H(K^{(n)} | F^{(n)}, Z^n_w) &= H(K^{(n)} | F^{(n)}, Z'^n_w, Z''^n_w) \\
&\overset{(a)}{=} H(K^{(n)} | F^{(n)}, Z'^n_w) \\
&\overset{(b)}{=} H(K^{(n)} | F^{(n)}) \\
&= H(Y'^n_{e_0} | F^{(n)}) \\
&\overset{(c)}{=} H(Y'^n_{e_0}) \\
&= H(K^{(n)})
\end{aligned}$$

where (a) follows from the independence of $Z''^n_w$ and $(K^{(n)}, F^{(n)}, Z'^n_w)$, (b) is due to the fact that $F^{(n)}$ aligns perfectly with $Z'^n_w$, i.e., $H(Z'^n_w | F^{(n)}) = 0$, and (c) is because $Y'^n_{e_0}$ is independent of $F^{(n)}$.

Thus we have shown that a secret key of rate $\frac{1}{n} H(K^{(n)}) = \frac{1}{n} H(Y'^n_{e_0}) = s$ is achievable with a communication of rate $\frac{1}{n} H(F^{(n)}) = H(Z'_V) - s = (|E| - 1)s$. So the pair ((|E| − 1)CW, CW) = ((|E| − 1)s, s) is achievable, which is as desired. ∎

To extend this result to the general tree-PIN case, we will

prove the following lemma, which allows us to carry out a

reduction to an irreducible source without changing CW(R). This lemma along with the above theorem on irreducible

sources proves Theorem 6.

Lemma 11 If a tree-PIN source with linear wiretapper

(ZV ,Zw) is not irreducible then there exists an irreducible

source (ZV , Zw) such that

CW(ZV ||Zw)(R) = CW(ZV ||Zw)(R),

H(Ye|mcf(Ye,Zw)) = H(Ye),

for all e ∈ E. ✷

PROOF Since (ZV ,Zw) is not irreducible, there exists an edge

e ∈ E such that Ge := mcf(Ye,Zw) is a non-constant

function. Similar to the proof of Lemma 11, we linearly

transform Ye and Zw to (Ge, Ye) and (Ge, Zw), respectively

where H(Ye) = H(Ye|mcf(Ye,Zw)). Let us consider a new

tree-PIN source ZV , which is the same as ZV except that Ye

and ne are associated to the edge e, and the wiretapper side

information is Zw. Note that (ZV , Zw) is also a tree-PIN source

with linear wiretapper, and Ge is independent of (ZV , Zw). Since any valid scheme on reduced model (ZV , Zw) can be

used as a valid scheme on original model (ZV ,Zw), we have

CW(ZV ||Zw)(R) ≥ CW(ZV ||Zw)(R).

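To prove the reverse inequality, CW(ZV ||Zw)(R) ≤ CW(ZV ||Zw)(R), let $(F^{(n)}, K^{(n)})$ be an SKA scheme achieving CW(ZV ||Zw)(R) =: CW(R). It means that for $\epsilon_n \to 0$,

$$\left| \frac{1}{n} H(F^{(n)}) - R \right| < \epsilon_n, \qquad \left| \frac{1}{n} H(K^{(n)}) - C_W(R) \right| < \epsilon_n,$$

$$I(K^{(n)} \wedge Z^n_w, F^{(n)}) < \epsilon_n, \qquad \Pr\left[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \right] < \epsilon_n.$$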

Note that the condition $I(K^{(n)} \wedge Z^n_w, G^n_e, F^{(n)}) = I(K^{(n)} \wedge Z^n_w, F^{(n)}) < \epsilon_n$ implies that $I(K^{(n)} \wedge Z^n_w, F^{(n)} | G^n_e) < \epsilon_n$ and $I(K^{(n)} \wedge G^n_e) < \epsilon_n$, which in turn imply that $H(K^{(n)}) - H(K^{(n)} | G^n_e) < \epsilon_n$ and $\left| \frac{1}{n} H(K^{(n)} | G^n_e) - C_W(R) \right| < 2\epsilon_n$. The last inequality follows from the triangle inequality. Since $\frac{1}{n} H(F^{(n)} | G^n_e) \le \frac{1}{n} H(F^{(n)})$ and $\frac{1}{n} H(F^{(n)}) \to R$, we have $\limsup \frac{1}{n} H(F^{(n)} | G^n_e) \le R$. We just restrict to the subsequence whose limit achieves limsup and with an abuse of notation we still index this sequence with n. Let $\lim \frac{1}{n} H(F^{(n)} | G^n_e) := R - \gamma$ for some γ ≥ 0.

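Now we will find a best realization of $G^n_e$ for which the SKA scheme $(F^{(n)}, K^{(n)})$ has desired properties. From all the above conditions, we have

$$\left| \frac{1}{n} H(F^{(n)} | G^n_e) - (R - \gamma) \right| + \left| \frac{1}{n} H(K^{(n)} | G^n_e) - C_W(R) \right| + I(K^{(n)} \wedge Z^n_w, F^{(n)} | G^n_e) + \Pr\left[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \right] < 5\epsilon_n.$$

We can rewrite it as

$$\sum \Pr(G^n_e = g^n_e) \left\{ \left| \frac{1}{n} H(F^{(n)} | G^n_e = g^n_e) - (R - \gamma) \right| + \left| \frac{1}{n} H(K^{(n)} | G^n_e = g^n_e) - C_W(R) \right| + I(K^{(n)} \wedge Z^n_w, F^{(n)} | G^n_e = g^n_e) + \Pr\left[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \,\middle|\, G^n_e = g^n_e \right] \right\} < 5\epsilon_n.$$

Since the average is less than $5\epsilon_n$, there exists a realization $G^n_e = g^n_e$ such that

$$\left| \frac{1}{n} H(F^{(n)} | G^n_e = g^n_e) - (R - \gamma) \right| + \left| \frac{1}{n} H(K^{(n)} | G^n_e = g^n_e) - C_W(R) \right| + I(K^{(n)} \wedge Z^n_w, F^{(n)} | G^n_e = g^n_e) + \Pr\left[ \exists j \in V \text{ s.t. } K^{(n)}_j \ne K^{(n)}_1 \,\middle|\, G^n_e = g^n_e \right] < 5\epsilon_n. \tag{48}$$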

Therefore, each term in the summation is less than $5\epsilon_n$. Now we can use the scheme $(F^{(n)}, K^{(n)})$ corresponding to a fixed $G^n_e = g^n_e$ on the reduced model (ZV , Zw). From (48), we can say that it is a valid SKA scheme on (ZV , Zw) with a key rate of CW(R) and a communication rate of (R − γ). Thus,

CW(ZV ||Zw)(R) = CW(R)

≤ CW(ZV ||Zw)(R − γ)

≤ CW(ZV ||Zw)(R),

where the first inequality is due to the fact that capacity is the maximum of all the achievable rates at a communication rate of (R − γ), and the last inequality follows from the monotonicity of the CW(R) curve. This shows that CW(ZV ||Zw)(R) = CW(ZV ||Zw)(R). Therefore, we can repeat this process until the source becomes irreducible without affecting CW(ZV ||Zw)(R). ∎

The result of Theorem 6 follows by putting the above lemma

and theorem together.


APPENDIX E

PROOF OF THEOREM 7

Some of the steps in the proof are analogous to the proof

for the two-user case, [11, Theorem 4]. The new component

of the theorem is the identification of a connection between

the positivity of CW and the non-maximality of RL of a

transformed source. Since most of the essential ideas of the

two-user setting work even in the multiuser case, we only

give proof sketches for these analogous steps. However, the new arguments are described in detail.

The statement 3) implies 4) is trivial. So it is enough to

show that 1) implies 2), 2) implies 3), and 4) implies 1).

1) implies 2): We prove this by following an approach that

is similar to that of the two-user case. First, using the sets

given in 1), we construct a new source (ZV , Zw) by applying

some functions to the user random variables of the source

$(Z^r_V, Z^r_w)$. Then, we show that CW(ZV ||Zw) > 0 which in

turn implies that CW(ZV ||Zw) > 0 because any SKA scheme

on the source (ZV , Zw) is an SKA scheme on (ZV ,Zw). To

prove CW(ZV ||Zw) > 0 using condition 1), we use the lower

bound of Theorem 1 and Lemma 5 for the new source.

Let $(Z_1, \dots, Z_m, Z_w)$ be a function of $(Z^r_1, \dots, Z^r_m, Z^r_w)$ obtained by setting $Z_i = 1$ if $Z^r_i \in A_{i1}$, $Z_i = 2$ if $Z^r_i \in A_{i2}$ and $Z_i = 3$ if $Z^r_i \notin A_{i1} \cup A_{i2}$ for 1 ≤ i ≤ m, and $Z_w = Z^r_w$. Let $p_{j_1 \dots j_m} := \Pr(Z_1 = j_1, \dots, Z_m = j_m) = \Pr(Z^r_1 \in A_{1 j_1}, \dots, Z_m \in A_{m j_m})$ for all $(j_1, \dots, j_m) \in \{1, 2\}^m$. The condition in 1) is equivalent to the condition

$$D_{\frac{1}{2}}\left( P_{Z_w}(\cdot | Z_1 = 1, \dots, Z_m = 1) \,\|\, P_{Z_w}(\cdot | Z_1 = 2, \dots, Z_m = 2) \right) < \log \frac{p_{1,1,\dots,1}\, p_{2,2,\dots,2}}{\dfrac{\sum_{(j_1,\dots,j_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p_{j_1,\dots,j_m}\, p_{3-j_1,\dots,3-j_m}}{2}}.$$

We will show that the above condition implies

$$H(Z^n_V | Z^n_w, Z^n_V \in A_1 \times \cdots \times A_m) > R_{CO}(Z^n_V | Z^n_V \in A_1 \times \cdots \times A_m) \tag{49}$$

for some integer n, and a non-empty set $A_1 \times \cdots \times A_m$, where $A_i \subset \{1, 2\}^n$ for all i ∈ V. Because of the following argument, inequality (49) implies that CW(ZV ||Zw) > 0, which further implies that CW(ZV ||Zw) > 0. Suppose that there is an integer n, and a non-empty set $A_1 \times \cdots \times A_m \subset \{1, 2\}^n \times \cdots \times \{1, 2\}^n$ such that (49) holds. Let $(Z^n_V, Z^n_w)$ be the source as defined in (18) using the source $(Z^n_V, Z^n_w)$ and the set $A_1 \times \cdots \times A_m$. Condition (49) can be written as $H(Z^n_V | Z^n_w) > R_{CO}(Z^n_V)$. For the new source, it follows from (7) that

$$R_L(Z^n_V \| Z^n_w) \le R_{CO}(Z^n_V).$$

Therefore, we have $H(Z^n_V | Z^n_w) - R_L(Z^n_V \| Z^n_w) \ge H(Z^n_V | Z^n_w) - R_{CO}(Z^n_V) > 0$. By combining this with Lemma 5, we get $H(Z^n_V | Z^n_w) - R_L(Z^n_V \| Z^n_w) \ge \Pr(E)[H(Z^n_V | Z^n_w) - R_L(Z^n_V \| Z^n_w)] > 0$. So we conclude that $H(Z_V | Z_w) - R_L(Z_V \| Z_w) = \frac{1}{n}[H(Z^n_V | Z^n_w) - R_L(Z^n_V \| Z^n_w)] > 0$. Hence, it follows from the lower bound of Theorem 1 that if $R_L(Z_V \| Z_w) < H(Z_V | Z_w)$ then CW(ZV ||Zw) > 0. Since the source (ZV , Zw) is obtained by processing (deterministically) each user observations of the source $(Z^r_V, Z^r_w)$, any positive rate secret key on (ZV , Zw) is also a positive rate secret key on $(Z^r_V, Z^r_w)$. Thus CW(ZV ||Zw) > 0 implies that $C_W(Z_V \| Z_w) = \frac{1}{r} C_W(Z^r_V \| Z^r_w) > 0$.

Now we will show that condition 1) implies (49). Consider the following repetition coding with block swapping: for an even integer n, let

$$\mathbf{1} := \underbrace{1 \dots 1}_{n/2} \underbrace{2 \dots 2}_{n/2}, \qquad \mathbf{2} := 2 \dots 2\, 1 \dots 1$$

and $A_i := \{\mathbf{1}, \mathbf{2}\}$, for 1 ≤ i ≤ m. Let us define $A_V := A_1 \times \cdots \times A_m$. It is enough to show that for large enough n,

$$H(Z^n_V | Z^n_w, Z^n_V \in A_V) > R_{CO}(Z^n_V | Z^n_V \in A_V). \tag{50}$$

Let $\mathcal{B} := 2^V \setminus \{\emptyset, V\}$, $\lambda^{(n)}$ be a fractional partition of $\mathcal{B}$, i.e., $\lambda^{(n)} : \mathcal{B} \to \mathbb{R}_+$ is such that $\sum_{i \in B} \lambda^{(n)}(B) = 1$ for every i ∈ V; and let $\Lambda^{(n)}$ be the set of all fractional partitions. The minimum rate of communication for omniscience [4, Sec. V] is given by

$$R_{CO}(Z^n_V | Z^n_V \in A_V) = \max_{\lambda^{(n)} \in \Lambda^{(n)}} \sum_{B \in \mathcal{B}} \lambda^{(n)}_B H(Z^n_B | Z^n_{B^c}, Z^n_V \in A_V).$$

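Though the optimal fractional partition seems to depend on n, because of the repetitive structure of the coding this dependence disappears. We can upper bound $R_{CO}$ as

$$\begin{aligned}
R_{CO}(Z^n_V | Z^n_V \in A_V) &= \max_{\lambda^{(n)} \in \Lambda^{(n)}} \sum_{B \in \mathcal{B}} \lambda^{(n)}_B H(Z^n_B | Z^n_{B^c}, Z^n_V \in A_V) \\
&= \sum_{B \in \mathcal{B}} \lambda^{*(n)}_B H(Z^n_B | Z^n_{B^c}, Z^n_V \in A_V) \\
&\le \sum_{B \in \mathcal{B}} H(Z^n_B | Z^n_{B^c}, Z^n_V \in A_V) \\
&\le (2^m - 2) \max_{i \in V} H(Z^n_{V \setminus i} | Z^n_i, Z^n_V \in A_V),
\end{aligned} \tag{51}$$

where we used in the first inequality that the optimal fractional partition $\lambda^{*(n)}_B$ is bounded above by 1 for all $B \in \mathcal{B}$, and in the last inequality that $H(Z^n_B | Z^n_{B^c}, Z^n_V \in A_V) \le \max_{i \in V} H(Z^n_{V \setminus i} | Z^n_i, Z^n_V \in A_V)$ for all $B \in \mathcal{B}$.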

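Let us further upper bound $(2^m - 2) \max_{i \in V} H(Z^n_{V \setminus i} | Z^n_i, Z^n_V \in A_V)$ as follows. Consider the term $H(Z^n_{V \setminus i_0} | Z^n_{i_0}, Z^n_V \in A_V)$ for some $i_0 \in V$. We know that

$$\Pr[Z^n_1 = \mathbf{k}_1, \dots, Z^n_m = \mathbf{k}_m] = p^{n/2}_{k_1 \dots k_m}\, p^{n/2}_{3-k_1 \dots 3-k_m}$$

for all $(\mathbf{k}_1, \dots, \mathbf{k}_m) \in \{\mathbf{1}, \mathbf{2}\}^m$, and for i ∈ V, $k_i$ denotes the first symbol in the sequence $\mathbf{k}_i$. Therefore, we get

$$\Pr[Z^n_1 = \mathbf{k}_1, \dots, Z^n_m = \mathbf{k}_m | Z^n_V \in A_V] = \frac{p^{n/2}_{k_1 \dots k_m}\, p^{n/2}_{3-k_1 \dots 3-k_m}}{\sum_{(j_1,\dots,j_m) \in \{1,2\}^m} p^{n/2}_{j_1 \dots j_m}\, p^{n/2}_{3-j_1 \dots 3-j_m}}.$$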

For $i_0 \in V$ and $(\mathbf{k}_1, \dots, \mathbf{k}_m) \in \{\mathbf{1}, \mathbf{2}\}^m$, we have

$$\Pr[Z^n_{V \setminus i_0} = \mathbf{k}_{V \setminus i_0} | Z^n_{i_0} = \mathbf{k}_{i_0}, Z^n_V \in A_V] = \frac{p^{n/2}_{k_1 \dots k_{i_0} \dots k_m}\, p^{n/2}_{3-k_1 \dots 3-k_{i_0} \dots 3-k_m}}{\frac{1}{2} \sum_{(j_1,\dots,j_m) \in \{1,2\}^m} p^{n/2}_{j_1 \dots j_m}\, p^{n/2}_{3-j_1 \dots 3-j_m}}$$

where the equality follows from the symmetry in the probabilities of the sequences $(j_1, \dots, k_{i_0}, \dots, j_m)$ and $(3-j_1, \dots, 3-k_{i_0}, \dots, 3-j_m)$. To compute the entropies, we make use of the grouping property of the entropy: For a probability vector $(q_1, q_2, \dots, q_s)$,

$$H(q_1, q_2, \dots, q_s) = H(q_1, q_2 + \cdots + q_s) + (q_2 + \cdots + q_s)\, H\!\left( \frac{q_2}{q_2 + \cdots + q_s}, \dots, \frac{q_s}{q_2 + \cdots + q_s} \right).$$

If $q_1 \in [0.5, 1]$, then $h(q_1) \le -2(1 - q_1) \log_2(1 - q_1)$, which implies $H(q_1, q_2, \dots, q_s) \le h(q_1) + (1 - q_1) \log_2(s - 1) \le (1 - q_1) \log_2(s - 1) - 2(1 - q_1) \log_2(1 - q_1)$. Note that because Renyi divergence is non-negative, the inequality in 1) implies that

$$p_{1 \dots 1}\, p_{2 \dots 2} > \frac{1}{2} \sum_{(j_1,\dots,j_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p_{j_1,\dots,j_m}\, p_{3-j_1,\dots,3-j_m}.$$

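So, by setting

$$q^{(n)}_1 := \frac{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2}}{\frac{1}{2} \sum_{(j_1,\dots,j_m) \in \{1,2\}^m} p^{n/2}_{j_1 \dots j_m}\, p^{n/2}_{3-j_1 \dots 3-j_m}} = \frac{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2}}{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2} + \frac{1}{2} \sum_{(j_1,\dots,j_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p^{n/2}_{j_1 \dots j_m}\, p^{n/2}_{3-j_1 \dots 3-j_m}},$$

which is greater than 1/2, we have for any $i_0 \in V$,

$$H(Z^n_{V \setminus i_0} | Z^n_{i_0}, Z^n_V \in A_V) \le (1 - q^{(n)}_1)\left( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \right), \tag{52}$$

where we replaced s by $2^{m-1}$. Notice that the bound is independent of $i_0$. Therefore, from (51) and (52), we have

$$R_{CO}(Z^n_V | Z^n_V \in A_V) \le (2^m - 2)\left[ (1 - q^{(n)}_1)\left( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \right) \right].$$

Because of the above inequality, it is enough to prove that condition 1) implies

$$H(Z^n_V | Z^n_w, Z^n_V \in A_V) > (2^m - 2)\left[ (1 - q^{(n)}_1)\left( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \right) \right]. \tag{53}$$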

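Now let us argue that condition 1) implies (53). Since

$$q^{(n)}_1 = \frac{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2}}{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2} + \frac{1}{2} \sum_{(k_1,\dots,k_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p^{n/2}_{k_1 \dots k_m}\, p^{n/2}_{3-k_1 \dots 3-k_m}} \ge \frac{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2}}{p^{n/2}_{1 \dots 1}\, p^{n/2}_{2 \dots 2} + \left( \frac{1}{2} \sum_{(k_1,\dots,k_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p_{k_1 \dots k_m}\, p_{3-k_1 \dots 3-k_m} \right)^{n/2}},$$

we have

$$\lim_{n \to \infty} (1 - q^{(n)}_1)^{\frac{1}{n}} \le \sqrt{\frac{\frac{1}{2} \sum_{(k_1,\dots,k_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p_{k_1 \dots k_m}\, p_{3-k_1 \dots 3-k_m}}{p_{1 \dots 1}\, p_{2 \dots 2}}}$$

and

$$\lim_{n \to \infty} (2^m - 2)^{1/n} \left[ (1 - q^{(n)}_1)\left( \log_2(2^{m-1} - 1) - 2 \log_2(1 - q^{(n)}_1) \right) \right]^{1/n} \le \sqrt{\frac{\frac{1}{2} \sum_{(k_1,\dots,k_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p_{k_1 \dots k_m}\, p_{3-k_1 \dots 3-k_m}}{p_{1 \dots 1}\, p_{2 \dots 2}}}. \tag{54}$$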

For the asymptotics of the conditional entropy term, we can use the same idea of hypothesis testing at the wiretapper side with $u_1 = (\mathbf{1}, \dots, \mathbf{1})$ and $u_2 = (\mathbf{2}, \dots, \mathbf{2})$ used in [11, Lemma 2] to get

$$\liminf_{n \to \infty} H(Z^n_V | Z^n_w, Z^n_V \in A_V)^{\frac{1}{n}} \ge \exp\left( -\frac{1}{2} D_{\frac{1}{2}}\left( P_{Z_w}(\cdot | Z_1 = 1, \dots, Z_m = 1) \,\|\, P_{Z_w}(\cdot | Z_1 = 2, \dots, Z_m = 2) \right) \right). \tag{55}$$

Since

$$D_{\frac{1}{2}}\left( P_{Z_w}(\cdot | Z_1 = 1, \dots, Z_m = 1) \,\|\, P_{Z_w}(\cdot | Z_1 = 2, \dots, Z_m = 2) \right) < \log \frac{p_{1,1,\dots,1}\, p_{2,2,\dots,2}}{\dfrac{\sum_{(i_1,\dots,i_m) \notin \{(1,\dots,1),(2,\dots,2)\}} p_{i_1,\dots,i_m}\, p_{3-i_1,\dots,3-i_m}}{2}},$$

we can conclude from (54) and (55) that for large enough n, (53) holds. This completes the proof of 1) implies 2).

2) implies 3): Since the proof follows the same argument as in the two-user case, we omit most of the details and give only those steps that involve different constants. Following are the multivariate analogues of [11, eq. (118) and eq. (124)]:

$$I(K_1, \dots, K_m \wedge Z^n_w, F^{(n)}) \le (m + 1)\delta + h(\delta)$$

and

$$\left\| P_{K_1,\dots,K_m,F^{(n)},Z^n_w} - P_{K_1,\dots,K_m} \cdot P_{F^{(n)},Z^n_w} \right\|_{TV} \le \sqrt{\frac{(m + 1)\delta + h(\delta)}{2}}.$$

Using the above inequalities, we get

$$\left\| P_{K_1,\dots,K_m,F^{(n)},Z^n_w} - \frac{1}{2} \mathbb{1}_{K_1 = \dots = K_m} \cdot P_{F^{(n)},Z^n_w} \right\|_{TV} \le \sqrt{\frac{(m + 1)\delta + h(\delta)}{2}} + 2\delta.$$

As δ can be made arbitrarily close to 0, the condition 3) follows.

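4) implies 1): To prove this, we need the multivariate analogue of [11, Lemma 3]. It says that for some sets $A_{11}, A_{12} \subset \mathcal{Z}^r_1$, $A_{21}, A_{22} \subset \mathcal{Z}^r_2$, …, $A_{m1}, A_{m2} \subset \mathcal{Z}^r_m$,

$$\frac{1}{2} D_{\frac{1}{2}}\left( P_{Z^r_w}(\cdot | E_{1,1,\dots,1}) \,\|\, P_{Z^r_w}(\cdot | E_{2,2,\dots,2}) \right) \le -\log(1 - 4\delta),$$

$$\frac{1}{2} \log \frac{\Pr(E_{1,\dots,1}) \Pr(E_{2,\dots,2})}{\dfrac{\sum_{(j_1,\dots,j_m) \notin \{(1,\dots,1),(2,\dots,2)\}} \Pr(E_{j_1,\dots,j_m}) \Pr(E_{3-j_1,\dots,3-j_m})}{2}} > \log\left( \frac{\left( \frac{1}{2} - 2\delta \right)}{2\delta \sqrt{2^{m-1} - 1}} \right)$$

where $E_{j_1,\dots,j_m}$ denotes the event $Z^r_1 \in A_{1 j_1}, \dots, Z^r_m \in A_{m j_m}$ for $(j_1, \dots, j_m) \in \{1, 2\}^m$ and $\delta := \left\| P_{K_1,\dots,K_m,F^{(r)},Z^r_w} - \frac{1}{2} \mathbb{1}_{K_1 = \cdots = K_m} \cdot P_{F^{(r)},Z^r_w} \right\|_{TV}$. The proof is similar to the two-user case with the following sets $A_{ij} = \{z^r_i : K_i(z^r_i, f) = j\}$ for all 1 ≤ i ≤ m and j ∈ {1, 2}, where $F^{(r)} = f$ is a realization of the public discussion such that $\delta > \left\| P_{K_1,\dots,K_m,Z^r_w | F^{(r)} = f} - \frac{1}{2} \mathbb{1}_{K_1 = \dots = K_m} \cdot P_{Z^r_w | F^{(r)} = f} \right\|_{TV}$. Since the condition in 4) implies that any $\delta \le \delta_1$ satisfies

$$-\log(1 - 4\delta) < \log\left( \frac{\left( \frac{1}{2} - 2\delta \right)}{2\delta \sqrt{2^{m-1} - 1}} \right),$$

the condition 1) follows.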

REFERENCES

[1] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, May 1993.

[2] R. Ahlswede and I. Csiszar, “Common randomness in information theory and cryptography—Part I: Secret sharing,” IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, Jul. 1993.

[3] R. Renner and S. Wolf, “New bounds in secret-key agreement: The gap between formation and secrecy extraction,” in Proc. EUROCRYPT (Lecture Notes in Computer Science), vol. 2656. Springer-Verlag, 2003, pp. 562–577.

[4] I. Csiszar and P. Narayan, “Secrecy capacities for multiple terminals,” IEEE Trans. Inf. Theory, vol. 50, no. 12, pp. 3047–3061, Dec. 2004.

[5] A. A. Gohari and V. Anantharam, “Information-theoretic key agreement of multiple terminals—Part I,” IEEE Trans. Inf. Theory, vol. 56, no. 8, pp. 3973–3996, Aug. 2010.

[6] C. Chan, “Linear perfect secret key agreement,” in Proc. IEEE Inf. Theory Workshop (ITW), Paraty, Brazil, Oct. 2011, pp. 723–726.

[7] ——, “Delay of linear perfect secret key agreement,” in Proc. 49th Annu. Allerton Conf. Commun. Contr. Comput., Monticello, IL, USA, Sep. 2011, pp. 1128–1135.

[8] C. Chan, N. Kashyap, P. K. Vippathalla, and Q. Zhou, “One-shot perfect secret key agreement for finite linear sources,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Paris, France, Jul. 2019, pp. 947–951.

[9] S. Nitinawarat, C. Ye, A. Barg, P. Narayan, and A. Reznik, “Secret key generation for a pairwise independent network model,” IEEE Trans. Inf. Theory, vol. 56, no. 12, pp. 6482–6489, Dec. 2010.

[10] S. Nitinawarat and P. Narayan, “Perfect omniscience, perfect secrecy, and Steiner tree packing,” IEEE Trans. Inf. Theory, vol. 56, no. 12, pp. 6490–6500, Dec. 2010.

[11] A. Gohari, O. Gunlu, and G. Kramer, “Coding for positive rate in the source model key agreement problem,” IEEE Trans. Inf. Theory, vol. 66, no. 10, pp. 6303–6323, Oct. 2020.

[12] V. Prabhakaran and K. Ramchandran, “On secure distributed source coding,” in Proc. IEEE Inf. Theory Workshop (ITW), Tahoe City, CA, USA, Sep. 2007, pp. 442–447.

[13] D. Gunduz, E. Erkip, and H. V. Poor, “Lossless compression with security constraints,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Toronto, ON, Canada, Jul. 2008, pp. 111–115.

[14] J. Villard and P. Piantanida, “Secure multiterminal source coding with side information at the eavesdropper,” IEEE Trans. Inf. Theory, vol. 59, no. 6, pp. 3668–3692, Jun. 2013.

[15] W. Tu and L. Lai, “On function computation with privacy and secrecy constraints,” IEEE Trans. Inf. Theory, vol. 65, no. 10, pp. 6716–6733, Oct. 2019.

[16] T. Han and K. Kobayashi, “A dichotomy of functions F(X, Y) of correlated sources (X, Y) from the viewpoint of the achievable rate region,” IEEE Trans. Inf. Theory, vol. 33, no. 1, pp. 69–76, Jan. 1987.

[17] A. Orlitsky and J. R. Roche, “Coding for computing,” IEEE Trans. Inf. Theory, vol. 47, no. 3, pp. 903–917, Mar. 2001.

[18] N. Ma and P. Ishwar, “Some results on distributed source coding for interactive function computation,” IEEE Trans. Inf. Theory, vol. 57, no. 9, pp. 6180–6195, Sep. 2011.

[19] H. Tyagi, P. Narayan, and P. Gupta, “When is a function securely computable?” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6337–6350, Oct. 2011.

[20] M. H. Yassaee, A. Gohari, and M. R. Aref, “Channel simulation via interactive communications,” IEEE Trans. Inf. Theory, vol. 61, no. 6, pp. 2964–2982, Jun. 2015.

[21] D. Data, G. R. Kurri, J. Ravi, and V. M. Prabhakaran, “Interactive secure function computation,” IEEE Trans. Inf. Theory, vol. 66, no. 9, pp. 5492–5521, Sep. 2020.

[22] M. Yan and A. Sprintson, “Algorithms for weakly secure data exchange,” in Proc. Int. Symp. Netw. Coding (NetCod), Calgary, AB, Canada, Jun. 2013, pp. 1–6.

[23] T. A. Courtade and T. R. Halford, “Coded cooperative data exchange for a secret key,” IEEE Trans. Inf. Theory, vol. 62, no. 7, pp. 3785–3795, Jul. 2016.

[24] C. Chan, M. Mukherjee, N. Kashyap, and Q. Zhou, “On the optimality of secret key agreement via omniscience,” IEEE Trans. Inf. Theory, vol. 64, no. 4, pp. 2371–2389, Apr. 2018.

[25] M. Mukherjee, N. Kashyap, and Y. Sankarasubramaniam, “On the public communication needed to achieve SK capacity in the multiterminal source model,” IEEE Trans. Inf. Theory, vol. 62, no. 7, pp. 3811–3830, Jul. 2016.

[26] A. Poostindouz and R. Safavi-Naini, “Wiretap secret key capacity of tree-PIN,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Paris, France, Jul. 2019, pp. 315–319.

[27] A. El Gamal and Y.-H. Kim, Network Information Theory. Cambridge, U.K.: Cambridge Univ. Press, 2011.

[28] C. Chan, M. Mukherjee, N. Kashyap, and Q. Zhou, “Multiterminal secret key agreement at asymptotically zero discussion rate,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Vail, CO, USA, Jun. 2018, pp. 2654–2658.

[29] C. Chan, N. Kashyap, P. K. Vippathalla, and Q. Zhou, “Secure information exchange for omniscience,” in Proc. IEEE Int. Symp. Inf. Theory (ISIT), Los Angeles, CA, USA, Jun. 2020, pp. 966–971.

[30] C. Chan, M. Mukherjee, N. Kashyap, and Q. Zhou, “Upper bounds via lamination on the constrained secrecy capacity of hypergraphical sources,” IEEE Trans. Inf. Theory, vol. 65, no. 8, pp. 5080–5093, Aug. 2019.

[31] P. K. Vippathalla, C. Chan, N. Kashyap, and Q. Zhou, “Secret key agreement and secure omniscience of tree-PIN source with linear wiretapper,” 2021. [Online]. Available: https://arxiv.org/abs/2102.01771

[32] N. Bourbaki, Elements of Mathematics: Algebra I. Berlin, Germany: Springer-Verlag, 1989.