The problem of secret key agreement between two users was formulated close to thirty years ago in [2, 3], following a counter-intuitive result pointed out in  that two users can extract a longer secret key from their private observations by discussing in public. In particular, under the basic source model where two users observe i.i.d. sequences of the private correlated random sources, say and , respectively, the maximum secret key rate, referred to as the secrecy capacity, is equal to the mutual information between the correlated sources. If the users cannot discuss in public, the problem reduces to the one considered in , where the capacity is the entropy of the maximal common function of the correlated sources, referred to as the Gács–Körner common information . It should be mentioned that a more general setting considers a wiretapper with side information, say , in addition to listening to the entire public discussion, but there is hitherto no single-letter characterization of the capacity except in the special case when the discussion is one-way [3, Theorem 1]. Nevertheless, extensions of the model beyond the two-user case are of practical and theoretical interests because, as can been seen from the results in [6, 7, 1], the problem calls for multivariate extensions of various well-known information measures in the bivariate case, including Shannon’s mutual information, Gács–Körner common information and Wyner common information .
The simplest extension of secret key agreement beyond two users is by , which, in addition to the two active users who attempt to share a secret key, introduces a helper who can help discuss in public but need not share the secret key. The general multiterminal setting was subsequently formulated in , allowing arbitrary numbers of active users and helpers. There are also untrusted helpers whose observations may be leaked to the wiretapper. In the case without wiretapper’s side information, and when the public discussion is interactive and unlimited in rate, the secrecy capacity has a single-letter characterization in . The capacity was studied and proposed in [11, 6] as an extension of Shannon’s mutual information to the multivariate case, with application to data clustering in . A theoretically appealing characterization using the residual independence relation can be found in [6, Theorem 5.1]. The model in  considers a new scenario where a proper subset of active users are silent, i.e., not allowed to discuss in public, but the model does not have helpers. Similar to , the capacity was characterized  in the case with unlimited public discussion and without wiretapper’s side information. For the setting with helpers in addition to silent active users, the capacity is characterized in [14, Theorem 5.1] (the longer version of ). Once again, no characterization is known for the case with wiretapper’s side information. Even the case with two users remains unsolved beyond one-way discussion.
Another challenge is to characterize the capacity as a function of the public discussion rates. For the two-user case with one-way discussion, the capacity was characterized in [9, Theorem 2.6], extending the result in  for unlimited one-way discussion. A more explicit characterization was also derived for Gaussian sources in [15, 16]. When the discussion is asymptotically zero, the capacity reduces to the Gác–Körner common information in the two user case, which can be achieved with no discussion. The characterization also applies to the two-user case with interactive discussion as a consequence of the more general characterization of the capacity in  as a function of the public discussion rates. For the multiterminal case without helpers nor silent users, it was conjectured in  that the capacity is equal to a multivariate extension of the Gác–Körner common information, which can be achieved again without any discussion. However, the conjecture remains open except for the special finite linear source models .
In this work, we aim to resolve the conjecture and characterize the secrecy capacity for the general source model with interactive discussion at asymptotically zero discussion rate in the presence of wiretapper’s side information, helpers and silent users. The problem covers the case when no discussion is allowed, i.e., when all users are silent. To the best of our knowledge, no existing models or results directly cover the problem in such generality. In particular, the model in  and  do not cover the case where all users are silent as the proof technique relies on having at least one user with unbounded discussion rate. There is also no obvious multiterminal extension of the capacity characterizations in the case of two active users [3, 9, 17], especially the converse proofs that rely on the Csiszár-sum identity. Furthermore, the characterization  for interactive discussion does not involve wiretapper’s side information. The characterization in  is based on the idea of  that uses the interactive source coding result of 
. The characterization is hard to evaluate as it involves a large number of auxiliary random variables that grows in the number of rounds of interactive discussion, which may go unbounded. There are other bounding techniques for the multiterminal secrecy capacity such as the lamination bound in[20, Theorem 4.3] and the helper-set bound in [20, Theorem 4.1]. However, lamination does not extend beyond hypergraphical sources, while the helper-set bound was shown to be loose for a simple example in [20, Fig. 2] at asymptotically zero discussion rate. Despite all these challenges, we found that the capacity at asymptotically zero discussion has a simple characterization and resolved the previous conjecture in the affirmative as a special case.
Ii Problem formulation
We shall consider the multiterminal source model for secret key generation introduced in , which is specified by a finite set of users and a discrete memoryless multiple source
taking values in the finite alphabet , and distributed jointly according to . We remark here that we will be using the sans serif font for random variables and the normal font for their alphabet sets. The secret key agreement can be broken into a sequence of phases as follows.
In the private observation phase, each user observes i.i.d. samples of the th component source . In the private randomization phase, user can generate a private random variable independent of the private sources . Altogether
where .111The private randomization variables may be continuous. To agree upon a secret key, all users except for a subset of silent users are allowed to communicate interactively over a public noiseless channel during the public communication phase. This implies that the communication sent by some user may depend on its accumulated observations. More precisely, at the -th instant where for some chosen integer , some vocal user broadcasts a message as a function of the previous messages and the private observation of the user , i.e.,
For convenience, we denote the entire sequence of public messages by
The rate of the public communication is given by , where is the range of .
Following the public communication, a predetermined subset of users need to agree upon a secret key taking values in the set . We also assume that another predetermined subset , , of users are being tapped by the wiretapper. The set is referred to as the set of active users, the set is called the set of untrusted helpers, whereas the users in will be referred to as the trusted helpers. We remark that each user in must be able to recover from its accumulated observations. On the other hand, any wiretapper listening to the public communication and having access to the untrusted helpers’ observation, should be oblivious to . In other words, we want to be ‘almost independent’ of . More precisely, we need to satisfy the following recoverability and secrecy constraints: There exists some functions , for , such that
The rate of the secret key is defined to be . We define the secrecy capacity with a total communication rate by
We are interested in characterizing , namely, the secrecy capacity with asymptotically zero discussion rate. It is important to point out that our formulation covers the model with wiretapper’s side information by the sources of the silent untrusted helpers. This is because having a wiretapper observe some side information directly is equivalent to having the wiretapper observe it through the source of a silent untrusted helper. Since a silent untrusted user cannot discuss, its knowledge of the side information cannot affect the secrecy capacity. The formulation also cover the case with no discussion by allowing to be the entire set , unlike [13, 14] which require the to be a proper subset of .
We should remark here that the secrecy constraint appearing in (2b) is referred to as weak secrecy in the literature. Several works including  study a stronger secrecy criteria, referred to as strong secrecy, obtained by removing the term from (2b). Our results are valid for both the weak secrecy and the strong secrecy criteria. We choose to define secrecy using the weak secrecy criteria since the main bottleneck in our proof is the converse part, i.e., obtaining an upper bound on . Noting that a key satisfying strong secrecy will by default satisfy weak secrecy, an upper bound on defined using weak secrecy will therefore automatically translate to an upper bound on defined using strong secrecy.
Iii Main results
The main result is the following single-letter characterization of the secrecy capacity at asymptotically zero discussion rate, in the presence of active users , trusted helpers , untrusted helpers and silent users :
The secrecy capacity at asymptotically zero discussion rate is
where is a solution to
Furthermore, the capacity can be achieved with no discussion.
Note that the capacity does not depend on , i.e., the capacity remains unchanged whether a user is silent or not. This is consistent with the fact that the capacity can be achieved without discussion. Furthermore, notice that the capacity does not depend on the sources of the trusted helpers because the solution to (2) depends only on the sources of the active users. In other words, the capacity remains unchanged even if the trusted helpers were removed, i.e., with reassigned as . This is expected because, according to the secret key agreement protocol, helpers need not share the secret key but may help improve the secrecy capacity via public discussion. However, the fact that the capacity can be achieved with no discussion means that the trusted helpers cannot improve the capacity by discussion. Similarly, untrusted helpers cannot increase the capacity by discussion but their presence may diminish the capacity because the capacity with untrusted helpers is no larger than the capacity without untrusted helpers. This is again expected because the sources of the untrusted helpers are leaked to the wiretapper, and so the common randomness between and cannot be used for the secret key.
in (2) is a multivariate extension of the Gács-Körner common information first introduced by Gács and Körner in  for the case of two users. The optimal is unique up to bijections and referred to as the maximal common function (m.c.f.) of for . The fact is called a common function is because the constraint in (2) implies for some function . It is called maximal because, if there exists another common function that is not a function of , i.e., , then , leading to the contradiction that is a strictly better solution to (2). Once again, the fact that the capacity can be achieved with no discussion is consistent with its characterization via the maximal common function that every active user can compute from their source without discussion. We remark that, while it is obvious the characterization of the capacity is achievable with no discussion, proving that the characterization is the best achievable rate is non-trivial, especially when public discussion, albeit of zero rate, is allowed. We will give the proof of the main result in Appendix A, and an alternative proof for the case with no discussion in Appendix C to explain the non-triviality involved in handling the case with public discussion.
While a single-letter characterization is widely accepted as a computable solution in Information Theory, the computation is often very difficult due to optimization over auxiliary random variables such as the maximal common function in our case. For the characterization to be useful, it is important to be able to compute it efficiently. Fortunately, there does exist a systematic method called the ergodic decomposition to compute the Gác–Körner common information , and such a method can be directly extended to the multivariate case using an inductive argument, similar to the inductive proofs in the appendix. However, the computation is exponential in the number of random variables, and it is hard to give an explicit expression for the Gác–Körner common information for large networks. For the remainder of this section, we introduce a broad class of correlated random sources, called the finite linear source model, and give a polynomial-time computable expression for the maximal common function and therefore the secrecy capacity.
Definition 1 ()
A source is said to be a finite linear source if its component can be written up to bijections222Two random variables and are said to be bijections of each other iff . as
is a uniform random vector with elements taking values from some finite field, and is a deterministic matrix with elements from .
For finite linear sources, the solution to (2), i.e., the m.c.f. of for , is given by
where is a matrix whose column space is
namely the intersection of the column spaces of all for . is also the maximum common subspace equal to .
Therefore, the Gác–Körner common information is given by
namely the dimension of the maximum common subspace in bits.
where is a matrix whose column space satisfies (5). We conclude this section by giving an example of a finite linear source and computing its Gác–Körner common information.
Let , , and be uniformly random and independent bits. Consider (), and set
This is a finite linear source because, with ,
is uniformly distributed over. Note also that by (1).
Before computing in (4), notice that does not have full column rank because the last column is the sum of the first two. We may remove the last column and consider instead
To compute , note that the null space of is spanned by with . Therefore, the matrix
spans the desired intersection . Hence, . Hence, by (6), we have .
The primary goal of multiterminal secret key agreement is to understand how users should discuss to share a secret key not known to a wiretapper. By characterizing the secrecy capacity as a function of the public discussion rates of individual users, we gained valuable insights of the theoretical limits and the achieving schemes. The characterization of upper and lower bounds also inspired meaningful information measures and their properties applicable to other related problems. Despite the challenges of characterizing the capacity in the two-user case under the basic source model, we obtained a simple and meaningful characterization by requiring the discussion rate to go to zero asymptotically. The characterization is a result of a better understanding of the Gács–Körner common information and its appropriate multivariate extension.
In contrast to the result  that public discussion improves the secret key rate, our work conveys the opposite message that one cannot improve the secret key rate by public discussion at asymptotically zero discussion rate. Despite such a negative result, our work demonstrates how one can characterize the secrecy capacity in the multiterminal case with public discussion at limited rate. While this work focuses on asymptotically zero discussion rate, the proof techniques can be extended to the case with strictly positive discussion rate. There are various existing bounds on the secret capacity for positive discussion rate but they have obvious limitations. For the multiterminal setting, the best upper bounds are the helper-set bound and lamination bounds in [20, 21]. While the helper-set bound is tight for a special class of pairwise independent networks (PIN) [20, Theorem 4.2], it is loose for a simple PIN [20, Fig. 2] at zero discussion rate. Our result is expected to improve the helper-set bound strictly because it characterizes the capacity at zero discussion rate. Even though the basic lamination bound [20, Theorem 4.3] is already tight for the general PIN model [20, Theorem 4.4], the lamination bound makes use of seemingly different techniques [21, Lemma A.1] that do not apply beyond hypergraphical sources, even to finite linear sources. Our result is expected to improve the helper-set bound for general sources. It may potentially lead to a unified bound that covers the lamination bound for hypergraphical sources and also the lower bound for communication complexity in  via the Wyner common information.
It difficult to extend our result to give a single-letter characterization for positive discussion rates as the two-user case remains unsolved . However, we believe it is possible to resolve the conjecture in  that the decremental secret key agreement scheme in  achieves the capacity for hypergraphical sources. In particular, the resulting characterization of the communication complexity may be viewed as an asymptotic counter-part of that of  for non-asymptotic hypergraphical sources, but without the assumption that the discussion is linear. Note that the decremental secret key agreement scheme can be extended to the compressed secret key agreement scheme in . Therefore, a more general result applicable beyond hypergraphical sources would be an optimality condition for compressed secret key agreement that can be satisfied for any hypergraphical sources using decremental secret key agreement. We remark that the capacity was characterized for the PIN model [20, Theorem 4.4] only in the case without helpers, as the achieving scheme uses the tree-packing protocol , which is not optimal in the case with helpers. Hence, a less ambitious goal is to characterize the capacity for the PIN model with helpers.
Appendix A Proof of Theorem 1
In this section, we derive the characterization (1) of the secrecy capacity at asymptotically zero discussion rate and show that the capacity can be achieved with neither discussion nor private randomization. We first show the achievability, i.e., one can choose the secret key at rate with no public discussion while satisfying the recoverability and secrecy constraints in (II). By the balanced coloring Lemma [10, Lemma B.3]333We set , , and in [10, Lemma B.3] to , and a constant function respectively., there exists a choice of satisfying the conditions
The first equality implies the secrecy constraint (2b) while the recoverability constraint (2a) follows from the fact that is a common function computable by the active users with no discussion. The last equality implies that the secret key rate is as desired. This completes the proof of achievability.
For the converse proof, it suffices to consider the case without silent users, i.e., , because the bound for this case also applies to the case with silent users. Compared to the proof of achievability, the converse proof is more complicated and will be broken into two steps: We first prove for the case without untrusted helpers that ; Then, we consider the case with untrusted users and extend the result to prove in (1). More precisely, to make use of the result for the case without untrusted helpers, we will consider a change of scenario that turns untrusted helpers into trusted helpers. Roughly speaking, if is a feasible secret key for the original scenario with untrusted helpers, it is also a feasible secret key for the modified scenario. Since the key rate for the modified scenario with no untrusted helper is upper bounded by Gác–Körner common information, we can argue that goes to , i.e., the randomness in is primarily from that of the m.c.f. . This will imply the desired capacity upper bound for the original scenario with untrusted helpers because the randomness in cannot be used for the secret key.
We remark that our approach is different from the converse proof in  that handles the wiretapper’s side information, or equivalently, the source of silent untrusted helpers by the Csiszár-sum identity. It appears that the technique using Csiszár-sum identity is limiting and does not extend to the multiterminal setting involving more than two active users.
A-a Proof of converse without untrusted helpers
The converse proof for the case with untrusted helpers follows a similar single-letterization technique as in  and uses the following property of the m.c.f.:
For , the Markov conditions
imply the Markov condition
where is the m.c.f. of for .
The Lemma can be viewed as a multivariate extension of the double Markov inequality [28, Problem 16.25], which is the special case when and .
The Markov conditions (A1) means that and are independent given for all , i.e.,
It follows that
Note that on the left is possibly random because is. The above condition means that is a common function of for , and so it must be a function of the maximal common function by . (See also the explanation below (2).) Hence,
which implies the desired Markov condition (A2). The first equality is because is a function of . The last equality is because is a function of .
For the desired converse proof, we will apply the above Lemma with . More precisely, we will show that
and so (A3) implies the desired bound .
It remains to prove (A3). Let be uniformly distributed over and independent of everything else, namely . Define
By the secrecy constraint (2b), we have
where we use to denote a sufficiently large non-negative real number going to sufficiently slow as . Next, we will bound and as follows: On one hand,
where the second equality is because , for all , by the memorylessness (1) of the source. On the other hand, assuming without the loss of generality,
which, after rearrangement, leads to (a); (b) follows from the fact that
by the recoverability constraint (2a); (c) is because conditioning cannot increase entropy, and (d) is by the assumption that the discussion rate is asymptotically zero, i.e., . Therefore,
Since the discussion rate is asymptotically zero, we have for any
) of the private randomization; the third equality follows from the chain rule expansion and by the memorylessness (1) of the source. Therefore,
The above maximization is over all possible choices of . The solution exists because, using the Carathéodory-Fenchel-Eggleston Theorem, it can be argued that the support of can be bounded uniformly for all . (See for example [28, Lemmas 3.4, 3.5].) is also continuous in by the continuity of the entropy function 
for discrete random variables with finite alphabet sets. Hence,
which gives (A3) as desired.
We remark that the above derivation does not invoke the Csiszár-sum identity. The auxiliary random variable comes from , which is obtained by simple chain-rule expansion of the i.i.d. samples of the sources. We found that the problem of extending the single-letterization in  using Csiszár-sum identity is that the Csiszár-sum identity involves expanding the sources in only two directions, which does not allow for a common definition of auxiliary random variable in the case with more than two active users.
A-B Proof of converse with untrusted helpers
In this section, we extend the above converse proof for the case without untrusted helpers to the case with untrusted helpers, i.e., . The proof relies on a technical Lemma [30, Lemma 3.1] similar to the proof of a rather different result [30, Theorem 3.2] that the secret key can be chosen purely as a function of the source of any single active user.
Consider any feasible secret key and discussion at asymptotically zero rate satisfying the recoverability and secrecy constraints (II). Furthermore, assume without loss of generality and let
be the secret key estimate generated by user. It follows from the recoverability constraint (2a) and Fano’s inequality that
Again, we use to denote a non-negative real number that is sufficiently large and that goes to sufficiently slowly as goes to infinity.
Next, we modify the scenario by setting . , , , and remain unchanged. Instead of using to denote the block length, we will use as the block length where is a positive integer. To distinguish the modified scenario from the original scenario, we will denote the secrecy capacity of the modified scenario by instead of . Similarly, we will use and to denote the secret key and public discussion for the modified scenario. By the converse proof in the previous section, we have
We will show using the above bound that
and so, by the secrecy constraint (2b),
which implies , thereby establishing the desired result.
It remains to show (A9), which means that the randomness in comes primarily from the m.c.f. . Consider the modified scenario with . We first show that there exists a public discussion at asymptotically zero rate such that can be recovered by every active user asymptotically in , i.e.,
for some decoding functions . In particular, we choose where is the discussion in the original scenario, and is some additional discussion by user at asymptotically zero rate. Existence of such follows from [30, Lemma 3.1] by (A6).444We set , , and in [30, Lemma 3.1] to , , and respectively.
Note that is also recoverable by every active user since is their common function. We can then extract a secret key for the modified scenario from at rate . More precisely, by the balanced coloring Lemma [10, Lemma B.3], there exists a function of satisfying
where the first inequality implies the desired secrecy constraint for the modified scenario. By the last inequality and the capacity bound (A8) for the case without untrusted helpers, we have
We can further lower bound by , where the last inequality is because has zero rate asymptotically in . Rearranging the terms and letting goes to infinity, we have
Appendix B Proof of Theorem 2
To prove Theorem 2, we shall make use of the following technical Lemma.
For any finite linear , we have
where is a matrix satisfying .
By standard arguments in linear algebra, there exists matrices and such that
for . It follows that there is a bijection between and . To prove the Lemma, i.e., (B1), it suffices to show that
We will argue the stronger claim that , , and are mutually independent. Since is uniformly random by Definition 1, it suffices to show
The first equality implies is independent of , while the second equality means that is independent of as desired. The first equality holds by the construction of . The second equality holds because, otherwise, some column of is in but not in , contradicting the fact that
This completes the proof of the Lemma.
A interesting Corollary of the above Lemma is the following equivalence of bivariate Gác–Körner common information, Shannon mutual information, and Wyner common information.
It was shown in  that (B2) holds with equalities replaced by in general for any sources. For the finite linear source, the reverse inequalities will follow by showing that in Lemma B1 is a solution to both (B3) and (B4) because that implies and . is a solution to (B3) because it is a common function of and . is a solution to (B4) by (B1).