The problem of secret key generation between a pair of terminals was independently proposed by Maurer, and Ahlswede and Csiszár. The pair of terminals are allowed to interactively discuss in public over a noiseless broadcast channel in order to agree upon a secret key, which is to be secured from a passive eavesdropper who monitors the communication sent over the public channel. The problem was later extended to the case of multiple terminals observing correlated sources by Csiszár and Narayan. The quantity of interest in all of these works was the secrecy capacity, i.e., the maximum rate of a secret key that can be agreed upon by all the terminals. However, these works treated communication as a free resource, an assumption which does not hold in practical scenarios. In fact, Csiszár and Narayan showed using some examples that their communication for omniscience strategy used to achieve secrecy capacity may require strictly more communication than needed.
The first work to consider the effects of rate-limited communication on the secret key generation problem is due to Csiszár and Narayan . The authors derived a complete characterization of the key-rate versus communication-rate tradeoff for the two-terminal scenario where only one-way discussion is allowed. Later, Tyagi  looked at the problem of characterizing the communication complexity, i.e., the minimum rate of interactive communication needed to achieve the secrecy capacity, for two-terminal sources. He obtained a multi-letter expression for the communication complexity using the interactive common information, a quantity related to the Wyner common information , of the two sources. Tyagi left open the question of characterizing the key-rate versus interactive communication-rate tradeoff for two-terminal sources. This question was later partially addressed by Liu et al. , who gave a complete characterization of the key-rate versus communication-rate tradeoff for a fixed number of communication rounds, using the ideas of interactive source coding developed by Kaspi . A complete and computable characterization of the key-rate versus communication-rate tradeoff for two-terminal sources with no restriction on the number of communication rounds is still open. Liu et al. also studied the quantity , where is the maximum rate of secret-key with the rate of public discussion restricted to . Using the notion of a symmetric strong data processing constant, the authors derived the behaviour of the ratio in two regimes, when goes to , and when
is close to the secrecy capacity. While the above mentioned works all involve sources with finite alphabets, the case of Gaussian sources has also been considered. The characterization of the key-rate versus communication-rate tradeoff for two-terminal scalar and vector Gaussian sources has been carried out by Watanabe and Oohama in and .
While the problem for two-terminal sources has received a fair bit of attention, literature on the multiterminal scenario is scant. Attempts have been made to obtain bounds on the communication complexity for multiterminal sources in and . In , a lower bound on communication complexity has been derived by extending Tyagi’s definition of interactive common information to a multiterminal scenario. Upper bounds on communication complexity have been developed in using the idea of decremental secret key agreement . Another direction of investigation has been characterizing multiterminal sources for which the communication for omniscience protocol of Csiszár and Narayan is communication-rate-optimal for achieving secrecy capacity. A sufficient condition to check the optimality of the communication for omniscience was derived in , and extensions of this result to sources involving helpers, untrusted terminals, and silent terminals were carried out in . While the above mentioned works look at the near secrecy capacity regime, the zero communication-rate regime has been investigated in for the special case of finite linear sources.
In this paper, we study the key-rate versus communication-rate tradeoff for multiterminal sources. At the outset we must mention that a study of general multiterminal sources is difficult, and hence, we shall restrict our attention to a specific class of sources, namely, the hypergraphical source . To explain our choice, consider the following natural scenario for secret key agreement. Certain subsets of terminals already possess secrets shared locally among themselves, and the terminals must agree upon a globally shared secret through public discussion. Let us ask this simple question: How many bits of globally shared secret can be generated using locally shared secrets?
The scenario described can be viewed as a hypergraphical source. The hypergraphical source consists of certain subsets of terminals observing i.i.d. sequences of random variables, which can be thought of as the local secrets. Therefore, the answer to the question posed earlier is simply the secrecy capacity of the hypergraphical source. Hypergraphical sources also appeared in the coded cooperative data exchange (CCDE) problem , .
The main contribution of this work is obtaining upper bounds on the ratio for hypergraphical sources. Unlike earlier works on the two-terminal scenario, our results are not restricted to any particular regime and hold for every possible communication rate . The upper bounds on studied here are based on the fact that entropy is a submodular set function . Along with the specialized structure of the hypergraphical source, the submodularity of entropy enables us to define a ‘lamination’ procedure which serves as the key ingredient to derive our bounds. The lamination procedure we use essentially boils down to minimizing a weighted sum of submodular functions using Edmonds’ Greedy Algorithm [22, Theorem 44.3]. In particular, we obtain three different upper bounds to by laminating three different sums of entropies. The first of these bounds, which we shall call the edge-partition (EP) bound, gives us an exact characterization of the key-rate versus communication-rate tradeoff for the so-called pairwise independent network (PIN) model , , which is a special case of the hypergraphical source. The tightness of the EP bound for the PIN model is shown using the tree-packing protocol of Nitinawarat and Narayan . We would like to highlight that this is the first result which completely characterizes the key-rate versus communication-rate tradeoff for a large class of sources, without any restriction on the number of rounds of interactive communication. Also, the tradeoff does not involve any auxiliary random variables, and in fact, it can be expressed simply in terms of the size of the network. While the EP bound gives tight results for the PIN model, we show using an example that it can be loose for certain hypergraphical sources. To circumvent this issue, we derive our second upper bound, which we call the vertex-packing (VP) bound. 
Although the VP bound is tight for certain examples where the EP bound is loose, there are examples where the VP bound is loose but the EP bound is tight as well. To get the best of both the VP and EP bounds, we generalize them to obtain a third bound which we simply call the lamination bound.
The paper is organized as follows. Section II introduces the hypergraphical source and states the necessary definitions. Section III describes the tree-packing protocol for the PIN model. The main results of the paper, which include the EP bound, the VP bound, and the lamination bound are presented in Section IV. The contributions made by the paper, as well as future directions of research are summarized in Section V. The proofs of some of the technical results appear in the appendices.
II Problem Formulation
We consider the basic source model for multiterminal secret key agreement in but with no helpers and no wiretapper’s side information. It involves a finite set of at least users. Without loss of generality, we can set to be with . The users have access to a private (discrete memoryless multiple) source, which is denoted by the random vector
We assume that the random vector takes values from a finite set denoted by
Note that we use capital letters in sans serif font for random variables and the corresponding capital letters in the usual math italic font for the alphabet sets if there is no ambiguity.
denotes the joint distribution of the’s.
The users want to agree on a secret key via public discussion. As in , the protocol is divided into the following phases:
Private observation: Each user observes an -sequence
i.i.d. generated from the source for some block length .
Private randomization: Each user generates a random variable independent of the private source, i.e.,
For convenience, we denote the entire private observation of user as
Public discussion: Using a public authenticated noiseless channel, each user broadcasts a message in round for some positive integer number of rounds. The message is chosen as
which is a function of the accumulated observations of user , namely, his private observation defined in (2.2), and the previous discussion
where the first part consists of the previous messages broadcast in the same round, and the second part denotes the messages broadcast in the previous rounds. Without loss of generality, we have assumed that the interactive discussion is conducted in the ascending order of user indices. For convenience, we also write
to denote, respectively, the aggregate message from user and the aggregation of the messages from all users.
Key generation: A random variable , called the secret key, is required to satisfy the recoverability constraint that
for some function , and the secrecy constraint that
where denotes the finite alphabet set of possible key values.
It is desirable to have a large secret key rate but a small public discussion rate . Our goal is to characterize the optimal tradeoff between the secret key rate and the total discussion rate:
The curve for exists and is well-behaved with the following basic properties.
is continuous, non-decreasing and concave for .
Continuity is because the and in (2.4) always exist, since is bounded within . The monotonicity is obvious, and concavity follows from the usual time sharing argument.
As motivated in the introduction, we will restrict to the hypergraphical source model defined below:
Definition 2.2 (Definition 2.4 of )
is a hypergraphical source with respect to a hypergraph with edge set and edge function iff, for some mutually independent (hyper)edge (random) variables for , we can write
The weight function of a hypergraphical source is defined as
For convenience, we further make some mild assumptions on the hypergraphical sources we will consider:
Every edge variable is non-trivial, i.e., for all .
There exists at least one edge variable, i.e., .
No edge covers the entire set, i.e., for all .
The first assumption is without loss of generality, the second is to avoid triviality. The last assumption is for simplicity. (Footnote 1: It is possible to extend the results of this work to allow for edges covering the entire set: The corresponding edge variables can be used directly as the secret key after simple source compression, without any additional public discussion.) Note also that the two-user case is also trivial, with , and so we focus on the case .
An example of a hypergraphical source is as follows.
Let and be four uniformly random and independent bits. With , define
This is a hypergraphical source, illustrated in Fig. 1 with edge set , and edge function
The weight function has for equal to any of the subsets above, which form the support of , i.e., .
A simpler source model we shall also consider is the special hypergraphical source model when the hypergraph corresponds to a graph:
is a pairwise independent network (PIN) iff it is hypergraphical with edge function satisfying for all .
With , define
where are independent uniformly random bits. The private source is a PIN illustrated in Fig. 2 with edge set , edge function satisfying
and weight function
and otherwise. Hence, the support of is .
If there is no limit on the public discussion rate, the secrecy capacity, referred to as the unconstrained secrecy capacity, is defined and characterized in  as
where is the smallest rate of communication for omniscience, characterized in 
by the linear program
where we have used for notational convenience that
The inequalities in (3.3b) consist of the usual Slepian-Wolf constraints for source networks. The capacity-achieving scheme in  requires all users to recover the entire source (i.e., attain omniscience) by public discussion at the smallest total rate , and then extract the secret key from their recovered source at rate . Despite having exponentially many constraints, the linear program (III) can be computed in (strongly) polynomial-time [25, 26], and hence, so can .
For a PIN,
where is a non-negative integer; is a non-negative real number; is a spanning tree with edge set satisfying
Furthermore, the lower bound in (3.2a) achieves the unconstrained secrecy capacity.
Note that the feasible solutions to the lower bound in (3.2a) are called fractional tree packings because the constraint (3.2b) requires the total weights of all the trees covering each set to not exceed the weight . The achieving scheme is therefore called the tree-packing protocol. The unconstrained secrecy capacity is the fractional tree packing number.
It was left as an open problem in  whether the tree-packing protocol achieves the communication complexity . One may further ask whether the scheme achieves the constrained secrecy capacity for all . We resolve this in the affirmative in Theorem 4.2 by providing a matching converse. This idea can be motivated more concretely with the following example.
Consider the PIN model defined in (2.1). If user 2 reveals in public so that everyone can observe it, then user 3 can recover as . is a secret key bit generated by the public discussion because not only is recoverable by all users, with the recoverability constraint (2.1) being satisfied, but it is also uniformly random and independent of the public discussion , thus satisfying the secrecy constraint (2.2).
The above secret key agreement scheme is indeed a tree packing protocol. There is only one possible spanning tree, namely with . To satisfy the weight constraint (3.2b), we can set . Hence, it follows from (3.2a) that, for ,
It is easy to see that the capacity cannot exceed bit since user 1 observes at most bit in private, and bit of secret key is achievable by the above discussion scheme. The smallest rate of communication for omniscience is because there are bits of randomness in the source but user only gets to observe bit in private. It can be checked that the formula (3.2) relating and holds, and that the linear program (III) for is solved by the rate tuple for any . The bound (3.1) on communication complexity is . However, this bound is loose because the earlier capacity-achieving discussion is only bit, i.e., we have . It can be shown that the best existing lower bound from [12, 15] is , which is trivial. Hence, the existing results are not sufficient to characterize , let alone the constrained secrecy capacity .
It turns out that the lower bound (3.1) on for the current example is tight, which implies . Proving the reverse inequality is non-trivial and is the motivation of the techniques introduced in this work.
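The XOR discussion of the example above can be checked exhaustively. The following is an added example, not code from the paper: it verifies recoverability and measures the key, discussion and leakage entropies for the XOR scheme, next to a variant in which user 2 broadcasts the key bit in the clear. The concrete source (a three-user path PIN in which user 1 holds bit a, user 2 holds a and b, and user 3 holds b) and all names in the code are assumptions, chosen to be consistent with the single spanning tree noted above.

```python
from collections import Counter
from itertools import product
from math import log2

# Assumed source (constructed for this example): a three-user path PIN with
# independent uniform bits a, b; user 1 sees a, user 2 sees (a, b), user 3 sees b.
def observations(a, b):
    return {1: (a,), 2: (a, b), 3: (b,)}

# Two candidate one-round discussions. Each gives user 2's broadcast and
# user 3's decoder; users 1 and 2 read the key bit a from their own observation.
SCHEMES = {
    "xor":   {"send": lambda z2: z2[0] ^ z2[1], "decode3": lambda z3, f: z3[0] ^ f},
    "clear": {"send": lambda z2: z2[0],         "decode3": lambda z3, f: f},
}

def entropy(counts):
    """Shannon entropy in bits of the empirical distribution given by counts."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())

def analyse(name):
    """Enumerate the source and report recoverability, H(K), H(F) and I(K; F)."""
    scheme = SCHEMES[name]
    joint, key_marg, msg_marg = Counter(), Counter(), Counter()
    recoverable = True
    for a, b in product((0, 1), repeat=2):   # all four equiprobable outcomes
        z = observations(a, b)
        f = scheme["send"](z[2])             # public message, seen by the eavesdropper
        estimates = (z[1][0], z[2][0], scheme["decode3"](z[3], f))
        recoverable = recoverable and all(k == a for k in estimates)
        joint[(a, f)] += 1
        key_marg[a] += 1
        msg_marg[f] += 1
    h_key, h_msg = entropy(key_marg), entropy(msg_marg)
    return {
        "recoverable": recoverable,
        "key_bits": h_key,
        "discussion_bits": h_msg,
        "leakage_bits": h_key + h_msg - entropy(joint),  # mutual information I(K; F)
    }

if __name__ == "__main__":
    for name in SCHEMES:
        print(name, analyse(name))
```

Both schemes let every user recover the key with one bit of discussion, but only the XOR broadcast leaves the key independent of what the eavesdropper observes.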
IV Main results
Unless otherwise stated, all the results apply to the hypergraphical source model in Definition 2.2 with the additional assumptions stated after that. We will also consider the non-trivial case involving users. For ease of understanding, we will present the most general result towards the end of this section, after introducing some of its simpler variants which already give tight characterizations of the capacities for simple hypergraphical sources.
IV-A Edge-partition bound
Let be the collection of partitions of into at least two non-empty disjoint sets.
Theorem 4.1 (EP bound)
For any partition , an upper bound on the constrained secrecy capacity (2.3) is given by
This is called the edge-partition (EP) bound.
See Appendix A
Note that we did not incorporate the obvious upper bound into (4.1) to avoid distraction. This obvious upper bound will also be implicit in the subsequent results. The name “edge-partition bound” is because the critical component of the bound is obtained by partitioning the edges of the hypergraph. More precisely, in the numerator of in (4.1b), the expression is the collection of subsets in the partition that intersects the incident nodes of an edge . The size of this collection minus is the number of times cuts across the edge . Therefore, the numerator of is the maximum number of times can cut across an edge of the hypergraphical source. The denominator is the number of cuts across the entire vertex set . Hence, is a ratio no larger than , with equality if there is an edge that covers the entire vertex set, i.e., .
An example that illustrates the EP bound is as follows.
Consider the hypergraphical source defined in (2.1). (See Fig. 1.) We will compute the tightest EP bound among all possible values of the partition . Consider the case , namely, the singleton partition . The following matrix lists the non-zero values of the indicator function for different edges and blocks of the partition.
The last row gives the column sums, which corresponds to the values of . The maximum value is , and so
For with , there are possible partitions. The values of can be computed similarly. It can be checked that and so
This gives a looser EP bound compared to the previous case with as it can be observed from the EP bound (4.1) that a smaller value of gives a tighter bound.
Similarly, for with , it can be shown that and so , which again cannot give a better EP bound than the case with . Hence, with , we have the tightest EP bound
which gives .
Although the EP bound can be computed efficiently given a particular choice of the partition , it is unclear how to efficiently compute the optimal partition that gives the tightest EP bound. As we shall see in the next section, the EP bound is also loose for the above example.
Nevertheless, when restricted to the PIN model in Definition 2.3, the optimal partition turns out to be the partition into singletons. The tightest EP bound gives a complete and surprisingly simple characterization of the constrained secrecy capacity, which is also achieved by the tree-packing protocol described in Proposition 3.1 and illustrated in Example 3.1.
For the PIN model, the constrained secrecy capacity is
for the case of interest when . It follows that the communication complexity defined in (3.1) is .
The optimal tradeoff does not depend on the topology of the PIN model, and is characterized simply by the size of the network.
The converse follows from (4.1) with . More precisely, the maximization in the numerator of is always equal to as it is the number of incident nodes of an edge. Hence, , and so, the EP bound gives
For the PIN defined in (2.1), for instance, the bound (3.1) of is the precise characterization given by the above equation (4.1). As discussed, the tradeoff does not depend on the topology. To illustrate, another -user example is as follows.
Consider a triangle PIN with and
The capacity is achievable by the tree-packing protocol with the following fractional solution
Applying (4.1), we have
The tradeoff is the same as for the PIN defined in (2.1). Note that unlike Example 3.1, the characterization of for this example can be obtained using an existing technique in by showing the optimality of omniscience.
IV-B Vertex-packing bound
Although the EP bound is tight for the PIN model, with , it can be loose in general. In particular, the following result will give a tighter upper bound on for the hypergraphical source considered earlier in Example 4.1.
Theorem 4.3 (VP bound)
For any ,
This is called the vertex-packing (VP) bound.
See Appendix B.
Note that the name of the bound comes from the fact that the feasible solution to the above linear program (4.3b) is a fractional collection of the vertices that can be packed into the hyperedges. We will show below that the VP bound can be tighter than the tightest EP bound obtained in Example 4.1. Note also that the VP bound can be computed more efficiently than the tightest EP bound.
The optimal solution to (4.3b) is given uniquely by
Hence, by (4.3), , or equivalently, . This bound is not only tighter than the tightest EP bound , but it can also be shown to be achievable, i.e., it can be shown that up to the unconstrained capacity . Consider two independent realizations of the source, i.e., let be the independent bits at time . User reveals in public. Then, the users can agree on bits of secret key, namely , which are independent of the discussion. Since bits of secret key can be agreed by bits of discussion for every units of time, we have . By the usual time-sharing argument, as desired. Therefore, the VP bound is tight for this example.
Note that the VP bound is not always better than the EP bound, i.e., it is possible for the EP bound to be strictly tighter than the VP bound, as the following example shows.
IV-C Lamination Bound
It is possible that both the EP and VP bounds are loose. Indeed, the bounds can be unified and improved to a more general bound, called the lamination bound below:
Theorem 4.4 (Lamination Bound)
For all ,
The parameter and set functions are chosen such that
and so is a fractional packing of according to (4.1a).
See Appendix C.
See Appendix D.
The following example illustrates the above lamination bound and shows that it can be strictly better than the EP and VP bounds.
Consider the following hypergraphical source, illustrated in Fig. 4:
We can calculate the tightest EP bound as in Example 4.1:
Therefore, the tightest EP bound (4.1) is , which was given by the smallest .
For the VP bound, the constraints of (4.3b) are
It can be shown that , with and . Therefore, the VP bound (4.3) is .
Computing the tightest lamination bound is not easy due to its generality. For this example, however, the lamination bound turns out to be achievable (and therefore tight) for the following choice of parameters:
To show that the bound is tight up to the unconstrained secrecy capacity, consider independent realizations of the private source, i.e., let be the independent bits at time . If user 1 and user 2 reveal in public and , respectively, then all users can recover perfectly. Let be the secret key, which is independent of the discussion . Since the users can agree on bits of secret key by