Upper Bounds via Lamination on the Constrained Secrecy Capacity of Hypergraphical Sources

05/03/2018 ∙ by Chung Chan, et al. ∙ City University of Hong Kong, Télécom ParisTech, Indian Institute of Science

Hypergraphical sources are a natural class of sources for secret key generation, within which different subsets of terminals sharing secrets are allowed to discuss publicly in order to agree upon a global secret key. While their secrecy capacity, i.e., the maximum rate of a secret key that can be agreed upon by the entire set of terminals, is well-understood, what remains open is the maximum rate of a secret key that can be generated when there is a restriction on the overall rate of public discussion allowed. In this work, we obtain a family of explicitly computable upper bounds on the number of bits of secret key that can be generated per bit of public discussion. These upper bounds are derived using a lamination technique based on the submodularity of the entropy function. In particular, a specific instance of these upper bounds, called the edge-partition bound, is shown to be tight for the pairwise independent network model, a special case of the hypergraphical source. The secret key generation scheme achieving this upper bound is the tree-packing protocol of Nitinawarat et al., thereby resolving in the affirmative the discussion rate optimality of the tree packing protocol.


I Introduction

The problem of secret key generation between a pair of terminals was independently proposed by Maurer [2], and Ahlswede and Csiszár [3]. The pair of terminals are allowed to interactively discuss in public over a noiseless broadcast channel in order to agree upon a secret key, which is to be secured from a passive eavesdropper who monitors the communication sent over the public channel. The problem was later extended to the case of multiple terminals observing correlated sources by Csiszár and Narayan [4]. The quantity of interest in all of these works was the secrecy capacity, i.e., the maximum rate of a secret key that can be agreed upon by all the terminals. However, these works treated communication as a free resource, an assumption which does not hold in practical scenarios. In fact, Csiszár and Narayan [4] showed using some examples that their communication for omniscience strategy used to achieve secrecy capacity may require strictly more communication than needed.

The first work to consider the effects of rate-limited communication on the secret key generation problem is due to Csiszár and Narayan [5]. The authors derived a complete characterization of the key-rate versus communication-rate tradeoff for the two-terminal scenario where only one-way discussion is allowed. Later, Tyagi [6] looked at the problem of characterizing the communication complexity, i.e., the minimum rate of interactive communication needed to achieve the secrecy capacity, for two-terminal sources. He obtained a multi-letter expression for the communication complexity using the interactive common information, a quantity related to the Wyner common information [7], of the two sources. Tyagi left open the question of characterizing the key-rate versus interactive communication-rate tradeoff for two-terminal sources. This question was later partially addressed by Liu et al. [8], who gave a complete characterization of the key-rate versus communication-rate tradeoff for a fixed number of communication rounds, using the ideas of interactive source coding developed by Kaspi [9]. A complete and computable characterization of the key-rate versus communication-rate tradeoff for two-terminal sources with no restriction on the number of communication rounds is still open. Liu et al. also studied the quantity , where is the maximum rate of secret-key with the rate of public discussion restricted to . Using the notion of a symmetric strong data processing constant, the authors derived the behaviour of the ratio in two regimes, when goes to , and when is close to the secrecy capacity. While the above mentioned works all involve sources with finite alphabets, the case with Gaussian sources has also been considered. The characterization of the key-rate versus communication-rate tradeoff for two-terminal scalar and vector Gaussian sources has been carried out by Watanabe and Oohama in [10] and [11].

While the problem for two-terminal sources has received a fair bit of attention, literature on the multiterminal scenario is scant. Attempts have been made to obtain bounds on the communication complexity for multiterminal sources in [12] and [13]. In [12], a lower bound on communication complexity has been derived by extending Tyagi’s definition of interactive common information to a multiterminal scenario. Upper bounds on communication complexity have been developed in [13] using the idea of decremental secret key agreement [14]. Another direction of investigation has been characterizing multiterminal sources, for which the communication for omniscience protocol of Csiszár and Narayan is communication-rate-optimal for achieving secrecy capacity. A sufficient condition to check the optimality of the communication for omniscience was derived in [15], and extensions of this result to sources involving helpers, untrusted terminals, and silent terminals were carried out in [16]. While the above mentioned works look at the near secrecy capacity regime, the zero communication-rate regime has been investigated in [17] for the special case of finite linear sources.

In this paper, we study the key-rate versus communication-rate tradeoff for multiterminal sources. At the outset we must mention that a study of general multiterminal sources is difficult, and hence, we shall restrict our attention to a specific class of sources, namely, the hypergraphical source [18]. To explain our choice, consider the following natural scenario for secret key agreement. Certain subsets of terminals already possess secrets shared locally among themselves, and the terminals must agree upon a globally shared secret through public discussion. Let us ask this simple question: How many bits of globally shared secret can be generated using locally shared secrets?

The scenario described can be viewed as a hypergraphical source. The hypergraphical source consists of certain subsets of terminals observing i.i.d. sequences of random variables, which can be thought of as the local secrets. Therefore, the answer to the question posed earlier is simply the secrecy capacity of the hypergraphical source. Hypergraphical sources also appeared in the coded cooperative data exchange (CCDE) problem [19], [20].

The main contribution of this work is obtaining upper bounds on the ratio for hypergraphical sources. Unlike earlier works on the two-terminal scenario, our results are not restricted to any particular regime and hold for every possible communication rate . The upper bounds on studied here are based on the fact that entropy is a submodular set function [21]. Along with the specialized structure of the hypergraphical source, the submodularity of entropy enables us to define a ‘lamination’ procedure which serves as the key ingredient to derive our bounds. The lamination procedure we use essentially boils down to minimizing a weighted sum of submodular functions using Edmonds’ Greedy Algorithm [22, Theorem 44.3]. In particular, we obtain three different upper bounds to by laminating three different sums of entropies. The first of these bounds, which we shall call the edge-partition (EP) bound, gives us an exact characterization of the key-rate versus communication-rate tradeoff for the so-called pairwise independent network (PIN) model [23], [24], which is a special case of the hypergraphical source. The tightness of the EP bound for the PIN model is shown using the tree-packing protocol of Nitinawarat and Narayan [24]. We would like to highlight that this is the first result which completely characterizes the key-rate versus communication-rate tradeoff for a large class of sources, without any restriction on the number of rounds of interactive communication. Also, the tradeoff does not involve any auxiliary random variables, and in fact, it can be expressed simply in terms of the size of the network. While the EP bound gives tight results for the PIN model, we show using an example that it can be loose for certain hypergraphical sources. To circumvent this issue, we derive our second upper bound, which we call the vertex-packing (VP) bound. 
Although the VP bound is tight for certain examples where the EP bound is loose, there are also examples where the VP bound is loose but the EP bound is tight. To get the best of both the VP and EP bounds, we generalize them to obtain a third bound which we simply call the lamination bound.

The paper is organized as follows. Section II introduces the hypergraphical source and states the necessary definitions. Section III describes the tree-packing protocol for the PIN model. The main results of the paper, which include the EP bound, the VP bound, and the lamination bound are presented in Section IV. The contributions made by the paper, as well as future directions of research are summarized in Section V. The proofs of some of the technical results appear in the appendices.

II Problem Formulation

We consider the basic source model for multiterminal secret key agreement in [4] but with no helpers or wiretapper’s side information. It involves a finite set of at least users. Without loss of generality, we can set to be with . The users have access to a private (discrete memoryless multiple) source, which is denoted by the random vector

We assume that the random vector takes values from a finite set denoted by

Note that we use capital letters in sans serif font for random variables and the corresponding capital letters in the usual math italic font for the alphabet sets if there is no ambiguity.

denotes the joint distribution of the ’s.

The users want to agree on a secret key via public discussion. As in [4], the protocol is divided into the following phases:

Private observation: Each user observes an -sequence

i.i.d. generated from the source for some block length .

Private randomization: Each user generates a random variable independent of the private source, i.e.,

(2.1)

For convenience, we denote the entire private observation of user as

(2.2)

Public discussion: Using a public authenticated noiseless channel, each user broadcasts a message in round for some positive integer number of rounds. The message is chosen as

(2.3a)

which is a function of the accumulated observations of user , namely, his private observation defined in (2.2), and the previous discussion

(2.3b)

where the first part consists of the previous messages broadcast in the same round, and the second part denotes the messages broadcast in the previous rounds. Without loss of generality, we have assumed that the interactive discussion is conducted in the ascending order of user indices. For convenience, we also write

(2.3c)
(2.3d)

to denote, respectively, the aggregate message from user and the aggregation of the messages from all users.

Key generation: A random variable , called the secret key, is required to satisfy the recoverability constraint that

(2.1)

for some function , and the secrecy constraint that

(2.2)

where denotes the finite alphabet set of possible key values.

It is desirable to have a large secret key rate but a small public discussion rate . Our goal is to characterize the optimal tradeoff between the secret key rate and the total discussion rate:

Definition 2.1

The (total-discussion-rate-)constrained secrecy capacity is defined for as

(2.3)

where the supremum is taken over all possible sequences of that satisfy the sum rate constraint on the public discussion

(2.4)

in addition to (2.1) and (2.2).

The curve for exists and is well-behaved with the following basic properties.

Proposition 2.1

is continuous, non-decreasing and concave for .

Proof

Continuity is because the and in (2.4) always exist, since is bounded within . The monotonicity is obvious, and concavity follows from the usual time sharing argument.

As motivated in the introduction, we will restrict to the hypergraphical source model defined below:

Definition 2.2 (Definition 2.4 of [18])

is a hypergraphical source with respect to a hypergraph with edge set and edge function iff, for some mutually independent (hyper)edge (random) variables for , we can write

(2.5)

The weight function of a hypergraphical source is defined as

(2.6a)
(2.6b)

For convenience, we further make some mild assumptions on the hypergraphical sources we will consider:

  1. Every edge variable is non-trivial, i.e., for all .

  2. There exists at least one edge variable, i.e., .

  3. No edge covers the entire set, i.e., for all .

The first assumption is without loss of generality, the second is to avoid triviality. The last assumption is for simplicity. (Footnote: It is possible to extend the results of this work to allow for edges covering the entire set: The corresponding edge variables can be used directly as the secret key after simple source compression, without any additional public discussion.) Note also that the two-user case is also trivial, with , and so we focus on the case .

An example of a hypergraphical source is as follows.

Example 2.1

Fig. 1: The hypergraph corresponding to the hypergraphical source defined in (2.1). Each edge corresponds to an independent edge variable in the private observation associated with each incident node (user) .

Let and be four uniformly random and independent bits. With , define

This is a hypergraphical source, illustrated in Fig. 1 with edge set , and edge function

The weight function has for equal to any of the subsets above, which form the support of , i.e., .

A simpler source model we shall also consider is the special hypergraphical source model when the hypergraph corresponds to a graph:

Definition 2.3 ([24, 23])

is a pairwise independent network (PIN) iff it is hypergraphical with edge function satisfying for all .

Example 2.2

Fig. 2: The graphical representation of the PIN in (2.1).

With , define

(2.1)

where are independent uniformly random bits. The private source is a PIN illustrated in Fig. 2 with edge set , edge function satisfying

and weight function

and otherwise. Hence, the support of is .

III Preliminaries

If there is no limit on the public discussion rate, the secrecy capacity, referred to as the unconstrained secrecy capacity, is defined and characterized in [4] as

(3.1)
(3.2)

where is the smallest rate of communication for omniscience, characterized in [4]

by the linear program

(3.3a)
(3.3b)

where we have used for notational convenience that

The inequalities in (3.3b) consist of the usual Slepian-Wolf constraints for source networks. The capacity-achieving scheme in [4] requires all users to recover the entire source (i.e., attain omniscience) by public discussion at the smallest total rate , and then extract the secret key from their recovered source at rate . Despite having exponentially many constraints, the linear program (III) can be computed in (strongly) polynomial-time [25, 26], and hence, so can .

However, it was also mentioned in [4] that the unconstrained capacity can be attained by a possibly smaller discussion rate, referred later in [12] as the communication complexity

(3.1)

For the PIN model, in particular, there is a protocol in [23, Proof of Theorem 3.3] that achieves the unconstrained secrecy capacity [23, (15),(17)] possibly with smaller discussion rate.

Proposition 3.1 ([23, 24])

For a PIN,

(3.2a)

where is a non-negative integer; is a non-negative real number; is a spanning tree with edge set satisfying

(3.2b)

Furthermore, the lower bound in (3.2a) achieves the unconstrained secrecy capacity.

Note that the feasible solutions to the lower bound in (3.2a) are called fractional tree packings because the constraint (3.2b) requires the total weights of all the trees covering each set to not exceed the weight . The achieving scheme is therefore called the tree-packing protocol. The unconstrained secrecy capacity is the fractional tree packing number.

It was left as an open problem in [24] whether the tree-packing protocol achieves the communication complexity . One may further ask whether the scheme achieves the constrained secrecy capacity for all . We resolve this in the affirmative in Theorem 4.2 by providing a matching converse. This idea can be motivated more concretely with the following example.

Example 3.1

Consider the PIN model defined in (2.1). If user 2 reveals in public so that everyone can observe it, then user 3 can recover as . is a secret key bit generated by the public discussion because not only is recoverable by all users, with the recoverability constraint (2.1) being satisfied, but it is also uniformly random and independent of the public discussion , thus satisfying the secrecy constraint (2.2).

The above secret key agreement scheme is indeed a tree packing protocol. There is only one possible spanning tree, namely with . To satisfy the weight constraint (3.2b), we can set . Hence, it follows from (3.2a) that, for ,

or equivalently

(3.1)

It is easy to see that the capacity cannot exceed  bit since user 1 observes at most  bit in private, and  bit of secret key is achievable by the above discussion scheme. The smallest rate of communication for omniscience is because there are  bits of randomness in the source but user  only gets to observe  bit in private. It can be checked that the formula (3.2) relating and holds, and that the linear program (III) for is solved by the rate tuple for any . The bound (3.1) on communication complexity is . However, this bound is loose because the earlier capacity-achieving discussion is only  bit, i.e., we have . It can be shown that the best existing lower bound from [12, 15] is , which is trivial. Hence, the existing results are not sufficient to characterize , let alone the constrained secrecy capacity .

It turns out that the lower bound (3.1) on for the current example is tight, which implies . Proving the reverse inequality is non-trivial and is the motivation of the techniques introduced in this work.
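The discussion scheme of Example 3.1 can be checked exhaustively. The following is an added example, not code from the paper: it runs a one-shot XOR discussion along a single spanning tree whose edges each carry one uniform bit, then enumerates every source realization to confirm the recoverability and secrecy constraints. It goes beyond the three-user case in the text by accepting any spanning tree; the function names and the sample trees are assumptions made here.

```python
from collections import Counter
from itertools import product


def public_discussion(n_users, tree, bits):
    """Each user XORs its first incident tree-edge bit with each of its others.

    tree: list of (u, v) pairs forming a spanning tree on users 1..n_users.
    bits: one private bit per tree edge, known only to the edge's two users.
    Returns messages (edge_i, edge_j, bits[i] XOR bits[j]).
    """
    msgs = []
    for user in range(1, n_users + 1):
        incident = [i for i, edge in enumerate(tree) if user in edge]
        first = incident[0]
        msgs += [(first, j, bits[first] ^ bits[j]) for j in incident[1:]]
    return msgs


def recover_key(user, tree, bits, msgs):
    """Recover the bit of tree edge 0 from one private bit plus the transcript."""
    delta = {0: 0}  # delta[e] = bits[e] XOR bits[0], built from public data only
    changed = True
    while changed:
        changed = False
        for a, b, val in msgs:
            for x, y in ((a, b), (b, a)):
                if x in delta and y not in delta:
                    delta[y] = delta[x] ^ val
                    changed = True
    own = next(i for i, edge in enumerate(tree) if user in edge)
    return bits[own] ^ delta[own]  # the only private input used is bits[own]


def verify(n_users, tree):
    """Enumerate all source realizations; check recoverability and secrecy."""
    joint = Counter()
    recoverable = True
    public_bits = 0
    for bits in product((0, 1), repeat=len(tree)):
        msgs = public_discussion(n_users, tree, bits)
        public_bits = len(msgs)
        keys = {recover_key(u, tree, bits, msgs) for u in range(1, n_users + 1)}
        recoverable &= keys == {bits[0]}
        joint[(tuple(m[2] for m in msgs), bits[0])] += 1
    # Secrecy: for every transcript, key values 0 and 1 are equally likely.
    secret = all(joint[(t, 0)] == joint[(t, 1)] for t, _ in joint)
    return {"public_bits": public_bits, "recoverable": recoverable, "secret": secret}


if __name__ == "__main__":
    # Constructed samples: the 3-user path (one relay) and a 5-user star.
    print(verify(3, [(1, 2), (2, 3)]))
    print(verify(5, [(1, 2), (1, 3), (1, 4), (1, 5)]))
```

A user with d tree edges publishes d - 1 bits, so any spanning tree on n users costs n - 2 public bits per key bit in this sketch, whatever its shape.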

IV Main results

Unless otherwise stated, all the results apply to the hypergraphical source model in Definition 2.2 with the additional assumptions stated after that. We will also consider the non-trivial case involving users. For ease of understanding, we will present the most general result towards the end of this section, after introducing some of its simpler variants which already give tight characterizations of the capacities for simple hypergraphical sources.

IV-A Edge-partition bound

Let be the collection of partitions of into at least two non-empty disjoint sets.

Theorem 4.1 (EP bound)

For any partition , an upper bound on the constrained secrecy capacity (2.3) is given by

(4.1a)
(4.1b)

This is called the edge-partition (EP) bound.

Proof

See Appendix A

Note that we did not incorporate the obvious upper bound into (4.1) to avoid distraction. This obvious upper bound will also be implicit in the subsequent results. The name “edge-partition bound” is because the critical component of the bound is obtained by partitioning the edges of the hypergraph. More precisely, in the numerator of in (4.1b), the expression is the collection of subsets in the partition that intersects the incident nodes of an edge . The size of this collection minus is the number of times cuts across the edge . Therefore, the numerator of is the maximum number of times can cut across an edge of the hypergraphical source. The denominator is the number of cuts across the entire vertex set . Hence, is a ratio no larger than , with equality if there is an edge that covers the entire vertex set, i.e., .

An example that illustrates the EP bound is as follows.

Example 4.1

Consider the hypergraphical source defined in (2.1). (See Fig. 1.) We will compute the tightest EP bound among all possible values of the partition . Consider the case , namely, the singleton partition . The following matrix lists the non-zero values of the indicator function for different edges and blocks of the partition.

sum

The last row gives the column sums, which corresponds to the values of . The maximum value is , and so

For with , there are possible partitions. The values of can be computed similarly. It can be checked that and so

This gives a looser EP bound compared to the previous case with as it can be observed from the EP bound (4.1) that a smaller value of gives a tighter bound.

Similarly, for with , it can be shown that and so , which again cannot give a better EP bound than the case with . Hence, with , we have the tightest EP bound

which gives .

Although the EP bound can be computed efficiently given a particular choice of the partition , it is unclear how to efficiently compute the optimal partition that gives the tightest EP bound. As we shall see in the next section, the EP bound is also loose for the above example.

Nevertheless, when restricted to the PIN model in Definition 2.3, the optimal partition turns out to be the partition into singletons. The tightest EP bound gives a complete and surprisingly simple characterization of the constrained secrecy capacity, which is also achieved by the tree-packing protocol described in Proposition 3.1 and illustrated in Example 3.1.
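For small sources the search over partitions can simply be done by brute force. The sketch below is an added example, not code from the paper: it computes the ratio described in words after Theorem 4.1 (the largest number of times a partition cuts across one edge, divided by the number of blocks minus one) and minimizes it over every partition into at least two blocks. The function names and the two sample sources are constructed here; the four-user hypergraph is not the source of Example 4.1.

```python
from fractions import Fraction
from itertools import combinations


def partitions(items):
    """Yield every set partition of a list, each as a list of blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in partitions(rest):
        # Put `first` into each existing block in turn ...
        for i in range(len(part)):
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        # ... or into a new block of its own.
        yield [[first]] + part


def alpha(partition, edges):
    """Max over edges of (#blocks meeting the edge - 1), over (#blocks - 1)."""
    most_cuts = max(
        sum(1 for block in partition if set(block) & edge) - 1 for edge in edges
    )
    return Fraction(most_cuts, len(partition) - 1)


def tightest_alpha(vertices, edges):
    """Exhaustive search for the partition with the smallest ratio.

    The number of partitions grows as the Bell numbers, so this is only
    practical for a handful of users. Ties go to the finer partition.
    """
    best = None
    for part in partitions(list(vertices)):
        if len(part) < 2:
            continue
        a = alpha(part, edges)
        if best is None or a < best[0] or (a == best[0] and len(part) > len(best[1])):
            best = (a, part)
    return best


# Constructed sample 1: PIN on the complete graph with four users.
K4 = [set(pair) for pair in combinations([1, 2, 3, 4], 2)]
# Constructed sample 2: a hypergraph with one 3-user edge and one 2-user edge.
HYPER = [{1, 2, 3}, {3, 4}]

if __name__ == "__main__":
    print("K4 PIN:", tightest_alpha([1, 2, 3, 4], K4))
    print("hypergraph, singletons:", alpha([[1], [2], [3], [4]], HYPER))
    print("hypergraph, best:", tightest_alpha([1, 2, 3, 4], HYPER))
```

On the complete-graph PIN the search returns the singleton partition, as stated above for the PIN model, while on the constructed hypergraph a coarser three-block partition gives a smaller ratio than the singletons do.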

Theorem 4.2

For the PIN model, the constrained secrecy capacity is

(4.1)

for the case of interest when . It follows that the communication complexity defined in (3.1) is .

Remark 4.1

The optimal tradeoff is irrelevant to the topology of the PIN model, and is characterized simply by the size of the network.

Proof

Note that the lower bound of (4.1) directly follows from (3.2a) in Proposition 3.1. Furthermore, equals the fractional tree-packing number.

The converse follows from (4.1) with . More precisely, the maximization in the numerator of is always equal to as it is the number of incident nodes of an edge. Hence, , and so, the EP bound gives

which completes the proof of (4.1). The formula for is obtained easily by equating the two terms in the minimization in (4.1).

For the PIN defined in (2.1), for instance, the bound (3.1) of is the precise characterization given by the above equation (4.1). As discussed, the tradeoff is irrelevant to the topology. To illustrate, another -user example is as follows.

Example 4.2

Fig. 3: The triangle PIN defined in (4.2).

Consider a triangle PIN with and

(4.2)

where are independent uniformly random bits. This is a PIN with correlation represented by a triangle as shown in Fig. 3. It follows from (3.1), (III) and (3.1) that

The capacity is achievable by the tree-packing protocol with the following fractional solution

Applying (4.1), we have

The tradeoff is the same as the PIN defined in (2.1). Note that unlike Example 3.1, the characterization of for this example can be obtained using an existing technique in [15] by showing the optimality of omniscience.

IV-B Vertex-packing bound

Although the EP bound is tight for the PIN model, with , it can be loose in general. In particular, the following result will give a tighter upper bound on for the hypergraphical source considered earlier in Example 4.1.

Theorem 4.3 (VP bound)

For any ,

(4.3a)
(4.3b)

This is called the vertex-packing (VP) bound.

Proof

See Appendix B.

Note that the name of the bound comes from the fact that the feasible solution to the above linear program (4.3b) is a fractional collection of the vertices that can be packed into the hyperedges. We will show below that the VP bound can be tighter than the tightest EP bound obtained in Example 4.1. Note also that the VP bound can be computed more efficiently than the tightest EP bound.

Example 4.3

Consider the previous hypergraphical source defined in (2.1). The constraints of (4.3b) are

The optimal solution to (4.3b) is given uniquely by

Hence, by (4.3), , or equivalently, . This bound is not only tighter than the tightest EP bound , but it can also be shown to be achievable, i.e., it can be shown that up to the unconstrained capacity . Consider two independent realizations of the source, i.e., let be the independent bits at time . User  reveals in public. Then, the users can agree on  bits of secret key, namely , which are independent of the discussion. Since  bits of secret key can be agreed by  bits of discussion for every  units of time, we have . By the usual time-sharing argument, as desired. Therefore, the VP bound is tight for this example.

Note that the VP bound is not always better than the EP bound, i.e., it is possible for the EP bound to be strictly tighter than the VP bound, as the following example shows.

Example 4.4

Consider the PIN model on a complete graph, i.e., with . (See the triangle PIN in Example 4.2 for .) Note that

Then, by (4.3), the VP bound is

which is worse than the EP bound in the non-trivial case .

IV-C Lamination Bound

It is possible that both the EP and VP bounds are loose. Indeed, the bounds can be unified and improved to a more general bound, called the lamination bound below:

Theorem 4.4 (Lamination Bound)

For all ,

(4.1a)

where

(4.1b)
(4.1c)

The parameter and set functions are chosen such that

(4.1a)
(4.1b)

and so is a fractional packing of according to (4.1a).

Proof

See Appendix C.

Corollary 4.1

The lamination bound (4.4) covers the EP bound (4.1) and VP bound (4.3) as special cases.

Proof

See Appendix D.

The following example illustrates the above lamination bound and shows that it can be strictly better than the EP and VP bounds.

Example 4.5

Consider the following hypergraphical source, illustrated in Fig. 4:

Compared to the source defined in (2.1) and illustrated in Fig. 1, the difference is that the edge connects node  to node  instead of node .

Fig. 4: The hypergraphical source defined in (4.5).

We can calculate the tightest EP bound as in Example 4.1:

  • For ;

  • For ;

  • For ;

  • For .

Therefore, the tightest EP bound (4.1) is , which was given by the smallest .

For the VP bound, the constraints of (4.3b) are

It can be shown that , with and . Therefore, the VP bound (4.3) is .

Computing the tightest lamination bound is not easy due to its generality. For this example, however, the lamination bound turns out to be achievable (and therefore tight) for the following choice of parameters:

It is straightforward to check that and satisfy the constraints (4.4). By (4.1b) and (4.1c), we have . The lamination bound (4.1a) is , which is strictly better than the EP and VP bounds.

To show that the bound is tight up to the unconstrained secrecy capacity, consider independent realizations of the private source, i.e., let be the independent bits at time . If user 1 and user 2 reveal in public and , respectively, then all users can recover perfectly. Let be the secret key, which is independent of the discussion . Since the users can agree on  bits of secret key by