An Upper Bound for Wiretap Multi-way Channels
aa r X i v : . [ c s . I T ] S e p An Upper Bound for Wiretap Multi-way Channels
Amin Gohari and Gerhard Kramer
Abstract
A general model for wiretap multi-way channels is introduced that includes several previouslystudied models in information theoretic security as special cases. A new upper bound is developedthat generalizes and unifies previous bounds. We also introduce a multivariate dependencebalance bound which is of independent interest.
A wiretap multi-way channel (WiMWC) with k transceiver terminals and an eavesdropper is de-fined by p ( y [ k ] , z | x [ k ] ) where x i and y i are the respective channel inputs and outputs of the i -thlegitimate transmitter, and z is the eavesdropper channel output. Let [ k ] = { , , · · · , k } and x [ k ] = ( x , · · · , x k ). Extra public or private discussion/feedback links can be included by L parallelchannels q ℓ ( y [ k ] , z | x [ k ] ), ℓ ∈ [ L ], that the legitimate terminals can use in addition to the main chan-nel p ( y [ k ] , z | x [ k ] ). For instance, to model a noiseless public channel one may add a parallel channel Y = Y = · · · = Y k = Z = X [ k ] .A WiMWC code of length n is defined as follows: at time instance j ∈ [ n ], the i -th legitimateterminal uses local (private) random strings W i and transmits the symbol X ij = f ij ( W i , Y i [ j − ) , j ∈ [ n ] (1)over the main channel p ( y [ k ] , z | x [ k ] ) or over one of the parallel channels q i ( y [ k ] , z | x [ k ] ). Here, n isthe number of transmissions and f ij ( · ) is the encoding function at terminal i for time j , and Y ij isthe channel output symbols seen by terminal i at time j . Random variable Y i [ j − (also sometimesdenoted by Y j − i in the paper) is the collection of past outputs of terminal i at time j . Suppose thatthe main channel is used m ≤ n times during the n transmissions, while the channel q ℓ ( y [ k ] , z | x [ k ] )is used m ℓ times for ℓ = 1 , , · · · , L . Thus, m + P Lℓ =1 m ℓ = n .After transmission, a subset of the terminals – without loss of generality assumed to be the first r terminals – generate the secret keys S i = g i ( W i , Y i [ n ] ) , i ∈ [ r ]where S i ∈ [2 mR s ] for some R s >
0. In an ( n, ǫ ) code, the generated keys satisfy1 m H ( S ) ≥ R s − ǫ, P [ S = S = · · · = S r ] ≥ − ǫ, m I ( S ; Z n ) ≤ ǫ. The number R s is called the secret key rate, and α ℓ = m ℓ m (2)1s the rate of channel use for q ℓ ( y [ k ] , z | x [ k ] ). Given α ℓ ≥ ℓ ∈ [ L ], we are interested in thesupremum of rates R s that can be achieved for any ǫ > m tends to infinity.Observe that while terminals r + 1 , r + 2 , · · · , k do not generate secret keys, they have channelinputs and can participate as helper terminals . If the secret key generated by the first r terminalsmust be kept private from a collection of helper terminals, then the outputs of these terminals canbe included as part of the eavesdropper’s output variable Z .The WiMWC includes several models as special cases. • Source model: consider k = 2 and set X , X to be constant in the main channel p ( y , y , z | x , x ).Take an extra channel to allow for public discussion, and let α (as defined in (2)) tend toinfinity. Similarly, the multiuser case studied in [1] is a special case of the WiMWC model. • Channel model: consider k = 2 and set Y and X to be constant in the main channel p ( y , y , z | x , x ). Take an extra channel to allow for public discussion and let α tend toinfinity. Similarly, the multiaccess channel model ( [2, 3]) for which each legitimate terminalis either a receiver or transmitter can be enforced by choosing the alphabets of either X i or Y i to have only one element. As shown in [2, 3], the secret key capacity is related to MACswith feedback for the special cases considered in these works. Our result provides connectionsbetween the key agreement problem and MACs with feedback in a more general setting. • Wiretap channels with or without (private or public) feedback: For instance, for a secure rate-limited feedback link as in [4], we can set k = 2 and consider a parallel channel where Y and Z are constant while Y = X with the desired feedback rate. The Gaussian wiretap two-waychannel [5] is obtained when we do not have any parallel channels and k = 2. Similarly, onecan obtain the models considered in [6–9] as special cases of the WiMWC model. The channelmodel of [10] also reduces to the model considered here if the parallel channels model a publicchannel available to all parties. Definition 1 (Fractional Partition) . Let B be the set of all non-empty proper subsets of [ k ] . Afractional partition of [ k ] is a collection of non-negative weights associated to non-empty propersubsets of [ k ] , i.e., λ B for every B ∈ B such that X B : i ∈B λ B = 1 , ∀ i ∈ [ k ] . (3) Definition 2 (Multivariate Mutual Information) . Let ( λ B : B ∈ B ) be an arbitrary fractionalpartition of [ k ] . The λ -mutual information among variables X i , i ∈ [ k ] conditioned on anotherrandom variable T is I λ ( X ; X ; · · · ; X k | T ) = H ( X [ k ] | T ) − X B λ B H ( X B | X B c , T ) . The above definition first appeared in [1, Equation 6]. Observe that when k = 2 and λ { } = λ { } = 1, the λ -mutual information reduces to the ordinary conditional mutual information. Basicproperties of I λ are discussed in Appendix A. In particular, a dependence balance lemma for I λ isgiven in Appendix C.Take some arbitrary alphabet set T and an auxiliary random variable T ∈ T defined by aconditional distribution q ( t | y [ k ] , z, x [ k ] ). We call T an auxiliary receiver.2 efinition 3. Given a fractional partition λ , a multiway wiretap channel q ( y [ k ] , z | x [ k ] ) and anauxiliary receiver T described by q ( t | y [ k ] , z, x [ k ] ) , let V λ ( q ) = max I λ ( X Y ; X Y ; · · · ; X k Y k | T ) − I λ ( X ; X ; · · · ; X k ) + I ( V ; T | U ) − I ( V ; Z | U ) where the maximum is over all p ( x [ k ] , u, v, y [ k ] , z, t ) of the form: p ( x [ k ] , u, v, y [ k ] , z, t ) = p ( x [ k ] ) q ( y [ k ] , z, t | x [ k ] ) p ( u, v | x [ k ] , y [ k ] ) . Theorem 4.
Take an arbitrary fractional partition such that λ B = 0 when [ r ] ⊂ B . Then, forany arbitrary auxiliary receiver q T | X [ k ] ,Y [ k ] ,Z , the secret key capacity of the multiway wiretap channel q ( y [ k ] , z | x [ k ] ) is bounded from above by V (cid:0) p ( y [ k ] , z, t | x [ k ] ) q ( t | x [ k ] , y [ k ] , z ) (cid:1) + L X ℓ =1 α ℓ V (cid:0) q ℓ ( y [ k ] , z, t | x [ k ] ) q ( t | x [ k ] , y [ k ] , z ) (cid:1) , where α ℓ is defined in (2) . Remark 5.
This converse recovers the best known upper bound for the source and channel modelsas special cases (for this special case, V (cid:0) q ℓ ( y [ k ] , z, t | x [ k ] ) q ( t | x [ k ] , y [ k ] , z ) (cid:1) vanishes) [11, 12], and alsorecovers the converse for the result in [4]. If we set T = Z , we get a bound that can be also deducedfrom Theorem 3.1 of [13]. The converse utilizes an auxiliary receiver T . See [14] for some furtherapplications of auxiliary receivers.Proof. Take some arbitrary q ( t | x [ k ] , y [ k ] , z ). Take some arbitrary code and let T n be defined bypassing X [ k ] j , Y [ k ] j , Z j through the memoryless channel q ( t | x [ k ] , y [ k ] , z ) for j ∈ [ n ].Let S i for i ∈ [ r ] be the key produced by the first r terminals. Set S i for r < i ≤ k to beconstants. We have H ( S ) − nk ( ǫ ) ≤ H ( S ) − I ( S ; Z n ) (4)= H ( S | T n ) + I ( S ; T n ) − I ( S ; Z n ) − nk ( ǫ ) (5)where k ( ǫ ) and k ( ǫ ) are functions that tend to zero as ǫ tends to zero. Observe that I ( S ; T n ) − I ( S ; Z n ) = X i I ( S ; T j | Z nj +1 , T j − ) − I ( S ; Z j | Z nj +1 , T j − ) (6)= X j I ( V j ; T j | U j T j ) − I ( V j ; Z j | U j T j ) (7)where V j = S , U j = Z nj +1 and T j = T j − . Observe that U j V j T j → X [ k ] j Y [ k ] j → T j Z j forms a Markov chain. Next, we have H ( S | T n ) − nk ( ǫ ) ≤ I λ ( S ; S ; · · · ; S k | T n ) (8) ≤ I λ ( W Y n ; W Y n ; · · · ; W k Y nk | T n ) (9)= I λ ( W Y n ; W Y n ; · · · ; W k Y nk | T n ) − I λ ( W ; W ; · · · ; W k ) (10)3 n X j =1 I λ ( X j Y j ; X j Y j ; · · · ; X kj Y kj | T j , T j − ) − n X i =1 I λ ( X j ; X j ; · · · ; X kj | T j − ) (11)where (8) and (9) follow from the Fano and data processing inequalities for I λ , as shown in Propo-sition 6 in Appendix A, and (11) follows from Lemma 9 in Appendix C, and k ( ǫ ) is a function thattends to zero as ǫ tends to zero.Collecting the above results, we obtain H ( S ) − nk ( ǫ ) − nk ( ǫ ) ≤ n X j =1 (cid:18) I λ ( X j Y j ; X j Y j ; · · · ; X kj Y kj | T j , T j ) − I λ ( X j ; X j ; · · · ; X kj | T j )+ I ( V j ; T j | U j T j ) − I ( V j ; Z j | U j T j ) (cid:19) . (12)Finally, observe that if at time j , the main channel p ( y [ k ] , z, t | x [ k ] ) is used, the expression insideparenthesis in (12) is bounded from above by V (cid:0) p ( y [ k ] , z, t | x [ k ] ) q ( t | x [ k ] , y [ k ] , k ) (cid:1) while if the q ℓ ( y [ k ] , z, t | x [ k ] ) is used, the expression inside parenthesis in (12) is bounded from aboveby V (cid:0) q ℓ ( y [ k ] , z, t | x [ k ] ) q ( t | x [ k ] , y [ k ] , k ) (cid:1) . This completes the proof.
Appendices
A Properties of λ - k -mutual information The properties in the following proposition essentially follow from the arguments in [1]. We includetheir proofs for completeness.
Proposition 6. λ - k -mutual information satisfies the following properties: • (Nonnegativity): I λ ( X ; X ; · · · ; X k ) ≥ • (Fano): Let A = { i , i , · · · , i r } be an arbitrary subset of [ k ] . Assume that X j is constantwhen j / ∈ A , and P [ X i = X i = · · · = X i r ] ≥ − ǫ. Take a fractional partition such that λ B = 0 when A ⊂ B . Then I λ ( X ; X ; · · · ; X k ) ≥ H ( X A ) − X B λ B ! H ( ǫ ) + ǫ X i ∈A log( |X i | ) ! , where H ( · ) is the binary entropy function. (Data processing): if we locally produce Y i from X i , then I λ ( X ; X ; · · · ; X k ) ≥ I λ ( Y ; Y ; · · · ; Y k ) . Proof.
For non-negativity, we have H ( X X · · · X k ) = X i H ( X i | X i − )= X i ( X B : i ∈B λ B ) H ( X i | X i − )= X B X i ∈B λ B H ( X i | X i − ) ≥ X B X i ∈B λ B H ( X i | X [ i − ∩ B X B c )= X B λ B H ( X B | X B c ) . To show the Fano’s property, observe that λ B = 0 implies B c ∩ A 6 = ∅ . Using Fano’s inequalitywe have H ( X B | X B c ) ≤ H ( X B | X B c ∩A ) ≤ H ( ǫ ) + ǫ X i ∈ [ k ] log( |X i | ) . Finally, we show the data processing property: since adding private noise to variables does notchange the λ -k-information, it suffices to show this claim when Y i is a function of X i . In this case,we have I λ ( X ; X ; · · · ; X k ) = H ( X [ k ] ) − X B λ B H ( X B | X B c )= H ( Y [ k ] ) − X B λ B H ( Y B | Y B c X B c )+ H ( X [ k ] | Y [ k ] ) − X B λ B H ( X B | Y B X B c )= H ( Y [ k ] ) − X B λ B H ( Y B | Y B c ) + X B λ B I ( Y B ; X B c | Y B c )+ H ( X [ k ] | Y [ k ] ) − X B λ B H ( X B | Y [ k ] X B c )= I λ ( Y ; Y ; · · · ; Y k ) + I λ ( X ; X ; · · · ; X k | Y [ k ] ) + X B λ B I ( Y B ; X B c | Y B c ) ≥ I λ ( Y ; Y ; · · · ; Y k ) . where I λ ( X ; X ; · · · ; X k | Y [ k ] ) = X y [ k ] p ( y [ k ] ) I λ ( X ; X ; · · · ; X k | Y [ k ] = y [ k ] )is defined just like the ordinary mutual information.It is further shown in [1, Lemma A.1] that I λ ( X ; X ; · · · ; X k ) is concave in p ( x ) for a fixed p ( x , x , · · · , x k | x ). An interactive communication property of I λ can be also deduced from Lemma6 of [3]. 5 Relation to another definition of k -mutual information Define the k -mutual information for the random variables X , X , · · · , X k as J ( X ; X ; · · · ; X k ) = − H ( X · · · X k ) + X i H ( X i ) . Example 7.
Let λ B = 0 if |B| 6 = k − , and λ B = k − otherwise. We have I λ ( X ; X ; · · · ; X k ) = H ( X X · · · X k ) − k − X i H ( X i | X [ k ] − i ) (13)= 1 k − − H ( X · · · X k ) + X i H ( X i ) ! (14)= 1 k − J ( X ; X ; · · · ; X k ) . (15) Next, let
Π = ( P , P , · · · , P r ) be a partition of [ k ] into r ≥ sets. Let λ B = r − if B = [ k ] − P i for some i ∈ [ r ] , and λ B = 0 otherwise. We have I λ ( X ; X ; · · · ; X k ) = 1 r − J ( X P ; X P ; · · · ; X P r ) . (16)The following theorem complements Example 7. Theorem 8. [15, Theorem 4.1] For any fractional partition λ B and any X , X , · · · , X k , we have I λ ( X ; X ; · · · ; X k ) ≥ min Π r − J ( X P ; X P ; · · · ; X P r ) where the minimum is over all r ≥ and over all partitions Π = ( P , P , · · · , P r ) of [ k ] into r sets. C A Dependence Balance Bound for I λ Lemma 9.
Given random variables W i , X ij , Y ij and Z j for i ∈ [ k ] , j ∈ [ n ] satisfying X ij = f ij ( W i , Y i [ j − ) , i ∈ [ k ] , j ∈ [ n ] (17) and the Markov chain W [ k ] Y j − k ] Z j − → X [ k ] j → Z j Y [ k ] j , j ∈ [ n ] we have I λ ( W Y n ; W Y n ; · · · ; W k Y nk | Z n ) − I λ ( W ; W ; · · · ; W k ) ≤ n X j =1 I λ ( X j Y j ; X j Y j ; · · · ; X kj Y kj | Z j , Z j − ) − n X j =1 I λ ( X j ; X j ; · · · ; X kj | Z j − ) . roof. We have I λ ( W Y n ; W Y n ; · · · ; W k Y nk | Z n ) − I λ ( W ; W ; · · · ; W k )= n X j =1 (cid:20) I λ ( W Y j ; W Y j ; · · · ; W k Y jk | Z j ) − I λ ( W Y j − ; W Y j − ; · · · ; W k Y j − k | Z j − ) (cid:21) = n X j =1 (cid:20) (1 − X B λ B ) (cid:18) H ( W [ k ] Y j [ k ] | Z j ) − H ( W [ k ] Y j − k ] | Z j − ) (cid:19) + X B λ B (cid:18) H ( W B c Y j B c | Z j ) − H ( W B c Y j − B c | Z j − ) (cid:19)(cid:21) = n X j =1 (cid:20) (1 − X B λ B ) (cid:18) H ( Y [ k ] ,j | X [ k ] ,j Z j ) − I ( Z j ; X [ k ] ,j | Z j − ) (cid:19) + X B λ B (cid:18) H ( Y B c ,j | X B c ,j W B c Y j − B c Z j ) − I ( Z j ; X B c ,j W B c Y j − B c | Z j − ) (cid:19)(cid:21) ≤ n X j =1 (cid:20) (1 − X B λ B ) (cid:18) H ( Y [ k ] ,j | X [ k ] ,j Z j ) − I ( Z j ; X [ k ] ,j | Z j − ) (cid:19) + X B λ B (cid:18) H ( Y B c ,j | X B c ,j Z j ) − I ( Z j ; X B c ,j | Z j − ) (cid:19)(cid:21) = n X j =1 (cid:20) (1 − X B λ B ) (cid:18) H ( X [ k ] ,j Y [ k ] ,j | Z j ) − H ( X [ k ] ,j | Z j − ) (cid:19) + X B λ B (cid:18) H ( X B c ,j Y B c ,j | Z j ) − H ( X B c ,j | Z j − ) (cid:19)(cid:21) = n X j =1 (cid:20) I λ ( X j Y j ; X j Y j ; · · · ; X kj Y kj | Z j , Z j − ) − I λ ( X j ; X j ; · · · ; X kj | Z j − ) (cid:21) . Even though we use Lemma 9 in the context of key agreement rate, it is of independent interest.For example, one can apply Lemma 9 to a k -user MAC with generalized feedback p ( y F , y F , · · · , y F k , y | x , x , · · · , x k ) . Here the X i ’s are channel inputs and the Y F i ’s are the noisy feedback that they receive. The receiversees Y . Suppose first that Y F i = Y for all i which gives an ordinary MAC with feedback. In thiscase, Lemma 9 recovers the “refined dependence balance equations” of [16] as we vary λ . Lemma 9also implies the following outer bound: Theorem 10.
Consider a MAC with two-users with generalized feedback of the form Y F = ( Y, ˜ Y F ) and Y F = ( Y, ˜ Y F ) . Then, any achievable rate pair ( R , R ) satisfies (cid:8) ( R , R ) : R ≤ I ( X ; Y, ˜ Y F | X , T , T ) (18) R ≤ I ( X ; Y, ˜ Y F | X , T , T ) (19) R + R ≤ I ( X , X ; Y, ˜ Y F , ˜ Y F | T , T ) (20) R + R ≤ I ( X , X ; Y | T ) (cid:9) (21)7 or some p ( t , t , x , x ) satisfying I ( X ; X | T , T ) ≤ I ( X ; X | Y, ˜ Y F , ˜ Y F , T , T ) (22) I ( X ; X | T ) ≤ I ( X , ˜ Y F ; X , ˜ Y F | T , Y ) (23) Moreover, one can assume that |T | ≤ and |T | ≤ |X ||X | + 3 . This bound reduces to the bound given in Theorem 1 of [17] if we drop the constraint (23). Thebound is proved by choosing T = ( Q, Y Q − ) and T = ( ˜ Y Q − F , ˜ Y Q − F ) where Q is the time-sharingvariable. Equations (18)-(20) and (22) follow from Theorem 1 of [17]. Equations (21) and (23)are new. We show these two equations for an arbitrary k -user MAC. Let M i be the message oftransmitter i . Then, Lemma 9 implies0 ≤ I λ ( M Y nF ; M Y nF ; · · · ; M k Y nF k | Y n ) − I λ ( M ; M ; · · · ; M k ) ≤ n X j =1 I λ ( X j Y F j ; X j Y F j ; · · · ; X kj Y F k j | Y j , Y j − ) − n X j =1 I λ ( X j ; X j ; · · · ; X kj | Y j − )Next, we also have n k X i =1 R i = H ( M [ k ] ) (24)= I ( M [ k ] ; Y n ) + nk ( ǫ ) (25)= n X j =1 I ( M [ k ] ; Y j | Y j − ) (26) ≤ n X j =1 I ( M [ k ] Y j − F [ k ] ; Y j | Y j − ) (27)= n X j =1 I ( M [ k ] Y j − F [ k ] X [ k ] ; Y j | Y j − ) (28)= n X j =1 I ( X [ k ] ; Y j | Y j − ) (29)Letting T = ( Q, Y Q − ) for a time sharing variable Q gives the desired bound. References [1] I. Csisz´ar and P. Narayan, “Secrecy capacities for multiterminal channel models,”
IEEE Trans-actions on Information Theory , vol. 54, no. 6, pp. 2437–2452, 2008.[2] ——, “Secrecy generation for multiaccess channel models,”
IEEE transactions on informationtheory , vol. 59, no. 1, pp. 17–31, 2012.[3] H. Tyagi and S. Watanabe, “Secret key capacity for multipleaccess channel with public feed-back,” in . IEEE, 2013, pp. 1–7. 84] E. Ardestanizadeh, M. Franceschetti, T. Javidi, and Y.-H. Kim, “Wiretap channel with securerate-limited feedback,”
IEEE Transactions on Information Theory , vol. 55, no. 12, pp. 5353–5361, 2009.[5] E. Tekin and A. Yener, “The general gaussian multiple-access and two-way wiretap chan-nels: Achievable rates and cooperative jamming,”
IEEE Transactions on Information Theory ,vol. 54, no. 6, pp. 2735–2751, 2008.[6] L. Lai, H. El Gamal, and H. V. Poor, “The wiretap channel with feedback: Encryption overthe channel,”
IEEE Transactions on Information Theory , vol. 54, no. 11, pp. 5059–5067, 2008.[7] A. J. Pierrot and M. R. Bloch, “Strongly secure communications over the two-way wiretapchannel,”
IEEE Transactions on Information Forensics and Security , vol. 6, no. 3, pp. 595–605, 2011.[8] A. El Gamal, O. O. Koyluoglu, M. Youssef, and H. El Gamal, “Achievable secrecy rate regionsfor the two-way wiretap channel,”
IEEE Transactions on Information Theory , vol. 59, no. 12,pp. 8099–8114, 2013.[9] X. He and A. Yener, “The role of feedback in two-way secure communications,”
IEEE Trans-actions on Information Theory , vol. 59, no. 12, pp. 8115–8130, 2013.[10] A. Poostindouz and R. Safavi-Naini, “A channel model of transceivers for multiterminal secretkey agreement,” arXiv:2008.02977 .[11] A. Gohari and V. Anantharam, “Information-theoretic key agreement of multiple terminalsparti,”
IEEE Transactions on Information Theory , vol. 56, no. 8, pp. 3973–3996, 2010.[12] ——, “Information-theoretic key agreement of multiple terminalspart ii: Channel model,”
IEEE Transactions on Information Theory , vol. 56, no. 8, pp. 3997–4010, 2010.[13] C. Chan and L. Zheng, “Multiterminal secret key agreement,”
IEEE transactions on informa-tion theory , vol. 60, no. 6, pp. 3379–3412, 2014.[14] A. Gohari and C. Nair, “Outer bounds for multiuser settings: the auxiliary receiver approach.”[Online]. Available: http://chandra.ie.cuhk.edu.hk/pub/papers/NIT/Auxiliary-Receiver.pdf[15] C. Chan, A. Al-Bashabsheh, J. B. Ebrahimi, T. Kaced, and T. Liu, “Multivariate mutualinformation inspired by secret-key agreement,”
Proceedings of the IEEE , vol. 103, no. 10, pp.1883–1913, 2015.[16] G. Kramer and M. Gastpar, “Dependence balance and the gaussian multiaccess channel withfeedback,” in . IEEE, 2006,pp. 198–202.[17] R. Tandon and S. Ulukus, “Dependence balance based outer bounds for gaussian networkswith cooperation and feedback,”