Distributed Source Coding with Encryption Using Correlated Keys
Yasutada Oohama and Bagus Santoso
University of Electro-Communications, Tokyo, Japan
Email: {oohama,santoso.bagus}@uec.ac.jp
Abstract: We pose and investigate the distributed secure source coding based on the common key cryptosystem. This cryptosystem includes the secrecy amplification problem for distributed encrypted sources with correlated keys using post-encryption-compression, which was posed and investigated by Santoso and Oohama. In this paper we propose a new security criterion which is generally stricter than the commonly used security criterion based on the upper bound of the mutual information between the plaintext and the ciphertext. Under this criterion, we establish the necessary and sufficient condition for the secure transmission of correlated sources.
I. INTRODUCTION
In this paper we pose and investigate the distributed secure source coding based on the common key cryptosystem. This cryptosystem includes the secrecy amplification problem for distributed encrypted sources with correlated keys using post-encryption-compression (PEC), which was posed and investigated by Santoso and Oohama in [1], [2]. In this paper we propose a new security criterion which is generally stricter than the commonly used security criterion based on the upper bound of the mutual information between the plaintext and the ciphertext. Under this criterion, we establish the necessary and sufficient condition for the secure transmission of correlated sources.

Our results imply that the sufficient condition for the secure transmission derived by Santoso and Oohama [1], [2] is tight. Our study in this paper is closely related to several previous works on the PEC, e.g., Johnson et al. [3], Klinc et al. [4]. Our study also has a close connection with several previous works on the Shannon cipher system, e.g., [5], [6], [7].

II. SECURE SOURCE CODING PROBLEM
A. Preliminaries
In this subsection, we present the basic notation and related conventions used in this paper.
Random Sources of Information and Keys:
Let $(X_1, X_2)$ be a pair of random variables from a finite set $\mathcal{X}_1 \times \mathcal{X}_2$. Let $\{(X_{1,t}, X_{2,t})\}_{t=1}^{\infty}$ be a stationary discrete memoryless source (DMS) such that for each $t = 1, 2, \ldots$, the pair $(X_{1,t}, X_{2,t})$ takes values in the finite set $\mathcal{X}_1 \times \mathcal{X}_2$ and obeys the same distribution as that of $(X_1, X_2)$, denoted by $p_{X_1X_2} = \{p_{X_1X_2}(x_1, x_2)\}_{(x_1,x_2) \in \mathcal{X}_1 \times \mathcal{X}_2}$. The stationary DMS $\{(X_{1,t}, X_{2,t})\}_{t=1}^{\infty}$ is specified with $p_{X_1X_2}$. Also, let $(K_1, K_2)$ be a pair of random variables taken from the same finite set $\mathcal{X}_1 \times \mathcal{X}_2$, representing the pair of keys used for encryption at two separate terminals, of which the detailed description will be presented later. Similarly, let $\{(K_{1,t}, K_{2,t})\}_{t=1}^{\infty}$ be a stationary discrete memoryless source such that for each $t = 1, 2, \ldots$, the pair $(K_{1,t}, K_{2,t})$ takes values in the finite set $\mathcal{X}_1 \times \mathcal{X}_2$ and obeys the same distribution as that of $(K_1, K_2)$, denoted by $p_{K_1K_2} = \{p_{K_1K_2}(k_1, k_2)\}_{(k_1,k_2) \in \mathcal{X}_1 \times \mathcal{X}_2}$. The stationary DMS $\{(K_{1,t}, K_{2,t})\}_{t=1}^{\infty}$ is specified with $p_{K_1K_2}$.

Random Variables and Sequences:
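We write the sequence of random variables with length $n$ from the information source as follows: $\mathbf{X}_1 := X_{1,1} X_{1,2} \cdots X_{1,n}$, $\mathbf{X}_2 := X_{2,1} X_{2,2} \cdots X_{2,n}$. Similarly, the strings with length $n$ of $\mathcal{X}_1^n$ and $\mathcal{X}_2^n$ are written as $\mathbf{x}_1 := x_{1,1} x_{1,2} \cdots x_{1,n} \in \mathcal{X}_1^n$ and $\mathbf{x}_2 := x_{2,1} x_{2,2} \cdots x_{2,n} \in \mathcal{X}_2^n$, respectively. For $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$, $p_{\mathbf{X}_1\mathbf{X}_2}(\mathbf{x}_1, \mathbf{x}_2)$ stands for the probability of the occurrence of $(\mathbf{x}_1, \mathbf{x}_2)$. When the information source is memoryless, specified with $p_{X_1X_2}$, the following equation holds:
$$p_{\mathbf{X}_1\mathbf{X}_2}(\mathbf{x}_1, \mathbf{x}_2) = \prod_{t=1}^{n} p_{X_1X_2}(x_{1,t}, x_{2,t}).$$
In this case we write $p_{\mathbf{X}_1\mathbf{X}_2}(\mathbf{x}_1, \mathbf{x}_2)$ as $p^n_{X_1X_2}(\mathbf{x}_1, \mathbf{x}_2)$. Similar notations are used for other random variables and sequences.

Conventions and Notation: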
Without loss of generality, throughout this paper, we assume that $\mathcal{X}_1$ and $\mathcal{X}_2$ are finite fields. The notation $\oplus$ is used to denote the field addition operation, while the notation $\ominus$ is used to denote the field subtraction operation, i.e., $a \ominus b = a \oplus (-b)$ for any elements $a, b$ of the same finite field. For the sake of simplicity, we use the same notation for field addition and subtraction for both $\mathcal{X}_1$ and $\mathcal{X}_2$. Throughout this paper all logarithms are taken to the base 2.

B. Basic System Description
First, let the information sources and keys be generated independently by different parties $S_{\mathrm{gen}}$ and $K_{\mathrm{gen}}$, respectively. In our setting, we assume the following.
• The random keys $\mathbf{K}_1$ and $\mathbf{K}_2$ are generated by $K_{\mathrm{gen}}$.
• The key $\mathbf{K}_1$ is correlated to $\mathbf{K}_2$.
• The sources $\mathbf{X}_1$ and $\mathbf{X}_2$ are generated by $S_{\mathrm{gen}}$ and are correlated to each other.
• The sources are independent of the keys.
Source coding without encryption:
The two correlated random sources $\mathbf{X}_1$ and $\mathbf{X}_2$ from $S_{\mathrm{gen}}$ are sent to two separated nodes $E_1$ and $E_2$, respectively. Further settings of the system are described as follows. Those are also shown in Fig. 1.

[Fig. 1. Distributed source coding without encryption.]

[Fig. 2. Distributed source coding with encryption.]

1) Encoding Process:
For each $i = 1, 2$, at the node $E_i$, the encoder function $\phi_i^{(n)}: \mathcal{X}_i^n \to \mathcal{X}_i^{m_i}$ observes $\mathbf{X}_i$ to generate $\tilde{X}_i^{m_i} = \phi_i^{(n)}(\mathbf{X}_i)$. Without loss of generality we may assume that $\phi_i^{(n)}$ is surjective.
2) Transmission:
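Next, the encoded sources $\tilde{X}_i^{m_i}$, $i = 1, 2$, are sent to the information processing center D through two noiseless channels.
3) Decoding Process: In D, the decoder function observes $\tilde{X}_i^{m_i}$, $i = 1, 2$, to output $(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2)$, using the one-to-one mapping $\psi^{(n)}$ defined by $\psi^{(n)}: \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} \to \mathcal{X}_1^n \times \mathcal{X}_2^n$. Here we set
$$(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2) := \psi^{(n)}(\tilde{X}_1^{m_1}, \tilde{X}_2^{m_2}) = \psi^{(n)}\left(\phi_1^{(n)}(\mathbf{X}_1), \phi_2^{(n)}(\mathbf{X}_2)\right).$$
More concretely, the decoder outputs the unique pair $(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2)$ from $(\phi_1^{(n)})^{-1}(\tilde{X}_1^{m_1}) \times (\phi_2^{(n)})^{-1}(\tilde{X}_2^{m_2})$ in a proper manner.

For the above $(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)})$, we define the set $\mathcal{D}^{(n)}$ of correct decoding by
$$\mathcal{D}^{(n)} := \{(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n : \psi^{(n)}(\phi_1^{(n)}(\mathbf{x}_1), \phi_2^{(n)}(\mathbf{x}_2)) = (\mathbf{x}_1, \mathbf{x}_2)\}.$$
On $|\mathcal{D}^{(n)}|$, we have the following property.

Property 1: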
We have the following.
$$|\mathcal{D}^{(n)}| = |\mathcal{X}_1^{m_1}||\mathcal{X}_2^{m_2}|. \tag{1}$$
Proof of Property 1 is given in Appendix A.

Distributed source coding with encryption:
The two correlated random sources $\mathbf{X}_1$ and $\mathbf{X}_2$ from $S_{\mathrm{gen}}$ are sent to two separated nodes $L_1$ and $L_2$, respectively. The two random keys $\mathbf{K}_1$ and $\mathbf{K}_2$ from $K_{\mathrm{gen}}$ are also sent to $L_1$ and $L_2$, respectively. Further settings of our system are described as follows. Those are also shown in Fig. 2.
1) Source Processing:
For each $i = 1, 2$, at the node $L_i$, $\mathbf{X}_i$ is encrypted with the key $\mathbf{K}_i$ using the encryption function $\Phi_i^{(n)}: \mathcal{X}_i^n \times \mathcal{X}_i^n \to \mathcal{X}_i^{m_i}$. For each $i = 1, 2$, the ciphertext $C_i^{m_i}$ of $\mathbf{X}_i$ is given by $C_i^{m_i} = \Phi_i^{(n)}(\mathbf{K}_i, \mathbf{X}_i)$. On the encryption function $\Phi_i^{(n)}$, $i = 1, 2$, we use the following notation:
$$\Phi_i^{(n)}(\mathbf{K}_i, \mathbf{X}_i) = \Phi_{i,\mathbf{K}_i}^{(n)}(\mathbf{X}_i) = \Phi_{i,\mathbf{X}_i}^{(n)}(\mathbf{K}_i).$$
2) Transmission:
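Next, the ciphertexts $C_i^{m_i}$, $i = 1, 2$, are sent to the information processing center D through two public communication channels. Meanwhile, the keys $\mathbf{K}_i$, $i = 1, 2$, are sent to D through two private communication channels.
3) Sink Node Processing: In D, we decrypt the ciphertexts $C_i^{m_i}$, $i = 1, 2$, into $(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2)$ using the keys $\mathbf{K}_i$, $i = 1, 2$, through the corresponding decryption procedure $\Psi^{(n)}$ defined by $\Psi^{(n)}: \mathcal{X}_1^n \times \mathcal{X}_2^n \times \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} \to \mathcal{X}_1^n \times \mathcal{X}_2^n$. Here we set
$$(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2) := \Psi^{(n)}(\mathbf{K}_1, \mathbf{K}_2, C_1^{m_1}, C_2^{m_2}).$$
More concretely, the decoder outputs the unique pair $(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2)$ from $(\Phi_{1,\mathbf{K}_1}^{(n)})^{-1}(C_1^{m_1}) \times (\Phi_{2,\mathbf{K}_2}^{(n)})^{-1}(C_2^{m_2})$ in a proper manner. On the decryption function $\Psi^{(n)}$, we use the following notation:
$$\Psi^{(n)}(\mathbf{K}_1, \mathbf{K}_2, C_1^{m_1}, C_2^{m_2}) = \Psi_{\mathbf{K}_1,\mathbf{K}_2}^{(n)}(C_1^{m_1}, C_2^{m_2}) = \Psi_{C_1^{m_1},C_2^{m_2}}^{(n)}(\mathbf{K}_1, \mathbf{K}_2).$$
Fix any $(\mathbf{K}_1, \mathbf{K}_2) = (\mathbf{k}_1, \mathbf{k}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$. For this $(\mathbf{K}_1, \mathbf{K}_2)$ and for $(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})$, we define the set $\mathcal{D}_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}$ of correct decoding by
$$\mathcal{D}_{\mathbf{k}_1,\mathbf{k}_2}^{(n)} := \{(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n : \Psi^{(n)}(\Phi_1^{(n)}(\mathbf{k}_1, \mathbf{x}_1), \Phi_2^{(n)}(\mathbf{k}_2, \mathbf{x}_2)) = (\mathbf{x}_1, \mathbf{x}_2)\}.$$
We require that the cryptosystem $(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})$ must satisfy the following condition.

Condition: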
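For each distributed source encryption system $(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})$, there exists a distributed source coding system $(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)})$ such that for any $(\mathbf{k}_1, \mathbf{k}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$ and for any $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$,
$$\Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) = \psi^{(n)}(\phi_1^{(n)}(\mathbf{x}_1), \phi_2^{(n)}(\mathbf{x}_2)).$$
The above condition implies that
$$\mathcal{D}^{(n)} = \mathcal{D}_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}, \quad \forall (\mathbf{k}_1, \mathbf{k}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n.$$
We have the following properties on $\mathcal{D}^{(n)}$.

Property 2:
a) If $(\mathbf{x}_1, \mathbf{x}_2), (\mathbf{x}_1', \mathbf{x}_2') \in \mathcal{D}^{(n)}$ and $(\mathbf{x}_1, \mathbf{x}_2) \neq (\mathbf{x}_1', \mathbf{x}_2')$, then
$$(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) \neq (\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1'), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2')).$$
b) $\forall (\mathbf{k}_1, \mathbf{k}_2)$ and $\forall (c_1^{m_1}, c_2^{m_2})$, $\exists (\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}$ such that
$$(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) = (c_1^{m_1}, c_2^{m_2}).$$
Proof of Property 2 is given in Appendix B. From Property 2, we have the following result, which is a key result of this paper.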
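Lemma 1: $\forall (c_1^{m_1}, c_2^{m_2}) \in \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2}$, we have
$$\sum_{(\mathbf{x}_1,\mathbf{x}_2) \in \mathcal{D}^{(n)}} p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(c_1^{m_1}, c_2^{m_2}|\mathbf{x}_1, \mathbf{x}_2) = 1.$$
Proof of Lemma 1 is given in Appendix C. Let $(\check{C}_1^{m_1}, \check{C}_2^{m_2}, \check{X}_1^n, \check{X}_2^n)$ be a quadruple of random variables. We assume that $p_{\check{C}_1^{m_1}\check{C}_2^{m_2}|\check{\mathbf{X}}_1\check{\mathbf{X}}_2} = p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}$. We further assume that $p_{\check{\mathbf{X}}_1\check{\mathbf{X}}_2}$ is the uniform distribution over $\mathcal{D}^{(n)}$. Then by Lemma 1 we have that
$$\sum_{(\mathbf{x}_1,\mathbf{x}_2) \in \mathcal{D}^{(n)}} p_{\check{C}_1^{m_1}\check{C}_2^{m_2}\check{\mathbf{X}}_1\check{\mathbf{X}}_2}(c_1^{m_1}, c_2^{m_2}, \mathbf{x}_1, \mathbf{x}_2) = \frac{1}{|\mathcal{X}_1^{m_1}||\mathcal{X}_2^{m_2}|}.$$
Hence $p_{\check{C}_1^{m_1}\check{C}_2^{m_2}}$ is the uniform distribution over $\mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2}$.

III. MAIN RESULTS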
A. Proposed Security Criterion
In this section, we introduce our proposed security criterion. We first provide several definitions.
Definitions of Random variables:
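For each $i = 1, 2$, let $C_{i,\mathbf{x}_i}^{m_i}$ be a random variable having the distribution $p_{C_i^{m_i}|\mathbf{X}_i}(\cdot|\mathbf{x}_i)$. We assume that for $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$, the pair $(C_{1,\mathbf{x}_1}^{m_1}, C_{2,\mathbf{x}_2}^{m_2})$ has the joint distribution $p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(\cdot, \cdot|\mathbf{x}_1, \mathbf{x}_2)$.

Definition 1: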
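For any $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$, we define the following:
$$\begin{aligned}
\Delta^{(n)}(\mathbf{x}_1, \mathbf{x}_2) &:= \sum_{(c_1^{m_1},c_2^{m_2}) \in \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2}} p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(c_1^{m_1}, c_2^{m_2}|\mathbf{x}_1, \mathbf{x}_2) \log \frac{p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(c_1^{m_1}, c_2^{m_2}|\mathbf{x}_1, \mathbf{x}_2)}{p_{\check{C}_1^{m_1}\check{C}_2^{m_2}}(c_1^{m_1}, c_2^{m_2})} \\
&= D(C_{1,\mathbf{x}_1}^{m_1} C_{2,\mathbf{x}_2}^{m_2} \,\|\, \check{C}_1^{m_1}\check{C}_2^{m_2}) \\
&= D(p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(\cdot, \cdot|\mathbf{x}_1, \mathbf{x}_2) \,\|\, p_{\check{C}_1^{m_1}\check{C}_2^{m_2}}).
\end{aligned}$$
Furthermore define:
$$\Delta^{(n)} := \sum_{(\mathbf{x}_1,\mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n} p_{\mathbf{X}_1\mathbf{X}_2}(\mathbf{x}_1, \mathbf{x}_2) \Delta^{(n)}(\mathbf{x}_1, \mathbf{x}_2) = D(p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2} \,\|\, p_{\check{C}_1^{m_1}\check{C}_2^{m_2}} \,|\, p_{\mathbf{X}_1\mathbf{X}_2}).$$
We have the following property on $\Delta^{(n)}$.

Property 3:
a) If $I(C_1^{m_1}C_2^{m_2}; \mathbf{X}_1\mathbf{X}_2) = 0$, then we have $\Delta^{(n)} = 0$. This implies that the quantity $\Delta^{(n)}$ is valid as a measure of information leakage.
b) By the definition of $\Delta^{(n)}$, we have
$$\Delta^{(n)} = I(C_1^{m_1}C_2^{m_2}; \mathbf{X}_1\mathbf{X}_2) + D(p_{C_1^{m_1}C_2^{m_2}} \,\|\, p_{\check{C}_1^{m_1}\check{C}_2^{m_2}}) \geq I(C_1^{m_1}C_2^{m_2}; \mathbf{X}_1\mathbf{X}_2).$$
This implies that the security measure $\Delta^{(n)}$ is stronger than the mutual information security measure $\Delta_{\mathrm{MI}}^{(n)} := I(C_1^{m_1}C_2^{m_2}; \mathbf{X}_1\mathbf{X}_2)$.

Defining Reliability and Security: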
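The decoding process is successful if $(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2) = (\mathbf{X}_1, \mathbf{X}_2)$ holds. Hence the decoding error probability is given by
$$\begin{aligned}
&\Pr[\Psi^{(n)}(\mathbf{K}_1, \mathbf{K}_2, \Phi_1^{(n)}(\mathbf{K}_1, \mathbf{X}_1), \Phi_2^{(n)}(\mathbf{K}_2, \mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)] \\
&= \Pr[\Psi_{\mathbf{K}_1,\mathbf{K}_2}^{(n)}(\Phi_{1,\mathbf{K}_1}^{(n)}(\mathbf{X}_1), \Phi_{2,\mathbf{K}_2}^{(n)}(\mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)] \\
&= \Pr[\psi^{(n)}(\phi_1^{(n)}(\mathbf{X}_1), \phi_2^{(n)}(\mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)] \\
&= \Pr[(\mathbf{X}_1, \mathbf{X}_2) \notin \mathcal{D}^{(n)}].
\end{aligned}$$
Since the above quantity depends only on $(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)})$, we write the error probability $p_e$ of decoding as
$$p_e = p_e(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)} \,|\, p^n_{X_1X_2}, p^n_{K_1K_2}) := \Pr[(\mathbf{X}_1, \mathbf{X}_2) \notin \mathcal{D}^{(n)}].$$
Since $\Delta^{(n)}$ depends on $(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})$, we write this quantity as
$$\Delta^{(n)} = \Delta^{(n)}(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)} \,|\, p^n_{X_1X_2}, p^n_{K_1K_2}).$$

Definition 2: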
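We fix some positive constant $\varepsilon_0$. For a fixed pair $(\varepsilon, \delta) \in [0, \varepsilon_0] \times (0, 1)$, $(R_1, R_2)$ is $(\varepsilon, \delta)$-admissible if there exists a sequence $\{(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})\}_{n \geq 1}$ such that $\forall \gamma > 0$, $\exists n_0 = n_0(\gamma) \in \mathbb{N}$, $\forall n \geq n_0$, we have
$$\begin{aligned}
&\frac{1}{n} \log |\mathcal{X}_i^{m_i}| = \frac{m_i}{n} \log |\mathcal{X}_i| \in [R_i - \gamma, R_i + \gamma], \quad i = 1, 2, \\
&p_e(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)} \,|\, p^n_{X_1X_2}, p^n_{K_1K_2}) \leq \delta, \\
&\Delta^{(n)}(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)} \,|\, p^n_{X_1X_2}, p^n_{K_1K_2}) \leq \varepsilon.
\end{aligned}$$

Definition 3: (Reliable and Secure Rate Set)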
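Let $\mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2})$ denote the set of all $(R_1, R_2)$ such that $(R_1, R_2)$ is $(\varepsilon, \delta)$-admissible. Furthermore, set
$$\mathcal{R}(p_{X_1X_2}, p_{K_1K_2}) := \bigcap_{(\varepsilon,\delta) \in (0,\varepsilon_0] \times (0,1)} \mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2}).$$
We call $\mathcal{R}(p_{X_1X_2}, p_{K_1K_2})$ the reliable and secure rate set.

B. Strong Converse for the Distributed Source Encryption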
To state our results on $\mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2})$ for $(\varepsilon, \delta) \in [0, \varepsilon_0] \times (0, 1)$, define the following two regions:
$$\begin{aligned}
\mathcal{R}_{\mathrm{sw}}(p_{X_1X_2}) &:= \{(R_1, R_2) : R_1 \geq H(X_1|X_2),\ R_2 \geq H(X_2|X_1),\ R_1 + R_2 \geq H(X_1X_2)\}, \\
\mathcal{R}_{\mathrm{key}}(p_{K_1K_2}) &:= \{(R_1, R_2) : R_1 \leq H(K_1),\ R_2 \leq H(K_2),\ R_1 + R_2 \leq H(K_1K_2)\}.
\end{aligned}$$
Santoso and Oohama [1], [2] proved that the bound $\mathcal{R}_{\mathrm{key}}(p_{K_1K_2}) \cap \mathcal{R}_{\mathrm{sw}}(p_{X_1X_2})$ serves as an inner bound of $\mathcal{R}(p_{X_1X_2}, p_{K_1K_2})$ in the case where the security criterion is measured by the mutual information $\Delta_{\mathrm{MI}}^{(n)}$. By a simple observation we can see that their post-encryption-compression scheme yields the same bound in the present case, where the security criterion is measured by $\Delta^{(n)}$. Hence we have the following theorem:

Theorem 1:
For each $(\varepsilon, \delta) \in (0, \varepsilon_0] \times (0, 1)$, we have
$$\mathcal{R}_{\mathrm{key}}(p_{K_1K_2}) \cap \mathcal{R}_{\mathrm{sw}}(p_{X_1X_2}) \subseteq \mathcal{R}(p_{X_1X_2}, p_{K_1K_2}) \subseteq \mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2}).$$
An outline of the proof of this theorem will be given in the next section. We next derive one outer bound by a simple observation based on previous works on the distributed source coding for correlated sources. From the communication scheme we can see that the common key cryptosystem can be regarded as a data compression system, where for each $i = 1, 2$, the encoder $\Phi_i^{(n)}$ and the decoder $\Psi^{(n)}$ can use the common side information $\mathbf{K}_i$. By the strong converse coding theorem for this data compression system [8], we have that if
$$R_1 < H(X_1|X_2K_1K_2) = H(X_1|X_2) \quad \text{or} \quad R_2 < H(X_2|X_1K_1K_2) = H(X_2|X_1) \quad \text{or} \quad R_1 + R_2 < H(X_1X_2|K_1K_2) = H(X_1X_2),$$
then $\forall \tau \in (0, 1)$, $\forall \gamma > 0$, and $\forall \{(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)})\}_{n \geq 1}$, $\exists n_0 = n_0(\tau, \gamma) \in \mathbb{N}$, $\forall n \geq n_0$, we have the following:
$$\frac{m_i}{n} \log |\mathcal{X}_i| \leq R_i + \gamma, \quad i = 1, 2, \qquad p_e(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)} \,|\, p^n_{X_1X_2}, p^n_{K_1K_2}) \geq 1 - \tau.$$
Hence we have the following theorem.
Theorem 2:
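For each $(\varepsilon, \delta) \in (0, \varepsilon_0] \times (0, 1)$, we have
$$\mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2}) \subseteq \mathcal{R}_{\mathrm{sw}}(p_{X_1X_2}).$$
In this paper we prove that for some $\varepsilon_0 > 0$, the set $\mathcal{R}_{\mathrm{key}}(p_{K_1K_2})$ serves as an outer bound of $\mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2})$ for $(\varepsilon, \delta) \in (0, \varepsilon_0] \times (0, 1)$. The following is the key lemma to derive the above result.

Lemma 2:
$$\max\{m_1 \log |\mathcal{X}_1| - nH(K_1),\ m_2 \log |\mathcal{X}_2| - nH(K_2),\ m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - nH(K_1K_2)\} \leq \Delta^{(n)}. \tag{2}$$
Proof of this lemma is given in Appendix D. As an immediate consequence of the above lemma, we have the following proposition.

Proposition 1: If $(R_1, R_2) \in \mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2})$, then $\forall \gamma > 0$, $\exists n_0(\gamma)$, $\forall n \geq n_0(\gamma)$, we have
$$R_i \leq H(K_i) + \gamma + \frac{\varepsilon}{n}, \quad i = 1, 2, \qquad R_1 + R_2 \leq H(K_1K_2) + \gamma + \frac{\varepsilon}{n}.$$
From this proposition we have the following theorem.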
Theorem 3:
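For each $(\varepsilon, \delta) \in (0, \varepsilon_0] \times (0, 1)$, we have
$$\mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2}) \subseteq \mathcal{R}_{\mathrm{key}}(p_{K_1K_2}).$$
Combining Theorems 1, 2, and 3, we establish the following: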
Theorem 4:
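For each $(\varepsilon, \delta) \in (0, \varepsilon_0] \times (0, 1)$, we have
$$\mathcal{R}_{\mathrm{key}}(p_{K_1K_2}) \cap \mathcal{R}_{\mathrm{sw}}(p_{X_1X_2}) = \mathcal{R}(p_{X_1X_2}, p_{K_1K_2}) = \mathcal{R}(\varepsilon, \delta \,|\, p_{X_1X_2}, p_{K_1K_2}).$$

IV. OUTLINE OF THE PROOF OF THEOREM 1

$(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})$ is the same as that of Santoso and Oohama [1], [2] for the post-encryption-compression scheme.

Let $\phi^{(n)} := (\phi_1^{(n)}, \phi_2^{(n)})$ be a pair of linear mappings $\phi_1^{(n)}: \mathcal{X}_1^n \to \mathcal{X}_1^{m_1}$ and $\phi_2^{(n)}: \mathcal{X}_2^n \to \mathcal{X}_2^{m_2}$. For each $i = 1, 2$, we define the mapping $\phi_i^{(n)}: \mathcal{X}_i^n \to \mathcal{X}_i^{m_i}$ by
$$\phi_i^{(n)}(\mathbf{x}_i) = \mathbf{x}_i A_i \quad \text{for } \mathbf{x}_i \in \mathcal{X}_i^n, \tag{3}$$
where $A_i$ is a matrix with $n$ rows and $m_i$ columns. For each $i = 1, 2$, entries of $A_i$ are from $\mathcal{X}_i$. We fix $b_i^{m_i} \in \mathcal{X}_i^{m_i}$, $i = 1, 2$. For each $i = 1, 2$, define the mapping $\varphi_i^{(n)}: \mathcal{X}_i^n \to \mathcal{X}_i^{m_i}$ by
$$\varphi_i^{(n)}(\mathbf{k}_i) := \phi_i^{(n)}(\mathbf{k}_i) \oplus b_i^{m_i} = \mathbf{k}_i A_i \oplus b_i^{m_i}, \tag{4}$$
for $\mathbf{k}_i \in \mathcal{X}_i^n$. For each $i = 1, 2$, the mapping $\varphi_i^{(n)}$ is called the affine mapping induced by the linear mapping $\phi_i^{(n)}$ and constant vector $b_i^{m_i} \in \mathcal{X}_i^{m_i}$. For each $i = 1, 2$, define $\Phi_i^{(n)}$ by
$$\Phi_i^{(n)}(\mathbf{k}_i, \mathbf{x}_i) = \varphi_i^{(n)}(\mathbf{k}_i \oplus \mathbf{x}_i).$$
By the definition (4) of $\varphi_i^{(n)}$, $i = 1, 2$, we have
$$\begin{aligned}
\Phi_i^{(n)}(\mathbf{k}_i, \mathbf{x}_i) &= \varphi_i^{(n)}(\mathbf{x}_i \oplus \mathbf{k}_i) = (\mathbf{x}_i \oplus \mathbf{k}_i) A_i \oplus b_i^{m_i} \\
&= \mathbf{x}_i A_i \oplus (\mathbf{k}_i A_i \oplus b_i^{m_i}) = \phi_i^{(n)}(\mathbf{x}_i) \oplus \varphi_i^{(n)}(\mathbf{k}_i), \quad \text{for } \mathbf{x}_i, \mathbf{k}_i \in \mathcal{X}_i^n.
\end{aligned} \tag{5}$$
Set $\varphi^{(n)} := (\varphi_1^{(n)}, \varphi_2^{(n)})$. Next, let $\psi^{(n)}$ be the corresponding joint decoder for $\phi^{(n)}$ such that $\psi^{(n)}: \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} \to \mathcal{X}_1^n \times \mathcal{X}_2^n$. Note that $\psi^{(n)}$ does not have a linear structure in general.

Description of Proposed Procedure: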
We describe the procedure of our privacy amplified system as follows.
1) Encoding of Ciphertexts: First, we use $\varphi_1^{(n)}$ and $\varphi_2^{(n)}$ to encode the ciphertexts $\mathbf{X}_1 \oplus \mathbf{K}_1$ and $\mathbf{X}_2 \oplus \mathbf{K}_2$. Let $C_i^{m_i} = \varphi_i^{(n)}(\mathbf{X}_i \oplus \mathbf{K}_i)$ for $i = 1, 2$. By the affine structure (5) of the encoders we have that for each $i = 1, 2$,
$$\Phi_i^{(n)}(\mathbf{K}_i, \mathbf{X}_i) = C_i^{m_i} = \varphi_i^{(n)}(\mathbf{X}_i \oplus \mathbf{K}_i) = \phi_i^{(n)}(\mathbf{X}_i) \oplus \varphi_i^{(n)}(\mathbf{K}_i) = \widetilde{X}_i^{m_i} \oplus \widetilde{K}_i^{m_i}, \tag{6}$$
where $\widetilde{X}_i^{m_i} := \phi_i^{(n)}(\mathbf{X}_i)$, $\widetilde{K}_i^{m_i} := \varphi_i^{(n)}(\mathbf{K}_i)$.
2) Decoding at Joint Sink Node D: First, using the pair of linear encoders $(\varphi_1^{(n)}, \varphi_2^{(n)})$, D encodes the keys $(\mathbf{K}_1, \mathbf{K}_2)$, which are received through the private channels, into $(\widetilde{K}_1^{m_1}, \widetilde{K}_2^{m_2}) = (\varphi_1^{(n)}(\mathbf{K}_1), \varphi_2^{(n)}(\mathbf{K}_2))$. Receiving $(C_1^{m_1}, C_2^{m_2})$ from the public communication channels, D computes $\widetilde{X}_i^{m_i}$, $i = 1, 2$, in the following way. From (6), we have that for each $i = 1, 2$, the decoder D can obtain $\widetilde{X}_i^{m_i} = \phi_i^{(n)}(\mathbf{X}_i)$ by subtracting $\widetilde{K}_i^{m_i} = \varphi_i^{(n)}(\mathbf{K}_i)$ from $C_i^{m_i}$. Finally, D outputs $(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2)$ by applying the joint decoder $\psi^{(n)}$ to $(\widetilde{X}_1^{m_1}, \widetilde{X}_2^{m_2})$ as follows:
$$(\widehat{\mathbf{X}}_1, \widehat{\mathbf{X}}_2) = \psi^{(n)}(\widetilde{X}_1^{m_1}, \widetilde{X}_2^{m_2}) = \psi^{(n)}(\phi_1^{(n)}(\mathbf{X}_1), \phi_2^{(n)}(\mathbf{X}_2)). \tag{7}$$

[Fig. 3. Our proposed solution: linear encoders as privacy amplifiers.]

We summarize the above argument. For $(\mathbf{K}_1, \mathbf{K}_2)$ and $(C_1^{m_1}, C_2^{m_2})$, define $\Psi^{(n)}$ by
$$\Psi^{(n)}(\mathbf{K}_1, \mathbf{K}_2, C_1^{m_1}, C_2^{m_2}) = \Psi_{\mathbf{K}_1,\mathbf{K}_2}^{(n)}(C_1^{m_1}, C_2^{m_2}) := \psi^{(n)}(C_1^{m_1} \ominus \widetilde{K}_1^{m_1}, C_2^{m_2} \ominus \widetilde{K}_2^{m_2}) = \psi^{(n)}(\widetilde{X}_1^{m_1}, \widetilde{X}_2^{m_2}).$$
By the above definition and $C_i^{m_i} = \Phi_{i,\mathbf{K}_i}^{(n)}(\mathbf{X}_i)$, $i = 1, 2$, we have
$$\Psi_{\mathbf{K}_1,\mathbf{K}_2}^{(n)}(\Phi_{1,\mathbf{K}_1}^{(n)}(\mathbf{X}_1), \Phi_{2,\mathbf{K}_2}^{(n)}(\mathbf{X}_2)) = \psi^{(n)}(\widetilde{X}_1^{m_1}, \widetilde{X}_2^{m_2}) = \psi^{(n)}(\phi_1^{(n)}(\mathbf{X}_1), \phi_2^{(n)}(\mathbf{X}_2)).$$
Hence we have the condition which $(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})$ must satisfy.

In this paper, we use the minimum entropy decoder for our joint decoder $\psi^{(n)}$.

Minimum Entropy Decoder:
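For $\phi_i^{(n)}(\mathbf{x}_i) = \widetilde{x}_i^{m_i}$, $i = 1, 2$, $\psi^{(n)}: \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} \to \mathcal{X}_1^n \times \mathcal{X}_2^n$ is defined as follows:
$$\psi^{(n)}(\widetilde{x}_1^{m_1}, \widetilde{x}_2^{m_2}) := \begin{cases}
(\widehat{\mathbf{x}}_1, \widehat{\mathbf{x}}_2) & \text{if } \phi_i^{(n)}(\widehat{\mathbf{x}}_i) = \widetilde{x}_i^{m_i},\ i = 1, 2, \text{ and } H(\widehat{\mathbf{x}}_1\widehat{\mathbf{x}}_2) < H(\check{\mathbf{x}}_1\check{\mathbf{x}}_2) \\
& \text{for all } (\check{\mathbf{x}}_1, \check{\mathbf{x}}_2) \text{ such that } \phi_i^{(n)}(\check{\mathbf{x}}_i) = \widetilde{x}_i^{m_i},\ i = 1, 2, \\
& \text{and } (\check{\mathbf{x}}_1, \check{\mathbf{x}}_2) \neq (\widehat{\mathbf{x}}_1, \widehat{\mathbf{x}}_2), \\
\text{arbitrary} & \text{if there is no such } (\widehat{\mathbf{x}}_1, \widehat{\mathbf{x}}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n.
\end{cases}$$
Our privacy amplified system described above is illustrated in Fig. 3.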
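The construction of equations (3) to (6) can be checked numerically; the Python example below is added here and is not code from the paper. It assumes constructed toy parameters over GF(2) (n = 3, m_1 = m_2 = 2, the matrices A_i, the vectors b_i and both pmfs), verifies that the sink recovers φ_i(x_i) by subtracting ϕ_i(k_i), and evaluates Δ^(n) of Definition 1 exactly against the mutual-information measure and the bound of Lemma 2; the joint decoder ψ is not implemented.

```python
import itertools
import math

# Constructed toy parameters over GF(2); none of these values come from the paper.
N, M1, M2 = 3, 2, 2                       # block length n, ciphertext lengths m_1, m_2
A1 = [(1, 0), (0, 1), (1, 1)]             # n x m_1 matrix A_1, full column rank (φ_1 surjective)
A2 = [(1, 1), (0, 1), (1, 0)]             # n x m_2 matrix A_2, full column rank (φ_2 surjective)
B1, B2 = (1, 0), (0, 1)                   # constant vectors b_1, b_2
P_KEY = {(0, 0): 0.85, (0, 1): 0.05, (1, 0): 0.05, (1, 1): 0.05}  # p_{K1K2}: biased, correlated
P_SRC = {(0, 0): 0.45, (0, 1): 0.05, (1, 0): 0.05, (1, 1): 0.45}  # p_{X1X2}: correlated

def xor(u, v):
    """Field addition in GF(2)^len; subtraction is the same operation."""
    return tuple(a ^ b for a, b in zip(u, v))

def linear(x, A):
    """Linear encoder φ(x) = x A, equation (3)."""
    return tuple(sum(x[r] * A[r][c] for r in range(len(x))) % 2 for c in range(len(A[0])))

def affine(k, A, b):
    """Affine encoder ϕ(k) = k A ⊕ b, equation (4)."""
    return xor(linear(k, A), b)

def encrypt(k, x, A, b):
    """Φ(k, x) = ϕ(k ⊕ x): encryption with the key followed by compression."""
    return affine(xor(k, x), A, b)

def entropy(pmf):
    return -sum(p * math.log2(p) for p in pmf.values() if p > 0)

def block_pmf(p_single):
    """Memoryless extension: pmf of a pair of length-n sequences."""
    out = {}
    for pairs in itertools.product(p_single, repeat=N):
        seqs = (tuple(a for a, _ in pairs), tuple(b for _, b in pairs))
        out[seqs] = math.prod(p_single[p] for p in pairs)
    return out

def pushforward(pmf, f):
    """Distribution of f(V) when V has distribution pmf."""
    out = {}
    for v, p in pmf.items():
        out[f(v)] = out.get(f(v), 0.0) + p
    return out

def marginal(pmf, idx):
    return pushforward(pmf, lambda v: v[idx])

def analyse():
    keys, srcs = block_pmf(P_KEY), block_pmf(P_SRC)
    uniform = 2.0 ** -(M1 + M2)           # p_Č is uniform on the ciphertext space
    delta, h_c_given_x, p_c, decrypt_ok = 0.0, 0.0, {}, True
    for (x1, x2), px in srcs.items():
        cond = pushforward(keys, lambda k: (encrypt(k[0], x1, A1, B1),
                                            encrypt(k[1], x2, A2, B2)))
        delta += px * sum(p * math.log2(p / uniform) for p in cond.values() if p > 0)
        h_c_given_x += px * entropy(cond)
        for c, p in cond.items():
            p_c[c] = p_c.get(c, 0.0) + px * p
        for k1, k2 in keys:               # sink: C ⊖ ϕ(K) must equal φ(x)
            decrypt_ok &= xor(encrypt(k1, x1, A1, B1), affine(k1, A1, B1)) == linear(x1, A1)
            decrypt_ok &= xor(encrypt(k2, x2, A2, B2), affine(k2, A2, B2)) == linear(x2, A2)
    k_tilde = pushforward(keys, lambda k: (affine(k[0], A1, B1), affine(k[1], A2, B2)))
    h1, h2, h12 = entropy(marginal(P_KEY, 0)), entropy(marginal(P_KEY, 1)), entropy(P_KEY)
    return {
        "delta": delta,                                        # Δ^(n), Definition 1
        "delta_from_keys": M1 + M2 - entropy(k_tilde),         # m_1 + m_2 − H(K̃_1 K̃_2)
        "mutual_information": entropy(p_c) - h_c_given_x,      # Δ_MI^(n)
        "lemma2_bound": max(M1 - N * h1, M2 - N * h2, M1 + M2 - N * h12),
        "decrypt_ok": decrypt_ok,
    }

if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

With these low-entropy keys the Lemma 2 bound is strictly positive, so Δ^(n) cannot be driven to zero at this rate, which is the situation the outer bound of Theorem 3 describes.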
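Evaluations of the reliability and security:
On the error probability $p_e$ of decoding we have
$$\begin{aligned}
p_e &= \Pr[\Psi^{(n)}(\mathbf{K}_1, \mathbf{K}_2, \Phi_1^{(n)}(\mathbf{K}_1, \mathbf{X}_1), \Phi_2^{(n)}(\mathbf{K}_2, \mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)] \\
&= \Pr[\Psi_{\mathbf{K}_1,\mathbf{K}_2}^{(n)}(\Phi_{1,\mathbf{K}_1}^{(n)}(\mathbf{X}_1), \Phi_{2,\mathbf{K}_2}^{(n)}(\mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)] \\
&= \Pr[\psi^{(n)}(\phi_1^{(n)}(\mathbf{X}_1), \phi_2^{(n)}(\mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)].
\end{aligned}$$
Computing $\Delta^{(n)}$, we have
$$\begin{aligned}
\Delta^{(n)} &= D(p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2} \,\|\, p_{\check{C}_1^{m_1}\check{C}_2^{m_2}} \,|\, p_{\mathbf{X}_1\mathbf{X}_2}) \\
&= m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - H(C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2) \\
&= m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - H(\widetilde{K}_1^{m_1} \oplus \widetilde{X}_1^{m_1}, \widetilde{K}_2^{m_2} \oplus \widetilde{X}_2^{m_2}|\mathbf{X}_1\mathbf{X}_2) \\
&= m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - H(\widetilde{K}_1^{m_1}\widetilde{K}_2^{m_2}) \\
&= D(p_{\widetilde{K}_1^{m_1}\widetilde{K}_2^{m_2}} \,\|\, p_{U_1^{m_1}U_2^{m_2}}).
\end{aligned}$$
Here $p_{U_1^{m_1}U_2^{m_2}}$ is the uniform distribution over $\mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2}$. According to Santoso and Oohama [2], $\exists \{(\Phi_1^{(n)}, \Phi_2^{(n)}, \Psi^{(n)})\}_{n \geq 1}$ such that for any $(p_{X_1X_2}, p_{K_1K_2})$ satisfying
$$\left(\frac{m_1}{n} \log |\mathcal{X}_1|, \frac{m_2}{n} \log |\mathcal{X}_2|\right) \in \mathcal{R}_{\mathrm{key}}(p_{K_1K_2}) \cap \mathcal{R}_{\mathrm{sw}}(p_{X_1X_2}),$$
the two quantities
$$\Pr[\psi^{(n)}(\phi_1^{(n)}(\mathbf{X}_1), \phi_2^{(n)}(\mathbf{X}_2)) \neq (\mathbf{X}_1, \mathbf{X}_2)] \quad \text{and} \quad D(p_{\widetilde{K}_1^{m_1}\widetilde{K}_2^{m_2}} \,\|\, p_{U_1^{m_1}U_2^{m_2}})$$
decay exponentially as $n$ tends to infinity. Hence we have Theorem 1.

APPENDIX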
A. Proof of Property 1

Proof of Property 1:
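We have the following:
$$\begin{aligned}
\mathcal{D}^{(n)} &\overset{\mathrm{(a)}}{=} \{(\mathbf{x}_1, \mathbf{x}_2) = \psi^{(n)}(\tilde{x}_1^{m_1}, \tilde{x}_2^{m_2}) : (\tilde{x}_1^{m_1}, \tilde{x}_2^{m_2}) \in \phi_1^{(n)}(\mathcal{X}_1^n) \times \phi_2^{(n)}(\mathcal{X}_2^n)\} \\
&\overset{\mathrm{(b)}}{=} \{(\mathbf{x}_1, \mathbf{x}_2) = \psi^{(n)}(\tilde{x}_1^{m_1}, \tilde{x}_2^{m_2}) : (\tilde{x}_1^{m_1}, \tilde{x}_2^{m_2}) \in \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2}\}.
\end{aligned} \tag{8}$$
Step (a) follows from the fact that every pair $(\tilde{x}_1^{m_1}, \tilde{x}_2^{m_2}) \in \phi_1^{(n)}(\mathcal{X}_1^n) \times \phi_2^{(n)}(\mathcal{X}_2^n)$ uniquely determines $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}$. Step (b) follows from the fact that $\phi_i^{(n)}$, $i = 1, 2$, are surjective. Since $\psi^{(n)}: \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} \to \mathcal{X}_1^n \times \mathcal{X}_2^n$ is a one-to-one mapping, from (8) we have $|\mathcal{D}^{(n)}| = |\mathcal{X}_1^{m_1}||\mathcal{X}_2^{m_2}|$.

B. Proof of Property 2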
We first prove part a) and next prove part b).
Proof of Property 2 part a):
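Under $(\mathbf{x}_1, \mathbf{x}_2), (\mathbf{x}_1', \mathbf{x}_2') \in \mathcal{D}^{(n)}$ and $(\mathbf{x}_1, \mathbf{x}_2) \neq (\mathbf{x}_1', \mathbf{x}_2')$, we assume that
$$(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) = (\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1'), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2')). \tag{9}$$
Then we have the following:
$$\begin{aligned}
(\mathbf{x}_1, \mathbf{x}_2) &\overset{\mathrm{(a)}}{=} \psi^{(n)}(\phi_1^{(n)}(\mathbf{x}_1), \phi_2^{(n)}(\mathbf{x}_2)) \\
&\overset{\mathrm{(b)}}{=} \Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) \\
&\overset{\mathrm{(c)}}{=} \Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1'), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2')) \\
&\overset{\mathrm{(d)}}{=} \psi^{(n)}(\phi_1^{(n)}(\mathbf{x}_1'), \phi_2^{(n)}(\mathbf{x}_2')) \overset{\mathrm{(e)}}{=} (\mathbf{x}_1', \mathbf{x}_2').
\end{aligned} \tag{10}$$
Steps (a) and (e) follow from the definition of $\mathcal{D}^{(n)}$. Step (c) follows from (9). Steps (b) and (d) follow from the relationship between $(\phi_1^{(n)}, \phi_2^{(n)}, \psi^{(n)})$ and $(\Phi_{1,\mathbf{k}_1}^{(n)}, \Phi_{2,\mathbf{k}_2}^{(n)}, \Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)})$. The equality (10) contradicts the first assumption. Hence we must have Property 2 part a).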
Proof of Property 2 part b):
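We assume that $\exists (\mathbf{k}_1, \mathbf{k}_2)$ and $\exists (c_1^{m_1}, c_2^{m_2})$ such that $\forall (\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}$, $(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) \neq (c_1^{m_1}, c_2^{m_2})$. Set
$$\mathcal{B} := \left\{(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) : (\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}\right\}.$$
Then by the above assumption we have
$$\mathcal{B} \subseteq \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} - \{(c_1^{m_1}, c_2^{m_2})\}. \tag{11}$$
On the other hand we have
$$\begin{aligned}
\Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}(\mathcal{B}) &= \left\{\Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}(\Phi_{1,\mathbf{k}_1}^{(n)}(\mathbf{x}_1), \Phi_{2,\mathbf{k}_2}^{(n)}(\mathbf{x}_2)) : (\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}\right\} \\
&= \left\{\psi^{(n)}(\phi_1^{(n)}(\mathbf{x}_1), \phi_2^{(n)}(\mathbf{x}_2)) : (\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}\right\} = \mathcal{D}^{(n)},
\end{aligned}$$
which, together with the fact that $\Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}: \mathcal{X}_1^{m_1} \times \mathcal{X}_2^{m_2} \to \mathcal{X}_1^n \times \mathcal{X}_2^n$ is a one-to-one mapping, yields that
$$|\mathcal{B}| = |\Psi_{\mathbf{k}_1,\mathbf{k}_2}^{(n)}(\mathcal{B})| = |\mathcal{D}^{(n)}| = |\mathcal{X}_1^{m_1}||\mathcal{X}_2^{m_2}|.$$
The above equality contradicts (11). Hence we must have that $\forall (\mathbf{k}_1, \mathbf{k}_2)$, $\forall (c_1^{m_1}, c_2^{m_2})$, $\exists (\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{D}^{(n)}$ such that $\Phi_{i,\mathbf{k}_i}^{(n)}(\mathbf{x}_i) = c_i^{m_i}$, $i = 1, 2$.

C. Proof of Lemma 1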
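We first define a set necessary for the proof. For $(\mathbf{x}_1, \mathbf{x}_2) \in \mathcal{X}_1^n \times \mathcal{X}_2^n$, we set
$$\mathcal{A}_{\mathbf{x}_1,\mathbf{x}_2}(c_1^{m_1}, c_2^{m_2}) := \left\{(\mathbf{k}_1, \mathbf{k}_2) : \Phi_{i,\mathbf{x}_i}^{(n)}(\mathbf{k}_i) = c_i^{m_i},\ i = 1, 2\right\}.$$

Proof of Lemma 1: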
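By definition we have
$$\begin{aligned}
p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(c_1^{m_1}, c_2^{m_2}|\mathbf{x}_1, \mathbf{x}_2) &= \Pr\left\{(\mathbf{K}_1, \mathbf{K}_2) \in \mathcal{A}_{\mathbf{x}_1,\mathbf{x}_2}(c_1^{m_1}, c_2^{m_2}) \,\middle|\, \mathbf{X}_1 = \mathbf{x}_1, \mathbf{X}_2 = \mathbf{x}_2\right\} \\
&\overset{\mathrm{(a)}}{=} \Pr\{(\mathbf{K}_1, \mathbf{K}_2) \in \mathcal{A}_{\mathbf{x}_1,\mathbf{x}_2}(c_1^{m_1}, c_2^{m_2})\}.
\end{aligned} \tag{12}$$
Step (a) follows from $(\mathbf{K}_1, \mathbf{K}_2) \perp (\mathbf{X}_1, \mathbf{X}_2)$. On the other hand, Property 2 part a) implies that
$$\mathcal{A}_{\mathbf{x}_1,\mathbf{x}_2}(c_1^{m_1}, c_2^{m_2}) \cap \mathcal{A}_{\mathbf{x}_1',\mathbf{x}_2'}(c_1^{m_1}, c_2^{m_2}) = \emptyset \quad \text{for } (\mathbf{x}_1, \mathbf{x}_2) \neq (\mathbf{x}_1', \mathbf{x}_2') \in \mathcal{D}^{(n)}. \tag{13}$$
Furthermore, Property 2 part b) implies that
$$\bigcup_{(\mathbf{x}_1,\mathbf{x}_2) \in \mathcal{D}^{(n)}} \mathcal{A}_{\mathbf{x}_1,\mathbf{x}_2}(c_1^{m_1}, c_2^{m_2}) = \mathcal{X}_1^n \times \mathcal{X}_2^n. \tag{14}$$
From (12), we have the following chain of equalities:
$$\sum_{(\mathbf{x}_1,\mathbf{x}_2) \in \mathcal{D}^{(n)}} p_{C_1^{m_1}C_2^{m_2}|\mathbf{X}_1\mathbf{X}_2}(c_1^{m_1}, c_2^{m_2}|\mathbf{x}_1, \mathbf{x}_2) \overset{\mathrm{(a)}}{=} \Pr\left\{(\mathbf{K}_1, \mathbf{K}_2) \in \bigcup_{(\mathbf{x}_1,\mathbf{x}_2) \in \mathcal{D}^{(n)}} \mathcal{A}_{\mathbf{x}_1,\mathbf{x}_2}(c_1^{m_1}, c_2^{m_2})\right\} \overset{\mathrm{(b)}}{=} 1.$$
Step (a) follows from (13). Step (b) follows from (14).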
D. Proof of Lemma 2
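In this appendix we prove Lemma 2. We first define quantities necessary for the proof. For each $i = 1, 2$ and $\mathbf{x}_i \in \mathcal{X}_i^n$, we define the following:
$$\Delta_i^{(n)}(\mathbf{x}_i) := \sum_{c_i^{m_i} \in \mathcal{X}_i^{m_i}} p_{C_i^{m_i}|\mathbf{X}_i}(c_i^{m_i}|\mathbf{x}_i) \log \frac{p_{C_i^{m_i}|\mathbf{X}_i}(c_i^{m_i}|\mathbf{x}_i)}{p_{\check{C}_i^{m_i}}(c_i^{m_i})} = D(C_{i,\mathbf{x}_i}^{m_i} \,\|\, \check{C}_i^{m_i}) = D(p_{C_i^{m_i}|\mathbf{X}_i}(\cdot|\mathbf{x}_i) \,\|\, p_{\check{C}_i^{m_i}}).$$
Furthermore, for each $i = 1, 2$, define
$$\Delta_i^{(n)} := \sum_{\mathbf{x}_i \in \mathcal{X}_i^n} p_{\mathbf{X}_i}(\mathbf{x}_i) \Delta_i^{(n)}(\mathbf{x}_i) = D(p_{C_i^{m_i}|\mathbf{X}_i} \,\|\, p_{\check{C}_i^{m_i}} \,|\, p_{\mathbf{X}_i}).$$
It is obvious that $\Delta^{(n)} \geq \Delta_i^{(n)}$, $i = 1, 2$.

Proof of Lemma 2: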
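By the definition of $C_{i,\mathbf{x}_i}^{m_i}$, $i = 1, 2$, we have for $i = 1, 2$,
$$\begin{aligned}
\Pr\{C_{i,\mathbf{x}_i}^{m_i} = c_i^{m_i}\} &= \Pr\{C_i^{m_i} = c_i^{m_i} \,|\, \mathbf{X}_i = \mathbf{x}_i\} \\
&= \Pr\left\{\Phi_{i,\mathbf{x}_i}^{(n)}(\mathbf{K}_i) = c_i^{m_i} \,\middle|\, \mathbf{X}_i = \mathbf{x}_i\right\} \overset{\mathrm{(a)}}{=} \Pr\left\{\Phi_{i,\mathbf{x}_i}^{(n)}(\mathbf{K}_i) = c_i^{m_i}\right\}.
\end{aligned} \tag{15}$$
Step (a) follows from $\mathbf{K}_i \perp \mathbf{X}_i$, $i = 1, 2$. Then for $i = 1, 2$, we have the following:
$$\begin{aligned}
\Delta_i^{(n)}(\mathbf{x}_i) &= m_i \log |\mathcal{X}_i| - H(C_{i,\mathbf{x}_i}^{m_i}) \overset{\mathrm{(a)}}{=} m_i \log |\mathcal{X}_i| - H(\Phi_{i,\mathbf{x}_i}^{(n)}(\mathbf{K}_i)) \\
&\overset{\mathrm{(b)}}{\geq} m_i \log |\mathcal{X}_i| - H(\mathbf{K}_i) = m_i \log |\mathcal{X}_i| - nH(K_i).
\end{aligned} \tag{16}$$
Step (a) follows from (15). Step (b) follows from the data processing inequality. Hence from (16), we have
$$\Delta_i^{(n)} \geq m_i \log |\mathcal{X}_i| - nH(K_i) \quad \text{for } i = 1, 2. \tag{17}$$
Furthermore, we have
$$\begin{aligned}
\Pr\{C_{1,\mathbf{x}_1}^{m_1} = c_1^{m_1}, C_{2,\mathbf{x}_2}^{m_2} = c_2^{m_2}\} &= \Pr\{C_1^{m_1} = c_1^{m_1}, C_2^{m_2} = c_2^{m_2} \,|\, \mathbf{X}_1 = \mathbf{x}_1, \mathbf{X}_2 = \mathbf{x}_2\} \\
&= \Pr\left\{\Phi_{1,\mathbf{x}_1}^{(n)}(\mathbf{K}_1) = c_1^{m_1}, \Phi_{2,\mathbf{x}_2}^{(n)}(\mathbf{K}_2) = c_2^{m_2} \,\middle|\, \mathbf{X}_1 = \mathbf{x}_1, \mathbf{X}_2 = \mathbf{x}_2\right\} \\
&\overset{\mathrm{(a)}}{=} \Pr\left\{\Phi_{1,\mathbf{x}_1}^{(n)}(\mathbf{K}_1) = c_1^{m_1}, \Phi_{2,\mathbf{x}_2}^{(n)}(\mathbf{K}_2) = c_2^{m_2}\right\}.
\end{aligned} \tag{18}$$
Step (a) follows from $(\mathbf{K}_1, \mathbf{K}_2) \perp (\mathbf{X}_1, \mathbf{X}_2)$. Then, we have the following:
$$\begin{aligned}
\Delta^{(n)}(\mathbf{x}_1, \mathbf{x}_2) &= m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - H(C_{1,\mathbf{x}_1}^{m_1} C_{2,\mathbf{x}_2}^{m_2}) \\
&\overset{\mathrm{(a)}}{=} m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - H(\Phi_{1,\mathbf{x}_1}^{(n)}(\mathbf{K}_1) \Phi_{2,\mathbf{x}_2}^{(n)}(\mathbf{K}_2)) \\
&\overset{\mathrm{(b)}}{\geq} m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - H(\mathbf{K}_1\mathbf{K}_2) \\
&= m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - nH(K_1K_2).
\end{aligned} \tag{19}$$
Step (a) follows from (18). Step (b) follows from the data processing inequality. Hence from (19), we have
$$\Delta^{(n)} \geq m_1 \log |\mathcal{X}_1| + m_2 \log |\mathcal{X}_2| - nH(K_1K_2). \tag{20}$$
From (17) and (20), we have the bound (2) in Lemma 2.

REFERENCES
[1] B. Santoso and Y. Oohama, “Privacy amplification of distributed encrypted sources with correlated keys,” in . IEEE, 2017, pp. 958–962.
[2] B. Santoso and Y. Oohama, “Secrecy amplification of distributed encrypted sources with correlated keys using post-encryption-compression,”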
IEEE Trans. Information Forensics and Security, vol. 14, no. 11, pp. 3042–3056, November 2019.
[3] M. Johnson, P. Ishwar, V. Prabhakaran, D. Schonberg, and K. Ramchandran, “On compressing encrypted data,” IEEE Transactions on Signal Processing, vol. 52, no. 10, pp. 2992–3006, Oct 2004.
[4] D. Klinc, C. Hazay, A. Jagmohan, H. Krawczyk, and T. Rabin, “On compression of data encrypted with block ciphers,” IEEE Trans. Information Theory, vol. 58, no. 11, pp. 6989–7001, 2012. [Online]. Available: https://doi.org/10.1109/TIT.2012.2210752
[5] C. E. Shannon, “A mathematical theory of communication,” Bell System Technical Journal, vol. 27, pp. 379–423, 623–656, July, October 1948.
[6] H. Yamamoto, “Information theory in cryptology,” IEICE Transactions, vol. E.74, no. 9, pp. 2456–2464, September 1991.
[7] M. Iwamoto, K. Ohta, and J. Shikata, “Security formalizations and their relationships for encryption and key agreement in information-theoretic cryptography,” IEEE Trans. Inf. Theory, vol. 64, no. 1, pp. 654–685, 2018. [Online]. Available: https://doi.org/10.1109/TIT.2017.2744650
[8] Y. Oohama and T. S. Han, “Universal coding for the Slepian-Wolf data compression system and the strong converse theorem,”