On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel
arXiv preprint [cs.CR]
Wenwen Tu and Lifeng Lai
Abstract
The simulatability condition is a fundamental concept in studying key generation over a non-authenticated public channel, in which Eve is active and can intercept, modify and falsify messages exchanged over the non-authenticated public channel. Using this condition, Maurer and Wolf showed a remarkable "all or nothing" result: if the simulatability condition does not hold, the key capacity over the non-authenticated public channel will be the same as that of the case with a passive Eve, while the key capacity over the non-authenticated channel will be zero if the simulatability condition holds. However, two questions have remained open so far: 1) For a given joint probability mass function (PMF), are there efficient algorithms (polynomial complexity algorithms) for checking whether the simulatability condition holds or not? 2) If the simulatability condition holds, are there efficient algorithms for finding the corresponding attack strategy? In this paper, we answer these two open questions affirmatively. In particular, for a given joint PMF, we construct a linear programming (LP) problem and show that the simulatability condition holds if and only if the optimal value obtained from the constructed LP is zero. Furthermore, we construct another LP and show that the minimizer of the newly constructed LP is a valid attack strategy. Both LPs can be solved with a polynomial complexity.
Index Terms
Active adversary, computational complexity, Farkas' lemma, linear programming, non-authenticated channel, simulatability condition.
W. Tu and L. Lai are with the Department of Electrical and Computer Engineering, Worcester Polytechnic Institute, Worcester, MA. Email: {wtu, llai}@wpi.edu. The work of W. Tu and L. Lai was supported by the National Science Foundation CAREER Award under Grant CCF-1318980 and by the National Science Foundation under Grant CNS-1321223. July 9, 2018 (draft).

I. INTRODUCTION
The problem of secret key generation via public discussion under both source and channel models has attracted significant research interest [1]–[11]. Under the source model, users observe correlated sources generated from a certain joint probability mass function (PMF), and can discuss with each other via a noiseless public channel. Any discussion over the public channel will be overheard by Eve. Furthermore, the public channel can either be authenticated or non-authenticated. An authenticated public channel implies that Eve is a passive listener. On the other hand, a non-authenticated public channel implies that Eve is active and can intercept, modify or falsify any message exchanged through the public channel.

Clearly, the secret key rate that can be generated using the non-authenticated public channel is no larger than that which can be generated using the authenticated public channel. In [8]–[11], Maurer and Wolf introduced the concept of the simulatability condition (this condition will be defined precisely in the sequel) and established a remarkable "all or nothing" result. In particular, they showed that for secret key generation via a non-authenticated public channel with two legitimate terminals in the presence of an active adversary: 1) if the simulatability condition holds, the two legitimate terminals will not be able to establish a secret key, and hence the key capacity is 0; and 2) if the simulatability condition does not hold, the two legitimate terminals can establish a secret key and furthermore the key capacity will be the same as that of the case when Eve is passive. Intuitively speaking, if the simulatability condition holds, from its own source observations, Eve can generate fake messages that are indistinguishable from messages generated by the legitimate users. On the other hand, if the simulatability condition does not hold, the legitimate users will be able to detect modifications made by Eve.

It is clear that the simulatability condition is a fundamental concept for key generation via a non-authenticated public channel, and hence it is important to design efficient algorithms to check whether the simulatability condition holds or not. Using ideas from mechanical models, [10] made significant progress in designing efficient algorithms. In particular, [10] proposed to represent PMFs as mass constellations in a coordinate system, and showed that the simulatability condition holds if and only if one mass constellation can be transformed into another mass constellation using a finite number of basic mass operations. Furthermore, [10] introduced another notion of one mass constellation being "more centered" than another constellation and designed a low-complexity algorithm to check this "more centered" condition. For some important special cases, which will be described precisely in Section II, [10] showed that the "more centered" condition is necessary and sufficient for the mass constellation transformation problem (and hence is a necessary and sufficient condition for the simulatability condition in these special cases). However, in the general case, the "more centered" condition is a necessary but not sufficient condition for the mass constellation transformation problem. Hence, whether there exist efficient algorithms for the mass constellation transformation problem (and hence the simulatability condition) in the general case is still an open question.

As a result, despite the significant progress made in [10], the following two questions remain open regarding the simulatability condition for the general case:
1) For a given joint PMF, are there efficient algorithms (polynomial complexity algorithms) for checking whether the simulatability condition holds or not?
2) If the simulatability condition holds, are there efficient algorithms for finding the corresponding attack strategy of Eve?
In this paper, we answer these two open questions affirmatively.

To answer the first open question, we construct a linear programming (LP) problem and show that the simulatability condition holds if and only if the optimal value obtained from this LP is zero. We establish our result in three main steps. We first show that, after some basic transformations, checking whether the simulatability condition holds or not is equivalent to checking whether there exists a nonnegative solution to a specially constructed system of linear equations. We then use a basic result from linear algebra to show that whether there exists a nonnegative solution to the constructed system of linear equations is equivalent to whether there is a solution (not necessarily nonnegative) to a related system of inequalities or not. Finally, we use Farkas' lemma [12], a fundamental result in linear programming and other optimization problems, to show that whether the system of inequalities has a solution or not is equivalent to whether the optimal value of a specially constructed LP is zero or not.
Since there exist polynomial complexity algorithms for solving LP problems [13]–[15], we thus obtain a polynomial complexity algorithm for checking the simulatability condition for a general PMF.

To answer the second open question, we construct another LP and show that the minimizer of this LP is a valid attack strategy. The proposed approach is very flexible in the sense that one can simply modify the cost function of the constructed LP to obtain different attack strategies. Furthermore, the cost function can be modified to satisfy various design criteria. For example, a simple cost function can be constructed to minimize the amount of modification Eve needs to perform during the attack. All these optimization problems with different cost functions can be solved with a polynomial complexity.

The remainder of the paper is organized as follows. In Section II, we introduce some preliminaries and the problem setup. In Section III, we present our main results. In Section IV, we use numerical examples to illustrate the proposed algorithm. In Section V, we present an approach to further reduce the computational complexity. In Section VI, we offer our concluding remarks.

II. PRELIMINARIES AND PROBLEM SETUP
Let $\mathcal{X}=\{1,\cdots,|\mathcal{X}|\}$, $\mathcal{Y}=\{1,\cdots,|\mathcal{Y}|\}$ and $\mathcal{Z}=\{1,\cdots,|\mathcal{Z}|\}$ be three finite sets. Consider three correlated random variables $(X,Y,Z)$, taking values from $\mathcal{X}\times\mathcal{Y}\times\mathcal{Z}$, with joint PMF $P_{XYZ}$. The simulatability condition is defined as follows:

Definition 1. ([8]) For a given $P_{XYZ}$, we say $X$ is simulatable by $Z$ with respect to $Y$, denoted by $\mathrm{Sim}_Y(Z\to X)$, if there exists a conditional PMF $P_{\bar X|Z}$ such that $P_{Y\bar X}=P_{YX}$, with
$$P_{Y\bar X}(y,x)=\sum_{z\in\mathcal{Z}}P_{YZ}(y,z)\cdot P_{\bar X|Z}(x|z), \quad (1)$$
in which $P_{YX}$ and $P_{YZ}$ are the joint PMFs of $(Y,X)$ and $(Y,Z)$ under $P_{XYZ}$, respectively.
One can also define $\mathrm{Sim}_X(Z\to Y)$ in the same manner. This concept of simulatability, first defined in [8], is a fundamental concept in the problem of secret key generation over a non-authenticated public channel [9]–[11], in which two terminals Alice and Bob would like to establish a secret key in the presence of an adversary Eve. These three terminals observe sequences $X^N$, $Y^N$ and $Z^N$ generated according to
$$P_{X^NY^NZ^N}(x^N,y^N,z^N)=\prod_{i=1}^{N}P_{XYZ}(x_i,y_i,z_i). \quad (2)$$
Alice and Bob can discuss with each other via a public non-authenticated noiseless channel, which means that Eve not only has full access to the channel but can also interrupt, modify and falsify messages exchanged over this public channel. The largest key rate that Alice and Bob can generate in the presence of the active attacker is denoted by $S^*(X;Y\|Z)$. Let $S(X;Y\|Z)$ denote the largest key rate that Alice and Bob can generate when Eve is passive, i.e., when the public channel is authenticated (see [9]–[11] for precise definitions). Clearly, $S(X;Y\|Z)\ge S^*(X;Y\|Z)$. Although a full characterization of $S(X;Y\|Z)$ is unknown in general, [9] established the following remarkable "all or nothing" result:

Theorem 1. ([9]) If $\mathrm{Sim}_Y(Z\to X)$ or $\mathrm{Sim}_X(Z\to Y)$, then $S^*(X;Y\|Z)=0$. Otherwise, $S^*(X;Y\|Z)=S(X;Y\|Z)$.

This significant result implies that, if the simulatability condition does not hold, one can generate a key at the same rate as if Eve were passive. On the other hand, if the simulatability condition holds, the key rate will be zero. Intuitively speaking, if $\mathrm{Sim}_Y(Z\to X)$ holds, then after observing $Z^N$, Eve can generate $\bar X^N$ by passing $Z^N$ through a channel defined by $P_{\bar X|Z}$. Then $(\bar X^N,Y^N)$ has the same statistics as $(X^N,Y^N)$.
Hence, knowing only $Y^N$, Bob cannot distinguish $\bar X^N$ from $X^N$, and hence cannot distinguish Alice from Eve.

As mentioned in the introduction, [10] has made important progress in developing low-complexity algorithms for checking whether $\mathrm{Sim}_Y(Z\to X)$ (or $\mathrm{Sim}_X(Z\to Y)$) holds or not. In particular, [10] developed an efficient algorithm to check a related condition called the "more centered" condition. When $|\mathcal{Y}|=2$, that is, when $Y$ is a binary random variable, this "more centered" condition is shown to be necessary and sufficient for $\mathrm{Sim}_Y(Z\to X)$. Hence, [10] has found an efficient algorithm to check $\mathrm{Sim}_Y(Z\to X)$ for the special case of $Y$ being binary (the algorithm is also effective in checking $\mathrm{Sim}_X(Z\to Y)$ when $X$ is binary). However, when $Y$ is not binary, the "more centered" condition is only a necessary condition for $\mathrm{Sim}_Y(Z\to X)$. Hence, two questions remain open:
1) For a general given $P_{XYZ}$, are there efficient algorithms (polynomial complexity algorithms) for checking whether $\mathrm{Sim}_Y(Z\to X)$ (or $\mathrm{Sim}_X(Z\to Y)$) holds or not?
2) If $\mathrm{Sim}_Y(Z\to X)$ (or $\mathrm{Sim}_X(Z\to Y)$) holds, are there efficient algorithms for finding the corresponding $P_{\bar X|Z}$ (or $P_{\bar Y|Z}$)?
In this paper, we answer these two open questions affirmatively.

Notations:
Throughout this paper, we use boldface uppercase letters to denote matrices and boldface lowercase letters to denote vectors. We also use $\mathbf{1}$, $\mathbf{0}$ and $\mathbf{I}$, unless stated otherwise, to denote the all-ones column vector, the all-zeros column vector and the identity matrix, respectively. In addition, we denote the vectorization of a matrix by $\mathrm{Vec}(\cdot)$. Specifically, for an $m\times n$ matrix $\mathbf{A}$, $\mathrm{Vec}(\mathbf{A})$ is the $mn\times 1$ column vector obtained by stacking the columns of $\mathbf{A}$:
$$\mathrm{Vec}(\mathbf{A})=[a_{11},\cdots,a_{m1},\cdots,a_{1n},\cdots,a_{mn}]^T, \quad (3)$$
in which $[\cdot]^T$ is the transpose of the matrix. The inverse operation is $\mathbf{A}=\mathrm{Reshape}(\mathrm{Vec}(\mathbf{A}),[m,n])$. We use $\mathbf{A}\otimes\mathbf{B}$ to denote the Kronecker product of matrices $\mathbf{A}$ and $\mathbf{B}$. Specifically, assume $\mathbf{A}$ is an $m\times n$ matrix; then
$$\mathbf{A}\otimes\mathbf{B}=\begin{bmatrix}a_{11}\mathbf{B}&\cdots&a_{1n}\mathbf{B}\\ \vdots&\ddots&\vdots\\ a_{m1}\mathbf{B}&\cdots&a_{mn}\mathbf{B}\end{bmatrix}. \quad (4)$$
All matrices and vectors in this paper are real.

III. MAIN RESULTS
In this paper, we focus on $\mathrm{Sim}_Y(Z\to X)$. The developed algorithm can be easily modified to check $\mathrm{Sim}_X(Z\to Y)$. We rewrite (1) in the following matrix form
$$\mathbf{C}=\mathbf{A}\mathbf{Q}, \quad (5)$$
in which $\mathbf{C}=[c_{ij}]$ is a $|\mathcal{Y}|\times|\mathcal{X}|$ matrix with $c_{ij}=P_{YX}(i,j)$, $\mathbf{A}=[a_{ik}]$ is a $|\mathcal{Y}|\times|\mathcal{Z}|$ matrix with $a_{ik}=P_{YZ}(i,k)$, and $\mathbf{Q}=[q_{kj}]$ is a $|\mathcal{Z}|\times|\mathcal{X}|$ matrix with $q_{kj}=P_{\bar X|Z}(j|k)$ if such a $P_{\bar X|Z}$ exists.

Checking whether $\mathrm{Sim}_Y(Z\to X)$ holds or not is equivalent to checking whether there exists a transition matrix $\mathbf{Q}$ such that (5) holds. As $\mathbf{Q}$ is a transition matrix, its entries $q_{kj}$ must satisfy
$$q_{kj}\ge 0,\quad \forall k\in[1:|\mathcal{Z}|],\ j\in[1:|\mathcal{X}|], \quad (6)$$
$$\sum_{j=1}^{|\mathcal{X}|}q_{kj}=1,\quad \forall k\in[1:|\mathcal{Z}|]. \quad (7)$$
We note that if the $q_{kj}$ satisfy (6) and (7), they automatically satisfy $q_{kj}\le 1$. Hence, we do not need to state this requirement here.

If there exists at least one transition matrix $\mathbf{Q}$ satisfying (5), (6) and (7) simultaneously, we can conclude that the simulatability condition $\mathrm{Sim}_Y(Z\to X)$ holds. (7) can be written in the matrix form
$$\mathbf{1}_{|\mathcal{Z}|\times 1}=\mathbf{Q}\mathbf{1}_{|\mathcal{X}|\times 1}. \quad (8)$$
Then, (5) and (8) can be written in the following compact form:
$$\begin{bmatrix}\mathrm{Vec}(\mathbf{C}^T)\\ \mathbf{1}_{|\mathcal{Z}|\times 1}\end{bmatrix}=\begin{bmatrix}a_{11}\mathbf{I}&a_{12}\mathbf{I}&\cdots&a_{1|\mathcal{Z}|}\mathbf{I}\\ \vdots&\vdots&\ddots&\vdots\\ a_{|\mathcal{Y}|1}\mathbf{I}&a_{|\mathcal{Y}|2}\mathbf{I}&\cdots&a_{|\mathcal{Y}||\mathcal{Z}|}\mathbf{I}\\ \mathbf{1}&\mathbf{0}&\cdots&\mathbf{0}\\ \mathbf{0}&\mathbf{1}&\ddots&\vdots\\ \vdots&\ddots&\ddots&\mathbf{0}\\ \mathbf{0}&\cdots&\mathbf{0}&\mathbf{1}\end{bmatrix}\mathrm{Vec}(\mathbf{Q}^T)=\begin{bmatrix}\mathbf{A}\otimes\mathbf{I}\\ \mathbf{I}_{|\mathcal{Z}|}\otimes\mathbf{1}\end{bmatrix}\mathrm{Vec}(\mathbf{Q}^T), \quad (9)$$
in which the sizes of $\mathbf{I}$, $\mathbf{1}$ and $\mathbf{0}$ are $|\mathcal{X}|\times|\mathcal{X}|$, $1\times|\mathcal{X}|$ and $1\times|\mathcal{X}|$, respectively. (The first block follows from $\mathrm{Vec}(\mathbf{Q}^T\mathbf{A}^T)=(\mathbf{A}\otimes\mathbf{I})\mathrm{Vec}(\mathbf{Q}^T)$; the second block sums each row of $\mathbf{Q}$, since $\mathrm{Vec}(\mathbf{Q}^T)$ stacks the rows of $\mathbf{Q}$.) For notational convenience, we define
$$\mathbf{c}\triangleq\begin{bmatrix}\mathrm{Vec}(\mathbf{C}^T)\\ \mathbf{1}_{|\mathcal{Z}|\times 1}\end{bmatrix}, \quad (10)$$
$$\mathcal{A}\triangleq\begin{bmatrix}\mathbf{A}\otimes\mathbf{I}\\ \mathbf{I}_{|\mathcal{Z}|}\otimes\mathbf{1}\end{bmatrix}, \quad (11)$$
$$\mathbf{q}\triangleq\mathrm{Vec}(\mathbf{Q}^T). \quad (12)$$
From (9), it is clear that $\mathbf{c}$ is an $m\times 1$ vector, $\mathcal{A}$ is an $m\times n$ matrix, and $\mathbf{q}$ is an $n\times 1$ vector, in which
$$m=|\mathcal{Y}||\mathcal{X}|+|\mathcal{Z}|, \quad (13)$$
$$n=|\mathcal{Z}||\mathcal{X}|. \quad (14)$$
With this notation and combining (9) with (6), the original problem of checking whether $\mathrm{Sim}_Y(Z\to X)$ holds or not is equivalent to checking whether there exists a nonnegative solution $\mathbf{q}$ for the system
$$\mathcal{A}\mathbf{q}=\mathbf{c}. \quad (15)$$

In the following, we check whether there exists at least one nonnegative solution for the system defined by (15). There are two main steps: 1) whether the system is consistent or not; 2) if it is consistent, whether there exists a nonnegative solution or not. Checking the consistency of (15) is straightforward: a necessary and sufficient condition for a system of non-homogeneous linear equations to be consistent is
$$\mathrm{Rank}(\mathcal{A})=\mathrm{Rank}((\mathcal{A}|\mathbf{c})), \quad (16)$$
where $(\mathcal{A}|\mathbf{c})$ is the augmented matrix of $\mathcal{A}$. If (16) is not satisfied, it can be concluded that $\mathrm{Sim}_Y(Z\to X)$ does not hold. If (16) is satisfied, we need to further check whether there exists a nonnegative solution to (15) or not.

To proceed further, we will need the following definition of the generalized inverse (g-inverse) of a matrix $\mathbf{G}$.

Definition 2. ([16]) For a given $m\times n$ real matrix $\mathbf{G}$, an $n\times m$ real matrix $\mathbf{G}^g$ is called a g-inverse of $\mathbf{G}$ if $\mathbf{G}\mathbf{G}^g\mathbf{G}=\mathbf{G}$.

The g-inverse $\mathbf{G}^g$ is generally not unique (if $n=m$ and $\mathbf{G}$ is full rank, then $\mathbf{G}^g$ is unique and equal to the inverse matrix $\mathbf{G}^{-1}$). A particular choice of g-inverse is the Moore-Penrose pseudoinverse $\mathbf{G}^+$, which can be computed using several different approaches.
One approach is to use the singular value decomposition (SVD): for a given $\mathbf{G}$ with SVD
$$\mathbf{G}=\mathbf{U}\boldsymbol{\Sigma}\mathbf{V}^T, \quad (17)$$
$\mathbf{G}^+$ can be obtained as
$$\mathbf{G}^+=\mathbf{V}\boldsymbol{\Sigma}^+\mathbf{U}^T, \quad (18)$$
in which $\boldsymbol{\Sigma}^+$ is obtained by taking the reciprocal of each non-zero element on the diagonal of the diagonal matrix $\boldsymbol{\Sigma}$, leaving the zeros in place, and transposing the result. One can easily check that the Moore-Penrose pseudoinverse $\mathbf{G}^+$ obtained by SVD satisfies the g-inverse definition and hence is a valid g-inverse.

With the concept of g-inverse, we are ready to state our main result regarding the first open question.

Theorem 2. Let $\mathcal{A}^g$ be any given g-inverse of $\mathcal{A}$ (e.g., it can be chosen as the Moore-Penrose pseudoinverse $\mathcal{A}^+$), and let $h^*$ be obtained by the following LP:
$$h^*=\min_{\mathbf{t}}\ \mathbf{t}^T\mathcal{A}^g\mathbf{c},\quad \text{s.t. } \mathbf{t}\succeq\mathbf{0},\ (\mathbf{I}-\mathcal{A}^g\mathcal{A})^T\mathbf{t}=\mathbf{0}. \quad (19)$$
Then $\mathrm{Sim}_Y(Z\to X)$ holds if and only if $h^*=0$ and (16) holds.

Proof: If (16) does not hold, then there is no solution to (15), and hence $\mathrm{Sim}_Y(Z\to X)$ does not hold.

In the remainder of the proof, we assume that (16) holds. If (16) holds, the general solution to (15) can be written in the following form (see, e.g., Theorem 2a.(d) of [17])
$$\mathbf{q}=\mathcal{A}^g\mathbf{c}+(\mathcal{A}^g\mathcal{A}-\mathbf{I})\mathbf{p}, \quad (20)$$
in which $\mathcal{A}^g$ can be any given g-inverse of $\mathcal{A}$, and $\mathbf{p}$ is an arbitrary length-$n$ vector. As a result, the problem of whether there exists a nonnegative solution to (15) (i.e., $\mathbf{q}\succeq\mathbf{0}$) is equivalent to the problem of whether there exists a solution $\mathbf{p}$ for the following system
$$(\mathbf{I}-\mathcal{A}^g\mathcal{A})\mathbf{p}\preceq\mathcal{A}^g\mathbf{c}. \quad (21)$$
To check whether the system defined by (21) has a solution, we use Farkas' lemma, a fundamental lemma in linear programming and related areas of optimization. For completeness, we state the form of Farkas' lemma used in our proof in Appendix A. To use Farkas' lemma, we first write an LP related to the system defined in (21):
$$h^*=\min_{\mathbf{t}}\ \mathbf{t}^T\mathcal{A}^g\mathbf{c},\quad \text{s.t. } \mathbf{t}\succeq\mathbf{0},\ (\mathbf{I}-\mathcal{A}^g\mathcal{A})^T\mathbf{t}=\mathbf{0}.$$
The above LP is always feasible since $\mathbf{t}=\mathbf{0}$ satisfies the constraints, which gives $\mathbf{t}^T\mathcal{A}^g\mathbf{c}=0$. Hence the optimal value satisfies $h^*\le 0$. Moreover, the feasible set is a cone: if $\mathbf{t}$ is feasible then so is $\lambda\mathbf{t}$ for every $\lambda>0$, so $h^*$ is either $0$ or $-\infty$; in practice an LP solver therefore reports either an optimal value of zero or an unbounded problem. Using Farkas' lemma, we have that (21) has a solution if and only if $h^*=0$. More specifically, if $h^*=0$, then there exists at least one solution $\mathbf{p}$ for (21), which further implies that there is a nonnegative solution to (15), and hence $\mathrm{Sim}_Y(Z\to X)$ holds. On the other hand, if $h^*<0$, then there is no solution $\mathbf{p}$ for (21), which further implies that there is no nonnegative solution to (15), and hence $\mathrm{Sim}_Y(Z\to X)$ does not hold.

As mentioned above, if $\mathrm{Rank}(\mathcal{A})=m=n$ holds, then $\mathcal{A}^g=\mathcal{A}^{-1}$ is unique. In other cases, $\mathcal{A}^g$ might not be unique. One may wonder whether different choices of $\mathcal{A}^g$ will affect the result in Theorem 2 or not. The following proposition answers this question.

Proposition 1.
Different choices of $\mathcal{A}^g$ will not affect the result on whether $h^*$ equals $0$ or not.

Proof: Let $\mathcal{A}^g_1$ and $\mathcal{A}^g_2$ be two different g-inverses of $\mathcal{A}$, and let $h^*_1$ and $h^*_2$ be the values obtained using $\mathcal{A}^g_1$ and $\mathcal{A}^g_2$ in (19), respectively. It suffices to show that if $h^*_1=0$, then $h^*_2=0$. Assuming that $h^*_1=0$, there exists a vector $\mathbf{p}_1$ satisfying $(\mathbf{I}-\mathcal{A}^g_1\mathcal{A})\mathbf{p}_1\preceq\mathcal{A}^g_1\mathbf{c}$; we will show that there exists a vector $\mathbf{p}_2$ satisfying $(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_2\preceq\mathcal{A}^g_2\mathbf{c}$, which then implies $h^*_2=0$.

First, we know that $\mathcal{A}^g_1\mathbf{c}$ and $\mathcal{A}^g_2\mathbf{c}$ are two solutions to the system $\mathcal{A}\mathbf{q}=\mathbf{c}$, which can be easily verified by setting $\mathcal{A}^g$ to $\mathcal{A}^g_1$ and $\mathcal{A}^g_2$ in (20) respectively and setting $\mathbf{p}=\mathbf{0}$. This implies that
$$\mathcal{A}(\mathcal{A}^g_2\mathbf{c}-\mathcal{A}^g_1\mathbf{c})=\mathbf{0}, \quad (22)$$
and hence $\mathcal{A}^g_2\mathbf{c}-\mathcal{A}^g_1\mathbf{c}$ is a solution to the system $\mathcal{A}\mathbf{q}=\mathbf{0}$.

Second, we know that any solution to the system $\mathcal{A}\mathbf{q}=\mathbf{0}$ can be written in the form $(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}$ [17]. As $\mathcal{A}^g_2\mathbf{c}-\mathcal{A}^g_1\mathbf{c}$ is a solution to the system $\mathcal{A}\mathbf{q}=\mathbf{0}$, there must exist a $\mathbf{p}_3$ such that
$$(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_3=\mathcal{A}^g_2\mathbf{c}-\mathcal{A}^g_1\mathbf{c}. \quad (23)$$
In addition, it is easy to check that $(\mathbf{I}-\mathcal{A}^g_1\mathcal{A})\mathbf{p}_1+(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_3$ is also a solution to the system $\mathcal{A}\mathbf{q}=\mathbf{0}$. Thus, there exists a $\mathbf{p}_2$ such that
$$(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_2=(\mathbf{I}-\mathcal{A}^g_1\mathcal{A})\mathbf{p}_1+(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_3. \quad (24)$$
Plugging (23) into (24), we have
$$(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_2=(\mathbf{I}-\mathcal{A}^g_1\mathcal{A})\mathbf{p}_1+\mathcal{A}^g_2\mathbf{c}-\mathcal{A}^g_1\mathbf{c} \quad (25)$$
$$\preceq\mathcal{A}^g_2\mathbf{c}, \quad (26)$$
in which the last inequality comes from the assumption that $(\mathbf{I}-\mathcal{A}^g_1\mathcal{A})\mathbf{p}_1\preceq\mathcal{A}^g_1\mathbf{c}$. Hence, we have found a $\mathbf{p}_2$ such that $(\mathbf{I}-\mathcal{A}^g_2\mathcal{A})\mathbf{p}_2\preceq\mathcal{A}^g_2\mathbf{c}$. This implies that $h^*_2=0$.

Remark 1.
The proposed algorithm for checking whether $\mathrm{Sim}_Y(Z\to X)$ holds or not has a polynomial complexity. Among all operations required, computing the g-inverse and solving the LP defined by (19) require the most computation. The complexity to obtain $\mathcal{A}^g$ is of order $O(n^3)$ [18]. Furthermore, there exist polynomial complexity algorithms to solve the LP defined by (19). For example, [14] provided an algorithm to solve an LP using $O(n^3L)$ operations, where $L$ is the number of binary bits needed to store the input data of the problem (one can refer to Chapter 8 in [15] for more details about the complexity of algorithms for solving LPs). Hence, the total number of operations of our algorithm for checking $\mathrm{Sim}_Y(Z\to X)$ is of order $O(n^3L)$. In addition, we note that we can terminate the LP algorithm early once it finds a feasible $\mathbf{t}$ such that $\mathbf{t}^T\mathcal{A}^g\mathbf{c}<0$, as this indicates that $h^*<0$. This can potentially further reduce the computational complexity.

Thus, we can conclude that the proposed algorithm can check whether $\mathrm{Sim}_Y(Z\to X)$ holds or not with a polynomial complexity. Algorithm 1 summarizes the main steps involved in our algorithm. In the algorithm, we use $\mathrm{Res}=0$ to denote that $\mathrm{Sim}_Y(Z\to X)$ does not hold and $\mathrm{Res}=1$ to denote that $\mathrm{Sim}_Y(Z\to X)$ holds.

Algorithm 1 Checking $\mathrm{Sim}_Y(Z\to X)$
Input: PMF $P_{XYZ}$;
Initiate:
a. Calculate matrices $\mathbf{A}$ and $\mathbf{C}$;
b. Construct $\mathbf{c}$ and $\mathcal{A}$ using (10) and (11), respectively;
c. Set $\mathrm{Res}=0$;
if $\mathrm{Rank}(\mathcal{A})\ne\mathrm{Rank}((\mathcal{A}|\mathbf{c}))$ then
  break;
else
  d. Find a g-inverse $\mathcal{A}^g$, and calculate $\mathcal{A}^g\mathbf{c}$ and $\mathbf{I}-\mathcal{A}^g\mathcal{A}$;
  e. Solve LP (19) and obtain $h^*$;
  if $h^*==0$ then $\mathrm{Res}=1$; else break; end if
end if
Output: $\mathrm{Res}$.

In the following, we provide our answer to the second open question, i.e., if $\mathrm{Sim}_Y(Z\to X)$ holds, how to find $P_{\bar X|Z}$ efficiently.

Theorem 3. Let $\mathbf{e}$ be any $n\times 1$ vector with $\mathbf{e}\succ\mathbf{0}$, and let $\mathbf{q}^*$ be obtained from the following LP:
$$\min_{\mathbf{q}}\ f(\mathbf{q})=\mathbf{e}^T\mathbf{q},\quad \text{s.t. } \mathbf{q}\succeq\mathbf{0},\ \mathcal{A}\mathbf{q}=\mathbf{c}. \quad (27)$$
If $\mathrm{Sim}_Y(Z\to X)$ holds, then $\mathbf{Q}^*=\mathrm{Reshape}(\mathbf{q}^*,[|\mathcal{X}|,|\mathcal{Z}|])^T$ is a valid choice for $P_{\bar X|Z}$.

Proof: By assumption, $\mathrm{Sim}_Y(Z\to X)$ holds, which implies that the system defined by (15) is consistent and has nonnegative solutions. Hence, the following LP is feasible:
$$\min_{\mathbf{q}}\ f(\mathbf{q})=\mathbf{e}^T\mathbf{q},\quad \text{s.t. } \mathbf{q}\succeq\mathbf{0},\ \mathcal{A}\mathbf{q}=\mathbf{c}, \quad (28)$$
where $\mathbf{e}\succ\mathbf{0}$. It is also bounded, since the row-sum rows of (15) together with $\mathbf{q}\succeq\mathbf{0}$ confine every entry of $\mathbf{q}$ to $[0,1]$, so a minimizer exists. Hence, the minimizer $\mathbf{q}^*$ is nonnegative and satisfies $\mathcal{A}\mathbf{q}^*=\mathbf{c}$. We can then reshape $\mathbf{q}^*$ into the matrix $\mathbf{Q}^*$ (see (12)). $\mathbf{Q}^*$ is a valid choice for $P_{\bar X|Z}$.

Remark 2. Since finding a suitable $P_{\bar X|Z}$ using our approach is equivalent to solving an LP, the complexity is of polynomial order.

Remark 3. For a given distribution $P_{XYZ}$, there may be more than one possible $P_{\bar X|Z}$ such that (1) holds. Different choices of $\mathbf{e}$ in (27) give different values for $P_{\bar X|Z}$.

Remark 4. The objective function $f(\mathbf{q})$ can be further modified to satisfy various design criteria of Eve. For example, let $\tilde{\mathbf{q}}=\mathrm{Vec}(\tilde{\mathbf{Q}}^T)$ with $\tilde{\mathbf{Q}}=[\tilde q_{kj}]$ and $\tilde q_{kj}=P_{X|Z}(j|k)$; then setting $f(\mathbf{q})=\|\mathbf{q}-\tilde{\mathbf{q}}\|_2^2$ will minimize the amount of change in the conditional PMF in the $\ell_2$ norm sense. This is a quadratic program, which can still be solved efficiently.

IV. NUMERICAL EXAMPLES
In this section, we provide several examples to illustrate the proposed algorithm. We also usesome of the examples used in [10] to compare our proposed algorithm with the method in [10].
Example 1:
Let $P_{XYZ}$ with ranges $\mathcal{X}=\{x_1,x_2\}$, $\mathcal{Y}=\{y_1,y_2\}$ and $\mathcal{Z}=\{z_1,z_2,z_3\}$ be:
$$\begin{aligned}
P_{XYZ}(x_1,y_1,z_1)&=6/100, & P_{XYZ}(x_2,y_1,z_1)&=4/100,\\
P_{XYZ}(x_1,y_1,z_2)&=9/100, & P_{XYZ}(x_2,y_1,z_2)&=6/100,\\
P_{XYZ}(x_1,y_1,z_3)&=15/100, & P_{XYZ}(x_2,y_1,z_3)&=10/100,\\
P_{XYZ}(x_1,y_2,z_1)&=36/100, & P_{XYZ}(x_2,y_2,z_1)&=4/100,\\
P_{XYZ}(x_1,y_2,z_2)&=9/100, & P_{XYZ}(x_2,y_2,z_2)&=1/100,\\
P_{XYZ}(x_1,y_2,z_3)&=0, & P_{XYZ}(x_2,y_2,z_3)&=0.
\end{aligned}$$
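The steps of this example can be run end to end with the following Python script, an added example that is not part of the paper or the authors' code. It builds the stacked system $\mathcal{A}\mathbf{q}=\mathbf{c}$ of (9)–(15) from a joint PMF and, instead of the g-inverse and LP (19), decides the same question (does (15) have a nonnegative solution?) with a phase-one simplex over exact rationals; phase two then minimizes $\mathbf{e}^T\mathbf{q}$ as in LP (27). The PMF above is embedded with $x$ varying fastest in the listing, which is an assumption of this script, and the erasure channel of Example 4 is included with the $(1-\alpha,\alpha)$ entries normalized by $1/2$. The function names `stacked_system`, `simplex`, `is_simulatable`, `simulating_channel` and `erasure_example` are chosen here.

```python
# Added example (not the authors' code): exact simulatability check via LP feasibility.
from fractions import Fraction as F
from itertools import product


def stacked_system(pmf, nx, ny, nz):
    """Build (A_s, c) of (9)-(15): rows 1..ny*nx encode Vec(C^T) = (A kron I) q, the last
    nz rows encode the row sums of Q. pmf maps 1-based (x, y, z) to a probability;
    q = Vec(Q^T), so q[(k-1)*nx + (j-1)] = Q[k][j] = P_{Xbar|Z}(j|k)."""
    n = nx * nz
    rows, rhs = [], []
    for i in range(1, ny + 1):
        for j in range(1, nx + 1):
            row = [F(0)] * n
            for k in range(1, nz + 1):      # a_ik = P_YZ(i, k) multiplies q_kj
                row[(k - 1) * nx + (j - 1)] = sum(F(pmf.get((x, i, k), 0)) for x in range(1, nx + 1))
            rows.append(row)
            rhs.append(sum(F(pmf.get((j, i, z), 0)) for z in range(1, nz + 1)))  # c_ij = P_YX(i, j)
    for k in range(1, nz + 1):              # (8): each row of Q sums to one
        row = [F(0)] * n
        row[(k - 1) * nx:k * nx] = [F(1)] * nx
        rows.append(row)
        rhs.append(F(1))
    return rows, rhs


def simplex(rows, rhs, cost):
    """Two-phase tableau simplex with Bland's rule over Fractions: minimise cost.x subject
    to rows*x = rhs, x >= 0 (rhs must be >= 0). Returns None when the system is infeasible."""
    m, n = len(rows), len(rows[0])
    T = [list(rows[i]) + [F(int(i == j)) for j in range(m)] + [F(rhs[i])] for i in range(m)]
    basis = list(range(n, n + m))           # artificial variables form the initial basis

    def pivot(r, c):
        pv = T[r][c]
        T[r] = [v / pv for v in T[r]]
        for i in range(m):
            if i != r and T[i][c] != 0:
                f = T[i][c]
                T[i] = [a - f * b for a, b in zip(T[i], T[r])]
        basis[r] = c

    def optimise(obj, cols):
        while True:                         # Bland: first column with negative reduced cost
            enter = next((j for j in cols if j not in basis
                          and obj[j] - sum(obj[basis[i]] * T[i][j] for i in range(m)) < 0), None)
            if enter is None:
                return
            leave, best = None, None        # ratio test; ties broken by smallest basic index
            for i in range(m):
                if T[i][enter] > 0:
                    ratio = T[i][-1] / T[i][enter]
                    if leave is None or ratio < best or (ratio == best and basis[i] < basis[leave]):
                        leave, best = i, ratio
            if leave is None:
                raise ValueError("unbounded LP")
            pivot(leave, enter)

    optimise([F(0)] * n + [F(1)] * m, range(n + m))     # phase one: minimise the artificials
    if sum(T[i][-1] for i in range(m) if basis[i] >= n) != 0:
        return None                                     # no nonnegative solution exists
    for i in range(m):                                  # drive zero-level artificials out
        if basis[i] >= n:
            for j in range(n):
                if T[i][j] != 0:
                    pivot(i, j)
                    break
    optimise([F(c) for c in cost] + [F(0)] * m, range(n))   # phase two: the real objective
    x = [F(0)] * n
    for i in range(m):
        if basis[i] < n:
            x[basis[i]] = T[i][-1]
    return x


def is_simulatable(pmf, nx, ny, nz):
    """Sim_Y(Z -> X) holds iff A_s q = c has a nonnegative solution (Theorem 2)."""
    rows, rhs = stacked_system(pmf, nx, ny, nz)
    return simplex(rows, rhs, [0] * (nx * nz)) is not None


def simulating_channel(pmf, nx, ny, nz, e=None):
    """LP (27): Q* = argmin e.q over the same feasible set, returned as an nz x nx matrix."""
    rows, rhs = stacked_system(pmf, nx, ny, nz)
    q = simplex(rows, rhs, e or [1] * (nx * nz))
    return None if q is None else [q[k * nx:(k + 1) * nx] for k in range(nz)]


# Example 1 of the paper, in hundredths; the index assignment (x fastest) is assumed here.
EX1 = {(1, 1, 1): F(6, 100), (2, 1, 1): F(4, 100), (1, 1, 2): F(9, 100), (2, 1, 2): F(6, 100),
       (1, 1, 3): F(15, 100), (2, 1, 3): F(10, 100), (1, 2, 1): F(36, 100), (2, 2, 1): F(4, 100),
       (1, 2, 2): F(9, 100), (2, 2, 2): F(1, 100)}


def erasure_example(alpha, gamma):
    """Example 4: binary X, Y with P(X != Y) = alpha; Z = (X, Y) w.p. gamma, erased (z = 5) otherwise."""
    alpha, gamma, pmf = F(alpha), F(gamma), {}
    for x, y in product((1, 2), repeat=2):
        pxy = (1 - alpha) / 2 if x == y else alpha / 2    # normalised form of the paper's P_XY
        pmf[(x, y, 2 * (y - 1) + x)] = pxy * gamma        # z in {1..4} encodes the pair (x, y)
        pmf[(x, y, 5)] = pxy * (1 - gamma)
    return pmf


if __name__ == "__main__":
    print("Example 1 simulatable:", is_simulatable(EX1, 2, 2, 3))
    print("Q* for e = [1,2,1,1,1,1]:", simulating_channel(EX1, 2, 2, 3, e=[1, 2, 1, 1, 1, 1]))
    for gamma in (F(1, 2), F(49, 100)):                   # threshold gamma >= 1 - 2*alpha = 1/2
        print("alpha=1/4, gamma=%s:" % gamma, is_simulatable(erasure_example(F(1, 4), gamma), 2, 2, 5))
```

Because the arithmetic is rational, boundary cases such as $\alpha=1/4$, $\gamma=1/2$ in Example 4 are decided exactly, which a floating-point LP solver can only do with a tolerance; the same feasibility routine also exposes the fact noted after Theorem 2 that the decision does not depend on which g-inverse one picks, since no g-inverse is needed at all.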
To use our algorithm, we have the following steps:

Step 1: Compute $P_{YZ}$ and $P_{YX}$, and write them in the matrix form $\mathbf{A}$ and $\mathbf{C}$:
$$\mathbf{A}=\begin{bmatrix}0.10&0.15&0.25\\ 0.40&0.10&0\end{bmatrix},\qquad \mathbf{C}=\begin{bmatrix}0.30&0.20\\ 0.45&0.05\end{bmatrix}. \quad (29)$$

Step 2: Construct $\mathcal{A}$ and $\mathbf{c}$ using (10) and (11), respectively:
$$\mathcal{A}=\begin{bmatrix}0.10&0&0.15&0&0.25&0\\ 0&0.10&0&0.15&0&0.25\\ 0.40&0&0.10&0&0&0\\ 0&0.40&0&0.10&0&0\\ 1&1&0&0&0&0\\ 0&0&1&1&0&0\\ 0&0&0&0&1&1\end{bmatrix}, \quad (30)$$
$$\mathbf{c}=[0.30,\,0.20,\,0.45,\,0.05,\,1,\,1,\,1]^T. \quad (31)$$

Step 3: Check the ranks of $\mathcal{A}$ and $(\mathcal{A}|\mathbf{c})$. We get
$$\mathrm{Rank}(\mathcal{A})=\mathrm{Rank}((\mathcal{A}|\mathbf{c}))=5. \quad (32)$$

Step 4: Choose the g-inverse to be the Moore-Penrose pseudoinverse $\mathcal{A}^+$ and calculate $\mathcal{A}^+\mathbf{c}$ and $\mathbf{I}-\mathcal{A}^+\mathcal{A}$, a $6\times 1$ vector and a $6\times 6$ matrix given in (33) and (34) (their numerical entries are not legible in this copy).

Step 5: Solve LP (19). Using the above data, we obtain $h^*=0$, which implies that $\mathrm{Sim}_Y(Z\to X)$ holds.

Step 6: Obtain a possible $P_{\bar X|Z}$. We construct the LP defined in (27) with $\mathbf{e}=[2,\cdot,\cdot,\cdot,\cdot,\cdot]^T$ (the remaining entries are not legible in this copy) and get $\mathbf{q}^*=[1,\,0,\,1/2,\,1/2,\,1/2,\,1/2]^T$. Thus the simulatability channel is
$$P_{\bar X|Z}=\begin{bmatrix}1&0\\ 1/2&1/2\\ 1/2&1/2\end{bmatrix}, \quad (35)$$
which is consistent with the result obtained from the criterion proposed in [10]. If we set $\mathbf{e}=[1,1,1,1,1,1]^T$, we get a different $\mathbf{q}^*$ (its entries are not legible in this copy), which gives another valid choice of $P_{\bar X|Z}$ (36).

Example 2:
In this example, we consider a case in which $Y$ is not binary. To represent the joint PMF concisely, we follow the same approach as in [10] and use
$$M_{UV}=\big(P_U(u),\,(P_{V|U=u}(v_1),\cdots,P_{V|U=u}(v_{|\mathcal{V}|-1}))\big)_{u\in\mathcal{U}}$$
to represent the joint PMF $P_{UV}$. For this example, we set $M_{ZY}$ and $M_{XY}$ as in (37) (the numerical entries, several of which involve square roots, are not legible in this copy).

In step 1, we write $P_{YZ}$ and $P_{YX}$ in the matrix form $\mathbf{A}$ and $\mathbf{C}$ (entries not legible in this copy). To make the paper concise, we do not list the values of $\mathcal{A}$, $\mathbf{c}$ and the following steps in detail. Steps 2, 3 and 4 are similar to those in Example 1. But in Step 5, we obtain $h^*<0$, which indicates that $\mathrm{Sim}_Y(Z\to X)$ does not hold. This result is also consistent with the conclusion in [10], which is obtained by an analysis that exploits the special mass constellation structure of the data. We note that the mechanical-model-based "more centered" criterion in [10] does not work for this example, as $Y$ is no longer binary, although the mass constellation representation of PMFs can still be used to exploit the special structure that this set of data has.

Next, we provide an example for which the mass constellation representation does not work while our algorithm can easily obtain the answer.

Example 3:
In this example, we consider $X,Y,Z$ with larger dimensions; in particular, we set $|\mathcal{X}|=4$, $|\mathcal{Y}|=4$ and $|\mathcal{Z}|=6$. Again, to represent the joint PMF concisely, we use the same method as in Example 2 to represent $P_{XYZ}$. For this example, we randomly set $M_{ZY}$ and $M_{XY}$ (the numerical entries are not legible in this copy).

We denote the above PMF by the two matrices $\mathbf{A}$ (of size $4\times 6$) and $\mathbf{C}$ (of size $4\times 4$) in (38). Following the same steps as in Example 1, we obtain $h^*=0$, which means $\mathrm{Sim}_Y(Z\to X)$ holds. Furthermore, by setting $\mathbf{e}=\mathbf{1}_{24\times 1}$ in (27) (here $n=|\mathcal{Z}||\mathcal{X}|=24$), we obtain one possible $P_{\bar X|Z}$, denoted by the $6\times 4$ matrix $\mathbf{Q}^*$ in (39). One can easily check that $\mathbf{A}\mathbf{Q}^*=\mathbf{C}$ holds. We note that, because of the lack of special data structure and the high dimensions, it is difficult to use the mass constellation structure of [10] to check whether $\mathrm{Sim}_Y(Z\to X)$ holds or not in this example.

Example 4:
In this example, we consider the following PMF $P_{XY}$ on binary $X$ and $Y$:
$$P_{XY}(x,y)=\begin{cases}1-\alpha, & \text{if } x=y;\\ \alpha, & \text{if } x\ne y,\end{cases}$$
and $Z$ is generated from $[X,Y]$ via an erasure channel with erasure probability $1-\gamma$, i.e., $Z=(X,Y)$ with probability $\gamma$ and $Z=\phi$ with probability $1-\gamma$. (The entries of $P_{XY}$ are written unnormalized, as in the matrices below; scaling $\mathbf{C}$ and $\mathbf{A}$ by the same positive constant does not change whether (5) has a transition-matrix solution.) It was shown in [10] that $\mathrm{Sim}_Y(Z\to X)$ and $\mathrm{Sim}_X(Z\to Y)$ hold if and only if $\gamma\ge 1-2\alpha$ (for $\alpha\le 1/2$; by the symmetry $\alpha\leftrightarrow 1-\alpha$ the threshold is $1-2\min(\alpha,1-\alpha)$ in general). In the following, we use our algorithm to verify this result.

As above, in step 1, we compute $P_{YZ}$ and write $P_{YZ}$ and $P_{YX}$ in matrix form $\mathbf{A}$ and $\mathbf{C}$, ordering $\mathcal{Z}$ as $\{(x_1,y_1),(x_2,y_1),(x_1,y_2),(x_2,y_2),\phi\}$:
$$\mathbf{A}=\begin{bmatrix}(1-\alpha)\gamma&\alpha\gamma&0&0&1-\gamma\\ 0&0&\alpha\gamma&(1-\alpha)\gamma&1-\gamma\end{bmatrix},\qquad \mathbf{C}=\begin{bmatrix}1-\alpha&\alpha\\ \alpha&1-\alpha\end{bmatrix}.$$
In step 2, we calculate the matrices $\mathcal{A}$ and $\mathbf{c}$:
$$\mathcal{A}=\begin{bmatrix}(1-\alpha)\gamma&0&\alpha\gamma&0&0&0&0&0&1-\gamma&0\\ 0&(1-\alpha)\gamma&0&\alpha\gamma&0&0&0&0&0&1-\gamma\\ 0&0&0&0&\alpha\gamma&0&(1-\alpha)\gamma&0&1-\gamma&0\\ 0&0&0&0&0&\alpha\gamma&0&(1-\alpha)\gamma&0&1-\gamma\\ 1&1&0&0&0&0&0&0&0&0\\ 0&0&1&1&0&0&0&0&0&0\\ 0&0&0&0&1&1&0&0&0&0\\ 0&0&0&0&0&0&1&1&0&0\\ 0&0&0&0&0&0&0&0&1&1\end{bmatrix},$$
$$\mathbf{c}=[1-\alpha,\,\alpha,\,\alpha,\,1-\alpha,\,1,\,1,\,1,\,1,\,1]^T.$$
The following steps are similar to those in Examples 1 and 2. Using our algorithm, we find that, for any given values of $\alpha$ and $\gamma$, as long as $\gamma\ge 1-2\alpha$, $h^*=0$ and the simulatability condition holds. We can also obtain a possible simulatability channel $P_{\bar X|Z}$ that Eve may use, following the same steps as in Example 1. On the other hand, if $\gamma<1-2\alpha$, we obtain $h^*<0$, and hence the simulatability condition does not hold.

V. COMPLEXITY REDUCTION
In Proposition 1, we showed that different choices of $\mathcal{A}^g$ do not affect whether $h^*$ equals zero or not. However, different choices of $\mathcal{A}^g$ may affect the amount of computation needed. The primal-dual path-following method is one of the best methods for solving an LP of the following form [15]:
$$\min_{\mathbf{t}}\ \mathbf{t}^T\mathbf{b}\quad \text{s.t. } \mathbf{t}\succeq\mathbf{0},\ \mathbf{B}\mathbf{t}=\mathbf{d},$$
in which $\mathbf{B}$ is a matrix of size $m\times n$. The complexity is related to the size of $\mathbf{B}$: the bound given in [19], [20] is polynomial in $m$, $n$ and $L$ and grows with the number of rows $m$ (the exact expression is not legible in this copy). In LP (19) constructed in the proof of Theorem 2, $\mathbf{B}=(\mathbf{I}-\mathcal{A}^g\mathcal{A})^T$, which is an $n\times n$ matrix, and hence the complexity is $O(n^3L)$ as mentioned in Section III.

In the following, we show that if we choose the g-inverse of $\mathcal{A}$ to be $\mathcal{A}^+$, the Moore-Penrose inverse, the problem size can be reduced by some further transformations. Let the SVD of $\mathcal{A}$ be $\mathbf{U}\boldsymbol{\Sigma}\mathbf{V}^T$. Then $\mathcal{A}^+=\mathbf{V}\boldsymbol{\Sigma}^+\mathbf{U}^T$. Suppose $\mathrm{rank}(\boldsymbol{\Sigma}_{m\times n})=r$ and set $s=n-r$. We have
$$\mathcal{A}^+\mathcal{A}=\mathbf{V}\boldsymbol{\Sigma}^+\mathbf{U}^T\mathbf{U}\boldsymbol{\Sigma}\mathbf{V}^T=\mathbf{V}\begin{bmatrix}\mathbf{I}_r&\mathbf{0}_{r\times s}\\ \mathbf{0}_{s\times r}&\mathbf{0}_{s\times s}\end{bmatrix}\mathbf{V}^T. \quad (40)$$
As discussed in the proof of Theorem 2, checking whether $\mathrm{Sim}_Y(Z\to X)$ holds or not is equivalent to checking whether
$$(\mathbf{I}-\mathcal{A}^+\mathcal{A})\mathbf{p}\preceq\mathcal{A}^+\mathbf{c} \quad (41)$$
has a solution or not. We now perform some transformations on (41). First we have
$$\mathbf{I}-\mathcal{A}^+\mathcal{A}=\mathbf{V}\begin{bmatrix}\mathbf{I}_r&\mathbf{0}_{r\times s}\\ \mathbf{0}_{s\times r}&\mathbf{I}_s\end{bmatrix}\mathbf{V}^T-\mathbf{V}\begin{bmatrix}\mathbf{I}_r&\mathbf{0}_{r\times s}\\ \mathbf{0}_{s\times r}&\mathbf{0}_{s\times s}\end{bmatrix}\mathbf{V}^T=\mathbf{V}\begin{bmatrix}\mathbf{0}_{r\times r}&\mathbf{0}_{r\times s}\\ \mathbf{0}_{s\times r}&\mathbf{I}_s\end{bmatrix}\mathbf{V}^T. \quad (42)$$
Hence, (41) is equivalent to
$$\mathbf{V}\begin{bmatrix}\mathbf{0}_{r\times r}&\mathbf{0}_{r\times s}\\ \mathbf{0}_{s\times r}&\mathbf{I}_s\end{bmatrix}\mathbf{V}^T\mathbf{p}\preceq\mathcal{A}^+\mathbf{c}. \quad (43)$$
$\mathbf{V}$ can be split into four blocks as
$$\mathbf{V}=\begin{bmatrix}\mathbf{V}_{r\times r}&\mathbf{V}_{r\times s}\\ \mathbf{V}_{s\times r}&\mathbf{V}_{s\times s}\end{bmatrix}. \quad (44)$$
We use $\mathbf{w}$ to denote the $n\times 1$ column vector $\mathbf{V}^T\mathbf{p}$, i.e.,
$$\mathbf{w}=\mathbf{V}^T\mathbf{p}. \quad (45)$$
Note that $\mathbf{p}\leftrightarrow\mathbf{w}$ is a reversible bijection, since $\mathbf{V}^T$ is a full-rank matrix. Then (43) is equivalent to
$$\begin{bmatrix}\mathbf{0}_{r\times r}&\mathbf{V}_{r\times s}\\ \mathbf{0}_{s\times r}&\mathbf{V}_{s\times s}\end{bmatrix}\begin{bmatrix}\mathbf{w}_{r\times 1}\\ \mathbf{w}_{s\times 1}\end{bmatrix}\preceq\mathcal{A}^+\mathbf{c}, \quad (46)$$
which is equivalent to
$$\begin{bmatrix}\mathbf{V}_{r\times s}\\ \mathbf{V}_{s\times s}\end{bmatrix}\mathbf{w}_{s\times 1}\preceq\mathcal{A}^+\mathbf{c}. \quad (47)$$
Hence, checking whether (41) has a solution or not is equivalent to checking whether (47) has a solution or not. To check whether (47) has a solution or not, we can construct a new LP for (47) in the same way as in the proof of Theorem 2. However, the size of the newly constructed LP will be smaller than that of (19) constructed in the proof of Theorem 2: its equality constraint matrix is the $s\times n$ matrix $[\mathbf{V}_{r\times s};\mathbf{V}_{s\times s}]^T$ instead of the $n\times n$ matrix $(\mathbf{I}-\mathcal{A}^g\mathcal{A})^T$, so the complexity bound is the one above with $m$ replaced by $s$. Since $s$ is always less than or equal to $n$ (sometimes $s$ can be much less than $n$) and $L$ does not change, the computational complexity of this new LP is reduced compared with LP (19).

VI. CONCLUSION
In this paper, we have proposed an efficient algorithm to check the simulatability condition, an important condition in the problem of secret key generation using a non-authenticated public channel. We have also proposed a simple and flexible method to calculate a possible simulatability channel if the simulatability condition holds. The proposed algorithms have polynomial complexities. We have presented numerical examples to show the efficiency of the proposed algorithms. Finally, we have proposed an approach to further reduce the computational complexity.

APPENDIX A
FARKAS' LEMMA
There are several equivalent forms of the Farkas’ lemma [12]. Here, we state a form that willbe used in our proof.
Lemma 1. (Farkas' Lemma [12]) Let $\mathbf{B}$ be a matrix and $\mathbf{b}$ a vector. Then the system specified by $\mathbf{B}\mathbf{p}\preceq\mathbf{b}$ has a solution $\mathbf{p}$ if and only if $\mathbf{t}^T\mathbf{b}\ge 0$ for each column vector $\mathbf{t}\succeq\mathbf{0}$ with $\mathbf{B}^T\mathbf{t}=\mathbf{0}$.

REFERENCES

[1] U. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inform. Theory, vol. 39, pp. 733–742, May 1993.
[2] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography, Part I: Secret sharing," IEEE Trans. Inform. Theory, vol. 39, pp. 1121–1132, July 1993.
[3] I. Csiszár and P. Narayan, "Common randomness and secret key generation with a helper," IEEE Trans. Inform. Theory, vol. 46, pp. 344–366, Mar. 2000.
[4] S. Nitinawarat, C. Ye, A. Barg, P. Narayan, and A. Reznik, "Secret key generation for a pairwise independent network model," IEEE Trans. Inform. Theory, vol. 56, pp. 6482–6489, Dec. 2010.
[5] C. Chan and L. Zheng, "Network coding for secret key agreement," IEEE Trans. Inform. Theory, 2010. Submitted.
[6] I. Csiszár and P. Narayan, "Secrecy capacities for multiple terminals," IEEE Trans. Inform. Theory, vol. 50, pp. 3047–3061, Dec. 2004.
[7] C. Ye and P. Narayan, "Secret key and private key constructions for simple multiterminal source models," IEEE Trans. Inform. Theory, vol. 58, pp. 639–651, Feb. 2012.
[8] U. Maurer, "Information-theoretically secure secret-key agreement by not authenticated public discussion," in Advances in Cryptology, EUROCRYPT '97, pp. 209–225, Springer, 1997.
[9] U. M. Maurer and S. Wolf, "Secret key agreement over a non-authenticated channel, Part I: Definitions and bounds," IEEE Trans. Inform. Theory, vol. 49, pp. 822–831, Apr. 2003.
[10] U. M. Maurer and S. Wolf, "Secret key agreement over a non-authenticated channel, Part II: The simulatability condition," IEEE Trans. Inform. Theory, vol. 49, pp. 832–838, Apr. 2003.
[11] U. M. Maurer and S. Wolf, "Secret key agreement over a non-authenticated channel, Part III: Privacy amplification," IEEE Trans. Inform. Theory, vol. 49, pp. 839–851, Apr. 2003.
[12] A. Schrijver, Theory of Linear and Integer Programming. New York: John Wiley & Sons, 1998.
[13] N. Karmarkar, "A new polynomial-time algorithm for linear programming," in Proceedings of the Sixteenth Annual ACM Symposium on Theory of Computing, pp. 302–311, ACM, 1984.
[14] C. C. Gonzaga, An Algorithm for Solving Linear Programming Problems in O(n^3 L) Operations. New York: Springer, 1989.
[15] M. S. Bazaraa, J. J. Jarvis, and H. D. Sherali, Linear Programming and Network Flows. New York: John Wiley & Sons, 2011.
[16] C. R. Rao and S. K. Mitra, Generalized Inverse of Matrices and Its Applications. New York: John Wiley & Sons, 1971.
[17] C. R. Rao, "Calculus of generalized inverses of matrices, Part I: General theory," Sankhyā: The Indian Journal of Statistics, Series A, pp. 317–342, 1967.
[18] H.-M. Möller, Exact Computation of the Generalized Inverse and the Least-squares Solution. Techn. Univ., Fak. für Mathematik, 1999.
[19] R. D. Monteiro and I. Adler, "Interior path following primal-dual algorithms. Part I: Linear programming," Mathematical Programming, vol. 44, pp. 27–41, 1989.
[20] R. D. Monteiro and I. Adler, "Interior path following primal-dual algorithms. Part II: Convex quadratic programming," Mathematical Programming, vol. 44, pp. 43–66, 1989.