Secret Key Agreement Using Conferencing in State-Dependent Multiple Access Channels with An Eavesdropper
Mohsen Bahrami, Ali Bereyhi, Mahtab Mirmohseni, Mohammad Reza Aref
Information Systems and Security Lab (ISSL), Sharif University of Technology, Tehran, Iran
Email: {bahramy, bereyhi}@ee.sharif.edu

Abstract—In this paper, the problem of secret key agreement in state-dependent multiple access channels with an eavesdropper is studied. For this model, the channel state information is non-causally available at the transmitters; furthermore, a legitimate receiver observes a degraded version of the channel state information. The transmitters can partially cooperate with each other using a conferencing link with a limited rate. In addition, a backward public channel is assumed between the terminals. The problem of secret key sharing consists of two rounds. In the first round, the transmitters wish to share a common key with the legitimate receiver. Lower and upper bounds on the common key capacity are established. In a special case, the capacity of the common key is obtained. In the second round, the legitimate receiver agrees on two independent private keys with the corresponding transmitters using the public channel. Inner and outer bounds on the private key capacity region are characterized. In a special case, the inner bound coincides with the outer bound. We provide some examples to illustrate our results.
Index Terms—Information theoretic security, multiple access channel, state-dependent, secret key sharing, common and private key capacity region.
I. INTRODUCTION
Secure communication in a network is possible when legitimate users have access to some secret keys. In [1], Shannon demonstrated that the perfect secrecy condition can be satisfied if: H(K) ≥ H(M), where H(K) and H(M) are the entropies of the key and the message, respectively. Secret key generation in a network requires the existence of common randomness between users. A simple model for common randomness, in the information theory context, is distributed correlated sources. This model was first studied by Ahlswede and Csiszár [2], where legitimate users utilize two correlated sources as common randomness to share a secret key in a noiseless network that must be concealed from an eavesdropper. In [3], new bounds on the secret key capacity over a multiterminal network with public channel were established by Gohari and Anantharam. In their model, there are M legitimate terminals and an eavesdropper that have access to correlated sources. Only some of the legitimate terminals can transmit over the channel. All the legitimate terminals intend to agree on a common key that must be kept secret from the eavesdropper. In a noisy channel, common randomness can be obtained by implementing the channel distribution. This model is useful when illegal users have no access to the common randomness or a part of it. But if the legitimate users do not have any advantages compared to the illegal users, this common randomness is not beneficial for secret key sharing any more. Maurer solved this problem using a backward public channel in the wiretap model [4]. The backward public channel is a noiseless channel used by the receivers to transmit messages to the transmitters where the messages can be observed by an eavesdropper. In [2], Ahlswede and Csiszár showed that a forward noiseless channel does not help to solve the problem.

This work was partially supported by Iranian NSF under contract no. / − .
In addition to Maurer's solution, the problem can be solved when correlated sources are distributed between legitimate users in a noisy network. This idea was recently developed by Khisti et al. in the wiretap channel where the transmitter and the legitimate receiver have access to correlated sources [5]. Salimi and Skoglund, in another recent work, investigated the problem of secret key agreement over generalized multiple access channels using correlated sources [6]. In this channel, each of the transmitters intends to agree on a private key with a receiver. Furthermore, when a forward public channel is available, the secret key sharing problem was studied by Salimi et al. [7]. In their model, the transmitters intend to share private keys over the generalized multiple access channel with the receiver using the public channel. The authors established examples to show that the forward public channel can improve the secret key capacity. In addition, they showed that using the forward public channel for key sharing is more effective than the compress and forward strategy proposed in [8].

In state-dependent noisy networks, the Channel State Information (CSI) can be used as common randomness when illegal users have limited access to the CSI. In these networks, the CSI may be available causally or non-causally at the legitimate users. Khisti et al. studied the problem of secret key agreement over 2-receiver broadcast channels with causal or non-causal CSI where the transmitter, upon observing the CSI, generates a secret key and sends the required information over the channel and the legitimate receiver estimates the secret key [9]-[11].

Cooperation can be effective for common key sharing in a network where there is more than one transmitter. Conferencing is one of the schemes that can be utilized to provide cooperation. In most cases, a noiseless channel with a limited rate is used to establish the conferencing scheme.
In [12], Willems used the conferencing scheme in a multiple access channel where there is an interactive noiseless channel with a limited rate between the transmitters. Upon receiving sequences from the noiseless channel, each transmitter determines the channel input as a function of its message and the observed sequences.

Main Contributions and Organization
Consider a multiterminal network with n + 1 users, where one of them acts as a Trusted Center (TC) and others act as End Nodes (ENs). In addition, there is an illegal user in the network which wishes to eavesdrop. In this network, the ENs try to establish a confidential connection with the TC. Therefore, they first need to agree on some keys with the TC to announce themselves as trusted users. For transmitting the confidential message, the TC needs to generate n independent private keys and share them with each of the ENs. These private keys provide an ability of multiplexing in the network. The eavesdropper tries to find the keys and attack the network.

Motivated by the above scenario, we define our system model. As Fig. 1 illustrates, we consider a three-user network with an eavesdropper, in which two ENs and a TC are modeled as two transmitters and a legitimate receiver, respectively. The transmitters and the legitimate receiver are connected by a State-Dependent Multiple Access Channel (SD-MAC) where a conferencing link is available between the transmitters. In addition, the eavesdropper observes the channel. An insecure backward public channel with an unlimited capacity is available between all the terminals. In order to achieve a secure connection, the transmitters first intend to share a common key over the SD-MAC with the legitimate receiver using the conferencing scheme. Then, the legitimate receiver shares an independent private key with each of the transmitters over the public channel.

In this model, we investigate the problem of secret key agreement in two rounds. In the first round, we establish the lower and upper bounds on the common key capacity. The intuition behind the lower bound comes from the superposition coding and random binning. The state is utilized to generate the common key by means of the hybrid joint source channel coding. In the second round, the inner and outer bounds are derived on the private key capacity region.
The double random binning is used to satisfy the secrecy constraints. In this round, the private key capacity is obtained for some special cases. Different systems can be modeled as the SD-MAC with an eavesdropper. For example, we consider a binary memory with stuck at faults in which two end nodes utilize this memory to share a common key with a trusted center where an eavesdropper has access to the memory. As another example, we discuss the key agreement in the modulo-additive SD-MAC with an eavesdropper.

Fig. 1. The state-dependent multiple access channel with an eavesdropper.

The rest of the paper is organized as follows. In Section II, the problem definition is described. In Section III, our main results and the intuitions behind them are given. In Section IV, examples are provided. Finally, proofs are presented in Section V.

II. PROBLEM DEFINITION
Throughout the paper, we denote a discrete random variable with an upper case letter (e.g., X) and its realization by the lower case letter (e.g., x). We denote the probability density function of X over X with p(x) and the conditional probability density function of Y given X by p(y | x). Finally, we use Y^n to indicate vector (Y , Y , . . . , Y_n).

A discrete memoryless SD-MAC with an eavesdropper is defined by a channel input alphabet X × X, a channel state alphabet S, a channel output alphabet Y, an eavesdropper's output alphabet Z and a transition probability function p(y, z | x , x , s) where X , X , Y, Z and S are finite sets. As Fig. 1 illustrates, the transmitters have access to the exact CSI while the legitimate receiver has access to the degraded version of the CSI non-causally.

We consider the interactive key agreement in the SD-MAC with an eavesdropper where a backward public channel with unlimited capacity is available from the receivers to the transmitters. We assume that a noiseless channel, with limited rate R_C, is available between the encoders which can be used for conferencing. The interactive key agreement scheme consists of two rounds. In the first round, the transmitters generate a common key using conferencing and transmit required information for common key sharing to the legitimate receiver via the SD-MAC. In the second round, the legitimate receiver agrees on a private key with each transmitter using the public channel. In the following we clarify the schemes with details.

A. The First Round
In the first round, as Fig. 1 illustrates, the first transmitter, upon observing s^n, generates k ∈ [1 : 2^{nR}) as a common key and sends the required information to the second transmitter over the noiseless channel with limited rate R_C. The second transmitter generates k ∈ [1 : 2^{nR}), as a function of received information and s^n, to share with the legitimate receiver. Then, the transmitters determine x_i and x_i for i ∈ [1 : n], as deterministic functions of the corresponding common keys and s^n, and transmit x^n and x^n over the SD-MAC with an eavesdropper. The legitimate receiver observes the channel output y^n and reconstructs the common key k̂. The sequence z^n is received from the SD-MAC by the eavesdropper.

Definition 1: In the first round, a rate R is said to be achievable if for every ε > and sufficiently large n, there exists a protocol such that

Pr{K ≠ K} < ε (1)
Pr{∪_{i=1} {K̂ ≠ K_i}} < ε (2)
n I(K; Z^n) < ε (3)
n log |K| < n H(K) + ε (4)
n H(K) > R − ε (5)

Equation (1) investigates conferencing achievement. Equation (2) is the reliability condition of the common key. Equation (3) implies that the eavesdropper has effectively no information about the common key. Finally, the set of equations (4) and (5) investigate the uniformity conditions.

Definition 2: The common key capacity is the set of all achievable rates R.

B. The Second Round
In the second round, as Fig. 1 illustrates, the legitimate receiver, upon observing Y^n and T^n, determines two independent private keys k ∈ [1 : 2^{nR}) and k ∈ [1 : 2^{nR}) for sharing with the first and second transmitter, respectively. The legitimate receiver transmits ψ = ψ(k) and ψ = ψ(k) over the backward public channel. For i = 1, , the i-th transmitter estimates its private key k̂_i. The eavesdropper utilizes z^n, ψ and ψ for eavesdropping.

Definition 3: In the second round, a rate pair (R , R) is an achievable private key rate pair if for every ε > and sufficiently large n there exists a protocol such that

Pr{K_i ≠ K̂_i} < ε (6)
n I(K_i; Z^n, ψ, ψ) < ε (7)
n I(K_i; X^n_{i^c}, K_{i^c}, S^n, ψ, ψ) < ε (8)
n log |K_i| < n H(K_i) + ε (9)
n H(K_i) > R_i − ε (10)

for i = 1, , where i^c is i's complement, i.e., {i^c, i} = { , }. Equation (6) is the reliability condition. Equations (7) and (8) mean that the eavesdropper and each transmitter have effectively no information about the other transmitter's private key. Finally, the set of equations (9) and (10) investigate the uniformity conditions.

Definition 4: The private key capacity region is the set of all achievable rate pairs (R , R).

III. MAIN RESULTS
Here, we provide inner and outer bounds on the secret key capacity region of the SD-MAC with an eavesdropper, in two sub-sections. In sub-section III-A, we discuss the lower and upper bounds on the common key capacity. The inner and the outer bounds on the private capacity region are given in sub-section III-B.
A. The First Round
In this sub-section, we present two theorems. Theorem 1 states a lower bound on the common key capacity.
Theorem 1 (Common Key Lower Bound): The common key rate R is achievable for the first round if

R ≤ [I(V; Y, T | U) − I(V; Z | U)]^+ (11)

subject to the constraints:

I(U; Y | T) ≤ I(U; S) (12)
I(V; Y, T | U) ≤ I(V; S | U) (13)
R_C ≥ H(U, V | S) (14)

for some input distribution:

p(s, t, u, v, x , x , y, z) = p(s) p(t | s) p(u | s) p(v | u, s) p(x | u, v, s) p(x | u, v, s) p(y, z | x , x , s), (15)

where [x]^+ = max{x, }.

Outline of the Proof: The achievability follows by specifying the sequence U^n as a description of S^n. V^n is generated over U^n using the superposition coding. The U^n and V^n are shared between the transmitters by utilizing the conferencing link. The random binning is applied to satisfy the secrecy constraints. Upon observing T^n and Y^n, the legitimate receiver estimates the common key by means of joint typicality decoding. The proof is provided in section V-A.

Theorem 2 states an upper bound on the common key capacity.

Theorem 2 (Common Key Upper Bound): For the common key sharing, any rate R must satisfy

R ≤ I(X , X , S; Y, T | Z) (16)

Proof: See Section V-B.

In the following, we establish the common key capacity for a special case.

Corollary 1: If the random variables U, V, Y and Z form the Markov chain, (U, V) → Y → Z, i.e., the illegal output Z is the degraded version of Y, the common key capacity reduces to:

R ≤ I(V; Y, T | U, Z) (17)

subject to the constraints:

I(U; Y | T) ≤ I(U; S) (18)
I(V; Y, T | U) ≤ I(V; S | U) (19)
R_C ≥ H(U, V | S) (20)

Proof: See section V-C.
B. The Second Round
Now, the bounds on the private key capacity region are given. Theorem 3 states an inner bound on the private key capacity region.
Theorem 3 (Private Key Inner Bound): The private key rate pair (R , R) is achievable for the second round if

R ≤ [min{I(T; X , S | T) − I(T; X , S | T), I(T; X , S | T) − I(T; Z)}]^+ (21)
R ≤ [min{I(T; X , S | T) − I(T; X , S | T), I(T; X , S | T) − I(T; Z)}]^+ (22)

subject to the constraints:

I(T; X , S | T) ≤ I(T; Y | T) (23)
I(T; X , S | T) ≤ I(T; Y | T) (24)

for some input distribution:

p(s, t, t , t , x , x , y, z) = p(s) p(x , x | s) p(y, z | x , x , s) p(t) p(t | t) p(t | t). (25)

Outline of the Proof: In order to achieve the inner bound, two conditionally independent sequences T^n and T^n are generated with probability distribution p(t | t) p(t | t). Then, we use the double random binning to satisfy the secrecy constraints. The proof is given in section V-D.

Theorem 4 states an outer bound on the private key capacity region.

Theorem 4 (Private Key Outer Bound): For the private key sharing, any rate pair (R , R) must satisfy:

R ≤ min{I(T; X , S | Z), I(T; X | X , S)} (26)
R ≤ min{I(T; X , S | Z), I(T; X | X , S)} (27)

This bound can be directly deduced from Theorem 1 in [2].

In the following, we obtain the private key capacity region for a special case.

Corollary 2: If the inputs and output of the SD-MAC with an eavesdropper form a Markov chain as (X , T) → (S, T) → (X , T) → Z, the private key capacity region reduces to:

R ≤ I(T; X | S, X) (28)
R ≤ I(T; X | S, X) (29)

subject to the constraints:

I(T; X , S | T) ≤ I(T; Y | T) (30)
I(T; X , S | T) ≤ I(T; Y | T) (31)

Proof: The achievability follows from Theorem 3 where we have:

R ≥ I(T; X , S | T) − max{I(T; X , S | T), I(T; Z)}
(a) = I(T; X , S | T) − I(T; X , S | T)
= I(T; X | S, T) − I(T; X | S, T)
= I(T; X , X | S, T) − I(T; X | X , S, T) − I(T; X | S, T)
(b) = I(T; X | S, T) + I(T; X | X , S, T) − I(T; X | S, T)
= I(T; X | X , S, T)
(c) = I(T; X | X , S), (32)

where (a), (b) and (c) can be deduced from the Markov chain, (X , T) → S → T → (X , T) → Z. The proof of converse can be obtained from the outer bound of Theorem 4.

IV. EXAMPLES
Different examples can be established to illustrate our proposed model. In this section, we present some examples to explain our results.
A. Binary Memory with Stuck at Faults
Consider a network where two ENs intend to share a common key k ∈ [1 : 2^{nR}) with the TC. In this network, a binary memory with stuck at faults is available where the eavesdropper has access to this memory. Suppose only the ENs have access to the defect information. For the key agreement, the ENs utilize the fault pattern to share the required information with the TC. The binary memory with stuck at faults can be modeled as the state-dependent memoryless channel where each of the memory cells sticks at with a probability p , likewise, sticks at 1 with a probability p and behaves as a noiseless binary channel with a probability − p [13]. For the described example, the following argument shows that a lower bound on the common key capacity is R ≤ p bits subject to the constraint H(V | S) ≤ − p.

We propose a protocol for the common key agreement: Fix distribution p(v, s) such that H(V | S) ≤ − p. Generate a set of n binary sequences v^n(m_v), m_v ∈ [1 : 2^n) according to a Bernoulli distribution with success probability where there are roughly n(1 − p) sequences v^n that match any given fault pattern. Partition them into nR equal size subsets. Choose the sequence v^n such that v^n and s^n are jointly typical with respect to p(v, s). Set the subset index of chosen v^n as the common key. By using the above protocol and Theorem 1, we prove R ≤ p.

Proof: By setting U = T = ∅ in Theorem 1, we have:

R ≤ I(V; Y) − I(V; Z) = H(V | Z) − H(V | Y) ≤ H(V) − H(V | Y) = 1 − (1 − p) = p bits

and for the constraint we have:

I(V; Y) ≤ I(V; S) ⇒ H(V | S) ≤ H(V | Y) ⇒ H(V | S) ≤ − p bits

In fact, the ENs utilize the fault pattern for common key sharing with the TC. Therefore, the common key rate is bounded by error probability p.

B. The Modulo-Additive SD-MAC

Consider the binary SD-MAC with channel output Y = X ⊕ X ⊕ S ⊕ N and eavesdropper's output Z = X ⊕ X ⊕ S ⊕ N where N ∼ Bern(p), N ∼ Bern(p), ≤ p ≤ p ≤ and the channel state S has a Bernoulli distribution with success probability p_S. In the proposed model, the transmitters intend to share a common key k ∈ [1 : 2^{nR}) with the legitimate receiver Y using conferencing with limited rate R_C. A lower bound on the common key capacity of the modulo-additive SD-MAC with eavesdropper is

R ≤ H_b((α ∗ p_S) ∗ p) + H_b(p_S ∗ p) − H_b((α ∗ p_S) ∗ p) − H_b(p_S ∗ p)

subject to the constraint:

H(V | S) ≤ min{H_b(α) + H_b(α ∗ p) − H_b((α ∗ p_S) ∗ p), R_C}

Proof: In order to prove the lower bound, we set U = T = ∅ and X = X = V ∼ Bern(α), using the conferencing link, in Theorem 1 such that

R ≤ I(V; Y) − I(V; Z)
= H(Y) + H(Z | V) − H(Z) − H(Y | V)
= H(V ⊕ S ⊕ N) + H(V ⊕ S ⊕ N | V) − H(V ⊕ S ⊕ N) − H(V ⊕ S ⊕ N | V)
= H(V ⊕ S ⊕ N) + H(S ⊕ N) − H(V ⊕ S ⊕ N) − H(S ⊕ N)
= H_b((α ∗ p_S) ∗ p) + H_b(p_S ∗ p) − H_b((α ∗ p_S) ∗ p) − H_b(p_S ∗ p)

for the constraint we have:

I(V; Y) ≤ I(V; S) ⇒ H(Y) − H(Y | V) ≤ H(V) − H(V | S)
H_b((α ∗ p_S) ∗ p) − H_b(α ∗ p) ≤ H_b(α) − H(V | S)
H(V | S) ≤ H_b(α) + H_b(α ∗ p) − H_b((α ∗ p_S) ∗ p).

and R_C ≥ H(V | S) where a ∗ b = a(1 − b) + (1 − a)b and H_b(x) = −x log(x) − (1 − x) log(1 − x).

V. PROOFS
In this section, we present proofs of the main results. In order to prove Theorem 1, we employ the superposition coding [14] and random binning [15]. The intuition behind the proof of Theorem 3 comes from the Slepian & Wolf coding [16] and the double random binning. The proofs of the outer bounds are similar to [2].
A. Proof of Theorem 1
Fix probability distribution p(x_i, u, v | s) for i = 1, ,

Codebook Generation: Randomly and independently generate nR_U sequences U^n(m_u), m_u ∈ [1 : 2^{nR_U}) each according to ∏_{i=1}^{n} p(u_i). The set of all sequences U^n is represented by C_U. For each U^n(m_u), randomly and conditionally independently generate nR̃_V sequences V^n(m_v), m_v ∈ [1 : 2^{nR̃_V}), each according to ∏_{i=1}^{n} p(v_i | u_i) and randomly partition them into nR_V bins. Consequently, each bin consists of n(R̃_V − R_V) sequences V^n on average. Codebook C_U contains nR_U sub-codebooks where sub-codebook m_u is represented by C_V(m_u).

Encoding: The first encoder, ENC 1, upon observing CSI s^n chooses a pair (m_u, m_v) such that,

(s^n, u^n(m_u), v^n(m_v)) ∈ T_ε^(n)(S, U, V). (33)

If there is no such pair, ENC 1 sets (m_u, m_v) = (1, . If there are more than one pair, ENC 1 randomly chooses m_u and m_v. Then, ENC 1 sends pair (m_u, m_v) over the noiseless channel with limited rate R_C. ENC 2 reconstructs u^n(m_u) and v^n(m_v), using the codebook. The reconstruction can be done successfully if:

R_C ≥ max_{m_u} { n log(‖A(U) ∩ C_U‖ × ‖A(V) ∩ C_V(m_u)‖) } (34)

the sets A(U) and A(V) are defined as below:

A(U) = {u^n | ∃ s^n ∋ (u^n, s^n) ∈ T_ε^(n)(S, U)}
A(V) = {v^n | ∃ s^n, u^n ∋ (v^n, u^n, s^n) ∈ T_ε^(n)(S, U, V)}.

where ‖A(U) ∩ C_U‖ and ‖A(V) ∩ C_V(m_u)‖ indicate the number of sequences U^n in C_U and V^n in C_V(m_u), m_u ∈ [1 : 2^{nR_U}) that are jointly typical with S^n, respectively. It can be shown that condition (34) is satisfied by R_C ≥ H(U, V | S). Simply, we can consider R_C = R_U + R̃_V.

ENC j transmits x_ji = x_ji(s_i, u_i(m_u), v_i(m_v)) for i ∈ [1 : n], j = 1, over the SD-MAC. This can be done with an arbitrarily small probability of error as n → ∞ if:

R_U ≥ I(U; S) (35)
R̃_V ≥ I(V; S | U) (36)

The above conditions can be deduced from the covering lemma [17].

Remark 1: According to the channel distribution, the output distribution p(y) can be written as

p(y) = ∑_{x ,x ,s} p(y | x , x) p(x , x , s).

In order to cover the probability space of variables X , X and S completely, we must generate the codewords X^n and X^n as functions of S^n.

Common Key Generation: The transmitters choose the bin index of v^n(m_v) as the common key to share with the legitimate receiver.

Decoding: The legitimate decoder, upon observing the channel output y^n, estimates u^n(m̂_u) such that

(y^n, t^n, u^n(m̂_u)) ∈ T_ε^(n)(Y, T, U) (37)

and recovers v^n(m̂_v) ∈ C_V(m̂_u) such that

(y^n, t^n, u^n(m̂_u), v^n(m̂_v)) ∈ T_ε^(n)(Y, T, U, V). (38)

If an error occurs, the legitimate decoder sets (m̂_u, m̂_v) = (1, . By using the packing lemma and mutual packing lemma [18], the probability of error tends to zero as n → ∞ if:

R_U ≤ I(U; Y | T) (39)
R̃_V ≤ I(V; Y, T | U) (40)
R_U + R̃_V ≤ I(U, V; Y | T) (41)

Secrecy Analysis: In order to check the security condition on the common key rate averaged over the random codebook assignments C_V, we have:

I(K; Z^n | C_V) ≤ I(K; Z^n, U^n | C_V)
= H(K | C_V) − H(K | Z^n, U^n, C_V)
= H(K | C_V) − H(K, V^n | Z^n, U^n, C_V) + H(V^n | K, Z^n, U^n, C_V)
= nR_V − H(V^n | Z^n, U^n, C_V) − H(K | Z^n, U^n, V^n, C_V) + H(V^n | K, Z^n, U^n, C_V)
(a) = nR_V − H(V^n | Z^n, U^n, C_V) + H(V^n | K, Z^n, U^n, C_V)
(b) ≤ nR_V − nR̃_V + nI(V; Z | U) + nR̃_V − nR_V − nI(V; Z | U) + nε = nε (42)

where (a) follows from the fact that K is the bin index of V^n and the equality H(K | Z^n, U^n, V^n, C_V) = 0 holds. (b) can be deduced from inequalities H(V^n | Z^n, U^n, C_V) ≤ nR̃_V − nI(V; Z | U) + nε and H(V^n | K, Z^n, U^n, C_V) ≤ nR̃_V − nR_V − nI(V; Z | U) + nε if R ≤ I(V; Y, T | U) − I(V; Z | U) + ε, the proof is similar to [18, Lemma 22.3].

B. Proof of Theorem 2
In our described model, the legitimate receiver should be able to estimate the common key K correctly, therefore, according to Fano's inequality we have n H(K | Y^n, T^n) ≤ ε and also, the security condition n I(K; Z^n) ≤ ε must be satisfied. We obtain an upper bound on R,

nR = H(K) = I(K; Z^n) + H(K | Z^n)
(a) ≤ H(K | Z^n) + nε
= I(K; Y^n, T^n | Z^n) + H(K | Y^n, T^n, Z^n) + nε
(b) ≤ I(K; Y^n, T^n | Z^n) + 2nε
≤ I(K, X^n, X^n, S^n; Y^n, T^n | Z^n) + 2nε
(c) = I(X^n, X^n, S^n; Y^n, T^n | Z^n) + 2nε
≤ ∑_{i=1}^{n} I(X_i, X_i, S_i; Y_i, T_i | Z_i) + 2nε
(d) = nI(X_Q, X_Q, S_Q; Y_Q, T_Q | Z_Q, Q) + 2nε
= nI(X_Q, X_Q, S_Q; Y_Q, T_Q | Z_Q) + 2nε (43)

where (a) follows from the security condition, (b) follows from Fano's inequality, (c) can be derived from the Markov chain K → (X^n, X^n) → (Y^n, Z^n). (d) can be obtained by considering Q as a uniform variable over [1 : n].

C. Proof of Corollary 1
The achievability follows from Theorem 1 where we have:

R ≥ I(V; Y, T | U) − I(V; Z | U)
= I(V; Y, T, Z | U) − I(V; Z | U, Y, T) − I(V; Z | U)
(a) = I(V; Z | U) + I(V; Y, T | Z, U) − I(V; Z | U)
= I(V; Y, T | Z, U) (44)

where (a) comes from the Markovity. For the converse proof, we have:

nR = H(K) = I(K; Z^n) + H(K | Z^n)
(a) ≤ H(K | Z^n) + nε
= I(K; Y^n, T^n | Z^n) + H(K | Y^n, T^n, Z^n) + nε
(b) ≤ I(K; Y^n, T^n | Z^n) + 2nε
≤ I(K, X^n, X^n, S^n; Y^n, T^n | Z^n) + 2nε
(c) ≤ ∑_{i=1}^{n} I(K, X^n, X^n, S^n; Y_i, T_i | Z_i, Y^n_{i+1}, T^n_{i+1}) + 2nε
(d) = ∑_{i=1}^{n} I(K, X^n, X^n, S_i; Y_i, T_i | Z_i, Y^n_{i+1}, T^n_{i+1}, S^{i−}) + 2nε
(e) = ∑_{i=1}^{n} I(V_i; Y_i, T_i | Z_i, U_i) + 2nε
(f) = nI(V_Q; Y_Q, T_Q | Z_Q, U_Q, Q) + 2nε
= nI(V_Q; Y_Q, T_Q | Z_Q, U_Q) + 2nε (45)

where (a) follows from the security condition I(K; Z^n) ≤ nε, (b) comes from Fano's inequality H(K | Y^n, T^n) ≤ nε. (c) and (d) can be deduced from the Markov chains, (K, X^n, X^n, S^n) → (T^n_{i+1}, Y^n_{i+1}) → Z^n_{i+1} and (K, X^n, X^n) → S^{i−} → Z^{i−}, respectively. By defining V_i = (K, X^n, X^n, S_i) and U_i = (Y^n_{i+1}, T^n_{i+1}, S^{i−}), (e) is obtained. (f) can be established by considering Q as a uniform variable over [1 : n].

D. Proof of Theorem 3
Fix probability distribution p(t , t , t) = p(t) p(t | t) p(t | t)

Codebook Generation: For i = 1, , randomly generate nR_{T_i} sequences T^n_i(m_{t_i}), m_{t_i} ∈ [1 : 2^{nR_{T_i}}) each according to ∏_{j=1}^{n} p(t_ij | t) and partition them into nR′_{T_i} bins and nR″_{T_i} sub-bins using the double random binning. Therefore, there are n(R_{T_i} − R′_{T_i}) sequences T^n_i in each bin and n(R_{T_i} − R′_{T_i} − R″_{T_i}) sequences T^n_i in each sub-bin on average. C_{T_i} indicates the codebook containing all T^n_i. The bin m′_{t_i} and sub-bin m″_{t_i} are represented by B′(m′_{t_i}) and B″(m″_{t_i}), respectively.

Private Key Generation: For i = 1, , the legitimate receiver, Y, upon observing the channel output y^n, chooses t^n_i(m_{t_i}) such that

(t^n_i(m_{t_i}), y^n) ∈ T_ε^(n)(T_i, Y) (46)

and sets m″_{t_i}, t^n_i(m_{t_i}) ∈ B″(m″_{t_i}), as private key k_i to share with the i-th transmitter. This can be done with an arbitrarily small probability of error if:

R_{T_i} ≥ I(T_i; Y | T). (47)

The above conditions can be deduced directly from the covering lemma.

Use of Public Channel: The legitimate receiver, Y, transmits m′_{t_i}, t^n_i(m_{t_i}) ∈ B′(m′_{t_i}) for i = 1, over the backward public channel.

Key Reconstruction: The i-th transmitter, upon receiving m′_{t_i}, estimates m̂_{t_i} such that

t^n_i(m̂_{t_i}) ∈ B′(m′_{t_i}), (48)
(x^n_i, s^n, t^n_i(m̂_{t_i})) ∈ T_ε^(n)(X_i, S, T_i), (49)

and finds k_i such that t^n_i(m̂_{t_i}) ∈ B″(k_i). This can be done with an arbitrarily small probability of error if:

R_{T_i} − R′_{T_i} ≤ I(X_i, S; T_i | T) for i = 1, . (50)

The above conditions can be deduced directly from the packing lemma.

Secrecy Analysis: In order to check the security condition on the private key rate R averaged over the random codebook assignments C_T, we have:

I(K; Z^n, ψ, ψ | C_T) = H(K | C_T) − H(K | Z^n, ψ, ψ, C_T)
= H(K | C_T) − H(K, T^n | Z^n, ψ, ψ, C_T) + H(T^n | K, Z^n, ψ, ψ, C_T)
= nR″_T − H(T^n | Z^n, ψ, ψ, C_T) − H(K | Z^n, T^n, ψ, ψ, C_T) + H(T^n | K, Z^n, ψ, ψ, C_T)
(a) = nR″_T + H(T^n | K, Z^n, ψ, ψ, C_T) − H(T^n | Z^n, ψ, ψ, C_T)
(b) ≤ nR″_T − nR_T + nR′_T + nI(T; Z) + nR_T − nR′_T − nR″_T − nI(T; Z) + nε = nε (51)

where (a) follows from the fact that K is the sub-bin index of T^n and the equality H(K | Z^n, T^n, ψ, ψ, C_T) = 0 holds. (b) can be obtained from the inequalities H(T^n | Z^n, ψ, ψ, C_T) ≤ nR_T − nR′_T − nI(T; Z) + nε and H(T^n | K, Z^n, ψ, ψ, C_T) ≤ nR_T − nR′_T − nR″_T − nI(T; Z) + nε if R ≤ I(T; X , S | T) − I(T; Z) + ε, the proof is similar to [18, Lemma 22.3].

And,

I(K; K, X^n, S^n, ψ, ψ | C_T) ≤ I(K; K, X^n, S^n, T^n, ψ, ψ | C_T)
= H(K | C_T) − H(K | K, X^n, S^n, T^n, ψ, ψ, C_T)
= H(K | C_T) − H(K, T^n | K, X^n, S^n, T^n, ψ, ψ, C_T) + H(T^n | K, K, X^n, S^n, T^n, ψ, ψ, C_T)
= nR″_T − H(T^n | K, X^n, S^n, T^n, ψ, ψ, C_T) − H(K | K, X^n, S^n, T^n, T^n, ψ, ψ, C_T) + H(T^n | K, K, X^n, S^n, T^n, ψ, ψ, C_T)
= (a) nR″_T − H(T^n | K, X^n, S^n, T^n, ψ, ψ, C_T) + H(T^n | K, K, X^n, S^n, T^n, ψ, ψ, C_T)
≤ (b) nR″_T − nR_T + nR′_T + nI(T; X , S | T) + nR_T − nR′_T − nR″_T − nI(T; X , S | T) + nε = nε (52)

where (a) follows from the fact that K is the sub-bin index of T^n and the equality H(K | K, X^n, S^n, T^n, T^n, ψ, ψ, C_T) = 0 holds. (b) can be deduced from the inequalities H(T^n | K, X^n, S^n, T^n, ψ, ψ, C_T) ≤ nR_T − nR′_T − nI(T; X , S | T) + nε and H(T^n | K, K, X^n, S^n, T^n, ψ, ψ, C_T) ≤ nR_T − nR′_T − nR″_T − nI(T; X , S | T) + nε if R ≤ I(T; X , S | T) − I(T; X , S | T) + ε, the proof is similar to [18, Lemma 22.3]. Finally, we have:

R ≤ min{I(T; X , S | T) − I(T; X , S | T), I(T; X , S | T) − I(T; Z)}

Similarly, we can check the security conditions for K.

VI. CONCLUSION
In this paper, we investigated the problem of interactive secret key sharing over a state-dependent multiple access channel with an eavesdropper. In our proposed model, the transmitters share a common key with the receiver over the multiple access channel in the first round. The conferencing scheme has a beneficial role in the common key sharing. In the second round, the receiver agrees on two independent private keys with the corresponding transmitters using the public channel. Inner and outer bounds have been established on the capacity regions of the common and the private keys.

REFERENCES
[1] C. E. Shannon, “Communication theory of secrecy systems,” Bell System Technical Journal, vol. 28, pp. 656-715, 1949.
[2] R. Ahlswede and I. Csiszár, “Common randomness in information theory and cryptography Part I: Secret sharing,” IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121-1132, Jul. 1993.
[3] A. A. Gohari and V. Anantharam, “Information-theoretic key agreement of multiple-terminals Part I: Source model,” IEEE Trans. Inf. Theory, vol. 56, no. 8, pp. 3973-3996, Aug. 2010.
[4] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733-742, May 1993.
[5] A. Khisti, S. Diggavi, and G. Wornell, “Secret-key generation using correlated sources and channels,” IEEE Trans. Inf. Theory, vol. 58, no. 2, pp. 652-670, Feb. 2012.
[6] S. Salimi and M. Skoglund, “Secret key agreement using correlated sources over the generalized multiple access channel,” arXiv preprint, arXiv:1204.2922v1, Apr. 2012.
[7] S. Salimi, M. Salmasizadeh, M. R. Aref, and Jovan Dj Golic, “Key agreement over multiple access channel,” IEEE Trans. on Information Forensics and Security, vol. 6, no. 3, pp. 775-790, Sep. 2011.
[8] E. Ekrem and S. Ulukus, “Effects of cooperation on the secrecy of multiple access channels with generalized feedback,” in Proc. 42nd Ann. Conf. Information Sciences and Systems (CISS), Princeton, NJ, pp. 791-796, Mar. 2008.
[9] A. Khisti, “Secret key agreement on wiretap channel with transmitter side information,” in Proc. Eur. Wireless, Lucca, Italy, pp. 802-809, Apr. 2010.
[10] A. Khisti, S. Diggavi, and G. Wornell, “Secret key agreement with channel state information at the transmitter,” IEEE Trans. on Information Forensics and Security, vol. 6, no. 3, pp. 672-681, Sep. 2011.
[11] A. Khisti, S. Diggavi, and G. Wornell, “Secret key agreement using asymmetry in channel state knowledge,” in Proc. Int. Symp. Inf. Theory, Seoul, Korea, pp. 2286-2290, Jun.-Jul. 2009.
[12] F. Willems, “The discrete memoryless multiple channel with partially cooperating encoders,” IEEE Trans. Inf. Theory, vol. 29, no. 3, pp. 441-445, May 1983.
[13] C. Heegard and A. El Gamal, “On the capacity of computer memory with defects,” IEEE Trans. Inf. Theory, vol. 29, no. 5, pp. 731-739, Sep. 1983.
[14] T. M. Cover, “Broadcast channels,” IEEE Trans. Inf. Theory, vol. 18, no. 1, pp. 2-14, Jan. 1972.
[15] T. M. Cover, “A proof of the data compression theorem of Slepian and Wolf for ergodic sources,” IEEE Trans. Inf. Theory, vol. 21, no. 2, pp. 226-228, Mar. 1975.
[16] D. Slepian and J. K. Wolf, “Noiseless coding of correlated information sources,” IEEE Trans. Inf. Theory, vol. 19, no. 4, pp. 471-480, Jul. 1973.
[17] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Hoboken, NJ: Wiley, 2006.
[18] A. El Gamal and Y. H. Kim,