Secret key-based Authentication with a Privacy Constraint
Kittipong Kittichokechai and Giuseppe Caire
Technische Universität Berlin

Abstract—We consider problems of authentication using secret key generation under a privacy constraint on the enrolled source data. An adversary who has access to the stored description and correlated side information tries to deceive the authentication as well as learn about the source. We characterize the optimal tradeoff between the compression rate of the stored description, the leakage rate of the source data, and the exponent of the adversary's maximum false acceptance probability. The related problem of secret key generation with a privacy constraint is also studied where the optimal tradeoff between the compression rate, leakage rate, and secret key rate is characterized. It reveals a connection between the optimal secret key rate and security of the authentication system.
I. INTRODUCTION
We consider the problem of authentication based on secret key generation. In the enrollment stage, a user provides the source sequence $X^n$ to the system. The source is compressed into a description $M$ which is stored as a helping message. Meanwhile, the secret key message $S$ is generated based on the source and will be used as a reference for authentication. In the authentication stage, the user provides an authentication sequence $Y^n$ which could be a noisy measurement of the enrolled source sequence. Based on $M$ and $Y^n$, the secret key is estimated as $\hat{S}$ and compared with the reference $S$. The user is successfully authenticated if $\hat{S} = S$.

The system described above can be relevant in several applications including those involving access control, secure, and trustworthy communication. One important class of potential applications is related to using biometric data such as fingerprint, iris scans, and DNA sequences for authentication (see, e.g., [1] and references therein). Unlike passwords, the biometric data inherently belong to users and provide a convenient and seemingly more secure way for authentication. However, it is crucial that privacy of the enrolled data must be protected from any inference of an adversary. The privacy risk in this case is of potentially high impact since the biometric data is commonly tied to the person identity. If it is compromised, it cannot be reverted or changed like in the case of using passwords.

In this work, we consider the secret-key based authentication problem in the presence of an adversary, who has access to the stored description $M$ as well as correlated side information $Z^n$, as shown in Fig. 1. The adversary tries to deceive the authentication using its own sequence $\tilde{y}^n$ and is also interested in learning about the enrolled source data $X^n$. We call the event where the legitimate user fails during the authentication as a false rejection, and the event where the system accepts the adversary as a false acceptance. As for the privacy constraint, normalized mutual information between the enrolled source data $X^n$ and all information available at the adversary, e.g., $(M, Z^n)$, is used as a measure of information leakage rate. We wish to design an authentication system that achieves negligible false rejection probability and at the same time minimizes 1) the compression rate of the stored description, 2) the leakage rate of the enrolled source, and 3) the maximum false acceptance probability (mFAP) exponentially. In general, there exists a tradeoff between the compression rate, the information leakage rate, and the mFAP exponent. For example, to obtain a large mFAP exponent while achieving reliable authentication for the legitimate user, a "high quality" description $M$ may need to be stored which in turn can lead to high amount of information leakage. The main result of this work is a single-letter characterization of the fundamental tradeoff between the compression rate, information leakage rate, and mFAP exponent for discrete memoryless sources.

Fig. 1. Secret key-based authentication system with a privacy constraint. (Blocks: Encoder, Decoder, Adversary.)

Closely related to the setting described above, we consider also the problem of secret key generation (for authentication) with a privacy constraint where, apart from reliable reconstruction of the secret key, we wish to maximize the secret key rate as well as ensuring that the leakage rate of the key is negligible. Also in this case, the optimal tradeoff between the compression rate, leakage rate of the source, and secret key rate is characterized. In particular, the optimal secret key rate is shown to be equivalent to the optimal mFAP exponent derived in the first problem.

Related Work
Authentication problems from an information theoretic perspective have been studied in several directions. Maurer in [2] considered the message authentication problem in connection with the hypothesis testing problem where the underlying message probability distributions of the legitimate user and adversary are assumed to be different. Martinian et al. [3] considered authentication with a distortion criteria. More recently, works appear to consider authentication problems based on secret key generation [4]. These include for example works [5], [6], [7] which focused on biometric authentication systems where privacy of the enrolled data is also taken into account. Analysis of deception probability in the authentication system from an adversary's perspective was also considered in [8]. Closely related to the secret key-based authentication problem with privacy constraint are the problems of source coding with privacy constraint, e.g., [9], [10], where the goals are to reconstruct the source reliably while preserving the privacy of the source or the reconstruction sequences from any inference of an eavesdropper. In this work, we extend the problem in [6] to a more general case where the adversary has correlated side information. Moreover, we provide a complete characterization of the problem studied in [7]. Standard notations in [11] are used.

II. SECRET KEY-BASED AUTHENTICATION SYSTEM
A. Problem Formulation
Let us consider a secret key-based authentication system shown in Fig. 1. Source and side information alphabets, $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$ are assumed to be finite. Let $(X^n, Y^n, Z^n)$ be $n$-length sequences which are i.i.d. according to $P_{X,Y,Z}$.

In the enrollment stage, based on the user's source sequence $X^n$, an "encoder" generates a rate-limited description $M \in \mathcal{M}^{(n)}$ and a secret key message $S \in \mathcal{S}^{(n)}$. For authentication, the user provides a (noisy) authentication sequence $Y^n$ to the system. Based on $Y^n$ and the stored description $M$, a "decoder" generates $\hat{S}$ as an estimate of the secret key. The user will be positively authenticated if $\hat{S} = S$.

The information leakage rate at the adversary who has access to the stored description $M$ and side information $Z^n$, correlated with $X^n$, is measured by the normalized mutual information $I(X^n; M, Z^n)/n$. The adversary, based on $M$ and $Z^n$, also chooses a sequence $\tilde{y}^n(M, Z^n) \in \mathcal{Y}^n$ for authentication. The maximum false acceptance probability (mFAP) is defined as $\mathrm{mFAP} \triangleq \max_{\tilde{y}^n(M,Z^n) \in \mathcal{Y}^n} \Pr(\tilde{S}_{\tilde{y}^n} = S)$, where $\tilde{S}_{\tilde{y}^n}$ is the estimate resulting from $M$ and $\tilde{y}^n$. We are interested in characterizing the optimal tradeoff between the compression rate, information leakage rate, and mFAP exponent.

Definition 1: A code for secret key-based authentication with a privacy constraint consists of
• an encoder $f_m^{(n)} : \mathcal{X}^n \to \mathcal{M}^{(n)}$,
• an encoder $f_s^{(n)} : \mathcal{X}^n \to \mathcal{S}^{(n)}$,
• a decoder $g^{(n)} : \mathcal{M}^{(n)} \times \mathcal{Y}^n \to \mathcal{S}^{(n)}$,
where $\mathcal{M}^{(n)}$ and $\mathcal{S}^{(n)}$ are finite sets.

Definition 2: A compression-leakage-mFAP exponent tuple $(R, L, E) \in \mathbb{R}^3_+$ is said to be achievable if for any $\delta > 0$ and all sufficiently large $n$ there exists a code above such that

$$\Pr(\hat{S} \neq S) \le \delta, \tag{1}$$
$$\frac{1}{n} \log \left|\mathcal{M}^{(n)}\right| \le R + \delta, \tag{2}$$
$$\frac{1}{n} I(X^n; M, Z^n) \le L + \delta, \tag{3}$$
and
$$\frac{1}{n} \log \frac{1}{\mathrm{mFAP}} \ge E - \delta. \tag{4}$$

The compression-leakage-mFAP exponent region $\mathcal{R}_1$ is the set of all achievable tuples.

B. Result

Theorem 1: The compression-leakage-mFAP exponent region $\mathcal{R}_1$ for the problem depicted in Fig. 1 is given by a set of all tuples $(R, L, E) \in \mathbb{R}^3_+$ such that

$$R \ge I(X; V | Y), \tag{5}$$
$$L \ge I(X; V, Y) - I(X; Y | U) + I(X; Z | U), \tag{6}$$
$$E \le I(V; Y | U) - I(V; Z | U), \tag{7}$$

for some joint distributions of the form $P_{X,Y,Z} P_{V|X} P_{U|V}$ with $|\mathcal{U}| \le |\mathcal{X}| + 3$, $|\mathcal{V}| \le (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$.

Remark 1 (Randomized encoder): Theorem 1 holds also for a more general setting which allows randomized encoders, i.e., $M$ and $S$ are randomly generated according to $p(m | x^n)$ and $p(s | x^n)$, respectively. This can be seen from the converse proof of Theorem 1 that no assumption regarding the deterministic encoders was made.

Remark 2 (Special cases): i) When side information at the adversary is degraded, i.e., $X - Y - Z$ forms a Markov chain, the compression-leakage-mFAP exponent region is reduced to the set $\mathcal{R}_{1,X-Y-Z}$ consisting of all tuples $(R, L, E)$ such that

$$R \ge I(X; V | Y),$$
$$L \ge I(X; Z) + I(X; V | Y),$$
$$E \le I(V; Y | Z),$$

for some joint distributions of the form $P_{X,Y} P_{Z|Y} P_{V|X}$. We obtain this region from $\mathcal{R}_1$ by setting $U$ constant. The converse proof is modified slightly and is provided in Appendix A.

ii) When the adversary has no side information, the result in Theorem 1 reduces to that in [6]. For example, by setting $Z$ and $U$ equal to constants and $R = H(X)$, we recover [6, Theorem 4].

Proof of Theorem 1:
The sketch of achievability proof is given below based on a random coding argument where we use the definitions and properties of $\epsilon$-typicality as in [11]. Our achievable scheme utilizes layered coding and binning, while the converse proof for the information leakage rate is inspired by that of the secure source coding problem [9].

Achievability: Fix $P_{V|X}$ and $P_{U|V}$. Let $\epsilon$ and $\delta_\epsilon$ be positive real numbers where $\delta_\epsilon \to 0$ as $\epsilon \to 0$. Assume that $I(V; Y | U) - I(V; Z | U) > 0$. The case where $I(V; Y | U) - I(V; Z | U) \le 0$ is trivial since the encoder can just set the secret key message to be constant and does not transmit at all, implying that $(R, L, E) = (0, I(X; Z), 0)$ is achievable.

1) Codebook generation: Randomly and independently generate $2^{n(I(X;U)+\delta_\epsilon)}$ $u^n(j)$ sequences, each i.i.d. according to $\prod_{i=1}^n P_U(u_i)$, $j \in [1 : 2^{n(I(X;U)+\delta_\epsilon)}]$. Then distribute them uniformly at random into $2^{n(I(X;U|Y)+2\delta_\epsilon)}$ bins $b_U(m_1)$, $m_1 \in [1 : 2^{n(I(X;U|Y)+2\delta_\epsilon)}]$. For each $j$, randomly and conditionally independently generate $2^{n(I(X;V|U)+\delta_\epsilon)}$ $v^n(j, k)$ sequences, each i.i.d. according to $\prod_{i=1}^n P_{V|U}(v_i | u_i)$, $k \in [1 : 2^{n(I(X;V|U)+\delta_\epsilon)}]$, and distribute these sequences uniformly at random into $2^{n(I(X;V|U,Y)+3\delta_\epsilon)}$ bins $b_V(j, m_2)$, $m_2 \in [1 : 2^{n(I(X;V|U,Y)+3\delta_\epsilon)}]$. Moreover, in each bin $b_V(j, m_2)$, we distribute sequences $v^n$ uniformly at random into subbins, indexed by $s$, where $s \in [1 : 2^{n(I(V;Y|U) - I(V;Z|U) - \delta_\epsilon)}]$. The index $s$ here represents a subbin index of the second-layered bin. In each subbin, there are $2^{n(I(V;Z|U) - \delta_\epsilon)}$ sequences $v^n$, each indexed by $s'$. Note that $k = (m_2, s, s')$ here. The codebooks are then revealed to all parties.

2) Enrollment: Given $x^n$, the encoder looks for $u^n(j)$ and $v^n(j, k)$ that are jointly typical with $x^n$. From the covering lemma [11], with high probability, there exist such codeword pairs. If there are more than one pairs, the encoder selects one of them uniformly at random, and then sends the corresponding bin indices $m_1$ and $m_2$ to the decoder. The total rate is thus equal to $I(X; U | Y) + I(X; V | U, Y) + 5\delta_\epsilon = I(X; V | Y) + 5\delta_\epsilon$. The secret key is set to be the subbin index $s$ in which the chosen sequence $v^n \in b_V(j, m_2)$ falls.

3) Authentication: The decoder looks for $u^n(j)$ and $v^n(j, k)$ in the bins $(m_1, m_2)$ which are jointly typical with $y^n$. From the packing lemma [11], with high probability, it will find the unique sequence $u^n(j) \in b_U(m_1)$ which is jointly typical with $y^n$. Then, with high probability, it will find the unique $v^n(j, k) \in b_V(j, m_2)$ which is jointly typical with $y^n$ and the decoded $u^n(j)$. Finally, it puts out the corresponding subbin index of the decoded $v^n$ as an estimate of the secret key which, with high probability, will be equal to the generated one.

Let $U^n(J)$ and $V^n(J, K)$ be the codewords chosen at the encoder in the enrollment stage, and $(M_1, M_2)$ be the corresponding indices of the bins to which $U^n(J)$ and $V^n(J, K)$ belong. Note that $(M_1, M_2)$ can be determined from $(J, K)$. From the enrollment stage, the sources and selected codewords are jointly typical, i.e., $(X^n, U^n(J), V^n(J, K), Y^n, Z^n) \in \mathcal{T}_\epsilon^{(n)}$, with high probability. We have the following lemma.

Lemma 1: The following bound holds, $H(Z^n | J) \le n(H(Z | U) + \delta_\epsilon)$.

Proof:
The proof is given in Appendix B.

Then, the information leakage averaged over all possible codebooks can be bounded as follows.

$$\begin{aligned}
I(X^n; M_1, M_2, Z^n) &= H(X^n) - H(X^n | M_1, M_2, Z^n) \\
&\le nH(X) - H(X^n | J, Z^n) + H(M_2) \\
&\le nH(X) - H(X^n, Z^n) + H(J) + H(Z^n | J) + H(M_2) \\
&\overset{(a)}{\le} -nH(Z | X) + n(I(X; U) + \delta_\epsilon) + n(H(Z | U) + \delta_\epsilon) + n(I(X; V | U, Y) + 3\delta_\epsilon) \\
&\overset{(b)}{\le} n(I(X; U, Z) + I(X; V | U, Y) + \delta'_\epsilon) \\
&\overset{(c)}{=} n(I(X; V, Y) - I(X; Y | U) + I(X; Z | U) + \delta'_\epsilon) \\
&\le n(L + \delta'_\epsilon),
\end{aligned}$$

if $L \ge I(X; V, Y) - I(X; Y | U) + I(X; Z | U)$, where $(a)$ follows from the memoryless property of the sources, from the codebook generation, and from bounding the term $H(Z^n | J)$ as in Lemma 1, $(b)$ from the Markov chain $U - X - Z$ for some $\delta'_\epsilon \ge \delta_\epsilon$, and $(c)$ from the Markov chain $U - V - X - (Y, Z)$.

As for an achievable mFAP exponent, we consider the adversary who knows $m = (m_1, m_2)$ and side information $z^n$ and tries to select a sequence $\tilde{y}^n(m, z^n)$ that results in the estimated key $\tilde{S}_{\tilde{y}^n}$ equal to the original key $S$ of the person it claims to be. From our achievable scheme, the secret key $S$ is chosen from the subbin index of the selected codeword $V^n$. Thus, the adversary only needs to consider $\tilde{S}_{\tilde{y}^n}$ that results from sequences $V^n$ which are jointly typical with $X^n$. There are in total $2^{n(I(X;U,V)+2\delta_\epsilon)}$ such sequences generated.

Similarly as in [6], from the binning scheme with uniform bin and subbin index assignment, we have that the joint probability that a description $m$ is selected and a certain secret key $s$ is chosen is equal to a total number of jointly typical sequences $v^n$ with corresponding indices $m$ and $s$ divided by a total number of jointly typical sequences $v^n$. That is,

$$\Pr(M = m, S = s) \le \frac{\left\lceil \frac{\Pr(M = m) \cdot 2^{n(I(X;U,V)+2\delta_\epsilon)}}{|\mathcal{S}|} \right\rceil}{2^{n(I(X;U,V)+2\delta_\epsilon)}}. \tag{8}$$

Let $g(\cdot)$ denote the decoding function used for estimating the secret key message in the achievability scheme. Then

$$\begin{aligned}
\mathrm{mFAP} &= \max_{\tilde{y}^n(M,Z^n) \in \mathcal{Y}^n} \Pr(\tilde{S}_{\tilde{y}^n} = S) \\
&= \max_{\tilde{y}^n(M,Z^n) \in \mathcal{Y}^n} \Pr(g(M, \tilde{y}^n(M, Z^n)) = S) \\
&\le \sum_{m=1,\ldots,|\mathcal{M}|} \sum_{z^n} \max_{\tilde{y}^n(m,z^n) \in \mathcal{Y}^n} \Pr(M = m, Z^n = z^n, g(m, \tilde{y}^n(m, z^n)) = S) \\
&= \sum_{m} \sum_{z^n} \max_{\tilde{y}^n(m,z^n) \in \mathcal{Y}^n} \Pr(M = m, S = g(m, \tilde{y}^n(m, z^n))) \cdot \Pr(Z^n = z^n | M = m, S = g(m, \tilde{y}^n(m, z^n))) \\
&\overset{(a)}{\le} \sum_{m} \frac{\left\lceil \frac{\Pr(M = m) \cdot 2^{n(I(X;U,V)+2\delta_\epsilon)}}{|\mathcal{S}|} \right\rceil}{2^{n(I(X;U,V)+2\delta_\epsilon)}} \\
&\le \sum_{m} \frac{\frac{\Pr(M = m) \cdot 2^{n(I(X;U,V)+2\delta_\epsilon)}}{|\mathcal{S}|} + 1}{2^{n(I(X;U,V)+2\delta_\epsilon)}} \\
&\overset{(b)}{=} 2^{-n(I(V;Y|U) - I(V;Z|U) - \delta_\epsilon)} + 2^{-n(I(V;Y) - \delta_\epsilon)} \\
&\overset{(c)}{\le} 2^{-n(I(V;Y|U) - I(V;Z|U) - \delta'_\epsilon)},
\end{aligned}$$

where $(a)$ follows from the uniform bin and subbin index assignment in the achievable scheme and the bound in (8), $(b)$ follows from the code construction where $|\mathcal{S}| = 2^{n(I(V;Y|U) - I(V;Z|U) - \delta_\epsilon)}$ and $|\mathcal{M}| = |\mathcal{M}_1||\mathcal{M}_2| = 2^{n(I(X;V|Y)+5\delta_\epsilon)}$, and $(c)$ follows from the Markov chain $U - V - Y$ which results in $I(V; Y) \ge I(V; Y | U)$.

That is, we have $\frac{1}{n} \log \frac{1}{\mathrm{mFAP}} \ge I(V; Y | U) - I(V; Z | U) - \delta'_\epsilon \ge E - \delta'_\epsilon$, if $E \le I(V; Y | U) - I(V; Z | U)$.

Converse: Let $U_i \triangleq (M, Y_{i+1}^n, Z^{i-1})$ and $V_i \triangleq (M, S, Y_{i+1}^n, Z^{i-1})$ which satisfy $U_i - V_i - X_i - (Y_i, Z_i)$ for all $i = 1, \ldots, n$ as $U_i$ is included in $V_i$ and $(Y_i, Z_i)$ is independent of $V_i$ given $X_i$ due to the memoryless property of the side information channel $P_{Y,Z|X}$.
For any achievable tuple $(R, L, E) \in \mathcal{R}_1$, it follows that

$$\begin{aligned}
n(R + \delta_n) &\ge H(M) \ge H(M | Y^n) - H(M, S | X^n, Y^n, Z^n) \\
&= H(M, S | Y^n) - H(S | M, Y^n) - H(M, S | X^n, Y^n, Z^n) \\
&\overset{(a)}{\ge} I(M, S; X^n, Z^n | Y^n) - n\epsilon_n \\
&\overset{(b)}{\ge} \sum_{i=1}^n H(X_i, Z_i | Y_i) - H(X_i, Z_i | V_i, Y_i) - n\epsilon_n \\
&\ge \sum_{i=1}^n I(X_i; V_i | Y_i) - n\epsilon_n,
\end{aligned}$$

where $(a)$ follows from Fano's inequality $H(S | M, Y^n) \le n\epsilon_n$ and $(b)$ follows from the definition of $V_i$ and that conditioning reduces entropy.

The information leakage can be bounded as follows.

$$\begin{aligned}
n(L + \delta_n) &\ge I(X^n; M, Z^n) \\
&= I(X^n; M, S, Y^n) - I(X^n; S | M, Y^n) - I(X^n; Y^n | M) + I(X^n; Z^n | M) \\
&\overset{(a)}{\ge} I(X^n; M, S, Y^n) - n\epsilon_n - I(X^n; Y^n | M) + I(X^n; Z^n | M) \\
&= \sum_{i=1}^n H(X_i) - H(X_i | M, S, X^{i-1}, Y^n) - H(Y_i | M, Y_{i+1}^n) + H(Y_i | M, Y_{i+1}^n, X^n) \\
&\qquad + H(Z_i | M, Z^{i-1}) - H(Z_i | M, Z^{i-1}, X^n) - n\epsilon_n \\
&\overset{(b)}{\ge} \sum_{i=1}^n H(X_i) - H(X_i | M, S, X^{i-1}, Y^n, Z^{i-1}) - I(Y_i; X_i) + I(Y_i; M, Y_{i+1}^n) \\
&\qquad + I(Z_i; X_i) - I(Z_i; M, Z^{i-1}) - n\epsilon_n \\
&\overset{(c)}{\ge} \sum_{i=1}^n I(X_i; M, S, Y_i^n, Z^{i-1}) - I(Y_i; X_i) + I(Z_i; X_i) \\
&\qquad + I(Y_i; M, Z^{i-1}, Y_{i+1}^n) - I(Z_i; M, Z^{i-1}, Y_{i+1}^n) - n\epsilon_n \\
&\overset{(d)}{=} \sum_{i=1}^n I(X_i; V_i, Y_i) - I(Y_i; X_i | U_i) + I(Z_i; X_i | U_i) - n\epsilon_n,
\end{aligned}$$

where $(a)$ follows from Fano's inequality, $(b)$ follows from the Markov chains $X_i - (M, S, X^{i-1}, Y^n) - Z^{i-1}$ and $(Y_i, Z_i) - X_i - (M, Y_{i+1}^n, Z^{i-1}, X^{n \setminus i})$, $(c)$ follows from the Csiszár's sum identity [12], $\sum_{i=1}^n I(Y_i; Z^{i-1} | M, Y_{i+1}^n) - I(Z_i; Y_{i+1}^n | M, Z^{i-1}) = 0$, $(d)$ follows from the definitions of $U_i$ and $V_i$ and the Markov chain $U_i - X_i - (Y_i, Z_i)$.

Lastly, the bound on mFAP exponent $n(E - \delta_n) \le \sum_{i=1}^n I(V_i; Y_i | U_i) - I(V_i; Z_i | U_i)$ can be shown similarly as in [6] with some modification. This part of the proof is provided in Appendix C. The proof ends with the standard steps for single letterization using a time-sharing random variable and letting $\delta_n, \epsilon_n \to 0$ as $n \to \infty$. The cardinality bounds on the sets $\mathcal{U}$ and $\mathcal{V}$ can be proved using the support lemma [12], and is shown in Appendix D.

Fig. 2. Secret key generation for authentication with a privacy constraint. (Blocks: Encoder, Decoder, Adversary.)
C. Binary Example
To demonstrate the derived tradeoff, let us consider a simple binary example of the special case in Remark 2i). Let $X \sim \mathrm{Bern}(1/2)$, $Y$ is an erased version of $X$ with erasure probability $p$, and $Z$ is an erased version of $Y$ with erasure probability $q$. The region $\mathcal{R}_{1,X-Y-Z}$ in Remark 2i) reduces to the set of all $(R, L, E)$ such that

$$R \ge p(1 - h(\alpha)),$$
$$L \ge (1 - q)(1 - p) + p(1 - h(\alpha)),$$
$$E \le q(1 - p)(1 - h(\alpha)),$$

for some $\alpha \in [0, 1/2]$. The proof is given in Appendix E. We can see for example that there is a tradeoff between the mFAP exponent and the leakage rate, i.e., in order to increase the mFAP exponent, we need to allow some more leakage.

III. SECRET KEY GENERATION WITH PRIVACY CONSTRAINT
In this section, we consider a related problem setting depicted in Fig. 2 where, instead of maximizing the mFAP exponent, we are interested in maximizing the secret key rate generated at the enrollment stage as well as protecting the secret key from any inference of an adversary who has access to the description $M$ and side information $Z^n$. This setting without the compression rate constraint was studied in [7] where the authors characterized inner and outer bounds to the leakage-key rate region. Moreover, it is closely related to the one-way secret key generation with rate constraint in [13].

A. Problem Formulation
The problem setting follows similarly as that in Section II-A, except that the mFAP constraint in (4) is replaced by the key rate and key leakage constraints.

Definition 3: A tuple $(R, L, R_s) \in \mathbb{R}^3_+$ is said to be achievable if for any $\delta > 0$ and all sufficiently large $n$ there exists a code consisting of encoders and a decoder (as in Definition 1) such that (1)-(3) hold and

$$\frac{1}{n} H(S) \ge R_s - \delta, \tag{9}$$
$$\frac{1}{n} I(S; M, Z^n) \le \delta. \tag{10}$$

The compression-leakage-key rate region $\mathcal{R}_2$ is the set of all achievable tuples.

B. Result

Theorem 2: The compression-leakage-key rate region $\mathcal{R}_2$ for the problem in Fig. 2 is given by a set of all tuples $(R, L, R_s) \in \mathbb{R}^3_+$ such that

$$R \ge I(X; V | Y), \tag{11}$$
$$L \ge I(X; V, Y) - I(X; Y | U) + I(X; Z | U), \tag{12}$$
$$R_s \le I(V; Y | U) - I(V; Z | U), \tag{13}$$

for some joint distributions of the form $P_{X,Y,Z} P_{V|X} P_{U|V}$ with $|\mathcal{U}| \le |\mathcal{X}| + 3$, $|\mathcal{V}| \le (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$.

Remark 3: Although different achievable schemes were used, the inner bound in [7] coincides with the compression-leakage-key rate region $\mathcal{R}_2$ where $R = H(X)$. Here we provide the complete result by establishing a matching converse. In addition, the extra compression rate constraint is considered where the layered binning scheme is shown to be optimal.

Remark 4: The regions specified in Theorems 1 and 2 have the same form. In particular, the maximum secret key rate in Theorem 2 is equal to the maximum mFAP exponent presented in Theorem 1. Intuitively, this follows from the fact that the coding scheme used to prove Theorem 1 also achieves negligible key leakage rate, implying that the adversary has no useful knowledge about the key. It can then only guess the key from possible values in the set $\mathcal{S}$ whose cardinality is at least $H(S)$. A similar observation for the case without adversary's side information was noted in [6].

Proof of Theorem 2:
Proofs for the compression rate $R$ and leakage rate $L$ remain the same as those of Theorem 1. Here we only provide the proof of the secret key rate.

Achievability: With the same achievable scheme as in the proof of Theorem 1, it follows that

$$\begin{aligned}
H(S) &\ge H(S | J, M_2, S') = H(S, J, M_2, S') - H(J, M_2, S') \\
&\overset{(a)}{\ge} H(U^n, V^n) - H(J) - H(M_2) - H(S') \\
&\overset{(b)}{\ge} n(I(X; U, V) - \delta_\epsilon) - n(I(X; U) + \delta_\epsilon) - n(I(X; V | U, Y) + 3\delta_\epsilon) - n(I(V; Z | U) - \delta_\epsilon) \\
&\ge n(I(Y; V | U) - I(Z; V | U) - \delta'_\epsilon) \\
&\ge n(R_s - \delta'_\epsilon),
\end{aligned}$$

if $R_s \le I(Y; V | U) - I(Z; V | U)$, where $(a)$ follows since $(U^n, V^n)$ are functions of $(J, K) = (J, M_2, S, S')$ given the codebook, and $(b)$ follows from the codebook generation and the properties of jointly typical sequences, i.e., $p(u^n, v^n) \le \sum_{x^n \in \mathcal{T}_\epsilon^{(n)}(X | u^n, v^n)} p(x^n) \le 2^{-n(I(X;U,V) - \delta_\epsilon)}$.

The key leakage averaged over all possible codebooks can be bounded as follows.

$$\begin{aligned}
I(S; M_1, M_2, Z^n) &\le H(S) - H(S | J, M_2, Z^n) \\
&= H(S) - H(S, J, M_2, Z^n) + H(J, M_2, Z^n) \\
&\le H(S) - H(S, J, M_2, Z^n, S') + H(S' | S, J, M_2, Z^n) + H(J) + H(M_2) + H(Z^n | J) \\
&\overset{(a)}{\le} H(S) - H(U^n, V^n, Z^n) + n\epsilon_n + H(J) + H(M_2) + H(Z^n | J) \\
&\overset{(b)}{\le} H(S) - n(I(X; U, V) + H(Z | U, V) - \delta_\epsilon) + n\epsilon_n + n(I(X; U) + \delta_\epsilon) \\
&\qquad + n(I(X; V | U, Y) + 3\delta_\epsilon) + n(H(Z | U) + \delta_\epsilon) \\
&\overset{(c)}{\le} n\delta''_\epsilon,
\end{aligned}$$

where $(a)$ follows since $(U^n, V^n)$ are functions of $(J, K) = (J, M_2, S, S')$ given the codebook, and from the Fano's inequality $H(S' | S, J, M_2, Z^n) \le n\epsilon_n$ (this is due to the codebook generation in which the size of $S'$ for a given $(J, M_2, S)$ is less than $2^{nI(V;Z|U)}$ and therefore with high probability $S'$ can be decoded given $(S, J, M_2, Z^n)$), $(b)$ follows from bounding the term $H(U^n, V^n, Z^n)$ using properties of jointly typical sequences, i.e., $p(u^n, v^n, z^n) \le 2^{-n(H(Z) + I(X;U,V|Z) - \delta_\epsilon)} = 2^{-n(I(X;U,V) + H(Z|U,V) - \delta_\epsilon)}$, from the code construction, and from Lemma 1, and $(c)$ from the code construction that $S \in [1 : 2^{n(I(Y;V|U) - I(Z;V|U) - \delta_\epsilon)}]$.

Converse: $U_i$ and $V_i$ are defined as in the converse proof of Theorem 1. For any achievable $R_s$, it follows that

$$\begin{aligned}
n(R_s - \delta_n) &\le H(S) = H(S | M, Z^n) + I(S; M, Z^n) \\
&\overset{(a)}{\le} H(S | M, Z^n) + n\delta_n \\
&\overset{(b)}{\le} \sum_{i=1}^n I(V_i; Y_i | U_i) - I(V_i; Z_i | U_i) + n\delta_n + n\epsilon_n,
\end{aligned}$$

where $(a)$ follows from the key leakage constraint and $(b)$ follows from the steps from (16) to (17).

REFERENCES

[1] S. Rane, Y. Wang, S. Draper, and P. Ishwar, "Secure biometrics: concepts, authentication architectures, and challenges,"
IEEE Signal Processing Magazine, vol. 30, no. 5, pp. 51-64, Sept. 2013.
[2] U. M. Maurer, "Authentication theory and hypothesis testing," IEEE Trans. Inf. Theory, vol. 46, no. 4, pp. 1350-1356, July 2000.
[3] E. Martinian, G. W. Wornell, and B. Chen, "Authentication with distortion criteria," IEEE Trans. Inf. Theory, vol. 51, no. 7, pp. 2523-2542, July 2005.
[4] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography - part I: secret sharing," IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121-1132, July 1993.
[5] T. Ignatenko and F. M. J. Willems, Biometric Security from an Information-Theoretical Perspective. Found. Trends Commun. Inf. Theory: Vol. 7: No. 2-3, pp. 135-316, Feb. 2012.
[6] F. M. J. Willems and T. Ignatenko, "Authentication based on secret-key generation," in Proc. IEEE ISIT, 2012.
[7] L. Lai, S.-W. Ho, and V. Poor, "Privacy-security trade-offs in biometric security systems - part I: single use case," IEEE Trans. on Information Forensics and Security, vol. 6, no. 1, pp. 122-139, Mar. 2011.
[8] W. Kang, D. Cao, and N. Liu, "Authentication with side information," in Proc. IEEE ISIT, 2014.
[9] J. Villard and P. Piantanida, "Secure multiterminal source coding with side information at the eavesdropper," IEEE Trans. Inf. Theory, vol. 59, no. 6, June 2013.
[10] K. Kittichokechai, T. J. Oechtering, and M. Skoglund, "Lossy source coding with reconstruction privacy," in Proc. IEEE ISIT, 2014.
[11] A. El Gamal and Y.-H. Kim, Network Information Theory, Cambridge University Press, 2011.
[12] I. Csiszár and J. Körner. Information Theory: Coding Theorems for Discrete Memoryless Systems. Cambridge University Press, 2011.
[13] I. Csiszár and P. Narayan, "Common randomness and secret key generation with a helper," IEEE Trans. Inf. Theory, vol. 46, no. 2, pp. 344-366, Mar. 2000.
[14] D. Williams, Probability with Martingales, Cambridge University Press, 1991.
APPENDIX A
CONVERSE PROOF OF REGION $\mathcal{R}_{1,X-Y-Z}$

Let $V_i \triangleq (M, S, Y_{i+1}^n, Z^{n \setminus i})$ which satisfies $V_i - X_i - Y_i - Z_i$ for all $i = 1, \ldots, n$. For any achievable tuple $(R, L, E)$, it follows that

$$\begin{aligned}
n(R + \delta_n) &\ge H(M) \ge H(M | Y^n, Z^n) - H(M, S | X^n, Y^n, Z^n) \\
&= H(M, S | Y^n, Z^n) - H(S | M, Y^n, Z^n) - H(M, S | X^n, Y^n, Z^n) \\
&\overset{(a)}{\ge} I(M, S; X^n | Y^n, Z^n) - n\epsilon_n \\
&\overset{(b)}{\ge} \sum_{i=1}^n I(X_i; V_i | Y_i) - n\epsilon_n,
\end{aligned}$$

where $(a)$ follows from Fano's inequality $H(S | M, Y^n) \le n\epsilon_n$ and $(b)$ follows from the Markov chain $X_i - Y_i - Z_i$, the definition of $V_i$, and that conditioning reduces entropy.

The information leakage,

$$\begin{aligned}
n(L + \delta_n) &\ge I(X^n; M, Z^n) = I(X^n; Z^n) + I(X^n; M | Z^n) \\
&\overset{(a)}{\ge} I(X^n; Z^n) + H(M | Z^n, Y^n) - H(M | X^n, Y^n, Z^n) \\
&\overset{(b)}{\ge} I(X^n; Z^n) + H(M, S | Z^n, Y^n) - n\epsilon_n - H(M, S | X^n, Y^n, Z^n) \\
&\overset{(c)}{\ge} \sum_{i=1}^n I(X_i; Z_i) + H(X_i | Y_i) - H(X_i | V_i, Y_i) - n\epsilon_n,
\end{aligned}$$

where $(a)$ follows from the Markov chain $M - (X^n, Z^n) - Y^n$, $(b)$ follows from Fano's inequality, $(c)$ follows from the Markov chains $X_i - Y_i - Z_i$ and the definition of $V_i$.

The bound on mFAP exponent follows similarly as in the converse proof of Theorem 1, except that the steps from (16) to (17) are replaced by

$$\begin{aligned}
H(S | M, Z^n) &\overset{(a)}{\le} H(S | M, Z^n) - H(S | M, Y^n) + n\epsilon_n \\
&\overset{(b)}{=} H(S | M, Z^n) - H(S | M, Y^n, Z^n) + n\epsilon_n \\
&\overset{(c)}{\le} \sum_{i=1}^n H(Y_i | Z_i) - H(Y_i | V_i, Z_i) + n\epsilon_n,
\end{aligned}$$

where $(a)$ from Fano's inequality, $(b)$ from the Markov chain $(S, M) - Y^n - Z^n$, and $(c)$ from the definition of $V_i$.

APPENDIX B
PROOF OF LEMMA 1

Let $E$ be a binary random variable taking value $0$ if $(X^n, U^n(J), V^n(J, K), Y^n, Z^n) \in \mathcal{T}_\epsilon^{(n)}$, and $1$ otherwise. Since $(X^n, U^n(J), V^n(J, K), Y^n, Z^n) \in \mathcal{T}_\epsilon^{(n)}$ with high probability, we have $\Pr(E = 1) \le \delta_\epsilon$. It follows that

$$\begin{aligned}
H(Z^n | J) &\le H(Z^n | U^n, E) + H(E) \\
&\le \Pr(E = 0) H(Z^n | U^n, E = 0) + \Pr(E = 1) H(Z^n | U^n, E = 1) + h(\delta_\epsilon) \\
&\le H(Z^n | U^n, E = 0) + \delta_\epsilon H(Z^n) + h(\delta_\epsilon) \\
&\le H(Z^n | U^n, E = 0) + n\delta_\epsilon \log |\mathcal{Z}| + h(\delta_\epsilon) \\
&= \sum_{u^n \in \mathcal{T}_\epsilon^{(n)}} p(u^n | E = 0) H(Z^n | U^n = u^n, E = 0) + n\delta_\epsilon \log |\mathcal{Z}| + h(\delta_\epsilon) \\
&\le \sum_{u^n \in \mathcal{T}_\epsilon^{(n)}} p(u^n | E = 0) \log |\mathcal{T}_\epsilon^{(n)}(Z | u^n)| + n\delta_\epsilon \log |\mathcal{Z}| + h(\delta_\epsilon) \\
&\le n(H(Z | U) + \delta'_\epsilon),
\end{aligned}$$

where $h(\cdot)$ is the binary entropy function, and the last inequality follows from the property of jointly typical set [11] with $\delta_\epsilon, \delta'_\epsilon \to 0$ as $\epsilon \to 0$, and $\epsilon \to 0$ as $n \to \infty$.

APPENDIX C
CONVERSE PROOF OF THE mFAP EXPONENT BOUND
Similarly as in [6], let us define the set of secret key messages that can be reconstructed from $m$, i.e., $\mathcal{C}(m) = \{s : \text{there exists a sequence } y^n \in \mathcal{Y}^n \text{ s.t. } g^{(n)}(m, y^n) = s\}$. Also, let $C(s, m) = 1$ for $s \in \mathcal{C}(m)$, and $0$ otherwise. We have that

$$\delta_n \geq \Pr(\hat{S} \neq S) \geq \sum_{m} \Pr(M = m, S \notin \mathcal{C}(m)) = \Pr(C = 0).$$

An adversary who knows $m$ and $z^n$ can choose a sequence $\tilde{y}^n$ that results in the MAP estimate, i.e.,

$$\tilde{s}(m, z^n) = \arg\max_{s \in \mathcal{C}(m)} p(s|m, z^n), \tag{14}$$

and achieves

$$\begin{aligned}
\mathrm{FAP} &= \sum_{m, z^n} \Pr(\tilde{s} = S, M = m, Z^n = z^n) \\
&\overset{(a)}{=} \sum_{m, z^n} p(m, z^n) \max_{s \in \mathcal{C}(m)} p(s|m, z^n) \\
&\geq \sum_{m, z^n} p(m, z^n) \max_{s \in \mathcal{C}(m)} p(s, C = 1|m, z^n) \\
&\geq \sum_{m, z^n} p(m, z^n)\, p(C = 1|m, z^n) \max_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1),
\end{aligned} \tag{15}$$

where $(a)$ follows from (14). Then for any achievable $E$, it follows that

$$\begin{aligned}
n(E - \delta_n) &\leq \log\Big(\frac{1}{\mathrm{mFAP}}\Big) \leq \log\Big(\frac{1}{\mathrm{FAP}}\Big) \\
&\overset{(a)}{\leq} -\log\big(\Pr(C = 1)\big) - \log\Big(\sum_{m, z^n} p(m, z^n|C = 1) \max_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1)\Big) \\
&\overset{(b)}{\leq} -\log(1 - \delta_n) - \sum_{m, z^n} p(m, z^n|C = 1) \log\Big(\max_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1)\Big) \\
&\leq -\log(1 - \delta_n) - \sum_{m, z^n} p(m, z^n|C = 1) \cdot \sum_{s \in \mathcal{C}(m)} p(s|m, z^n, C = 1) \log\big(p(s|m, z^n, C = 1)\big) \\
&= -\log(1 - \delta_n) + H(S|M, Z^n, C = 1),
\end{aligned}$$

where $(a)$ follows from (15) and $(b)$ follows from $\Pr(C = 1) \geq 1 - \delta_n$ and Jensen's inequality [14].

Continuing the chain of inequalities where $(1 - \delta_n) H(S|M, Z^n, C = 1) \leq \Pr(C = 1) H(S|M, Z^n, C = 1) \leq H(S|M, Z^n)$, we get

\begin{align}
(1 - \delta_n) \cdot [n(E - \delta_n) + \log(1 - \delta_n)] &\leq H(S|M, Z^n) \tag{16} \\
&\overset{(a)}{\leq} H(S|M, Z^n) - H(S|M, Y^n) + n\epsilon_n \notag \\
&= \sum_{i=1}^{n} I(S; Y_i|M, Y_{i+1}^n) - I(S; Z_i|M, Z^{i-1}) + n\epsilon_n \notag \\
&\overset{(b)}{=} \sum_{i=1}^{n} I(S, Z^{i-1}; Y_i|M, Y_{i+1}^n) - I(S, Y_{i+1}^n; Z_i|M, Z^{i-1}) + n\epsilon_n \notag \\
&\overset{(c)}{=} \sum_{i=1}^{n} I(S; Y_i|M, Y_{i+1}^n, Z^{i-1}) - I(S; Z_i|M, Y_{i+1}^n, Z^{i-1}) + n\epsilon_n \notag \\
&\overset{(d)}{=} \sum_{i=1}^{n} I(V_i; Y_i|U_i) - I(V_i; Z_i|U_i) + n\epsilon_n, \tag{17}
\end{align}

where $(a)$ follows from Fano's inequality, and $(b)$ and $(c)$ from Csiszár's sum identity

$$\sum_{i=1}^{n} I(Z^{i-1}; Y_i|M, S, Y_{i+1}^n) - I(Y_{i+1}^n; Z_i|M, S, Z^{i-1}) = 0 = \sum_{i=1}^{n} I(Z^{i-1}; Y_i|M, Y_{i+1}^n) - I(Y_{i+1}^n; Z_i|M, Z^{i-1}),$$

and $(d)$ from the definitions $U_i \triangleq (M, Y_{i+1}^n, Z^{i-1})$ and $V_i \triangleq (M, S, Y_{i+1}^n, Z^{i-1})$.

APPENDIX D
CARDINALITY BOUNDS OF THE SETS $\mathcal{U}$ AND $\mathcal{V}$ IN THEOREM 1

$\mathcal{R}$ in Theorem 1:

$$\begin{aligned}
R &\geq I(X; V|Y), \\
L &\geq I(X; V, Y) - I(X; Y|U) + I(X; Z|U), \\
E &\leq I(V; Y|U) - I(V; Z|U),
\end{aligned}$$

for some $U \in \mathcal{U}$, $V \in \mathcal{V}$ such that $U - V - X - (Y, Z)$ forms a Markov chain.

We can rewrite some mutual information terms in the expression above as

$$\begin{aligned}
R &\geq H(X|Y) - H(X, Y|V) + H(Y|V), \\
L &\geq H(X) - H(X, Y|V) + H(Y|V) - H(Y|U) + H(Y|X) + H(Z|U) - H(Z|X), \\
E &\leq H(Y|U) - H(Y|V) - H(Z|U) + H(Z|V).
\end{aligned}$$

We will show that the random variables $U$ and $V$ may be replaced by new ones, satisfying $|\mathcal{U}| \leq |\mathcal{X}| + 3$, $|\mathcal{V}| \leq (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$, and preserving the terms $H(X, Y|V)$, $H(Y|V)$, $H(Z|V)$, and $H(Y|U) - H(Z|U)$.

First, we bound the cardinality of the set $\mathcal{U}$. Let us define the following $|\mathcal{X}| + 3$ continuous functions of $p(v|u)$, $v \in \mathcal{V}$,

$$\begin{aligned}
f_j(p(v|u)) &= \sum_{v \in \mathcal{V}} p(v|u)\, p(x|u, v), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
f_{|\mathcal{X}|}(p(v|u)) &= H(X, Y|V, U = u) = H(X, Y, V|U = u) - H(V|U = u), \\
f_{|\mathcal{X}|+1}(p(v|u)) &= H(Y|V, U = u) = H(Y, V|U = u) - H(V|U = u), \\
f_{|\mathcal{X}|+2}(p(v|u)) &= H(Z|V, U = u) = H(Z, V|U = u) - H(V|U = u), \\
f_{|\mathcal{X}|+3}(p(v|u)) &= H(Y|U = u) - H(Z|U = u).
\end{aligned}$$

The corresponding averages are

$$\begin{aligned}
\sum_{u \in \mathcal{U}} p(u) f_j(p(v|u)) &= P_X(x), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|}(p(v|u)) &= H(X, Y, V|U) - H(V|U), \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|+1}(p(v|u)) &= H(Y, V|U) - H(V|U), \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|+2}(p(v|u)) &= H(Z, V|U) - H(V|U), \\
\sum_{u \in \mathcal{U}} p(u) f_{|\mathcal{X}|+3}(p(v|u)) &= H(Y|U) - H(Z|U).
\end{aligned}$$

According to the support lemma [12], we can deduce that there exists a new random variable $U'$ jointly distributed with $(X, Y, Z, V)$ whose alphabet size is $|\mathcal{U}'| = |\mathcal{X}| + 3$, and numbers $\alpha_i \geq 0$ with $\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i = 1$ that satisfy

$$\begin{aligned}
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_j(P_{V|U'}(v|i)) &= P_X(x), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|}(P_{V|U'}(v|i)) &= H(X, Y, V|U') - H(V|U'), \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|+1}(P_{V|U'}(v|i)) &= H(Y, V|U') - H(V|U'), \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|+2}(P_{V|U'}(v|i)) &= H(Z, V|U') - H(V|U'), \\
\sum_{i=1}^{|\mathcal{X}|+3} \alpha_i f_{|\mathcal{X}|+3}(P_{V|U'}(v|i)) &= H(Y|U') - H(Z|U').
\end{aligned}$$

Note that we have

$$H(X, Y, V|U') - H(V|U') = H(X, Y, V|U) - H(V|U) \overset{(a)}{=} H(X, Y|V),$$

where $(a)$ follows from the Markov chain $U - V - X - (Y, Z)$. Similarly, from the Markov chain $U - V - X - (Y, Z)$, we have that $H(Y, V|U') - H(V|U') = H(Y, V|U) - H(V|U) = H(Y|V)$, and $H(Z, V|U') - H(V|U') = H(Z, V|U) - H(V|U) = H(Z|V)$. Since $P_X(x)$ is preserved, $P_{X,Y,Z}(x, y, z)$ is also preserved. Thus, $H(X|Y)$, $H(Y|X)$, $H(Z|X)$ are preserved.

Next we bound the cardinality of the set $\mathcal{V}$. For each $u' \in \mathcal{U}'$, we define the following $|\mathcal{X}| + 2$ continuous functions of $p(x|u', v)$, $x \in \mathcal{X}$,

$$\begin{aligned}
f_j(p(x|u', v)) &= p(x|u', v), \quad j = 1, \ldots, |\mathcal{X}| - 1, \\
f_{|\mathcal{X}|}(p(x|u', v)) &= H(X, Y|U' = u', V = v), \\
f_{|\mathcal{X}|+1}(p(x|u', v)) &= H(Y|U' = u', V = v), \\
f_{|\mathcal{X}|+2}(p(x|u', v)) &= H(Z|U' = u', V = v).
\end{aligned}$$
Similarly to the previous part in bounding $|\mathcal{U}|$, there exists a new random variable $V'|\{U' = u'\} \sim p(v'|u')$ such that $|\mathcal{V}'| = |\mathcal{X}| + 2$ and $p(x|u')$, $H(X, Y|U' = u', V)$, $H(Y|U' = u', V)$, and $H(Z|U' = u', V)$ are preserved.

By setting $V'' = (V', U')$ where $\mathcal{V}'' = \mathcal{V}' \times \mathcal{U}'$, we have that $U' - V'' - X - (Y, Z)$ forms a Markov chain.

Furthermore, we have the following preservations by $V''$,

$$\begin{aligned}
H(X, Y|V'') &= H(X, Y|V', U') \\
&\overset{(a)}{=} H(X, Y|V, U') \\
&\overset{(b)}{=} H(X, Y|V, U) \\
&\overset{(c)}{=} H(X, Y|V),
\end{aligned}$$

where $(a)$ follows from preservation by $V'$, $(b)$ follows from preservation by $U'$, and $(c)$ follows from the Markov chain $U - V - X - (Y, Z)$. Similarly, from preservation by $U'$ and $V'$, and the Markov chain $U - V - X - (Y, Z)$, we have that $H(Y|V'') = H(Y|V', U') = H(Y|V)$ and $H(Z|V'') = H(Z|V', U') = H(Z|V)$.

Therefore, we have shown that $U \in \mathcal{U}$ and $V \in \mathcal{V}$ may be replaced by $U' \in \mathcal{U}'$ and $V'' \in \mathcal{V}''$ satisfying $|\mathcal{U}'| = |\mathcal{X}| + 3$, $|\mathcal{V}''| = |\mathcal{U}'||\mathcal{V}'| = (|\mathcal{X}| + 3)(|\mathcal{X}| + 2)$, and preserving the terms $H(X, Y|V)$, $H(Y|V)$, $H(Z|V)$, and $H(Y|U) - H(Z|U)$.

APPENDIX E
PROOF OF THE COMPRESSION-LEAKAGE-mFAP EXPONENT REGION IN THE BINARY EXAMPLE
Achievability:
Let $V$ be an output of a BSC($\alpha$) with input $X$. Then it follows from the expression of $\mathcal{R}_{,X-Y-Z}$ that

$$\begin{aligned}
R &\geq I(X; V|Y) \\
&\overset{(a)}{=} p \cdot (H(X) - H(X|V)) \\
&\overset{(b)}{=} p \cdot (1 - h(\alpha)),
\end{aligned}$$

where $(a)$ follows since $Y = e$ with probability $p$, otherwise $Y = X$, and $(b)$ follows from the choice of $V$,

$$\begin{aligned}
L &\geq I(X; Z) + I(X; V|Y) \\
&\overset{(a)}{=} 1 - H(X|Z) + p \cdot (1 - h(\alpha)) \\
&\overset{(b)}{=} 1 - ((1 - p)q + p) + p \cdot (1 - h(\alpha)) \\
&= (1 - q)(1 - p) + p \cdot (1 - h(\alpha)),
\end{aligned}$$

where $(a)$ follows from the bound on $R$ and $(b)$ follows since $Z = e$ with probability $(1 - p)q + p$, otherwise $Z = X$.

$$\begin{aligned}
E &\leq I(Y; V|Z) \\
&\overset{(a)}{=} I(X; V|Z) - I(X; V|Y) \\
&\overset{(b)}{=} ((1 - p)q + p) \cdot I(X; V) - p \cdot (1 - h(\alpha)) \\
&= q(1 - p)(1 - h(\alpha)),
\end{aligned}$$

where $(a)$ follows from the Markov chain $V - X - Y - Z$ and $(b)$ follows since $Z = e$ with probability $(1 - p)q + p$, otherwise $Z = X$.

Converse:
Let $(R, L, E)$ be an achievable tuple. We now prove that there exists $\alpha \in [0, 1/2]$ satisfying the inequalities shown in the achievability above. From $\mathcal{R}_{,X-Y-Z}$, we have the following bound on the compression rate $R$.

$$\begin{aligned}
R &\geq I(X; V|Y) \\
&= p \cdot I(X; V) \\
&= p \cdot (1 - H(X|V)).
\end{aligned}$$

Since $0 \leq H(X|V) \leq H(X) = 1$, and $h(\cdot)$ is a continuous one-to-one mapping from $[0, 1/2]$ to $[0, 1]$, there exists $\alpha \in [0, 1/2]$ s.t. $H(X|V) = h(\alpha)$, and thus $R \geq p \cdot (1 - h(\alpha))$. The bounds on $L$ and $E$ readily follow from $H(X|V) = h(\alpha)$
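A numerical check of the closed forms in the achievability part, added here as an example and not taken from the paper: it builds the joint pmf of (V, X, Y, Z) and evaluates I(X;V|Y), I(X;Z) + I(X;V|Y) and I(Y;V|Z) directly from joint entropies. It assumes X is uniform binary (the proof uses H(X) = 1), Y erases X with probability p, and Z erases Y with probability q, which gives Pr(Z = e) = (1-p)q + p as stated; all function names are illustrative.

```python
import itertools
import math
from collections import defaultdict

ERASED = "e"               # erasure symbol
V, X, Y, Z = 0, 1, 2, 3    # coordinate indices in the joint pmf keys

def h(a):
    """Binary entropy function in bits."""
    return 0.0 if a in (0.0, 1.0) else -a * math.log2(a) - (1 - a) * math.log2(1 - a)

def joint(p, q, alpha):
    """Joint pmf of (V, X, Y, Z) for the Markov chain V - X - Y - Z.
    Assumed model: X uniform on {0,1}, V is X through a BSC(alpha),
    Y erases X w.p. p, Z erases Y w.p. q, so Pr(Z = e) = (1-p)q + p."""
    pmf = defaultdict(float)
    for x, v, ey, ez in itertools.product((0, 1), repeat=4):
        y = ERASED if ey else x
        z = ERASED if (ez or ey) else y
        pr = 0.5 * (alpha if v != x else 1 - alpha)
        pr *= (p if ey else 1 - p) * (q if ez else 1 - q)
        pmf[(v, x, y, z)] += pr
    return pmf

def entropy(pmf, idx):
    """Entropy in bits of the marginal on the coordinates in idx."""
    marg = defaultdict(float)
    for key, pr in pmf.items():
        marg[tuple(key[i] for i in idx)] += pr
    return -sum(pr * math.log2(pr) for pr in marg.values() if pr > 0)

def cmi(pmf, a, b, c=()):
    """Conditional mutual information I(A;B|C) via joint entropies."""
    a, b, c = tuple(a), tuple(b), tuple(c)
    return (entropy(pmf, a + c) + entropy(pmf, b + c)
            - entropy(pmf, a + b + c) - entropy(pmf, c))

def bounds_from_pmf(p, q, alpha):
    """Right-hand sides of the R, L, E bounds computed from the joint pmf."""
    pmf = joint(p, q, alpha)
    r = cmi(pmf, [X], [V], [Y])            # I(X;V|Y)
    l = cmi(pmf, [X], [Z]) + r             # I(X;Z) + I(X;V|Y)
    e = cmi(pmf, [Y], [V], [Z])            # I(Y;V|Z)
    return r, l, e

def closed_form(p, q, alpha):
    """Closed forms from the achievability derivation."""
    g = 1 - h(alpha)
    return p * g, (1 - q) * (1 - p) + p * g, q * (1 - p) * g
```

Sweeping alpha over [0, 1/2] with `closed_form` traces the boundary of the region for fixed p and q; alpha = 0 stores the most (largest R and L) and gives the largest exponent q(1-p).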