Security analysis of epsilon-almost dual universal2 hash functions: smoothing of min entropy vs. smoothing of Rényi entropy of order 2
Masahito Hayashi
arXiv [cs.IT], Nov
Abstract
Recently, ε-almost dual universal hash functions have been proposed as a new and wider class of hash functions. Using this class of hash functions, several efficient hash functions were proposed. This paper evaluates the security performance when we apply this kind of hash functions. We evaluate the security in several kinds of setting based on the L distinguishability criterion and the modified mutual information criterion. The obtained evaluation is based on smoothing of Rényi entropy of order 2 and/or min entropy. We clarify the difference between these two methods.
Index Terms: ε-almost dual universal hash function, secret key generation, exponential decreasing rate, single-shot setting, equivocation rate
I. INTRODUCTION
A. Tight exponential evaluation of L distinguishability under ε-almost dual universality
Secure key generation is an important problem in information theoretic security. When a part of the keys is leaked to a third party, we cannot use the keys. In this case, we need to apply a hash function to the keys. Bennett et al. [4] and Håstad et al. [15] proposed to use universal hash functions for privacy amplification and derived the two universal hashing lemma, which provides an upper bound for leaked information based on Rényi entropy of order 2. The two universal hashing lemma can guarantee the security only when the length of the generated keys is less than the Rényi entropy of order 2. In order to resolve this drawback, Renner [16] attached the smoothing to min entropy, which is a lower bound of conditional Rényi entropy of order 2. The smoothing is the method to replace the true distribution by a good distribution that approximates the true distribution. This method works well when the security is evaluated by the variational distance between the real distribution and the ideal distribution, which is often called the L distinguishability criterion.
Now, we consider the case when a random variable A leaked to the third party E is given as n-fold independent and identical distribution [7], [6]. Under this setting, the optimal asymptotic secure key generation rate is the conditional entropy [7], [6]. The smoothing to min entropy shows that universal hash functions asymptotically achieve the conditional entropy rate. When the key generation rate is smaller than the conditional entropy rate, the L distinguishability criterion goes to zero exponentially. The previous paper [12] derived an exponentially decreasing rate under the universality. Its tightness was also shown in [36].
Note that the importance of the exponentially decreasing rate has been explained in the previous papers [12], [56].
Recently, Tsurumaru et al. [14] proposed to use ε-almost dual universal hash functions, which are a generalization of linear universal hash functions, and obtained a different version of the two universal hashing lemma for this class of hash functions. Further, the recent paper [33] proposed several practical hash functions under the condition of ε-almost dual universality. The hash functions of [33] have a smaller calculation amount and a smaller number of random variables than the concatenation of a Toeplitz matrix and the identity matrix, which is a typical example of universal hash functions. Therefore, it is better to evaluate the security under ε-almost dual universality rather than under universality. However, the above results in [12], [36] were given under universality. In this paper, we show that the above optimal exponential rate can be attained by ε-almost dual universal hash functions. Indeed, although the previous paper [56] obtained a similar result in the quantum setting, the exponent in [56] is strictly worse than the optimal exponent even in the commutative case.
B. Evaluation of modified mutual information
When the key generation rate is larger than the conditional entropy rate, it is helpful to evaluate how much information is leaked to the third party. In this case, the L distinguishability does not go to zero and does not reflect the amount of leaked information properly. The mutual information seems to work more properly. Indeed, many papers [50], [52], [7], [6], [53], [54], [24], [37], [38], [39], [40], [41], [42], [43], [44], [45], [46], [47], [48], [25] employ the mutual information as the security criterion. In the case of secure random number generation, we need to consider the uniformity as well as the independence.
M. Hayashi is with the Graduate School of Mathematics, Nagoya University, Furocho, Chikusaku, Nagoya, 464-8602, Japan, and the Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117542.
For this purpose, Csiszár and Narayan [51] modified the mutual information. We call this criterion the modified mutual information [65], [56]. In the above situation, the amount of leaked information is expected to increase linearly. To reflect this requirement, it is natural to require the chain rule for the criterion. In this paper, we show that only the modified mutual information satisfies several natural conditions for our security criteria including the chain rule. Since these natural conditions for our security criteria uniquely determine the security criterion, only the modified mutual information suits the situation when the key generation rate is larger than the conditional entropy rate. Although the previous paper [56] gave a similar characterization in a quantum setting, the previous characterization [56] could not determine the security criterion uniquely.
When the key generation rate is smaller than the conditional entropy rate, the modified mutual information does not go to zero and increases in proportion to the number n. The linear coefficient reflects the amount of leaked information, and is called the equivocation rate. The previous paper [65] showed that the optimal equivocation rate can be attained by universal hash functions. However, it was not shown whether the optimal equivocation rate can be attained by ε-almost dual universal hash functions. In this paper, we show that the above optimal equivocation rate can be attained by ε-almost dual universal hash functions.
Further, due to the Pinsker inequality, the modified mutual information goes to zero when the L distinguishability criterion goes to zero. However, the exponential decreasing rate of the L distinguishability criterion cannot determine the exponential decreasing rate of the modified mutual information because the Pinsker inequality is not so tight.
The previous paper [13] also derived a lower bound of the exponentially decreasing rate of the modified mutual information when we apply universal hash functions. In this paper, we show that the same lower bound can be attained even when we apply ε-almost dual universal hash functions.
C. Smoothing of min entropy vs. smoothing of Rényi entropy of order 2
To discuss the asymptotic performance, the paper [16] applies the smoothing of the min entropy. The previous paper [12] applied the smoothing of Rényi entropy of order 2 when there is no leaked information. Since Rényi entropy of order 2 gives a better evaluation than the min entropy, the smoothing of the min entropy cannot surpass that of Rényi entropy of order 2. The previous paper [12] also showed that the smoothing of the min entropy cannot realize the optimal exponential decreasing rate of the L distinguishability criterion without any information leakage to the third party. However, the previous paper [12] did not discuss whether the smoothing of the min entropy can realize the optimal exponential decreasing rate of the L distinguishability criterion when partial information is leaked to the third party. It is necessary to clarify whether the smoothing of the min entropy can realize the optimal exponential decreasing rate of the L distinguishability criterion in this situation, because this general situation is more important from the practical viewpoint and many people still believe in the importance of the smoothing of min entropy.
On the other hand, recently, many researchers are interested in second order analysis [18], [20], [22], [21], [19]. Since the papers [20], [22] for second order analysis employ the method of information spectrum, which has been established by Han and Verdú in their seminal papers [57], [58], [59], [60], [26] and the book [23], many people are interested in how powerful the method of information spectrum is.
As is explained in Section V, the smoothing of the min entropy is essentially the same as the method of information spectrum. Hence, it is important to clarify the limit of the smoothing of the min entropy.
In this paper, we show that the smoothing of the min entropy cannot realize the optimal exponential decreasing rate of the L distinguishability criterion even when partial information is leaked to the third party. This raises another question: when can the smoothing of the min entropy realize the optimal asymptotic performance? To answer this question, we show that the smoothing of the min entropy can attain the optimal second order key generation rate when the required L distinguishability criterion is fixed, although the same result with the fidelity distance was obtained in the previous paper [17]. We also show that the smoothing of the min entropy can attain the optimal equivocation rate. Here, we should explain that the smoothing of the min entropy is almost the same as the method of information spectrum, which is a powerful and general tool for information theory. Information spectrum has been established by Han and Verdú in their seminal papers [57], [58], [59], [60], [26] and the book [23]. This method can derive asymptotically tight bounds of the optimal performances of various information processings.
These obtained results are summarized in Table I.
D. Significance from information theoretical viewpoint
Before describing the organization of this paper, we need to consider the current situation of the study of information theoretic security. Although information theoretic security has an information theoretic formulation, it has been mainly studied by the cryptography community, not by the information theory community. Further, many important papers [16], [27], [63], [65], [56], [17], [66], [10], [14] in this direction were written with quantum terminology. Since information theoretic security even in the non-quantum setting has sufficient significance from the practical viewpoint and its formulation has sufficient similarity to information theory, it should be studied from information theory more actively. Indeed, this paper deals with a non-quantum topic. So, non-quantum researchers should be included among the readers of this paper. However, the above mentioned situation prevents non-quantum researchers from accessing the papers on information theoretic security even in the non-quantum setting. To resolve this situation, this paper needs to contain surveys of results originally obtained in quantum information, which should be written in non-quantum terminology.
Footnote: This argument is true even in the classical case. In the quantum case, there are several variants for information spectrum. Hence, we cannot say that the smoothing of the min entropy is essentially the same as the method of information spectrum. Indeed, the previous paper [17] discussed this problem only with fidelity distance.
TABLE I: SUMMARY OF OBTAINED RESULTS
setting               single-shot/asymptotic   L                      MMI
exponent (Rényi 2)    single-shot              (53) in Theorem 15     (55) in Theorem 15
                                               (77) in Theorem 22     (78) in Theorem 23
                      asymptotic               (86) in Theorem 26     (87) in Theorem 26
exponent (min)        single-shot              (66) in Theorem 18     (67) in Theorem 18
                                               (81) in Theorem 24     (82) in Theorem 24
                      asymptotic               (95) in Theorem 28     (96) in Theorem 28
second order (min)    single-shot              (66) in Theorem 18     –
                                               (73) in Theorem 20     –
                      asymptotic               (86) in Theorem 25     –
equivocation (min)    single-shot              –                      (101) in Theorem 30
                                               –                      (106) in Theorem 31
                      asymptotic               –                      (107) in Theorem 32
L is the L distinguishability criterion. MMI is the modified mutual information criterion. (min) means the result derived by the smoothing of min entropy. (Rényi 2) means the results derived by the smoothing of Rényi entropy of order 2.
E. Organization
The remaining part of this paper is organized as follows. Now, we give the outline of the preliminary parts. In Section II, we prepare the information quantities for evaluating the security and derive several useful inequalities for the quantum case. We also give a clear definition for security criteria. The contents in Section II except for Lemma 7 and Theorem 8 are known. However, since they are given in quantum terminology, these contents are not familiar to people in information theory. For readers in information theory, their proofs are given in the Appendixes.
In Section III, we introduce several classes of hash functions (universal hash functions and ε-almost dual universal hash functions). We clarify the relation between ε-almost dual universal hash functions and δ-biased ensemble. We also derive an ε-almost dual universal version of the two universal hashing lemma based on Lemma for δ-biased ensemble given by Dodis et al. [9]. The latter preliminary parts are more technical and used for proofs of the main results. Although the contents are given in the previous paper [14] with terminologies in quantum information, since they are necessary for the latter discussion, they are presented in this paper with non-quantum terminologies.
In Section IV, under the ε-almost dual universal condition, we evaluate the L distinguishability criterion and the modified mutual information based on the smoothing of min entropy and Rényi entropy of order 2. These parts give the definitions for concepts and quantities describing the main results. These parts are almost included in the papers [14], [56]. So, the larger part of Sections II, III, and IV are surveys with non-quantum terminology.
Next, we outline the main results. In Section V, using the tail probability of a proper event, we evaluate upper bounds given by the smoothing of min entropy in Section IV with the single-shot setting. This tail probability plays a central role in information spectrum.
The bounds obtained in this section have smaller complexity for calculation than those given in Section IV. In Section VI, using the information quantities given in Section II, we evaluate upper bounds given in Section IV. The bounds obtained in this section have smaller complexity for calculation than those given in Sections V and IV. In Section VII, we derive an exponential decreasing rate for both criteria when we simply apply hash functions. In Section VIII, we also discuss the case when the key generation rate is greater than the conditional entropy rate.
II. PREPARATION
A. Rényi relative entropy
In order to discuss the security problem, we prepare several information quantities for sub-distributions P A Q A on a space A . That is, these are assumed to satisfy the conditions P A ( a ) ≥ and P a P A ( a ) ≤ . Rényi introduced Rényi relative entropy
D s ( P A k Q A ) := 1 s log X a ∈A P A ( a ) s Q A ( a ) − s (1)
as a generalization of relative entropy
$D(P_A \| Q_A) := \sum_{a \in \mathcal{A}} P_A(a) \log \frac{P_A(a)}{Q_A(a)}$ (2)
When we apply a stochastic matrix Λ on A , the information processing inequalities
D (Λ( P A ) k Λ( Q A )) ≤ D ( P A k Q A ) , D s (Λ( P A ) k Λ( Q A )) ≤ D s ( P A k Q A ) (3)
hold for s ∈ (0 , . Since the map s sD s ( P A k Q A ) is convex, we have the following lemma.
Lemma 1: D s ( P A k Q A ) is monotonically increasing for s in ( −∞ , ∪ (0 , ∞ ) .
When P A and Q A are normalized distributions, we have sD s ( P A k Q A ) | s =0 = 0 . Hence, the concavity of s sD s ( P A k Q A ) implies lim s → D s ( P A k Q A ) = D ( P A k Q A ) . Then, Lemma 1 yields the following lemma.
Lemma 2:
When P A and Q A are normalized distributions,
D − s ( P A k Q A ) ≤ D ( P A k Q A ) ≤ D s ( P A k Q A ) (4)
for s > .
B. Conditional Rényi entropy
1) Case of joint sub-distribution:
Next, we prepare the conditional Rényi entropy for a joint sub-distribution P A,E on subsets A and E . In the following discussion, the sub-distributions P A and P A,E are not necessarily normalized, and are assumed to satisfy the condition P a P A ( a ) ≤ or P a,e P A,E ( a, e ) ≤ . For the sub-distributions P A and P A,E , we define the normalized distributions P A, normal and P A,E, normal by P A, normal ( a ) := P A ( a ) / P a P A ( a ) and P A,E, normal ( a, e ) := P A,E ( a, e ) / P a,e P A,E ( a, e ) . For a sub-distribution P A,E , we define the marginal sub-distribution P A on A by P A ( a ) := P e ∈E P A,E ( a, e ) . Then, we define the conditional sub-distribution P A | E on A by P A | E ( a | e ) := P A,E ( a, e ) /P E, normal ( e ) . The conditional entropy is given as H ( A | E | P A,E ) := H ( A, E | P A,E ) − H ( E | P E, normal ) . When we replace P E, normal by another normalized distribution Q E on E , we can generalize the above quantities.
$H(A|E|P_{A,E}\|Q_E) := \log|\mathcal{A}| - D(P_{A,E}\|P_{\mathrm{mix},\mathcal{A}} \times Q_E) = -\sum_{a,e} P_{A,E}(a,e) \log \frac{P_{A,E}(a,e)}{Q_E(e)} = H(A|E|P_{A,E}) + D(P_E\|Q_E) \ge H(A|E|P_{A,E})$, (5)
where P mix , A is the uniform distribution on the set that the random variable A takes values in. By using the Rényi relative entropy, the conditional Rényi entropies and the conditional min entropy are given in the way relative to Q E as
H s ( A | E | P A,E k Q E ) := log |A| − D s ( P A,E k P mix , A × Q E )= − s log X a,e P A,E ( a, e ) s Q E ( e ) − s ,
H min ( A | E | P A,E k Q E ) := − log max ( a,e ): Q E ( e ) > P A,E ( a, e ) Q E ( e ) . (6)
Applying Lemma 1, we obtain the following lemma.
Lemma 3:
The quantity H s ( A | E | P A,E k Q E ) is monotonically decreasing for s in ( −∞ , ∪ (0 , ∞ ) .
Since P e P E, normal ( e ) P a P A | E ( a | e ) P A,E ( a, e ) s Q E ( e ) − s ≤ max a,e : P E ( e ) > P A,E ( a, e ) s Q E ( e ) − s for s > , we have
H s ( A | E | P A,E k Q E ) ≥ H min ( A | E | P A,E k Q E ) . (7)
Taking the limit, we obtain the equality
lim s → + ∞ H s ( A | E | P A,E k Q E ) = H min ( A | E | P A,E k Q E ) . (8)
Due to (3), when we apply an operation Λ on E , it does not act on the system A . Then,
$H(A|E|\Lambda(P_{A,E})\|\Lambda(Q_E)) \ge H(A|E|P_{A,E}\|Q_E)$ (9)
H s ( A | E | Λ( P A,E ) k Λ( Q E )) ≥ H s ( A | E | P A,E k Q E ) . (10)
In particular, the inequalities $H(A|E|\Lambda(P_{A,E})) \ge H(A|E|P_{A,E})$ hold. Conversely, when we apply the function f to the random number a ∈ A , we have
$H(f(A)|E|P_{A,E}) \le H(A|E|P_{A,E})$. (11)
Now, we introduce two kinds of conditional Rényi entropies by specifying Q E . The first type is defined by substituting P E, normal into Q E as follows
H ↓ s ( A | E | P A,E ) := H s ( A | E | P A,E k P E, normal )= − s log X e P E, normal ( e ) X a P A | E ( a | e ) s
H ↓ min ( A | E | P A,E ) := H min ( A | E | P A,E k P E, normal )= − log max ( a,e ): P E, normal ( e ) > P A | E ( a | e )
with s ∈ R \ { } . Then, as a special case of (10), we have
H ↓ s ( A | E | Λ( P A,E )) ≥ H ↓ s ( A | E | P A,E ) (12)
The second type is defined as
H ↑ s ( A | E | P A,E ) := max Q E H s ( A | E | P A,E k Q E ) (13)
This quantity has another expression as follows.
Lemma 4:
A joint sub-distribution P A,E satisfies the relation
H ↑ s ( A | E | P A,E ) = − ss log X e ( X a P A,E ( a, e ) s ) s (14)
for s ∈ [ − , ∞ ) \{ } . The maximum in (13) can be realized when Q E ( e ) = ( P a P A,E ( a, e ) s ) / (1+ s ) / P e ( P a P A,E ( a, e ) s ) / (1+ s ) .
For the reader’s convenience, the proof of Lemma 4 is given in Appendix A. In information theory, we often employ the Gallager-type [8] function [12]:
φ ( s | A | E | P A,E ) := log X e ( X a P A,E ( a, e ) / (1 − s ) ) − s = log X e P E ( e )( X a P A | E ( a | e ) / (1 − s ) ) − s .
The quantity H ↑ s ( A | E | P A,E ) can be expressed as H ↑ s ( A | E | P A,E ) = − ss φ ( s s | A | E | P A,E ) . Although H ↑ s ( A | E | P A,E ) can be lower bounded by H ↓ s ( A | E | P A,E ) due to the definition, we have the opposite inequality as follows.
Lemma 5:
For s ∈ [ − , \ { } , a joint sub-distribution P A,E satisfies the relation
H ↓ s ( A | E | P A,E ) ≥ H ↑ − s ( A | E | P A,E ) . (15)
The equality holds only when P A | E = e is the uniform distribution for all e ∈ E .
Although Lemma 5 can be regarded as a special case of (47) or (48) of [66], we give its proof in Appendix B for the reader’s convenience because the proof in [66] is given in quantum terminology.
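The relations of this subsection can be checked numerically on a small joint distribution. The following Python code is an added example, not part of the paper; it assumes the order-(1+s) convention H_{1+s}(A|E|P‖Q_E) = −(1/s) log Σ P(a,e)^{1+s} Q_E(e)^{−s} (so that s → 0 recovers the Shannon quantity), and the distribution P and all function names are constructed for illustration.

```python
import math

# Constructed joint distribution P_{A,E}: keys a in {0,1,2,3}, Eve's observation e in {0,1}.
P = {
    (0, 0): 0.30, (1, 0): 0.10, (2, 0): 0.05, (3, 0): 0.05,
    (0, 1): 0.05, (1, 1): 0.05, (2, 1): 0.20, (3, 1): 0.20,
}

def marginal_e(p):
    """P_E(e) = sum_a P_{A,E}(a, e)."""
    out = {}
    for (_, e), v in p.items():
        out[e] = out.get(e, 0.0) + v
    return out

def h_rel(p, q, s):
    """H_{1+s}(A|E|P||Q_E) = -(1/s) log sum_{a,e} P(a,e)^{1+s} Q_E(e)^{-s}, s != 0 (nats)."""
    total = sum(v ** (1 + s) * q[e] ** (-s) for (_, e), v in p.items() if v > 0)
    return -math.log(total) / s

def h_min_rel(p, q):
    """H_min(A|E|P||Q_E) = -log max_{a,e} P(a,e) / Q_E(e)."""
    return -math.log(max(v / q[e] for (_, e), v in p.items() if q[e] > 0))

def h_down(p, s):
    """First type: Q_E is fixed to the marginal P_E."""
    return h_rel(p, marginal_e(p), s)

def inner_sums(p, s):
    """c_e = (sum_a P(a,e)^{1+s})^{1/(1+s)} for every e."""
    c = {}
    for (_, e), v in p.items():
        c[e] = c.get(e, 0.0) + v ** (1 + s)
    return {e: x ** (1 / (1 + s)) for e, x in c.items()}

def h_up(p, s):
    """Second type, via the closed form of Lemma 4: -((1+s)/s) log sum_e c_e."""
    return -(1 + s) / s * math.log(sum(inner_sums(p, s).values()))

def optimal_q(p, s):
    """Maximising Q_E of Lemma 4: Q_E(e) proportional to c_e."""
    c = inner_sums(p, s)
    z = sum(c.values())
    return {e: x / z for e, x in c.items()}

def report(p, orders=(0.25, 0.5, 1.0, 4.0)):
    """Rows (order 1+s, first type, second type) and the min entropy relative to P_E."""
    rows = [(1 + s, h_down(p, s), h_up(p, s)) for s in orders]
    return rows, h_min_rel(p, marginal_e(p))

if __name__ == "__main__":
    rows, hmin = report(P)
    for order, down, up in rows:
        print(f"order {order:4.2f}: first type = {down:.4f}  second type = {up:.4f} nats")
    print(f"min entropy relative to P_E = {hmin:.4f} nats")
```

Order 2 corresponds to s = 1; the gap between the order-2 values and the min entropy is the slack that separates a Rényi-2 based bound from a min-entropy based one for this distribution.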
2) Case of joint normalized distribution:
When P A,E is a joint normalized distribution, the additional useful properties hold as follows. In this case, since lim s → sH ↓ s ( A | E | P A,E ) = 0 , we have
lim s → H ↓ s ( A | E | P A,E ) = H ( A | E | P A,E ) (16)
(17)
Hence, we define H ↓ ( A | E | P A,E ) and H ↑ ( A | E | P A,E ) to be H ( A | E | P A,E ) . Further, applying Lemma 2, we obtain the following lemma.
Lemma 6:
When P A,E and Q E are normalized distributions,
H − s ( A | E | P A,E k Q E ) ≥ H ( A | E | P A,E k Q E ) ≥ H s ( A | E | P A,E k Q E ) (18)
for s > .
Similar properties hold for H ↑ s ( A | E | P A,E ) as follows.
Footnote: Historically, the earlier version of this paper showed Lemma 5 for the first time. Then, the paper [66] extended this inequality to the quantum setting.
Lemma 7:
lim s → H ↑ s ( A | E | P A,E ) = H ( A | E | P A,E ) . (19)
The map s sH ↑ s ( A | E | P A,E ) is concave and then the map s H ↑ s ( A | E | P A,E ) is monotonically decreasing for s ∈ ( − , ∞ ) . In particular, when P A | E = e is not a uniform distribution for an element e ∈ E , the map s sH ↑ s ( A | E | P A,E ) is strictly concave and then the map s H ↑ s ( A | E | P A,E ) is strictly monotonically decreasing for s ∈ ( − , ∞ ) .
Lemma 7 will be shown in Appendix C.
Hence, we define H ↑ ( A | E | P A,E ) to be H ( A | E | P A,E ) . Then, the relations (19) and (13) hold even with s = 0 .
Remark 1:
Iwamoto and Shikata [62] discussed conditional Rényi entropies in different notations. They denote H ↓ s ( A | E | P A,E ) by R H s ( A | E ) and H ↑ s ( A | E | P A,E ) by R A s ( A | E ) . They also compare these with other conditional Rényi entropies. Muller-Lennert et al. [63] denoted H ↑ s ( A | E | P A,E ) by H ↓ s ( P A,E | E ) in the quantum setting. Iwamoto and Shikata [62] pointed out that these quantities do not satisfy the chain rule. Instead, Muller-Lennert et al. [63, Proposition 7] showed the inequality H ↑ s ( A | E, E ′ | P A,E,E ′ ) ≥ H ↑ s ( A, E ′ | E | P A,E,E ′ ) − log |E ′ | for s ∈ ( − , ∞ ) . Also, the paper [64, Corollary 77] shows the inequality H s (1 − s ) ( A | E | P A,E,E ′ ) ≥ H ↓ s ( A, E | P A,E,E ′ ) − log |E| for s ∈ [0 , .
C. Criteria for secret random numbers
1) Case of joint sub-distribution:
Next, we introduce criteria for the amount of the information leaked from the secret random number A to E for joint sub-distribution P A,E . Using the ℓ norm, we can evaluate the secrecy for the state P A,E as follows:
d ( A | E | P A,E ) := k P A,E − P A × P E k . (20)
Taking into account the randomness, Renner [16] employed the L distinguishability criteria for security of the secret random number A :
d ′ ( A | E | P A,E ) := k P A,E − P mix , A × P E k , (21)
which can be regarded as the difference between the true sub-distribution P A,E and the ideal sub-distribution P mix , A × P E . It is known that the quantity is universally composable [28].
Renner [16] defined the conditional L -distance from uniform of P A,E relative to a distribution Q E on E :
d ( A | E | P A,E k Q E )
:= X a,e ( P A,E ( a, e ) − P mix , A ( a ) P E ( e )) Q E ( e ) −
= X a,e P A,E ( a, e ) Q E ( e ) − − |A| X e P E ( e ) Q E ( e ) −
= e − H ( A | E | P A,E k Q E ) − |A| e D ( P A k Q E ) .
Using this value and a normalized distribution Q E , we can evaluate d ′ ( A | E | P A,E ) as follows [16, Lemma 5.2.3]:
d ′ ( A | E | P A,E ) ≤ p |A| q d ( A | E | P A,E k Q E ) . (22)
2) Case of joint normalized distribution:
In the remaining part of this subsection, we assume that P A,E is a normalized distribution. The correlation between A and E can be evaluated by the mutual information
$I(A:E|P_{A,E}) := D(P_{A,E} \| P_A \times P_E)$. (23)
By using the uniform distribution P mix , A on A , Csiszár and Narayan [51] modified the mutual information to
$I'(A|E|P_{A,E}) := D(P_{A,E} \| P_{\mathrm{mix},\mathcal{A}} \times P_E)$, (24)
which is called the modified mutual information [56], [65] and satisfies
$I'(A|E|P_{A,E}) = I(A:E|P_{A,E}) + D(P_A \| P_{\mathrm{mix},\mathcal{A}})$ (25)
and
$H(A|E|P_{A,E}) = -I'(A|E|P_{A,E}) + \log|\mathcal{A}|$. (26)
Indeed, the quantity I ( A : E | P A,E ) represents the amount of information leaked by E , and the remaining quantity D ( P A k P mix , A ) describes the difference of the random number A from the uniform random number. So, if the quantity I ′ ( A | E | P A,E ) is small, we can conclude that the random number A has less correlation with E and is close to the uniform random number.
Indeed, it is natural to adopt a quantity expressing the difference between the true distribution and the ideal distribution P mix , A × P E as a security criterion. However, there are several quantities expressing the difference between two distributions. Both d ′ ( A | E | P ) and I ′ ( A | E | P ) are characterized in this way. Here, we show that the modified mutual criterion I ′ ( A | E | P ) can be derived in a more natural way in the following sense.
It is natural to assume the following conditions for the security criterion C ( A ; E | P ) as well as the permutation invariance on A and E .
C1 Chain rule: $C(A,B|E|P) = C(B|E|P) + C(A|B,E|P)$.
C2 Linearity
When the supports of two marginal distributions P E, and P E, are disjoint as subsets of E , C ( A | E | λP +(1 − λ ) P ) = λC ( A | E | P ) + (1 − λ ) C ( A | E | P ) .
C3 Range: log |A| ≥ C ( A | E | P ) ≥ .
C4 Ideal case: $C(A|E|P_{\mathrm{mix},\mathcal{A}} \otimes P_E) = 0$.
C5 Normalization: $C(A|E|\,|a\rangle\langle a| \otimes P_E) = \log|\mathcal{A}|$.
Unfortunately, the L distinguishability does not satisfy C1 Chain rule. However, we have the following theorem.
Theorem 8: C ( A | E | P ) satisfies all of the above properties if and only if C ( A | E | P ) coincides with the modified mutual information criterion I ′ ( A | E | P ) = log |A| − H ( A | E | P ) .
For a proof, see Appendix D. Hence, it is natural to adopt the modified mutual information criterion I ′ ( A | E | P ) as a security criterion. In particular, if one emphasizes C1 Chain rule rather than the universal composability, it is better to employ the modified mutual information criterion I ′ ( A | E | P ) .
In particular, if the quantity I ′ ( A | E | P A,E ) goes to zero, d ′ ( A | E | P A,E ) also goes to zero as follows. Using the Pinsker inequality, we obtain
d ( A | E | P A,E ) ≤ I ( A | E | P A,E ) (27)
d ′ ( A | E | P A,E ) ≤ I ′ ( A | E | P A,E ) . (28)
Conversely, we can evaluate I ( A : E | P A,E ) and I ′ ( A | E | P A,E ) by using d ( A | E | P A,E ) and d ′ ( A | E | P A,E ) in the following way. Applying the Fannes inequality, we obtain
≤ I ( A : E | P A,E ) = H ( A | P A ) + H ( E | P E ) − H ( A, E | P A,E )
= H ( A, E | P A × P E ) − H ( A, E | P A,E )
= X a P A ( a ) H ( E | P E ) − H ( E | P E | A = a )
≤ X a P A ( a ) η ( k P E | A = a − P E k , log |E| )
= η ( k P E,A − P A × P E k , log |E| )
= η ( d ( A | E | P A,E ) , log |E| ) , (29)
where η ( x, y ) := − x log x + xy . Similarly, we obtain
≤ I ′ ( A | E | P A,E )
= H ( A | P mix , A ) + H ( E | P E ) − H ( A, E | P A,E )
= H ( A, E | P mix , A × P E ) − H ( A, E | P A,E )
= X e P E ( e )( H ( A | P mix , A ) − H ( A | P A | E = e ))
≤ X e P E ( e )( k P mix , A − H ( A | P A | E = e ) k , log |A| )
≤ η ( k P mix , A × P E − P A,E k , log |A| )
= η ( d ′ ( A | E | P A,E ) , log |A| ) . (30)
III. RANDOM HASH FUNCTIONS
A. General random hash functions
In this section, we focus on a random function f X from A to B , where X is a random variable identifying the function f X . In this case, the total information of Eve’s system is written as ( E, X ) . Then, by using P f X ( A ) ,E, X ( b, e, x ) := P a ∈ f − X ( b ) P A,E ( a, e ) P X ( x ) , the L distinguishability criterion is written as
d ′ ( f X ( A ) | E, X | P f X ( A ) ,E, X )
= k P f X ( A ) ,E, X − P mix , B × P E, X k
= X x P X ( x ) k P f X = x ( A ) ,E − P mix , B × P E k
=E X k P f X ( A ) ,E − P mix , B × P E k . (31)
Also, the modified mutual information is written as
I ′ ( f X ( A ) | E, X | P f X ( A ) ,E, X )
= D ( P f X ( A ) ,E, X k P mix , B × P E, X )
= X x P X ( x ) D ( P f X = x ( A ) ,E, X k P mix , B × P E )
=E X D ( P f X ( A ) ,E, X k P mix , B × P E ) . (32)
We say that a random function f X is ε -almost universal [1], [2], [14], if, for any pair of different inputs a , a , the collision probability of their outputs is upper bounded as
Pr [ f X ( a ) = f X ( a )] ≤ ε |B| . (33)
The parameter ε appearing in (33) is shown to be confined in the region
ε ≥ |A| − |B||A| − , (34)
and in particular, a random function f X with ε = 1 is simply called a universal function.
Two important examples of universal hash functions are the Toeplitz matrices (see, e.g., [3]), and multiplications over a finite field (see, e.g., [1], [4]). A modified form of the Toeplitz matrices is also shown to be universal , which is given by a concatenation ( X, I ) of the Toeplitz matrix X and the identity matrix I [13]. The (modified) Toeplitz matrices are particularly useful in practice, because there exists an efficient multiplication algorithm using the fast Fourier transform algorithm with complexity O ( n log n ) (see, e.g., [5]).
The following proposition holds for any universal function.
Proposition 9 (Renner [16, Lemma 5.4.3]):
Given any joint sub-distribution P A,E on A× E and any normalized distribution Q E on E , any universal hash function f X from A to M := { , . . . , M } satisfies
E X d ( f X ( A ) | E | P A,E k Q E ) ≤ e − H ( A | E | P A,E k Q E ) . (35)
More precisely, the inequality
E X e − H ( f X ( A ) | E | P A,E k Q E ) ≤ (1 − M ) e − H ( A | E | P A,E k Q E ) + 1 M e D ( P E k Q E ) (36)
holds.
B. Ensemble of linear hash functions
Tsurumaru and Hayashi [14] focus on linear functions over the finite field F . Now, we treat the case of linear functions over a finite field F q , where q is a power of a prime number p . We assume that the sets A , B are F nq , F mq respectively with n ≥ m , and f are linear functions over F q . Note that, in this case, there is a kernel C corresponding to a given linear function f , which is a vector space of dimension n − m or more. Conversely, when given a vector subspace C ⊂ F nq of dimension n − m or more, we can always construct a linear function
$f_C : \mathbb{F}_q^n \to \mathbb{F}_q^n / C \cong \mathbb{F}_q^l, \quad l \le m.$ (37)
That is, we can always identify a linear hash function f C and a code C .
When C X = Ker f X , the definition of ε -universal function (33) takes the form
∀ x ∈ F nq \ { } , Pr [ f X ( x ) = 0] ≤ q − m ε, (38)
which is equivalent to
∀ x ∈ F nq \ { } , Pr [ x ∈ C X ] ≤ q − m ε. (39)
This shows that the kernel C X contains sufficient information for determining if a random function f X is ε -almost universal or not.
For a given random code C X , we define its minimum (respectively, maximum) dimension as t min := min X dim C X (respectively, t max := max r ∈ I dim C X ). Then, we say that a linear random code C X of minimum (or maximum) dimension t is an ε -almost universal code if the following condition is satisfied
∀ x ∈ F nq \ { } , Pr [ x ∈ C X ] ≤ q t − n ε. (40)
In particular, if ε = 1 , we call C X a universal code.
C. Dual universality of a random code
Based on Tsurumaru and Hayashi [14], we define several variations of the universality of an error-correcting random code and the linear function as follows. First, we define the dual random code C ⊥ X of a given linear random code C X as the dual code of C X . We also introduce the notion of dual universality as follows. We say that a random code C X in F nq is ε -almost dual universal with minimum dimension t (with maximum dimension t ), if the dual random code C ⊥ X is ε -almost universal with maximum dimension n − t (with minimum dimension n − t ). Hence, we say that a linear random function f X from F nq to F mq is ε -almost dual universal , if the kernels C X of f X form an ε -almost dual universal code with minimum dimension n − m . This condition is equivalent to the condition that the linear space spanned by the generating matrix of f X forms an ε -almost universal random code with maximum dimension m . An explicit example of a dual universal function (with ε = 1 ) can be given by the modified Toeplitz matrix mentioned earlier [11], i.e., a concatenation ( X, I ) of the Toeplitz matrix X and the identity matrix I . The modified Toeplitz matrix requires n − bits of random seeds R . This example is particularly useful in practice because it is both universal and dual universal , and also because there exists an efficient algorithm with complexity O ( n log n ) . When the random variable R is not the uniform random number, the modified Toeplitz matrix is q n − e − H ↓ min ( R ) -almost dual universal , as shown in [33]. Therefore, we can evaluate the security of the modified Toeplitz matrix even with non-uniform random seeds.
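The kernel condition (39) and its dual counterpart can be verified exhaustively for the modified Toeplitz ensemble ( X, I ) over the binary field with small n and m. The following Python code is an added example, not code from the paper or from [33]; the function names, the seed-to-diagonal indexing and the biased seed distribution are constructed for illustration, and the bound for non-uniform seeds is taken here as 2^(n−1) · max_r P_R(r), which assumes n − 1 seed bits and q = 2.

```python
from fractions import Fraction
from itertools import product

def modified_toeplitz(seed, n, m):
    """Rows of the m x n binary matrix (X, I): X is the m x (n-m) Toeplitz
    matrix whose diagonals are filled from the n-1 seed bits, I is m x m."""
    k = n - m
    assert len(seed) == n - 1
    rows = []
    for i in range(m):
        toeplitz_part = [seed[i - j + k - 1] for j in range(k)]  # constant on diagonals
        identity_part = [int(c == i) for c in range(m)]
        rows.append(toeplitz_part + identity_part)
    return rows

def hash_value(rows, x):
    """f_X(x) = (X, I) x over F_2."""
    return tuple(sum(r & b for r, b in zip(row, x)) % 2 for row in rows)

def in_dual_code(rows, x):
    """True if x lies in the dual of Ker f_X, i.e. in the row space of (X, I).
    Because of the identity block, the only candidate coefficient vector
    is the last m bits of x."""
    m = len(rows)
    u = x[-m:]
    combo = tuple(sum(u[i] & rows[i][c] for i in range(m)) % 2
                  for c in range(len(x)))
    return combo == tuple(x)

def seed_distribution(n, p_one):
    """Independent seed bits with Pr[bit = 1] = p_one, as exact rationals."""
    dist = {}
    for seed in product((0, 1), repeat=n - 1):
        ones = sum(seed)
        dist[seed] = p_one ** ones * (1 - p_one) ** (n - 1 - ones)
    return dist

def epsilons(n, m, dist):
    """Smallest eps for which the ensemble is eps-almost universal (kernel
    test (39)) and eps-almost dual universal (same test on the dual code)."""
    matrices = [(modified_toeplitz(seed, n, m), p) for seed, p in dist.items()]
    worst_kernel = worst_dual = Fraction(0)
    for x in product((0, 1), repeat=n):
        if not any(x):
            continue  # the conditions only quantify over nonzero x
        p_kernel = sum((p for rows, p in matrices
                        if not any(hash_value(rows, x))), Fraction(0))
        p_dual = sum((p for rows, p in matrices
                      if in_dual_code(rows, x)), Fraction(0))
        worst_kernel = max(worst_kernel, p_kernel)
        worst_dual = max(worst_dual, p_dual)
    # kernel has dimension n-m, dual code has dimension m
    return worst_kernel * 2 ** m, worst_dual * 2 ** (n - m)

def min_entropy_bound(n, dist):
    """2^(n-1) * max_r P_R(r): the non-uniform-seed bound, as assumed above."""
    return 2 ** (n - 1) * max(dist.values())

if __name__ == "__main__":
    n, m = 7, 3
    for label, p_one in (("uniform seed", Fraction(1, 2)),
                         ("biased seed ", Fraction(3, 5))):
        dist = seed_distribution(n, p_one)
        eps_u, eps_d = epsilons(n, m, dist)
        print(label, "eps_universal =", float(eps_u), "eps_dual =", float(eps_d),
              "bound =", float(min_entropy_bound(n, dist)))
```

With a uniform seed both values equal 1; with the biased seed the dual parameter grows above 1 but stays below the min-entropy bound, which is the quantity that then enters Proposition 12.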
With these preliminaries, we present the following propositions from [14] with non-quantum terminologies and a general prime power q :
Proposition 10 ([14, Corollary 2]): An ε -almost universal surjective linear random hash function f X from F nq to F mq is a q (1 − q m ε ) + ( ε − q n − m -almost dual universal linear random hash function.
As a special case, we obtain the following.
Corollary 11: Any universal linear random function f X over a finite field F q is a q -almost dual universal function.
Proposition 12 ([14, Lemma 3]):
Given a joint sub-distribution P A,E on A × E and a normalized distribution Q E on E . When C X is an ε -almost dual universal code with minimum dimension t , the random hash function f C X satisfies
E X d ( f C X ( A ) | E | P A,E ‖ Q E ) ≤ εe − H ( A | E | P A,E ‖ Q E ) . (41)
More precisely,
E X e − H ( f C X ( A ) | E | P A,E ‖ Q E ) ≤ εe − H ( A | E | P A,E ‖ Q E ) + 1 q n − t e D ( P E ‖ Q E ) . (42)
In other words, an ε -almost dual universal function f X from F n to F n − t satisfies (41) and (42).
Since Proposition 12 plays a central role instead of Proposition 9 in this paper, and the proof in the previous paper [14] is given with quantum terminologies and for the special case q = 2 , we give its proof in Appendix E without quantum terminologies for the reader's convenience.
IV. SECURITY BOUNDS WITH RÉNYI ENTROPY OF ORDER 2 AND MIN ENTROPY
First, we consider the secure key generation problem from a common random number A ∈ A which has been partially eavesdropped by Eve. For this problem, it is assumed that Alice and Bob share a common random number A ∈ A , and Eve has a random number E correlated with the random number A , whose distribution is P E . The task is to extract a common random number f ( A ) from the random number A ∈ A , which is almost independent of Eve’s quantum state. Here, Alice and Bob are only allowed to apply the same function f to the common random number A ∈ A . Now, we focus on the random function f X from A to M = { , . . . , M } , where X denotes a random variable describing the stochastic behavior of the function f X .
Renner [16, Lemma 5.2.3] essentially evaluated E X d ′ ( f X ( A ) | E | P A,E ) by using E X d ( f X ( A ) | E | P A,E ‖ Q E ) as follows.
Lemma 13:
When a state Q E is a normalized distribution on E , any random hash function f X from A to { , . . . , M } satisfies E X d ′ ( f X ( A ) | E | P A,E ) ≤ M q E X d ( f X ( A ) | E | P A,E k Q E ) . Further, the inequalities used in proof of Renner[16, Corollary 5.6.1] imply that E X d ′ ( f X ( A ) | E | P A,E ) ≤ k P A,E − P ′ A,E k + E X d ′ ( f X ( A ) | E | P ′ A,E ) ≤ k P A,E − P ′ A,E k + M q E X d ( f X ( A ) | E | P ′ A,E k Q E ) . Applying the same discussion to Shannon entropy, we can evaluate the average of the modified mutual information criterionby using E X d ( f X ( A ) | E | P A,E k Q E ) as follows. Lemma 14:
Assume that P A,E is a normalized distribution on
A × E . Any random hash function f X from A to M = { , . . . , M } satisfies E X I ′ ( f X ( A ) | E | P A,E ) ≤ log(1 + M E X d ( f X ( A ) | E | P A,E )) (43) ≤ M E X d ( f X ( A ) | E | P A,E k P E ) . (44)Further, when a sub-distribution P ′ A,E satisfies P ′ E ( e ) ≤ P E ( e ) for any e ∈ E (we simplify this condition to P ′ E ≤ P E ), weobtain E X I ′ ( f X ( A ) | E | P A,E ) ≤ η ( k P A,E − P ′ A,E k , log M )+ log(1 + M E X d ( f X ( A ) | E | P ′ A,E k P E )) (45) ≤ η ( k P A,E − P ′ A,E k , log M )+ M E X d ( f X ( A ) | E | P ′ A,E k P E ) , (46)where η ( x, y ) := xy − x log x . Proof:
The inequality D ( P ′ E k P E ) ≤ holds due to the condition P ′ E ( e ) ≤ P E ( e ) . Since d ( f X ( A ) | E | P ′ A,E k P E )= e − H ( f X ( A ) | E | P ′ A,E k P E ) − M e D ( P ′ E k P E ) ≥ e − H ( f X ( A ) | E | P ′ A,E k P E ) − M , (47)we have e − H ( f X ( A ) | E | P ′ A,E k P E ) ≤ d ( f X ( A ) | E | P ′ A,E k P E ) + 1 M . Taking the logarithm, we obtain − log M + log(1 + M d ( f X ( A ) | E | P ′ A,E k P E )) ≥ − H ( f X ( A ) | E | P ′ A,E k P E ) ≥ − H ( f X ( A ) | E | P ′ A,E k P E ) . (48)Substituting P A,E to P ′ A,E , we obtain H ( f X ( A ) | E | P ′ A,E k P E ) = H ( f X ( A ) | E | P A,E ) and I ′ ( f X ( A ) | E | P A,E ) = log M − H ( f X ( A ) | E | P A,E ) ≤ log(1 + M d ( f X ( A ) | E | P A,E )) . Since the function x log(1 + x ) is concave, we obtain E X I ′ ( f X ( A ) | E | P A,E ) ≤ log(1 + M E X d ( f X ( A ) | E | P A,E )) , which implies (43). The inequality log(1 + x ) ≤ x and (43) yield (44).Due to Fannes inequality, the normalized distribution P A | E = e ( a ) := P A,E ( a,e ) P E ( e ) and the sub-distribution P ′ A | E = e ( a ) := P ′ A,E ( a,e ) P E ( e ) satisfy | H ( f X ( A ) | P A | E = e ) − H ( f X ( A ) | P ′ A | E = e ) |≤ η ( k P A | E = e − P ′ A | E = e k , log M ) . (49) Since P e P E ( e ) k P A | E = e − P ′ A | E = e k = k P A,E − P ′ A,E k , taking the average under the distribution P E , we obtain | H ( f X ( A ) | E | P A,E | P E ) − H ( f X ( A ) | E | P ′ A,E | P E ) | = | X e P E ( e )( H ( f X ( A ) | P A | E = e ) − H ( f X ( A ) | P ′ A | E = e )) |≤ X e P E ( e ) | H ( f X ( A ) | P A | E = e ) − H ( f X ( A ) | P ′ A | E = e ) |≤ X e P E ( e ) η ( k P A | E = e − P ′ A | E = e k , log M ) ≤ η ( X e P E ( e ) k P A | E = e − P ′ A | E = e k , log M )= η ( k P A,E − P ′ A,E k , log M ) . 
(50)Therefore, using (50) and (48), we obtain I ′ ( f X ( A ) | E | P A,E )= log M − H ( f X ( A ) | E | P A,E | P E ) ≤ η ( k P A,E − P ′ A,E k , log M )+ log M − H ( f X ( A ) | E | P ′ A,E | P E ) ≤ η ( k P A,E − P ′ A,E k , log M )+ log(1 + M d ( f X ( A ) | E | P ′ A,E k P E )) . Taking the expectation of X and using the concavity of functions x η ( x, log M ) and x log(1 + x ) , we obtain (45). Theinequality log(1 + x ) ≤ x yields (46). In this proof, the condition P E ( e ) ′ ≤ P E ( e ) is crucial because Inequality (47) cannotbe shown without this condition.Now, we evaluate the security by combining Proposition 12 and Lemmas 13 and 14. For this purpose, we introduce thequantities: ∆ d, ( M , ε | P A,E ) := min Q E min P ′ A,E k P A,E − P ′ A,E k + √ ε M e − H ( A | E | P ′ A,E k Q E ) = min Q E min ǫ > ǫ + √ ε M e − H ǫ ( A | E | P A,E k Q E ) = min Q E min R P ′ A,E : H ( A | E | P ′ A,E k Q E ) ≥ R k P A,E − P ′ A,E k + √ ε M e − R , ∆ I, ( M , ε | P A,E ) := min P ′ A,E : P ′ E ≤ P E η ( k P A,E − P ′ A,E k , log M ) + ε M e − H ( A | E | P ′ A,E k P E ) = min ǫ > η ( ǫ , log M ) + ε M e − H ↓ ,ǫ ( A | E | P A,E ) = min R η ( min P ′ A,E : P ′ E ≤ P E ,H ( A | E | P ′ A,E k P E ) ≥ R k P A,E − P ′ A,E k , log M ) + ε M e − R , where H ↓ ,ǫ ( A | E | P A,E k Q E ) := max P ′ A,E : k P A,E − P ′ A,E k ≤ ǫ H ( A | E | P ′ A,E k Q E ) (51) H ǫ ( A | E | P A,E ) := max P ′ A,E : k P A,E − P ′ A,E k ≤ ǫ ,P ′ E ≤ P E H ( A | E | P ′ A,E k P E ) . (52)Note that H ↓ ,ǫ ( A | E | P A,E ) is different from H ǫ ( A | E | P A,E k P E ) because the definition of H ↓ ,ǫ ( A | E | P A,E ) has additionalconstraints for P ′ A,E . Then, we can evaluate the averages of both security criteria under the ε -almost dual universal condition. Theorem 15:
Assume that Q E is a normalized distribution on E , P A,E is a sub-distribution on A × E , and a linear random hash function f X from A to M = { , . . . , M } is ε -almost dual universal . Then, the random hash function f X satisfies
E X d ′ ( f X ( A ) | E | P A,E ) ≤√ ε M e − H ( A | E | P A,E ‖ Q E ) ,
E X d ′ ( f X ( A ) | E | P A,E ) ≤ ∆ d, ( M , ε | P A,E ) . (53)
When P A,E is a normalized joint distribution, it satisfies
E X I ′ ( f X ( A ) | E | P A,E ) ≤ log(1 + ε M e − H ↓ ( A | E | P A,E ) ) ≤ ε M e − H ↓ ( A | E | P A,E ) (54)
E X I ′ ( f X ( A ) | E | P A,E ) ≤ ∆ I, ( M , ε | P A,E ) . (55)
While the same evaluations for the L distinguishability criterion under the universal condition have been shown in Renner [16, Corollary 5.6.1], those for the modified mutual information criterion have not been shown even under the universal condition. None of the above evaluations under the ε -almost dual universal condition have been discussed in Renner.
Since the function x ↦ η ( x, y ) is concave, combining Inequality (30), we obtain the following corollary.
Corollary 16:
When a linear random hash function f X from A to M = { , . . . , M } is ε -almost dual universal , any joint sub-distribution P A,E on A and E satisfies
E X I ′ ( f X ( A ) | E | P A,E ) ≤ η (∆ d, ( M , ε | P A,E ) , log |A| ) (56)
for s ∈ (0 , / .
Since the function x ↦ √ x is concave, combining Inequality (28), we obtain the following corollary.
Corollary 17:
When a linear random hash function f X from A to M = { , . . . , M } is ε -almost dual universal , any jointnormalized distribution P A,E on A × E satisfy E X d ′ ( f X ( A ) | E | P A,E ) ≤ q I, ( M , ε | P A,E ) (57)for s ∈ (0 , / .Further, in the case of the universal condition, Renner[16, Corollary 5.6.1] proposed to replace H ( A | E | P ′ A,E k Q E ) bythe min entropy H min ( A | E | P ′ A,E k Q E ) because H ( A | E | P ′ A,E k Q E ) ≥ H min ( A | E | P ′ A,E k Q E ) . Based on H min ( A | E | P k Q E ) ,Renner[16] introduced ǫ -smooth min entropy as H ǫ min ( A | E | P A,E k Q E ) := max k P A,E − P ′ A,E k ≤ ǫ H min ( A | E | P ′ A,E k Q E ) . (58)For the evaluation of E X I ′ ( f X ( A ) | E | P A,E ) , adding the condition P ′ E ≤ P E , we define H ↓ ,ǫ min ( A | E | P A,E ) := max k P A,E − P ′ A,E k ≤ ǫ ,P ′ E ≤ P E H min ( A | E | P ′ A,E k P E ) . (59)As is shown in Lemma 19, H ↓ ,ǫ min ( A | E | P A,E ) equals H ǫ min ( A | E | P A,E k P E ) while the former has an additional constraint.Defining the quantities ∆ d, min ( M , ε | P A,E ) := min Q E min P ′ A,E k P A,E − P ′ A,E k + √ ε M e − H min ( A | E | P ′ A,E k Q E ) (60) = min Q E min ǫ > ǫ + √ ε M e − H ǫ ( A | E | P A,E k Q E ) (61) = min Q E min R P ′ A,E : H min ( A | E | P ′ A,E k Q E ) ≥ R k P A,E − P ′ A,E k + √ ε M e − R , (62) ∆ I, min ( M , ε | P A,E ) := min Q E min P ′ A,E : P ′ E ≤ Q E , η ( k P A,E − P ′ A,E k , log M ) + ε M e − H min ( A | E | P ′ A,E k P E ) (63) = min ǫ > η ( ǫ , log M ) + ε M e − H ↓ ,ǫ ( A | E | P A,E ) (64) = min R η ( min P ′ A,E : P ′ E ≤ P E ,H min ( A | E | P ′ A,E k P E ) ≥ R k P A,E − P ′ A,E k , log M ) + ε M e − R , (65)we obtain the following theorem. Theorem 18:
Assume that Q E is a normalized distribution on E , P A,E is a sub-distribution on A × E , and a linear random hash function f X from A to M = { , . . . , M } is ε -almost dual universal . Then, the random hash function f X satisfies
E X d ′ ( f X ( A ) | E | P A,E ) ≤ ∆ d, min ( M , ε | P A,E ) , (66)
E X I ′ ( f X ( A ) | E | P A,E ) ≤ ∆ I, min ( M , ε | P A,E ) . (67)
That is, ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) are upper bounds for leaked information in the respective criteria when the smoothing of min entropy is applied.
V. RELATION WITH INFORMATION SPECTRUM
Information spectrum can derive asymptotically tight bounds of the optimal performances of various information processings by using only the asymptotic behavior of the tail probability, e.g., P A,E { ( a, e ) | P A | E ( a | e ) ≥ e − R } . Hence, it can be applied without any assumption on information sources. While information spectrum originally addresses the asymptotic setting, we bound the performances in the single-shot setting by using the tail probability. We call these upper and lower bounds single-shot information spectrum bounds.
In this section, we clarify the relation between the smoothing of min entropy and single-shot information spectrum bounds. Instead of the smooth min entropy H ↓ ,ϵ min ( A | E | P A,E ) , we consider the bounds ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) as functions of min P ′ A,E : H min ( A | E | P ′ A,E ‖ Q E ) ≥ R ‖ P A,E − P ′ A,E ‖ or min P ′ A,E : P ′ E ≤ P E ,H min ( A | E | P ′ A,E ‖ P E ) ≥ R ‖ P A,E − P ′ A,E ‖ . That is, we employ the formulas (62) and (65) rather than (61) and (64). Then, we give their relations with the tail probability, e.g., P A,E { ( a, e ) | P A | E ( a | e ) ≥ e − R } as follows.
Lemma 19:
min P ′ A,E : H min ( A | E | P ′ A,E ‖ Q E ) ≥ R ‖ P A,E − P ′ A,E ‖
= min P ′ A,E : H min ( A | E | P ′ A,E ‖ Q E ) ≥ R,P ′ A,E ≤ P A,E ‖ P A,E − P ′ A,E ‖
= P A,E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } − e − R |A| P mix , A × Q E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } (68)
and
(1 − c ) P A,E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) }
≤ P A,E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } − e − R |A| P mix , A × Q E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) }
≤ P A,E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } (69)
for c > and R .
Since the condition P ′ A,E ≤ P A,E is more restrictive than P ′ A ≤ P A , we see that H ↓ ,ϵ min ( A | E | P A,E ) = H ϵ min ( A | E | P A,E ‖ P E ) .
Proof:
The optimal sub-distribution P ′ A,E in the first line of (68) is given as P ′ A,E ( a, e ) = (cid:26) e − R Q E ( e ) if P A,E ( a, e ) > e − R Q E ( e ) P A,E ( a, e ) if P A,E ( a, e ) ≤ e − R Q E ( e ) (70)The sub-distribution is the optimal sub-distribution in the second line of (68). Substituting the above sub-distribution in to thefirst line, we obtain the third line of (68).Next, we show (69). Since cP A,E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) } ≥ e − R |A| P mix , A × Q E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) } ,we have (1 − c ) P A,E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) } = P A,E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) } − cP A,E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) }≤ P A,E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) } − e − R |A| P mix , A × Q E { ( a, e ) | P A,E ( a, e ) > ce − R Q E ( e ) }≤ P A,E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } − e − R |A| P mix , A × Q E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } (71) ≤ P A,E { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } , where the inequality (71) follows from the fact that the maximum max Ω P A,E (Ω) − e − R |A| P mix , A × Q E (Ω) can be realizedby the set { ( a, e ) | P A,E ( a, e ) > e − R Q E ( e ) } .Therefore, using the formulas (62) and (65), we obtain the following theorem. Theorem 20:
The upper bounds ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) of leaked information by the smoothing of min entropy can be evaluated as follows.
− c ) min Q E min R ′ P A,E { ( a, e ) | P A,E ( a, e ) / Q E ( e ) > ce − R ′ } + √ ε M e − R ′ (72)
≤ ∆ d, min ( M , ε | P A,E )
≤ min Q E min R ′ P A,E { ( a, e ) | P A,E ( a, e ) / Q E ( e ) > e − R ′ } + √ ε M e − R ′ , (73)
(1 − c ) min R ′ η ( P A,E { ( a, e ) ∈ A × E | P A | E ( a | e ) ≥ ce − R ′ } , log M ) + ε M e − R ′ (74)
≤ ∆ I, min ( M , ε | P A,E )
≤ min R ′ η ( P A,E { ( a, e ) ∈ A × E | P A | E ( a | e ) > e − R ′ } , log M ) + ε M e − R ′ (75)
for c > .
Theorem 20 explains that the bounds ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) by the smoothing of min entropy have almost the same values as the single-shot information spectrum bounds. Using this characterization, we evaluate the bounds ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) in the latter sections. However, the bounds by the smoothing of Rényi entropy of order 2 cannot be characterized in the same way. This fact seems to indicate the possibility of the smoothing of Rényi entropy of order 2 beyond the smoothing of min entropy.
VI. SECRET KEY GENERATION: SINGLE-SHOT CASE
In order to obtain useful upper bounds, we need to calculate or evaluate the quantities ∆ d, ( M , ε | P A,E ) / , ∆ I, ( M , ε | P A,E ) / , ∆ d, max ( M , ε | P A,E ) / , and ∆ I, max ( M , ε | P A,E ) / . We say that their exact value is the smoothing bound . Using the smoothingbound of R´enyi entropy of order 2, the paper [12] derived the following proposition. Proposition 21:
The inequality ∆ d, ( M , | P A,E ) ≤ M s e − sH ↑ − s ( A | E | P A,E ) (76)holds for s ∈ (0 , / .Using the same smoothing bound, we obtain the following evaluation. Lemma 22:
The inequality ∆ d, ( M , ε | P A,E ) ≤ (2 + √ ε ) M s e − sH ↑ − s ( A | E | P A,E ) (77)holds for s ∈ (0 , / .Similar to Theorem 15, we obtain an upper bound for ∆ I, ( M , ε | P A,E ) . Theorem 23:
The inequality ∆ I, ( M , ε | P A,E ) ≤ η ( M s e − sH ↓ s ( A | E | P A,E ) , ε + log M ) (78)holds for s ∈ (0 , . Proof:
For any integer M , we choose the subset Ω M := { P A | E ( a | e ) > M − } , and define the sub-distribution P A,E : M by P A,E : M ( a, e ) := (cid:26) if ( a, e ) ∈ Ω M P A,E ( a, e ) otherwise.For ≤ s ≤ , we can evaluate e − H ( A | E | P A,E : M k P E ) and d ( P A,E , P
A,E : M ) as e − H ( A | E | P A,E : M k P E ) = X ( a,e ) ∈ Ω c M P A,E ( a, e ) ( P E ( e )) − ≤ X ( a,e ) ∈ Ω c M P A,E ( a, e ) s ( P E ( e )) − s M − (1 − s ) ≤ X ( a,e ) P A,E ( a, e ) s ( P E ( e )) − s M − (1 − s ) = e − sH ↓ s ( A | E | P A,E ) M − (1 − s ) , (79) k P A,E − P A,E : M k = P A,E (Ω M ) = X ( a,e ) ∈ Ω M P A,E ( a, e ) ≤ X ( a,e ) ∈ Ω M ( P A,E ( a, e )) s M s ( P E ( e )) − s ≤ X ( a,e ) ( P A,E ( a, e )) s M s ( P E ( e )) − s = M s e − sH ↓ s ( A | E | P A,E ) . (80)Substituting (79) and (80) into (55), we obtain (57) because η ( M s e − sH ↓ s ( A | E | P A,E ) , ε + log M )= η ( M s e − sH ↓ s ( A | E | P A,E ) , log M ) + ε M s e − sH ↓ s ( A | E | P A,E ) . In the above proof, we choose P ′ A,E to be P A,E : M ( a, e ) , we call the smoothing with this particular choice the information-spectrum-smoothing bound because this type smoothing bound is used to derive the entropic information spectrum in [17].Indeed, the paper [12] also employed the information-spectrum-smoothing bound to derive Proposition 21.Further, ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) can be evaluated as follows. Theorem 24:
The upper bounds ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) of leaked information by the smoothing boundof min entropy can be evaluated as follows. ∆ d, min ( M , ε | P A,E ) ≤ (2 + √ ε ) min ≤ s e − sH ↑ s ( A | E | PA,E )+ sR s (81) ∆ I, min ( M , ε | P A,E ) ≤ η (min ≤ s e − sH ↓ s ( A | E | PA,E )+ sR s , ε + log M ) . (82)Theorem 24 gives upper bounds on ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) . The combination of Theorems 20 and24 shows the performance of the smoothing bound of min entropy. Using these bounds, we can show the tight exponentialdecreasing rates of ∆ d, min ( M , ε | P A,E ) and ∆ I, min ( M , ε | P A,E ) . Proof:
Since P A,E n ( a, e ) (cid:12)(cid:12)(cid:12) P A,E ( a, e ) Q E ( e ) > e − R ′ o = X ( a,e ): PA,E ( a,e ) QE ( e ) >e − R ′ P A,E ( a, e ) ≤ X ( a,e ): PA,E ( a,e ) QE ( e ) >e − R ′ P A,E ( a, e ) (cid:16) P A,E ( a, e ) Q E ( e ) e R ′ (cid:17) s ≤ X ( a,e ) P A,E ( a, e ) (cid:16) P A,E ( a, e ) Q E ( e ) e R ′ (cid:17) s = e − sH s ( A | E | P A,E | Q E )+ sR ′ , (83)choosing R ′ = log M +2 sH s ( A | E | P A,E | Q E )1+2 s , we have P A,E n ( a, e ) (cid:12)(cid:12)(cid:12) P A,E ( a, e ) Q E ( e ) > e − R ′ o + √ ε M e − R ′ ≤ e − sH s ( A | E | P A,E | Q E )+ sR ′ + √ ε M e − R ′ ≤ (2 + √ ε ) e − (1+ s ) sH s ( A | E | PA,E | QE )+ sR s . Since the above inequality holds for s ≥ , Lemma 4 yields that min Q E min R ′ P A,E n ( a, e ) (cid:12)(cid:12)(cid:12) P A,E ( a, e ) Q E ( e ) > e − R ′ o + √ ε M e − R ′ ≤ min ≤ s min Q E (2 + √ ε ) e − (1+ s ) sH s ( A | E | PA,E | QE )+ sR s =(2 + √ ε ) min ≤ s e − sH ↑ s ( A | E | PA,E )+ sR s Hence, combining (73), we obtain (81).Choosing R ′ = log M + sH ↓ s ( A | E | P A,E )1+ s , we have η ( P A,E n ( a, e ) (cid:12)(cid:12)(cid:12) P A | E ( a | e ) > e − R ′ o , log M ) + ε M e − R ′ ≤ η ( e − sH ↓ s ( A | E | P A,E )+ sR ′ , log M ) + ε M e − R ′ ≤ η ( e − sH ↓ s ( A | E | PA,E )+ sR s , log M ) + εe − sH ↓ s ( A | E | PA,E )+ sR s = η ( e − sH ↓ s ( A | E | PA,E )+ sR s , ε + log M ) . Since the above inequality holds for s ≥ , we have min R ′ η ( P A,E n ( a, e ) (cid:12)(cid:12)(cid:12) P A | E ( a | e ) > e − R ′ o , log M ) + ε M e − R ′ ≤ min ≤ s η ( e − sH ↓ s ( A | E | PA,E )+ sR s , ε + log M )= η (min ≤ s e − sH ↓ s ( A | E | PA,E )+ sR s , ε + log M ) , Hence, combining (75), we obtain (82).
Remark 2:
Here, we compare the amounts of calculation required for the bounds obtained in Sections IV, V, and VI. In order to calculate the bounds ∆ d, ( M , ε | P A,E ) , ∆ I, ( M , ε | P A,E ) , ∆ d, min ( M , ε | P A,E ) , and ∆ I, min ( M , ε | P A,E ) based on the smoothing, we need to calculate the smooth entropies, which contain several optimizations. Hence, the calculation of these bounds requires at least a double optimization process, and they need larger amounts of calculation. In particular, as the block size becomes larger, their calculation amounts increase heavily.
The bounds given in Section V are calculated from the tail probability. For example, the tail probability P A,E { ( a, e ) | P A | E ( a | e ) > e − R ′ } can be characterized as the tail probability with respect to the random variable log P A | E ( a | e ) because P A,E { ( a, e ) | P A | E ( a | e ) > e − R ′ } = P A,E { ( a, e ) | log P A | E ( a | e ) > − R ′ } . Hence, in the i.i.d. case, this probability can be calculated by using statistical packages. While the calculation amount increases with the block size, it is not as large as in the above cases because statistical packages can be used.
The calculation amounts of the bounds given in Section VI are quite small. In particular, in the i.i.d. case, the calculation amounts do not depend on the block size. These bounds have great advantages with respect to their calculation amounts.
VII. SECRET KEY GENERATION: ASYMPTOTIC CASE
Next, we consider the case when the information source is given by the n -fold independent and identical distribution P nA,E of P A,E , i.e., P A n ,E n = P nA,E . In this case, Ahlswede and Csisz´ar [7] showed that the optimal generation rate G ( P AE ) := sup { ( f n , M n ) } (cid:26) lim n →∞ log M n n (cid:12)(cid:12)(cid:12)(cid:12) d ′ ( f n ( A n ) | E n | P nA,E ) → (cid:27) equals the conditional entropy H ( A | E ) , where f n is a function from A n to { , . . . , M n } . That is, when the generation rate R = lim n →∞ log M n n is smaller than H ( A | E ) , the quantity d ′ ( f n ( A n ) | E n | P nA,E ) goes to zero. In order to treat the speed ofthis convergence, we focus on the supremum of the exponential rate of decrease (exponent) for d ′ ( f n ( A n ) | E n | P nA,E ) and I ′ ( f n ( A n ) | E n | P nA,E ) = I ( f n ( A n ) : E n | P nA,E ) + D ( P f n ( A n ) k P mix ,f n ( A n ) ) for a given R .Due to (30), when d ′ ( f C n ( A n ) | E n | P nA,E ) goes to zero, I ′ ( f C n ( A n ) | E n | P nA,E ) goes to zero. Conversely, due to (28), when I ′ ( f C n ( A n ) | E n | P nA,E ) goes to zero, d ′ ( f C n ( A n ) | E n | P nA,E ) goes to zero. So, even if we replace the security criterion by I ′ ( f C n ( A n ) | E n | P nA,E ) , the optimal generation rate does not change.Now, we consider the case when the length of generated keys behaves as nH ( A | E | P )+ √ nR . It is known in [29, SubsectionII-D] that lim n →∞ min f d ′ ( f ( A n ) | E n | P nA,E ) = 2 Z R/ √ V ( P ) −∞ √ π e − x / dx. (84)Then, using Theorem 24, we obtain the following theorem. Theorem 25:
We choose a polynomial P ( n ) . When a random linear function f X n from A n to { , . . . , ⌊ e nH ( A | E | P )+ √ nR ⌋} is P ( n ) -almost dual universal , the relations
lim n →∞ E X n d ′ ( f X n ( A n ) | E n | P nA,E ) = lim n →∞ min f d ′ ( f ( A n ) | E n | P nA,E ) = 2 Z R/ √ V ( P ) −∞ √ π e − x / dx (85)
hold, where we take the minimum under the condition that f is a function from A n to { , . . . , ⌊ e nH ( A | E | P )+ √ nR ⌋} and V ( P ) := P a,e P A,E ( a, e )(log P A | E ( a | e ) − H ( A | E | P )) .
Lemma 25 implies that any P ( n ) -almost dual universal hash function realizes the optimality in the sense of the second order asymptotics when we employ the L distinguishability criterion. This analysis is obtained from the smoothing bound of min entropy. That is, this analysis does not require the smoothing bound of Rényi entropy of order 2. The second order analysis with the mutual information criterion is not so easy. This topic will be discussed in a future paper.
Proof:
We apply (73) in Theorem 20 with R ′ = nH ( A | E | P )+ √ nR + n / . Then, the central limit theorem guarantees that
E X n d ′ ( f X n ( A n ) | E n | P nA,E ) ≤ ∆ d, min ( e nH ( A | E | P )+ √ nR + n / , P ( n ) | P nA,E )
≤ P nA,E { ( a, e ) | P nA | E ( a | e ) > e − nH ( A | E | P ) −√ nR − n / } + √ P ( n ) e − n / /
→ Z R/ √ V ( P ) −∞ √ π e − x / dx.
Since min f d ′ ( f ( A n ) | E n | P nA,E ) ≤ d ′ ( f X n ( A n ) | E n | P nA,E ) , combining (84), we obtain (85).
Now, we proceed to the exponential decreasing rate when the key generation rate R is greater than H ( A | E | P ) . Since the discussion of the exponential decreasing rate is more complex, a more delicate treatment is required. First, we should remark that the exponential decreasing rate depends on the choice of the security criterion. Then, we obtain the following theorem.
Theorem 26:
We choose a polynomial P ( n ) . When a linear random function f X n from A n to { , . . . , ⌊ e nR ⌋} is P ( n ) -almostdual universal , the relations lim inf n →∞ − n log E X n d ′ ( f X n ( A n ) | E n | P nA,E ) ≥ lim inf n →∞ − n log ∆ d, ( e nR , P ( n ) | P nA,E ) ≥ e d ( P A,E | R ) (86) lim inf n →∞ − n log E X n I ′ ( f X n ( A n ) | E n | P nA,E ) ≥ lim inf n →∞ − n log ∆ I, ( e nR , P ( n ) | P nA,E ) ≥ e I ( P A,E | R ) (87)hold, where e d ( P A,E | R ) := max ≤ t ≤ t ( H ↑ − t ( A | E | P A,E ) − R ) (88) e I ( P A,E | R ) := max ≤ s ≤ s ( H ↓ s ( A | E | P A,E ) − R ) . (89) Proof: (86) can be shown by Theorem 22. (87) can be shown by Theorem 23.As is shown in Appendix F-A, the following relation between two exponents e I ( P A,E | R ) and e d ( P A,E | R ) holds. Lemma 27: we obtain e I ( P A,E | R ) ≤ e d ( P A,E | R ) (90) e I ( P A,E | R ) ≥ e d ( P A,E | R ) . (91)First, we consider the tightness of Inequality (86). Corollary 17 yields the exponent e I ( P A,E | R )2 for the L distinguishabilitycriterion. Lemma 27 shows that the exponents by Theorem 22 is better than that by Corollary 17. Further, it is also shown in[36, Theorem 30] that there exists a sequence of universal functions f X n from A n to { , . . . , ⌊ e nR ⌋} such that lim sup n →∞ − n log E X n d ′ ( f X n ( A n ) | E n | P nA,E ) ≤ ¯ e d ( P A,E | R ) , (92)where ¯ e d ( P A,E | R ) := max ≤ t t ( H ↑ − t ( A | E | P A,E ) − R ) . (93)When the maximum max ≤ t t ( H ↑ − t ( A | E | P A,E ) − R ) is attained with t ∈ (0 , ] , we have e d ( P A,E | R ) = ¯ e d ( P A,E | R ) . Assumethat P ( n ) ≥ . Then, Since ∆ d, ( e nR , ≤ ∆ d, ( e nR , P ( n ) | P nA,E ) ≤ p P ( n )∆ d, ( e nR , | P nA,E ) , combining (76), (86), and(92) we have lim n →∞ − n log ∆ d, ( e nR , P ( n ) | P nA,E ) = lim n →∞ − n log ∆ d, ( e nR , | P nA,E ) = e d ( P A,E | R ) . 
(94)
That is, our evaluation (86) for ∆ d, ( e nR , P ( n ) | P nA,E ) is sufficiently tight in the large deviation sense.
Next, we consider the tightness of Inequality (87). Corollary 16 yields the exponent e d ( P A,E | R ) for the modified mutual information criterion. Lemma 27 shows that the exponent by Theorem 23 is better than that by Corollary 16. Further, the lower bound of the exponent e d ( P A,E | R ) is the same as that given in the previous paper [13] under the universal condition. Since the bound given in [13] is the best lower bound of the exponent, our evaluation (87) for ∆ I, ( e nR , P ( n ) | P nA,E ) is as good as the existing evaluation [13] in the large deviation sense.
From the above discussion, we find that the exponents directly obtained by the smoothing bound of Rényi entropy of order 2 are better than the exponents derived from the combination of Inequality (28)/(30) and the exponent of the other criterion. This fact indicates that we need to choose the smoothing bound depending on the security criterion.
Remark 3:
Now, we consider the relation with the recent paper [27], which discusses the quantum case as including the non-quantum case. When A = F q , we focus on a P ( n ) q − n + ⌊ nR ⌋ -almost universal surjective linear function f X n over the field F q from F nq to F ⌊ nR ⌋ q . Thanks to Proposition 10, the surjective linear random function f X n over the field F q is q + P ( n ) -almost dual universal . Hence, we obtain (86), which can recover a part of the result by [27] with the case of linear functions in the non-quantum case. The paper [27] showed the security with an ϵ n -almost universal hash function when ϵ n approaches to . Since we assume the surjectivity, our method cannot recover the result by [27] with the linear hash function perfectly.
Now, we clarify how much better our smoothing bound of Rényi entropy of order 2 is than the smoothing bound of min entropy. As is shown in Appendix G, we obtain the following theorem.
Theorem 28:
The relations lim n →∞ − n log ∆ d, min ( e nR , ε | P nA,E )=˜ e d ( P A,E | R ) := max ≤ s s ( H ↑ s ( A | E | P A,E ) − R )1 + 2 s (95) lim n →∞ − n log ∆ I, min ( e nR , ε | P nA,E )=˜ e I ( P A,E | R ) := max ≤ s sH ↓ s ( A | E | P A,E ) − sR s (96)hold.For the comparison of the exponents by the smoothing bound of min entropy and R´enyi entropy of order 2, as is shown inAppendix F-B, we have the following lemma by using Theorem 24. Lemma 29:
The inequalities
e d ( P A,E | R ) > ˜ e d ( P A,E | R ) (97)
e I ( P A,E | R ) > ˜ e I ( P A,E | R ) (98)
hold when P A | E = e is not a uniform distribution for an element e ∈ E . The equalities e d ( P A,E | R ) = ˜ e d ( P A,E | R ) and e I ( P A,E | R ) = ˜ e I ( P A,E | R ) hold when P A | E = e is a uniform distribution for any element e ∈ E .
Theorem 28 and Lemma 29 show that the smoothing bound of min entropy cannot attain the exponents e d ( P A,E | R ) and e I ( P A,E | R ) . That is, the bounds ∆ d, ( e nR , ε | P nA,E ) and ∆ I, ( e nR , ε | P nA,E ) by the smoothing bound of Rényi entropy of order 2 are strictly better than the bounds ∆ d, min ( e nR , ε | P nA,E ) and ∆ I, min ( e nR , ε | P nA,E ) by the smoothing bound of min entropy in the sense of large deviation. This fact indicates the importance of the smoothing bound of Rényi entropy of order 2.
In summary, while the smoothing bound of min entropy yields the tight bound in the sense of the second order asymptotics, the smoothing bound of min entropy cannot yield the tight bound in the sense of the exponential decreasing rate.
Remark 4:
Here, we give the relation with the results in the quantum case [56]. The paper [56] showed that
lim inf n →∞ − n log ∆ d, ( e nR , P ( n ) | P nA,E ) ≥ max ≤ t ≤ t − t ) ( H ↑ − t ( A | E | P A,E ) − R ) (99)
lim inf n →∞ − n log ∆ I, ( e nR , P ( n ) | P nA,E ) ≥ max ≤ s ≤ s − s ( H ↓ s ( A | E | P A,E ) − R ) . (100)
The RHSs of (99) and (100) are smaller than e d ( P A,E | R ) and e I ( P A,E | R ) , respectively. Hence, our result is better in the non-quantum case.
VIII. EQUIVOCATION RATE OF SECRET KEY GENERATION
When the key generation rate R is larger than the conditional entropy H ( A | E | P A,E ) , the leaked information does not go to zero. In this case, it is natural to consider the rate of the conditional entropy of generated keys or the rate of the modified mutual information [30]. The former rate is called the equivocation rate, and is known to be less than the conditional entropy H ( A | E | P A,E ) [30]. That is, the rate of the modified mutual information is larger than R − H ( A | E | P A,E ) . Now, we show that the minimum rate of the modified mutual information R − H ( A | E | P A,E ) can be achieved by an ε -almost dual universal hash function. For this purpose, we employ (45) instead of (46). Then, we obtain a slightly stronger evaluation than Theorem 18.
Theorem 30:
Assume that Q E is a normalized distribution on E , P A,E is a sub-distribution on
A × E , and a linear randomhash function f X from A to M = { , . . . , M } is ε -almost dual universal . Then, the random hash function f X satisfies E X I ′ ( f X ( A ) | E | P A,E ) ≤ ∆ I, min ( M , ε | P A,E ) , (101) where ∆ I, min ( M , ε | P A,E ) := min Q E min P ′ A,E : P ′ E ≤ Q E , η ( k P A,E − P ′ A,E k , log M ) + log(1 + εM e − H min ( A | E | P ′ A,E k P E ) ) (102) = min ǫ > η ( ǫ , log M ) + log(1 + ε M e − H ↓ ,ǫ ( A | E | P A,E ) ) (103) = min R ′ η ( min P ′ A,E : P ′ E ≤ P E ,H min ( A | E | P ′ A,E k P E ) ≥ R k P A,E − P ′ A,E k , log M ) + log(1 + ε M e − R ′ ) . (104)Further, by using similar discussions as Sections V and VI, the upper bound ∆ I, min ( M , ε | P A,E | P A,E ) can be evaluated asfollows. Theorem 31: ∆ I, min ( M , ε | P A,E | P A,E ) ≤ min R ′ η ( P A,E { ( a, e ) | P A | E ( a | e ) > e − R ′ } , log M ) + log(1 + ε M e − R ′ ) (105) ≤ min R ′ η (min s ≥ e s ( R ′ − H ↓ s ( A | E | P A,E ) , log M ) + log(1 + ε M e − R ′ ) (106) Proof:
Inequality (105) follows from Lemma 19 and (104). Inequality (106) follows from (83) with Q E = P E .

Now, we consider the asymptotic behavior of ∆ I, min ( ⌈ e nR ⌉ , ε | P nA,E ) .

Theorem 32:
Any polynomial P ( n ) satisfies
lim n →∞ n ∆ I, min ( ⌈ e nR ⌉ , P ( n ) | P nA,E ) = R − H ( A | E | P A,E ) (107)
for R ≥ H ( A | E | P A,E ) .

Theorem 32 shows that ε -almost dual universal hash functions realize the asymptotically optimal performance in the sense of equivocation rate. Further, Theorem 32 clarifies that the smoothing bound of min entropy yields the optimal evaluation in the sense of equivocation rate.

Proof:
It is known by [30] that any sequence of hash functions from A to { , . . . , ⌈ e nR ⌉} satisfies
lim inf n →∞ n E X ,n I ′ ( f X ,n ( A ) | E | P A,E ) ≥ R − H ( A | E | P A,E ) . (108)
Hence, it is enough to show that
lim sup n →∞ n ∆ I, min ( ⌈ e nR ⌉ , P ( n ) | P nA,E ) ≤ R − H ( A | E | P A,E ) . (109)
We choose R ′ < H ( A | E | P A,E ) . Relation (106) implies that
n ∆ I, min ( ⌈ e nR ⌉ , P ( n ) | P nA,E ) ≤ n η (min s ≥ e sn ( R ′ − H ↓ s ( A | E | P A,E ) , nR ) + 1 n log(1 + P ( n ) e n ( R − R ′ ) ) (110)
Since R ′ < H ( A | E | P A,E ) , the value min s ≥ e sn ( R ′ − H ↓ s ( A | E | P A,E ) goes to zero exponentially. Hence, the term n η (min s ≥ e sn ( R ′ − H ↓ s ( A | E | P A,E ) , nR ) goes to zero. Since n log(1 + P ( n ) e n ( R − R ′ ) ) ≤ R − R ′ + n log(1 + P ( n )) → R − R ′ , we have
lim sup n →∞ n ∆ I, min ( ⌈ e nR ⌉ , P ( n ) | P nA,E ) ≤ R − R ′ . (111)
Since R ′ is an arbitrary real number satisfying R ′ < H ( A | E | P A,E ) , we obtain (109).

IX. CONCLUSION
We have derived upper bounds for the leaked information in the modified mutual information criterion and the L distinguishability criterion when we apply an ε -almost dual universal hash function for privacy amplification (Theorems 23 and 22 in Section VI). Then, we have derived lower bounds on their exponential decreasing rates in the i.i.d. setting (Theorem 26 in Section VII).

We have rigorously compared the exponents by the smoothing bound of min-entropy and Rényi entropy of order 2. That is, we have clarified the upper bounds of leaked information via the smoothing of min-entropy in both criteria. That is, we have compared ∆ d, ( M, ε | P A,E ) and ∆ d, min ( M, ε | P A,E ) for Rényi entropy of order 2, and have done the same with ∆ I, ( M, ε | P A,E ) and ∆ I, min ( M, ε | P A,E ) for the modified mutual information criterion. We have derived the exponents of the upper bounds (Theorem 28 in Section VI), and have shown that the exponents are strictly worse than the exponents by the smoothing bound of Rényi entropy of order 2 (Lemma 29 in Section VI). This fact shows the importance of the smoothing of Rényi entropy of order 2. The obtained exponents are summarized in Table II.

Due to Pinsker inequality and Inequality (30), the exponential convergence of one criterion yields the exponential convergence of the other criterion. However, we have shown that better exponential decreasing rates can be obtained by separate derivations. For example, the smoothing of Rényi entropy of order 2 yields the exponent e d ( P A,E | R ) for the L distinguishability criterion, which yields the exponent e d ( P A,E | R ) for the modified mutual information criterion by using Pinsker inequality. Similarly, the smoothing of Rényi entropy of order 2 yields the exponent e I ( P A,E | R ) for the modified mutual information criterion, which yields the exponent e I ( P A,E | R )2 for the L distinguishability criterion by Inequality (30).
Since e d ( P A,E | R ) ≥ e I ( P A,E | R )2 and e I ( P A,E | R ) ≥ e d ( P A,E | R ) , the exponents directly derived by the smoothing of Rényi entropy of order 2 are better than the exponents derived from the combination of the exponent for the other criterion and the inequality.

TABLE II
SUMMARY OF OBTAINED LOWER BOUNDS ON EXPONENTS.

Method            L                      MMI
smooth Rényi 2    e d ( P A,E | R )      e I ( P A,E | R )
smooth min        ˜ e d ( P A,E | R )    ˜ e I ( P A,E | R )

smooth Rényi 2 is the exponent for privacy amplification via the smoothing of Rényi entropy of order 2. smooth min is the exponent for privacy amplification via the smoothing of min entropy. L2 is the L distinguishability criterion. MMI is the modified mutual information criterion.

We have also shown that the application of ε -almost dual universal hash function attains the asymptotically optimal performance in the sense of the second order asymptotics as well as in that of the asymptotic equivocation rate. These facts have been shown by using the smoothing of min entropy. We can conclude that ε -almost dual universal hash functions are a very useful class of hash functions. Further, these discussions show that the smoothing of min entropy is sufficiently powerful except for the exponential decreasing rate. That is, the exponential decreasing rate requires more delicate evaluation than other settings.

ACKNOWLEDGMENTS
The author is grateful to Dr. Toyohiro Tsurumaru, Dr. Shun Watanabe, Dr. Marco Tomamichel, Dr. Mario Berta, Dr. William Henry Rosgen, Dr. Li Ke, and Dr. Markus Grassl for helpful comments. He is also grateful to the referee of the first version of [14] for informing him of the literature [9], [10]. He is partially supported by a MEXT Grant-in-Aid for Scientific Research (A) No. 23246071 and the National Institute of Information and Communication Technology (NICT), Japan. The Centre for Quantum Technologies is funded by the Singapore Ministry of Education and the National Research Foundation as part of the Research Centres of Excellence programme.

APPENDIX A
PROOF OF LEMMA
X ( e ) and Y ( e ) , the reverse Hölder inequality [34]
X e X ( e ) Y ( e ) ≥ ( X e X ( e ) / (1+ s ) ) s ( X e Y ( e ) − /s ) − s
holds for s ∈ (0 , ∞ ] . Substituting P a P A,E ( a, e ) s and Q E ( e ) − s into X ( e ) and Y ( e ) , we obtain
e − sH s ( A | E | P A,E ‖ Q E ) = X e X a P A,E ( a, e ) s Q E ( e ) − s ≥ ( X e ( X a P A,E ( a, e ) s ) / (1+ s ) ) s ( X e Q E ( e ) − s ·− /s ) − s =( X e ( X a P A,E ( a, e ) s ) / (1+ s ) ) s =( X e ( X a P A,E ( a, e ) s ) s ) s
for s ∈ (0 , ∞ ] . Since the equality holds when Q E ( e ) = ( P a P A,E ( a, e ) s ) / (1+ s ) / P e ( P a P A,E ( a, e ) s ) / (1+ s ) , we obtain
e − sH ↑ s ( A | E | P A,E ) , = min Q E e − sH s ( A | E | P A,E ‖ Q E ) = ( X e ( X a P A,E ( a, e ) s ) s ) s
which implies (13) with s ∈ (0 , ∞ ] .
For two non-negative functions X ( e ) and Y ( e ) , the Hölder inequality
X e X ( e ) Y ( e ) ≤ ( X e X ( e ) / (1+ s ) ) s ( X e Y ( e ) − /s ) − s
holds for s ∈ [ − , . The same substitution yields
e − sH s ( A | E | P A,E ‖ Q E ) ≤ ( X e ( X a P A,E ( a, e ) s ) s ) s
for s ∈ [ − , . Hence, similarly we obtain (13) with s ∈ [ − , .

APPENDIX B
PROOF OF LEMMA
s ∈ (0 , and two functions X ( a ) and Y ( a ) , the Hölder inequality
X a X ( a ) Y ( a ) ≤ ( X a | X ( a ) | / (1 − s ) ) − s ( X a | Y ( a ) | /s ) s
holds. The equality holds only when X ( a ) is a constant multiple of Y ( a ) . Substituting P A,E ( a, e ) and ( P A,E ( a,e ) P E ( e ) ) s into X ( a ) and Y ( a ) , we obtain
e − sH ↓ s ( A | E | P A,E ) = X e X a P A,E ( a, e )( P A,E ( a, e ) P E ( e ) ) s ≤ X e ( X a P A,E ( a, e ) / (1 − s ) ) − s ( X a P A,E ( a, e ) P E, normal ( e ) ) s = X e ( X a P A,E ( a, e ) / (1 − s ) ) − s = e − sH ↑ − s ( A | E | P A,E )
for s ∈ (0 , because P a P A,E ( a,e ) P E, normal ( e ) = P E ( e ) P E, normal ( e ) ≤ .
The equality condition holds only when P A | E = e is the uniform distribution for all e ∈ E .
For s ∈ [ − , and two functions X ( a ) and Y ( a ) , the reverse Hölder inequality [34]
X a X ( a ) Y ( a ) ≥ ( X a | X ( a ) | / (1 − s ) ) − s ( X a | Y ( a ) | /s ) s
holds. The same substitution yields
e − sH ↓ s ( A | E | P A,E ) ≥ e − sH ↑ − s ( A | E | P A,E )
for s ∈ [ − , because ( P a P A,E ( a,e ) P E, normal ( e ) ) s = ( P E ( e ) P E, normal ( e ) ) s ≥ . The equality condition holds only when P A | E = e is the uniform distribution for all e ∈ E .

APPENDIX C
PROOF OF LEMMA
s → , we obtain
H ( A | E | P A,E ) = − dφ ( s | A | E | P A,E ) ds | s =0 = − lim s → φ ( s | A | E | P A,E ) s = lim s → H ↑ s ( A | E | P A,E ) . (112)
The remaining properties are shown by the following lemma.

Lemma 33:
− dds sH ↑ s ( A | E | P A,E )= X a,e P A,E ; s ( a, e ) ( log P A | E ( a | e ) −
11 + s log( X a P A | E ( a | e ) s ) ) + φ ( s s | A | E | P A,E ) , (113)
− d ds sH ↑ s ( A | E | P A,E )=(1 + s ) X a,e P A,E ; s ( a, e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) − (1 + s ) ( X a,e P A,E ; s ( a, e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) ) . (114)
Hence, when we regard H ↑ ( A | E | P A,E ) as H ( A | E | P A,E ) and P A | E = e is not a uniform distribution for an element e ∈ E , the function s
↦ − sH ↑ s ( A | E | P A,E ) is strictly convex in ( − , ∞ ) . That is, the map s ↦ sH ↑ s ( A | E | P A,E ) is strictly concave and then the map s ↦ H ↑ s ( A | E | P A,E ) is strictly monotonically decreasing for s ∈ ( − , ∞ ) .

Proof:
We define ϕ ( s ) := X e P E ( e )( X a P A | E ( a | e ) s ) s . Then,
dϕ ( s ) ds = X a,e P A | E ( a | e ) s P E ( e )( P a P A | E ( a | e ) s ) s s ( P e P E ( e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) = ϕ ( s ) X a,e P A,E ; s ( a, e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) .
Since − dds sH ↑ s ( A | E | P A,E )= φ ( s s | A | E | P A,E ) + (1 + s ) dϕ ( s ) ds ϕ ( s ) − , we obtain (113).
Next, we show (114). Since
d ϕ ( s ) ds = X a,e P A | E ( a | e ) s P E ( e )( P a P A | E ( a | e ) s ) s s ( P e P E ( e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) + X a,e P A | E ( a | e ) s P E ( e )( P a P A | E ( a | e ) s ) s s ( P e P E ( e ) ( − s ) log P A | E ( a | e ) + 2(1 + s ) log( X a P A | E ( a | e ) s ) ) = ϕ ( s ) X a,e P A,E ; s ( a, e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) − s ) dϕ ( s ) ds ,
we have
d ds (1 + s ) φ ( s s | A | E | P A,E )=(1 + s ) d ds φ ( s s | A | E | P A,E ) + 2 dds φ ( s s | A | E | P A,E )=(1 + s ) ϕ ( s ) d ϕ ( s ) ds − dϕ ( s ) ds ϕ ( s ) + 2 dϕ ( s ) ds ϕ ( s )=(1 + s ) ϕ ( s ) d ϕ ( s ) ds − dϕ ( s ) ds ϕ ( s ) + 2 dϕ ( s ) ds ϕ ( s )=(1 + s ) X a,e P A,E ; s ( a, e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) − (1 + s ) ( X a,e P A,E ; s ( a, e ) (
11 + s log P A | E ( a | e ) − s ) log( X a P A | E ( a | e ) s ) ) ) , which implies (114).

APPENDIX D
PROOF OF THEOREM
I ′ ( A | E | P ) = log |A| − H ( A | E | P ) satisfies all of the above conditions. We can trivially check the conditions C4 Ideal case and C5 Normalization. We show the other conditions. C1 Chain rule can be shown as follows.
I ′ ( A, B | E | P ) = log |A| + log |B| − H ( A, B, E | P ) + H ( E | P )
= log |A| + log |B| − H ( B, E | P ) + H ( E | P ) − H ( A, B, E | P ) + H ( B, E | P )
= log |A| + log |B| − H ( B | E | P ) − H ( A | B, E | P ) = I ′ ( A | B, E | P ) + I ′ ( B | E | P ) .
When two marginal distributions P E, and P E, are distinguishable on E ,
I ′ ( A | E | λP + (1 − λ ) P ) = log |A| − H ( A, E | λP + (1 − λ ) P ) + H ( E | λP + (1 − λ ) P )
= log |A| − λH ( A, E | P ) − (1 − λ ) H ( A, E | P ) − h ( λ ) + λH ( E | P ) + (1 − λ ) H ( E | P ) + h ( λ )
= log |A| − λH ( A, E | P ) − (1 − λ ) H ( A, E | P ) + λH ( E | P ) + (1 − λ ) H ( E | P )
= λI ′ ( A | E | P ) + (1 − λ ) I ′ ( A | E | P ) ,
which implies C2 Linearity. I ′ ( A | E | P ) = D ( P ‖ P mix , A ⊗ P E ) ≥ . Since H ( A, E | P ) ≥ , I ′ ( A | E | P ) satisfies C3 Range. Thus, I ′ ( A | E | P ) satisfies all of the above properties.
Next, we show that a quantity satisfying all of the above properties is the modified mutual information criterion I ′ ( A | E | P ) = log |A| − H ( A | E | P ) . For this purpose, we focus on ˜ H ( A | E | P ) := log |A| − C ( A | E | P ) . Due to C1 Linearity, we have
˜ H ( A | E | P ) = X e P E ( e ) ˜ H ( A | E | P A | E = e ) .
Further, we see that the quantity ˜ H ( A | E | P A | E = e ) satisfies Khinchin’s axioms [55] for entropy because of the remaining properties. Hence, we find that ˜ H ( A | E | P A | E = e ) = H ( P A | E = e ) . Thus, ˜ H ( A | E | P ) is equal to the conditional entropy H ( A | E | P ) . Hence, C ( A | E | P ) = I ′ ( A | E | P ) .
APPENDIX E
PROOF OF PROPOSITION
δ -biased ensemble, we make several preparations before starting the proof of Proposition 12. According to Dodis and Smith [9], we introduce δ -biased ensemble of random variables W X on a vector space over a general finite field F q , where q is a power of the prime p . First, we fix a non-degenerate bilinear form ( , ) from F q to F p . Then, we define ( x · y ) ∈ F p for x, y ∈ F nq as ( x · y ) := P nj =1 x j · y j . For a given δ > , an ensemble of random variables { W X } on F nq is called δ -biased when the inequality
E X | E W X ω ( x · W X ) p | ≤ δ (115)
holds for any x ≠ 0 ∈ F nq , where ω p := e πip .
We denote the random variable subject to the uniform distribution on a code C ∈ F nq , by W C . Then,
E W C ω ( x · W C ) p = { if x ∉ C ⊥ , if x ∈ C ⊥ . (116)
Using the above relation, as is suggested in [9, Case 2], we obtain the following lemma.

Lemma 34:
When a random code C X in F nq is ε -almost dual universal with minimum dimension t , the ensemble of random variables W C X in F nq is √( εq − t ) -biased.

Proof: C ⊥ X is ε -almost universal with maximum dimension n − t in F nq . Hence, for any x ∈ F nq , the probability Pr { x ∈ C ⊥ X } is less than εq − t . Thus, (116) guarantees that the ensemble of random variables W C X in F nq is √( εq − t ) -biased.

In the following, we treat the case of A = F nq . Given a joint sub-distribution P A,E on A × E and a normalized distribution P W on A , we define another joint sub-distribution P A,E ∗ P W ( a, e ) := P w P W ( w ) P A,E ( a − w, e ) . Using these concepts, Dodis and Smith [9] evaluated the average of d ( A | E | P A,E ∗ P W X ‖ Q E ) as follows.

Proposition 35 ([9, Lemma 4]):
For any joint sub-distribution P A,E on A × E and any normalized distribution Q E on E , a δ -biased ensemble of random variables { W X } on A = F nq satisfies
E X d ( A | E | P A,E ∗ P W X ‖ Q E ) ≤ δ e − H ( A | E | P A,E ‖ Q E ) . (117)
More precisely,
E X d ( A | E | P A,E ∗ P W X ‖ Q E ) ≤ δ d ( A | E | P A,E ‖ Q E ) . (118)

The original proof by Dodis and Smith [9] treated the case q = 2 . Fehr and Schaffner [10] extended this lemma to the quantum setting in the case q = 2 . Their proof is based on Fourier analysis and is easy to understand. The proof for a general prime power q is given later by generalizing the idea of Fehr and Schaffner [10]. Dodis and Smith [9, Lemma 6] also considered the case of a general prime power q . They did not explicitly give Proposition 35 and the definition (115) for a general prime power q .

Proposition 12 essentially coincides with Proposition 35. However, the concept “ δ -biased” does not concern a linear random hash function while the concept “ ε -almost dual universality ” does, because the former is defined for the ensemble of random variables. That is, the latter is a generalization of a universal linear hash function while the former is not. Hence, Proposition 35 cannot directly provide the performance of a linear random hash function. In contrast, Proposition 12 shows how the privacy amplification by a linear hash function decreases the leaked information. Therefore, in the main part of this paper, using Proposition 12, we treat the exponential decreasing rate when we apply the privacy amplification by an ε -almost dual universal linear hash function.

Proof of Proposition 12:
Due to Lemma 34 and (117), we obtain
E X d ( A | E | P A,E ∗ P W C X ‖ Q E ) ≤ εq − t e − H ( A | E | P A,E ‖ Q E ) . (119)
Denoting the quotient class with respect to the subspace C with the representative a ∈ A by [ a ] , we obtain
P A,E ∗ P W C ( a, e ) = X w ∈ C q − t P A,E ( a − w, e )= q − t P A,E ([ a ] , e ) .
Now, we focus on the relation
A ≅ A /C × C ≅ f C ( A ) × C . Then, P A,E ∗ P W C X ( b, w, e ) = q − t P f C ( A ) ,E ( b, e ) . Thus,
d ( A | E | P A,E ∗ P W C ‖ Q E )= q − t d ( f C ( A ) | E | P f C ( A ) ,E ‖ Q E )= q − t d ( f C ( A ) | E | P A,E ‖ Q E ) . (120)
Therefore, (119) implies
E X q − t d ( f C X ( A ) | E | P A,E ‖ Q E ) ≤ εq − t e − H ( A | E | P A,E ‖ Q E ) ,
which implies (41).
Similarly, Lemma 34, (118), and (120) imply that
E X q − t d ( f C X ( A ) | E | P A,E ‖ Q E ) ≤ εq − t e − H ( A | E | P A,E ‖ Q E ) .
Since E X d ( f C X ( A ) | E | P A,E ‖ Q E ) = E X e − H ( f C X ( A ) | E | P A,E ‖ Q E ) − q n − t e D ( P E ‖ Q E ) , we have (42).

We make some preparations before our proof of Proposition 35. First, remember that A is a vector space F nq and E is a general discrete set. We define the ℓ norm over the space L ( A × E ) as
‖ f ‖ := X a ∈A ,e ∈E | f ( a, e ) | , ∀ f ∈ L ( A × E ) . (121)
Then, we define the discrete Fourier transform F on L ( A × E ) as
F ( f )( a ′ , e ) := q − n X a ∈A ω ( a ′ · a ) p f ( a, e ) , ∀ f ∈ L ( A × E ) , ∀ a ′ ∈ A , ∀ e ∈ E , (122)
which satisfies ‖F f ‖ = ‖ f ‖ . For ∀ f, g ∈ L ( A × E ) , the convolution f ∗ g :
f ∗ g ( a, e ) := X a ′ ∈A f ( a − a ′ , e ) g ( a ′ , e ) (123)
satisfies
F ( f ∗ g )( a, e ) = q n F ( f )( a, e ) F ( g )( a, e ) . (124)
We prepare the following lemma.

Lemma 36:
When f P A,E ,Q E ∈ L ( A × E ) is defined as
f P A,E ,Q E ( a, e ) := P A,E ( a, e ) Q E ( e ) − , (125)
we have
‖ f P A,E ,Q E ‖ = e − H ( A | E | P A,E ‖ Q E ) (126)
X e ∈E |F ( f P A,E ,Q E )(0 , e ) | = e D ( P E ‖ Q E ) (127)
X a ≠ 0 ∈A e ∈E |F ( f P A,E ,Q E )( a, e ) | = d ( A | E | P A,E ‖ Q E ) . (128)

Proof: (126) and (127) are shown as follows.
‖ f P A,E ,Q E ‖ = X a,e ( P A,E ( a, e ) Q E ( e ) − ) = e − H ( A | E | P A,E ‖ Q E )
X e ∈E |F ( f P A,E ,Q E )(0 , e ) | = X e ( X a P A,E ( a, e ) Q E ( e ) − ) = X e ( P E ( e ) Q E ( e ) − ) = e D ( P E ‖ Q E ) .
(128) is shown as follows.
X a ≠ 0 ∈A ,e ∈E |F ( f P A,E ,Q E )( a, e ) | = ‖F ( f P A,E ,Q E ) ‖ − X e ∈E |F ( f P A,E ,Q E )(0 , e ) | = ‖ f P A,E ,Q E ‖ − X e ∈E |F ( f P A,E ,Q E )(0 , e ) | = e − H ( A | E | P A,E ‖ Q E ) − e D ( P E ‖ Q E ) = d ( A | E | P A,E ‖ Q E ) .

Proof of Proposition 35:
Now, we choose g X ∈ L ( A × E ) as
g X ( a, e ) := P W X ( a ) . (129)
Then,
f P A,E ,Q E ∗ g X = f P A,E ∗ P W X ,Q E . (130)
The assumption yields that
E X |F ( g X )( a, e ) | = E X | q − n X a ∈A ω ( a ′ · a ) p P W X ( a ) | ≤ δ q − n (131)
for a ′ ≠ 0 ∈ A . Hence,
E X d ( A | E | P A,E ∗ P W X ‖ Q E )
(a) = E X X a ≠ 0 ∈A ,e ∈E |F ( f P A,E ∗ P W X ,Q E )( a, e ) |
(b) = E X X a ≠ 0 ∈A ,e ∈E |F ( f P A,E ,Q E ∗ g X )( a, e ) |
(c) = E X X a ≠ 0 ∈A ,e ∈E | q n F ( f P A,E ,Q E )( a, e ) F ( g X )( a, e ) |
(d) ≤ δ E X X a ≠ 0 ,e |F ( f P A,E ,Q E )( a, e ) |
(e) = δ d ( A | E | P A,E ‖ Q E ) ≤ δ e − H ( A | E | P A,E ‖ Q E ) , (132)
which shows (117) and (118). Here, ( a ) , ( b ) , ( c ) , ( d ) , and ( e ) follow from (128), (130), (124), (131), and (128), respectively.

APPENDIX F
PROOFS OF COMPARISONS OF EXPONENTS
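Added example, not part of the paper: a numerical check of Proposition 35 (inequality (118)) and Lemma 34 from Appendix E on A = F_2^3, using as the ensemble the uniform distributions on the seven kernels of the one-bit linear hashes f_h(a) = h·a. It assumes the order-2 forms d_2(A|E|P‖Q) = Σ_{a,e} P(a,e)²/Q(e) − (1/|A|) Σ_e P_E(e)²/Q(e) and a squared bias in (115); the sample P_{A,E}, the distribution Q_E and all function names are constructed for illustration.

```python
import itertools
import random

N = 3                                   # A = F_2^N, so q = p = 2 and omega_p = -1
A = list(itertools.product((0, 1), repeat=N))
E = ("e0", "e1")                        # constructed alphabet for the adversary

def dot(x, y):
    """Bilinear form (x . y) over F_2."""
    return sum(a & b for a, b in zip(x, y)) % 2

def xor(x, y):
    """Difference a - w in F_2^N (identical to the sum)."""
    return tuple(a ^ b for a, b in zip(x, y))

def d2(P, Q, alphabet):
    """Assumed form: sum_{a,e} P(a,e)^2/Q(e) - (1/|alphabet|) sum_e P_E(e)^2/Q(e)."""
    total = 0.0
    for e in E:
        col = [P[(a, e)] for a in alphabet]
        total += (sum(p * p for p in col) - sum(col) ** 2 / len(alphabet)) / Q[e]
    return total

def mask(P, W):
    """The convolution P_{A,E} * P_W: (a, e) -> sum_w P_W(w) P(a - w, e)."""
    return {(a, e): sum(pw * P[(xor(a, w), e)] for w, pw in W.items())
            for a in A for e in E}

def bias_sq(W, x):
    """|E_W omega^(x . W)|^2 for the distribution W on A."""
    return sum(pw * (-1) ** dot(x, w) for w, pw in W.items()) ** 2

def code_ensemble():
    """For each nonzero h: the code C_h = ker(a -> h.a) (dimension t = 2)
    together with the uniform distribution W_{C_h} on it."""
    out = []
    for h in A:
        if any(h):
            code = [w for w in A if dot(h, w) == 0]
            out.append((h, {w: 1.0 / len(code) for w in code}))
    return out

def hashed(P, h):
    """Joint distribution of (f_h(A), E) for the linear hash f_h(a) = h.a."""
    out = {(b, e): 0.0 for b in (0, 1) for e in E}
    for (a, e), p in P.items():
        out[(dot(h, a), e)] += p
    return out

def run(seed=1):
    rng = random.Random(seed)
    raw = {(a, e): rng.random() for a in A for e in E}   # constructed sample
    norm = sum(raw.values())
    P = {k: v / norm for k, v in raw.items()}
    Q = {"e0": 0.3, "e1": 0.7}                           # arbitrary normalized Q_E
    ens = code_ensemble()
    # Smallest delta^2 for which the ensemble is delta-biased.
    delta_sq = max(sum(bias_sq(W, x) for _, W in ens) / len(ens)
                   for x in A if any(x))
    base = d2(P, Q, A)
    lhs = sum(d2(mask(P, W), Q, A) for _, W in ens) / len(ens)   # E_X d2(P * P_W)
    rhs = delta_sq * base                                        # delta^2 d2(P)
    # Average d2 of the hashed variable f_h(A), alphabet {0, 1}.
    hashed_avg = sum(d2(hashed(P, h), Q, (0, 1)) for h, _ in ens) / len(ens)
    return delta_sq, lhs, rhs, hashed_avg, base

if __name__ == "__main__":
    print(run())
```

Here each nonzero x lies in exactly one of the seven dual codes, so δ² = 1/7 = εq^{−t} with t = 2 and ε = 4/7, and the factor q^{−t} between the masked and the hashed quantity is the one in (120).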
A. Proof of Lemma 27
Inequality (91) can be shown from (15). Lemma 4 yields that
e I ( P A,E | R )= max ≤ s ≤ s H ↓ s ( A | E | P A,E ) − s R
≤ max ≤ s ≤ s H ↑ s ( A | E | P A,E ) − s R
= max ≤ t ≤ / t − t ) ( H ↑ − t ( A | E | P A,E ) − R )
≤ max ≤ t ≤ / t ( H ↑ − t ( A | E | P A,E ) − R ) (133)
= e d ( P A,E | R ) ,
where t = s s , i.e., s = t − t . Inequality (133) follows from the non-negativity of the RHS of (133) and the inequality − t ) ≤ .

B. Proof of Lemma 29
Lemma 7 implies that
H ↑ − s ( A | E | P A,E ) < H ↑ s ( A | E | P A,E )
Choosing t = s s , we have
max ≤ s s ( H ↑ s ( A | E | P A,E ) − R )1 + 2 s = max ≤ t ≤ t ( H ↑ − t ( A | E | P A,E ) − R )1 + t < max ≤ t ≤ t ( H ↑ t ( A | E | P A,E ) − R )1 + t ,
which implies (97). Similarly, since H t ( A | E | P A,E ) is strictly monotonically increasing with respect to t ,
max ≤ s sH ↓ s ( A | E | P A,E ) − sR s = max ≤ t ≤ tH − t ( A | E | P A,E ) − tR < max ≤ t ≤ tH t ( A | E | P A,E ) − tR,
which implies (98).
When P A | E = e is a uniform distribution for any element e ∈ E , H t ( A | E | P A,E ) and H ↑ t ( A | E | P A,E ) do not depend on t . Hence, we obtain max ≤ s s ( H ↑ s ( A | E | P A,E ) − R )1+2 s = max ≤ t ≤ t ( H ↑ t ( A | E | P A,E ) − R )1+ t = H ( A | E | P A,E ) − R and max ≤ s sH ↓ s ( A | E | P A,E ) − sR s = max ≤ t ≤ tH t ( A | E | P A,E ) − tR = H ( A | E | P A,E ) − R , which imply the equalities e d ( P A,E | R ) = ˜ e d ( P A,E | R ) and e I ( P A,E | R ) = ˜ e I ( P A,E | R ) .

APPENDIX G
SMOOTHING BOUND OF MIN ENTROPY
A. Proof of (96) of Theorem 28
First, ∆ I, min ( e nR , ε | P nA,E ) is the upper bound by the smoothing of min entropy in the modified mutual information criterion as is mentioned in (67). Using the relation (82) in Theorem 24, we obtain
lim inf n →∞ − n log ∆ I, min ( e nR , ε | P nA,E ) ≥ max ≤ s sH ↓ s ( A | E | P A,E ) − sR s . (134)
Now, we show the opposite inequality. Applying the Cramér Theorem [35], we obtain
lim n →∞ − n log P nA,E { ( a, e ) ∈ A n × E n | P nA | E ( a | e ) ≥ e − nR ′ } = max ≤ s sH ↓ s ( A | E | P A,E ) − sR ′ . (135)
Since sH ↓ s ( A | E | P A,E ) − sR ′ is monotone decreasing with respect to R ′ and R ′ − R is monotone increasing with respect to R ′ , we have
max R ′ min { sH ↓ s ( A | E | P A,E ) − sR ′ , R ′ − R } = sH ↓ s ( A | E | P A,E ) − sR s (136)
because the solution of sH ↓ s ( A | E | P A,E ) − sR ′ = R ′ − R with respect to R ′ is sH ↓ s ( A | E | P A,E )+ R s .
Using the lower bound (74) in Theorem 20 with c = 2 , (135), and (136), we have
lim n →∞ − n log min ε> ( η ( ε, nR ) + e nR − H ↓ ,ε min ( A | E | P nA,E ) )
≤ lim n →∞ − n log min R ′ η (2 P nA,E { ( a, e ) ∈ A n × E n | P nA | E ( a | e ) ≥ e − n R ′ } , log e nR ) + e nR e − nR ′
= max R ′ lim n →∞ − n log η (2 P nA,E { ( a, e ) ∈ A n × E n | P nA | E ( a | e ) ≥ e − n R ′ } , log e nR ) + e n ( R − R ′ )
= max R ′ min { lim n →∞ − n log η (2 P nA,E { ( a, e ) ∈ A n × E n | P nA | E ( a | e ) ≥ e − n R ′ } , log e nR ) , R ′ − R }
= max R ′ min { max ≤ s sH ↓ s ( A | E | P A,E ) − sR ′ , R ′ − R }
= max R ′ max ≤ s min { sH ↓ s ( A | E | P A,E ) − sR ′ , R ′ − R }
= max ≤ s max R ′ min { sH ↓ s ( A | E | P A,E ) − sR ′ , R ′ − R }
= max ≤ s sH ↓ s ( A | E | P A,E ) − sR s . (137)
Hence, we obtain (96).

B. Proof of (95) of Theorem 28
The quantity ∆ d, min ( e nR , ε | P nA,E ) is the upper bound by smoothing of min entropy in the L distinguishability criterion as is mentioned in (66). Using the relation (81) in Theorem 24, we obtain
lim inf n →∞ − n log ∆ d, min ( e nR , ε | P nA,E ) ≥ max ≤ s sH ↑ s ( A | E | P A,E ) − sR s . (138)
We show the opposite inequality in (95) by using the following lemma. The proof of Lemma 37 will be shown later.

Lemma 37:
The following inequality
lim n →∞ − n log min Q E,n P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) Q E,n ( e ) ≥ e − nR ′ } ≤ max ≤ s sH ↑ s ( A | E | P A,E ) − sR ′ . (139)

Using (139) in Lemma 37 and the lower bound (72) in Theorem 20 with c = 2 , we obtain
lim n →∞ − n log(min ϵ > ϵ + e nR e − H ↓ ,ϵ ( A | E | P nA ) )
≤ lim n →∞ − n log(min R ′ min Q E,n P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) Q E,n ( e ) ≥ e − nR ′ } + e n ( R − R ′ ) )
= max R ′ lim n →∞ − n log( min Q E,n P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) Q E,n ( e ) ≥ e − nR ′ } + e n ( R − R ′ ) )
= max R ′ min { lim n →∞ − n log( min Q E,n P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) Q E,n ( e ) ≥ e − nR ′ } ) , R ′ − R }
≤ max R ′ min { max ≤ s sH ↑ s ( A | E | P A,E ) − sR ′ , R ′ − R }
= max R ′ max ≤ s min { sH ↑ s ( A | E | P A,E ) − sR ′ , R ′ − R }
= max ≤ s max R ′ min { sH ↑ s ( A | E | P A,E ) − sR ′ , R ′ − R } . (140)
Further, sH ↑ s ( A | E | P A,E ) − sR ′ is monotone increasing with respect to R ′ and R − R ′ is monotone decreasing with respect to R ′ . Solving the equation sH ↑ s ( A | E | P A,E ) − sR ′ = R ′ − R with respect to R ′ , we have R ′ = sH ↑ s ( A | E | P A,E )+ R s , which implies that
max R ′ min { sH ↑ s ( A | E | P A,E ) − sR ′ , R ′ − R } = sH ↑ s ( A | E | P A,E ) − sR s .
Thus,
max ≤ s max R ′ min { sH ↑ s ( A | E | P A,E ) − sR ′ , R ′ − R } = max ≤ s sH ↑ s ( A | E | P A,E ) − sR s .
Hence, we obtain (95).
Proof of Lemma 37:
We show Lemma 37 by using Lemmas 38 and 40, which will be given later. For any distribution Q E,n , we define the permutation invariant distribution Q E,n, inv by
Q E,n, inv ( e ) := X g ∈ S n n ! Q E,n ( g ( e )) ,
where S n is the n -th permutation group and g ( e ) is the element permuted from e ∈ E n by g ∈ S n . Then, we have
P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) Q E,n ( e ) ≥ e − nR ′ }
= P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) ≥ e − nR ′ Q E,n ( e ) }
≥ P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) ≥ e − nR ′ Q E,n, inv ( e ) }
= 12 P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) Q E,n, inv ( e ) ≥ e − nR ′ } ,
where the inequality follows from Lemma 38. Here, we denote the set of types of E by T n, E . For any element Q E ∈ T n, E , we denote the uniform distribution over the subset of elements whose type is Q E by ˆ Q E . Now, we define the distribution
Q E,n, inv , mix ( e ) := 1 | T n, E | X Q E ∈ T n, E ˆ Q E ( e ) .
Since Q E,n, inv ( e ) ≤ | T n, E | Q E,n, inv , mix ( e ) , we have
P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) ≥ e − nR ′ Q E,n, inv ( e ) } ≥ P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) ≥ | T n, E | e − nR ′ Q E,n, inv , mix ( e ) } .
For a given sequence ( a, e ) ∈ A× E , we denote the type of ( a, e ) by P ′ A,E and its marginal distribution over E of P ′ A,E by P ′ E . Then, P nA,E ( a, e ) = e − n ( D ( P ′ A,E ‖ P A,E )+ H ( P ′ A,E )) and | T n, E | Q E,n, inv , mix ( e ) = e − nH ( P ′ E ) . That is, the condition P nA,E ( a, e ) ≥ | T n, E | e − nR ′ Q E,n, inv , mix ( e ) is equivalent to the condition D ( P ′ A,E ‖ P A,E ) + H ( P ′ A,E ) ≤ log 4 n + H ( P ′ E ) + R ′ . We denote the set of sequences whose types are P ′ A,E by T P A,E ′ .
Hence,
P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) ≥ | T n, E | e − nR ′ Q E,n, inv , mix ( e ) }
= X P ′ A,E ∈ T n, A×E : D ( P ′ A,E ‖ P A,E )+ H ( P ′ A,E ) ≤ log 4 n + H ( P ′ E )+ R ′ P nA,E ( T P A,E ′ )
≥ max P ′ A,E ∈ T n, A×E : D ( P ′ A,E ‖ P A,E )+ H ( P ′ A,E ) ≤ log 4 n + H ( P ′ E )+ R ′ P nA,E ( T P ′ A,E ) .
Since P nA,E ( T P ′ A,E ) ≅ e − nD ( P ′ A,E ‖ P A,E ) , taking the limit, we have
lim n →∞ − n log 12 P nA,E { ( a, e ) ∈ A n × E n | P nA,E ( a, e ) ≥ | T n, E | e − nR ′ Q E,n, inv , mix ( e ) }
≤ max P ′ A,E { D ( P ′ A,E ‖ P A,E ) | D ( P ′ A,E ‖ P A,E ) + H ( P ′ A,E ) ≤ R ′ + H ( P ′ E ) }
= max P ′ A,E { D ( P ′ A,E ‖ P A,E ) | D ( P ′ A,E ‖ P A,E ) + H ( A | E | P ′ A,E ) ≤ R ′ } .
Hence, combining Lemma 40, we obtain (139).
Lemma 38:
The relation
P nA { a ∈ A n | c ≥ f ( a ) } ≥ P mix , A { a ∈ A n | c ≥ n ! X g ∈ S n f ( g ( a )) } (141)
holds for any function f .

Proof:
Lemma 38 can be shown by applying Lemma 39 to each of the distributions conditioned on the type.
Lemma 39:
The relation
P mix , A { a | c ≥ f ( a ) } ≥ P mix , A { a | c ≥ |A| X a f ( a ) } (142)
holds for any function f .

Proof:
Markov inequality implies that
P mix , A { a | c < f ( a ) } ≤ c |A| X a f ( a ) .
When c ≥ |A| P a f ( a ) , − c |A| P a f ( a ) is greater than . Hence,
P mix , A { a | c ≥ f ( a ) } = 1 − P mix , A { a | c < f ( a ) } ≥ − c |A| X a f ( a ) ≥ P mix , A { a | c ≥ |A| X a f ( a ) } .

Lemma 40:
The relation
min P ′ A,E { D ( P ′ A,E ‖ P A,E ) | D ( P ′ A,E ‖ P A,E ) + H ( A | E | P ′ A,E ) ≤ R ′ } = max ≤ s sH ↑ s ( A | E | P A,E ) − sR ′ (143)
holds.

Proof:
We show Lemma 40 by using Lemma 33, which will be given later. We employ a generalization of the method used in [61, Appendix D]. First, we define the distribution P A,E ; s as
P A,E ; s ( a, e ) := P A | E ( a | e ) s P E ( e )( P a P A | E ( a | e ) s ) s s ( P e P E ( e )( P a P A | E ( a | e ) s ) s ) .
That is, we have
P A | E ; s ( a | e ) = P A | E ( a | e ) s P a P A | E ( a | e ) s
P E ; s ( e ) = P E ( e )( P a P A | E ( a | e ) s ) s ( P e P E ( e )( P a P A | E ( a | e ) s ) s ) .
Hence,
D ( P A,E ; s ‖ P A,E )= X a,e P A,E ; s ( a, e ) ( s log P A | E ( a | e ) − s s log( X a P A | E ( a | e ) s ) ) s s H ↑ s ( A | E | P A,E ) ,
H ( A | E | P A,E ; s )= X a,e P A,E ; s ( a, e ) ( − (1 + s ) log P A | E ( a | e ) + log( X a P A | E ( a | e ) s ) )
D ( P A,E ; s ‖ P A,E ) + H ( A | E | P A,E ; s ) , = X a,e P A,E ; s ( a, e ) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) ) s s H ↑ s ( A | E | P A,E ) .
Given s ≥ , we choose an arbitrary distribution P ′ A,E such that D ( P A,Es ‖ P A,E ) = D ( P ′ A,E ‖ P A,E ) . Since
D ( P ′ A,E ‖ P A,E ) = X a,e P ′ A,E ( a, e ) ( log P ′ A,E ( a, e ) − log P A,E ( a, e ) )
D ( P ′ A,E ‖ P A,Es ) = X a,e P ′ A,E ( a, e ) ( log P ′ A,E ( a, e ) − − (1 + s ) log P A | E ( a | e ) − log P E ( e )+ s s log( X a P A | E ( a | e ) s ) − s s H ↑ s ( A | E | P A,E ) ) ,
we have
D ( P ′ A,E ‖ P A,E ; s ) = D ( P ′ A,E ‖ P A,E ; s ) + D ( P A,E ; s ‖ P A,E ) − D ( P ′ A,E ‖ P A,E )
= X a,e P A,E ; s ( a, e ) ( s log P A | E ( a | e ) − s s log( X a P A | E ( a | e ) s ) ) s s H ↑ s ( A | E | P A,E ) − X a,e P ′ A,E ( a, e ) ( s log P A | E ( a | e ) − s s log( X a P A | E ( a | e ) s ) ) − s s H ↑ s ( A | E | P A,E )
= X a,e ( P A,E ; s ( a, e ) − P ′ A,E ( a, e )) ( s log P A | E ( a | e ) − s s log( X a P A | E ( a | e ) s ) ) .
Hence,
H ( A | E | P A,E ; s ) − H ( A | E | P ′ A,E ) + D ( P ′ E ‖ P E ; s )
= H ( A | E | P A,E ; s ) + D ( P A,E ; s ‖ P A,E ) − ( H ( A | E | P ′ A,E ) − D ( P ′ A,E ‖ P A,E )) + D ( P ′ E ‖ P E ; s )
= X a,e P A,E ; s ( a, e ) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) ) + s s H ↑ s ( A | E | P A,E ) − X a,e P ′ A,E ( a, e ) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) ) + s s H ↑ s ( A | E | P A,E )
= X a,e ( P A,E ; s ( a, e ) − P ′ A,E ( a, e )) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) )
= − sD ( P ′ A,E ‖ P A,E ; s ) ≤ .
Since D ( P ′ E ‖ P E ; s ) ≥ , we have H ( A | E | P A,E ; s ) ≤ H ( A | E | P ′ A,E ) , which implies
H ( A | E | P A,E ; s ) + D ( P A,E ; s ‖ P A,E ) ≤ H ( A | E | P ′ A,E ) + D ( P ′ A,E ‖ P A,E ) .
Since the map s ↦ D ( P A,E ; s ‖ P A,E ) is continuous, we have
min P ′ A,E { D ( P ′ A,E ‖ P A,E ) | D ( P ′ A,E ‖ P A,E ) + H ( A | E | P ′ A,E ) ≤ R ′ } = min s ≥ { D ( P A,E ; s ‖ P A,E ) | D ( P A,E ; s ‖ P A,E ) + H ( A | E | P A,E ; s ) ≤ R ′ } .
Now, we choose s ≥ such that
D ( P A,Es ‖ P A,E ) + H ( A | E | P A,Es )= X a,e P A,Es ( a, e ) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) ) + s s H ↑ s ( A | E | P A,E )= R ′ ,
which implies that
X a,e P A,Es ( a, e ) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) ) = R ′ − s s H ↑ s ( A | E | P A,E ) .
Then,
min s ≥ { D ( P A,E ; s ‖ P A,E ) | D ( P A,E ; s ‖ P A,E ) + H ( A | E | P A,E ; s ) ≤ R ′ }
= X a,e P A,Es ( a, e ) ( s log P A | E ( a | e ) − s s log( X a P A | E ( a | e ) s ) ) + s s H ↑ s ( A | E | P A,E )
= − s X a,e P A,Es ( a, e ) ( − log P A | E ( a | e ) + 11 + s log( X a P A | E ( a | e ) s ) ) + s s H ↑ s ( A | E | P A,E )
= − s ( R ′ + φ ( s s | A | E | P A,E )) + s s H ↑ s ( A | E | P A,E )
= − s R ′ + s H ↑ s ( A | E | P A,E )
= max s ≥ − sR ′ + sH ↑ s ( A | E | P A,E ) ,
where the reason of the equation is the following. Due to Lemma 33, the function s
↦ − sH ↑ s ( A | E | P A,E ) is convex, and − R ′ = − dds sH ↑ s ( A | E | P A,E ) . Then, we obtain (143).

REFERENCES
[1] L. Carter and M. Wegman, “Universal classes of hash functions,” J. Comput. System Sci., vol. , No. 2, 143–154, 1979.
[2] M. N. Wegman and J. L. Carter, “New Hash Functions and Their Use in Authentication and Set Inequality,” J. Comput. System Sci., vol. , pp. 265-279 (1981).
[3] Y. Mansour, N. Nisan, and P. Tiwari, “The Computational Complexity of Universal Hashing,” in STOC ’90, Proceedings of the twenty-second annual ACM symposium on Theory of computing, pp. 235-243 (1990).
[4] C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inform. Theory, vol. , 1915-1923 (1995).
[5] G. H. Golub and C. F. Van Loan, Matrix Computations, Third Edition, The Johns Hopkins University Press, 1996.
[6] U. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inform. Theory, vol. , 733–742, 1993.
[7] R. Ahlswede and I. Csiszár, “Common randomness in information theory and cryptography part 1: Secret sharing,” IEEE Trans. Inform. Theory, vol. , no. 4, 1121–1132, 1993.
[8] R. G. Gallager, Information Theory and Reliable Communication, John Wiley & Sons, 1968.
[9] Y. Dodis and A. Smith, “Correcting Errors Without Leaking Partial Information,” STOC 2005.
[10] S. Fehr and C. Schaffner, “Randomness Extraction via Delta-Biased Masking in the Presence of a Quantum Attacker,” Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC 2008, New York, USA, March 19-21, 2008. pages, 465-48.
[11] M. Hayashi, “Upper bounds of eavesdropper’s performances in finite-length code with the decoy method,” Physical Review A, Vol. , 012329 (2007); Physical Review A, Vol. , 019901(E) (2009).
[12] M. Hayashi, “Tight exponential analysis of universally composable privacy amplification and its applications,” IEEE Trans. Inform. Theory, vol. , No. 11, 7728 – 7746, 2013.
[13] M. Hayashi, “Exponential decreasing rate of leaked information in universal random privacy amplification,” IEEE Trans. Inform. Theory, Vol. , No. 6, 3989-4001, (2011).
[14] T. Tsurumaru and M. Hayashi, “Dual universality of hash functions and its applications to quantum cryptography,” IEEE Trans. Inform. Theory, Vol. 59, No. 7, 4700-4717, (2013).
[15] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, “A Pseudorandom Generator from any One-way Function,” SIAM J. Comput., 1364 (1999).
[16] R. Renner, “Security of Quantum Key Distribution,” PhD thesis, Dipl. Phys. ETH, Switzerland, 2005; arXiv:quant-ph/0512258.
[17] M. Tomamichel and M. Hayashi, “Hierarchy of Information Quantities for Finite Block Length Analysis of Quantum Tasks,” arXiv:1208.1478 (2012); IEEE Trans. Inform. Theory, vol. , No. 11, 7693 – 7710, 2013.
[18] V. Strassen, “Asymptotische Abschätzungen in Shannon’s Informationstheorie,” In Transactions of the Third Prague Conference on Information Theory etc, Czechoslovak Academy of Sciences, Prague, pp. 689-723, 1962.
[19] I. Kontoyiannis, “Second-order noiseless source coding theorems,”
IEEE Trans. Inform. Theory , vol. , no. 4, pp. 1339-1341, Jul. 1997.[20] M. Hayashi, “Information Spectrum Approach to Second-Order Coding Rate in Channel Coding,” IEEE Trans. Inform. Theory , vol. , no.11, 4947 –4966, 2009.[21] Y. Polyanskiy, H.V. Poor, and S. Verd´u, “Channel coding rate in the finite blocklength regime,” IEEE Trans. Inform. Theory , vol. , no. 5,2307 – 2359,2010.[22] M. Hayashi, “Second-Order Asymptotics in Fixed-Length Source Coding and Intrinsic Randomness,” IEEE Trans. Inform. Theory , vol. , 4619 - 4637(2008).[23] T. S. Han: Information-Spectrum Methods in Information Theory , (Springer-Verlag, New York, 2002) (Originally written in Japanese in 1998).[24] I. Csisz´ar and J. K¨orner,
Information theory: Coding Theorem for Discrete Memoryless systems , Academic Press, New York, (1981) [25] M. Hayashi, “General non-asymptotic and asymptotic formulas in channel resolvability and identification capacity and its application to wire-tap channel,” IEEE Trans. Inform. Theory , vol. (4), 1562–1575, 2006.[26] T.S. Han, “The reliability functions of the general source with fixed-length coding,” IEEE Trans. Inform. Theory , vol. , 2117–2132, (2000).[27] M. Tomamichel, C. Schaffner, A. Smith, and R. Renner, “Leftover Hashing Against Quantum Side Information,” IEEE Trans. Inform. Theory , Vol. 57,No. 8, 5524–5535 (2011).[28] R. Renner, and R. K¨onig, ”Universally composable privacy amplification against quantum adversaries,” Theory of Cryptography: Second Theory ofCryptography Conference, TCC 2005, J.Kilian (ed.) Springer Verlag 2005, vol. 3378 of Lecture Notes in Computer Science, pp. 407-425.[29] S. Watanabe and M. Hayashi, “Non-asymptotic analysis of privacy amplification via R´enyi entropy and inf-spectral entropy,”
Proceedings of the 2013IEEE International Symposium on Information Theory , Istanbul, Turkey, 2013, pp. 2715-2719.[30] A. D. Wyner, “The wire-tap channel,”
Bell. Sys. Tech. Jour. , vol. 54, 1355–1387, 1975.[31] I. Csisz´ar and J. K¨orner, “Broadcast channels with confidential messages,”
IEEE Trans. Inform. Theory , vol. , No. 3, 339–348, 1978.[32] I. Csisz´ar, “Almost Independence and Secrecy Capacity,” Problems of Information Transmission , vol. , no.1, pp.40-47, 1996.[33] M. Hayashi and T. Tsurumaru, “More Efficient Privacy Amplification with Less Random Seeds via Dual Universal Hash Function,” arXiv:1311.5322(2013)[34] L.P. Kuptsov, “Holder inequality”, in Hazewinkel, Michiel, Encyclopaedia of Mathematics, Springer, (2001).[35] A. Dembo and O. Zaituni, Large Deviations Techniques and Applications , Springer (2010).[36] M. Hayashi and S. Watanabe, “Non-Asymptotic and Asymptotic Analyses on Markov Chains in Several Problems,” arXiv:1309.7528v1,v2,v3 (2013)[37] J. Shikata, “Formalization of Information-Theoretic Security for Encryption and Key Agreement, Revisited,” in
Proceedings of the 2013 IEEE InternationalSymposium on Information Theory , Istanbul, Turkey, 2013, pp. 2720-2724;
IACR Cryptology ePrint Archive
Information Theoretic Security , Now Publishers Inc, 2009.[40] I. Buhan, E. Kelkboom, and K. Simoens “A Survey of the Security and Privacy Measures for Anonymous Biometric Authentication Systems,”
Proceedingsof 2010 Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP) , Darmstadt, Germany, 15-17 Oct.2010 pp. 346 - 351[41] X. Zhou, A. Kuijperl, R. Veldhuis, and C. Busch, “Quantifying Privacy and Security of Biometric Fuzzy Commitment,”
Proceedings of 2011 InternationalJoint Conference on Biometrics (IJCB) , 11-13 Oct. 2011, Washington, DC, USA, pp. 1 - 8.[42] M. Bloch, and J. Barros,
Physical-Layer Security: From Information Theory to Security Engineering , Cambridge University Press; 1 edition (November14, 2011).[43] A. J. Pierrot, and M. R. Bloch, “Strongly Secure Communications Over the Two-Way Wiretap Channel,”
IEEE Transactions on Information Forensicsand Security , Vol. 6, No. 3, pp. 595 - 605, (2011).[44] C. Ling, L. Luzzi, and M. R. Bloch “Secret key generation from Gaussian sources using lattice hashing,”
Proceedings of the 2013 IEEE InternationalSymposium on Information Theory , Istanbul, Turkey, 2013, pp. 2621-2625.[45] S. Watanabe and Y. Oohama, “Secret key agreement from correlated Gaussian sources by rate limited public communication,”
IEICE Trans. Fundamentals, vol. E93-A, pp. 1976-1983, (2010).[46] S. Nitinawarat and P. Narayan, “Secret key generation for correlated Gaussian sources,”
IEEE Trans. Inform. Theory , vol. 58, no. 6, pp. 3373-3391, June2012.[47] S. Nitinawarat, C. Ye, A. Barg, P. Narayan, and A. Reznik, “Secret Key Generation for a Pairwise Independent Network Model,”
IEEE Trans. Inform.Theory , vol. , No. 12, pp. 6482–6489 (2010).[48] H. Tyagi, P. Narayan, and P. Gupta “When is a Function Securely Computable?,” IEEE Trans. Inform. Theory , vol. , No. 10, pp. 6337 - 6350, (2011).[49] C. Crepeau, and J. Wullschleger. “Statistical Security Conditions for Two-Party Secure Function Evaluation,” R. Safavi-Naini (Ed.): Proceedings of ICITS2008 , LNCS 5155, pp. 86-99. Springer- Verlag, Berlin/Heidelberg, 2008.[50] I. Csisz´ar, and P. Narayan, “Common randomness and secret key generation with a helper,”
IEEE Trans. Inform. Theory , vol. , No. 2, 344-366, (2000)[51] I. Csisz´ar, and P. Narayan, “Secrecy capacities for multiple terminals,” IEEE Trans. Inform. Theory , vol. , No. 12, 3047 - 3061, (2004)[52] S. Dziembowski, U. Maurer, “On generating the initial key in the bounded-storage model,” EUROCRYPT 2004, LNCS 3027, pp. 126-137, Springer,2004.[53] U. Maurer, “The strong secret key rate of discrete random triples,” Communications and Cryptography - Two Sides of One Tapestry, Kluwer AcademicPublishers, pp. 271-285, 1994.[54] U. Maurer, S. Wolf, “Secret-key agreement over unauthenticated public channels - part I: definitions and a completeness result,” IEEE Trans. Inform.Theory , vol. , No. 4, 822-831, (2003).[55] A. I. Khinchin, Mathematical Foundations of Information Theory , New York: Dover. (1957). Translated by R. A. Silverman and M. D. Friedman fromtwo Russian articles in Uspekhi Matematicheskikh Nauk, 7 (1953): 3-20 and 9 (1956): 17-75.[56] M. Hayashi, “Large deviation analysis for quantum security via smoothing of R´enyi entropy of order 2,”
IEEE Trans. Inform. Theory , vol. , No. 10,6702 - 6732, (2014).[57] T. S. Han and S. Verdu, “Approximation theory of output statistics,” IEEE Trans. Inform. Theory , vol. , no. 3, pp. 752-772, May 1993.[58] S.Verdu and T. S. Han, “A general formula for channel capacity,” IEEE Trans. Inform. Theory , vol. , no. 4, pp. 1147-1157, Jul. 1994.[59] S. Vembu and S. Verdu, “Generating random bits from an arbitrary source: fundamental limits,” IEEE Trans. Inform. Theory , vol. , no. 5, pp. 1322-1332,Sep. 1995.[60] T.-S. Han and O. Uchida, “Source code with cost as a nonuniform random number generator,” IEEE Trans. Inform. Theory , vol. , no. 2, pp. 712-717,Mar. 2000.[61] M. Hayashi, M. Koashi, K. Matsumoto, F. Morikoshi, and A. Winter, “Error exponents for entanglement concentration,” Journal of Physics A:Mathematical and General , vol. , no.2, pp.527-553 (2003).[62] M. Iwamoto and J. Shikata, “Information Theoretic Security for Encryption Based on Conditional Renyi Entropies,” http://eprint.iacr.org/2013/440 (2013)[63] M. Muller-Lennert, F. Dupuis, O. Szehr, S. Fehr, and M. Tomamichel, “On quantum Renyi entropies: a new definition and some properties,” J. Math.Phys. (12), 122203 (2013).[64] M. Hayashi, and R. Matsumoto, “Secure Multiplex Coding with Dependent and Non-Uniform Multiple Messages,” arXiv:1202.1332 (2013).[65] M. Hayashi, “Precise evaluation of leaked information with secure randomness extraction in the presence of quantum attacker,” Accepted forCommunications in Mathematical Physics.[66] M. Tomamichel, M. Berta, and M. Hayashi, “Relating different quantum generalizations of the conditional Renyi entropy,” J. Math. Phys.55
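Added example (not from the paper): a numerical check of identity (143), the equality between the constrained minimum of the relative entropy and the maximum over s, on a constructed joint distribution. The closed forms used for the tilted distribution P_{A,E;s} and for H^↑_{1+s} are assumptions, chosen as the Gallager-type definitions that reproduce the expressions in the proof above; all function names are hypothetical.

```python
import math, random

P = [[0.30, 0.10, 0.05], [0.05, 0.20, 0.30]]  # constructed P_{A,E}: rows e, columns a

def cond(Q):
    # Marginal Q_E and conditional Q_{A|E} of a joint table Q[e][a].
    qe = [sum(row) for row in Q]
    return qe, [[q / qe[e] for q in row] for e, row in enumerate(Q)]

def tilted(P, s):
    # Assumed tilted joint P_{A,E;s}, plus log Z = -(s/(1+s)) H^up_{1+s}.
    pe, pae = cond(P)
    inner = [sum(p ** (1 + s) for p in row) for row in pae]
    w = [pe[e] * inner[e] ** (1 / (1 + s)) for e in range(len(P))]
    Z = sum(w)
    Ps = [[w[e] / Z * p ** (1 + s) / inner[e] for p in pae[e]] for e in range(len(P))]
    return Ps, math.log(Z)

def H_up(P, s):
    # Assumed definition of H^up_{1+s}(A|E|P), in nats, for s > 0.
    return -(1 + s) / s * tilted(P, s)[1]

def D(Q, P):  # relative entropy D(Q||P) in nats
    return sum(q * math.log(q / p)
               for rq, rp in zip(Q, P) for q, p in zip(rq, rp) if q > 0)

def H_cond(Q):  # conditional entropy H(A|E|Q) in nats
    return -sum(q * math.log(c)
                for rq, rc in zip(Q, cond(Q)[1]) for q, c in zip(rq, rc) if q > 0)

def check(P, s):
    # Returns (D_s, R', -s R' + s H^up_{1+s}) with R' chosen tight at this s.
    Ps, _ = tilted(P, s)
    d = D(Ps, P)
    R = d + H_cond(Ps)
    return d, R, -s * R + s * H_up(P, s)

def exponent(P, R, smax=20.0, grid=20000):  # right side of (143) by grid search
    ss = (smax * k / grid for k in range(1, grid + 1))
    return max(0.0, max(-s * R + s * H_up(P, s) for s in ss))

def min_feasible_D(P, R, trials=20000, seed=1):
    # Left side of (143), probed from above: smallest D(Q||P) over random feasible Q.
    rng, best = random.Random(seed), math.inf
    for _ in range(trials):
        g = [[rng.expovariate(1.0) ** 3 for _ in row] for row in P]
        tot = sum(map(sum, g))
        Q = [[x / tot for x in row] for row in g]
        if D(Q, P) + H_cond(Q) <= R:
            best = min(best, D(Q, P))
    return best
```

Calling `check(P, 0.7)` fixes the rate R' at which the tilted distribution for s = 0.7 meets the constraint with equality; `exponent` and `min_feasible_D` then approach the same value from the maximization and minimization sides.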