Secret Key Capacity For Multipleaccess Channel With Public Feedback
Himanshu Tyagi, Shun Watanabe

TL;DR
This paper investigates the maximum secret key rates achievable over a multipleaccess channel with public feedback, deriving bounds and proposing schemes that improve known rates, including for symmetric and adder MACs.
Contribution
It establishes upper bounds on secret key capacity under different public communication restrictions and introduces a scheme that surpasses previous rates for symmetric MACs.
Findings
Upper bounds on SK rates with feedback and no-feedback protocols.
A new scheme achieving the maximum symmetric rate in symmetric MACs.
Exact SK capacity for adder MAC without protocol restrictions.
Abstract
We consider the generation of a secret key (SK) by the inputs and the output of a secure multipleaccess channel (MAC) that additionally have access to a noiseless public communication channel. Under specific restrictions on the protocols, we derive various upper bounds on the rate of such SKs. Specifically, if the public communication consists of only the feedback from the output terminal, then the rate of SKs that can be generated is bounded above by the maximum symmetric rate in the capacity region of the MAC with feedback. On the other hand, if the public communication is allowed only before and after the transmission over the MAC, then the rate of SKs is bounded above by the maximum symmetric rate in the capacity region of the MAC without feedback. Furthermore, for a symmetric MAC, we present a scheme that generates an SK of rate , improving the best…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsWireless Communication Security Techniques · Chaos-based Image/Signal Encryption · Security in Wireless Sensor Networks
Secret Key Capacity For Multipleaccess Channel With Public Feedback
Himanshu Tyagi∗
Shun Watanabe*†*
Abstract
We consider the generation of a secret key (SK) by the inputs and the output of a secure multipleaccess channel (MAC) that additionally have access to a noiseless public communication channel. Under specific restrictions on the protocols, we derive various upper bounds on the rate of such SKs. Specifically, if the public communication consists of only the feedback from the output terminal, then the rate of SKs that can be generated is bounded above by the maximum symmetric rate in the capacity region of the MAC with feedback. On the other hand, if the public communication is allowed only before and after the transmission over the MAC, then the rate of SKs is bounded above by the maximum symmetric rate in the capacity region of the MAC without feedback. Furthermore, for a symmetric MAC, we present a scheme that generates an SK of rate , improving the best previously known achievable rate . An application of our results establishes the SK capacity for adder MAC, without any restriction on the protocols.
††footnotetext: ∗Department of Electrical and Computer Engineering, and Institute for Systems Research, University of Maryland, College Park, MD 20742, USA. Email: [email protected] *†*Department of Information Science and Intelligent Systems, University of Tokushima, Tokushima 770-8506, Japan, and Institute for Systems Research, University of Maryland, College Park, MD 20742, USA. Email: [email protected] Himanshu Tyagi was supported by the U.S. National Science Foundation under Grants CCF0830697 and CCF1117546.
I Introduction
What is the largest rate of a secret key (SK) that can be generated by the inputs and the output of a secure multipleaccess channel (MAC) with a public feedback from the output? We show that this rate is bounded above by
[TABLE]
where denotes the capacity region111Throughout this paper, the capacity region of the MAC is for the average probability of error criterion. of the MAC with feedback. In fact, for a MAC that is symmetric with respect to its inputs, this largest SK rate is equal to .
Previously, Csiszár and Narayan [6] presented two different protocols to establish SKs of rate
[TABLE]
where denotes the capacity region of the MAC without feedback. In both the protocols, the inputs of the MAC were selected without any knowledge of the previous outputs. Such protocols are reminiscent of SK generation in source models [4] and will be collectively referred to as source emulation222Our source emulation protocols include the generalized source emulation of [6, 3] as a special case; the latter restricts the MAC inputs for different channel uses to be independent and identically distributed (i.i.d.).. We show that is the best rate of an SK that can be generated using such simple protocols. Since for symmetric MACs we generate an SK of rate , it follows that complex protocols that select inputs of the MAC based on the feedback from the output can outperform source emulation. This answers a question raised in [6, Section VII].
In general, the inputs of the MAC can be selected based on interactive public communication from all the terminals after each transmission over the secure MAC. For this set-up, Csiszár and Narayan established an upper bound for the largest rate of an SK [6], termed the SK capacity and denoted by . Moreover, for the special case of MACs in Willems class [12], this upper bound was improved and it was shown that . Therefore, for symmetric MACs in Willems class, our aforementioned results imply . This class of channels includes adder MAC, which settles an open problem posed in [6, Example 2].
One of the rate -achieving schemes in [6] involves transmitting messages of rates over the MAC and communicating the modulo sum over the public channel, resulting in an SK of rate ; either or constitutes the SK. It was remarked in [6, page 21] that an SK generation protocol with “full feedback is ruled out as the feedback communication is public. Still, if a coding scheme with partial feedback could be found by which the gain in transmission rates exceeds the information leakage due to feedback, it would lead to an SK rate greater than” . Following this clue, our achievability scheme for symmetric MACs entails communicating compressed output sequences over the public channel and then extracting an SK of rate from the output sequence. One difficulty is the lack of a single-letter expression for . However, this is circumvented by converting the transmission schemes for MAC directly into SK generation protocols, without recourse to the single-letter rate achieved. In fact, our approach implies that any message transmission scheme of rates for a symmetric MAC can be used to generate an SK of rate , with appropriate modifications.
Our converse proofs rely on a general converse333This general converse is due to Prakash Narayan, who agreed to publish it in this paper. for the SK generation problem in a multiterminal source model, which in turn is a simple consequence of a basic property of interactive communication that was established in [5, Lemma B.1] (see, also, [8]). Here, too, the challenge posed by the lack of single-letter expressions is handled by working directly with -letter expressions.
The problem formulation and our main results are stated formally in the following section. Sections III and IV contain the necessary tools that are used in our converse proofs in Section V. The final section contains a discussion of our results and the properties of interactive communication that are used to derive them.
II Problem Formulation and Main Results
Consider a MAC with two inputs444 Our results in this paper can be extended to the multiple input case. See Section VII. and , and an output , specified by a DMC . We study a secrecy generation problem for three terminals: terminals and govern the inputs to the DMC over which they transmit, respectively, sequences and of length , while terminal observes the corresponding length output . Between two consecutive transmissions, the terminals communicate with each other interactively over a noiseless public communication channel of unlimited capacity. While the transmissions over the DMC are secure, the public communication is observed by all the terminals as well as a (passive) eavesdropper. This model is a special case of a general model for secrecy generation over channels introduced by Csiszár and Narayan in [6] (see also [5]). In the manner of [6], the messages sent over will be referred to as transmissions and those sent over the public channel will be referred to as communication.
Formally, assume that at the outset terminal generates rv , , to be used for (local) randomization; the rvs are mutually independent. The communication-transmission protocol can be divided into time slots. In the first time slots, the terminals communicate interactively over the public channel, followed by a transmission over the secure DMC. The protocol ends with a final round of interactive public communication in slot . Specifically, in time slot , , the terminals communicate interactively using their respective local randomization and observations upto time slot ; the overall interactive communication in slot is denoted by
[TABLE]
Subsequently, the inputs and are transmitted by terminals and , respectively, and is observed by terminal . Finally, the last round of interactive communication is sent over the public channel. For convenience, we denote
After the communication-transmission protocol ends, the terminals , , , respectively, form estimates as follows:
[TABLE]
An rv with range constitutes an -SK if the following two conditions are satisfied (c.f. [4]):
[TABLE]
where is the uniform distribution on . The first condition above represents reliable recoverability of the SK and the second guarantees its security. While our achievability proofs establish SKs that satisfy the “strong secrecy” condition (6), our converse results are valid for SKs satisfying the weaker secrecy condition given below:
[TABLE]
Definition 1**.**
A number is an achievable SK rate if for every , there exist local randomization , communication-transmission protocol and -SK with
[TABLE]
for all sufficiently large.
The supremum of all achievable SK rates is called the SK capacity, denoted by .
The general problem of characterizing remains open. In [6], general lower bounds and upper bounds for were given; we state the former next, specialized for the case of two input MAC.
Theorem 1**.**
[6]** The SK capacity for a MAC is bounded below as
[TABLE]
For the special case , the lower bound above is tight and [6, Example 1]. Also, for the case when is in Willems class of MACs [12], an upper bound for was derived in [6]. Willems class consists of MAC where one of the inputs, say input , is determined by the output and the other input, i.e., for some mapping , if . The following result holds.
Theorem 2**.**
[6]** For a MAC in Willems class,
[TABLE]
In this paper, we show that the bounds (8) and (9) are tight under various restrictions imposed on the MAC and the communication-transmission protocols. We first describe the specific restrictions we place. As in Definition 1, define the SK capacity with source emulation [5, 6, 3], denoted by , as the supremum of all achievable SK rates with the additional restriction that
[TABLE]
i.e., the transmission input sequences for the MAC are selected solely based on the initial interactive communication and local randomization at the input terminals, without any feedback from the output. Next, define the SK capacity with no input communication, denoted by , as the supremum of all achievable SK rates with the additional restriction that following the first round interactive communication , the subsequent communication are only from the output terminal, i.e.,
[TABLE]
The following inequalities ensue:
[TABLE]
We now state our main results. First, we show a general upper bound on .
Theorem 3**.**
The SK capacity with no input communication is bounded above as
[TABLE]
Next, we show that for the class of symmetric MACs, this upper bound is tight.
Theorem 4**.**
For a symmetric MAC with and
[TABLE]
the SK capacity with no input communication is given by
[TABLE]
As a corollary, we characterize for adder MAC, for which lower and upper bounds were reported in [6, Example 2].
Corollary**.**
For , the SK capacity is given by
[TABLE]
Since adder MAC is in Willems class and is symmetric, the corollary follows from Theorem 2 and Theorem 4.
Finally, the following result implies that source emulation does not suffice to generate SKs of rate and the complex communication-transmission protocols above are needed necessarily in Theorem 4.
Theorem 5**.**
The SK capacity with source emulation is given by
[TABLE]
The inequality was shown in [6]. We show the reverse inequality in Section V.
Remark*.*
Theorem 5 is a further strengthening of [6, Proposition 5] where this result was established for source emulation protocols that restrict the inputs of the MAC for different channel uses to be i.i.d. We show that the inequality holds even when this restriction is dropped.
III A General Converse for SK Capacity of a Multiterminal Source
In this section, we present a converse for an SK generation problem in a multiterminal source model with sources (c.f. [4]) that does not require the underlying sources to be i.i.d. This specific form of the converse is due to Prakash Narayan and it relies on a basic property of interactive communication in multiterminal models shown in [5].
Terminals observe correlated rvs , respectively; for brevity we denote by the set and by the rvs for . The terminals communicate over a public channel, possibly interactively in several rounds. Specifically, terminal sends communication in the th round, , where depends on the observation and the previously received communication
[TABLE]
We denote the overall interactive communication by . Consider an rv taking values in such that
[TABLE]
for and some mappings of , i.e., the terminals form estimates of using their respective observations and the interactive communication that agree with with probability greater than . We present below an upper bound on . The following notations will be used: Let be a collection of subsets of given by
[TABLE]
A collection constitutes a fractional partition of (c.f. [5]) if
[TABLE]
Consider a partition of . Corresponding to this partition, we define a fractional partition as follows:
[TABLE]
First, we present a key property of interactive communication that underlies all the converse proofs of this paper.
Lemma 6** (Interactive Communication Property).**
[5]** For an interactive communication , we have
[TABLE]
for every fractional partition of .
The following result is, in effect, a “single-shot” converse for the SK generation problem.
Theorem 7**.**
[9]** For an rv and interactive communication satisfying (10), we have
[TABLE]
for every fractional partition of , where .
Proof. It follows from [5, Lemma A.2] that
[TABLE]
which, along with Lemma 6 and the definition of in (6), completes the proof.∎
Corollary**.**
For and as in Theorem 7, we get
[TABLE]
for every partition of .
The corollary follows upon choosing in Theorem 7, where is given by (11).
IV Maximum Symmetric Rate for MAC
While a single-letter expression for is known [1, 7], for such an expression is available only in special cases [12]. In this section, we will present -letter characterizations for and , which will be used in our proofs in the next section.
Lemma 8**.**
For MAC with two inputs,
[TABLE]
where the is over all distributions
We omit the proof, which is a simple consequence of the capacity region for a MAC [1, 7].
Lemma 9**.**
For MAC with two inputs,
[TABLE]
where the is over all joint distributions of the randomization at the terminals and the output of the MAC that result from communication-transmission protocols with no input communication (as in the definition of ).
Proof. First, we claim that making additional independent common randomness available to the senders and the receiver does not improve the capacity region of a MAC. Indeed, let be the error probability of the MAC with feedback conditioned on . Clearly, there exists at least one realization such that
[TABLE]
Thus, using the encoders and decoders with fixed we can achieve the same rate as that of the original scheme. In the remainder of the proof, without loss of generality, we will assume the availability of rv to the senders and the receiver of the MAC.
If , then using standard manipulations and Fano’s inequality we get
[TABLE]
where are the messages sent by terminal and , respectively, i.i.d. uniform over , and as . Also,
[TABLE]
and
[TABLE]
Since a code for MAC with feedback constitutes a valid communication-transmission protocol with local randomization at terminals , , , respectively, it follows that is bounded above by the right-side of (12).
For the other direction, consider a MAC given by
[TABLE]
Then, by [1] and [7], the right-side of (12) is less than the maximum symmetric rate of the messages that can be transmitted reliably over this MAC (without feedback). To complete the proof we note that we can simulate by using the MAC with feedback times. Specifically, given a communication-transmission protocol with no input communication and fixed values , choosing
[TABLE]
simulates . This is a valid choice of inputs since both the senders know the common randomness and the feedback signals at time . ∎
V Upper Bounds
In this section, we prove upper bounds on and by applying the results developed in Sections III and IV. We assume that the SK satisfies the “weak secrecy” condition (7).
The following observation from [11] is needed.
Lemma 10**.**
For mutually independent rvs and an interactive communication for the sources described in Section III, we have
[TABLE]
i.e., independent observations remain independent when conditioned on an interactive communication.
We first remark that the initial round of interactive communication does not help. Specifically, for an -SK recoverable from an interactive communication , it follows from (5) and (6) that there exists a fixed value of such that
[TABLE]
Note that by Lemma 10 the rvs are conditionally independent given . Consider a modified protocol obtained by fixing and using local randomization with the same distribution as the conditional distribution of given . Then, in view of (13), the modified protocol generates a -SK of rate not less than the original protocol and does not require any initial interactive communication. Thus, without loss of generality, in the remainder of the section we assume that is constant.
V-A Proof of
Let be an achievable SK rate for a MAC with no input communication. Setting , and and applying the corollary to Theorem 7 with partition , for every and sufficiently large we have
[TABLE]
and similarly, using the partition ,
[TABLE]
Also, for the partition , we get for large
[TABLE]
where the equality uses the independence of and . Upon combining the bounds in (14) – (16) and taking the limit , an application of Lemma 9 yields
[TABLE]
since was arbitrary. This proves the claimed upper bound. ∎
Remark*.*
Choosing , we also get the bound
[TABLE]
which is subsumed by (16).
V-B Proof of
Let be an achievable SK rate for a MAC with source emulation. Setting , and , and following the steps of the previous part mutatis mutandis, we get
[TABLE]
Note that
[TABLE]
where the equality follows since is independent of the rest of the rvs, and the inequality555In fact, the inequality holds with equality. uses . Similarly,
[TABLE]
and
[TABLE]
where the rvs and are independent. By Lemma 8 and (17), the upper bound on follows. ∎
VI Lower Bounds
In this section, we prove Theorem 4. Suppose lies in for a symmetric MAC. Then, there exist encoder mappings
[TABLE]
and decoder mapping
[TABLE]
such that when messages are sent, where rvs and are i.i.d. uniform over , the error probability satisfies
[TABLE]
in the limit as .
Using this length code, we construct a symmetric code of length by applying (19) and (20) twice as follows. Consider rvs , , , i.i.d. uniform over . We send inputs corresponding to messages in the odd time instances, and, with the roles of and interchanged, send inputs corresponding to messages in the even time instances. Using the outputs at the odd and even time instances to decode , and , , respectively, we obtain a code of rate with error probability bounded above by . Denoting by the rv , , and letting and , we get
[TABLE]
where the second equality follows from the symmetry of the MAC.
Next, we replace the feedback with its compressed version given the observations of the input terminals. To do this, we consider a multiple-blocks extension of the symmetric code above and take recourse to the result of Slepian and Wolf [10]. Specifically, let , , be i.i.d. repetitions of rvs above. By Slepian-Wolf theorem [10], there exist mappings
[TABLE]
of rates
[TABLE]
such that an observer of or can recover with probability of error less than , for all sufficiently large. The equality in (22) uses (21). Then, using a union bound on probability of error, the communication-transmission protocol corresponding to allows all the terminals to recover with probability of error less than . Note that the overall communication-transmission protocol now consists of rounds of communication from terminal and transmissions over the MAC. In each time slot , the output terminal observing sends to the input terminals. Using this communication and their local observations and , the terminals and estimate and use the estimates to select the inputs and , respectively.
Finally, we show that for all sufficiently large, there exists a function of of rate greater than , satisfying
[TABLE]
Therefore, is an -SK for sufficiently large, where is arbitrary. It remains to find a mapping as above. By [4, Lemma 1], it suffices to show that
[TABLE]
for some . Indeed, by the “balanced coloring lemma” [4, Lemma B4], for sufficiently large, there exists such a mapping of rate
[TABLE]
where the second inequality is by (22) and the previous inequality uses Fano’s inequality. Thus, is an achievable SK rate.
VII Discussion
Our proof methodology in this paper is to use the basic properties of SKs and interactive communication to obtain upper bounds on SK rates, and then relate these upper bounds directly to the maximum rates of reliable transmission over a MAC, without reducing them to single-letter forms. In particular, this approach brings out a key property of interactive communication that is instrumental in proving the converse, namely the inequality (see Lemma 6)
[TABLE]
For the case of two terminals, this inequality can be written as
[TABLE]
which is well-known in the communication complexity literature (c.f. [2]) as the fact that external information cost is at least as much as the information cost. Besides (23), the only other property of interactive communication that we use is the fact that independent observations remain so when conditioned on interactive communication (see Lemma 10). However, for a specific choice of in (23), upon rearranging the terms we get
[TABLE]
which in turn implies Lemma 10. Thus, (23) is the only property of interactive communication that is used in our converse proofs. Note that (24) is indeed a characteristic of an interactive communication and does not hold for every function of and . For instance, for symmetrically distributed unbiased bits and , and ,
[TABLE]
Our results in this paper extend easily to MACs with multiple inputs. In particular, Theorems 3 and 5 hold for a multi-input MAC upon defining and as follows:
[TABLE]
Also, Theorem 4 holds for a multi-input MAC that satisfies
[TABLE]
for every permutation of .
Acknowledgements
The authors are indebted to Prakash Narayan for allowing us to include Theorem 7 in this paper. Also, the discussion on interactive communication properties in the last section is based on ideas developed jointly with him.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] R. Ahlswede, “Multiway communication channels,” Proc. IEEE International Symposium on Information Theory , pp. 23–52, 1973.
- 2[2] M. Braverman, “Coding for interactive computation: progress and challenges,” Proc. Conference on Communication, Control, and Computing (Allerton) , pp. 1914–1921, October 2012.
- 3[3] C. Chan, “Generating secret in a network,” Ph. D. Dissertation, Massachussetts Institute of Technology , 2010.
- 4[4] I. Csiszár and P. Narayan, “Secrecy capacities for multiple terminals,” IEEE Trans. Inf. Theory , vol. 50, no. 12, pp. 3047–3061, December 2004.
- 5[5] ——, “Secrecy capacities for multiterminal channel models,” IEEE Trans. Inf. Theory , vol. 54, no. 6, pp. 2437–2452, June 2008.
- 6[6] ——, “Secrecy generation for multiaccess channel models,” IEEE Trans. Inf. Theory , vol. 59, no. 1, pp. 17–31, 2013.
- 7[7] H. Liao, “A coding theorem for multipleaccess communications,” Proc. IEEE International Symposium on Information Theory , 1972.
- 8[8] M. Madiman and P. Tetali, “Information inequalities for joint distributions, with interpretations and applications,” IEEE Trans. Inf. Theory , vol. 56, no. 6, pp. 2699–2713, June 2010.
