Mutual Dependence for Secret Key Agreement Please share
advertisement
Mutual Dependence for Secret Key Agreement
The MIT Faculty has made this article openly available. Please share
how this access benefits you. Your story matters.
Citation
Chung Chan, and Lizhong Zheng. “Mutual dependence for secret
key agreement.” IEEE, 2010. 1-6. Web. 28 Oct. 2011. © 2010
Institute of Electrical and Electronics Engineers
As Published
http://dx.doi.org/ 10.1109/CISS.2010.5464805
Publisher
Institute of Electrical and Electronics Engineers
Version
Final Published Version
Accessed
Thu May 26 09:57:19 EDT 2016
Citable Link
http://hdl.handle.net/1721.1/66685
Terms of Use
Article is made available in accordance with the publisher's policy
and may be subject to US copyright law. Please refer to the
publisher's site for terms of use.
Detailed Terms
1
Mutual Dependence for Secret Key Agreement
Chung Chan and Lizhong Zheng
Abstract—A mutual dependence expression is established for
the secret key agreement problem when all users are active. In
certain source networks, the expression can be interpreted as
certain notions of connectivity and network information flow. In
particular, the secrecy problem can be mapped to a new class
of network coding problems with selectable links and undirected
broadcast links. For such networks, the secrecy capacities serve as
upper bounds on the maximum network throughputs, while the
network coding solutions can be used for secret key agreement.
Index Terms—Secret key agreement, mutual dependence, network coding, partition connectivity, supermodularity
I. M UTUAL D EPENDENCE
We first consider a measure of correlation among a set of
random variables, and establishes its operational meaning with
the problems of secret key agreement and communication for
omniscience in [2].
In information theory, the dependence between any two
random variables is captured by the mutual information[3],
I(Z1 ∧ Z2 ) := D(PZ1 Z2 kPZ1 PZ2 ) = H(Z1 ) − H(Z1 |Z2 ) (1.1)
where PZ1 Z2 denotes the distribution of Z1 and Z2 , D(·k·)
is the information divergence, and H(·) is the entropy
measure.[3] It has various operational meanings spanning
over the source and channel coding theories. A heuristically
appealing extension[2] to the multivariate case with more than
two random variables is the following mutual dependence
expression.
distribution to the product distribution of certain marginals. We
will establish the following operational meaning for (1.2) in
the problem of secret key agreement (SK) and communication
for omniscience (CO) considered in [2].1
Operational meaning of mutual dependence:
The mutual dependence expression I(ZV ) equals
SK: the maximum rate (secrecy capacity) of secret key
that can be generated from the discrete multiple
memoryless source (DMMS) ZV with unlimited authenticated public discussion, and
CO: the maximum savings in rate, below H(ZV ), of
the public discussion required to attain omniscience
of the DMMS ZV . i.e. H(ZV ) subtracted by the
smallest rate of communication for omniscience.
We have considered here the special case when all terminals
are active in the sense that they all want to share the secret in
the SK problem, and attain omniscience in the CO problem.
Theorem 1.1 Given a finite ground set V : |V | ≥ 2, the
mutual dependence in (1.2) satisfies,
X
I(ZV ) = H(ZV ) − max
λB H(ZB |ZB c )
(1.3)
λ∈Λ
B∈F
V
where F := 2 \ {V }, Λ is defined as the collection of
fractional partitions
P λ := (λB : B ∈ F ) of V , i.e. λB ≥ 0 for
all B ∈ F and B∈F :i∈B λB = 1 for all i ∈ V .
2
Definition 1.1 (Mutual Dependence) For any finitely-valued
random vector ZV := (Zi : i ∈ V ) with |V | ≥ 2, the mutual
dependence of ZV is defined as,
!
Y
1
I(ZV ) := min
D PZV PZC
(1.2)
P∈Π |P| − 1
This establishes the result since the expression on the R.H.S.
of (1.3) bears the desired operation meaning by [2].
where Π is the collection of set-partitions P of V into at least
2 non-empty sets.
2
with the convention h(∅) = 0. We will use the following wellknown[4] supermodularity property of h to prove the theorem.
Example 1.1 Mutual dependence (1.2) reduces to the usual
mutual information when |V | = 2. i.e. I(Z{1,2} ) = I(Z1 ∧Z2 ).
With V := [3] := {1, 2, 3}, we have I(Z[3] ) is the minimum
P of I(Z1 ∧ Z2 Z3 ), I(Z2 ∧ Z1 Z3 ), I(Z3 ∧ Z1 Z2 ), and
1
[
2
i∈[3] H(Zi ) − H(Z[3] )].
2
Subclaim 1.1A h is supermodular, i.e.
P ROOF (T HEOREM 1.1) Define h : F 7→ R as
h(B) := H(ZB |ZB c )
∀B ∈ F
(1.4)
C∈P
(1.1) and (1.2) are similar in the sense that both can be
expressed in terms of the information divergence from the joint
This work is supprted in part by Project. #MMT-p2-09 of the Shun Hing
Institute of Advanced Engineering, The Chinese University of Hong Kong.
Manuscript written for CISS 2010. Related work at [1].
Chung Chan (chungc@mit.edu) is with Shun Hing Institute of Advanced
Engineering, The Chinese University of Hong Kong, and Research Laboratory
of Electronics at MIT, Massachusetts Institute of Technology.
Lizhong Zheng is with Research Laboratory of Electronics at MIT, Massachusetts Institute of Technology.
978-1-4244-7417-2/10/$26.00 ©2010 IEEE
h(B1 ) + h(B2 ) ≤ h(B1 ∩ B2 ) + h(B1 ∪ B2 )
(1.5)
for all B1 , B2 ∈ F : B1 ∩ B2 , B1 ∪ B2 ∈ F .
C
P ROOF (S UBCLAIM 1.1A) Consider proving the non-trivial
case where B1 and B2 are non-empty. We have the positivity
of mutual information that,
I(ZB1c ∧ ZB2c |ZB1c ∩B2c ) ≥ 0 =⇒
H(ZB1c ) + H(ZB2c ) ≥ H(ZB1c ∪B2c ) + H(ZB1c ∩B2c )
1 More generally, there is a duality that C
CR (R) = CS (R) + R where
CCR (R) and CS (R) are the common randomness and secrecy capacities
respectively under the same rate constraint R on public discussion and the
same source model. (See [1] for details)
2
(1.5) follows since h(B) = H(ZV ) − H(ZB c ).
J
By the Strong Duality Theorem[5], the maximization in
(1.3) is equal to its linear programming dual,
X
minimize
ri
(1.6a)
i∈V
subject to
X
ri ≥ h(B) ∀B ∈ F
i.e. any set in B that contains i also contains j. Using this
simplification, it is easy to see that ∼R satisfies the defining
properties of an equivalence relation:
• Reflexivity: R is reflexive since i ∈ Ci trivially for i ∈ V .
• Transitivity: Suppose i ∼R j and j ∼R k for some
i, j, k ∈ V . Then,
(1.6b)
{B ∈ B : i ∈ B} ⊆ {B ∈ B : j ∈ B} ⊆ {B ∈ B : k ∈ B}
i∈B
The supermodularity property of h translates to the following
property on the tight relations of the dual problem.
Subclaim 1.1B For any feasible solution r to the dual linear
program (1.6), and B1 , B2 ∈ F : B1 ∩ B2 , B1 ∪ B2 ∈ F , if
B1 and B2 are tight constraints, i.e.
X
r = h(Bj )
for j = 1, 2
(1.7a)
i∈Bj
•
which implies i ∼R k as desired.
Symmetry: suppose to the contrary that i ∼R j but j 6∼R i
for some i, j ∈ V . Then,
{B ∈ B : i ∈ B} ( {B ∈ B : j ∈ B}
This implies, by definition (1.8) of B that
X
X
λ∗B <
λ∗B
B3i
then B1 ∪ B2 is also a tight constraint,
X
ri = h(B1 ∪ B2 )
(1.7b)
i∈B1 ∪B2
n.b. B1 ∩ B2 is also tight but we do not need it for the proof
of Theorem 1.1.
C
P ROOF (S UBCLAIM
1.1B) Since B1 ∪ B2 ∈ F , we immediP
ately have i∈B1 ∪B2 ri ≥ h(B1 ∪ B2 ) by (1.6b). The reverse
inequality can be proved as follows.
X
X
X
X
ri =
ri +
ri −
ri
i∈B1 ∪B2
i∈B1
i∈B2
i∈B1 ∩B2
≤ h(B1 ) + h(B2 ) − h(B1 ∩ B2 )
(b)
≤ h(B1 ∪ B2 )
where (a) is by (1.7a) and (1.6b) on B1 ∩ B2 ∈ F , and (b)
is
Pby Subclaim 1.1A. With a similar argument, we also have
J
i∈B1 ∩B2 ri = h(B1 ∩ B2 ).
Let λ∗ be an optimal solution to the maximization in (1.3).2
Define its support set as,
and the corresponding partition of V as,
n[
c
o
P ∗ :=
{B ∈ B : B 63 i} : i ∈ V
which is the desired contradiction since both sides equal
1 by the definition of Λ in Theorem (1.1).
Finally,
to argue that |P ∗ | ≥ 2, note that B 6= ∅ since
P
∗
B∈F λB > 0. Since any B ∈ F satisfies B 6= V , we have
Ci 6= V for all i ∈ V as desired.
J
The supermodularity of h implies the following property on
every part of P ∗ .
Subclaim 1.1D For any optimal r∗ to the dual problem (1.6),
X
ri∗ = h(C c )
∀C ∈ P ∗
(1.10)
C
i∈C c
(a)
B := {B ∈ F : λ∗B > 0}
B3j
(1.8)
(1.9)
Subclaim 1.1C P ∗ in (1.9) belongs to Π in Definition 1.1. C
P ROOF (S UBCLAIM 1.1D) P
By the Complementary Slackness
Theorem[5, Theorem 5.4], i∈B ri∗ = h(B) for all B ∈ B.
By Subclaim 1.1B, for all i ∈ V , we have
[
X
{B ∈ B : B 63 i}
ri∗ = h
S
i∈ {B∈B:B63i}
which gives the desired equality (1.10) under (1.9).
This completes the proof since the Primal/Dual Optimality
Criteria[5, Theorem 5.5] implies (1{B c ∈ P ∗ }/(|P ∗ | − 1) :
B ∈ F ) is an optimal solution in Λ. More precisely, for all
feasible r to the dual (1.6), and P ∈ Π,
X
H(ZV ) − max
λB H(ZB |ZB c )
λ∈Λ
(a)
≤ H(ZV ) −
P ROOF (S UBCLAIM 1.1C) Define the relation R on V as,
i ∼R j ⇐⇒ i ∈ Cj for i, j ∈ V
S
c
where Ci := ( {B ∈ B : B 63 i}) . By definition (1.9), P ∗ =
{Ci : i ∈ V }. To show that P ∗ is a partition of V , it suffices
to show that ∼R is an equivalence relation on V as follows.
i ∼R j ⇐⇒ {B ∈ B : B 63 i} ⊇ {B ∈ B : B 63 j}
⇐⇒ {B ∈ B : i ∈ B} ⊆ {B ∈ B : j ∈ B}
2 λ∗ exists or equivalently Λ is non-empty. For example, λ
{i} = 1 for
i ∈ V is a fractional partition in Λ. For the more general case considered in
Theorem 3.1, Λ may be empty.
J
B∈F
X
ri = H(ZV ) −
i∈V
X X
1
ri
|P| − 1
c
X
1
≤ H(ZV ) −
H(ZC c |ZC )
|P| − 1
C∈P
!
X
1
=
H(ZC ) − H(ZV )
|P| − 1
C∈P i∈C
(b)
by (1.6b)
C∈P
When we set r to an optimal solution r∗ , (a) is satisfied with
equality by the Strong Duality Theorem. When we also set
P to P ∗ , which is valid by Subclaim 1.1C, (b) is also satisfied with equality by Subclaim 1.1D. This gives the desired
equality (1.3) and completes the proof of Theorem 1.1.
3
II. I NTERPRETATION VIA E MULATED S OURCE N ETWORK
In this section, we will show that under certain classes of
source networks, we can interpret mutual dependence (1.2)
as certain notions of connectivity, and more concretely as the
amount of information flow in certain types of networks. To
make the notion of “flow” explicit, we consider the following
class of source networks.
Definition 2.1 (Emulated source network) Terminal i ∈ V
observes Zi = (Xi , Yi ) such that,
!
Y
PXV YV =
PXi PYi |XV
(2.1)
A. Interference network
Definition 2.2 (Interference network) Given a hypergraph
H := (V, E, φ) and a finite additive group (G, +) of order
q, terminal i ∈ V observes,
Zi := {Zei : e ∈ E, i ∈ φ(e)}
where Zei for i ∈ V and e ∈ E are random variables taking
values from G such that,
1) Zeφ(e) := (Zei : i ∈ φ(e)) for e ∈ E are independent, and
2) for all e ∈ E
X
Zei = 0
(2.4)
i∈φ(e)
i∈V
This can be viewed as a source emulated by having terminal
i ∈ V send Xi independently over a channel that returns Yi =
fi (XV , Ni ) to terminal i, where fi is deterministic and
Q Ni ’s are
independent channel noises that satisfy PNV |XV = i∈V PNi .
3
2
Proposition 2.1 The mutual dependence (1.2) of the emulated
source network in Definition 2.1 is,
X
1
I(XC c ∧ YC |XC )
P∈Π |P| − 1
I(ZV ) = min
(2.2)
C∈P
which is also the secrecy capacity when all terminals are
active by Theorem 1.1.
2
Q
P ROOF For all P ∈ Π, D(PXV YV k C∈P PXC YC ) equals,
X
H(XC YC ) − H(XV YV )
C∈P
=
X
[H(XC ) + H(YC |XC )] − H(XV ) − H(YV |XV )
C∈P
=
X
C∈P
(2.3)
[H(YC |XC ) − H(YC |XV )]
{z
}
|
and for all j ∈ φ(e), Zeφ(e)\{j} is uniformly distributed
over G|φ(e)|−1 .
2
Proposition 2.2 The mutual dependence of the interference
network in Definition 2.2 is (log q)p + (H) where p + (H) is
the strength of H defined as,
P
|δ + ∗ (C)|
+
p (H) := min C∈P H
(2.5a)
P∈Π
|P| − 1
|δH (P)|
= min
(2.5b)
P∈Π |P| − 1
where H ∗ := (V, E, φ, ρ) is any star hypergraph of H,
+
δH
∗ (C) := {e ∈ E : ρ(e) ∈ C 6⊇ φ(e)}
δH (P) := {e ∈ E : ∀C ∈ P, C 6⊇ φ(e)}
which are the set of outgoing edges of C and crossing edges
of P respectively.
2
P ROOF The interference network is a special case of the
emulated source network in Definition 2.1 with,
Yi := (Zei : e ∈ E, i = ρ(e))
Xi := (Zei : e ∈ E, i ∈ φ(e) \ {ρ(e)})
=I(XC c ∧YC |XC )
P
where the last
C∈P H(XC ) =
P equality is by (2.1) that
H(XV ) and C∈P H(YC |XV ) = H(YV |XV ).
I(XC c ∧ YC |XC ) is intuitively the flow of information from
C c to C. For a more concrete interpretation, we will consider
some specific classes of networks for which the dependency
among the observations can be abstracted by a hypergraph.
Hypergraph:
A hypergraph H := (V, E, φ) is defined by the mapping φ :
E 7→ 2V \ {∅} from an edge e to a non-empty subset φ(e) of
the vertices. The star hypergraph[6] H ∗ := (V, E, φ, ρ) of H
has an additional mapping ρ : E 7→ V from an edge e to a
root node ρ(e) ∈ φ(e) for the edge.
3 This pure source emulation approach to SK when terminals are given a
channel instead of a source can sometimes be optimal. For instance, uniform
input is optimal for finite linear channel Yi = Mi (XV , Ni ) for i ∈ V where
Mi is a homomorphism between finite abelian groups and Ni ’s are arbitrarily
correlated noise. This covers the interference and broadcast networks to be
defined later. (See [1] for details)
(2.6)
(2.7)
where ρ is an arbitrarily chosen orientation of H. We have,
+
I(XC c ∧ YC |XC ) = H(YC |XC ) = |δH
∗ (C)|
X
X X
+
|δH
1{C 6⊇ φ(e)} = |δH (P)|
∗ (C)| =
C∈P
e∈E C3ρ(e)
which completes the proof with Proposition 2.1.
+
The strength p (H) of H has the following immediate
interpretation of partition connectivity.
Partition connectivity[7][8]:
p + (H) is the maximum rational number x ∈ Q such that
H is x-partition-connected, i.e. dx(k − 1)e edges need to be
removed from H to yield k or more disconnected components
for any k ∈ [|V |].
Each edge in H corresponds to a link of secret information
flow with the following linear public discussion scheme.
4
Hyperedge as selectable link:
Given an edge e, select a sender i ∈ φ(e) and a receiver
j ∈ φ(e). Have the remaining terminals k ∈ φ(e) \ {i, j}
publicly reveal Zek . Then, sender i can use Zei as a secret
key to encrypt an independent secret M ∈ G into a public
message (cryptogram) M + Zei . By (2.4), receiver j can
perfectly recover Zei from the public messages Zeφ(e)\{i,j} .
Since Zeφ(e)\{j} is uniformly distributed, the key is perfectly
secret, i.e. I(Zei ∧ Zeφ(e)\{i,j} ) = 0. Thus, M is also perfectly
secret and recoverable by j. We effectively have a private
independent link from i to j with unit (log q bits) capacity.
Viewing each edge as a private link with a selectable sender
and receiver, the terminals can agree on a common secret
key, simply by broadcasting it through the resulting network.
Thus, the secret key agreement problem turns into a broadcast
network coding problem with selectable links.
Definition 2.3 (Network with selectable links) A network
with selectable links defined by the hypergraph H = (V, E, φ)
is used at each time as follows: for each edge e ∈ E, a
sender i ∈ φ(e) can be selected to send a unit (log q bits)
of information noiselessly to any chosen receiver j ∈ φ(e). 2
This network coding approach to secret key agreement
is indeed optimal. i.e. the maximum throughput of the network attains the secrecy capacity, as a consequence of the
tree packing result[7] of Tutte and Nash-Williams and its
extension[8][6] to hypergraphs summarized below.
Proposition 2.3 Given a hypergraph H := (V, E, φ), let n :=
min{i ∈ [|V |] : ip + (H) ∈ N} and H̃ := (V, Ẽ, φ̃) be the nextended hypergraph with
Ẽ := {(e, t) : e ∈ E, t ∈ [n]}
φ̃(ẽ) := φ(e)
(2.8a)
∀ẽ ∈ Ẽ, e ∈ E : ∃t ∈ [n], ẽ = (e, t) (2.8b)
Then, n ≤ |V | − 1, p + (H̃) = np + (H) by (2.5), and
1) H̃ can be represented by a graph G := (V, Ẽ, θ) in the
following sense: p + (G) = p + (H̃) and for all e ∈ E
θ(e) ⊆ φ(e) : 1 ≤ |θ(e)| ≤ 2
2) Up to p + (G) edge-disjoint spanning trees can be packed
in G. i.e. there exists spanning trees Tj := (V, Ẽj , θ) for
j ∈ [p + (G)] with disjoint edge sets Ẽj ⊆ Ẽ.
3) For all optimal P ∗ ∈ Π that attainsSthe minimum in
(2.5b) and any excess edge ẽ∗ ∈ Ẽ \ j∈[p + (G)] Ẽj not
used in a maximal tree packing, ∃C ∈ P ∗ , C ⊇ φ̃(ẽ∗ ) 2
P ROOF
1) follows from [6, Lemma 3.1 and Theorem 4.2, 5.1].
2) follows from the Disjoint Tree Theorem[7, Corollary 51.1a] of Tutte and Nash-Williams.
3) Suppose to the contrary that for some optimal P ∗ and
excess edge ẽ∗ , we have C 6⊆ φ̃(ẽ∗ ) for all C ∈ P ∗ .
|δH̃ (P ∗ )| = {ẽ ∈ Ẽ : ∀C ∈ P ∗ , C 6⊇ φ̃(ẽ)}
[
(a) Ẽj : ∀C ∈ P ∗ , C 6⊇ φ̃(ẽ) > ẽ ∈
+
j∈[p (G)]
(b)
=(|P ∗ | − 1)p + (G)
where (a) is by excluding ẽ∗ and (b) is because each
spanning tree Tj contributes (|P ∗ | − 1) distinct crossing
edges. Substituting p + (G) = np + (H) and |δH̃ (P ∗ )| =
n|δH (P)| into the last inequality, we have the desired
contradiction to the optimality of P ∗ .
Since every spanning tree packed in H supports one unit of
secret information flow from any designated root terminal to
all other terminals, the tree packing result implies that p + (H)
units of secret key can be broadcast to all terminals in total,
acheiving the secrecy capacity.
We now have the desired interpretation of mutual dependence as the secret information flow in a broadcast session
of a network with selectable links. The optimal partition P ∗
to (2.5b) also has the intuitive meaning as classes of wellconnected terminals: two terminals must be in the same class
in any optimal P ∗ if there is an excess private link between
them. This connects and extends the results of [6][8][9][10].
Theorem 2.1 Given hypergraph H with strength p + (H) defined in (2.5), let CN,sl be the maximum throughput of a
broadcast session of the delay-free network with selectable
links defined in Defintion 2.3, and CS,if be the secrecy capacity
of the interference network defined in Definition 2.2, then
CN,sl = CS,if = (log q)p + (H)
Furthermore, the maximum throughput and secrecy capacity
can be attained non-asymptotically with delay at most |V |−1.
The maximum throughput, in particular, can be achieved by
routing.
2
Example 2.1 For the interference network defined in Definition 2.2, let G be the binary field F2 , and H := (V, E, φ)
be the hypergraph on V = [3] with edge E := {123} and
φ(123) = {1, 2, 3}. From (2.3), Z3 = Z1 + Z2 .
Since p + (H) = 1/2, H can be extended as described in
Proposition 2.3 to H̃ := (V, Ẽ, φ) with n = 2, and represented
by the graph G := (V, Ẽ, θ) that can be maximally packed
with p + (G) = 1 spanning tree T1 := (V, Ẽ1 , θ) where,
Ẽ = Ẽ1 := {(123, 1), (123, 2)}
θ((123, 1)) := {1, 2} and θ((123, 2)) := {1, 3}
Thus, one secret key bit K can be propagated from terminal 1 through the tree network T1 to terminal 2 and 3.
(123,1)
In particular, we can have K set to Z1
and the public
(123,1)
(123,2)
(123,2)
(123,1)
messages Z1
+ Z1
, Z2
and Z3
revealed
by terminal 1, 2 and 3 respectively. Terminal 2 and 3 can
(123,1)
(123,1)
recover K by the linear operations Z2
+ Z3
and
(123,1)
(123,2)
(123,1)
(123,2)
Z3
+ Z2
+ (Z1
+ Z1
) respectively. K is
(123,1)
perfectly secret because Z1
is independent of the public
messages.
2
5
B. Broadcast Network
We now show another class of emulated source networks for
which the mutual dependence has a different interpretation of
connectivity, and can be mapped to a network coding problem
with undirected broadcast links.
Definition 2.4 (Broadcast Network) Given H := (V, E, φ)
and a finite field Fq of order q, terminal i ∈ V observes,
Zi := {Ze : e ∈ E, i ∈ φ(e)}
(2.9)
|E|
where (Ze : e ∈ E) is uniformly distributed over Fq .
2
Proposition 2.4 The mutual dependence of the broadcast
network in Definition 2.4 is (log q)p − (H) where,
P
|δ − ∗ (C)|
−
(2.10a)
p (H) := min C∈P H
P∈Π
|P| − 1
P
(|πP (φ(e))| − 1)
= min e∈E
(2.10b)
P∈Π
|P| − 1
H ∗ := (V, E, φ, ρ) is any star hypergraph of H,
−
c
δH
6⊇ φ(e)}
∗ (C) := {e ∈ E : ρ(e) ∈ C
πP (φ(e)) := {C ∩ φ(e) : C ∈ P} \ {∅}
(2.11)
(2.12)
are the set of in-cut of C and the partition of e respectively.2
P ROOF The broadcast network is a special emulated source
network in Definition 2.1 with,
Yi := (Ze : e ∈ E, i ∈ φ(e) \ {ρ(e)})
Xi := (Ze : e ∈ E, i = ρ(e))
for any arbitrary orientation ρ of H. With the equalities
−
I(XC c ∧ YC |XC ) = H(YC |XC ) = |δH
∗ (C)| and
X
X X
−
|δH
1{C c 6⊇ φ(e)}
∗ (C)| =
C∈P
e∈E C63ρ(e)
=
X
(|πP (φ(e))| − 1)
e∈E
the desired result follows from Proposition 2.1.
−
p (H) expresses an alternative notion of connectivity: the
maximum x ∈ Q such that every partitioning of the vertices
V into k parts split the edges into a total of at least dx(k −1)e
additional parts for any k ∈ [|V |].
Each edge in H corresponds to a broadcast link of secret
information flow as follows.
Hyperedge as undirected broadcast link:
Given an edge e, select a sender i ∈ φ(e) to encrypt an
independent secret M ∈ Fq into the public message M + Ze .
The remaining terminals in φ(e) can perfectly recover M
knowing Ze . Since Ze is uniformly distributed, the encryption
is perfectly secret. We effectively have a private broadcast link
from i to φ(e) \ {i} with unit capacity.
Viewing each edge as a broadcast link, the terminals can
agree on a common secret key by broadcasting it through the
network. In particular, at least one unit of secret information
flow to all terminals is supported by an edge-connected
spanning subhypergraph defined as follows.
Edge-connected spanning subhypergraphs:
An edge-connected spanning subhypergraph S
H 0 := (V, E 0 , φ)
0
of a hypergraph (V, E, φ) satisfies E ⊆ E, e∈E 0 φ(e) = V
and |δH 0 (C, C c )| ≥ 1 for every C ( V .
Definition 2.5 (Network with undirected broadcast links)
A network with undirected broadcast links defined by the
hypergraph H = (V, E, φ) is used at each time as follows:
for all e ∈ E, a sender i ∈ φ(e) can be selected to send a
unit (log q bits) of data noiselessly to all receivers j ∈ φ(e).2
Although there is no analogous packing result to Proposition 2.3, this network coding approach to secret key agreement
is also optimal by the following min-cut characterization of
p − (H̃) in [6, Theorem 5.2].
Min-cut characterization of p − (H̃):
For any s ∈ V , there is a star hypergraph H̃ ∗ of the extension
H̃ of H (defined in (2.8) with p + replaced by p − ) such that
+
(C)| ≥ p − (H̃) for any C ( V : s ∈ C.
|δH̃
∗
Theorem 2.2 Given hypergraph H with p − (H) defined in
(2.5), let CN,ub be the maximum throughput of a broadcast
session of the delay-free network with undirected broadcast
links in Defintion 2.5, and CS,bc be the secrecy capacity of
the broadcast network defined in Definition 2.4, then
CN,ub = CS,bc = (log q)p − (H)
Furthermore, the maximum throughput and secrecy capacity
can be attained asymptotically with finite delay at most
3
2
|V | |E|p − (H)2 logq |V | |E|p − (H)q. The throughput, in particular, can be achieved by the convolutional code in [11]. 2
P ROOF (S KETCH FROM [1]) This result follows from an extension of the algebraic argument in [11] using the extension[6,
Theorem 4.1] of the Menger’s Theorem for star hypergraphs.
The delay is the product nk(µ+1) of the extension n to turn H
to H̃, the extension k to turn the field Fq to Fqk for existence
of the desired network code, and the delay µ required to avoid
cyclic dependency in the information flow of the network. In the following, we give a simple example for which one
cannot decompose any extension H̃ of H into p − (H̃) spanning
edge-connected subhypergraphs. This implies that coding may
be necessary to attain the maximum throughput of the network
with undirected broadcast links in a broadcast session.
Example 2.2 For the broadcast network defined in Defintion 2.4, let q = 2 and H := (V, E, φ) be the hypergraph on V = [4] with edges E := {123, 134, 124} and
φ(ijk) := {i, j, k} for i, j, k ∈ V . Then, p − (H) = 2 but
it is not possible to pack two spanning edge-connected subhypergraphs, for that requires four edges. Indeed, we can maximally pack three spanning edge-connected subhypergraphs
Hi := (V, Ẽi , φ̃) for i ∈ [3] after extending H with n = 2,
where Ẽ1 := {(123, 1), (134, 1)}, Ẽ2 := {(124, 1), (123, 2)}
and Ẽ3 := {(134, 2), (124, 2)}. Thus, a pure routing solution
only achieves a key rate of 1.5 bits per use of the broadcast
network in Definition 2.4.
6
Let H ∗ := (V, E, φ, ρ) be the star hypergraph of H where
+
ρ(e) = 1 for all e ∈ E. n.b. it satisfies |δH
∗ (C)| ≥ 2 for
all C ⊆ V : s ∈ C. We can propagate two secret key bits
K1 , K2 ∈ F2 from s := 1 using the following linear network
code: send K1 through the broadcast link 123, K2 through 134,
and K1 + K2 through 124. Since every terminal has access to
at least two links, they can recover the key bits perfectly. 2
III. R ELATED W ORK
λ∈Λ(F (A),V )
(Please see [1] for details.) Consider the more general secret
key agreement problem in [2] where only a subset A ⊆ V of
the terminals are active. As shown in [2], inequality ≤ for
(1.3) holds with F replaced by
F (A) := {B ⊆ V : ∅ 6= B 6⊇ A}
Theorem 1.1 asserts that equality holds for A = V . However,
equality may not hold when A ( V as shown by the counterexample below.4 This resolves an open question in [2].
Example 3.1 Given uniformly random bits X1 , X2 and X3 in
F2 , define the source network ZV for V := [6] as follows:
Z1 := X1 + X2 , Z2 := X1 + X3 , Z3 := X2 + X3 , Z4 = X3 ,
Z5 = X2 and Z6 = X1 . With A := [3], the mutual dependence
in (1.2) (with F replaced by F (A)) and secrecy capacity on
the R.H.S. of (1.3) are 1 bit and 0.75 bits respectively.
2
Indeed, Theorem 1.1 can be extended in a slightly different
direction to a general identity for supermodular function
optimizations using the following notion of partitions.
Definition 3.1 Given a finite ground set V : |V | ≥ 2, define
Φ(A) for A ⊆ V : |A| ≥ 2 as the collection of all families
F ⊆ 2V \ {V } that satisfy for all B, B 0 ∈ F that B 6⊇ A and
B ∪ B 0 6⊇ A =⇒ B ∩ B 0 , B ∪ B 0 ∈ F
It follows that Φ(A) ( Φ(A0 ) for all A ( A0 . In particular,
F (A0 ) ∈ Φ(A0 ) \ Φ(A) and F := 2V \ {V } = F (V ) ∈ Φ(V ).
Denote F̄ := {B c : B ∈ F}. Define Π(F, U ) for F ∈
Φ(V ) and U ⊆ V as the collection of all families P such
that {C ∩ U : C ∈ P} is a set-partition of U into at least 2
non-empty disjoint sets in F̄, i.e.
[
P ⊆ F̄ : |P| ≥ 2, P ⊇ U and ∀i ∈ U, ∃!C ∈ P : i ∈ C
It follows that Π(F, U ) ⊇ Π(F, U 0 ) for all U ⊆ U 0 .
Define Λ(F, U ) as the set of λ := (λB : B ∈ F) satisfying
X
∀B ∈ F, λB ≥ 0 and ∀i ∈ U,
λB = 1
B∈F :i∈B
0
It follows that Λ(F, U ) ⊇ Λ(F, U ) for all U ⊆ U 0 .
2
Theorem 3.1 Given a finite ground set V : |V | ≥ 2, we have
for all A ⊆ V : |A| ≥ 2, F ∈ Φ(A), and supermodular
function h : F 7→ R that,
X
X
1
h(C c ) (3.1)
max.
λB h(B) = max.
λ∈Λ(F ,A)
P∈Π(F ,A) |P| − 1
B∈F
C∈P
with the convention that max. over an empty set is −∞.5
4 This
5 This
Given A is the set of active users, let CSA,esn , CSA,if and
be the secrecy capacities of the emulated source model,
interference network and broadcast network respectively, and
A
A
CN
,sl and CN,ub be the maximum throughput of the multicast
session from some source node s ∈ A to all other nodes in A
for the networks with selectable links and undirected broadcast
links respectively. Then,
X
CSA,esn = (log q)
min
λB I(XB ∧ YB c |XB c )
CSA,bc
2
is also the minimal example, in lexicographical order of (|V |, |A|).
gives as a corollary that Λ(F , A) = ∅ iff Π(F , A) = ∅.
(a)
A
A
CN
,sl ≤ CS,if = (log q)
B∈F (A)
X
min
λ∈Λ(F (A),V )
(b)
A
A
CN
,ub ≤ CS,bc = (log q)
−
λB |δH
∗ (B)|
B∈F (A)
min
λ∈Λ(F (A),V )
X
+
λB |δH
∗ (B)|
B∈F (A)
which are invariant to any star hypergraph H ∗ of H. The
inequalities hold because the secret key agreement problem
can be mapped to the corresponding network coding problem
in the same way described before. We can also derive (b) using
an alternative combinatorial argument since we have,
(c)
A
1
min
|δ + ∗ (B)|
CN
,ub = max n log q
n,ρ̃
B⊆V :s∈B6⊇A H̃
X
1
(d)
−
(C)|
= max n1 log q
|δH̃
min
∗
n,ρ̃
P∈Π(F (A),A) |P| − 1
C∈P
where ρ̃ is the orientation of the n-extension H̃ of H. (c) and
(d) are obtained by extending [11, Theorem 15] and [6, Theorem 5.2] respectively. (b) then follows from Theorem 3.1 and
the fact that Λ(F (A), A) ) Λ(F (A), V ). For the general class
of network with both selectable links and undirected broadcast
links, however, secrecy capacities conveniently upper bound
maximum throughputs, with no obvious alternative proof.
ACKNOWLEDGMENT
The author would like to thank Bariş Nakibŏglu, Imre
Csiszár, Jeff Kahn, Michel X. Goemans, Stephen P. Boyd,
Anthony M.C. So, Angela Y.J. Zhang, Sidharth Jaggi and
Raymond W.H. Yeung for stimulating discussions.
R EFERENCES
[1] Related work: http://mit.edu/chungc/dissertation.
[2] I. Csiszár and P. Narayan, “Secrecy capacities for multiple terminals,”
IEEE Transactions on Information Theory, vol. 50, Dec 2004.
[3] T. M. Cover and J. A. Thomas, Elements of Information Theory. WileyInterscience Publication, 1991.
[4] S. Fujishige, “Polymatroidal dependence structure of a set of random
variables,” Information and Control, vol. 39, no. 1, pp. 55–72, 1978.
[5] G. B. Dantzig and M. N. Thapa, Linear Programming. 1: Introduction.
Springer-Verlag New York, 1997-2003.
[6] J. Bang-Jensen and S. Thomassé, “Decompositions and orientations
of hypergraphs.” Preprint no. 10, Department of Mathematics and
Computer Science, University of Southern Denmark, May 2001.
[7] A. Schrijver, Combinatorial Optimization: Polyhedra and Efficiency.
Springer, 2002.
[8] T. K. A. Frank and M. Kriesell, “On decomposing a hypergraph into
k-connected sub-hypergraphs,” Discrete Applied Mathematics, vol. 131,
pp. 373–383, September 2003.
[9] C. Ye and A. Reznik, “Group secret key generation algorithms,” in
IEEE International Symposium on Information Theory, 2007. ISIT 2008.,
pp. 2596–2600, June 2007.
[10] Z. Li and B. Li, “Network coding in undirected networks,” in Proceedings of 38th Annual Conference on Information Sciences and Systems
(CISS), 2004.
[11] R. Koetter and M. Médard, “An algebraic approach to network coding,”
IEEE/ACM Transactions on Networking, vol. 11, October 2003.
