Secret Key Agreement: General Capacity and Second-Order Asymptotics - - PowerPoint PPT Presentation

secret key agreement general capacity and second order
SMART_READER_LITE
LIVE PREVIEW

Secret Key Agreement: General Capacity and Second-Order Asymptotics - - PowerPoint PPT Presentation

Mar 27, 2024 247 likes •578 views

Secret Key Agreement: General Capacity and Second-Order Asymptotics Masahito Hayashi Himanshu Tyagi Shun Watanabe Two party secret key agreement Maurer 93, Ahlswede-Csiszr 93 F X Y K y K x A random variable K constitutes an ( , )

slide-1
SLIDE 1

Secret Key Agreement: General Capacity and Second-Order Asymptotics

Masahito Hayashi Himanshu Tyagi Shun Watanabe

slide-2
SLIDE 2

Two party secret key agreement

Maurer 93, Ahlswede-Csiszár 93

Y X F Kx Ky

A random variable K constitutes an (, δ)-SK if: P (Kx = Ky = K) ≥ 1 − : recoverability 1 2 ∥PKF − PunifPF∥ ≤ δ : security

1

slide-3
SLIDE 3

Two party secret key agreement

Maurer 93, Ahlswede-Csiszár 93

Y X F Kx Ky

A random variable K constitutes an (, δ)-SK if: P (Kx = Ky = K) ≥ 1 − : recoverability 1 2 ∥PKF − PunifPF∥ ≤ δ : security

1

slide-4
SLIDE 4

Two party secret key agreement

Maurer 93, Ahlswede-Csiszár 93

Y X F Kx Ky

A random variable K constitutes an (, δ)-SK if: P (Kx = Ky = K) ≥ 1 − : recoverability 1 2 ∥PKF − PunifPF∥ ≤ δ : security What is the maximum length S(X, Y ) of a SK that can be generated?

1

slide-5
SLIDE 5

Where do we stand?

Maurer 93, Ahlswede-Csiszár 93 S(Xn, Y n) = nI(X ∧ Y ) + o(n) (Secret key capacity) Csiszár-Narayan 04 Secret key capacity for multiple terminals Renner-Wolf 03, 05 Single-shot bounds on S(X, Y )

2

slide-6
SLIDE 6

Where do we stand?

Maurer 93, Ahlswede-Csiszár 93 S(Xn, Y n) = nI(X ∧ Y ) + o(n) (Secret key capacity) Csiszár-Narayan 04 Secret key capacity for multiple terminals Renner-Wolf 03, 05 Single-shot bounds on S(X, Y ) Typical construction: X sends a compressed version of itself to Y , and the K is extracted from shared X using a 2-universal hash family

2

slide-7
SLIDE 7

Where do we stand?

Maurer 93, Ahlswede-Csiszár 93 S(Xn, Y n) = nI(X ∧ Y ) + o(n) (Secret key capacity) Csiszár-Narayan 04 Secret key capacity for multiple terminals Renner-Wolf 03, 05 Single-shot bounds on S(X, Y ) Typical construction: X sends a compressed version of itself to Y , and the K is extracted from shared X using a 2-universal hash family Converse??

2

slide-8
SLIDE 8

Where do we stand?

Maurer 93, Ahlswede-Csiszár 93 Fano’s inequality S(Xn, Y n) = nI(X ∧ Y ) + o(n) (Secret key capacity) Csiszár-Narayan 04 Fano’s inequality Secret key capacity for multiple terminals Renner-Wolf 03, 05 ∼ Potential function method Single-shot bounds on S(X, Y ) Typical construction: X sends a compressed version of itself to Y , and the K is extracted from shared X using a 2-universal hash family Converse??

2

slide-9
SLIDE 9

Converse: Conditional independence testing bound

The source of our rekindled excitement about this problem:

Theorem ( Tyagi-Watanabe 2014)

Given , δ ≥ 0 with + δ < 1 and 0 < η < 1 − − δ. It holds that S,δ (X, Y ) ≤ − log β+δ+η

  • PXY , PXPY
  • + 2 log(1/η)

3

slide-10
SLIDE 10

Converse: Conditional independence testing bound

The source of our rekindled excitement about this problem:

Theorem ( Tyagi-Watanabe 2014)

Given , δ ≥ 0 with + δ < 1 and 0 < η < 1 − − δ. It holds that S,δ (X, Y ) ≤ − log β+δ+η

  • PXY , PXPY
  • + 2 log(1/η)

β(P, Q) inf

T : P[T]≥1− Q[T],

where P[T] =

  • v

P(v)T(0|v) Q[T] =

  • v

Q(v)T(0|v)

3

slide-11
SLIDE 11

Converse: Conditional independence testing bound

The source of our rekindled excitement about this problem:

Theorem ( Tyagi-Watanabe 2014)

Given , δ ≥ 0 with + δ < 1 and 0 < η < 1 − − δ. It holds that S,δ (X, Y ) ≤ − log β+δ+η

  • PXY , PXPY
  • + 2 log(1/η)

β(P, Q) inf

T : P[T]≥1− Q[T],

where P[T] =

  • v

P(v)T(0|v) Q[T] =

  • v

Q(v)T(0|v) In the spirit of meta-converse of Polyanskiy, Poor, and Verdu

3

slide-12
SLIDE 12

Single-shot achievability?

Recall the two steps of SK agreement: Step 1 (aka Information reconciliation). Slepian-Wolf code to send X to Y Step 2 (aka Randomness extraction or privacy amplification). “Random function” K to extract uniform random bits from X as K(X)

  • Example. For (X, Y ) ≡ (Xn, Y n)

Rate of communication in step 1 = H(X | Y ) = H(X) − I(X ∧ Y ) Rate of randomness extraction in step 2 = H(X) The difference is the secret key capacity

4

slide-13
SLIDE 13

Single-shot achievability?

Recall the two steps of SK agreement: Step 1 (aka Information reconciliation). Slepian-Wolf code to send X to Y Step 2 (aka Randomness extraction or privacy amplification). “Random function” K to extract uniform random bits from X as K(X)

  • Example. For (X, Y ) ≡ (Xn, Y n)

Rate of communication in step 1 = H(X | Y ) = H(X) − I(X ∧ Y ) Rate of randomness extraction in step 2 = H(X) The difference is the secret key capacity Are we done?

4

slide-14
SLIDE 14

Single-shot achievability?

Recall the two steps of SK agreement: Step 1 (aka Information reconciliation). Slepian-Wolf code to send X to Y Step 2 (aka Randomness extraction or privacy amplification). “Random function” K to extract uniform random bits from X as K(X)

  • Example. For (X, Y ) ≡ (Xn, Y n)

Rate of communication in step 1 = H(X | Y ) = H(X) − I(X ∧ Y ) Rate of randomness extraction in step 2 = H(X) The difference is the secret key capacity Are we done? Not quite. Let’s take a careful look

4

slide-15
SLIDE 15

Step 1: Slepian-Wolf theorem

Miyake Kanaya 95, Han 03

Lemma (Slepian-Wolf coding)

There exists a code (e, d) of size M with encoder e : X → {1, ..., M}, and a decoder d : {1, ..., M} × Y → X, such that PXY ({(x, y) | x ̸= d(e(x), y)}) ≤ PXY

  • {(x, y) | − log PX|Y (x | y) ≥ log M − γ}
  • + 2−γ.

5

slide-16
SLIDE 16

Step 1: Slepian-Wolf theorem

Miyake Kanaya 95, Han 03

Lemma (Slepian-Wolf coding)

There exists a code (e, d) of size M with encoder e : X → {1, ..., M}, and a decoder d : {1, ..., M} × Y → X, such that PXY ({(x, y) | x ̸= d(e(x), y)}) ≤ PXY

  • {(x, y) | − log PX|Y (x | y) ≥ log M − γ}
  • + 2−γ.

− log PX|Y = − log PX − log(PY |X/PY ) Compare with H(X|Y ) = H(X) − I(X ∧ Y ) The second term is a proxy for the mutual information

5

slide-17
SLIDE 17

Step 1: Slepian-Wolf theorem

Miyake Kanaya 95, Han 03

Lemma (Slepian-Wolf coding)

There exists a code (e, d) of size M with encoder e : X → {1, ..., M}, and a decoder d : {1, ..., M} × Y → X, such that PXY ({(x, y) | x ̸= d(e(x), y)}) ≤ PXY ({(x, y) | ≥ log M − γ}) + 2−γ. − log PX|Y = − log PX − log(PY |X/PY ) Compare with H(X|Y ) = H(X) − I(X ∧ Y ) The second term is a proxy for the mutual information Communication rate needed is approximately equal to (large probability upper bound on − log PX) − log(PY |X/PY )

5

slide-18
SLIDE 18

Step 2: Leftover hash lemma

Lesson from the step 1: Communication rate is approximately (large probability upper bound on − log PX) − log(PY |X/PY ) Recall that the min entropy of X is given by Hmin (PX) = − log max

x

PX (x) Impagliazzo et. al. 89, Bennett et. al. 95, Renner-Wolf 05

Lemma (Leftover hash)

There exists a function K of X taking values in K such that ∥PKZ − PunifPZ∥ ≤

  • |K||Z|2−Hmin(PX)

6

slide-19
SLIDE 19

Step 2: Leftover hash lemma

Lesson from the step 1: Communication rate is approximately (large probability upper bound on − log PX) − log(PY |X/PY ) Recall that the min entropy of X is given by Hmin (PX) = − log max

x

PX (x) Impagliazzo et. al. 89, Bennett et. al. 95, Renner-Wolf 05

Lemma (Leftover hash)

There exists a function K of X taking values in K such that ∥PKZ − PunifPZ∥ ≤

  • |K||Z|2−Hmin(PX)

Randomness can be extracted at a rate approximately equal to (large probability lower bound on − log PX)

6

slide-20
SLIDE 20

Step 2: Leftover hash lemma

Lesson from the step 1: Communication rate is approximately (large probability upper bound on − log PX) − log(PY |X/PY ) Recall that the min entropy of X is given by Hmin (PX) = − log max

x

PX (x) Impagliazzo et. al. 89, Bennett et. al. 95, Renner-Wolf 05

Lemma (Leftover hash)

There exists a function K of X taking values in K such that ∥PKZ − PunifPZ∥ ≤

  • |K||Z|2−Hmin(PX)

Randomness can be extracted at a rate approximately equal to (large probability lower bound on − log PX)

− log PX(X) Information Spectrum of X

Loss in SK rate

6

slide-21
SLIDE 21

Spectrum slicing

− log PX(X)

A slice of the spectrum

λmax λmin

Slice the spectrum of X into L bins of length ∆ and send the bin number to Y

7

slide-22
SLIDE 22

Single-shot achievability

Theorem

For every γ > 0 and 0 ≤ λ ≤ λmin, there exists an (, δ)-SK K taking values in K with ≤ P

  • log

PXY (X, Y ) PX (X) PY (Y ) ≤ λ + γ + ∆

  • +P (− log PX (X) /

∈ (λmin, λmax)) + 1 L δ ≤ 1 2

  • |K|2−(λ−2 log L)

8

slide-23
SLIDE 23

Secret key capacity for general sources

Consider a sequence of sources (Xn, Yn) The SK capacity C is defined as C sup

n,δn

lim inf

n→∞

1 nSn,δn (Xn, Yn) where the sup is over all n, δn ≥ 0 such that lim

n→∞ n + δn = 0

9

slide-24
SLIDE 24

Secret key capacity for general sources

Consider a sequence of sources (Xn, Yn) The SK capacity C is defined as C sup

n,δn

lim inf

n→∞

1 nSn,δn (Xn, Yn) where the sup is over all n, δn ≥ 0 such that lim

n→∞ n + δn = 0

The inf-mutual information rate I(X ∧ Y) is defined as I(X ∧ Y) sup

  • α |

lim

n→∞ P (Zn < α) = 0

  • where

Zn = 1 n log PXnYn (Xn, Yn) PXn (Xn) PYn (Yn)

9

slide-25
SLIDE 25

General capacity

Theorem (Secret key capacity)

The SK capacity C for a sequence of sources {Xn, Yn}∞

n=1 is given by

C = I(X ∧ Y)

10

slide-26
SLIDE 26

General capacity

Theorem (Secret key capacity)

The SK capacity C for a sequence of sources {Xn, Yn}∞

n=1 is given by

C = I(X ∧ Y)

  • Converse. Follows from our conditional independence testing bound with:

Lemma (Verdú)

For every n such that lim

n→∞ n = 0

it holds that lim inf

n

− 1 n log βn (PXnYn, PXnPYn) ≤ I(X ∧ Y)

10

slide-27
SLIDE 27

General capacity

Theorem (Secret key capacity)

The SK capacity C for a sequence of sources {Xn, Yn}∞

n=1 is given by

C = I(X ∧ Y)

  • Achievability. Use the single-shot construction with

λmax = n

  • H(X) + ∆
  • λmin = n (H(X) − ∆)

λ = n (I (X ∧ Y) − ∆)

10

slide-28
SLIDE 28

Towards characterizing finite-blocklength performance

We identify the second term in the asymptotic expansion of S(Xn, Y n):

Theorem (Second order asymptotics)

For every 0 < < 1 and IID RVs Xn, Y n, we have S (Xn, Y n) = nI(X ∧ Y ) − √ nV Q−1() + o(√n) The quantity V is given by V = Var

  • log

PXY (X, Y ) PX (X) PY (Y )

  • 11
slide-29
SLIDE 29

Towards characterizing finite-blocklength performance

We identify the second term in the asymptotic expansion of S(Xn, Y n):

Theorem (Second order asymptotics)

For every 0 < < 1 and IID RVs Xn, Y n, we have S (Xn, Y n) = nI(X ∧ Y ) − √ nV Q−1() + o(√n) The quantity V is given by V = Var

  • log

PXY (X, Y ) PX (X) PY (Y )

  • Proof relies on the use of Berry-Esseen theorem as in

Polyanskiy-Poor-Verdu 10

11

slide-30
SLIDE 30

Dr

Towards characterizing finite-blocklength performance

We identify the second term in the asymptotic expansion of S(Xn, Y n):

Theorem (Second order asymptotics)

For every 0 < < 1 and IID RVs Xn, Y n, we have S (Xn, Y n) = nI(X ∧ Y ) − √ nV Q−1() + o(√n) The quantity V is given by V = Var

  • log

PXY (X, Y ) PX (X) PY (Y )

  • Proof relies on the use of Berry-Esseen theorem as in

Polyanskiy-Poor-Verdu 10 What about S,δ(Xn, Y n)?

11

slide-31
SLIDE 31

Dr

Looking ahead ...

What if the eavesdropper has side information Z? Best known converse bound on SK capacity due to Gohari-Ananthram 08 Recently we obtained a one-shot version of this bound Tyagi and Watanabe, Converses for Secret Key Agreement and Secure Computing, preprint arXiv:1404.5715, 2014 - arxiv.org Also, we have a single-shot achievability scheme that is asymptotically tight when X, Y, Z form a Markov chain

12