3.2 Wiretap channel
Let \(f:{\mathcal {X}}\times {\mathcal {S}}\rightarrow {\mathcal {A}}\) be the functional form of a mosaic \((D_\alpha )_{\alpha \in {\mathcal {A}}}\) of \((v,k,r)\) tactical configurations and let \(W:{\mathcal {X}}\rightarrow {\mathcal {Z}}\) be a wiretap channel. Assume that the confidential messages to be transmitted are represented by the random variable \(A\) on \({\mathcal {A}}\). The random seed is represented by \(S\), uniformly distributed on \({\mathcal {S}}\) and independent of \(A\). Application of the randomized inverse of \(f\) determines the random input \(X\) to \(W\), and the random output of \(W\) seen by Eve is denoted by \(Z\). The joint probability distribution of these four random variables is
$$\begin{aligned} P_{ZXSA}(z,x,s,\alpha )=\frac{1}{bk}w(z\vert x)N_\alpha (x,s)P_A(\alpha ), \end{aligned}$$
(3.4)
where \(N_\alpha \) is the incidence matrix of \(D_\alpha \).
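As a sanity check of (3.4), the following sketch builds a hypothetical toy mosaic with functional form \(f(x,s)=x+s \bmod a\), so that each \(D_\alpha \) is a \((6,2,1)\) tactical configuration, pairs it with an invented binary-output channel, and verifies that (3.4) defines a probability distribution. The mosaic, the channel \(w\) and the message distribution are illustrative assumptions, not objects from the text.

```python
import itertools

v, b, a = 6, 3, 3          # points, seed values, colors (hypothetical toy mosaic)
k = v // a                 # block size of each tactical configuration
X, S, A = range(v), range(b), range(a)

def f(x, s):               # functional form of the mosaic: f(x,s) = x+s mod a
    return (x + s) % a

def N(alpha, x, s):        # incidence matrix of D_alpha
    return 1 if f(x, s) == alpha else 0

Z = range(2)
def w(z, x):               # invented wiretap channel: noisy parity of x
    return 0.8 if z == x % 2 else 0.2

P_A = [0.5, 0.3, 0.2]      # an arbitrary message distribution

# joint distribution (3.4): P(z,x,s,alpha) = w(z|x) N_alpha(x,s) P_A(alpha) / (bk)
P = {(z, x, s, al): w(z, x) * N(al, x, s) * P_A[al] / (b * k)
     for z, x, s, al in itertools.product(Z, X, S, A)}

assert abs(sum(P.values()) - 1) < 1e-9       # a valid joint distribution
for al in A:                                 # block s of D_alpha has exactly k points
    for s in S:
        assert sum(N(al, x, s) for x in X) == k
print("joint distribution sums to", sum(P.values()))
```

Given \(\alpha \) and \(s\), the input \(X\) is uniform on the \(k\) points of block \(s\) of \(D_\alpha \), which is exactly the randomized inverse of \(f\).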
The two security metrics by which we measure the degree of security offered by \(f\) for \(W\) are defined in terms of the joint distribution of \(Z\), \(S\) and \(A\) with a worst-case choice of \(A\). The first security metric is defined as the mutual information between the message \(A\) and the eavesdropper’s information \((Z,S)\), maximized over all possible message distributions,
$$\begin{aligned} \max _{P_A}I(A\wedge Z,S). \end{aligned}$$
(3.5)
The best case would be that Eve’s observations are independent of the message, no matter what the message distribution is, in which case the mutual information would vanish. This is not achievable in general, even for a fixed message distribution. Instead, we try to make the maximum in (3.5) as small as possible. Like the other security criteria defined below, the requirement that (3.5) be small does not make any assumptions on Eve’s computing power. Thus we aim for unconditional security.
In order to formulate the upper bound for (3.5), we need to introduce additional notation. If \({\mathcal {U}}\) is a finite set and \(R:{\mathcal {U}}\rightarrow {\mathcal {X}}\) is a channel, then the usual matrix product \(RW\) of the stochastic matrices \(R\) and \(W\) gives the channel with input alphabet \({\mathcal {U}}\) and output alphabet \({\mathcal {Z}}\) which results from concatenating \(R\) and \(W\). If \(P\) is a probability measure on \({\mathcal {X}}\), then this also defines the probability measure \(PW\) on \({\mathcal {Z}}\), by regarding \(P\) as a channel with a single row. The uniform distribution on any set \({\mathcal {X}}\) is denoted by \(P_{{\mathcal {X}}}\). Also, recall the Rényi 2-divergence defined in Sect. 3.1.
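The matrix-product view of concatenation is easy to illustrate numerically. The stochastic matrices below are made up for the example; the point is only that \(RW\) is again a channel and \(PW\) is again a probability measure.

```python
import numpy as np

# channel concatenation as a stochastic-matrix product:
# (RW)(z|u) = sum_x R(x|u) W(z|x)
R = np.array([[0.7, 0.3, 0.0],      # invented channel U -> X (rows sum to 1)
              [0.1, 0.6, 0.3]])
W = np.array([[0.9, 0.1],           # invented wiretap channel X -> Z
              [0.5, 0.5],
              [0.2, 0.8]])
RW = R @ W                          # concatenated channel U -> Z
assert np.allclose(RW.sum(axis=1), 1)

P = np.array([[0.2, 0.5, 0.3]])     # a distribution on X, viewed as a one-row channel
PW = P @ W                          # the induced output distribution on Z
assert np.allclose(PW.sum(), 1)
print(RW, PW)
```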
This theorem is proved in Sect. 4. The main observation is Proposition 4.2, which both for the BIBD and the GDD case states equality between \(\exp (D_2(P_{Z\vert S,A=\alpha }\Vert P_{Z\vert S}\vert P_{{\mathcal {S}}}))\) and the respective upper bound in the statement. Since this equality depends, for every \(\alpha \), only on \(D_\alpha \), it really is a statement about BIBDs and GDDs.
Clearly, a GDD with \(\lambda _1=\lambda _2\) is a BIBD, so the first part of the theorem is implied by the second one. The same holds for Theorems 3.3, 3.6 and 3.7 below.
An alternative measure of semantic security is formulated in terms of total variation distance. Denote the product of the probability distributions \(P\) and \(Q\) by \(PQ\). Then, with the random variables \(Z\), \(S\), \(A\) as defined in (3.4), we would like
$$\begin{aligned} \max _{P_A}\Vert P_{ZSA}-P_{ZS}P_A\Vert \end{aligned}$$
(3.6)
to be small. If it equals zero, then the eavesdropper’s observations are independent of the message, for all possible message distributions.
This theorem is also proved in Sect. 4. It essentially follows from Theorem 3.2 and the relations (3.1) and (3.3).
Interpretation. The importance of the bounds of Theorems 3.2 and 3.3 is that they show how much randomness \(k\) is sufficient in the randomized inverse in order to obtain a desired level of semantic security. Since \(v\) non-confidential messages can be reliably transmitted to Bob, this translates into a lower bound on the number \(a\) of confidential messages.
The bounds of Theorems 3.2 and 3.3 can be improved by “smoothing” \(W\). This means that the outputs of \(W\) are restricted to being “typical”, i.e., outputs of low probability are cut off. This idea goes back to Renner and Wolf [28]. By smoothing, the conditional divergences can be reduced substantially at the cost of a small additive term in each bound. After smoothing, the channel will in general no longer be stochastic, but only substochastic. The proofs of the theorems remain valid for substochastic channels since they only use the nonnegativity of the entries of \(W\). All that needs to be done is to generalize the Rényi divergences to substochastic channels as in [34].
The bounds can be evaluated by comparing them with the benchmark cases of memoryless discrete and Gaussian wiretap channels (see [9] or [34] for a definition). These wiretap channels are actually families \(\{W_n:n\ge 1\}\) of channels, where the parameter \(n\) indicates the blocklength. For these channels, a sequence of security codes achieves asymptotic optimality as the blocklength goes to infinity if the largest possible asymptotic communication rate for confidential message transmission, the secrecy capacity, is achieved subject to the condition that either (3.5) or (3.6) goes to zero.
Theorems 3.2 and 3.3 show that security functions given by suitable mosaics of BIBDs or of semi-regular GDDs achieve asymptotic optimality when applied to memoryless discrete or Gaussian wiretap channels after smoothing each \(W_n\). This holds even if the channel between Alice and Bob is not perfect, in which case the \(W_n\) are concatenations of an encoder and a memoryless channel. For the proof, one proceeds as in [34]. Functional forms of block rate optimal mosaics of singular GDDs turn out to be suboptimal security functions, as discussed below.
We would like to stress, however, that the theorems hold without any further structural assumptions on the channel \(W\). For a targeted level of security and a given channel, they can be used to determine an achievable communication rate at which confidential messages can be sent through the channel using an efficiently computable security code.
Note that in both Theorems 3.2 and 3.3, the wiretap channel enters into the upper bounds only through the conditional Rényi 2-divergences. This gives some robustness against channel variations or limited channel knowledge.
The bounds in the GDD case. Assume that \(N\) is the incidence matrix of a \((u,m,k,\lambda _1,\lambda _2)\) GDD and that \(w\in {\mathbb {R}}^{{\mathcal {X}}}\) is a nonnegative vector. Set \(\lambda _\mathrm {max}=\max \{\lambda _1,\lambda _2\}\). Then
$$\begin{aligned} w^TNN^Tw\le (r-\lambda _\mathrm {max})w^Tw+\lambda _\mathrm {max}(w^Tj)^2. \end{aligned}$$
(3.7)
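Inequality (3.7) can be checked numerically on a small instance. The sketch below uses the transversal design TD\((2,n)\), viewed as a GDD with \(u=n\), \(m=2\), \(k=2\), \(\lambda _1=0\), \(\lambda _2=1\), \(r=n\); this particular toy instance is an assumption made only for the test.

```python
import numpy as np
rng = np.random.default_rng(0)

n = 4                       # group size; TD(2,n) as a (n,2,2,0,1) GDD
points = [(g, i) for g in range(2) for i in range(n)]        # 2 point classes
blocks = [((0, i), (1, j)) for i in range(n) for j in range(n)]
N = np.array([[1 if p in blk else 0 for blk in blocks] for p in points])

r, l_max = n, 1             # replication number and max(lambda_1, lambda_2)
M = N @ N.T                 # diagonal r; 0 within a class, 1 across classes
j = np.ones(len(points))

for _ in range(100):        # check (3.7) on random nonnegative vectors w
    w = rng.random(len(points))
    lhs = w @ M @ w
    rhs = (r - l_max) * (w @ w) + l_max * (w @ j) ** 2
    assert lhs <= rhs + 1e-9
print("inequality (3.7) verified on random nonnegative vectors")
```

For this design the two sides differ only in the within-class off-diagonal entries, which is why nonnegativity of \(w\) is needed.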
In the proofs of the GDD cases of Theorems 3.2 and 3.3, the relation (2.5) is used with equality. By using (3.7) instead of (2.5), one obtains an upper bound of the same form as that obtained in the BIBD case of the theorems, with \(\lambda \) replaced by \(\lambda _\mathrm {max}\). Since the point class decomposition of \({\mathcal {X}}\) associated with the applied mosaic of GDDs will in general not have any special relation to the channel, using this looser upper bound might save the work of estimating the additional Rényi divergence or entropy, and it gives a bound which, for the benchmark cases and for mosaics of BIBDs or of semi-regular GDDs, is asymptotically equivalent to the one appearing in the theorems.
The GDD bounds of Theorems 3.2 and 3.3 can also be simplified without using the upper bound (3.7), by taking the type of the members of the mosaic \(M=(D_\alpha )_{\alpha \in {\mathcal {A}}}\) into consideration.
In the case where the members of \(M\) are singular GDDs, every \(D_\alpha \) is induced by a BIBD \(D_\alpha ^*\). Since the point class partitions of all \(D_\alpha \) are the same, all \(D_\alpha ^*\) have the same parameters \(v^*,k^*,\lambda ^*\) and form a mosaic of BIBDs. The coefficient of \(D_2(W\Vert P_{{\mathcal {X}}}W\vert P_{{\mathcal {X}}})\) vanishes, hence only the divergence involving the point class partition is relevant. In Theorem 3.2, the two nonzero coefficients have the form
$$\begin{aligned} 1-\frac{r^*-\lambda ^*}{k^*r^*}\quad \text {and}\quad \frac{r^*-\lambda ^*}{k^*r^*}. \end{aligned}$$
(3.8)
In Theorem 3.3, both remaining coefficients equal \((r^*-\lambda ^*)/k^*r^*\).
Semi-regular GDDs satisfy \(rk=\lambda _2v\). Hence if \(M\) consists of semi-regular GDDs, then the three coefficients in Theorem 3.2, in the order of their appearance, equal
$$\begin{aligned} 1,\quad -\frac{r-\lambda _1}{kr},\quad \frac{r-\lambda _1}{kr}. \end{aligned}$$
(3.9)
For the case where \(\lambda _1=0\), in particular in the case of transversal designs, the same coefficients become
$$\begin{aligned} 1,\quad -\frac{1}{k},\quad \frac{1}{k}. \end{aligned}$$
The coefficients take a similarly simple form in Theorem 3.3.
Suboptimality of singular GDDs. When applied in Theorems 3.2 and 3.3, approximately block rate optimal mosaics of singular GDDs with a small color rate and a sufficiently large point set achieve strictly lower color rates than mosaics of BIBDs or of semi-regular GDDs at the same security level. In particular, they turn out to be asymptotically suboptimal in the case of memoryless discrete or Gaussian wiretap channels, where the size of the point set goes to infinity with increasing blocklength. This means that asymptotically optimal sequences of security functions given by mosaics of BIBDs or GDDs for these channels have block rates at least 1.
We only discuss Theorem 3.2 here; the situation is analogous for Theorem 3.3. We begin with the following simple lemma, which is the basis of our discussion.
If one applies Theorem 3.2 with a mosaic of semi-regular GDDs, then one sees from (3.9) that a security level \(\max _{P_A}I(A\wedge Z,S)\) smaller than \(\delta >0\) is achieved by choosing \(\log k\) equal to \(D_2(W\Vert P_{{\mathcal {X}}}W\vert P_{{\mathcal {X}}})+\log (1/\delta )\). This results in the color rate
$$\begin{aligned} {\tilde{\varrho }} =1-\frac{D_2(W\Vert P_{{\mathcal {X}}}W\vert P_{{\mathcal {X}}})+\log (1/\delta )}{\log v}. \end{aligned}$$
The same holds in the simpler situation of mosaics of BIBDs.
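A small numerical illustration of this trade-off, working in base-2 logarithms and with invented values for the divergence, security level and point set size:

```python
from math import log2

# hypothetical numbers, for illustration only
D2 = 3.0                        # D_2(W || P_X W | P_X) in bits (assumed)
delta = 2 ** -20                # target bound on max_{P_A} I(A ^ Z,S)
log_v = 64.0                    # log of the point set size

log_k = D2 + log2(1 / delta)    # seed randomness: log k = D_2 + log(1/delta)
rho = 1 - log_k / log_v         # resulting color rate
print(log_k, rho)               # 23.0 0.640625
```

Larger required security (smaller \(\delta \)) or a noisier eavesdropper channel (larger \(D_2\)) costs seed randomness and hence color rate.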
Now assume that \({\tilde{\varrho }}<1/2\). By Sect. 2.3, the only way to achieve a security level smaller than \(\delta \) for the same channel \(W\) with an approximately block rate optimal mosaic is via a mosaic \(M\) of singular GDDs which is the \(u\)-fold multiple of a mosaic \(M^*\) of block rate optimal BIBDs with color rate \(\varrho ^*\). When Theorem 3.2 is applied with the security function determined by \(M\), the \(D_2(W\Vert P_{{\mathcal {X}}}W\vert P_{{\mathcal {X}}})\) term vanishes in the upper bound. By (3.8), a security level smaller than \(\delta \) is achieved by choosing \(\log k^*\) equal to \(D_2(R_\varPi W\Vert P_{{\mathcal {X}}}W\vert P_\varPi )+\log (1/\delta )\), and without any further information about the channel, this latter expression can be as large as \(D_2( W\Vert P_{{\mathcal {X}}}W\vert P_{{\mathcal {X}}})+\log (1/\delta )\) by Lemma 3.4.
For the color rate \(\varrho \) of \(M\), this means that
$$\begin{aligned} \varrho =1-\frac{\log k}{\log v} =1-\frac{\log k^*+\log u}{\log v} \le {\tilde{\varrho }}-\frac{\log u}{\log v}. \end{aligned}$$
(3.10)
This is at most \({\tilde{\varrho }}\). In fact, for fixed \({\tilde{\varrho }}\), it is easy to see that \(\log u/\log v\) is bounded from below by a positive constant for large \(v\). This is because the approximate block rate optimality of \(M\) requires \(\varrho ^*\) to be at least \(\varrho _0(v^*,k^*)\), which tends to 1/2 as \(v^*\) grows; and if \(v^*\) is kept small, then \(u\) necessarily has to be large.
The loss of color rate as in (3.10) can be avoided if one knows that equality holds in the left-hand inequality of Lemma 3.4 for a certain partition \(\varPi \). However, exploiting this in the security bounds would require knowledge of \(D_2(R_\varPi W\Vert P_{{\mathcal {X}}}W\vert P_\varPi )\) and the adaptation of the point class partition of the GDDs to that of the wiretap channel, neither of which is necessary in the case of mosaics of BIBDs or of semi-regular GDDs.
3.3 Privacy amplification
Now we turn to privacy amplification. Assume that the random variable \(X\) is shared by Alice and Bob and that Eve observes a random variable \(Z\) correlated with \(X\). Without loss of generality, we assume that \(P_Z(z)>0\) for all \(z\in {\mathcal {Z}}\). Moreover, Alice and Bob are both given the functional form \(f:{\mathcal {X}}\times {\mathcal {S}}\rightarrow {\mathcal {A}}\) of a mosaic \((D_\alpha )_{\alpha \in {\mathcal {A}}}\) of \((v,k,r)\) tactical configurations. In order to generate a secret key, Alice and Bob observe a realization \(x\) of \(X\), choose a seed \(s\in {\mathcal {S}}\) uniformly at random, and take \(\alpha =f(x,s)\) as the secret key. Denote the random variable generated by applying \(f\) as described above by \(A\). The joint distribution of \(X\), \(Z\), \(S\) and \(A\) is
$$\begin{aligned} P_{XZSA}(x,z,s,\alpha )=\frac{1}{b}P_{XZ}(x,z)N_\alpha (x,s), \end{aligned}$$
(3.11)
where \(N_\alpha \) is the incidence matrix of \(D_\alpha \). The key \(A\) should be nearly uniformly distributed on \({\mathcal {A}}\) and semantically secure with respect to Eve’s observation. The first condition is satisfied perfectly.
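Perfect uniformity can be read off from (3.11): summing over \(x,z,s\) gives \(P_A(\alpha )=r/b=1/a\) for every \(\alpha \), whatever the distribution of \(X\), since each point lies in exactly \(r\) blocks of each \(D_\alpha \) and the \(N_\alpha \) sum to the all-ones matrix. The following exact-arithmetic sketch checks this for a hypothetical toy mosaic with \(f(x,s)=x+s \bmod a\) and an arbitrary non-uniform \(P_X\).

```python
from fractions import Fraction

v, b, a = 6, 3, 3                  # hypothetical toy mosaic, f(x,s) = x+s mod a
X, S, A = range(v), range(b), range(a)
f = lambda x, s: (x + s) % a

# an arbitrary (non-uniform) distribution of the shared randomness X
P_X = [Fraction(1, 12), Fraction(3, 12), Fraction(2, 12),
       Fraction(1, 12), Fraction(4, 12), Fraction(1, 12)]

# key distribution from (3.11): P_A(alpha) = sum_x P_X(x) #{s : f(x,s)=alpha} / b
P_A = [sum(P_X[x] * Fraction(sum(f(x, s) == al for s in S), b) for x in X)
       for al in A]
assert all(p == Fraction(1, a) for p in P_A)   # key is perfectly uniform
print(P_A)
```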
For semantic security, we can again use total variation distance or mutual information as the security measure. One equivalent formulation of semantic security is the indistinguishability of two possible realizations of the secret. In terms of total variation distance, this means that for any two distinct \(\alpha ,\alpha '\in {\mathcal {A}}\), one wants
$$\begin{aligned} \Vert P_{ZS\vert A=\alpha }-P_{ZS\vert A=\alpha '}\Vert \end{aligned}$$
to be uniformly small. By the triangle inequality, this is true if
$$\begin{aligned} \Vert P_{ZS\vert A=\alpha }-P_ZP_{{\mathcal {S}}}\Vert \end{aligned}$$
(3.12)
is small, uniformly in \(\alpha \in {\mathcal {A}}\).
For any point class partition \(\varPi =\{{\mathcal {X}}_1,\ldots ,{\mathcal {X}}_m\}\) of \({\mathcal {X}}\), we define the random variable \(X_\varPi \) whose conditional distribution given \(Z\) is
$$\begin{aligned} P_{X_\varPi \vert Z}(i\vert z)=P_{X\vert Z}({\mathcal {X}}_i\vert z). \end{aligned}$$
Then we have the following result.
This is proved in Sect. 4 as a consequence of the next theorem.
If we prefer to measure the indistinguishability of key values with respect to Kullback-Leibler divergence, we should ensure that there exists a probability measure \(Q\) on \({\mathcal {Z}}\times {\mathcal {S}}\) such that \(P_{ZS\vert A=\alpha }\) is close to \(Q\) in terms of Kullback-Leibler divergence, uniformly in \(\alpha \in {\mathcal {A}}\). This is analogous to (3.12). If we choose \(Q=P_ZP_{{\mathcal {S}}}\), then we have the following bound.
The theorem is proved in Sect. 4. As in the wiretap case, its core is Proposition 4.4, which proves the equality of \(\exp (D_2(P_{S\vert Z=z,A=\alpha }\Vert P_{{\mathcal {S}}}))\) with the \(z\)-term in the upper bound.
Interpretation. The interpretation of Theorems 3.6 and 3.7 is analogous to that of Theorems 3.2 and 3.3. The number of interest is \(a\), the size of the key space. Theorems 3.6 and 3.7 give a lower bound on the maximal possible \(a\) given a required degree of security, and show that this lower bound is achievable using the functional form of a mosaic of BIBDs or GDDs.
It is proved in [7, Corollary 4] that
$$\begin{aligned} \exp \bigl (I(A\wedge S\vert Z=z)\bigr )\le a2^{-\min _zH_2(X\vert Z=z)}+1 \end{aligned}$$
if the security function is a universal hash function. This upper bound is very similar to the one proved in the first part of Theorem 3.7 for mosaics of BIBDs or of semi-regular GDDs, but it only gives strong secrecy. (The conditioning on the event \(Z=z\) is also possible in our setting, see (4.7).) It follows that these mosaics yield the same key size as universal hash functions, but with a stronger notion of security and a perfectly uniformly distributed key. Mosaics of singular GDDs only involve the \(\min _zH_2(X_\varPi \vert Z=z)\) term and are discussed in more detail below.
If Alice and Bob are connected by a public two-way channel without rate constraint, the secret-key capacity in the benchmark case of a memoryless discrete source model can be achieved by a sequential key distillation protocol guaranteeing semantic security, using functional forms of mosaics of BIBDs or suitable GDDs in the privacy amplification step (cf. [9, Theorem 4.5]).
The bounds in the GDD case. By applying (3.7), the bounds for the GDD cases of Theorems 3.6 and 3.7 can be given the same form as the ones for the BIBD case, with \(\lambda \) replaced by \(\lambda _\mathrm {max}\).
If the mosaic consists of singular GDDs, then the coefficient of the \(H_2(X\vert Z=z)\) term vanishes. The second and third terms in Theorem 3.7 are
$$\begin{aligned} \frac{a(r^*-\lambda ^*)}{r^*}\quad \text {and}\quad -\frac{r^*-\lambda ^*}{k^*r^*}, \end{aligned}$$
where, as in the wiretap scenario, \(k^*,r^*,\lambda ^*\) are the parameters of the underlying BIBDs.
In the case of semi-regular GDDs, one has, in the order of their appearance, the three terms
$$\begin{aligned} \frac{a(r-\lambda _1)}{r},\quad -\frac{a(r-\lambda _1)}{ur},\quad 0. \end{aligned}$$
In particular, for transversal designs, one obtains
$$\begin{aligned} a,\quad -1,\quad 0. \end{aligned}$$
Similar simplifications are possible for the bounds of Theorem 3.6.
Suboptimality of singular GDDs. As in the wiretap scenario, mosaics of singular GDDs are suboptimal compared with mosaics of BIBDs or of semi-regular GDDs, since they require a larger \(k\) in order to achieve a comparable security level.
The reasons are analogous to those for the wiretap case, based on the inequalities
$$\begin{aligned} H_2(X\vert Z=z)-\log u\le H_2(X_\varPi \vert Z=z)\le H_2(X\vert Z=z) \end{aligned}$$
(3.14)
for any partition \(\varPi =\{{\mathcal {X}}_1,\ldots ,{\mathcal {X}}_m\}\) of \({\mathcal {X}}\) into sets of size \(u\), and any \(z\in {\mathcal {Z}}\). The condition for equality in the right-hand inequality is that there exists at most one \(x\) per \({\mathcal {X}}_i\) with \(P_{X\vert Z}(x\vert z)>0\). On the left-hand side, equality holds if and only if \(P_{X\vert Z}(\cdot \vert z)\) is constant on each \({\mathcal {X}}_i\) for every \(z\).
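The sandwich (3.14) and both equality conditions are easy to test numerically. The sketch below uses the Rényi 2-entropy \(H_2(p)=-\log _2\sum _xp(x)^2\) and random conditional distributions; the partition classes are taken as contiguous blocks of size \(u\), an arbitrary choice for the test.

```python
import numpy as np
rng = np.random.default_rng(1)

u, m = 4, 3                          # partition of X into m classes of size u
def H2(p):                           # Renyi 2-entropy, in bits
    return -np.log2(np.sum(p ** 2))

for _ in range(100):                 # the sandwich (3.14) for random P_{X|Z=z}
    p = rng.random(u * m); p /= p.sum()
    p_pi = p.reshape(m, u).sum(axis=1)       # distribution of X_Pi
    assert H2(p) - np.log2(u) - 1e-9 <= H2(p_pi) <= H2(p) + 1e-9

# left equality: P_{X|Z=z} constant on each class
p = np.repeat(rng.random(m), u); p /= p.sum()
p_pi = p.reshape(m, u).sum(axis=1)
assert abs(H2(p_pi) - (H2(p) - np.log2(u))) < 1e-9

# right equality: at most one support point per class
p = np.zeros(u * m); p[::u] = rng.random(m); p /= p.sum()
assert abs(H2(p.reshape(m, u).sum(axis=1)) - H2(p)) < 1e-9
print("(3.14) verified")
```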
With a mosaic of BIBDs or of semi-regular GDDs, a key size \(\log a\) approximately equal to \(\min _zH_2(X\vert Z=z)-\log (1/\delta )\) gives a security level \(\delta \).
Now assume that the security function is given by a mosaic of singular GDDs. If one only knows \(\min _zH_2(X\vert Z=z)\), then the largest possible key size \(\log a\) by which a security level of \(\delta \) can be guaranteed is \(\min _zH_2(X\vert Z=z)-\log u-\log (1/\delta )\). The key can be chosen larger if one also knows \(\min _zH_2(X_\varPi \vert Z=z)\). However, the same key size as in the case of BIBDs or semi-regular GDDs is achievable only if there exists a partition \(\varPi \) such that equality is satisfied on the right-hand side of (3.14). If one knows that the joint distribution \(P_{XZ}\) has this property for a partition \(\varPi \), then a mosaic of singular GDDs incurs no rate loss, but the security function has to be adapted to \(\varPi \).