Information Theoretic Security for Broadcasting of Two Encrypted Sources under Side-Channel Attacks ^†

Abstract

In this paper, we propose a theoretical framework to analyze the secure communication problem for broadcasting two encrypted sources in the presence of an adversary which launches side-channel attacks. The adversary is not only allowed to eavesdrop the ciphertexts in the public communication channel, but is also allowed to gather additional information on the secret keys via the side-channels, physical phenomenon leaked by the encryption devices during the encryption process, such as the fluctuations of power consumption, heat, or electromagnetic radiation generated by the encryption devices. Based on our framework, we propose a countermeasure against such adversary by using the post-encryption-compression (PEC) paradigm, in the case of one-time-pad encryption. We implement the PEC paradigm using affine encoders constructed from linear encoders and derive the explicit the sufficient conditions to attain the exponential decay of the information leakage as the block lengths of encrypted sources become large. One interesting feature of the proposed countermeasure is that its performance is independent from the type of side information leaked by the encryption devices.

1. Introduction

In recent years, it has become very common that one person holds multiple wireless communication devices and broadcasts the messages through multiple devices. In order to ensure secrecy, it is a standard practice to encrypt the data before broadcasting them into the public communication channel. The usual security problem that is considered in such system of broadcasting encrypted sources is the secrecy against an adversary which eavesdrops the ciphertexts sent via the public communication channel. However, Kocher et al. [1,2] have shown that an adversary may also learn “side” information about the secret keys from “side-channel”, i.e., the measurements of physical phenomenon that occur in the physical devices where the encryption procedures are implemented. Such adversary is called as side-channel adversary. Examples of the physical phenomenon exploited by the side-channel adversaries are the fluctuations of time cost [1], the fluctuations of power consumption [2], and the electromagnetic (EM) radiation [3]. In this paper, we are focusing on a specific scenario where an adversary is not only eavesdropping on the public communication channel but is also launching side-channel attacks on multiple communication devices owned by a sender. We consider that this kind of side-channel attack is feasible in the real world when multiple devices owned by the sender relocated in the same area such that the adversary can catch the side information from the devices directly.

1.1. Modelling Side-Channel Attacks

The adversarial/security model we use in this paper and its relation to a real-world example are shown in Figure 1. Basically, we adapt the approach in [4] on modeling the side-channel, where the side-channel is modelled as a rate constraint noiseless channel.

We describe our model in a more formal way as follows. Let us consider two sources $X_1$ and $X_2$, where each is encrypted in two different encryption devices using secret keys $K_1$ and $K_2$, respectively, resulting in ciphertexts $C_1$ and $C_2$, respectively. The ciphertexts $C_1$ and $C_2$ are sent by the sender to multiple receivers through multiple public communication channels. The adversary $\mathcal{A}$ is allowed to obtain: (1) ciphertexts $C_1$ and $C_2$ from the public communication channels, and also (2) “noisy” digital data Z generated by the probe or the measurement device from the physical phenomenon leaked by all encryption devices of the sender. The measurement device may just be a simple analog-to-digital converter that converts the analog data representing physical information leaked by the devices into “noisy” digital data Z. In our model, we represent the measurement process as a communication channel W.The adversary $\mathcal{A}$ is equipped with a side-channel encoding device ${\phi }_{\mathcal{A}}$ which encodes and processes Z into the binary data $M_{\mathcal{A}}$. Finally, combining $C_1$, $C_2$, and $M_{\mathcal{A}}$, $\mathcal{A}$ will attempt to derive information on the sources $X_1$ and $X_2$.

1.2. Our Results and Methodology in Brief

We show that we can strengthen the secrecy/security of the Shannon ciphers which are implemented on multiple physical devices of a sender in a broadcasting system against an adversary who collects ciphertexts and launches side-channel attacks by a simple method of reencoding the ciphertexts before releasing them into the public communication channels. This method is based on post-encryption-compression (PEC) paradigm. We prove that, in the case that all encryption devices implement one time pad encryption, we can strengthen the secrecy/security using appropriate affine encoders ${\phi }_1$ and ${\phi }_2$ which transform the original ciphertexts $C_1$ and $C_2$ into reencoded ciphertexts ${\tilde{C}}_1$ and ${\tilde{C}}_2$.

More formally, we prove that, for any distribution of the secret keys ($K_1$, $K_2$) and any measurement device (used to convert the physical information from a side-channel into the noisy large alphabet data Z), we can derive an achievable rate region for ($R_1$, $R_2$, $R_{\mathcal{A}}$), where $R_1$ and $R_2$ are the encoding rates of ${\phi }_1$ and ${\phi }_2$, respectively, $R_{\mathcal{A}}$ is the encoding rate of adversary’s encoding device ${\phi }_{\mathcal{A}}$. More precisely, if we reencode $C_1$ and $C_2$ into ${\tilde{C}}_1$ and ${\tilde{C}}_2$ using ${\phi }_1$ and ${\phi }_2$ with encoding rates $R_1$ and $R_2$, respectively, such that $R_1$ and $R_2$ are inside the achievable region, then we can attain reliability and security in the following sense:

• anyone with secret keys $K_1$ and $K_2$ can construct appropriate decoders that decrypt and encode the reencoded ciphertexts ${\tilde{C}}_1$ and ${\tilde{C}}_2$ into original sources $X_1$ and $X_2$ with exponentially decaying error probability, and
• the amount of information on the sources $X_1$ and $X_2$ gained by any adversary $\mathcal{A}$ which collects the reencoded ciphertexts $C_1$, $C_2$ the encoded side-channel information $M_{\mathcal{A}}$ is exponentially decaying to zero as long as the side-channel encoding device ${\phi }_{\mathcal{A}}$ encodes Z into $M_{\mathcal{A}}$ with the rate $R_{\mathcal{A}}$ which is inside the achievable rate region.

Taking the advantage of the homomorphic property of one-time-pad and affine encoding, we separate the theoretical analysis of reliability and security such that we can deal with each issue independently. For reliability analysis, similar to the analysis in [4,5,6,7], we mainly obtain our result by adapting the result of Csizár [8] on the universal coding using linear codes. Our main theorem on security is based on the technique developed in [4] which is actually a combination of two other techniques. One is a technique developed by Oohama in [9] for deriving approximation error exponents for the intrinsic randomness problem in some framework of distributed random number extraction. (This technique is is also used in the security analysis in Santoso and Oohama [6,10].) Another one is a technique proposed by Oohama [11] to establish exponential strong converse theorem for the one helper source coding problem. (This technique is used in the security analysis for the side channel attacks to the Shannon cipher system.)

In addition, since we model the side-channel as a rate constraint noiseless channel, all theoretical results in this paper are independent from the type of side-channel information the adversary collects from the encryption devices. This means that the countermeasure we propose in this paper can be applied against any type of side-channel attacks launched by the adversary, e.g., timing attacks, electromagnetic radiation or power analysis, and so on.

1.3. Related Works

The use of PEC for communication system can be traced back to the work by Johnson et al., in [12]. However, their main focus is the issue of reliability and they only provide weak secrecy for security, whereas, in this paper, we provide security based on the strong secrecy [13,14].

Several theoretical models analyzing the security of a cryptographic system against side-channel attacks have been proposed in the literature. However, most of the existing works are applicable only for specific characteristics of the leaked physical information. For example, Brier et al. [15] and Coron et al. [16] propose a statistical model for side-channel attacks using the information from power consumption and the running time, whereas Agrawal et al. [3] propose a statistical model for side-channel attacks using electromagnetic (EM) radiations. A more general model for side-channel attacks is proposed by Köpf et al. [17] and Backes et al. [18], but they are heavily dependent upon implementation on certain specific devices. Micali et al. [19] propose a very general security model to capture the side-channel attacks, but they fail to offer any hint of how to build a concrete countermeasure against the side-channel attacks. One of the closest existing models to ours is the general framework for analyzing side-channel attacks proposed by Standaert et al. [20]. However, the authors of [20] propose a countermeasure against side-channel attacks that is different from ours, i.e., noise insertion on implementation. It should be noted that the noise insertion countermeasure proposed by [20] depends on the characteristics of the leaked physical information. Another model that is similar to ours in the sense that it is independent from the type of leaked physical information is proposed by Chérisey et al. [21,22]. However, the main aim of [21,22] is only establishing the mathematical link between success probability of side-channel adversary and mutual information and no countermeasure is proposed.

1.4. Organization of This Paper

This paper is structured as follows. In Section 2, we show the basic notations and definitions that we use throughout this paper, and we also describe the formal formulations of our model and the security problem. In Section 3, we explain the idea and the formulation of our proposed solution. In Section 4, we state our main theorem on the reliability and security of our solution. In Section 5, we show the proof of our main theorem. In Section 6, we discuss an alternative formulation of our model and problem. In Section 7, we show the comparison between our current results in this paper and our previous works. We put our conclusions in Section 9. We put the proofs of other related propositions, lemmas, and theorems in the appendix.

2. Problem Formulation

2.1. Preliminaries

In this subsection, we show the basic notations and related consensus used in this paper.

Random Source of Information and Key: For each $i=1,2$, let $X_i$ be a random variable from a finite set ${\mathcal{X}}_i$. For each $i=1,2$, let ${\{X_{i,t}\}}_{t=1}^{\infty }$ be two stationary discrete memoryless sources (DMS) such that, for each $t=1,2,\dots$, $X_{i,t}$ take values in finite set ${\mathcal{X}}_i$ and has the same distribution as that of $X_i$ denoted by $p_{X_i}={\{p_{X_i}(x_i)\}}_{x_i\in {\mathcal{X}}_i}$. The stationary DMS ${\{X_{i,t}\}}_{t=1}^{\infty },$ are specified with $p_{X_i}$.

We next define the two keys used in the two common cryptosystems. For each $i=1,2$, let $(K_1,K_2)$ be a pair of two correlated random variables taken from the same finite set ${\mathcal{X}}_1\times {\mathcal{X}}_2$. Let ${\{(K_{1,t},K_{2,t})\}}_{t=1}^{\infty }$ be a stationary discrete memoryless source such that, for each $t=1,2,\dots$, $(K_{1,t},K_{2,t})$ takes values in ${\mathcal{X}}_1\times$ ${\mathcal{X}}_2$ and has the same distribution as that of $(K_1,K_2)$ denoted by

$$p_{K_1{K}_2}={\{p_{K_1{K}_2}(k_1,k_2)\}}_{(k_1,k_2)\in {\mathcal{X}}_1\times {\mathcal{X}}_2}.$$

The stationary DMS $\{{(K_{1,t},K_{2,t}\}}_{t=1}^{\infty }$ is specified with $p_{K_1{K}_2}$.

Random Variables and Sequences: We write the sequence of random variables with length n from the information sources as follows: $X_i^n:=X_{i,1}{X}_{i,2}\cdots X_{i,n},i=1,2$. Similarly, the strings with length n of ${\mathcal{X}}_i^n$ are written as $x_i^n:=x_{i,1}{x}_{i,2}\cdots x_{i,n}\in {\mathcal{X}}_i^n$. For $(x_1^n,x_2^n)\in {\mathcal{X}}_1^n\times {\mathcal{X}}_2^n$, $p_{X_1^n{X}_2^n}(x_1^n,x_2^n)$ stands for the probability of the occurrence of $(x_1^n,x_2^n)$. When the information source is memoryless specified with $p_{X_1{X}_2}$, we have the following equation holds:

$$p_{X_1^n{X}_2^n}(x_1^n,x_2^n)=\prod _{t=1}^n{p}_{X_1{X}_2}(x_{1,t},x_{2,t}).$$

In this case, we write $p_{X_1^n{X}_2^n}(x_1^n,x_2^n)$ as $p_{X_1{X}_2}^n(x_1^n,x_2^n)$. Similar notations are used for other random variables and sequences.

Consensus and Notations: Without loss of generality, throughout this paper, we assume that $X_1$ and $X_2$ are finite fields. The notation ⊕ is used to denote the field addition operation, while the notation ⊖ is used to denote the field subtraction operation, i.e., $a\ominus b=a\oplus (-b)$ for any elements $a,b$ from the same finite field. All discussions and theorems in this paper still hold although $X_1$ and $X_2$ are different finite fields. However, for the sake of simplicity, we use the same notation for field addition and subtraction for both $X_1$ and $X_2$. Throughout this paper, all logarithms are taken to the natural basis.

2.2. Basic System Description

In this subsection, we explain the basic system setting and basic adversarial model we consider in this paper. First, let the information source and the key be generated independently by three different parties ${\mathcal{S}}_{\mathrm{gen},1}$, ${\mathcal{S}}_{\mathrm{gen},2}$ and ${\mathcal{K}}_{\mathrm{gen}}$, respectively. In our setting, we assume the following:

• The random keys $K_1^n$ and $K_2^n$ are generated by ${\mathcal{K}}_{\mathrm{gen}}$ from uniform distribution. We may have a correlation between $K_1^n$ and $K_2^n$.
• The sources $X_1^n$ and $X_2^n$, respectively, are generated by ${\mathcal{S}}_{\mathrm{gen},1}$ and ${\mathcal{S}}_{\mathrm{gen},2}$. Those are independent from the keys.

Next, let the two random sources $X_1^n$ and $X_2^n$, respectively, from ${\mathcal{S}}_{\mathrm{gen},1}$ and ${\mathcal{S}}_{\mathrm{gen},2}$ be sent to two separated nodes ${\mathsf{L}}_1$ and ${\mathsf{L}}_2$. In addition, let two random key (sources) $K_1^n$ and $K_2^n$ from ${\mathcal{K}}_{\mathrm{gen}}$ be also sent separately to ${\mathsf{L}}_1$ and ${\mathsf{L}}_2$. Further settings of our system are described as follows. Those are also shown in Figure 2.

• Separate Sources Processing: For each $i=1,2$, at the node ${\mathsf{L}}_i$, $X_i^n$ is encrypted with the key $K_i^n$ using the encryption function ${\mathsf{Enc}}_i$. The ciphertext $C_i^n$ of $X_i^n$ is given by $C_i^n:={\mathsf{Enc}}_i(X_i^n)=X_i^n\oplus K_i^n.$
• Transmission: The ciphertexts $C_1^n$ and $C_2^n$, respectively, are sent to the information processing center ${\mathsf{D}}_1$ and ${\mathsf{D}}_2$ through two public communication channels. Meanwhile, the keys $K_1^n$ and $K_2^n$, respectively are sent to ${\mathsf{D}}_1$ and ${\mathsf{D}}_2$ through two private communication channels.
• Sink Nodes Processing: For each $i=1,2$, in ${\mathsf{D}}_i$, we decrypt the ciphertext $C_i^n$ using the key $K_i^n$ through the corresponding decryption procedure ${\mathsf{Dec}}_i$ defined by ${\mathsf{Dec}}_i(C_i^n)=C_i^n\ominus K_i^n$. It is obvious that we can correctly reproduce the source output $X^n$ from $C_i^n$ and $K_i^n$ by the decryption function ${\mathsf{Dec}}_i$.

Side-Channel Attacks by Eavesdropper Adversary: An (eavesdropper) adversary$\mathcal{A}$ eavesdrops on the public communication channel in the system. The adversary $\mathcal{A}$ also uses a side information obtained by side-channel attacks. Let $\mathcal{Z}$ be a finite set and let $W:{\mathcal{X}}_1\times {\mathcal{X}}_2\to \mathcal{Z}$ be a noisy channel. Let Z be a channel output from W for the input random variable K. We consider the discrete memoryless channel specified with W. Let $Z^n\in {\mathcal{Z}}^n$ be a random variable obtained as the channel output by connecting $(K_1^n,K_2^n)\in {\mathcal{X}}_1^n\times {\mathcal{X}}_2^n$ to the input of channel. We write a conditional distribution on $Z^n$ given $(K_1^n,K_2^n)$ as

$$W^n={\left\{W^n(z^n|k_1^n,k_2^n)\right\}}_{(k_1^n,k_2^n,z^n)\in {\mathcal{X}}_1^n\times {\mathcal{X}}_2^n\times {\mathcal{Z}}^n}.$$

Since the channel is memoryless, we have

$$W^n(z^n|k_1^n,k_2^n)=\prod _{t=1}^{n}W(z_t|k_{1,t},k_{2,t}).$$

(1)

On the above output $Z^n$ of $W^n$ for the input $(K_1^n,K_2^n)$, we assume the following:

• The two random pairs $(X_1,X_2)$, $(K_1,K_2)$ and the random variable Z, satisfy $(X_1,X_2)\perp (K_1,K_2,Z)$, which implies that $(X_1^n,X_2^n)\perp (K_1^n,K_2^n,Z^n)$.
• By side-channel attacks, the adversary $\mathcal{A}$ can access $Z^n$.

We next formulate side information the adversary $\mathcal{A}$ obtains by side-channel attacks. For each $n=1,2,\cdots$, let ${\phi }_{\mathcal{A}}^{(n)}:{\mathcal{Z}}^n\to {\mathcal{M}}_{\mathcal{A}}^{(n)}$ be an encoder function. Set ${\phi }_{\mathcal{A}}:={\{{\phi }_{\mathcal{A}}^{(n)}\}}_{n=1,2,\cdots }.$ Let

$$R_{\mathcal{A}}^{(n)}:=\frac{1}{n}log||{\phi }_{\mathcal{A}}||=\frac{1}{n}log|{\mathcal{M}}_{\mathcal{A}}^{(n)}|$$

be a rate of the encoder function ${\phi }_{\mathcal{A}}^{(n)}$. For $R_{\mathcal{A}}>0$, we set

$${\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}}):=\{{\phi }_{\mathcal{A}}^{(n)}:R_{\mathcal{A}}^{(n)}\le R_{\mathcal{A}}\}.$$

On encoded side information, the adversary $\mathcal{A}$ obtains, we assume, the following:

• The adversary $\mathcal{A}$, having accessed $Z^n$, obtains the encoded additional information ${\phi }_{\mathcal{A}}^{(n)}(Z^n)$. For each $n=1,2,\cdots$, the adversary $\mathcal{A}$ can design ${\phi }_{\mathcal{A}}^{(n)}$.
• The sequence ${\{R_{\mathcal{A}}^{(n)}\}}_{n=1}^{\infty }$ must be upper bounded by a prescribed value. In other words, the adversary $\mathcal{A}$ must use ${\phi }_{\mathcal{A}}^{(n)}$ such that, for some $R_{\mathcal{A}}$ and for any sufficiently large n, ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$.

As a solution to the side channel attacks, we consider a system of broadcast encryption with post-encryption coding. We call this system as $\mathsf{Sys}$. The illustration of $\mathsf{Sys}$ is shown in Figure 3.

• Encoding at Source node ${\mathsf{L}}_i,i=1,2$: For each $i=1,2$, we first use ${\phi }_i^{(n)}$ to encode the ciphertext $C_i^n=X_i^n\oplus K_i^n$. A formal definition of ${\phi }_i^{(n)}$ is ${\phi }_i^{(n)}:$ ${\mathcal{X}}_i^n\to$ ${\mathcal{X}}_i^{m_i}$. Let ${\tilde{C}}_i^{m_i}={\phi }_i^{(n)}(C_i^n)$. Instead of sending $C_i^n$, we send ${\tilde{C}}_i^{m_i}$ to the public communication channel.
• Decoding at Sink Nodes ${\mathsf{D}}_i,i=1,2$: For each $i=1,2$, ${\mathsf{D}}_i$ receives ${\tilde{C}}_i^{m_i}$ from a public communication channel. Using common key $K_i^n$ and the decoder function ${\Psi }_i^{(n)}:{\mathcal{X}}_i^m\times {\mathcal{X}}_i^n\to {\mathcal{X}}_i^n$, ${\mathsf{D}}_i$ outputs an estimation ${\widehat{X}}_i^n={\Psi }_i^{(n)}({\tilde{C}}_i^{m_i},K_i^n)$ of $X_i^n$.

On Reliability and Security: From the description of our system in the previous section, the decoding process in our system above is successful if ${\widehat{X}}_i^n=X_i^n$ holds. Combining this and Equation (5), it is clear that the decoding error probabilities $p_{\mathrm{e},i},i=1,2,$ are as follows:

$$\begin{array}{ll}\hfill p_{\mathrm{e},i}=& p_{\mathrm{e}}({\phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n):=Pr[{\Psi }_i^{(n)}({\phi }_i^{(n)}(X_i^n))\ne X_i^n].\hfill \end{array}$$

Set $M_{\mathcal{A}}^{(n)}={\phi }_{\mathcal{A}}^{(n)}(Z^n)$. The information leakage ${\Delta }^{(n)}$ on $(X_1^n,X_2^n)$ from $({\tilde{C}}_1^{m_1},{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)})$ is measured by the mutual information between $(X_1^n,X_2^n)$ and $({\tilde{C}}_1^{m_1},{\tilde{C}}_2^{m_2},$ $M_{\mathcal{A}}^{(n)})$. This quantity is formally defined by

$$\begin{array}{l}{\Delta }^{(n)}={\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n):=I(X_1^n{X}_2^n;{\tilde{C}}_1^{m_2},{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)}).\hfill \end{array}$$

Reliable and Secure Framework:

Definition 1.

A pair $(R_1,R_2)$ is achievable under $R_{\mathcal{A}}$ $>0$ for the system $\mathsf{Sys}$ if there exists two sequences $\{({\phi }_i^{(n)},$ ${\Psi }_i^{(n)}{)\}}_{n\ge 1},i=1,2,$ such that $\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n\ge n_0$, we have for $i=1,2,$

$$\begin{array}{l}\frac{1}{n}log|{\mathcal{X}}_i^{m_i}|=\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,p_{\mathrm{e}}({\phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n)\le ϵ,\hfill \end{array}$$

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{l}\hfill {\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)\le ϵ.\end{array}$$

Definition 2 (Reliable and Secure Rate Region).

Let ${\mathcal{R}}_{\mathsf{Sys}}(p_{X_1{X}_2},$ $p_{Z{K}_1{K}_2})$ denote the set of all $(R_{\mathcal{A}},R)$ such that R is achievable under $R_{\mathcal{A}}$. We call ${\mathcal{R}}_{\mathsf{Sys}}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ thereliable and secure rateregion.

Definition 3.

A five tuple $(R_1,R_2,E_1,E_2,F)$ is achievable under $R_{\mathcal{A}}>0$ for the system $\mathsf{Sys}$ if there exists a sequence $\{({\phi }_i^{(n)},$ ${\Psi }_i^{(n)}{)\}}_{n\ge 1}$, $i=1,2$, such that $\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n$ $\ge n_0$, we have for $i=1,2,$

$$\begin{array}{l}\frac{1}{n}log|{\mathcal{X}}_i^{m_i}|=\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,p_{\mathrm{e}}({\phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n)\le {\mathrm{e}}^{-n(E_i-ϵ)},\hfill \end{array}$$

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{l}\hfill {\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)\le {\mathrm{e}}^{-n(F-ϵ)}.\end{array}$$

Definition 4 (Rate, Reliability, and Security Region).

Let ${\mathcal{D}}_{\mathsf{Sys}}(p_{X_1{X}_2},$ $p_{K_1{K}_2},W)$ denote the set of all $(R_{\mathcal{A}},R,E,F)$ such that $(R_1,R_2,E_1,E_2,F)$ is achievable under $R_{\mathcal{A}}$. We call ${\mathcal{D}}_{\mathsf{Sys}}(p_{X_1{X}_2},$ $p_{K_1{K}_2},W)$ therate, reliability, and securityregion.

3. Proposed Idea: Affine Encoder as Privacy Amplifier

For each $n=1,2,\cdots$, let ${\varphi }_i^{(n)}:{\mathcal{X}}_i^n\to {\mathcal{X}}_i^{m_i}$ be a linear mapping. We define the mapping ${\varphi }_i^{(n)}$ by

$${\varphi }_i^{(n)}(x_i^n)=x_i^n{A}_i\mathrm{for}{x}_i^n\in {\mathcal{X}}_i^n,$$

(2)

where $A_i$ is a matrix with n rows and $m_i$ columns. Entries of $A_i$ are from ${\mathcal{X}}_i$. We fix $b_i^{m_i}\in {\mathcal{X}}_i^{m_i}$. Define the mapping ${\phi }_i^{(n)}:{\mathcal{X}}_i^n\to {\mathcal{X}}_i^{m_i}$ by

$$\begin{array}{ll}\hfill {\phi }_i^{(n)}(k_i^n):=& {\varphi }_i^{(n)}(k_i^n)\oplus b_i^{m_i}=k_i^n{A}_i\oplus b_i^{m_i},\mathrm{for}{k}_i^n\in {\mathcal{X}}_i^n.\hfill \end{array}$$

The mapping ${\phi }_i^{(n)}$ is called the affine mapping induced by the linear mapping ${\varphi }_i^{(n)}$ and constant vector $b_i^{m_i}$ $\in {\mathcal{X}}_i^{m_i}$. By the definition of ${\phi }_i^{(n)}$, the following affine structure holds:

$$\begin{array}{cc}\hfill {\phi }_i^{(n)}(x_i^n\oplus k_i^n)& =(x_i^n\oplus k_i^n)A_i\oplus b_i^{m_i}=x_i^n{A}_i\oplus (k_i^n{A}_i\oplus b_i^{m_i})\hfill \\ & ={\varphi }_i^{(n)}(x_i^n)\oplus {\phi }_i^{(n)}(k_i^n),\mathrm{for}{x}_i^n,k_i^n\in {\mathcal{X}}_i^n.\hfill \end{array}$$

(3)

Next, let ${\psi }_i^{(n)}$ be the corresponding decoder for ${\varphi }_i^{(n)}$ such that ${\psi }_i^{(n)}:{\mathcal{X}}_i^{m_i}\to {\mathcal{X}}_i^n.$ Note that ${\psi }_i^{(n)}$ does not have a linear structure in general.

Description of Proposed Procedure: We describe the procedure of our privacy amplified system as follows:

• Encoding at Source node ${\mathsf{L}}_i,i=1,2$: First, we use ${\phi }_i^{(n)}$ to encode the ciphertext $C_i^n=X_i^n\oplus K_i^n$ Let ${\tilde{C}}_i^{m_i}={\phi }_i^{(n)}(C_i^n)$. Then, instead of sending $C^n$, we send ${\tilde{C}}_i^{m_i}$ to the public communication channel. By the affine structure (3) of encoder, we have that

  $$\begin{array}{ll}\hfill {\tilde{C}}_i^{m_i}={\phi }_i^{(n)}(X_i^n\oplus K_i^n)& ={\varphi }_i^{(n)}(X_i^n)\oplus {\phi }_i^{(n)}(K_i^n)={\tilde{X}}_i^{m_i}\oplus {\tilde{K}}_i^{m_i},\hfill \end{array}$$

  (4)

  where we set ${\tilde{X}}_i^{m_i}:={\varphi }_i^{(n)}(X_i^n),{\tilde{K}}_i^{m_i}:={\phi }_i^{(n)}(K_i^n).$
• Decoding at Sink Node ${\mathsf{D}}_i,i=1,2$: First, using the linear encoder ${\phi }_i^{(n)}$, ${\mathsf{D}}_i$ encodes the key $K_i^n$ received through private channel into ${\tilde{K}}_i^{m_i}=$ ${\phi }_i^{(n)}(K_i^n)$. Receiving ${\tilde{C}}_i^{m_i}$ from public communication channel, ${\mathsf{D}}_i$ computes ${\tilde{X}}_i^{m_i}$ in the following way. From (4), we have that the decoder ${\mathsf{D}}_i$ can obtain ${\tilde{X}}_i^{m_i}$ $={\varphi }_i^{(n)}(X_i^n)$ by subtracting ${\tilde{K}}_i^{m_i}={\phi }_i^{(n)}(K_i^n)$ from ${\tilde{C}}_i^{m_i}$. Finally, ${\mathsf{D}}_i$ outputs ${\widehat{X}}_i^n$ by applying the decoder ${\psi }_i^{(n)}$ to ${\tilde{X}}_i^{m_i}$ as follows:

  $$\begin{array}{ll}\hfill {\widehat{X}}_i^n& ={\psi }_i^{(n)}({\tilde{X}}_i^{m_i})={\psi }_i^{(n)}({\varphi }_i^{(n)}(X_i^n)).\hfill \end{array}$$

  (5)

Our privacy amplified system described above is illustrated in Figure 4.

4. Main Results

In this section, we state our main results. To describe our results, we define several functions and sets. Let U be an auxiliary random variable taking values in a finite set $\mathcal{U}$. We assume that the joint distribution of $(U,Z,K_1,K_2)$ is

$$p_{UZ{K}_1{K}_2}(u,z,k_1,k_2)=p_U(u)p_{Z|U}(z|u)p_{K_1{K}_2|Z}(k_1,k_2|z).$$

The above condition is equivalent to $U\leftrightarrow Z\leftrightarrow (K_1,K_2)$. In the following argument for convenience of descriptions of definitions, we use the following notations:

$$\begin{array}{l}{R}_3:=R_1+R_2,{\mathcal{X}}_3:={\mathcal{X}}_1\times {\mathcal{X}}_2,k_3:=(k_1,k_2),K_3:=(K_1,K_2).\hfill \end{array}$$

For each $i=1,2,3$, we simply write $p_i=p_{UZ{K}_i}$. Specifically, for $i=3$, we have $p_3=p_{UZ{K}_1{K}_2}=p$. Define the three sets of probability distribution with $i=1,2,3$:

$$\begin{array}{ll}\hfill \mathcal{P}(p_{Z{K}_i}):=& \{p_{UZ{K}_i}:|\mathcal{U}|\le |\mathcal{Z}|+1,U\leftrightarrow Z\leftrightarrow K_i\}.\hfill \end{array}$$

(6)

For $i=1,2,3$, let us define as follows:

$$\begin{array}{ll}\hfill {\mathcal{R}}_i(p_i)& :=\begin{array}{c}\{(R_{\mathcal{A}},R_i):R_{\mathcal{A}},R_i\ge 0,R_{\mathcal{A}}\ge I_{}(Z;U),R_i\ge H_{}(K_i|U)\},\hfill \end{array}\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill {\mathcal{R}}_i(p_{Z{K}_i})& :={\displaystyle \bigcup _{p_i\in \mathcal{P}(p_{Z{K}_i})}}{\mathcal{R}}_i(p_i).\hfill \end{array}$$

(8)

The two regions ${\mathcal{R}}_i(p_{Z{K}_i}),i=1,2$ have the same form as the region appearing as the admissible rate region in the one-helper source coding problem posed and investigated by Ahlswede and Körner [23]. We can show that the region ${\mathcal{R}}_i(p_{Z{K}_i}),i=1,2,$ and ${\mathcal{R}}_3(p_{Z{K}_1{K}_2})$ satisfy the following property.

Property 1.

(a) 

The region ${\mathcal{R}}_i(p_{Z{K}_i}),i=1,2$ is a closed convex subset of ${\mathbb{R}}_{+}^2$. The region ${\mathcal{R}}_3(p_{Z{K}_1{K}_2})$ is a closed convex subset of ${\mathbb{R}}_{+}^3$.

(b) 

The bound $|\mathcal{U}|\le |\mathcal{Z}|+1$ is sufficient to describe ${\mathcal{R}}_i(p_{Z{K}_i}),i=1,2,3$.

We define several quantities to state our main result. Let $i\in \{1,2\}$. We first define a function related to an exponential upper bound of $p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n)$. Let ${\overline{X}}_i$ be an arbitrary random variable over ${\mathcal{X}}_i$ and has a probability distribution $p_{{\overline{X}}_i}$. Let $\mathcal{P}({\mathcal{X}}_i)$ denote the set of all probability distributions on ${\mathcal{X}}_i$. For $R_i\ge 0$ and $p_{X_i}\in$ $\mathcal{P}({\mathcal{X}}_i)$, we define the following function:

$$\begin{array}{ll}\hfill E(R_i|p_{X_i})& :={\displaystyle \underset{p_{{\overline{X}}_i}\in \mathcal{P}({\mathcal{X}}_i)}{min}}\{{[R_i-H({\overline{X}}_i)]}^{+}+D(p_{{\overline{X}}_i}||p_{X_i})\}.\hfill \end{array}$$

(9)

We next define a function related to an exponential upper bound of ${\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)$. For each $i=1,2,3$, we define three sets of probability distributions on $\mathcal{U}$ $\times \mathcal{Z}$ $\times {\mathcal{X}}_i$ by

$$\begin{array}{ll}\hfill \tilde{\mathcal{P}}(p_{Z{K}_i}):=& \{p=p_{UZ{K}_i}:|\mathcal{U}|\le |\mathcal{Z}|,U\leftrightarrow Z\leftrightarrow K_i\}.\hfill \end{array}$$

Furthermore, for each $i=1,2,3$, we define three sets of probability distributions on $\mathcal{U}$ $\times \mathcal{Z}$ $\times {\mathcal{X}}_i$ by

$$\begin{array}{l}\hfill \mathcal{Q}(p_{K_i|Z}):=\{q_i=q_{UZ{K}_i}:q_{K_{i}Z|U}=p_{K_{i}Z|U}:\mathrm{for} \mathrm{some}{p}_i\in \tilde{\mathcal{P}}(p_{Z{K}_i})\}.\end{array}$$

For each $i=1,2,3$, for $(\mu ,\alpha )\in {[0,1]}^2$, and for $q_i=q_{UZ{K}_i}\in \mathcal{Q}(p_{K_i|Z})$, define

$$\begin{array}{ll}\hfill {\omega }_{q_i|p_Z}^{(\mu ,\alpha )}(z,k_i|u)& :=\overline{\alpha }log\frac{q_Z(z)}{p_Z(z)}+\alpha \left[\mu log\frac{q_{Z|U}(z|u)}{p_Z(z)}\right.\left.+\overline{\mu }log\frac{1}{q_{K_i|U}(k_i|u)}\right],\hfill \\ \hfill {\Omega }^{(\mu ,\alpha )}(q_i|p_Z)& :=-log{\mathrm{E}}_q\left[exp\left\{-{\omega }_{q_i|p_Z}^{(\mu ,\alpha )}(Z,K_i|U)\right\}\right],\hfill \\ \hfill {\Omega }^{(\mu ,\alpha )}(p_{Z{K}_i})& :={\displaystyle \underset{\genfrac{}{}{0pt}{}{}{q_i\in \mathcal{Q}(p_{K_i|Z})}}{min}}{\Omega }^{(\mu ,\alpha )}(q_i|p_Z),\hfill \\ \hfill F^{(\mu ,\alpha )}(\mu R_{\mathcal{A}}+\overline{\mu }{R}_i|p_{Z{K}_i})& :=\frac{{\Omega }_i^{(\mu ,\alpha )}(p_{K_i},W)-\alpha (\mu R_{\mathcal{A}}+\overline{\mu }{R}_i)}{2+\alpha \overline{\mu }},\hfill \\ \hfill F(R_{\mathcal{A}},R_i|p_{Z{K}_i})& :={\displaystyle \underset{(\mu ,\alpha )\in {[0,1]}^2}{sup}}{F}^{(\mu ,\alpha )}(\mu R_{\mathcal{A}}+\overline{\mu }{R}_i|p_{Z{K}_i}).\hfill \end{array}$$

In [11] (extended version), Oohama proved several properties on $F(R_{\mathcal{A}},R_i|p_{Z{K}_i}),i=1,2,3$. According to [11] (extended version), we have the following property.

Property 2.

For any $i=1,2,3$ and for any $\tau \in (0,(1/2)\rho (p_{Z{K}_i}))$, the condition $(R_{\mathcal{A}},$ $R_i+\tau )\notin {\mathcal{R}}_i(p_{Z{K}_i})$ implies

$$\begin{array}{l}F(R_{\mathcal{A}},R_i|p_{Z{K}_i})>\frac{\rho (p_{Z{K}_i})}{4}·g^2\left(\frac{\tau }{\rho (p_{Z{K}_i})}\right)>0,\hfill \end{array}$$

where $\rho (p_{Z{K}_i}),i=1,2,3$, respectively, are some quantities depending on $p_{Z{K}_i}$ and g is the inverse function of $\vartheta (a):=a+(5/4)a^2,a\ge 0$.

Let us define as follows:

$$\begin{array}{l}\hfill F_{min}(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2}):={\displaystyle \underset{i=1,2,3}{min}}F(R_{\mathcal{A}},R_i|p_{Z{K}_i}).\end{array}$$

(10)

Our main result is as follows.

Theorem 1.

For any $R_{\mathcal{A}},R_1,R_2>0$ and any $p_{Z{K}_1{K}_2}$, there exists two sequence of mappings ${\{({\phi }_i^{(n)},{\psi }_i^{(n)})\}}_{n=1}^{\infty },i=1,2$ such that, for any $p_{X_i},i=1,2,$ and any $n\ge {(R_1+R_2)}^{-1}$, we have

$$\begin{array}{ll}\hfill \frac{1}{n}log|{\mathcal{X}}_i^{m_i}|& =\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,\hfill \\ \hfill p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n)& \le {\mathrm{e}}^{-n[E(R_i|p_{X_i})-{\delta }_{i,n}]},i=1,2\hfill \end{array}$$

(11)

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{ll}\hfill {\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{K_1{K}_2}^n,W^n)& \le {\mathrm{e}}^{-n[F_{min}(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})-{\delta }_{3,n}]},\hfill \end{array}$$

(12)

where ${\delta }_{i,n},i=1,2,3$ are defined by

$$\begin{array}{ll}\hfill {\delta }_{i,n}:=& \frac{1}{n}log\left[\mathrm{e}{(n+1)}^{2|{\mathcal{X}}_i|}\right.\times \left.\left\{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\right\}\right],for i=1,2,\hfill \\ \hfill {\delta }_{3,n}:=& \frac{1}{n}log\left[15n(R_1+R_2)\times \left\{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\right\}\right].\hfill \end{array}$$

Note that, for $i=1,2,3$, ${\delta }_{i,n}\to 0$ as $n\to \infty$.

Detail of the proof of Theorem 1 will be explained in Section 5.

The functions $E(R_i|p_{X_i})$ and $F(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})$ take positive values if $(R_{\mathcal{A}},R_1,R_2)$ belongs to the set

$$\begin{array}{ll}\hfill {\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})& :=\{R_1>H(X_1)\}\cap \{R_2>H(X_2)\}{\displaystyle \bigcap _{i=1,2,3}}{\mathcal{R}}_i^{\mathrm{c}}(p_{Z{K}_i}).\hfill \end{array}$$

Thus, by Theorem 1, under $(R_{\mathcal{A}},R_1,R_2)\in {\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_2},$ $p_{Z{K}_1{K}_2}),$ we have the following:

• On the reliability, for $i=1,2$, $p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n)$ goes to zero exponentially as n tends to infinity, and its exponent is lower bounded by the function $E(R_i|p_{X_i})$.
• On the security, for any ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in$ ${\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, the information leakage ${\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}$ $|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)$ on $X_1^n,X_2^n$ goes to zero exponentially as n tends to infinity, and its exponent is lower bounded by the function $F_{min}(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})$.
• For each $i=1,2$, any code $({\varphi }_i^{(n)},{\psi }_i^{(n)})$ that attains the exponent function $E($ $R_i|p_{X_i})$ is a universal code that depends only on $R_i$ not on the value of the distribution $p_{X_i}$.

Define

$$\begin{array}{ll}\hfill {\mathcal{D}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})& :=\{(R_{\mathcal{A}},R_1,R_2,E(R_1|p_{X_1}),E(R_2|p_{X_2}),F_{min}(R_{\mathcal{A}},R_1,R_2|p_{K_1{K}_2})):\hfill \\ & (R_1,R_2)\in {\mathcal{R}}_{\mathsf{Sys}}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})\}.\hfill \end{array}$$

From Theorem 1, we obtain the following corollary:

Corollary 1.

$$\begin{array}{l}{\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})\subseteq {\mathcal{R}}_{\mathrm{Sys}}(p_{X_1{X}_1},p_{Z{K}_1{K}_2}),\hfill \\ {\mathcal{D}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})\subseteq {\mathcal{D}}_{\mathrm{Sys}}(p_{X_1{X}_1},p_{Z{K}_1{K}_2}).\hfill \end{array}$$

Remark 1.

Note that, from the definitions of sets $\mathcal{P}(p_{Z{K}_i})$, ${\mathcal{R}}_i(p_{Z{K}_i})$, it is easy to see that the set ${\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})$ is the intersection of the outer regions of all possible adversarial encoding of $\mathcal{A}$ (where each encoding is represented by one auxiliary variable U) within rate $R_{\mathcal{A}}$. Moreover, since we use the strong converse theorem developed in [11] instead of the weak converse, we can guarantee that in ${\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})$, not only the adversarial decoding success probability, but also the information leakage decays to zero at an exponential rate.

Remark 2.

Thanks to the separation between reliability and security analysis, the results related security in this paper will still hold even in the case where the sources are correlated. Moreover, our proposed countermeasure can strengthen the secrecy even in the case where the marginal distribution of each key $K_i$, i.e., $p_{K_i}$, $(i=1,2)$ is not uniform.

Examples of Extremal Cases

In the remaining part of this section, we give two simple examples of ${\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})$. Those correspond to extremal cases on the correlation of $(K_1,K_2,Z)$. In those two examples, we assume that ${\mathcal{X}}_1={\mathcal{X}}_2=\{0,1\}$ and $p_{X_1}(1)=s_1,p_{X_2}(1)=s_2$. We further assume that $p_{K_1,K_2}$ has the binary symmetric distribution given by

$$p_{K_1{K}_2}(k_1,k_2)=(1/2)\left[\overline{\rho }{k}_1\oplus k_2+\rho \overline{k_1\oplus k_2}\right]\mathrm{for}(k_1,k_2)\in {\{0,1\}}^2,$$

where $\rho \in [0,0.5]$ is a parameter indicating the correlation level of $(K_1,K_2)$.

Example 1.

We consider the case where $W=p_{Z|K_1{K}_2}$ is given by

$$\begin{array}{cc}W(z|k_1,k_2)=\hfill & W(z|k_1)=\overline{{\rho }_{\mathcal{A}}}{k}_1\oplus z+{\rho }_{\mathcal{A}}\overline{k_1\oplus z}for(k_1,k_2,z)\in {\{0,1\}}^3.\hfill \end{array}$$

In this case, we have $K_2\leftrightarrow K_1\leftrightarrow Z$. This corresponds to the case where the adversary $\mathcal{A}$ attacks only node ${\mathrm{L}}_1$. Let $N_{\mathcal{A}}$ be a binary random variable with $p_{N_{\mathcal{A}}}(1)={\rho }_{\mathcal{A}}$. We assume that $N_{\mathcal{A}}$ is independent from $(X_1,X_2)$ and $(K_1,K_2)$. Using $N_{\mathcal{A}}$, Z can be written as $Z=K_1\oplus N_{\mathcal{A}}.$ The inner bound for this example denoted by ${\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}1}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ is the following:

$$\begin{array}{ll}\hfill {\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}1}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})=\{(R_{\mathcal{A}},R_1,R_2):& 0\le R_{\mathcal{A}}\le log2-h(\theta ),\hfill \\ \hfill h(s_1)<R_1& <h({\rho }_{\mathcal{A}}\ast \theta ),\hfill \\ \hfill h(s_2)<R_2& <h\left((\rho \ast {\rho }_{\mathcal{A}})\ast \theta \right),\hfill \\ \hfill R_1+R_2& <h(\rho )+h({\rho }_{\mathcal{A}}\ast \theta )for some \theta \in [0,1]\},\hfill \end{array}$$

(13)

where $h(·)$ denotes the binary entropy function and $a\ast b:=a\overline{b}+\overline{a}b$.

One can easily compute ${\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}1}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ based on the solution for the problem of lossless source coding with helper, which is explained in [24]. The computation of ${\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}1}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ is given in Appendix A.

Example 2.

We consider the case of $\rho =0.5$. In this case, $K_1$ and $K_2$ is independent. In this case, we have no information leakage if $R_{\mathcal{A}}=0$. We assume that $W=p_{Z|K_1{K}_2}$ is given by

$$\begin{array}{cc}W(z|k_1,k_2)=\hfill & \overline{{\rho }_{\mathcal{A}}}{k}_1\oplus k_2\oplus z+{\rho }_{\mathcal{A}}\overline{k_1\oplus k_2\oplus z}for(k_1,k_2,z)\in {\{0,1\}}^3.\hfill \end{array}$$

Let $N_{\mathcal{A}}$ be the same random variable as the previous example. Using $N_{\mathcal{A}}$, Z can be written as $Z=K_1\oplus K_2\oplus N_{\mathcal{A}}.$ The inner bound in this example denoted by ${\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}2}^{(\mathrm{in})}($ $p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ is the following:

$$\begin{array}{ll}\hfill {\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}2}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})=\{(R_{\mathcal{A}},R_1,R_2):0& \le R_{\mathcal{A}}\le log2-h(\theta ),\hfill \\ \hfill h(s_i)<R_i& <log2,i=1,2,\hfill \\ \hfill R_1+R_2& <log2+h({\rho }_{\mathcal{A}}\ast \theta )for some \theta \in [0,1]\}.\hfill \end{array}$$

(14)

Similar to Example 1, one can also easily compute ${\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}2}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ based on the solution for the problem of lossless source coding with helper, which is explained in [24]. Computation of ${\mathcal{R}}_{\mathrm{Sys},\mathrm{ex}2}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ is given in Appendix B.

For the above two examples, we show the section of the regions ${\mathcal{R}}_{\mathrm{Sys},\mathrm{exi}}^{(\mathrm{in})}($ $p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ for $i=1,2$ by the plane $\{R_{\mathcal{A}}=log2-h(\theta )\},$ which is shown in Figure 5.

5. Proofs of the Main Results

In this section, we prove Theorem 1.

5.1. Types of Sequences and Their Properties

In this subsection, we prepare basic results on the types. Those results are basic tools for our analysis of several bounds related to error provability of decoding or security.

Definition 5.

For each $i=1,2$ and for any n-sequence $x_i^n=x_{i,1}{x}_{i,2}\cdots$ $x_{i,n}\in {\mathcal{X}}^n$, $n(x_i|x_i^n)$ denotes the number of t such that $x_{i,t}=x_i$. The relative frequency ${\left\{n(x_i|x_i^n)/n\right\}}_{x_i\in {\mathcal{X}}_i}$ of the components of $x_i^n$ is called the type of $x_1^n$ denoted by $P_{x^n}$. The set that consists of all the types on $\mathcal{X}$ is denoted by ${\mathcal{P}}_n(\mathcal{X})$. Let ${\overline{X}}_i$ denote an arbitrary random variable whose distribution $P_{{\overline{X}}_i}$ belongs to ${\mathcal{P}}_n({\mathcal{X}}_i)$. For $p_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)$, set

$$T_{{\overline{X}}_i}^n:=\left\{x_i^n:P_{x_i^n}=p_{{\overline{X}}_i}\right\}.$$

For set of types and joint types, the following lemma holds. For the detail of the proof, see Csiszár and Körner [25].

Lemma 1.

(a) 

$\begin{array}{c}|{\mathcal{P}}_n({\mathcal{X}}_i)|\le {(n+1)}^{|{\mathcal{X}}_i|}.\hfill \end{array}$

(b) 

For $P_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)$,

$$\begin{array}{ll}\hfill {(n+1)}^{-|{\mathcal{X}}_i|}{\mathrm{e}}^{nH({\overline{X}}_i)}& \le |T_{{\overline{X}}_i}^n|\le {\mathrm{e}}^{nH({\overline{X}}_i)}.\hfill \end{array}$$

(c) 

For $x_i^n\in T_{{\overline{X}}_i}^n$,

$$\begin{array}{ll}\hfill p_{X_i}^n(x_i^n)& ={\mathrm{e}}^{-n[H({\overline{X}}_i)+D(p_{{\overline{X}}_i}||p_{X_i})]}.\hfill \end{array}$$

By Lemma 1 parts (b) and (c), we immediately obtain the following lemma:

Lemma 2.

For $p_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)$,

$$\begin{array}{l}{p}_{X_i}^n(T_{{\overline{X}}_i}^n)\le {\mathrm{e}}^{-nD(p_{{\overline{X}}_i}||p_{X_i})}.\hfill \end{array}$$

5.2. Upper Bounds on Reliability and Security

In this subsection, we evaluate upper bounds of $p_{\mathrm{e}}({\varphi }_i^{(n)},$ ${\psi }_i^{(n)}|p_{X_i}^n),$ $i=1,2,$ and ${\Delta }_n({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1}$ ${}_{K_{2}Un})$. For $p_{\mathrm{e}}({\varphi }_i^{(n)}$, ${\psi }_i^{(n)}|p_{X_i}^n)$, we derive an upper bound that can be characterized with a quantity depending on $({\varphi }_i^{(n)},{\psi }_i^{(n)})$ and type $P_{x_i^n}$ of sequences $x_i^n\in {\mathcal{X}}_i^n$. We first evaluate $p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n),i=1,2$. For $x_i^n\in {\mathcal{X}}_i^n$ and $p_{\overline{X}}\in {\mathcal{P}}_n({\mathcal{X}}_i),$ we define the following functions:

$$\begin{array}{ll}\hfill {\Xi }_{x_i^n}({\varphi }_i^{(n)},{\psi }_i^{(n)})& :=\left\{\begin{array}{ccc}1& & \mathrm{if}{\psi }_i^{(n)}\left({\varphi }_i^{(n)}(x_i^n)\right)\ne x_i^n,\hfill \\ 0& & \mathrm{otherwise},\hfill \end{array}\right.\hfill \\ \hfill {\displaystyle {\Xi }_{{\overline{X}}_i}({\varphi }^{(n)},{\psi }^{(n)})}& :=\frac{1}{|T_{{\overline{X}}_i}^n|}{\displaystyle \sum _{x_i^n\in T_{{\overline{X}}_i}^n}}{\Xi }_{x_i^n}({\varphi }_i^{(n)},{\psi }_i^{(n)}).\hfill \end{array}$$

Then, we have the following lemma.

Lemma 3.

In the proposed system, for $i=1,2$ and for any pair of $({\varphi }_i^{(n)},$ ${\psi }_i^{(n)})$, we have

$$\begin{array}{ll}\hfill p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n)& \le {\displaystyle \sum _{p_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)}}{\Xi }_{\overline{X}}({\varphi }_i^{(n)},{\psi }_i^{(n)}){\mathrm{e}}^{-nD(p_{{\overline{X}}_i}||p_{X_i})}.\hfill \end{array}$$

(15)

Proof of this lemma is found in [26]. We omit the proof.

We next discuss upper bounds of

$$\begin{array}{l}\hfill {\Delta }_n({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)=I({\tilde{C}}_1^{m_1}{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)};X_1^n{X}_2^n).\end{array}$$

On an upper bound of $I({\tilde{C}}_1^{m_1}{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)};X_1^n{X}_2^n)$, we have the following lemma:

Lemma 4.

$$\begin{array}{ll}\hfill I({\tilde{C}}_1^{m_1}{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)};X_1^n{X}_2^n)& \le \left.\left.\left.D\left(p_{K_1^{m_1}{K}_2^{m_2}|M_{\mathcal{A}}^{(n)}}\right|\right|p_{V_1^{m_1}{V}_2^{m_2}}\right|p_{M_{\mathcal{A}}^{(n)}}\right),\hfill \end{array}$$

(16)

where $p_{V_1^{m_1}{V}_2^{m_2}}$ represents the uniform distribution over ${\mathcal{X}}_1^{m_1}\times$ ${\mathcal{X}}_2^{m_2}$.

We can prove Lemma 4 using a similar method shown in [4]. The detailed proof is given in Appendix C.

5.3. Random Coding Arguments

We construct a pair of affine encoders $({\phi }_1^{(n)},{\phi }_2^{(n)})$ using the random coding method. For the two decoders ${\psi }_i^{(n)},i=1,2$, we propose the minimum entropy decoder used in Csiszár [8] and Oohama and Han [27].

Random Construction of Affine Encoders: For each $i=1,2$, we first choose $m_i$ such that

$$m_i:=⌊\frac{n{R}_i}{log|{\mathcal{X}}_i|}⌋,$$

where $\lfloor a\rfloor$ stands for the integer part of a. It is obvious that, for $i=1,2$,

$$R_i-\frac{1}{n}\le \frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i.$$

By the Definition (2) of ${\varphi }_i^{(n)}$, we have that, for $x_i^n\in {\mathcal{X}}_i^n$,

$$\begin{array}{l}{\varphi }_i^{(n)}(x_i^n)=x_i^n{A}_i,\hfill \end{array}$$

where $A_i$ is a matrix with n rows and $m_i$ columns. By the definition (2) of ${\phi }_i^{(n)}$, we have that, for $k_i^n\in {\mathcal{X}}_i^n$,

$$\begin{array}{l}{\phi }_i^{(n)}(k_i^n)=k_i^n{A}_i+b_i^{m_i},\hfill \end{array}$$

where for each $i=1,2$, $b_i^{m_i}$ is a vector with $m_i$ columns. Entries of $A_i$ and $b_i^{m_i}$ are from the field of ${\mathcal{X}}_i$. Those entries are selected at random, independently from each other and with uniform distribution. Randomly constructed linear encoder ${\varphi }_i^{(n)}$ and affine encoder ${\phi }_i^{(n)}$ have three properties shown in the following lemma.

Lemma 5 (Properties of Linear/Affine Encoders).

For each $i=1,2$, we have the following:

(a) 

For any $x_i^n,v_i^n\in {\mathcal{X}}_i^n$ with $x_i^n\ne v_i^n$, we have

$$\begin{array}{l}Pr[{\varphi }_i^{(n)}(x_i^n)={\varphi }_i^{(n)}(v_i^n)]=Pr[(x_i^n\ominus v_i^n)A=0^{m_i}]={|\mathcal{X}|}^{-m_i}.\hfill \end{array}$$

(17)

(b) 

For any $s_i^n\in {\mathcal{X}}_i^n$, and for any ${\tilde{s}}_i^{m_i}\in {\mathcal{X}}^{m_i}$, we have

$$\begin{array}{l}Pr[{\phi }_i^{(n)}(s_i^n)={\tilde{s}}_i^{m_i}]=Pr[s^n{A}_i\oplus b_i^{m_i}={\tilde{s}}_i^{m_i}]={|{\mathcal{X}}_i|}^{-m_i}.\hfill \end{array}$$

(18)

(c) 

For any $s_i^n,t_i^n\in {\mathcal{X}}_i^n$ with $s_i^n\ne t_i^n$, and for any ${\tilde{s}}_i^{m_i}\in {\mathcal{X}}_i^{m_i}$, we have

$$\begin{array}{ll}\hfill Pr[{\phi }_i^{(n)}(s_i^n)={\phi }_i^{(n)}(t_i^n)={\tilde{s}}_i^{m_i}]& =Pr[s_i^n{A}_i\oplus b_i^{m_i}=t_i^n{A}_i\oplus b_i^{m_i}={\tilde{s}}_i^{m_i}]={|{\mathcal{X}}_i|}^{-2m_i}.\hfill \end{array}$$

(19)

Proof of this lemma is found in [26]. We omit the proof.

We next define the decoder function ${\psi }_i^{(n)}:{\mathcal{X}}_i^{m_i}\to {\mathcal{X}}_i^n,i=1,2.$ To this end, we define the following quantities.

Definition 6.

For $x_i^n\in {\mathcal{X}}_i^n$, we denote the entropy calculated from the type $P_{x_i^n}$ by $H(x_i^n)$. In other words, for a type $P_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)$ such that $P_{{\overline{X}}_i}=P_{x_i^n}$, we define $H(x_i^n)=H({\overline{X}}_i)$.

Minimum Entropy Decoder: For each $i=1,2$, and for ${\varphi }_i^{(n)}(x_i^n)={\tilde{x}}_i^{m_i}$, we define the decoder function ${\psi }_i^{(n)}:{\mathcal{X}}_i^{m_i}\to {\mathcal{X}}_i^n$ as follows:

$${\psi }_i^{(n)}({\tilde{x}}_i^{m_i}):=\left\{\begin{array}{cc}{\widehat{x}}_i^n& \mathrm{if} {\varphi }_i^{(n)}({\widehat{x}}_i^n)={\tilde{x}}_i^{m_i} \mathrm{and} H({\widehat{x}}_i^n)<H({\check{x}}_i^n)\hfill \\ & \mathrm{for} \mathrm{all} {\check{x}}_i^n\mathrm{such} \mathrm{that} {\varphi }_i^{(n)}({\check{x}}_i^n)={\tilde{x}}_i^{m_i}, \mathrm{and} {\check{x}}_i^n\ne {\widehat{x}}_i^n,\hfill \\ \mathrm{arbitrary}& \mathrm{if} \mathrm{there} \mathrm{is} \mathrm{no} \mathrm{such} {\widehat{x}}_i^n\in {\mathcal{X}}_i^n.\hfill \end{array}\right.$$

Error Probability Bound: In the following arguments, we let expectations based on the random choice of the affine encoders ${\phi }_i^{(n)}i=1,2$ be denoted by $\mathbf{E}$[$·$]. For, $i=1,2$, define

$${\Pi }_{{\overline{X}}_i}(R_i):={\mathrm{e}}^{-n{[R_i-H({\overline{X}}_i)]}^{+}}.$$

Then, we have the following lemma.

Lemma 6.

For each $i=1,2$, for any n and for any $P_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)$,

$$\mathbf{E}\left[{\Xi }_{{\overline{X}}_i}({\varphi }_i^{(n)},{\psi }_i^{(n)})\right]\le \mathrm{e}{(n+1)}^{|{\mathcal{X}}_i|}{\Pi }_{\overline{X}}(R_i).$$

Proof of this lemma is found in [26]. We omit the proof.

Estimation of Approximation Error: Define

$$\begin{array}{l}\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)\hfill \\ :={\displaystyle \sum _{\genfrac{}{}{0pt}{}{(a,k_1^n,k_2^n)}{\in {\mathcal{M}}_{\mathcal{A}}^{(n)}\times {\mathcal{X}}_1^n\times {\mathcal{X}}_2^n}}}{p}_{M_{\mathcal{A}}^{(n)}{K}^n}(a,k_1^n,k_2^n)\times log[1+({\mathrm{e}}^{n{R}_1}-1)p_{K_1^n|M_{\mathcal{A}}^{(n)}}(k_1^n|a)+({\mathrm{e}}^{n{R}_2}-1)p_{K_2^n|M_{\mathcal{A}}^{(n)}}(k_2^n|a)\hfill \\ \left.+({\mathrm{e}}^{n{R}_1}-1)({\mathrm{e}}^{n{R}_2}-1)p_{K_1^n{K}_2^n|M_{\mathcal{A}}^{(n)}}(k_1^n,k_2^n|a)\right].\hfill \end{array}$$

Then, we have the following lemma.

Lemma 7.

For $i=1,2$ and for any $n,m_i$ satisfying $(m_i/n)log|{\mathcal{X}}_i|$ $\le R_i$, we have

$$\begin{array}{l}\hfill \mathbf{E}\left[D\left.\left.\left.\left(p_{{\tilde{K}}^{m_1}{\tilde{K}}^{m_2}|M_{\mathcal{A}}^{(n)}}\right|\right|p_{V_1^{m_1}{V}_2^{m_2}}\right|p_{M_{\mathcal{A}}^{(n)}}\right)\right]\le \Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n).\end{array}$$

(20)

Proof of this lemma is given in Appendix D. From the bound (20) in Lemma (7), we know that the quantity $\Theta (R_1,$ $R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)$ serves as an upper bound of the ensemble average of the conditional divergence $D(p_{{\tilde{K}}_1^{m_1}{\tilde{K}}_2^{m_2}|M_{\mathcal{A}}^{(n)}}$ $||p_{V_1^{m_1}{V}_2^{m_2}}|p_{M_{\mathcal{A}}^{(n)}}).$

From Lemmas 4 and 7, we have the following corollary.

Corollary 2.

$$\begin{array}{ll}\hfill \mathbf{E}\left[{\Delta }_n({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)\right]& \le \Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n).\hfill \end{array}$$

Existence of Good Code${\{({\phi }_i^{(n)},{\psi }_i^{(n)})\}}_{i=1,2}$:

From Lemma 6 and Corollary 2, we have the following lemma stating an existence of universal code ${\{({\phi }_i^{(n)},{\psi }_i^{(n)})\}}_{i=1,2}$.

Lemma 8.

There exists at least one deterministic code ${\{({\phi }_i^{(n)},{\psi }_i^{(n)})\}}_{i=1,2}$ satisfying $(m_i/n)log|{\mathcal{X}}_i|\le R_i,i=1,2$, such that, for $i=1,2$ and for any $p_{{\overline{X}}_i}$ $\in {\mathcal{P}}_n({\mathcal{X}}_i)$,

$$\begin{array}{ll}\hfill {\Xi }_{{\overline{X}}_i}({\varphi }_i^{(n)},{\psi }_i^{(n)})\le \mathrm{e}{(n+1)}^{|{\mathcal{X}}_i|}& \times \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}{\Pi }_{{\overline{X}}_i}(R_i).\hfill \end{array}$$

Furthermore, for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{ll}\hfill {\Delta }_n({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)& \le \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n).\hfill \end{array}$$

Basically, we can prove Lemma 8 in the same way as to prove a similar lemma shown in [4]. The detailed proof is given in Appendix E.

Proposition 1.

For any $R_{\mathcal{A}},R_1,R_2>0$, and any $p_{Z{K}_1{K}_2}$, there exist two sequences of mappings ${\{({\phi }_i^{(n)},{\psi }_i^{(n)})\}}_{n=1}^{\infty },i=1,2$ such that, for $i=1,2$ and for any $p_{X_i}\in \mathcal{P}({\mathcal{X}}_i)$, we have

$$\begin{array}{l}\frac{1}{n}log|{\mathcal{X}}_i^{m_i}|=\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,\hfill \\ \hfill p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n)\le \mathrm{e}{(n+1)}^{2|{\mathcal{X}}_i|}\times \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}{\mathrm{e}}^{-nE(R_i|p_{X_i})}\end{array}$$

(21)

and, for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{ll}\hfill {\Delta }^{(n)}({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)& \le \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}\times \Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n).\hfill \end{array}$$

(22)

Proof. 

By Lemma 8, there exists $({\phi }_i^{(n)},$ ${\psi }_i^{(n)}),i=1,2,$ satisfying $(m_i/n)log|{\mathcal{X}}_i|\le R_i$, such that for $i=1,2$ and for any $p_{{\overline{X}}_i}$ $\in {\mathcal{P}}_n({\mathcal{X}}_i)$,

$$\begin{array}{l}\hfill {\Xi }_{{\overline{X}}_i}({\varphi }_i^{(n)},{\psi }_i^{(n)})\le \mathrm{e}{(n+1)}^{|{\mathcal{X}}_i|}\times \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}{\Pi }_{\overline{X}}(R_i).\end{array}$$

(23)

Furthermore, for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$,

$$\begin{array}{ll}\hfill {\Delta }_n({\phi }_1^{(n)},{\phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)& \le \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}\times \Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n).\hfill \end{array}$$

(24)

The bound (22) in Proposition 1 has already been proved in (24). Hence, it suffices to prove the bound (21) in Proposition 1 to complete the proof. On an upper bound of $p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n),i=1,2$, we have the following chain of inequalities:

$$\begin{array}{ll}\hfill p_{\mathrm{e}}({\varphi }_i^{(n)},{\psi }_i^{(n)}|p_{X_i}^n)& \stackrel{(\mathrm{a})}{\le }\mathrm{e}{(n+1)}^{|{\mathcal{X}}_i|}\times \{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}\times {\displaystyle \sum _{p_{{\overline{X}}_i}\in {\mathcal{P}}_n({\mathcal{X}}_i)}}{\Pi }_{{\overline{X}}_i}(R_i){\mathrm{e}}^{-nD(p_{{\overline{X}}_i}||p_{X_i})}\hfill \\ & \le \mathrm{e}{(n+1)}^{|{\mathcal{X}}_i|}\{{(n+1)}^{|{\mathcal{X}}_i|}+1\}|{\mathcal{P}}_n({\mathcal{X}}_i)|{\mathrm{e}}^{-nE(R_i|p_{X_i})}\hfill \\ & \stackrel{(\mathrm{b})}{\le }\mathrm{e}{(n+1)}^{2|{\mathcal{X}}_i|}\{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\}\times {\mathrm{e}}^{-nE(R_i|p_{X_i})}.\hfill \end{array}$$

Step (a) follows from Lemma 3 and (23). Step (b) follows from Lemma 1 part (a). ☐

5.4. Explicit Upper Bound of $\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)$

In this subsection, we derive an explicit upper bound of $\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n),$ which holds for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$. Define

$$\begin{array}{ll}\hfill {\wp }_0:=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}_1^n{K}_2^n}& \left\{\begin{array}{ccc}\hfill R_1& {\displaystyle \ge \frac{1}{n}log\frac{1}{p_{K_1^n|M_{\mathcal{A}}^{(n)}}(K_1^n|M_{\mathcal{A}}^{(n)})}-\eta }\hfill & \mathrm{or}\\ \hfill R_2& {\displaystyle \ge \frac{1}{n}log\frac{1}{p_{K_2^n|M_{\mathcal{A}}^{(n)}}(K_2^n|M_{\mathcal{A}}^{(n)})}-{\eta }_2}\hfill & \mathrm{or}\\ \hfill R_1+R_2& {\displaystyle \ge \frac{1}{n}log\frac{1}{p_{K_1^n{K}_2^n|M_{\mathcal{A}}^{(n)}}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})}-{\eta }_3}\hfill & \end{array}\right\}.\hfill \end{array}$$

For $i=1,2$, define

$$\begin{array}{ll}\hfill {\wp }_i:=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}_i^n}\{& R_i\ge \left.\frac{1}{n}log\frac{1}{p_{K_i^n|M_{\mathcal{A}}^{(n)}}(K_i^n|M_{\mathcal{A}}^{(n)})}-{\eta }_i\right\}.\hfill \end{array}$$

Furthermore, define

$$\begin{array}{l}\hfill {\wp }_3:=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}_1^n{K}_2^n}\{R_1+R_2\ge \left.\frac{1}{n}log\frac{1}{p_{K_1^n{K}_2^n|M_{\mathcal{A}}^{(n)}}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})}-{\eta }_3\right\}.\end{array}$$

By definition, it is obvious that

$$\begin{array}{ll}\hfill {\wp }_0& \le {\displaystyle \sum _{i=1}^3}{\wp }_i.\hfill \end{array}$$

(25)

We have the following lemma.

Lemma 9.

For any ${\eta }_i>0,i=1,2,3$ and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have the following:

$$\begin{array}{}\mathrm{(26)}& \hfill \Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)& \le n(R_1+R_2){\wp }_0+{\displaystyle \sum _{i=1}^3}{\mathrm{e}}^{-n{\eta }_i}\hfill \mathrm{(27)}& & \hfill \le n(R_1+R_2)\left[{\displaystyle \sum _{i=1}^3}{\wp }_i\right]+{\displaystyle \sum _{i=1}^3}{\mathrm{e}}^{-n{\eta }_i}.\end{array}$$

Specifically, if $n\ge {[R_1+R_2]}^{-1}$, we have

$$\begin{array}{l}\hfill {(n[R_1+R_2])}^{-1}\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)\le {\displaystyle \sum _{i=1}^3}({\wp }_i+{\mathrm{e}}^{-n{\eta }_i}).\end{array}$$

(28)

Proof. 

By (25), it suffices to show (26) to prove Lemma 9. We set

$$\begin{array}{ll}\hfill A_{R_1,R_2}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})& :=({\mathrm{e}}^{n{R}_1}-1)p_{K_1^n|M_{\mathcal{A}}^{(n)}}(K_1^n|M_{\mathcal{A}}^{(n)})+({\mathrm{e}}^{n{R}_2}-1)p_{K_2^n|M_{\mathcal{A}}^{(n)}}(K_2^n|M_{\mathcal{A}}^{(n)})\hfill \\ & +({\mathrm{e}}^{n{R}_1}-1)({\mathrm{e}}^{n{R}_2}-1)p_{K_1^n{K}_2^n|M_{\mathcal{A}}^{(n)}}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)}).\hfill \end{array}$$

Then, we have

$$\begin{array}{ll}\hfill \Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)& =\mathrm{E}\left[log\left\{1+A_{R_1,R_2}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})\right\}\right].\hfill \end{array}$$

(29)

We further observe the following:

$$\begin{array}{ll}\hfill \left\{\begin{array}{cc}\hfill R_1& {\displaystyle <\frac{1}{n}log\frac{1}{p_{K_1{K}_2^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-{\eta }_1}\hfill \\ \hfill R_2& {\displaystyle <\frac{1}{n}log\frac{1}{p_{K_1{K}_2^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-{\eta }_2}\hfill \\ \hfill R_1+R_2& {\displaystyle <\frac{1}{n}log\frac{1}{p_{K_1{K}_2^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-{\eta }_3}\hfill \end{array}\right.& \Rightarrow A_{R_1,R_2}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})<{\displaystyle \sum _{i=1}^3}{\mathrm{e}}^{-n{\eta }_i}\hfill \\ & \hfill \stackrel{(\mathrm{a})}{\Rightarrow }log\left\{1+A_{R_1,R_2}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})\right\}\le {\displaystyle \sum _{i=1}^3}{\mathrm{e}}^{-n{\eta }_i}.\end{array}$$

(30)

Step (a) follows from $log(1+a)\le a$. We also note that

$$\begin{array}{ll}\hfill log\{1& +({\mathrm{e}}^{n{R}_1}-1)p_{K_1^n|M_{\mathcal{A}}^{(n)}}(K_1^n|M_{\mathcal{A}}^{(n)})+({\mathrm{e}}^{n{R}_2}-1)p_{K_2^n|M_{\mathcal{A}}^{(n)}}(K_2^n|M_{\mathcal{A}}^{(n)})\hfill \\ & \hfill +({\mathrm{e}}^{n{R}_1}-1)({\mathrm{e}}^{n{R}_2}-1)\times p_{K_1^n{K}_2^n|M_{\mathcal{A}}^{(n)}}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})\}\le log\left[{\mathrm{e}}^{n{R}_1}{\mathrm{e}}^{n{R}_2}\right]=n(R_1+R_2).\end{array}$$

(31)

From (29)–(31), we have the bound (26). ☐

On upper bound of ${\wp }_i,i=1,2,3$, we have the following lemma:

Lemma 10.

For any $\eta >0$ and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have that for each $i=1,2$, we have ${\wp }_i\le {\tilde{\wp }}_i$, where

$$\begin{array}{l}\hfill {\tilde{\wp }}_i:=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}_i^n}\left\{\begin{array}{ccc}0& \ge \frac{1}{n}log\frac{{\widehat{q}}_{i,M_{\mathcal{A}}^{(n)}{Z}^n{K}_i^n}(M_{\mathcal{A}}^{(n)},Z^n,K_i^n)}{p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}(M_{\mathcal{A}}^{(n)},Z^n,K_i^n)}-{\eta }_i,\hfill & (\mathrm{a})\\ 0& \ge \frac{1}{n}log\frac{Q_{i,Z^n}(Z^n)}{p_{Z^n}(Z^n)}-{\eta }_i,\hfill & (\mathrm{b})\\ R_{\mathcal{A}}& {\displaystyle \ge \frac{1}{n}log\frac{Q_{i,Z^n|M_{\mathcal{A}}^{(n)}}(Z^n|M_{\mathcal{A}}^{(n)})}{p_{Z^n}(Z^n)}-{\eta }_i,}\hfill & (\mathrm{c})\\ R_i& {\displaystyle \ge \frac{1}{n}log\frac{1}{Q_{i,K_i^n|M_{\mathcal{A}}}^{(n)}(K_i^n|M_{\mathcal{A}}^{(n)})}-{\eta }_i}\hfill \end{array}\right\}+3{\mathrm{e}}^{-n{\eta }_i}\end{array}$$

(32)

and that for $i=3$, we have ${\wp }_3\le {\tilde{\wp }}_3$, where

$$\begin{array}{l}\hfill {\tilde{\wp }}_3:=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}_1^n{K}_2^n}\left\{\begin{array}{ccc}\hfill 0& \ge \frac{1}{n}log\frac{{\widehat{q}}_{3,M_{\mathcal{A}}^{(n)}{Z}^n{K}_1^n{K}_2^n}(M_{\mathcal{A}}^{(n)},Z^n,K_1^n,K_2^n)}{p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}_1^n{K}_2^n}(M_{\mathcal{A}}^{(n)},Z^n,K_1^n{K}_2^n)}-{\eta }_3,\hfill & (\mathrm{a})\\ \hfill 0& \ge \frac{1}{n}log\frac{Q_{3,Z^n}(Z^n)}{p_{Z^n}(Z^n)}-{\eta }_3,\hfill & (\mathrm{b})\\ \hfill R_{\mathcal{A}}& \ge \frac{1}{n}log\frac{{\tilde{Q}}_{3,Z^n|M_{\mathcal{A}}^{(n)}}(Z^n|M_{\mathcal{A}}^{(n)})}{p_{Z^n}(Z^n)}-{\eta }_3,\hfill & (\mathrm{c})\\ \hfill R_1+R_2& \ge \frac{1}{n}log\frac{1}{p_{K_1^n{K}_2^n|M_{\mathcal{A}}^{(n)}}(K_1^n,K_2^n|M_{\mathcal{A}}^{(n)})}-{\eta }_3\hfill \end{array}\right\}+3{\mathrm{e}}^{-n{\eta }_3}.\end{array}$$

(33)

The probability distributions appearing in the three inequalities (a), (b), and (c) in the right members of (32) have a property that we can select them arbitrary. In (a), we can choose any probability distribution ${\widehat{q}}_{i,M_{\mathcal{A}}^{(n)}{Z}^n{K}_i^n}$ on ${\mathcal{M}}_{\mathcal{A}}^{(n)}$ $\times {\mathcal{Z}}^n$ $\times {\mathcal{X}}_i^n$. In (b), we can choose any distribution $Q_{i,Z^n}$ on ${\mathcal{Z}}^n$. In (c), we can choose any stochastic matrix ${\tilde{Q}}_{i,Z^n|M_{\mathcal{A}}^{(n)}}$: ${\mathcal{M}}_{\mathcal{A}}^{(n)}$ $\to {\mathcal{Z}}^n$. The probability distributions appearing in the three inequalities (a), (b), and (c) in the right members of (33) have a property that we can select them arbitrary. In (a), we can choose any probability distribution ${\widehat{q}}_{3,M_{\mathcal{A}}^{(n)}{Z}^n{K}_1^n{K}_2^n}$ on ${\mathcal{M}}_{\mathcal{A}}^{(n)}$ $\times {\mathcal{Z}}^n$ $\times {\mathcal{X}}_1^n$ $\times {\mathcal{X}}_2^n$. In (b), we can choose any distribution $Q_{3,Z^n}$ on ${\mathcal{Z}}^n$. In (c), we can choose any stochastic matrix ${\tilde{Q}}_{3,Z^n|M_{\mathcal{A}}^{(n)}}$: ${\mathcal{M}}_{\mathcal{A}}^{(n)}$ $\to {\mathcal{Z}}^n$.

The above lemma is the same as Lemma 10 in the previous work [26]. Since the proof of the lemma is in [26], we omit the proof of Lemma 10 in the present paper. We have the following proposition.

Proposition 2.

For any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$ and any $n\ge {[R_1+R_2]}^{-1}$, we have

$$\begin{array}{l}\hfill {(n[R_1+R_2])}^{-1}\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)\le 15{\mathrm{e}}^{-n{F}_{min}(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})}.\end{array}$$

(34)

Proof: 

By Lemmas 9 and 10, we have for any

$$\begin{array}{ll}\hfill {(n[R_1+R_2])}^{-1}\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)& \le {\displaystyle \sum _{i=1}^3}({\tilde{\wp }}_i+{\mathrm{e}}^{-n{\eta }_i}).\hfill \end{array}$$

(35)

The quantity ${\tilde{\wp }}_i+{\mathrm{e}}^{-n{\eta }_i},i=1,2,3$. is the same as the upper bound on the correct probability of decoding for one helper source coding problem in Lemma 1 in Oohama [11] (extended version). In a manner similar to the derivation of the exponential upper bound of the correct probability of decoding for one helper source coding problem, we can prove that, for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}}),$ there exist ${\eta }_i^{\ast },i=1,2,3$ such that for $i=1,2,3$, we have

$$\begin{array}{l}\hfill {\tilde{\wp }}_i+{\mathrm{e}}^{-n{\eta }_i^{\ast }}\le 5{\mathrm{e}}^{-nF(R_{\mathcal{A}},R_i|p_{Z{K}_i})}.\end{array}$$

(36)

From (35) and (36), we have that for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$ and any $n\ge {[R_1+R_2]}^{-1}$,

$$\begin{array}{l}\hfill {(n[R_1+R_2])}^{-1}\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)\le 5{\displaystyle \sum _{i=1}^3}{\mathrm{e}}^{-nF(R_{\mathcal{A}},R_i|p_{Z{K}_i})}\le 15{\mathrm{e}}^{-n{F}_{min}(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})},\end{array}$$

completing the proof. □

6. Alternative Formulation

Here, we show an alternative way to formulate the main problem we consider in this paper. Originally, we consider a problem of having a reliable and secure broadcasting communication in the presence of a side-channel adversary in the case where the sender uses one-time-pad encryption. We can also formulate it in a slightly more general way as follows.

Let consider a problem of having a reliable and secure broadcasting communication in the presence of a side-channel adversary, in the case that the sender uses the encoding scheme ${\Phi }_i^{(n)}$ at node ${\mathsf{L}}_i$, where ${\Phi }_i^{(n)}$ encodes $X_i^{(n)}$ and $K_i^{(n)}$ into ${\tilde{C}}_i^{(m_i)}$ for $i=1,2$. We denote the system resulted from the alternative formulation as $\mathsf{AltSys}$. We illustrate $\mathsf{AltSys}$ in Figure 6.

6.1. Explanation on $\mathsf{Sys}$ and $\mathsf{AltSys}$ and Their Comparison

First, recall the “communication” channel W which is present in both systems, $\mathsf{Sys}$ and $\mathsf{AltSys}$. The channel W represents the process of transforming analog raw physical data from the side-channel into raw digital data which later can be processed further by the side-channel adversary $\mathcal{A}$.

In the broadcasting encryption system with post-encryption coding $\mathsf{Sys}$ shown in Figure 3, the main problem we consider to solve is how to strengthen the secrecy on broadcasting encrypted sources against side-channel adversary $\mathcal{A}$, where the encryption function is one-time-pad encryption. In $\mathsf{Sys}$, since the encryption has been explicitly described as one-time-pad encryption in the beginning, we always treat W as an immediate consequence of the side-channel attacks launched on one-time-pad encryption processes.

In the broadcasting system $\mathsf{AltSys}$ from our alternative formulation, shown in Figure 6, the problem we consider here is slightly different to the one in $\mathsf{Sys}$. In $\mathsf{AltSys}$, the problem we consider to solve is whether we can find or construct good encoding schemes that can guarantee the reliability and security against side-channel adversary $\mathcal{A}$. In $\mathsf{AltSys}$, we can have the properties of W fixed first, and then we will find good encoding schemes under the condition of the properties of W.

6.2. Reliability and Security of Alternative Formulation

We can also define the reliability and security of $\mathsf{AltSys}$ as follows in the same manner as the ones shown in Section 2.2.

Defining Reliability and Security: From the description of $\mathsf{AltSys}$ shown in Figure 6, the decoding process is successful if ${\widehat{X}}_i^n=X_i^n$ holds. The decoding error probabilities $p_{\mathrm{e},i},i=1,2,$ are defined as follows:

$$\begin{array}{ll}\hfill p_{\mathrm{e},i}=& p_{\mathrm{e}}({\Phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n,p_{K_i}^n):=Pr[{\Psi }_i^{(n)}({\Phi }_i^{(n)}(X_i^n,K_i^n))\ne X_i^n].\hfill \end{array}$$

Recall that $X_i$ and $K_i$ are assumed to be independent. Let us set $M_{\mathcal{A}}^{(n)}={\phi }_{\mathcal{A}}^{(n)}(Z^n)$. The information leakage ${\Delta }^{(n)}$ on $(X_1^n,X_2^n)$ from $({\tilde{C}}_1^{m_1},{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)})$ is measured by the mutual information between $(X_1^n,X_2^n)$ and $({\tilde{C}}_1^{m_1},{\tilde{C}}_2^{m_2},$ $M_{\mathcal{A}}^{(n)})$. We can formally define this quantity by

$$\begin{array}{l}{\Delta }^{(n)}={\Delta }^{(n)}({\Phi }_1^{(n)},{\Phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n):=I(X_1^n{X}_2^n;{\tilde{C}}_1^{m_2},{\tilde{C}}_2^{m_2},M_{\mathcal{A}}^{(n)}).\hfill \end{array}$$

Definition 7.

A pair $(R_1,R_2)$ is achievable under $R_{\mathcal{A}}$ $>0$ for the system $\mathsf{AltSys}$ if there exists two sequences $\{({\Phi }_i^{(n)},$ ${\Psi }_i^{(n)}{)\}}_{n\ge 1},i=1,2,$ such that $\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n\ge n_0$, we have for $i=1,2,$

$$\begin{array}{l}\frac{1}{n}log|{\mathcal{X}}_i^{m_i}|=\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,p_{\mathrm{e}}({\Phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n,p_{K_i}^n)\le ϵ,\hfill \end{array}$$

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{l}\hfill {\Delta }^{(n)}({\Phi }_1^{(n)},{\Phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)\le ϵ.\end{array}$$

Definition 8 (Reliable and Secure Rate Region).

Let ${\mathcal{R}}_{\mathsf{AltSys}}(p_{X_1{X}_2},$ $p_{Z{K}_1{K}_2})$ denote the set of all $(R_{\mathcal{A}},R)$ such that R is achievable under $R_{\mathcal{A}}$. We call ${\mathcal{R}}_{\mathsf{AltSys}}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})$ thereliable and secure rateregion.

Definition 9.

A five tuple $(R_1,R_2,E_1,E_2,F)$ is achievable under $R_{\mathcal{A}}>0$ for the system $\mathsf{AltSys}$ if there exists a sequence $\{({\Phi }_i^{(n)},$ ${\Psi }_i^{(n)}{)\}}_{n\ge 1}$, $i=1,2$, such that $\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n$ $\ge n_0$, we have for $i=1,2,$

$$\begin{array}{l}\frac{1}{n}log|{\mathcal{X}}_i^{m_i}|=\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,p_{\mathrm{e}}({\Phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n,p_{K_i}^n)\le {\mathrm{e}}^{-n(E_i-ϵ)},\hfill \end{array}$$

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{l}\hfill {\Delta }^{(n)}({\Phi }_1^{(n)},{\Phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{Z{K}_1{K}_2}^n)\le {\mathrm{e}}^{-n(F-ϵ)}.\end{array}$$

Definition 10 (Rate, Reliability, and Security Region).

Let ${\mathcal{D}}_{\mathsf{AltSys}}(p_{X_1{X}_2},$ $p_{K_1{K}_2},W)$ denote the set of all $(R_{\mathcal{A}},R,E,F)$ such that $(R_1,R_2,E_1,E_2,F)$ is achievable under $R_{\mathcal{A}}$. We call ${\mathcal{D}}_{\mathsf{AltSys}}(p_{X_1{X}_2},$ $p_{K_1{K}_2},W)$ therate, reliability, and securityregion.

Theoretical Results on the Reliable and Security for Broadcasting System from Alternative Formulation: In order to provide solution for the problem from our alternative formulation, it is sufficient to show the existence of encoders and decoders $\{({\Phi }_i^{(n)},{\Psi }_i^{(n)})\},i=1,2$ which can guarantee reliable and security in the presence of a side-channel adversary. Based on the approach and theoretical results shown in Section 4 on proving the reliability and security of the broadcast system where the sender sends encrypted sources using one-time-pad encryption, it is easy to see that we can achieve the reliability and security for the broadcasting system from alternative formulation of the problem (Figure 6) such that the decoding error probabilities $p_{e,i}$ ($i=1,2$) and the information leakage ${\Delta }^{(n)}$ decay into zero in exponential rates by specifying ${\Phi }_i^{(n)}$ and ${\Psi }_i^{(n)}$, $i=1,2$, as follows:

$$\begin{array}{lll}\hfill {\Phi }_i^{(n)}(X_i^n,K_i^n)& :={\phi }_i^{(n)}({\mathsf{EncOTP}}_i^{(n)}(X_i^n,K_i^n))\hfill & \mathrm{for} i=1,2,\hfill \\ \hfill {\Psi }_i^{(n)}({\tilde{C}}_i^{m_i},K_i^n)& :={\psi }_i^{(n)}({\mathsf{DecOTP}}_i^{(n)}({\tilde{C}}_i^{m_i},{\phi }_i^{(n)}(K_i^n)))\hfill & \mathrm{for} i=1,2,\hfill \end{array}$$

(37)

where:

• ${\mathsf{EncOTP}}_i^{(n)}:{\mathcal{X}}_i^n\times {\mathcal{X}}_i^n\to {\mathcal{X}}_i^n$ is the one-time-pad encryption function defined as ${\mathsf{EncOTP}}_i^{(n)}(a,b):=a\oplus b$ for $(a,b)\in {\mathcal{X}}_i^n\times {\mathcal{X}}_i^n$,
• ${\phi }_i^{(n)}:{\mathcal{X}}_i^n\to {\mathcal{X}}_i^{m_i}$ is an affine encoder constructed based on a linear encoder ${\varphi }_i^{(n)}:{\mathcal{X}}_i^n\to {\mathcal{X}}_i^{m_i}$ as shown in Section 5.3,
• ${\mathsf{DecOTP}}_i^{(n)}:{\mathcal{X}}_i^{m_i}\times {\mathcal{X}}_i^{m_i}\to {\mathcal{X}}_i^{m_i}$ is the one-time-pad decryption function defined as ${\mathsf{DecOTP}}_i^{(n)}(a,b):=a\ominus b$ for $(a,b)\in {\mathcal{X}}_i^{m_i}\times {\mathcal{X}}_i^{m_i}$,
• ${\psi }_i^{(n)}:{\mathcal{X}}_i^{m_i}\to {\mathcal{X}}_i^n$ is a decoder function for linear encoder ${\varphi }_i^{(n)}$ which is associated with the affine encoder ${\phi }_i^{(n)}$. (See Section 5.3 for the detailed construction.).

It is easy to see that Theorem 1 actually shows the achievability of reliability and security for broadcasting system in the presence of a side-channel adversary with the specification of ${\Phi }_i^{(n)}$ and ${\Psi }_i^{(n)}$, $i=1,2$ stated in Equation (37). Hence, the following theorem automatically holds.

Theorem 2.

For any $R_{\mathcal{A}},R_1,R_2>0$ and any $p_{Z{K}_1{K}_2}$, there exist two sequences of mappings ${\{({\Phi }_i^{(n)},{\Psi }_i^{(n)})\}}_{n=1}^{\infty },i=1,2$ such that for any $p_{X_i}$ and $p_{K_i}$ for $i=1,2$, and any $n\ge {(R_1+R_2)}^{-1}$, we have

$$\begin{array}{ll}\hfill \frac{1}{n}log|{\mathcal{X}}_i^{m_i}|& =\frac{m_i}{n}log|{\mathcal{X}}_i|\le R_i,\hfill \\ \hfill p_{\mathrm{e}}({\Phi }_i^{(n)},{\Psi }_i^{(n)}|p_{X_i}^n,p_{K_i}^n)& \le {\mathrm{e}}^{-n[E(R_i|p_{X_i})-{\delta }_{i,n}]},i=1,2\hfill \end{array}$$

(38)

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{ll}\hfill {\Delta }^{(n)}({\Phi }_1^{(n)},{\Phi }_2^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_{X_1{X}_2}^n,p_{K_1{K}_2}^n,W^n)& \le {\mathrm{e}}^{-n[F_{min}(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})-{\delta }_{3,n}]},\hfill \end{array}$$

(39)

where ${\delta }_{i,n},i=1,2,3$ are defined by

$$\begin{array}{ll}\hfill {\delta }_{i,n}:=& \frac{1}{n}log\left[\mathrm{e}{(n+1)}^{2|{\mathcal{X}}_i|}\right.\times \left.\left\{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\right\}\right],for i=1,2,\hfill \\ \hfill {\delta }_{3,n}:=& \frac{1}{n}log\left[15n(R_1+R_2)\times \left\{1+{(n+1)}^{|{\mathcal{X}}_1|}+{(n+1)}^{|{\mathcal{X}}_2|}\right\}\right].\hfill \end{array}$$

Note that, for $i=1,2,3$, ${\delta }_{i,n}\to 0$ as $n\to \infty$.

It is easy to see that the proof of Theorem 1 that has been explained in Section 5 is also the proof of Theorem 2. Note that the functions $E(R_i|p_{X_i})$ and $F(R_{\mathcal{A}},R_1,R_2|p_{Z{K}_1{K}_2})$ take positive values if $(R_{\mathcal{A}},R_1,R_2)$ belongs to the set

$$\begin{array}{ll}\hfill {\mathcal{R}}_{\mathrm{AltSys}}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})& :=\{R_1>H(X_1)\}\cap \{R_2>H(X_2)\}{\displaystyle \bigcap _{i=1,2,3}}{\mathcal{R}}_i^{\mathrm{c}}(p_{Z{K}_i}).\hfill \end{array}$$

Then, define the following:

$$\begin{array}{ll}\hfill {\mathcal{D}}_{\mathsf{AltSys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})& :=\{(R_{\mathcal{A}},R_1,R_2,E(R_1|p_{X_1}),E(R_2|p_{X_2}),F_{min}(R_{\mathcal{A}},R_1,R_2|p_{K_1{K}_2})):\hfill \\ & (R_1,R_2)\in {\mathcal{R}}_{\mathsf{Sys}}^{(\mathrm{in})}(p_{X_1{X}_2},p_{Z{K}_1{K}_2})\}.\hfill \end{array}$$

Hence, we have the following corollary.

Corollary 3.

$$\begin{array}{l}{\mathcal{R}}_{\mathsf{AltSys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})\subseteq {\mathcal{R}}_{\mathsf{AltSys}}(p_{X_1{X}_1},p_{Z{K}_1{K}_2}),\hfill \\ {\mathcal{D}}_{\mathsf{AltSys}}^{(\mathrm{in})}(p_{X_1{X}_1},p_{Z{K}_1{K}_2})\subseteq {\mathcal{D}}_{\mathsf{AltSys}}(p_{X_1{X}_1},p_{Z{K}_1{K}_2}).\hfill \end{array}$$

7. Comparison to Previous Results

The following

Table 1. Comparison of research on application of PEC for secrecy amplification.

	Network System	Side-Channel Adversary	Correlated Keys
Previous work 1 [5,6]	Distributed Encryption (2 senders, 2 receivers)	No	Yes
Previous work 2 [4,7]	Two Terminals (1 sender, 1 receiver)	Yes	No
This paper	Broadcast Encryption (1 sender, 2 receivers)	Yes	Yes

shows the comparison between our result in this paper and already existing published research results which use the PEC paradigm for amplifying secrecy of the system.

8. Discussion on the Outer-Bounds of Rate Regions and Open Problems

In this paper, we have shown the inner-bound of ${\mathcal{R}}_{\mathsf{Sys}}$ (resp. ${\mathcal{R}}_{\mathsf{AltSys}}$). Although we have not touched the issue on the outer-bound of ${\mathcal{R}}_{\mathsf{Sys}}$ (resp. ${\mathcal{R}}_{\mathsf{AltSys}}$) in this paper, one may find the hints to derive the outer-bounds in Yamamoto [28]. However, it should be remarked that, in this paper, we are dealing with the side-channel adversary model, which is different from the wiretap model in Yamamoto [28]. In order to apply the method in Yamamoto [28] to find the outer-bound of ${\mathcal{R}}_{\mathsf{Sys}}$ (resp. ${\mathcal{R}}_{\mathsf{AltSys}}$), one may need to extend the method in Yamamoto [28] so that it can handle the rate constraint introduced by the side-channel adversary. We left the outer-bounds of ${\mathcal{R}}_{\mathsf{Sys}}$ and ${\mathcal{R}}_{\mathsf{AltSys}}$ as open problems.

Furthermore, in contrast to the case of ${\mathcal{R}}_{\mathsf{Sys}}$ (resp. ${\mathcal{R}}_{\mathsf{AltSys}}$) where we found hints in Yamamoto [28], we are not able to find any hints in the literature on determining the upper-bound of ${\mathcal{D}}_{\mathsf{Sys}}$ (resp. ${\mathcal{R}}_{\mathsf{AltSys}}$). We also left the outer-bounds of ${\mathcal{D}}_{\mathsf{Sys}}$ (resp. ${\mathcal{R}}_{\mathsf{AltSys}}$) as open problems.

9. Conclusions

In this paper, we have proposed a new model for analyzing the reliability and the security of broadcasting encrypted sources in the case of one-time-pad encryption, in the presence of an adversary that is not only eavesdropping the public communication channel to obtain ciphertexts but is also obtaining some physical information leaked by multiple devices owned by the sender while performing the encryption. We have also presented a countermeasure against such an adversary by utilizing affine encoders with certain properties. The main distinguishing feature of our countermeasure is that its performance is independent from the characteristics or the types of physical information leaked from the devices exploited by the adversary.