New Results on Secret Key Establishment over a Pair of Broadcast Channels

The problem of Secret Key Establishment (SKE) over a pair of independent Discrete Memoryless Broadcast Channels (DMBCs) has already been studied in \cite{Ah10}, where we provided lower and upper bounds on the secret-key capacity. In this paper, we st…

Authors: Hadi Ahmadi, Reihaneh Safavi-Naini

Department of Computer Science, University of Calgary, Canada. {hahmadi, rei}@ucalgary.ca

Abstract

The problem of Secret Key Establishment (SKE) over a pair of independent Discrete Memoryless Broadcast Channels (DMBCs) has already been studied in [3], where we provided lower and upper bounds on the secret-key capacity. In this paper, we study the above setup under each of the following two cases: (1) the DMBCs have secrecy potential, and (2) the DMBCs are stochastically degraded with independent channels. In the former case, we propose a simple SKE protocol based on a novel technique, called Interactive Channel Coding (ICC), and prove that it achieves the lower bound. In the latter case, we give a simplified expression for the lower bound and prove a single-letter capacity formula under the condition that one of the legitimate parties can only send i.i.d. variables.

I. INTRODUCTION

We consider the following problem of Secret Key Establishment (SKE): Alice and Bob want to share a secret key in the presence of an eavesdropping adversary, Eve. Information-theoretic solutions to this problem assume that a collection of sources and/or channels are available to the parties. We refer to this as a setup. Wyner's pioneering work [14] and its generalization by Csiszár and Körner [4] considered transmission of secure messages over a Discrete Memoryless Broadcast Channel (DMBC) from Alice to Bob and Eve. They defined the secrecy capacity in this setup as the highest rate of secure and reliable message transmission (in bits per channel use) and showed that this capacity is positive if Bob's channel is less noisy [8] than Eve's. The work in [4], [14] has also been proved for the case of Gaussian channels [10].
These results can also be used for SKE since any secure message transmission protocol can be used to send a secret key securely over the DMBC. Extensions of the work in [4], [14] have investigated the improvement of SKE by considering new setups. Maurer [11] and independently Ahlswede and Csiszár [1] studied SKE when there is a DMBC from Alice to Bob and Eve, and a public discussion channel between Alice and Bob that is reliable, insecure, and unlimitedly available in both directions. They also considered SKE when the DMBC above is replaced by a Discrete Memoryless Multiple Source (DMMS) between the parties. Csiszár and Narayan [5] considered SKE in the latter setup with the slight difference that the public channel is one-way and limited in rate. Ahlswede and Cai [2] studied SKE when Wyner's setup is accompanied by an additional secure (and reliable) output feedback channel that is used to feed back the information received from the forward channel. Noisy feedback over modulo-additive broadcast channels is another extension [9], [13]. Khisti et al. [7] and independently Prabhakaran et al. [12] considered a setup where the parties have access to a DMMS and a DMBC from Alice to Bob and Eve.

In practice, special types of channel, e.g., a public discussion channel, must be realized from more basic resources such as a DMBC. In [3], we introduced a new setup for SKE, called 2DMBC, where the only resources available to Alice and Bob are two independent DMBCs in the two directions. This setup is appropriate to model wireless networks where two nodes can communicate interactively and their communication is eavesdropped by their wireless neighbors. The secret-key capacity in this setup is defined as the maximum rate of secure and reliable key establishment, in bits per channel use.
Lower and upper bounds on the secret-key capacity in the 2DMBC setup have been provided and shown to coincide when the broadcast channels are physically degraded [3].

A. Our work

Motivated by applying the theoretical results to practical communication scenarios, in this paper we extend the results of [3] in the following directions.

1) We consider the 2DMBC setup when both DMBCs have secrecy potential, by which we mean that realizing a noiseless channel from either of the DMBCs is not optimal. In most of the channels of interest (in communication), this occurs when the DMBCs have non-zero secrecy capacities. We propose a two-round SKE protocol based on a novel technique, called Interactive Channel Coding (ICC), that achieves the lower bound in [3]. This lower bound was proved before by an SKE protocol that, although convenient for the proof, uses an elaborate two-level coding construction whose efficient design becomes a new challenge in practice. Instead, ICC is a simple extension of systematic channel coding to a two-round construction in which the messages are essentially a codeword from a systematic error correcting code, split into two parts: one received in the first round and one sent in the second round. Roughly speaking, the ICC protocol works as follows. Alice sends a random sequence $R_A$ and Bob receives a noisy version of it, $I_A$. He chooses an independent random sequence, $I_B$, and appends it to $I_A$. We refer to the concatenated sequence $I = (I_A \| I_B)$ as the information sequence. Bob uses his systematic encoder to calculate a parity-check sequence $P$ for the information sequence $I$, and sends $(I_B \| P)$ to Alice, where Alice receives $(R_B \| R_P)$. She uses her systematic decoder to decode $R = (R_A \| R_B \| R_P)$ to $\hat{I} = (\hat{I}_A \| \hat{I}_B)$ as an estimation of the information sequence.
The rest is to generate a secure key from the information sequence. ICC is particularly important as it allows progress in systematic capacity-achieving codes to be directly applied to SKE.

2) We study the 2DMBC setup when the DMBCs are stochastically degraded with independent channels. We refer to this setup as sd-2DMBC. This study is motivated by observing that the results in [3] for the secret-key capacity of (physically) degraded 2DMBCs do not necessarily hold for stochastically degraded 2DMBCs. In setups like [4], [5], [7], [12] that do not offer interactive communication, physically and stochastically degraded broadcast channels are equivalent in terms of the secret-key capacity. This is not true, however, for the 2DMBC setup in which interactive communication is permitted. Two important classes of stochastically degraded channels with independent components are binary symmetric broadcast channels and Gaussian broadcast channels. We note that our results can be easily extended to continuous memoryless channels.

2-a) We give a simplified expression for the lower bound on the secret-key capacity in the sd-2DMBC setup which uses fewer random variables and hence results in a simpler maximization problem.

2-b) We consider the sd-2DMBC setup when one of the parties can only send independently, identically distributed (i.i.d.) variables. We prove a single-letter formula for the secret-key capacity that is achieved by a two-round protocol.

An example of scenario (2-b) is when a base station wants to establish keys with several users in different locations. The offline computation power of the base station is high but its realtime computation power is limited. So, the base station sends i.i.d. variables in realtime and stores the received variables from all other nodes in all communication rounds.
Next, it calculates the common keys with each user from the stored information in the offline mode. Our study of the above scenario provides a solution to this problem.

B. Notation

We use calligraphic letters ($\mathcal{U}$) to denote finite alphabets (sets), and the corresponding letters in uppercase ($U$) and lowercase ($u$) to denote random variables (RVs) and their realizations, respectively. The size of $\mathcal{U}$ is denoted by $|\mathcal{U}|$. $\mathcal{U}^n$ is the set of all sequences of length $n$ whose elements are in $\mathcal{U}$; $U^n = (U_1, U_2, \ldots, U_n)$ is called an $n$-sequence, i.e., a sequence of $n$ (possibly correlated) RVs in $\mathcal{U}$, and $U_i^j$ is used to denote the part of this sequence that is $(U_i, U_{i+1}, \ldots, U_j)$. We use '$\|$' to show the concatenation of sequences. For a value $x$, we use $[x]^+$ to show $\max\{0, x\}$. For three random sequences $Q_1$, $Q_2$, and $Q_3$, we use $Q_1 \leftrightarrow Q_2 \leftrightarrow Q_3$ to denote a Markov chain between them in this order.

C. Paper organization

Section II describes the 2DMBC setup, definitions, and existing SKE results in this setup. Section III summarizes the main results of this paper. Section IV is dedicated to the proofs. We conclude the paper in Section V.

II. MODEL, DEFINITIONS, AND EXISTING RESULTS

The 2DMBC setup is depicted in Fig. 1. There is a forward DMBC, $X_f \to (Y_f, Z_f)$, specified by $P_{Y_f, Z_f | X_f}$, from Alice to Bob (and Eve), and a backward DMBC, $X_b \to (Y_b, Z_b)$, specified by $P_{Y_b, Z_b | X_b}$, from Bob to Alice (and Eve). We assume that each party has free access to an independent source of randomness.

Fig. 1. The 2DMBC setup (forward DMBC $P_{Y_f, Z_f | X_f}$ from Alice to Bob and Eve; backward DMBC $P_{Y_b, Z_b | X_b}$ from Bob to Alice and Eve)

An SKE protocol in this setup may contain several communication rounds.
In each round either Alice or Bob sends a sequence of random variables (RVs) which is computed using some independent randomness and the communicated (sent and/or received) sequences in the previous rounds. Finally each party will have a set of communicated sequences, which form their view. Using their views, one of the legitimate parties computes a key $S$, and the other one computes an estimation of the key, $\hat{S}$. A secure SKE protocol and the secret-key capacity in the 2DMBC setup are defined as follows.

Definition 1: [3] An SKE protocol $\Pi$ in the 2DMBC setup is $(R_{sk}, \delta)$-secure if it results in the key $S$ and its estimation $\hat{S}$ such that
$$ \frac{H(S)}{n_f + n_b} > R_{sk} - \delta, \quad (1a) $$
$$ \Pr(\hat{S} \neq S) < \delta, \quad (1b) $$
$$ \frac{H(S \mid View_E)}{H(S)} > 1 - \delta, \quad (1c) $$
where $View_E$ is Eve's view at the end of the protocol, and $n_f$ and $n_b$ are the number of times that the forward and the backward channels are used, respectively.

Definition 2: [3] The secret-key capacity in the 2DMBC setup, $C^{2DMBC}_{sk}$, is the largest $R_{sk} \ge 0$ such that, for any arbitrarily small $\delta > 0$, there exists an $(R_{sk}, \delta)$-secure SKE protocol.

We recall the lower and the upper bounds given in [3] on the secret-key capacity in the 2DMBC setup. Let the RVs $X_f, Y_f, Z_f$ (resp. $X_b, Y_b, Z_b$) correspond to the conditional distribution $P_{Y_f, Z_f | X_f}$ (resp. $P_{Y_b, Z_b | X_b}$) specified by the 2DMBC. Let $V_f, V_b, W_{1,f}, W_{2,f}, W_{1,b}, W_{2,b}$ be RVs from arbitrary sets where $V_f$, $V_b$, $(W_{1,f}, W_{2,f})$, and $(W_{1,b}, W_{2,b})$ are independent and the following Markov chains are satisfied:
$$ V_f \leftrightarrow Y_f \leftrightarrow (X_f, Z_f), \qquad W_{2,b} \leftrightarrow W_{1,b} \leftrightarrow X_b \leftrightarrow (Y_b, Z_b), \quad (2a) $$
$$ V_b \leftrightarrow Y_b \leftrightarrow (X_b, Z_b), \qquad W_{2,f} \leftrightarrow W_{1,f} \leftrightarrow X_f \leftrightarrow (Y_f, Z_f). \quad (2b) $$
Also let
$$ R^A_{s1} = I(V_f; X_f) - I(V_f; Z_f), \quad (3a) $$
$$ R^A_{s2} = I(W_{1,b}; Y_b \mid W_{2,b}) - I(W_{1,b}; Z_b \mid W_{2,b}), \quad (3b) $$
$$ R^B_{s1} = I(V_b; X_b) - I(V_b; Z_b), \quad (3c) $$
$$ R^B_{s2} = I(W_{1,f}; Y_f \mid W_{2,f}) - I(W_{1,f}; Z_f \mid W_{2,f}). \quad (3d) $$
The secret-key capacity is lower bounded [3] as
$$ C^{2DMBC}_{sk} \ge \max\{L_A, L_B\}, \quad (4) $$
where
$$ L_A = \max_{n_f, n_b, P_{X_f, V_f}, P_{X_b, W_{2,b}, W_{1,b}}} \left\{ \frac{n_f R^A_{s1} + n_b [R^A_{s2}]^+}{n_f + n_b} \;\text{ s.t. }\; n_f I(V_f; Y_f \mid X_f) < n_b I(W_{1,b}; Y_b) \right\}, \quad (5) $$
$$ L_B = \max_{n_f, n_b, P_{X_b, V_b}, P_{X_f, W_{2,f}, W_{1,f}}} \left\{ \frac{n_b R^B_{s1} + n_f [R^B_{s2}]^+}{n_f + n_b} \;\text{ s.t. }\; n_b I(V_b; Y_b \mid X_b) < n_f I(W_{1,f}; Y_f) \right\}, \quad (6) $$
and it is upper bounded [3] as
$$ C^{2DMBC}_{sk} \le \max_{P_{X_f}, P_{X_b}} \{ I(X_f; Y_f \mid Z_f),\; I(X_b; Y_b \mid Z_b) \}. \quad (7) $$

III. STATEMENT OF MAIN RESULTS

A. The interactive channel coding protocol

The lower bound in (4) has been obtained by an SKE protocol [3] that uses a complicated two-level coding construction whose efficient design becomes a challenge in practice. We introduce the interactive channel coding (ICC) technique, which is used to design the so-called ICC protocol for SKE. We show that when the DMBCs have secrecy potential, the ICC protocol can achieve the lower bound in (4). ICC relies on the existence of capacity-achieving systematic channel codes. Designing efficient constructions for systematic channel codes has been well studied; e.g., a large body of work on the design of capacity-achieving channel codes builds on linear block codes, which can be represented as systematic codes. This makes the design of an efficient ICC protocol for SKE as simple as the design of efficient coding for SKE over a (one-way) DMBC [4].
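To make the two-round ICC construction of Section I-A concrete ($R_A$, $I_A$, $I_B$, $P$, $R_B$, $R_P$, and Alice's decoder acting on $R = (R_A \| R_B \| R_P)$), the following toy simulation is added here by the editor and is not code from the paper. It assumes two independent binary symmetric channels, a systematic Hamming(7,4) code standing in for a capacity-achieving systematic code, and a constructed linear map as the key-derivation function $g$; Eve is omitted because the simulation illustrates reliability of the shared information sequence, not the secrecy argument.

```python
"""Toy simulation of Interactive Channel Coding (ICC) over two independent
binary symmetric channels (BSCs). Added illustration, not the paper's code.

Constructed assumptions: the systematic code is Hamming(7,4); the forward
channel carries the first 2 information bits (R_A -> I_A); the backward
channel carries Bob's 2 information bits plus 3 parity bits (I_B || P);
the key-derivation map g is a fixed linear map from the 4-bit information
word to a 2-bit key (kappa = 2, each key value covers 2^2 information words).
"""
import random

# Systematic Hamming(7,4): codeword = (d1 d2 d3 d4 | p1 p2 p3).
# Parity-check matrix H; its 7 columns are the distinct non-zero 3-bit
# vectors, so a single flipped bit is located by its syndrome.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
N_INFO, N_FWD, N_CODE = 4, 2, 7   # information bits, forward-channel bits, codeword length


def parity(info):
    """Bob's systematic encoder: parity-check sequence P for information word I."""
    d1, d2, d3, d4 = info
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]


def syndrome(word):
    return [sum(h * w for h, w in zip(row, word)) % 2 for row in H]


def decode(received):
    """Alice's systematic decoder: correct at most one error.
    Returns (I_hat, corrected codeword)."""
    word = list(received)
    s = syndrome(word)
    if any(s):
        cols = [[H[r][c] for r in range(3)] for c in range(N_CODE)]
        word[cols.index(s)] ^= 1   # flip the bit whose H-column equals the syndrome
    return word[:N_INFO], word


def bsc(bits, flips):
    """Deterministic BSC: flip exactly the positions in `flips` (constructed noise)."""
    return [b ^ (1 if i in flips else 0) for i, b in enumerate(bits)]


def g(info):
    """Key-derivation map: partitions the 16 information words into 2^2 parts
    of size 2^2 (constructed choice of g)."""
    return [info[0] ^ info[2], info[1] ^ info[3]]


def icc_round(r_a, i_b, fwd_flips=(), bwd_flips=()):
    """One ICC exchange. Returns (S computed by Bob, S_hat computed by Alice)."""
    # Round 1: Alice sends random R_A; Bob receives the noisy version I_A.
    i_a = bsc(r_a, fwd_flips)
    # Bob appends his own random I_B, encodes I = I_A || I_B, sends I_B || P.
    info = i_a + i_b
    r_b_r_p = bsc(i_b + parity(info), bwd_flips)
    # Alice treats R = R_A || R_B || R_P as a noisy codeword: the forward-channel
    # noise now looks like errors on the I_A part, the backward noise on the rest.
    i_hat, _ = decode(r_a + r_b_r_p)
    return g(info), g(i_hat)


def simulate(trials, p_fwd, p_bwd, seed=1):
    """Fraction of rounds in which Alice's key equals Bob's under random BSC noise."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        r_a = [rng.randint(0, 1) for _ in range(N_FWD)]
        i_b = [rng.randint(0, 1) for _ in range(N_INFO - N_FWD)]
        f = {i for i in range(N_FWD) if rng.random() < p_fwd}
        b = {i for i in range(N_CODE - N_FWD) if rng.random() < p_bwd}
        s, s_hat = icc_round(r_a, i_b, f, b)
        ok += s == s_hat
    return ok / trials


if __name__ == "__main__":
    print(icc_round([1, 0], [1, 1], fwd_flips={0}))                 # one error: keys agree
    print(icc_round([1, 0], [1, 1], fwd_flips={1}, bwd_flips={2}))  # two errors: may differ
    print(simulate(10000, 0.05, 0.05))
```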
Definition 3: A (bipartite) systematic channel code, with encoding alphabets $(\mathcal{Y}_f, \mathcal{X}_b)$ and decoding alphabets $(\mathcal{X}_f, \mathcal{Y}_b)$, is specified by a pair of encoding/decoding functions $(Enc/Dec)$, where

• $Enc: \mathcal{Y}_f^{n_f} \times \mathcal{X}_b^{n_{b,i}} \to \mathcal{Y}_f^{n_f} \times \mathcal{X}_b^{n_b}$ deterministically maps $(y_f^{n_f} \| x_b^{n_{b,i}})$ (as the information sequence) to the codeword $(y_f^{n_f} \| x_b^{n_b})$ such that $x_b^{n_b} = (x_b^{n_{b,i}} \| x_b^{n_{b,p}})$ and $n_b = n_{b,i} + n_{b,p}$; we call $x_b^{n_{b,p}}$ the parity-check sequence.

• $Dec: \mathcal{X}_f^{n_f} \times \mathcal{Y}_b^{n_b} \to \mathcal{Y}_f^{n_f} \times \mathcal{X}_b^{n_{b,i}}$ deterministically assigns a guess $(\hat{y}_f^{n_f} \| \hat{x}_b^{n_{b,i}})$ to each input $(x_f^{n_f} \| y_b^{n_b})$.

The general construction of the ICC protocol and a proof of Theorem 1 are provided in Section IV-A. In the following, we describe the ICC protocol for the special case when $V_f = Y_f$, $W_{2,b} = 1$, $W_{1,b} = X_b$, and Alice is the initiator (see Fig. 2). Accordingly, we rephrase the argument to be maximized and the constraint condition in (12) respectively as
$$ R_{sk} = \frac{n_f [I(Y_f; X_f) - I(Y_f; Z_f)] + n_b [I(X_b; Y_b) - I(X_b; Z_b)]}{n_f + n_b}, \quad (8) $$
$$ n_f (H(Y_f \mid X_f) + \alpha) \le n_b I(X_b; Y_b), \quad (9) $$
where $\alpha > 0$ is an arbitrarily small constant. Let $n_b = n_{b,i} + n_{b,p}$, where $n_{b,i}$ is chosen to satisfy
$$ n_{b,i} H(X_b) = n_b I(X_b; Y_b) - n_f (H(Y_f \mid X_f) + \alpha). \quad (10) $$
Let $N = n_f + n_b$ and $\epsilon$ be a small constant such that $5N\epsilon < n_f \alpha$. Let $\mathcal{Y}^{n_f}_{f,\epsilon}$ (resp. $\mathcal{X}^{n_{b,i}}_{b,\epsilon}$) be the set of all $\epsilon$-typical sequences w.r.t. $P_{Y_f}$ (resp. $P_{X_b}$) in $\mathcal{Y}_f^{n_f}$ (resp. $\mathcal{X}_b^{n_{b,i}}$); define
$$ \eta_f = \log |\mathcal{Y}^{n_f}_{f,\epsilon}|, \quad \eta_b = \log |\mathcal{X}^{n_{b,i}}_{b,\epsilon}|, \quad \eta = \eta_f + \eta_b, \quad \kappa = N R_{sk}, \quad \gamma = \eta - \kappa. $$
Let $\{\mathcal{G}_i\}_{i=1}^{2^\kappa}$ be a partition of $\mathcal{Y}^{n_f}_{f,\epsilon} \times \mathcal{X}^{n_{b,i}}_{b,\epsilon}$ into $2^\kappa$ parts, each of size $2^\gamma$. Define $g: \mathcal{Y}^{n_f}_{f,\epsilon} \times \mathcal{X}^{n_{b,i}}_{b,\epsilon} \to \{1, 2, \ldots, 2^\kappa\}$ as the function that, for every input $(y_f^{n_f}, x_b^{n_{b,i}}) \in \mathcal{G}_i$, outputs $i$.

Encoding. Alice chooses an i.i.d. $n_f$-vector $X_f^{n_f}$ and sends it over the forward DMBC; Bob and Eve receive $Y_f^{n_f}$ and $Z_f^{n_f}$, respectively. If $Y_f^{n_f} \notin \mathcal{Y}^{n_f}_{f,\epsilon}$, Bob returns a NULL; otherwise, he chooses uniformly at random an $n_{b,i}$-sequence $X_b^{n_{b,i}}$ from $\mathcal{X}^{n_{b,i}}_{b,\epsilon}$, encodes $Enc(Y_f^{n_f} \| X_b^{n_{b,i}}) = (Y_f^{n_f} \| X_b^{n_b})$, and sends $X_b^{n_b}$ over the backward DMBC; Alice and Eve receive $Y_b^{n_b}$ and $Z_b^{n_b}$, respectively.

Decoding. Alice decodes $(\hat{Y}_f^{n_f} \| \hat{X}_b^{n_{b,i}}) = Dec(X_f^{n_f} \| Y_b^{n_b})$ using bipartite jointly typical decoding: she searches through the $2^\eta$ words in $\mathcal{Y}^{n_f}_{f,\epsilon} \times \mathcal{X}^{n_{b,i}}_{b,\epsilon}$ and either finds a unique $(\hat{Y}_f^{n_f}, \hat{X}_b^{n_{b,i}})$ such that $Enc(\hat{Y}_f^{n_f}, \hat{X}_b^{n_{b,i}})$ and $(X_f^{n_f}, Y_b^{n_b})$ are $(n_f, \epsilon)$-bipartite jointly typical w.r.t. $(P_{Y_f, X_f}, P_{X_b, Y_b})$ (see Section IV-A, Definition 7), or returns a NULL.

Key derivation. Bob computes $S = g(Y_f^{n_f}, X_b^{n_{b,i}})$. Alice computes $\hat{S} = g(\hat{Y}_f^{n_f}, \hat{X}_b^{n_{b,i}})$.

Fig. 2. ICC over a 2DMBC: Alice initiates the protocol (Alice sends $X_f^{n_f}$ over the forward DMBC; Bob's systematic encoder produces $X_b^{n_b}$ from $(Y_f^{n_f}, X_b^{n_{b,i}})$; Alice's systematic decoder outputs $(\hat{Y}_f^{n_f}, \hat{X}_b^{n_{b,i}})$ from $(X_f^{n_f}, Y_b^{n_b})$)

Theorem 1: Taking the variables from (2) and (3), the ICC protocol can achieve the secret-key rate
$$ R_{ICC} = \max\{R^A_{ICC}, R^B_{ICC}\}, \quad (11) $$
where
$$ R^A_{ICC} = \max_{n_f, n_b, P_{X_f, V_f}, P_{X_b, W_{2,b}, W_{1,b}}} \left\{ \frac{n_f R^A_{s1} + n_b R^A_{s2}}{n_f + n_b} \;\text{ s.t. }\; n_f I(V_f; Y_f \mid X_f) < n_b I(W_{1,b}; Y_b) \right\}, \quad (12) $$
$$ R^B_{ICC} = \max_{n_f, n_b, P_{X_b, V_b}, P_{X_f, W_{2,f}, W_{1,f}}} \left\{ \frac{n_b R^B_{s1} + n_f R^B_{s2}}{n_f + n_b} \;\text{ s.t. }\; n_b I(V_b; Y_b \mid X_b) < n_f I(W_{1,f}; Y_f) \right\}. \quad (13) $$
Comparing (5) with (12), we conclude that $R^A_{ICC}$ and $L_A$ are equal if, for the optimal selection of the parameters in the maximization problem of (5), $R^A_{s2}$ becomes non-negative.
In other words, the two values (rates) are equal if the backward DMBC has secrecy potential, i.e., the optimal strategy is not based on realizing a noiseless channel from the backward DMBC. Similarly, $R^B_{ICC}$ equals $L_B$ if the forward DMBC has secrecy potential.

Corollary 1: When the DMBCs have secrecy potential, the ICC protocol can achieve the lower bound in (4).

B. The secret-key capacity in the sd-2DMBC setup

SKE over physically degraded 2DMBCs (pd-2DMBCs) was considered in [3], where we showed that the lower and the upper bounds coincide and the capacity is achieved by a one-round SKE protocol. This implies that interaction over a pd-2DMBC cannot increase the SKE rate. However, this is not generally true for stochastically degraded broadcast channels, and the upper bound in (7) does not necessarily coincide with the lower bound in (4) for stochastically degraded DMBCs. In this paper, we consider SKE over a 2DMBC where each DMBC is stochastically degraded with independent channels. We refer to this setup as sd-2DMBC.

Definition 4: The DMBC $X \to (Y, Z)$, with conditional distribution $P_{YZ|X}$, is stochastically degraded in favor of $Y$ (or the party who receives $Y$) if there exist two RVs $\tilde{Y}$ and $\tilde{Z}$ such that $X \leftrightarrow \tilde{Y} \leftrightarrow \tilde{Z}$ forms a Markov chain and $P_{XY}(x, y) = P_{X, \tilde{Y}}(x, y)$, $P_{XZ}(x, z) = P_{X, \tilde{Z}}(x, z)$. It consists of independent channels if $P_{YZ|X} = P_{Y|X} \cdot P_{Z|X}$.

Definition 5: An sd-2DMBC is a 2DMBC whose DMBCs are stochastically degraded (either in favor of $Y$ or in favor of $Z$) and consist of independent channels.

1) Lower bound: Proposition 1: The secret-key capacity in the sd-2DMBC setup is lower bounded as
$$ C^{sd\text{-}2DMBC}_{sk} \ge \max\{L'_A, L'_B\}, \quad (14) $$
where
$$ L'_A = \max_{n_f, n_b, P_{V_f, X_f, X_b}} \left\{ \frac{n_f I(V_f; X_f \mid Z_f) + n_b [I(X_b; Y_b) - I(X_b; Z_b)]^+}{n_f + n_b} \;\text{ s.t. }\; n_f I(V_f; Y_f \mid X_f) < n_b I(X_b; Y_b) \right\}, \quad (15) $$
$$ L'_B = \max_{n_f, n_b, P_{V_b, X_b, X_f}} \left\{ \frac{n_b I(V_b; X_b \mid Z_b) + n_f [I(X_f; Y_f) - I(X_f; Z_f)]^+}{n_f + n_b} \;\text{ s.t. }\; n_b I(V_b; Y_b \mid X_b) < n_f I(X_f; Y_f) \right\}. \quad (16) $$
Compared to (5) and (6), the expressions (15) and (16) do not contain the RVs $W_{1,b}$, $W_{2,b}$, $W_{1,f}$, and $W_{2,f}$. So, the maximization problem in obtaining the lower bound (14) is easier than that in (4).

2) Single-letter characterization: We consider a scenario where one of the legitimate parties can only send i.i.d. variables, and derive an expression for the secret-key capacity under this condition.

Theorem 2: When one of the legitimate parties can only send i.i.d. variables, the secret-key capacity in the sd-2DMBC setup equals
$$ \max\{L'_A, L'_B\}, \quad (17) $$
where $L'_A$ and $L'_B$ are given in (15) and (16), respectively.

IV. PROOFS

A. Proof of Theorem 1, the ICC protocol

We describe the ICC protocol when Alice is the initiator and prove that it achieves the rate in (12). In a similar way, one can describe ICC when Bob initiates the protocol and prove (13). First we give the following definitions from [3] for bipartite typical sequences. A bipartite sequence $X^N = (U^n \| T^d)$, where $N = n + d$, is the concatenation of two subsequences, $U^n \in \mathcal{U}^n$ and $T^d \in \mathcal{T}^d$, with two probability distributions, $P_{U^n}$ and $P_{T^d}$, respectively.

Definition 6: A sequence $x^N = (u^n \| t^d)$ is an $(\epsilon, n)$-bipartite typical sequence with respect to the probability distribution pair $(P_U(u), P_T(t))$ iff
$$ \left| -\frac{1}{N} \log P(x^N) - \frac{nH(U) + dH(T)}{N} \right| < \epsilon, \quad (18) $$
where $P(x^N)$ is calculated as
$$ P(x^N) = \prod_{i=1}^{n} P_U(u_i) \times \prod_{i=1}^{d} P_T(t_i). \quad (19) $$

Definition 7: A pair of sequences $(x^N, y^N) = ((u^n \| t^d), (u'^n \| t'^d))$ is an $(\epsilon, n)$-bipartite jointly typical pair of sequences with respect to the probability distribution pair $(P_{U,U'}(u, u'), P_{T,T'}(t, t'))$ iff $x^N$ and $y^N$ are $(\epsilon, n)$-bipartite typical sequences with respect to the marginal probability distribution pairs $(P_U(u), P_T(t))$ and $(P_{U'}(u'), P_{T'}(t'))$, respectively, and
$$ \left| -\frac{1}{N} \log P(x^N, y^N) - \frac{nH(U, U') + dH(T, T')}{N} \right| < \epsilon, \quad (20) $$
where $P(x^N, y^N)$ is calculated as
$$ P(x^N, y^N) = \prod_{i=1}^{n} P_{U,U'}(u_i, u'_i) \times \prod_{i=1}^{d} P_{T,T'}(t_i, t'_i). \quad (21) $$

Back to the proof, let the RVs $V_f, X_f, Y_f, Z_f$ and $W_{1,b}, W_{2,b}, X_b, Y_b, Z_b$ be the same as defined in Theorem 1 such that the Markov chains in (2) are satisfied. Also let $n_f$ and $n_b$ be integers that satisfy the constraint condition in (12). For simplicity, we use $W_1$, $W_2$, and $V$ to refer to $W_{1,b}$, $W_{2,b}$, and $V_f$, respectively. Accordingly, we write the argument to be maximized in (12) as
$$ R_{sk} = \frac{n_f R^A_{s1} + n_b R^A_{s2}}{n_f + n_b}, \quad (22) $$
where
$$ R^A_{s1} = I(V; X_f) - I(V; Z_f), \quad (23a) $$
$$ R^A_{s2} = I(W_1; Y_b \mid W_2) - I(W_1; Z_b \mid W_2), \quad (23b) $$
and we rephrase the constraint condition in (12) as
$$ n_b I(W_1; Y_b) \ge n_f \left( I(V; Y_f \mid X_f) + 3\alpha \right), \quad (24) $$
where $\alpha > 0$ is a small constant to be determined (later) from $\delta$. We shall show that for any given $\delta > 0$, for sufficiently large $n_f$ and $n_b$ that satisfy (24), the three requirements in (1) can be satisfied. Let $N = n_f + n_b$ and $\epsilon, \beta > 0$ be small constants determined from $\alpha$ such that $3N\epsilon < n_b \beta = n_f \alpha$. Let $n_b = n_{b,1} + n_{b,2}$, where $n_{b,2}$ is chosen to satisfy
$$ n_{b,2} I(W_1; Y_b) = n_f \left( I(V; Y_f \mid X_f) + 3\alpha \right). \quad (25) $$
Define
$$ \eta_f = n_f [I(V; Y_f) + \alpha], \quad \eta_{f,2} = n_{b,2} I(W_2; Y_b), \quad \eta_{f,1} = \eta_f - \eta_{f,2}, \quad (26) $$
$$ \eta_b = n_{b,1} [I(W_1; Y_b) - \beta], \quad \eta_{b,2} = n_{b,1} I(W_2; Y_b), \quad \eta_{b,1} = \eta_b - \eta_{b,2}, \quad (27) $$
$$ \eta_1 = \eta_{f,1} + \eta_{b,1}, \quad \eta_2 = \eta_{f,2} + \eta_{b,2}, \quad \eta = \eta_f + \eta_b, \quad (28) $$
$$ \kappa = (n_f + n_b) R_{sk}, \quad \gamma = \eta - \kappa. \quad (29) $$
Although the quantities obtained in (25)-(29) are real values, for sufficiently large $n_b$ and $n_f$ we can approximate them by integers. Since $\beta$ can be made arbitrarily small, we can assume $\eta_b$ and $\eta_f$ are non-negative. Furthermore, since
$$ \eta = \eta_f + \eta_b \overset{(a)}{=} n_f [I(V; Y_f, X_f) + \alpha] + n_{b,1} [I(W_1; Y_b) - \beta] $$
$$ = n_f I(V; X_f) + n_f I(V; Y_f \mid X_f) + n_f \alpha + n_{b,1} I(W_1; Y_b) - n_{b,1} \beta $$
$$ \overset{(b)}{=} n_f I(V; X_f) + n_{b,2} I(W_1; Y_b) - 2 n_f \alpha + n_{b,1} I(W_1; Y_b) - n_{b,1} \beta $$
$$ \ge n_f I(V; X_f) + n_b I(W_1; Y_b) - 3 n_f \alpha \ge n_f R^A_{s1} + n_b R^A_{s2} - 3 n_f \alpha \ge \kappa - 3 n_f \alpha, $$
for arbitrarily small $\alpha$ we can assume $\eta \ge \kappa$ and so $\gamma$ is non-negative. Equality (a) above is due to (26), (27), and the Markov chain $X_f \leftrightarrow Y_f \leftrightarrow V$, and equality (b) follows from (25).

The following sets and functions are used in the design of the ICC protocol.

(i) $\mathcal{V}^{n_f}$ is the set of all possible $n_f$-sequences with elements from $\mathcal{V}$. Create $\mathcal{V}^{n_f}_\epsilon$ by randomly and independently selecting $2^{\eta_f}$ $\epsilon$-typical sequences (w.r.t. $P_V$) from $\mathcal{V}^{n_f}$.

(ii) Let $f: \mathcal{V}^{n_f}_\epsilon \to \mathcal{F} = \{1, 2, \ldots, 2^{\eta_f}\}$ be an arbitrary bijective mapping; denote its inverse by $f^{-1}$.

(iii) Let $\{\mathcal{F}_i\}_{i=1}^{2^{\eta_{f,2}}}$ be a partition of $\mathcal{F}$ into $2^{\eta_{f,2}}$ equal-sized parts. Label the elements of part $i$ as $\mathcal{F}_i = \{f_{i,j}\}_{j=1}^{2^{\eta_{f,1}}}$. Define $f_{ind}: \mathcal{F} \to \{1, \ldots, 2^{\eta_{f,2}}\} \times \{1, \ldots, 2^{\eta_{f,1}}\}$ such that $f_{ind}(f) = (i, j)$ if $f$ is labeled by $f_{i,j}$.

(iv) $\mathcal{W}_1^{n_{b,1}}$ is the set of all possible sequences $W_1^{n_{b,1}}$. Create $\mathcal{W}^{n_{b,1}}_{1,\epsilon}$ by randomly selecting $2^{\eta_b}$ different $\epsilon$-typical sequences (w.r.t. $P_{W_1}$) from $\mathcal{W}_1^{n_{b,1}}$.

(v) Let $b: \mathcal{W}^{n_{b,1}}_{1,\epsilon} \to \mathcal{B} = \{1, 2, \ldots, 2^{\eta_b}\}$ be an arbitrary bijective mapping; denote its inverse by $b^{-1}$.

(vi) In analogy to $\mathcal{F}$, let $\{\mathcal{B}_i\}_{i=1}^{2^{\eta_{b,2}}}$ be a partition of $\mathcal{B}$ where $\mathcal{B}_i = \{b_{i,j}\}_{j=1}^{2^{\eta_{b,1}}}$. Define $b_{ind}: \mathcal{B} \to \{1, \ldots, 2^{\eta_{b,2}}\} \times \{1, \ldots, 2^{\eta_{b,1}}\}$ such that $b_{ind}(b) = (i, j)$ if $b$ is labeled by $b_{i,j}$.

(vii) Let $\{\mathcal{G}_i\}_{i=1}^{2^\kappa}$ be a partition of $\mathcal{F} \times \mathcal{B}$ into parts of size $2^\gamma$. Define $g: \mathcal{F} \times \mathcal{B} \to \{1, 2, \ldots, 2^\kappa\}$ such that, for any input in $\mathcal{G}_i$, it outputs $i$.

(viii) Define the parity-check book $\mathcal{P}_2$ as the collection of $2^{\eta_2}$ words $\{w^{n_{b,2}}_{2, f_2, b_2} : f_2 = 1, \ldots, 2^{\eta_{f,2}},\; b_2 = 1, \ldots, 2^{\eta_{b,2}}\}$, where each codeword $w^{n_{b,2}}_{2, f_2, b_2}$ is of length $n_{b,2}$ and is independently generated according to the distribution $\prod_{i=1}^{n_{b,2}} p(W_2 = w_{2, f_2, b_2}(i))$.

(ix) For each $w^{n_{b,2}}_{2, f_2, b_2}$, define the parity-check book $\mathcal{P}_1(w^{n_{b,2}}_{2, f_2, b_2})$ as the collection of $2^{\eta_1}$ words $\{w^{n_{b,2}}_{1, f_2, b_2, f_1, b_1} : f_1 = 1, \ldots, 2^{\eta_{f,1}},\; b_1 = 1, \ldots, 2^{\eta_{b,1}}\}$, where each codeword $w^{n_{b,2}}_{1, f_2, b_2, f_1, b_1}$ is of length $n_{b,2}$ and is independently generated according to the distribution $\prod_{i=1}^{n_{b,2}} p(W_1 = w_{1, f_2, b_2, f_1, b_1}(i) \mid W_2 = w_{2, f_2, b_2}(i))$.

(x) Let $Enc: \mathcal{V}^{n_f} \times \mathcal{W}_1^{n_{b,1}} \to \mathcal{V}^{n_f} \times \mathcal{W}_1^{n_b}$ be a (bipartite) systematic encoding function such that $Enc(v^{n_f}, w_1^{n_{b,1}}) = (v^{n_f}, w_1^{n_b})$, where $w_1^{n_b} = (w_1^{n_{b,1}}, w^{n_{b,2}}_{1, f_2, b_2, f_1, b_1})$, using the above parity-check books with $f = f(v^{n_f})$, $b = b(w_1^{n_{b,1}})$, $(f_2, f_1) = f_{ind}(f)$, and $(b_2, b_1) = b_{ind}(b)$.

(xi) Let $DMC_W$ be the DMC $W_1 \to X_b$ that is specified by $P_{X_b \mid W_1}$.

Encoding. Alice selects an i.i.d. $n_f$-sequence $X_f^{n_f}$ and sends it over the forward DMBC. Bob and Eve receive $Y_f^{n_f}$ and $Z_f^{n_f}$, respectively.
Bob finds a $V^{n_f} \in \mathcal{V}^{n_f}_\epsilon$ that is $\epsilon$-jointly typical with $Y_f^{n_f}$ (w.r.t. $P_{V, Y_f}$), or returns a NULL if he fails. He independently selects a uniformly random $W_1^{n_{b,1}} \in \mathcal{W}^{n_{b,1}}_{1,\epsilon}$. He computes $F = f(V^{n_f})$, $B = b(W_1^{n_{b,1}})$, $(F_2, F_1) = f_{ind}(F)$, and $(B_2, B_1) = b_{ind}(B)$, and calculates $Enc(V^{n_f}, W_1^{n_{b,1}}) = (V^{n_f}, W_1^{n_b})$ using these variables. Next, Bob inputs $W_1^{n_b}$ to $DMC_W$ to compute $X_b^{n_b}$, and sends $X_b^{n_b}$ over the backward DMBC. Alice and Eve receive $Y_b^{n_b}$ and $Z_b^{n_b}$, respectively.

Decoding. Alice searches through $\mathcal{V}^{n_f}_\epsilon \times \mathcal{W}^{n_{b,1}}_{1,\epsilon}$ and either finds a unique $(\hat{V}^{n_f}, \hat{W}_1^{n_{b,1}})$ that is $(\epsilon, n_f)$-bipartite jointly typical with $(X_f^{n_f}, Y_b^{n_b})$ w.r.t. $(P_{V, X_f}, P_{W_1, Y_b})$, or returns a NULL.

Key Derivation. Bob computes $S = g(F, B)$. Alice computes $\hat{F} = f(\hat{V}^{n_f})$ and $\hat{B} = b(\hat{W}_1^{n_{b,1}})$, and then $\hat{S} = g(\hat{F}, \hat{B})$.

Fig. 3 shows the relationship between the random variables/sequences used in the ICC protocol. Two variables/sequences are connected by an edge if (1) they belong to the inputs/outputs of the same DMBC, or (2) one is computed from the other by Alice or Bob using a (possibly randomized) function.

Fig. 3. The relation between the variables/sequences used in the ICC protocol for (a) encoding/decoding, (b) key derivation by Alice, and (c) key derivation by Bob

Uniformity Analysis: Proving (1a)

From the AEP for $P_V$ (see [3, Appendix A] for more details), and since $F$ and $V^{n_f}$ have the same distribution,
$$ \forall f \in \mathcal{F}:\ \Pr(F = f) \le 2^{-\eta_f + 5N\epsilon} \quad (30) $$
$$ \Rightarrow \eta_f - 5N\epsilon \le H(V^{n_f}) = H(F) \le \eta_f. \quad (31) $$
Since $W_1^{n_{b,1}}$ (resp. $B$) is selected uniformly at random from $\mathcal{W}^{n_{b,1}}_{1,\epsilon}$ (resp. $\mathcal{B}$) of size $2^{\eta_b}$,
$$ \forall b \in \mathcal{B}:\ \Pr(B = b) = 2^{-\eta_b} \quad (32) $$
$$ \Rightarrow H(W_1^{n_{b,1}}) = H(B) = \eta_b. \quad (33) $$
For every $i \in \{1, 2, \ldots, 2^\kappa\}$, the probability that $S = i$ equals the probability that $(F, B) \in \mathcal{G}_i$. More specifically (see (28) and (29)),
$$ \forall i:\ \Pr(S = i) = \sum_{(f, b) \in \mathcal{G}_i} \Pr(F = f \wedge B = b) \le 2^\gamma\, 2^{-\eta_f + 5N\epsilon}\, 2^{-\eta_b} = 2^\gamma\, 2^{-\eta + 5N\epsilon} = 2^{-(\kappa - 5N\epsilon)} $$
$$ \Rightarrow \frac{H(S)}{n_f + n_b} \ge \frac{\kappa - 5N\epsilon}{n_f + n_b} = R_{sk} - \delta, \quad \delta \ge 5\epsilon. \quad (34) $$

Reliability Analysis: Proving (1b)

Since there are $2^{\eta_f}$ sequences in $\mathcal{V}^{n_f}_\epsilon$, with $\eta_f = n_f [I(V; Y_f) + \alpha]$, from the joint AEP, with probability arbitrarily close to 1, there exists a $V^{n_f} \in \mathcal{V}^{n_f}_\epsilon$ that is $\epsilon$-jointly typical with $Y_f^{n_f}$ (w.r.t. $P_{V, Y_f}$), and the encoding phase is successful. In the decoding phase, Alice needs to search through the $2^\eta$ words in $\mathcal{V}^{n_f}_\epsilon \times \mathcal{W}^{n_{b,1}}_{1,\epsilon}$, where $\eta$ is calculated as
$$ \eta = \eta_f + \eta_b \overset{(a)}{=} n_f (I(V; Y_f) + \alpha) + n_{b,1} (I(W_1; Y_b) - \beta) $$
$$ \overset{(b)}{=} n_f (I(V; Y_f) + \alpha) + n_b I(W_1; Y_b) - n_f (I(V_f; Y_f \mid X_f) + 3\alpha) - n_{b,1} \beta $$
$$ \overset{(c)}{=} n_f (I(V; X_f, Y_f) + \alpha) + n_b I(W_1; Y_b) - n_f (I(V_f; Y_f \mid X_f) + 3\alpha) - n_{b,1} \beta \quad (35) $$
$$ = n_f I(V; X_f) + n_b I(W_1; Y_b) - 2 n_f \alpha - n_{b,1} \beta < n_f I(V; X_f) + n_b I(W_1; Y_b) - 9N\epsilon. \quad (36) $$
Equality (a) follows from (26) and (27), equality (b) follows from (25), and equality (c) is due to the Markov chain $X_f \leftrightarrow Y_f \leftrightarrow V$.
Since $\eta$ is sufficiently smaller than $n_f I(V; X_f) + n_b I(W_1; Y_b)$, from the AEP for bipartite sequences (see [3, Theorem 4]), there exists an encoding function $Enc(\cdot)$ for which the decoding error probability becomes arbitrarily close to 0. This implies that
$$ \Pr(\hat{S} \neq S) \le \Pr\left( (\hat{F}, \hat{B}) \neq (F, B) \right) = \Pr\left( (\hat{V}^{n_f}, \hat{W}_1^{n_{b,1}}) \neq (V^{n_f}, W_1^{n_{b,1}}) \right) < \delta. $$

Secrecy Analysis: Proving (1c)

We shall show that $H(S \mid Z_f^{n_f}, Z_b^{n_b})$ is close to $H(S)$. For the quantities $H(F_2)$ and $H(B_2)$, we have (see [3, Appendix A] for more details)
$$ \eta_{f,2} - 5N\epsilon \le H(F_2) \le \eta_{f,2}, \quad (37) $$
$$ H(B_2) = \eta_{b,2}. \quad (38) $$
We write $H(S \mid Z_f^{n_f}, Z_b^{n_b})$ as
$$ H(S \mid Z_f^{n_f}, Z_b^{n_b}) \ge H(S \mid F_2, B_2, Z_f^{n_f}, Z_b^{n_b}) $$
$$ = H(S, F, B \mid F_2, B_2, Z_f^{n_f}, Z_b^{n_b}) - H(F, B \mid S, F_2, B_2, Z_f^{n_f}, Z_b^{n_b}) $$
$$ = H(F, B \mid F_2, B_2, Z_f^{n_f}, Z_b^{n_b}) - H(F, B \mid S, F_2, B_2, Z_f^{n_f}, Z_b^{n_b}) $$
$$ = H(F, B \mid F_2, B_2) - I(F, B; Z_f^{n_f}, Z_b^{n_b} \mid F_2, B_2) - H(F, B \mid S, F_2, B_2, Z_f^{n_f}, Z_b^{n_b}). \quad (39) $$
The first term above is written as
$$ H(F, B \mid F_2, B_2) = H(F \mid F_2, B_2) + H(B \mid F, F_2, B_2) \overset{(a)}{=} H(F \mid F_2) + H(B \mid B_2) $$
$$ \overset{(b)}{=} H(F) + H(B) - H(F_2) - H(B_2) \overset{(c)}{\ge} \eta_f - 5N\epsilon + \eta_b - \eta_{f,2} - \eta_{b,2} $$
$$ \overset{(d)}{\ge} n_f I(V; Y_f) - 2N\epsilon + n_{b,1} [I(W_1; Y_b) - \beta] - n_{b,2} I(W_2; Y_b) - n_{b,1} I(W_2; Y_b) $$
$$ \overset{(e)}{=} n_f I(V; X_f) + n_f I(V; Y_f \mid X_f) - 2N\epsilon + n_{b,1} I(W_1; Y_b) - n_b I(W_2; Y_b) - n_{b,1} \beta $$
$$ = n_f I(V; X_f) + n_f (I(V; Y_f \mid X_f) + 3\alpha) + n_{b,1} I(W_1; Y_b) - n_b I(W_2; Y_b) - 3 n_f \alpha - n_b \beta - 2N\epsilon $$
$$ \overset{(f)}{=} n_f I(V; X_f) + n_{b,2} I(W_1; Y_b) + n_{b,1} I(W_1; Y_b) - n_b I(W_2; Y_b) - 3 n_f \alpha - n_b \beta - 2N\epsilon $$
$$ > n_f I(V; X_f) + n_b I(W_1; Y_b) - n_b I(W_2; Y_b) - 14N\epsilon \overset{(g)}{=} n_f I(V; X_f) + n_b I(W_1; Y_b \mid W_2) - 14N\epsilon. \quad (40) $$
Equality (a) holds since $B_2$ and $B$ are selected independently of $F_2$ and $F$, equality (b) holds since $F_2$ and $B_2$ are deterministic functions of $F$ and $B$, respectively (the encoding phase), inequality (c) follows from (31), (33), (37), and (38), inequality (d) follows from (26) and (27), equality (e) is due to the Markov chain $X_f \leftrightarrow Y_f \leftrightarrow V$, equality (f) follows from (25), and equality (g) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Y_b$.
The second term in (39) is written as

$$\begin{aligned}
I(F,B; Z_f^{n_f}, Z_b^{n_b} \mid F_2,B_2) &= I(F,B; Z_f^{n_f} \mid F_2,B_2) + I(F,B; Z_b^{n_b} \mid Z_f^{n_f},F_2,B_2)\\
&\overset{(a)}{=} I(V^{n_f},B; Z_f^{n_f} \mid F_2,B_2) + I(F,B; Z_b^{n_b} \mid Z_f^{n_f},F_2,B_2)\\
&\overset{(b)}{\le} I(V^{n_f}; Z_f^{n_f}) + I(F,B; Z_b^{n_b} \mid F_2,B_2)\\
&\overset{(c)}{=} I(V^{n_f}; Z_f^{n_f}) + H(Z_b^{n_b} \mid F_2,B_2) - H(Z_b^{n_b} \mid F,B)\\
&\overset{(d)}{\le} n_f I(V;Z_f) + n_b\big[H(Z_b \mid W_2) - H(Z_b \mid W_1)\big]\\
&\overset{(e)}{\le} n_f I(V;Z_f) + n_b I(W_1;Z_b \mid W_2).
\end{aligned} \tag{41}$$

Equality (a) holds because $V^{n_f} = f^{-1}(F)$ (the key derivation phase), inequality (b) is due to the Markov chains $(F_2,B_2) \leftrightarrow (V^{n_f},B) \leftrightarrow Z_f^{n_f}$, $B \leftrightarrow V^{n_f} \leftrightarrow Z_f^{n_f}$ and $Z_f^{n_f} \leftrightarrow F \leftrightarrow Z_b^{n_b}$, equality (c) holds since $F_2$ and $B_2$ are deterministic functions of $F$ and $B$, inequality (d) follows from AEP, and inequality (e) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Z_b$.

It remains to calculate $H(F,B \mid S,F_2,B_2,Z_f^{n_f},Z_b^{n_b})$, i.e., the third term in (39). From (vii), knowing $S = i$ gives the partition $\mathcal{G}_i$ that $(F,B)$ belongs to; further, knowing $F_2 = f_2$ and $B_2 = b_2$ gives the parity-check sequence $w^{n_{b,1}}_{2,f_2,b_2} \in \mathcal{P}_2$ which is used in the encoding phase (see (viii)). Define the codebook

$$\mathcal{C}^e_i = \Big\{ (v^{n_f}, w_1^{n_b}) : (f(v^{n_f}), b) \in \mathcal{G}_i,\ w_1^{n_b} = \mathrm{Enc}(f(v^{n_f}), b),\ F_2 = f_2,\ B_2 = b_2 \Big\}.$$

Given $S = i$, $Z_f^{n_f}$, and $Z_b^{n_b}$, one can search all the codewords in $\mathcal{C}^e_i$ and return a unique $(\check V^{n_f}, \check W_1^{n_b}) \in \mathcal{C}^e_i$ that is $(\epsilon, n_f)$-bipartite jointly typical with $(Z_f^{n_f}, Z_b^{n_b})$ w.r.t. $(P_{V,Z_f}, P_{W_1,Z_b})$; otherwise return NULL. From (vii), $|\mathcal{G}_i| = 2^{\gamma}$, and so $|\mathcal{C}^e_i| = 2^{\gamma - \eta_2}$, where $\eta_2$ is given in (28). We first calculate $\eta$, which is used in the calculation of $\gamma - \eta_2$.
$$\begin{aligned}
\eta = \eta_f + \eta_b &= n_f\big(I(V;Y_f) + \alpha\big) + n_{b,1} I(W_1;Y_b) - n_b\beta\\
&= n_f I(V;X_f) + n_f\big(I(V;Y_f \mid X_f) + 3\alpha\big) + n_{b,1} I(W_1;Y_b) - 2n_f\alpha - n_b\beta\\
&= n_f I(V;X_f) + n_b I(W_1;Y_b) - 3n_f\alpha.
\end{aligned}$$

$\gamma - \eta_2$ is written as

$$\begin{aligned}
\gamma - \eta_2 &\overset{(a)}{=} \eta - (n_f + n_b) R_{sk} - \eta_{f,2} - \eta_{b,2}\\
&\overset{(b)}{\le} n_f I(V;X_f) + n_b I(W_1;Y_b) - 3n_f\alpha + n_f\big[I(V;Z_f) - I(V;X_f)\big] + n_b\big[I(W_1;Z_b \mid W_2) - I(W_1;Y_b \mid W_2)\big]\\
&\qquad - n_{b,2} I(W_2;Y_b) - n_{b,1} I(W_2;Y_b)\\
&= n_b I(W_1;Y_b) - 3n_f\alpha + n_f I(V;Z_f) + n_b\big[I(W_1;Z_b \mid W_2) - I(W_1;Y_b \mid W_2)\big] - n_b I(W_2;Y_b)\\
&\overset{(c)}{=} n_f I(V;Z_f) + n_b I(W_1;Z_b \mid W_2) - 3n_f\alpha\\
&\overset{(d)}{<} n_f I(V;Z_f) + n_b I(W_1;Z_b) - 9N\epsilon.
\end{aligned}$$

Equality (a) follows from (28) and (29), inequality (b) follows from the definition of $R_{sk}$ in (22), equality (c) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Y_b$, and inequality (d) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Z_b$.

Since $\gamma - \eta_2$ is sufficiently smaller than $n_f I(V;Z_f) + n_b I(W_1;Z_b)$, from joint-AEP for bipartite sequences [3, Theorem 4], for an appropriately chosen partition $\{\mathcal{G}_i\}_{i=1}^{2^{\kappa}}$, the decoding error probability becomes arbitrarily close to 0, i.e., given $(S, F_2, B_2, Z_f^{n_f}, Z_b^{n_b})$,

$$\Pr\big((\check V^{n_f}, \check W_1^{n_b}) \neq (V^{n_f}, W_1^{n_b})\big) < 2\epsilon.$$

Letting $\check F = f(\check V^{n_f})$ and $\check B$ be such that $\mathrm{Enc}(\check F, \check B) = \check W_1^{n_b}$, we have

$$\Pr\big((\check F, \check B) \neq (F,B)\big) < 2\epsilon.$$

Using Fano's inequality [6] results in

$$H(F,B \mid S,F_2,B_2,Z_f^{n_f},Z_b^{n_b}) \le H(F,B \mid \check F, \check B) < h(2\epsilon) + 2\epsilon\eta, \tag{42}$$

where $h(\epsilon) = -\epsilon\log(\epsilon) - (1-\epsilon)\log(1-\epsilon)$ is the binary entropy function.
Applying (40)-(42) in (39) gives

$$\begin{aligned}
H(S \mid Z_f^{n_f}, Z_b^{n_b}) &> n_f\big[I(V;X_f) - I(V;Z_f)\big] + n_b\big[I(W_1;Y_b \mid W_2) - I(W_1;Z_b \mid W_2)\big] - 14N\epsilon - h(2\epsilon) - 2\epsilon\eta\\
&= (n_f + n_b) R_{sk} - 14N\epsilon - h(2\epsilon) - 2\epsilon\eta\\
&\ge H(S) - 14N\epsilon - h(2\epsilon) - 2\epsilon\eta,
\end{aligned}$$

where the last inequality follows from (34). This implies that by appropriate selection of $\epsilon$ for an arbitrarily small $\delta$, we will have

$$\frac{H(S \mid Z_f^{n_f}, Z_b^{n_b})}{H(S)} > 1 - \delta.$$

B. Proof of Proposition 1

From (2a) and the independence of the two DMCs in the sd-2DMBC setup (see Definitions 4 and 5), $V_f \leftrightarrow Y_f \leftrightarrow X_f \leftrightarrow Z_f$ forms a Markov chain, and so we write (3a) and (3c) as

$$R^A_{s1} = I(V_f; X_f, Z_f) - I(V_f; Z_f) = I(V_f; X_f \mid Z_f), \tag{43}$$

$$R^B_{s1} = I(V_b; X_b, Z_b) - I(V_b; Z_b) = I(V_b; X_b \mid Z_b). \tag{44}$$

From Definition 4 and the second Markov chain in (2a), there exist $\tilde Y_b$ and $\tilde Z_b$ such that one of the Markov chains

$$W_{2,b} \leftrightarrow W_{1,b} \leftrightarrow X_b \leftrightarrow \tilde Y_b \leftrightarrow \tilde Z_b, \quad \text{or} \tag{45a}$$

$$W_{2,b} \leftrightarrow W_{1,b} \leftrightarrow X_b \leftrightarrow \tilde Z_b \leftrightarrow \tilde Y_b \tag{45b}$$

holds, and

$$\begin{aligned}
I(X_b; Y_b) &= I(X_b; \tilde Y_b), & I(X_b; Z_b) &= I(X_b; \tilde Z_b),\\
I(W_{1,b}; Y_b \mid W_{2,b}) &= I(W_{1,b}; \tilde Y_b \mid W_{2,b}), & I(W_{1,b}; Z_b \mid W_{2,b}) &= I(W_{1,b}; \tilde Z_b \mid W_{2,b}).
\end{aligned}$$

Hence, we write (3b) as

$$\begin{aligned}
R^A_{s2} &= I(W_{1,b}; \tilde Y_b \mid W_{2,b}) - I(W_{1,b}; \tilde Z_b \mid W_{2,b})\\
&\le I(W_{1,b}; \tilde Y_b \mid \tilde Z_b, W_{2,b})\\
&\overset{(a)}{\le} I(X_b; \tilde Y_b \mid \tilde Z_b)\\
&= \big[I(X_b; \tilde Y_b) - I(X_b; \tilde Z_b)\big]^+\\
&= \big[I(X_b; Y_b) - I(X_b; Z_b)\big]^+.
\end{aligned} \tag{46}$$

Inequality (a) follows from (45). More precisely, if (45a) holds the inequality is easily satisfied, and if (45b) holds both sides equal zero. It is easy to see that equality in (46) holds by choosing $W_{2,b} = 1$ and $W_{1,b}$ to be $X_b$ or $1$, in the case of (45a) or (45b), respectively. In analogy to the above, we have

$$R^B_{s2} \le \big[I(X_f; Y_f) - I(X_f; Z_f)\big]^+, \tag{47}$$

where equality holds for some $W_{2,f}$ and $W_{1,f}$.
By replacing $R^A_{s1}$, $R^A_{s2}$, $R^B_{s1}$, and $R^B_{s2}$ in (5) and (6) with the above-obtained quantities, (4) is simplified to (14).

C. Proof of Theorem 2

We let Alice be the party who sends i.i.d. variables. The other case follows by symmetry. We use Lemma 1 to reduce a multi-round SKE protocol to a two-round one, and then give the highest rate that a two-round protocol can achieve.

Lemma 1: When Alice can only send i.i.d. variables, the secret-key capacity is achieved by a two-round SKE protocol whose initiator is Alice.

Proof: Let $\Pi$ be a $t$-round SKE protocol that achieves the secret-key capacity under the above condition.

Case 1: Alice sends in odd rounds. In any (odd) round $r$, Alice's sent sequence $X_f^{:r}$ is independent of her view in round $r-1$, and hence she could compute it in the first communication round. Besides, sending this sequence in the first round does not affect the distribution of Bob's and Eve's received sequences ($Y_f^{:r}$ and $Z_f^{:r}$) since the channels are memoryless. Obviously Bob can compute $X_b^{:r}$ for any even $r$ as before. Hence, we can convert the protocol $\Pi$ into $\Pi'$ in which Alice sends the whole $\|_{(\mathrm{odd})\, r \le t} \langle X_f^{n_{f,r}:r} \rangle$ in the first round such that all the communicated sequences and the final key in $\Pi$ and $\Pi'$ have the same joint probability distribution, i.e., if the same randomness is chosen by Alice, Bob, and the 2DMBC in the execution of $\Pi$ and $\Pi'$, then all the communicated sequences and the final key are identical. Now, Bob can send the whole $\|_{(\mathrm{even})\, r \le t} \langle X_b^{n_{b,r}:r} \rangle$ in the second round without affecting the joint distribution of the sequences. We refer to this last protocol as $\Pi''$, which is a two-round protocol with Alice as the initiator such that the communicated sequences and the key have the same joint distribution as in $\Pi$. Hence $\Pi''$ achieves the secret-key capacity.

Case 2: Alice sends in even rounds.
Using a similar argument to that of Case 1, we reach a three-round protocol $\Pi''$ with Bob as the initiator: Bob sends $X_b^{n_{b,1}:1}$ in the first round, Alice sends $\|_{(\mathrm{even})\, r \le t} \langle X_f^{n_{f,r}:r} \rangle$ in the second round, and Bob sends $\|_{(\mathrm{odd})\, 3 \le r \le t} \langle X_b^{n_{b,r}:r} \rangle$ in the third round. Since the communicated sequence in the first round is not used to calculate the second-round communicated sequences, Bob can send $X_b^{n_{b,1}:1}$ in the third round without affecting the distribution of the sequences in the protocol $\Pi''$. This gives a two-round communication protocol with Alice as the initiator that achieves the capacity.

Now, consider a two-round SKE protocol as depicted in Fig. 4 in which Alice sends a sequence of i.i.d. variables $X_f^{n_f}$ in the first round. Since the channels are memoryless and independent, Bob and Eve receive sequences of i.i.d. variables $Y_f^{n_f}$ and $Z_f^{n_f}$ and $Y_f \leftrightarrow X_f \leftrightarrow Z_f$ is a Markov chain. This can be seen as the Discrete Memoryless Multiple Source (DMMS) $(Y_f, X_f, Z_f)$ between Bob, Alice, and Eve, respectively, and the DMBC $X_b \to (Y_b, Z_b)$ from Bob to Alice and Eve. When the DMMS and DMBC satisfy the degradedness condition $Y_f \leftrightarrow X_f \leftrightarrow Z_f$ and $X_b \leftrightarrow Y_b \leftrightarrow Z_b$, [7] proves an upper bound on the secret-key capacity that coincides with the lower bound in (14). However, the proof in [7] cannot be directly applied to our problem due to the "stochastic" degradedness of the (backward) DMBC. We give the following argument to upper bound the highest achievable rate $R_{sk}$ for an arbitrarily small $\delta > 0$ as in (1).

[Fig. 4 (figure not reproduced): forward DMBC from Alice, $X_f^{n_f} \to (Y_f^{n_f}, Z_f^{n_f})$ received by Bob and Eve; backward DMBC from Bob, $X_b^{n_b} \to (Y_b^{n_b}, Z_b^{n_b})$ received by Alice and Eve; Bob computes $S$ and Alice computes $\hat S$.]

Fig. 4. The relations between variables/sequences in two-round SKE when Alice starts the protocol and Bob calculates the key.

The views of the parties at the end of the second round are $\mathrm{View}_A = (X_f^{n_f}, Y_b^{n_b})$, $\mathrm{View}_B = (Y_f^{n_f}, X_b^{n_b})$, and $\mathrm{View}_E = (Z_f^{n_f}, Z_b^{n_b})$. Using Fano's inequality for (1b), we have

$$H(S \mid \mathrm{View}_A) \le H(S \mid \hat S) < h(\delta) + \delta H(S). \tag{48}$$

Furthermore, (1c) gives

$$I(S; \mathrm{View}_E) = H(S) - H(S \mid \mathrm{View}_E) \le \delta H(S). \tag{49}$$

In the following, we omit the lengths of the sequences $X_f^{n_f}, Y_f^{n_f}, Z_f^{n_f}$ and $X_b^{n_b}, Y_b^{n_b}, Z_b^{n_b}$ from the superscripts and instead use bold to denote them. $H(S)$ is upper bounded as

$$\begin{aligned}
H(S) &= I(S; \mathrm{View}_A) + H(S \mid \mathrm{View}_A)\\
&\overset{(a)}{\le} I(S; \mathrm{View}_A) - I(S; \mathrm{View}_E) + h(\delta) + 2\delta H(S)\\
&\le I(S; \mathrm{View}_A \mid \mathrm{View}_E) + h(\delta) + 2\delta H(S)\\
\Rightarrow\ (1 - 2\delta) H(S) - h(\delta) &\le I(S; \mathrm{View}_A) - I(S; \mathrm{View}_E)\\
&= I(S; \mathbf{Y}_b) + I(S; \mathbf{X}_f \mid \mathbf{Y}_b) - I(S; \mathbf{Z}_f, \mathbf{Z}_b)\\
&= I(S; \mathbf{Y}_b) + I(S; \mathbf{X}_f, \mathbf{Z}_f \mid \mathbf{Y}_b) - I(S; \mathbf{Z}_f, \mathbf{Z}_b)\\
&= I(S; \mathbf{Y}_b) + I(S; \mathbf{Z}_f \mid \mathbf{Y}_b) + I(S; \mathbf{X}_f \mid \mathbf{Z}_f, \mathbf{Y}_b) - I(S; \mathbf{Z}_f, \mathbf{Z}_b)\\
&= \big[I(S; \mathbf{Z}_f, \mathbf{Y}_b) - I(S; \mathbf{Z}_f, \mathbf{Z}_b)\big] + \big[I(S; \mathbf{X}_f \mid \mathbf{Z}_f, \mathbf{Y}_b)\big],
\end{aligned} \tag{50}$$

where inequality (a) follows from (48) and (49). We separately discuss the two terms in (50). Note that $(S, \mathbf{Z}_f) \leftrightarrow \mathbf{X}_b \leftrightarrow (\mathbf{Y}_b, \mathbf{Z}_b)$ is a Markov chain. If the backward DMBC is stochastically degraded in favor of $Z_b$, the first term is at most zero; otherwise, letting $X_b \leftrightarrow \tilde Y_b \leftrightarrow \tilde Z_b$ (see Definition 4), we have

$$\begin{aligned}
I(S; \mathbf{Z}_f, \mathbf{Y}_b) - I(S; \mathbf{Z}_f, \mathbf{Z}_b) &= I(S; \mathbf{Z}_f, \tilde{\mathbf{Y}}_b) - I(S; \mathbf{Z}_f, \tilde{\mathbf{Z}}_b)\\
&= I(S; \mathbf{Z}_f, \tilde{\mathbf{Y}}_b, \tilde{\mathbf{Z}}_b) - I(S; \mathbf{Z}_f, \tilde{\mathbf{Z}}_b)\\
&= I(S; \tilde{\mathbf{Y}}_b \mid \mathbf{Z}_f, \tilde{\mathbf{Z}}_b)\\
&\le I(S, \mathbf{Z}_f; \tilde{\mathbf{Y}}_b \mid \tilde{\mathbf{Z}}_b)\\
&= I(S, \mathbf{Z}_f; \tilde{\mathbf{Y}}_b) - I(S, \mathbf{Z}_f; \tilde{\mathbf{Z}}_b)\\
&= I(S, \mathbf{Z}_f; \mathbf{Y}_b) - I(S, \mathbf{Z}_f; \mathbf{Z}_b)\\
&\overset{(a)}{\le} n_b\big[I(W_b; Y_b) - I(W_b; Z_b)\big]\\
&\overset{(b)}{\le} n_b\big[I(X_b; Y_b) - I(X_b; Z_b)\big]^+.
\end{aligned} \tag{51}$$

Inequality (a) follows from the results of message transmission over single DMBCs (e.g., [4, Section V]), where the conditional distribution $P_{Y_b, Z_b \mid X_b}$ corresponds to the backward DMBC and $W_b$ is an RV that satisfies the Markov chain $W_b \leftrightarrow X_b \leftrightarrow (Y_b, Z_b)$. Inequality (b) is due to the degradedness of the backward DMBC.

Letting $J$ be an independent random variable uniformly distributed over $\{1, 2, \ldots, n_f\}$, we write the second term in (50) as

$$\begin{aligned}
I(S; \mathbf{X}_f \mid \mathbf{Z}_f, \mathbf{Y}_b) &\le I(S, \mathbf{Y}_b; \mathbf{X}_f \mid \mathbf{Z}_f)\\
&\overset{(a)}{=} I(S, \mathbf{Y}_b; \mathbf{X}_f) - I(S, \mathbf{Y}_b; \mathbf{Z}_f)\\
&\overset{(b)}{=} \sum_{i=1}^{n_f} I(S, \mathbf{Y}_b; X_{f,i} \mid Z_{f,i+1}^{n_f}, X_f^{i-1}) - I(S, \mathbf{Y}_b; Z_{f,i} \mid Z_{f,i+1}^{n_f}, X_f^{i-1})\\
&\overset{(c)}{=} \sum_{i=1}^{n_f} I(S, \mathbf{Y}_b; X_{f,i} \mid Z_{f,i}, Z_{f,i+1}^{n_f}, X_f^{i-1})\\
&= n_f I(S, \mathbf{Y}_b; X_{f,J} \mid Z_{f,J}, Z_{f,J+1}^{n_f}, X_f^{J-1}, J)\\
&\le n_f I(S, \mathbf{Y}_b, Z_{f,J+1}^{n_f}, X_f^{J-1}, J; X_{f,J} \mid Z_{f,J}).
\end{aligned} \tag{52}$$

Equality (a) is due to the Markov chain $\mathbf{Z}_f \leftrightarrow \mathbf{X}_f \leftrightarrow (S, \mathbf{Y}_b)$, equality (b) follows from the chain rule for the difference between mutual informations (see e.g. [4, Section V]), and equality (c) is due to the Markov chain $Z_{f,i} \leftrightarrow X_{f,i} \leftrightarrow (S, \mathbf{Y}_b)$.

Now, letting $V_f = (S, \mathbf{Y}_b, Z_{f,J+1}^{n_f}, X_f^{J-1}, J)$, $X_f = X_{f,J}$, $Y_f = Y_{f,J}$ and $Z_f = Z_{f,J}$, the conditional distribution $P_{Y_f, Z_f \mid X_f}$ corresponds to the forward DMBC, the Markov chain $Z_f \leftrightarrow X_f \leftrightarrow Y_f \leftrightarrow V_f$ is satisfied, and we have

$$I(S; \mathbf{X}_f \mid \mathbf{Z}_f, \mathbf{Y}_b) \le n_f I(V_f; X_f \mid Z_f). \tag{53}$$

Using the quantities of (51) and (53) in the calculation of (50), $H(S)$ is upper bounded as

$$\begin{aligned}
H(S) &\le \frac{n_f I(V_f; X_f \mid Z_f) + n_b\big[I(X_b; Y_b) - I(X_b; Z_b)\big]^+ + h(\delta)}{1 - 2\delta}\\
&= n_f I(V_f; X_f \mid Z_f) + n_b\big[I(X_b; Y_b) - I(X_b; Z_b)\big]^+,
\end{aligned} \tag{54}$$

where the last equality holds since $\delta$ is arbitrarily small. This together with (1a) proves the argument in (15), and the condition in (15) is proven as follows.
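As an added numerical illustration of the single-letter rate expressions in (43) and (46) and of the sum on the right of (54) (example code written for this page, not the authors' own), the block below evaluates them for a concrete channel model that the paper does not fix: both DMBCs are modelled as pairs of binary symmetric channels (BSCs) with uniform inputs, the forward auxiliary variable is taken as $V_f = Y_f$ (one admissible choice for the Markov chain $V_f \leftrightarrow Y_f \leftrightarrow X_f \leftrightarrow Z_f$), and the crossover probabilities are constructed sample values. The entropies are computed from explicit joint pmfs, so the chain-rule identity behind (43) and the Definition 4 style degradedness behind (46) are checked numerically rather than assumed.

```python
import math
from collections import defaultdict
from itertools import product


def h2(p):
    """Binary entropy h(p) in bits, the function used in (42) and (48)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def entropy(pmf):
    """Shannon entropy in bits of a pmf given as {outcome: probability}."""
    return -sum(p * math.log2(p) for p in pmf.values() if p > 0.0)


def marginal(joint, keep):
    """Marginalise a joint pmf over tuples onto the coordinate positions in `keep`."""
    out = defaultdict(float)
    for outcome, p in joint.items():
        out[tuple(outcome[i] for i in keep)] += p
    return out


def cond_mi(joint, a, b, c=()):
    """I(A;B|C) = H(A,C) + H(B,C) - H(A,B,C) - H(C); a, b, c are coordinate lists."""
    a, b, c = tuple(a), tuple(b), tuple(c)
    return (entropy(marginal(joint, a + c)) + entropy(marginal(joint, b + c))
            - entropy(marginal(joint, a + b + c)) - entropy(marginal(joint, c)))


def bsc_broadcast(p_y, p_z):
    """Joint pmf of (X, Y, Z): uniform binary X sent over two independent BSCs with
    P(Y != X) = p_y and P(Z != X) = p_z (assumed channel model). Coordinates: 0=X, 1=Y, 2=Z."""
    joint = defaultdict(float)
    for x, n_y, n_z in product((0, 1), repeat=3):
        pr = 0.5 * (p_y if n_y else 1.0 - p_y) * (p_z if n_z else 1.0 - p_z)
        joint[(x, x ^ n_y, x ^ n_z)] += pr
    return joint


X, Y, Z = 0, 1, 2  # coordinate positions inside the joint pmf tuples


def forward_rate(p_y, p_z):
    """R^A_{s1} of (43) with the assumed auxiliary choice V_f = Y_f:
    I(V_f; X_f, Z_f) - I(V_f; Z_f) = I(V_f; X_f | Z_f); the chain-rule identity is checked."""
    j = bsc_broadcast(p_y, p_z)
    difference = cond_mi(j, [Y], [X, Z]) - cond_mi(j, [Y], [Z])
    conditional = cond_mi(j, [Y], [X], [Z])
    assert abs(difference - conditional) < 1e-12
    return conditional


def backward_rate(q_y, q_z):
    """R^A_{s2} of (46): [I(X_b; Y_b) - I(X_b; Z_b)]^+ for a backward DMBC built from two BSCs."""
    j = bsc_broadcast(q_y, q_z)
    return max(0.0, cond_mi(j, [X], [Y]) - cond_mi(j, [X], [Z]))


def degrading_flip(q_y, q_z):
    """Flip probability r such that BSC(q_y) followed by BSC(r) has the law of BSC(q_z);
    a valid probability exactly when q_y <= q_z <= 1/2, i.e. Z_b is a degraded version of Y_b."""
    return (q_z - q_y) / (1.0 - 2.0 * q_y)


def stochastically_degraded_consistent(q_y, q_z):
    """Definition 4 style check: construct Z~_b = Y_b passed through BSC(r) (physically degraded)
    and confirm I(X_b; Z~_b) equals I(X_b; Z_b) of the original independently-noisy Z_b."""
    r = degrading_flip(q_y, q_z)
    cascade = defaultdict(float)
    for x, n_y, n_r in product((0, 1), repeat=3):
        y = x ^ n_y
        pr = 0.5 * (q_y if n_y else 1.0 - q_y) * (r if n_r else 1.0 - r)
        cascade[(x, y, y ^ n_r)] += pr
    direct = bsc_broadcast(q_y, q_z)
    return abs(cond_mi(direct, [X], [Z]) - cond_mi(cascade, [X], [Z])) < 1e-12


def single_letter_sum(p_y, p_z, q_y, q_z):
    """The single-letter quantity on the right of (54) per channel use (n_f = n_b = 1)."""
    return forward_rate(p_y, p_z) + backward_rate(q_y, q_z)


if __name__ == "__main__":
    # constructed crossover probabilities, not values from the paper
    print("forward  I(V_f;X_f|Z_f)           =", forward_rate(0.1, 0.2))
    print("backward [I(X_b;Y_b)-I(X_b;Z_b)]^+ =", backward_rate(0.05, 0.3))
    print("degraded cascade consistent        =", stochastically_degraded_consistent(0.05, 0.3))
    print("sum as in (54), per channel use    =", single_letter_sum(0.1, 0.2, 0.05, 0.3))
```

For a BSC pair with $q_y < q_z \le 1/2$ the backward term equals $h(q_z) - h(q_y)$, which is what the choice $W_{2,b} = 1$, $W_{1,b} = X_b$ in the text attains, and it collapses to zero when the order is reversed, matching the case (45b) discussion; the forward term with $V_f = Y_f$ equals $h(p_y \star p_z) - h(p_y)$ with $p_y \star p_z = p_y(1-p_z) + p_z(1-p_y)$.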
$$\begin{aligned}
n_b I(X_b; Y_b) &\ge I(\mathbf{X}_b; \mathbf{Y}_b)\\
&\overset{(a)}{\ge} I(\mathbf{Y}_f; \mathbf{Y}_b)\\
&= I(\mathbf{Y}_b, S; \mathbf{Y}_f) - I(S; \mathbf{Y}_f \mid \mathbf{Y}_b)\\
&\ge I(\mathbf{Y}_b, S; \mathbf{Y}_f) - H(S \mid \mathbf{Y}_b)\\
&= I(\mathbf{Y}_b, S; \mathbf{Y}_f) - H(S \mid \mathbf{Y}_b, \mathbf{X}_f) - I(S; \mathbf{X}_f \mid \mathbf{Y}_b)\\
&\overset{(b)}{\ge} I(\mathbf{Y}_b, S; \mathbf{Y}_f) - h(\delta) - \delta H(S) - I(S; \mathbf{X}_f \mid \mathbf{Y}_b)\\
&\overset{(c)}{\ge} I(\mathbf{Y}_b, S; \mathbf{Y}_f) - I(\mathbf{Y}_b, S; \mathbf{X}_f)\\
&\overset{(d)}{=} \sum_{i=1}^{n_f} I(\mathbf{Y}_b, S, X_f^{i-1}, Y_{f,i+1}^{n_f}; Y_{f,i}) - I(\mathbf{Y}_b, S, X_f^{i-1}, Y_{f,i+1}^{n_f}; X_{f,i})\\
&\overset{(e)}{=} \sum_{i=1}^{n_f} I(\mathbf{Y}_b, S, X_f^{i-1}, Y_{f,i+1}^{n_f}; Y_{f,i} \mid X_{f,i})\\
&\overset{(f)}{\ge} \sum_{i=1}^{n_f} I(\mathbf{Y}_b, S, X_f^{i-1}, Z_{f,i+1}^{n_f}; Y_{f,i} \mid X_{f,i})\\
&= n_f I(\mathbf{Y}_b, S, X_f^{J-1}, Z_{f,J+1}^{n_f}; Y_{f,J} \mid X_{f,J}, J)\\
&= n_f I(V_f; Y_f \mid X_f) - n_f I(J; Y_f \mid X_f)\\
&\overset{(g)}{=} n_f I(V_f; Y_f \mid X_f).
\end{aligned} \tag{55}$$

Inequality (a) is due to the Markov chain $\mathbf{Y}_f \leftrightarrow \mathbf{X}_b \leftrightarrow \mathbf{Y}_b$; inequality (b) follows from (48); inequality (c) holds since $\delta$ is arbitrarily small and so $h(\delta) + \delta H(S)$ is negligible compared to the other quantities; equality (d) follows from the chain rule for the difference between mutual informations; equality (e) is due to the Markov chain $X_{f,i} \leftrightarrow Y_{f,i} \leftrightarrow (\mathbf{Y}_b, S, X_f^{i-1}, Y_{f,i+1}^{n_f})$; inequality (f) is due to the Markov chain $Z_{f,i+1}^{n_f} \leftrightarrow Y_{f,i+1}^{n_f} \leftrightarrow Y_{f,i}$, and equality (g) holds since $Y_{f,J}$ is (i.i.d.) independent of $J$.

One can prove (16) by symmetry. This implies that, under the condition of this theorem, equality in (14) holds.

V. CONCLUSION

We extended the results of SKE in the 2DMBC setup in the following two cases. When both DMBCs have secrecy potential, we proposed the interactive channel coding (ICC) protocol and proved that it achieves the lower bound. When both DMBCs are stochastically degraded with independent channels (so called sd-2DMBC), we provided a simplified expression for the lower bound, and proved that this lower bound is tight under the condition that one of the parties sends only i.i.d. variables.
Obtaining a single-letter characterization or even a tighter upper bound for the secret-key capacity in the sd-2DMBC setup remains as future work.

REFERENCES

[1] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography. Part I: secret sharing," IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121-1132, Jul. 1993.
[2] R. Ahlswede and N. Cai, "Transmission, identification, and common randomness capacities for wire-tape channels with secure feedback from the decoder," book chapter in General Theory of Information Transfer and Combinatorics, LNCS 4123, pp. 258-275, 2006.
[3] H. Ahmadi and R. Safavi-Naini, "Secret Key Establishment over a Pair of Independent Broadcast Channels," arXiv:1001.3908, available online on the arXiv preprint server.
[4] I. Csiszár and J. Körner, "Broadcast channels with confidential messages," IEEE Trans. Inf. Theory, vol. IT-24, no. 3, pp. 339-348, May 1978.
[5] I. Csiszár and P. Narayan, "Common randomness and secret key generation with a helper," IEEE Trans. Inf. Theory, vol. 46, pp. 344-366, 2000.
[6] R. G. Gallager, Information Theory and Reliable Communication, New York: Wiley, 1968.
[7] A. Khisti, S. Diggavi, G. Wornell, "Secret key generation using correlated sources and noisy channels," IEEE Int. Symp. Inf. Theory (ISIT), pp. 1005-1009, 2008.
[8] J. Körner and K. Marton, "Comparison of two noisy channels," Transactions of the Hungarian Colloquium on Information Theory, Keszthely, pp. 411-423, 1977.
[9] L. Lai, H. El Gamal, and V. Poor, "The wiretap channel with feedback: encryption over the channel," IEEE Trans. Inf. Theory, vol. IT-54, no. 11, pp. 5059-5067, 2008.
[10] S. K. Leung-Yan-Cheong and M. E. Hellman, "The Gaussian wire-tap channel," IEEE Trans. Inf. Theory, vol. IT-24, no. 4, pp. 451-456, Jul. 1978.
[11] U. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733-742, May 1993.
[12] V. Prabhakaran, K. Eswaran and K. Ramchandran, "Secrecy via Sources and Channels - A Secret Key - Secret Message Rate Trade-off Region," IEEE Int. Symp. Inf. Theory (ISIT), pp. 1010-1014, 2008.
[13] E. Tekin and A. Yener, "The general Gaussian multiple access channel and two-way wire-tap channels: Achievable rates and cooperative jamming," IEEE Trans. Inf. Theory, vol. IT-54, no. 6, pp. 2735-2751, 2008.
[14] A. D. Wyner, "The wire-tap channel," Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355-1367, Oct. 1975.
