Controllable Identifier Measurements for Private Authentication with Secret Keys
The problem of secret-key based authentication under a privacy constraint on the source sequence is considered. The identifier measurements during authentication are assumed to be controllable via a cost-constrained "action" sequence. Single-letter c…
Authors: Onur Günlü, Kittipong Kittichokechai, Rafael F. Schaefer
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

Onur Günlü, Student Member, IEEE, Kittipong Kittichokechai, Member, IEEE, Rafael F. Schaefer, Senior Member, IEEE, and Giuseppe Caire, Fellow, IEEE

Abstract—The problem of secret-key based authentication under a privacy constraint on the source sequence is considered. The identifier measurements during authentication are assumed to be controllable via a cost-constrained "action" sequence. Single-letter characterizations of the optimal trade-off among the secret-key rate, storage rate, privacy-leakage rate, and action cost are given for the four problems where noisy or noiseless measurements of the source are enrolled to generate or embed secret keys. The results are relevant for several user-authentication scenarios including physical and biometric authentications with multiple measurements. Our results include, as special cases, new results for secret-key generation and embedding with action-dependent side information without any privacy constraint on the enrolled source sequence.

Index Terms—Private authentication, information theoretic security, action dependent privacy, hidden source.

I. INTRODUCTION

We study a problem of private authentication based on key generation or embedding, motivated by emerging technologies such as biometric authentication [2] and key generation from physical unclonable functions (PUFs) [3]. The system consists of an encoder and a decoder that observe different measurements of an identifier output and want to agree on a key, secret from an eavesdropper. Replacing biometric identifiers is generally impossible [4], and replacing physical identifiers is expensive or unappealing, for instance, if the new identifier outputs and the replaced ones are dependent.
Therefore, for such applications, privacy of the identifier output is of significant importance because the biometric or physical source is closely related to the identity of a person or a device. There exists a fundamental trade-off between privacy and security performance of an authentication system. An information theoretic formulation provides a framework to capture such a trade-off [4], [5]. Moreover, the identifier measurements can be controlled or tuned with an additional cost.

Manuscript received July 20, 2017; revised December 18, 2017; and accepted February 5, 2018. The work of O. Günlü was supported by the German Research Foundation (DFG) through the HoliPUF Project under Grant KR3517/6-1. The work of G. Caire was supported by an Alexander von Humboldt Professorship. Part of this paper was presented at the 2016 Asilomar Conference on Signals, Systems, and Computers [1]. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Tanya Ignatenko (Corresponding Author: Onur Günlü).

O. Günlü is with the Chair of Communications Engineering, Technical University of Munich, 80333 Munich, Germany (e-mail: onur.gunlu@tum.de).

K. Kittichokechai was with the Communications and Information Theory Chair, Technische Universität Berlin, 10623 Berlin, Germany. He is now with the Ericsson Research, 164 83 Stockholm, Sweden (e-mail: kittipong.kittichokechai@ericsson.com).

R. F. Schaefer is with the Information Theory and Applications Chair, Technische Universität Berlin, 10623 Berlin, Germany (email: rafael.schaefer@tu-berlin.de).

G. Caire is with the Communications and Information Theory Chair, Technische Universität Berlin, 10623 Berlin, Germany (email: caire@tu-berlin.de).

Digital Object Identifier 10.1109/TIFS.2018.2806937

In this work, we study the optimal trade-offs among the secret-key rate, public storage rate, privacy-leakage rate, and expected action cost for discrete memoryless sources and measurement channels. Availability of post-processing methods in, e.g., [6] to obtain memoryless channels and sources from biometric or physical identifiers allows us to not consider channels with memory and correlated sources, which are considered, e.g., in [7] and [8].

A. Motivation

The use of authentication for access control is an effective method to ensure information security. Unlike concealing the data to be transmitted [9], authentication of a user by using a secret requires correlated random variables in order to agree on a sequence [10], [11]. Most important physical identifiers used for device authentication are PUFs, e.g., random variations in ring oscillator (RO) outputs or in speckle patterns of optical tokens when irradiated by a laser. Similarly, body traits like irises and fingerprints are used as biometric randomness sources for authentication. There are code constructions in the biometric secrecy literature proposed for authentication, e.g., the fuzzy-vault scheme [12], fuzzy-commitment scheme [13], and (code-offset) fuzzy extractors [14]. It is shown in [15] that the fuzzy-commitment scheme and fuzzy extractors are suboptimal for a simplified version of the private authentication problem we consider in this work. Accordingly, we are interested in understanding the fundamental limits of private authentication by studying optimal code constructions and their rate regions.

Motivated by the use of biometric or physical identifiers that involve different forms of measurements, e.g., the use of multiple measurements or variations in the quality of the measurement process [16], [17], we consider a new private authentication model where the measurement process is represented by a cost-constrained action-dependent side information acquisition, where an action sequence determines the measurement channel. A high action cost can, for instance, represent the use of a high quality measurement device.

There are two canonical models for private authentication: generated-secret model and chosen-secret model. We first consider the generated-secret model, where the secret key is generated from the identifier outputs. The secret key reconstructed at the decoder is generally stored in a trusted database. It can therefore be practical to embed a uniformly-distributed and independently chosen secret key into the encoder rather than generating it from identifier outputs [4]. The encoder binds the key to the identifier outputs in order to provide private authentication at the decoder. We also consider this practical model, called the chosen-secret model, with cost-constrained actions and show that its general implication is an increased need of storage. Remark that the fuzzy-commitment scheme and fuzzy extractors are realizations of, respectively, the chosen- and generated-secret models.

Biometric and physical identifier outputs are noisy by nature. For instance, a cut in the palm corresponds to noise on the palmprint. Similar to multiple-antenna systems, multiple identifier measurements at the decoder can therefore significantly improve the rate regions as compared to a single measurement. Suppose we have multiple measurements also at the encoder, which assumes that the source is hidden or remote.
A hidden or remote source represents that the encoder observes one or multiple noisy measurements of a source rather than the source output. It is shown in [18] that if a visible source is mistakenly assumed for system design, there can be unnoticed secrecy leakages and the reliability at the decoder can decrease. Motivated by these results, we study also hidden identifiers with cost-constrained actions for the generated- and chosen-secret models.

B. Summary of Contributions and Organization

In [18], the enlargements of the rate regions due to increasing multiplicity of noisy measurements of a hidden source are illustrated. An attacker with access to a correlated identifier measurement tries to deceive the authentication in [19]. We combine and extend the models in [18] and [19], and consider a cost-constrained action sequence that controls the source measurements during authentication to reconstruct the secret key. In this work, the secret key can be either generated or embedded. Multiple identifier measurements both at the encoder and decoder are also possible by considering a hidden identifier. Similar to [19], correlated information at the eavesdropper is also considered here unlike in [4], [5], and [18], which is a realistic assumption especially for biometric identifiers.

The key-storage-leakage-cost region for secret-key generation from an identifier with a cost-constrained action at the decoder and a noiseless (visible) output at the encoder is given first in the conference version of this paper [1]. This rate region recovers several results in the literature including the key-leakage rate regions for a visible source in [4] and [5]. In this work, we further study the following extensions and the main contributions are as follows.

• We extend the region for key generation to a chosen secret-key embedding scenario, where the source output is used to conceal the chosen secret key.
• For a hidden source, we show that the key-storage-leakage-cost region is significantly different from the visible source model for both key generation and embedding scenarios. Comparisons among these regions illustrate that an incorrect system model could result in secrecy and reliability threats.
• As an example, we use realistic channel and source models to generate secret keys from PUFs and illustrate the key-leakage trade-off for a binary physical identifier with cost-constrained actions during authentication.

Fig. 1. A visible source: (a) represents the generated-secret model with the encoder $f_1^{(n)}(\cdot)$ and (b) represents the chosen-secret model with the encoder $f_2^{(n)}(\cdot,\cdot)$. The decoder and EVE measurements can be performed after observing the action sequence.

This paper is organized as follows. In Section II, we describe the source models and the generated- and chosen-secret models. We develop the key-storage-leakage-cost regions for the four problems, and compare them with each other and previous results in Section III. An achievable key-storage-leakage-cost region for a binary source with cost-constrained measurements during authentication is illustrated in Section IV.

C. Notation

Upper case letters represent random variables and lower case letters their realizations. Superscripts denote a string of variables, e.g., $X^n = X_1 \ldots X_i \ldots X_n$, and subscripts denote the position of a variable in a string. $X^{n \setminus i}$ represents the vector $(X_1, X_2, \ldots, X_{i-1}, X_{i+1}, \ldots, X_n)$. A random variable $X$ has probability distribution $P_X$. Calligraphic letters such as $\mathcal{X}$ denote sets and their sizes are written as $|\mathcal{X}|$.
A set, e.g., $\mathcal{X}^n$, with superscript $n$ denotes an $n$-fold product-distribution set, and a set, e.g., $\mathcal{W}^{(n)}$, with superscript in parentheses $(n)$ denotes a set whose size grows with the superscript $n$. $\mathcal{T}^n(\cdot)$ denotes the set of length-$n$ letter-typical sequences with respect to the positive number [20, Ch. 3], [21]. $X - Y - Z$ indicates that $(X, Y, Z)$ forms a Markov chain. $H_b(x) = -x \log x - (1-x)\log(1-x)$ is the binary entropy function and $H_b^{-1}(\cdot)$ denotes its inverse with range $[0, 0.5]$. The $*$-operator is defined as $p * x = p(1-x) + (1-p)x$.

II. PROBLEM FORMULATIONS

We define the four problems in the following.

A. Visible Source, Generated-secret Model

Consider the system model in Fig. 1(a). The source $\mathcal{X}$, measurements $\mathcal{Y}$, $\mathcal{Z}$, and action $\mathcal{A}$ alphabets are finite sets. Let $X^n$ be a length-$n$ sequence which has independent and identically distributed (i.i.d.) components distributed according to some fixed distribution $P_X$. Authentication has two phases. First, a user enrolls the source sequence $X^n$ in the system to generate the helper data $W$ and the secret key $K$. A cost-constrained action sequence $A^n$ is chosen based on $W$ to control quality or reliability of the measurements during the authentication, during which $(Y^n, Z^n)$ are generated as outputs of a given memoryless channel $P_{YZ|XA}$ with inputs $X^n$ and $A^n$. The sequence $Y^n$ here represents a controllable measurement (side information) while $Z^n$ is another correlated side information. Based on $W$ and measurement $Y^n$, the decoder reconstructs the secret key $\hat{K}$. Authentication is successful if $\hat{K} = K$. For generality, we consider an eavesdropper (EVE) who has access to the description $W$ and correlated side information $Z^n$.

Definition 1.
A $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code $\mathcal{C}_n$ for private authentication with a key generated from a visible source, controllable decoder measurements, and a noiseless encoder measurement consists of
• an encoder $f_1^{(n)}: \mathcal{X}^n \to \mathcal{W}^{(n)} \times \mathcal{K}^{(n)}$,
• an action encoder $f_a^{(n)}: \mathcal{W}^{(n)} \to \mathcal{A}^n$,
• a decoder $g^{(n)}: \mathcal{W}^{(n)} \times \mathcal{Y}^n \to \mathcal{K}^{(n)}$. ♦

Definition 2. A key-storage-leakage-cost tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ is said to be achievable for a visible source with the generated-secret model if for any $\delta > 0$ there is some $n \ge 1$ and a $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code for which $R_k = \frac{\log |\mathcal{K}^{(n)}|}{n}$ such that

$$\Pr[\hat{K} \ne K] \le \delta \qquad \text{(reliability)} \tag{1}$$
$$\frac{1}{n} I(K; W, Z^n) \le \delta \qquad \text{(secrecy)} \tag{2}$$
$$\frac{1}{n} H(K) \ge R_k - \delta \qquad \text{(uniformity)} \tag{3}$$
$$\frac{1}{n} \log \left|\mathcal{W}^{(n)}\right| \le R_w + \delta \qquad \text{(storage)} \tag{4}$$
$$\frac{1}{n} I(X^n; W, Z^n) \le \Delta + \delta \qquad \text{(privacy)} \tag{5}$$
$$E[\Gamma^{(n)}(A^n)] \le C + \delta \qquad \text{(cost)} \tag{6}$$

where we have $(W, K) = f_1^{(n)}(X^n)$, $A^n = f_a^{(n)}(W)$, $\hat{K} = g^{(n)}(W, Y^n)$, and $\Gamma^{(n)}(\cdot)$ is a cost function with $\Gamma^{(n)}(A^n) = \frac{1}{n}\sum_{i=1}^{n} \Gamma(A_i)$.

The key-storage-leakage-cost region $\mathcal{R}_{gs}$ is the closure of the set of all achievable tuples. ♦

B. Visible Source, Chosen-secret Model

Consider the problem of binding a secret key to a visible identifier, illustrated in Fig. 1(b). The decoder observes cost-constrained controllable measurements during authentication, whereas the encoder observes the noiseless source outputs.

Definition 3. A $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code $\mathcal{C}_n$ for private authentication with an embedded key concealed by a visible source, controllable decoder measurements, and a noiseless encoder measurement consists of
• an encoder $f_2^{(n)}: \mathcal{X}^n \times \mathcal{K}^{(n)} \to \mathcal{W}^{(n)}$,
• an action encoder $f_a^{(n)}: \mathcal{W}^{(n)} \to \mathcal{A}^n$,
• a decoder $g^{(n)}: \mathcal{W}^{(n)} \times \mathcal{Y}^n \to \mathcal{K}^{(n)}$. ♦

Definition 4.
A key-storage-leakage-cost tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ is said to be achievable for a visible source with the chosen-secret model if for any $\delta > 0$ there is some $n \ge 1$ and a $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code for which $R_k = \frac{\log |\mathcal{K}^{(n)}|}{n}$ such that (1)-(6) are satisfied, where we have $W = f_2^{(n)}(X^n, K)$, $A^n = f_a^{(n)}(W)$, $\hat{K} = g^{(n)}(W, Y^n)$, and $\Gamma^{(n)}(A^n) = \frac{1}{n}\sum_{i=1}^{n} \Gamma(A_i)$.

The key-storage-leakage-cost region $\mathcal{R}_{cs}$ is the closure of all achievable tuples. ♦

Fig. 2. A hidden source: (a) represents the generated-secret model with the encoder $f_3^{(n)}(\cdot)$ and (b) represents the chosen-secret model with the encoder $f_4^{(n)}(\cdot,\cdot)$. The decoder and EVE measurements can be performed after observing the action sequence.

C. Hidden Source, Generated-secret Model

Consider the system model in Fig. 2(a), where a key is generated from a hidden source. The decoder observes cost-constrained controllable source measurements $Y^n$ during authentication, whereas the encoder observes uncontrollable noisy measurements $\widetilde{X}^n$ of the hidden source outputs $X^n$ through a memoryless channel $P_{\widetilde{X}|X}$. The source alphabet $\mathcal{X}$, the measurement alphabets $\widetilde{\mathcal{X}}$, $\mathcal{Y}$, $\mathcal{Z}$, and the action alphabet $\mathcal{A}$ are finite sets.

Definition 5. A $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code $\mathcal{C}_n$ for private authentication with a key generated from noisy measurements of a hidden source, controllable decoder measurements, and noisy encoder measurements consists of
• an encoder $f_3^{(n)}: \widetilde{\mathcal{X}}^n \to \mathcal{W}^{(n)} \times \mathcal{K}^{(n)}$,
• an action encoder $f_a^{(n)}: \mathcal{W}^{(n)} \to \mathcal{A}^n$,
• a decoder $g^{(n)}: \mathcal{W}^{(n)} \times \mathcal{Y}^n \to \mathcal{K}^{(n)}$. ♦

Definition 6.
A key-storage-leakage-cost tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ is said to be achievable for a hidden source with the generated-secret model if for any $\delta > 0$ there is some $n \ge 1$ and a $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code for which $R_k = \frac{\log |\mathcal{K}^{(n)}|}{n}$ such that (1)-(6) are satisfied, where we have $(W, K) = f_3^{(n)}(\widetilde{X}^n)$, $A^n = f_a^{(n)}(W)$, $\hat{K} = g^{(n)}(W, Y^n)$, and $\Gamma^{(n)}(A^n) = \frac{1}{n}\sum_{i=1}^{n} \Gamma(A_i)$.

The key-storage-leakage-cost region $\mathcal{R}_{hgs}$ is the closure of all achievable tuples. ♦

D. Hidden Source, Chosen-secret Model

Consider the problem of binding a chosen secret key to a hidden biometric or physical identifier, as shown in Fig. 2(b). The decoder observes cost-constrained controllable source measurements during authentication, whereas the encoder observes uncontrollable noisy source outputs.

Definition 7. A $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code $\mathcal{C}_n$ for private authentication with an embedded secret key concealed by noisy measurements of a hidden source, controllable decoder measurements, and noisy encoder measurements consists of
• an encoder $f_4^{(n)}: \widetilde{\mathcal{X}}^n \times \mathcal{K}^{(n)} \to \mathcal{W}^{(n)}$,
• an action encoder $f_a^{(n)}: \mathcal{W}^{(n)} \to \mathcal{A}^n$,
• a decoder $g^{(n)}: \mathcal{W}^{(n)} \times \mathcal{Y}^n \to \mathcal{K}^{(n)}$. ♦

Definition 8. A key-storage-leakage-cost tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ is said to be achievable for a hidden source with the chosen-secret model if for any $\delta > 0$ there is some $n \ge 1$ and a $(|\mathcal{W}^{(n)}|, |\mathcal{K}^{(n)}|, n)$-code for which $R_k = \frac{\log |\mathcal{K}^{(n)}|}{n}$ such that (1)-(6) are satisfied, where we have $W = f_4^{(n)}(\widetilde{X}^n, K)$, $A^n = f_a^{(n)}(W)$, $\hat{K} = g^{(n)}(W, Y^n)$, and $\Gamma^{(n)}(A^n) = \frac{1}{n}\sum_{i=1}^{n} \Gamma(A_i)$.

The key-storage-leakage-cost region $\mathcal{R}_{hcs}$ is the closure of all achievable tuples. ♦

Remark. The encoder- and decoder-measurement channels in Fig. 2 are modeled as two separate channels, i.e., $\widetilde{X} - (A, X) - (Y, Z)$ forms a Markov chain.
This is the case if, e.g., there is a considerable amount of time between the encoder and decoder measurements of a palmprint so that the cuts on it during enrollment and authentication are independent.

III. KEY-STORAGE-LEAKAGE-COST REGIONS

We are interested in characterizing the optimal trade-off among the secret-key rate, storage rate, privacy-leakage rate, and expected action cost. We give the rate regions for all cases.

Theorem 1 (Visible Source, Generated-secret). For given $P_X$ and $P_{YZ|XA}$, the key-storage-leakage-cost region $\mathcal{R}_{gs}$ is given as the set of all tuples $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ satisfying

$$R_k \le I(V; Y|A, U) - I(V; Z|A, U) \tag{7}$$
$$R_w \ge I(X; A) + I(V; X|A, Y) \tag{8}$$
$$\Delta \ge I(X; A, V, Y) + I(X; Z|A, U) - I(X; Y|A, U) \tag{9}$$

for some $P_X P_{A|X} P_{YZ|XA} P_{V|XA} P_{U|V}$ such that $E[\Gamma(A)] \le C$ with $|\mathcal{U}| \le |\mathcal{X}||\mathcal{A}| + 2$ and $|\mathcal{V}| \le (|\mathcal{X}||\mathcal{A}| + 2)(|\mathcal{X}||\mathcal{A}| + 1)$.

Proof: Achievability is based on a random coding scheme that consists of superposition of a rate-distortion code for communicating the action sequence and a layered coding with binning for secret-key generation. The converse is based on standard properties of entropy functions. The proof details are given in Appendices A-B.

Theorem 2 (Visible Source, Chosen-secret). For given $P_X$ and $P_{YZ|XA}$, the key-storage-leakage-cost region $\mathcal{R}_{cs}$ is given as the set of all tuples $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ satisfying

$$R_k \le I(V; Y|A, U) - I(V; Z|A, U) \tag{10}$$
$$R_w \ge I(X; A, V) - I(U; Y|A) - I(V; Z|A, U) \tag{11}$$
$$\Delta \ge I(X; A, V, Y) + I(X; Z|A, U) - I(X; Y|A, U) \tag{12}$$

for some $P_X P_{A|X} P_{YZ|XA} P_{V|XA} P_{U|V}$ such that $E[\Gamma(A)] \le C$ with $|\mathcal{U}| \le |\mathcal{X}||\mathcal{A}| + 2$ and $|\mathcal{V}| \le (|\mathcal{X}||\mathcal{A}| + 2)(|\mathcal{X}||\mathcal{A}| + 1)$.

Proof: We use the proof of achievability for Theorem 1 and add a one-time padding step.
We apply the codebook generation and encoding steps of the generated-secret model to generate the key $K'$ and the helper data $W'$. The embedded chosen key $K$ is uniformly distributed and independent of other random variables. Compared to Theorem 1, the secret-key and privacy-leakage rate bounds have the same expressions, and the storage rate bound is the sum of the secret-key and storage rate bounds of the generated-secret model. The proof details are given in Appendices C-D.

Remark. The results in Theorems 1 and 2 include, as special cases, results for one-round secret-key generation and embedding, respectively, that extend the results in [10], where there is no privacy constraint on the source sequence, i.e., $\Delta = \Delta_{\max} = H(X)$ in Definitions 2 and 4, with action-dependent side information. Moreover, Theorem 1 can also be seen as an extension of the result in [19] because we additionally capture cost-constrained action-dependent decoder measurements.

Theorem 3 (Hidden Source, Generated-secret). For given $P_X$, $P_{\widetilde{X}|X}$, and $P_{YZ|XA}$, the key-storage-leakage-cost region $\mathcal{R}_{hgs}$ is given as the set of all tuples $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ satisfying

$$R_k \le I(V; Y|A, U) - I(V; Z|A, U) \tag{13}$$
$$R_w \ge I(\widetilde{X}; A) + I(V; \widetilde{X}|A, Y) \tag{14}$$
$$\Delta \ge I(X; A, V, Y) + I(X; Z|A, U) - I(X; Y|A, U) \tag{15}$$

for some $P_X P_{\widetilde{X}|X} P_{A|\widetilde{X}} P_{YZ|XA} P_{V|\widetilde{X}A} P_{U|V}$ such that $E[\Gamma(A)] \le C$ with $|\mathcal{U}| \le |\widetilde{\mathcal{X}}||\mathcal{A}| + 3$ and $|\mathcal{V}| \le (|\widetilde{\mathcal{X}}||\mathcal{A}| + 3)(|\widetilde{\mathcal{X}}||\mathcal{A}| + 2)$.

Proof: Achievability proof is similar to Theorem 1. We mainly modify the privacy-leakage analysis since the source is now hidden. The proof is given in Appendices E-F.

Theorem 4 (Hidden Source, Chosen-secret).
For given $P_X$, $P_{\widetilde{X}|X}$, and $P_{YZ|XA}$, the key-storage-leakage-cost region $\mathcal{R}_{hcs}$ is given as the set of all tuples $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ satisfying

$$R_k \le I(V; Y|A, U) - I(V; Z|A, U) \tag{16}$$
$$R_w \ge I(\widetilde{X}; A, V) - I(U; Y|A) - I(V; Z|A, U) \tag{17}$$
$$\Delta \ge I(X; A, V, Y) + I(X; Z|A, U) - I(X; Y|A, U) \tag{18}$$

for some $P_X P_{\widetilde{X}|X} P_{A|\widetilde{X}} P_{YZ|XA} P_{V|\widetilde{X}A} P_{U|V}$ such that $E[\Gamma(A)] \le C$ with $|\mathcal{U}| \le |\widetilde{\mathcal{X}}||\mathcal{A}| + 3$ and $|\mathcal{V}| \le (|\widetilde{\mathcal{X}}||\mathcal{A}| + 3)(|\widetilde{\mathcal{X}}||\mathcal{A}| + 2)$.

Proof: We use the proof of achievability for Theorem 3 and add a one-time padding step. The secret-key and privacy-leakage rate bounds have the same expressions, and the new storage rate bound is the sum of the secret-key and storage rate bounds of the generated-secret model for a hidden source. The proof details are given in Appendices G-H.

Remark. Theorems 3 and 4 can be seen as extensions of the results in [18] with the addition of cost-constrained action-dependent measurements at the decoder and correlated side information at the eavesdropper.

A. Rate Region Comparisons and Discussions

Consider the compression-leakage-key region given in [19, Theorem 2] for the generated-secret model and a visible source. We compare this region with the rate region $\mathcal{R}_{gs}$ to illustrate the effects of the cost-constrained action sequence. In particular, we observe that the action $A$ appears as a conditioning random variable in each mutual information term in [19, Theorem 2], the new storage and privacy-leakage rate limits are increased by the rate-distortion coding amount of $I(X; A)$, and the probability distribution of $A$ is limited by an expected cost constraint.
Therefore, the cost-constrained action sequence $A^n$ brings the possibility of enlarging the rate region, which recovers the rate region in [19, Theorem 2] by choosing a constant action with fixed cost. The action sequence $A^n$ has similar effects on other rate regions.

The rate region $\mathcal{R}_{gs}$ differs from the rate region $\mathcal{R}_{cs}$ only in the bound for the storage rate. The bound in (11) can be written as $I(X; A) + I(X; V|A, Y) + I(V; Y|A, U) - I(V; Z|A, U)$ (cf. (8)), revealing an additional rate that is $I(V; Y|A, U) - I(V; Z|A, U)$ (cf. (10)) needed to convey the chosen secret to the decoder. Suppose $(R_k, R_w, \Delta, C) \in \mathcal{R}_{cs}$ for given $P_X$ and $P_{YZ|XA}$. Therefore, there exist $A$, $U$, and $V$ such that $U - V - (X, A) - (Y, Z)$ forms a Markov chain as in Theorem 2. It is straightforward to show that $(R_k, R_w - R_k, \Delta, C) \in \mathcal{R}_{gs}$ for the same $P_X$ and $P_{YZ|XA}$. Similar conclusions follow also for a hidden source.

The bounds for the secret-key and privacy-leakage rates of visible and hidden sources have the same expressions, i.e., for the generated-secret model in $\mathcal{R}_{gs}$ and $\mathcal{R}_{hgs}$, and for the chosen-secret model in $\mathcal{R}_{cs}$ and $\mathcal{R}_{hcs}$, respectively. However, the storage-rate limits of different source models are different. Moreover, the Markov chain constraints and the cardinality bounds on the auxiliary random variables are different for visible and hidden source models. The rate regions therefore differ significantly, which can result in unnoticed secrecy leakages and reliability reductions if the wrong source model is used for a system design (see [18]).

IV. EXAMPLE

We want to illustrate an achievable rate region for cost-constrained action-dependent secret-key generation from a visible source. We first define the scenario where a PUF in an internet-of-things (IoT) device is used for key generation so that only a mobile device with access to the key can control the IoT device.
We then show an achievable rate region for this scenario by proving specific convexity results. These convexity results significantly simplify the encoder design by decreasing the cardinality of the auxiliary random variable.

Suppose $X$ is binary and uniformly distributed, the channel $P_{A|X}$ is a binary symmetric channel (BSC) with crossover probability $\alpha$, and the channels $P_{Y|AX}(\cdot|a,\cdot)$ are BSCs with crossover probabilities $p_a$ for $a = 0, 1$. Suppose the eavesdropper has degraded side information and the channel $P_{Z|Y}$ is a BSC with crossover probability $p$. In practice, quantized fine variations of ring oscillator (RO) outputs follow these source and channel models. The effects of voltage and temperature variations can also be suppressed by a legitimate user by applying additional post-processing steps to the RO outputs [6]. Classic crossover probabilities for the BSCs $P_{Y|AX}(\cdot|a,\cdot)$ under ideal environmental conditions are $p_a = 0.03$ and $0.05$ for $a = 0, 1$, where, e.g., $a = 0$ corresponds to the case that $X^n$ is sent through the $P_{Y|AX}(\cdot|0,\cdot)$ channel. Suppose the attacker has access to a noisy version $Z^n$ of the RO outputs $X^n$ disturbed by environmental variations in addition to noise. A classic crossover probability for one of the BSCs $P_{Z|AX}(\cdot|a,\cdot)$ is $p' = 0.15$ [6]. We thus choose $p_0 = 0.03$, $p_1 = 0.05$, $p = 0.1277$ so that $p * p_0 = 0.15 = p'$ and $p * p_1 = 0.1649$. We also consider the cost of $\Gamma(0) = 0.5$ units for $a = 0$ and $\Gamma(1) = 0.3$ units for $a = 1$ since obtaining a more reliable channel requires more post-processing steps, which results in higher cost.

Suppose the crossover probability $\alpha$ of the BSC $P_{A|X}$ is $0.2$. It is therefore more likely that the input $X = 1$ is sent through a channel that is stochastically degraded with respect to the channel through which the input $X = 0$ is sent because $p_1 > p_0$.
This is the case if, e.g., a one-bit quantizer is applied to RO outputs, where the bit 0 is extracted if the output value is less than the mean over all ROs and the bit 1 otherwise. RO outputs decrease with increasing temperature. Therefore, the error probability of the channel through which the input bit 0 is sent is smaller than that of the channel through which the bit 1 is sent if the ambient temperature is greater than the temperature assumed for system design.

We now illustrate an achievable rate region for the RO PUF problem defined above by proving convexity of a function used for entropy calculations. First, fix $V = (A, X)$ so that the rate region is

$$\begin{aligned} R_k &\le I(X; Y|A, U) - I(X; Z|A, U) \\ R_w &\ge I(X; A) + H(X|A, Y) \\ \Delta &\ge H(X) - \big(I(X; Y|A, U) - I(X; Z|A, U)\big) \end{aligned} \tag{19}$$

such that $U - (A, X) - (Y, Z)$ forms a Markov chain and $C \ge E[\Gamma(A)]$. The optimization problem of achieving boundary points in (19) is equivalent to

$$\min_{P_{AX|U}} H(Z|A, U) \quad \text{for a fixed } H(Y|A, U) = \eta \tag{20}$$

for all $0 \le \eta \le 1$, which is a similar problem to Mrs. Gerber's lemma (MGL) [22]. Denote the conditional probabilities $P_{AX|U}(ax|i) = \hat{x}_{i,ax}$ and the probabilities $P_U(i) = u_i$ for $i = 1, 2, \ldots, |\mathcal{U}|$. Due to $P_{AX}$, we obtain the constraints

$$\sum_{i=1}^{|\mathcal{U}|} u_i \hat{x}_{i,01} = \sum_{i=1}^{|\mathcal{U}|} u_i \hat{x}_{i,10} = \frac{\alpha}{2}, \tag{21}$$
$$\sum_{i=1}^{|\mathcal{U}|} u_i \hat{x}_{i,00} = \sum_{i=1}^{|\mathcal{U}|} u_i \hat{x}_{i,11} = \frac{1-\alpha}{2}. \tag{22}$$

To fix $H(Y|A, U)$, it therefore suffices to consider

$$\hat{x}_{i,01} = \frac{1}{2} - \hat{x}_{i,00}, \qquad \hat{x}_{i,10} = \frac{1}{2} - \hat{x}_{i,11}. \tag{23}$$

Define the functions

$$f(\hat{x}_{i,00}, \hat{x}_{i,11}) = \left[ H_b\!\left( p_0 * \frac{2\hat{x}_{i,00}}{1 - 2(\hat{x}_{i,11} - \hat{x}_{i,00})} \right) + H_b\!\left( p_1 * \frac{2\hat{x}_{i,11}}{1 - 2(\hat{x}_{i,00} - \hat{x}_{i,11})} \right) \right], \tag{24}$$
$$g(\hat{x}_{i,00}, \hat{x}_{i,11}) = \left[ H_b\!\left( p * p_0 * \frac{2\hat{x}_{i,00}}{1 - 2(\hat{x}_{i,11} - \hat{x}_{i,00})} \right) + H_b\!\left( p * p_1 * \frac{2\hat{x}_{i,11}}{1 - 2(\hat{x}_{i,00} - \hat{x}_{i,11})} \right) \right]. \tag{25}$$

Using (23), (24), and (25), we obtain

$$H(Y|A, U) = \sum_{i=1}^{|\mathcal{U}|} u_i \frac{1}{2} f(\hat{x}_{i,00}, \hat{x}_{i,11}), \tag{26}$$
$$H(Z|A, U) = \sum_{i=1}^{|\mathcal{U}|} u_i \frac{1}{2} g(\hat{x}_{i,00}, \hat{x}_{i,11}). \tag{27}$$

Define an inverse function $f^{-1}(\nu) = (\bar{x}, \bar{x})$ for all $\nu \in [H_b(p_0) + H_b(p_1), 2]$ and $\bar{x} \in [0, 0.5]$. It suffices to replace $f(\hat{x}_{i,00}, \hat{x}_{i,11})$ and $g(\hat{x}_{i,00}, \hat{x}_{i,11})$, respectively, with

$$\bar{f}(\bar{x}) = f\!\left(\frac{\bar{x}}{2}, \frac{\bar{x}}{2}\right) \tag{28}$$
$$\bar{g}(\bar{x}) = g\!\left(\frac{\bar{x}}{2}, \frac{\bar{x}}{2}\right) \tag{29}$$

to fix (26) and (27) separately.

Lemma 1. There is a unique $\bar{x}$ in the interval $[0, 0.5]$ for which $H(Y|A, U) = \frac{1}{2}\bar{f}(\bar{x})$.

Proof. The function $\bar{f}(\bar{x})$ is strictly increasing from $H_b(p_0) + H_b(p_1)$ to $2$ in the interval $[0, 0.5)$ and we have $H_b(p_0) + H_b(p_1) \le 2H(Y|A, U) \le 2H(Y) \le 2$.

Lemma 2. Define $\tilde{p}_0 = \min\{p_0, 1 - p_0\}$ for some $0 \le p_0 \le 1$. If $\tilde{p} * \tilde{p}_0 \ge \tilde{p}_1$ and $\tilde{p} * \tilde{p}_1 \ge \tilde{p}_0$, the function $\bar{g}(f^{-1}(\nu))$ is convex in $\nu$ for $\nu \in [H_b(p_0) + H_b(p_1), 2]$.

Proof. The functions $\bar{f}(\bar{x})$ and $\bar{g}(\bar{x})$ are symmetric with respect to $p_0 = \frac{1}{2}$, $p_1 = \frac{1}{2}$, and $p = \frac{1}{2}$. It thus suffices to prove the convexity for $0 \le \tilde{p}_0, \tilde{p}_1, \tilde{p} \le 0.5$. Define $\bar{f}'(\bar{x}) = \frac{d}{d\bar{x}}\bar{f}(\bar{x})$. $\bar{g}(f^{-1}(\nu))$ is convex in $\nu$ if [23]

$$\frac{\partial^2}{\partial \nu^2}\, \bar{g}(f^{-1}(\nu)) = \frac{1}{\bar{f}'(\bar{x})} \frac{\partial}{\partial \bar{x}} \left( \frac{\bar{g}'(\bar{x})}{\bar{f}'(\bar{x})} \right) \ge 0 \tag{30}$$

for all $\bar{x} \in [0, 0.5]$. Note that $H_b(\cdot)$ is an increasing function for $\bar{x} \in [0, 0.5]$, so $\bar{f}'(\bar{x}) \ge 0$ for all $\bar{x} \in [0, 0.5]$. It thus suffices to show that $\frac{\partial}{\partial \bar{x}} \left( \frac{\bar{g}'(\bar{x})}{\bar{f}'(\bar{x})} \right) \ge 0$, i.e.,

$$\bar{g}''(\bar{x})\, \bar{f}'(\bar{x}) - \bar{f}''(\bar{x})\, \bar{g}'(\bar{x}) \ge 0. \tag{31}$$

The functions $\bar{f}(\bar{x})$ and $\bar{g}(\bar{x})$ consist of two parts as $H_b(\tilde{p}_a * \bar{x})$ and $H_b(\tilde{p} * \tilde{p}_a * \bar{x})$, respectively, for $a = 0, 1$. It is shown in [22] that $H_b(\tilde{p} * H_b^{-1}(\nu))$ is convex in $0 \le \nu \le 1$ for any $\tilde{p} \in [0, 0.5]$, so the terms in (31) that consist of the multiplications of the parts with the same $\tilde{p}_a$ provide positive contributions. It thus suffices to find a set of $\tilde{p}_0$ and $\tilde{p}_1$ values that satisfies

$$\frac{1 - 2(\tilde{p} * \tilde{p}_a)}{(\tilde{p} * \tilde{p}_a * \bar{x})(1 - \tilde{p} * \tilde{p}_a * \bar{x}) \log\!\left( \frac{1 - \tilde{p} * \tilde{p}_a * \bar{x}}{\tilde{p} * \tilde{p}_a * \bar{x}} \right)} \le \frac{1 - 2\tilde{p}_b}{(\tilde{p}_b * \bar{x})(1 - \tilde{p}_b * \bar{x}) \log\!\left( \frac{1 - \tilde{p}_b * \bar{x}}{\tilde{p}_b * \bar{x}} \right)} \tag{32}$$

where $b = 1 - a$ for $a = 0, 1$. Define the function

$$l(\hat{p}) = \frac{1 - 2\hat{p}}{(\hat{p} * \bar{x})(1 - \hat{p} * \bar{x}) \log\!\left( \frac{1 - \hat{p} * \bar{x}}{\hat{p} * \bar{x}} \right)} \tag{33}$$

for $0 \le \hat{p}, \bar{x} \le 0.5$. It is straightforward to prove that $l(\hat{p})$ is a decreasing function by showing that $l(\hat{p})$ is convex and $l'(0.5) = 0$. The inequality in (32) is thus satisfied if $\tilde{p} * \tilde{p}_a \ge \tilde{p}_b$ for $a = 0, 1$. This proves the convexity.

We use the convexity property for channels satisfying the assumptions in Lemma 2 to give an achievable lower bound for $H(Z|A, U)$ when $H(Y|A, U)$ is fixed.

Lemma 3. Suppose $\bar{g}(f^{-1}(\nu))$ is convex in $\nu$. With the assumptions given above, we have

$$H(Z|A, U) \ge \frac{1}{2}\, \bar{g}\big(f^{-1}(2H(Y|A, U))\big). \tag{34}$$

Proof. Using Jensen's inequality, we have

$$H(Z|A, U) = \sum_{i=1}^{|\mathcal{U}|} u_i \frac{1}{2}\, \bar{g}\big(f^{-1}(\bar{f}(\bar{x}_i))\big) \ge \frac{1}{2}\, \bar{g}\!\left( f^{-1}\!\left( \sum_{i=1}^{|\mathcal{U}|} u_i \bar{f}(\bar{x}_i) \right) \right) = \frac{1}{2}\, \bar{g}\big(f^{-1}(2H(Y|A, U))\big).$$

Lemma 4. Consider the problem setup defined above and the region in (19). The BSCs $P_{AX|U}(a, \cdot|\cdot)$ with the same crossover probability $\bar{x} \in [0, 0.5]$ when $P_{AX|U}(a, 0|\cdot) + P_{AX|U}(a, 1|\cdot) = \frac{1}{2}$ achieve the region that satisfies equality in (34) if (23), $\tilde{p} * \tilde{p}_0 \ge \tilde{p}_1$, and $\tilde{p} * \tilde{p}_1 \ge \tilde{p}_0$ are satisfied.

Proof. Consider the boundary points in (19) that depend on $U$.
Using Lemma 3, we obtain

$$R_k \le H(Y|A,U) - H(Y|A,X) - \frac{1}{2} \bar{g}\big(f^{-1}(2H(Y|A,U))\big) + H(Z|A,X), \tag{35}$$

$$\Delta \ge H(X) - H(Y|A,U) + H(Y|A,X) + \frac{1}{2} \bar{g}\big(f^{-1}(2H(Y|A,U))\big) - H(Z|A,X) \tag{36}$$

where we use Lemma 2 for the convexity requirement and Lemma 1 to show that the inverse function $f^{-1}(\cdot)$ is a bijective mapping. Equalities in (35) and (36) are achieved by BSCs $P_{AX|U}(a, \cdot|\cdot)$ with crossover probability $0 \le \bar{x} \le 0.5$, defined in Lemma 1, when $P_{AX|U}(a, 0|\cdot) + P_{AX|U}(a, 1|\cdot) = \frac{1}{2}$.

Remark. One can show that the lower bound in (34) can be improved for $H(Z|A,U)$ given in (27) that is a function of a general $g(\hat{x}_{i,00}, \hat{x}_{i,11})$, although this lower bound is tight for the function $\bar{g}(\bar{x})$.

For the RO PUF problem with the source and channel parameters given above, we obtain $R_w \ge 0.4731$ bits/source-bit and $C \ge 0.4$ units since $P_{AXYZ}$ is fixed. The boundary points for $R_k$ and $\Delta$ sum up to $H(X) = 1$ bit, which determines the trade-off between the secret-key and privacy-leakage rates for this example. The maximum $R_k$ achievable by using Lemma 4 is $R_k^* = 0.3876$ bits/source-bit, achieved with $\Delta \ge 0.6124$ bits/source-bit.

V. CONCLUSION

We derived the key-storage-leakage-cost regions for a visible source with the generated- or chosen-secret model when a cost-constrained action sequence controls the source measurements during authentication. Correlated side information at the eavesdropper is also considered as a realistic assumption especially for biometric identifiers. The achievability proof of the generated-secret model involves layered random binning. We bound the secret key generated by the generated-secret model to a chosen secret key for the proof of the chosen-secret model.
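Lemmas 1 to 3 of the RO PUF example can be checked numerically. The Python sketch below is an added example, not code from the paper: it evaluates $\bar{f}$ and $\bar{g}$ from (28) and (29), inverts $\bar{f}$ by bisection (Lemma 1), tests the condition of Lemma 2, and compares $H(Z|A,U)$ from (27) with the bound in (34). The values p = 0.15, p_0 = 0.05, p_1 = 0.10 are constructed for illustration (they are assumptions, not the paper's RO PUF parameters), and all function names are hypothetical.

```python
from math import log2

# Constructed channel parameters (assumptions for illustration only).
P, P0, P1 = 0.15, 0.05, 0.10


def hb(x):
    """Binary entropy H_b(x) in bits, with H_b(0) = H_b(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1.0 - x) * log2(1.0 - x)


def conv(a, b):
    """Binary convolution a * b = a(1 - b) + (1 - a)b."""
    return a * (1.0 - b) + (1.0 - a) * b


def f_bar(x, p0, p1):
    """f_bar(x) = f(x/2, x/2) = H_b(p0 * x) + H_b(p1 * x), from (24) and (28)."""
    return hb(conv(p0, x)) + hb(conv(p1, x))


def g_bar(x, p, p0, p1):
    """g_bar(x) = g(x/2, x/2) = H_b(p * p0 * x) + H_b(p * p1 * x), from (25), (29)."""
    return hb(conv(p, conv(p0, x))) + hb(conv(p, conv(p1, x)))


def lemma2_condition(p, p0, p1):
    """Sufficient condition of Lemma 2 on the folded parameters min{q, 1 - q}."""
    pt, p0t, p1t = (min(q, 1.0 - q) for q in (p, p0, p1))
    return conv(pt, p0t) >= p1t and conv(pt, p1t) >= p0t


def f_inv(nu, p0, p1, iters=100):
    """Unique x in [0, 0.5] with f_bar(x) = nu (Lemma 1), found by bisection."""
    lo, hi = 0.0, 0.5
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if f_bar(mid, p0, p1) < nu:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def mixture_entropies(u, xs, p, p0, p1):
    """H(Y|A,U) and H(Z|A,U) from (26), (27) with x_hat_{i,00} = x_hat_{i,11} = x_i / 2."""
    h_y = sum(ui * 0.5 * f_bar(x, p0, p1) for ui, x in zip(u, xs))
    h_z = sum(ui * 0.5 * g_bar(x, p, p0, p1) for ui, x in zip(u, xs))
    return h_y, h_z


def lemma3_bound(h_y, p, p0, p1):
    """Right-hand side of (34): 0.5 * g_bar(f^{-1}(2 H(Y|A,U)))."""
    return 0.5 * g_bar(f_inv(2.0 * h_y, p0, p1), p, p0, p1)


def min_second_difference(p, p0, p1, points=200, nu_max=1.99):
    """Smallest second difference of g_bar(f^{-1}(nu)) on a uniform grid in nu.

    A value that is non-negative up to rounding is the discrete counterpart
    of the convexity stated in Lemma 2.
    """
    nu_min = hb(p0) + hb(p1)
    step = (nu_max - nu_min) / (points - 1)
    phi = [g_bar(f_inv(nu_min + k * step, p0, p1), p, p0, p1)
           for k in range(points)]
    return min(phi[k - 1] - 2.0 * phi[k] + phi[k + 1]
               for k in range(1, points - 1))


if __name__ == "__main__":
    print("Lemma 2 condition holds:", lemma2_condition(P, P0, P1))
    # Two-point auxiliary variable U mixing the extreme crossover values.
    h_y, h_z = mixture_entropies([0.5, 0.5], [0.0, 0.5], P, P0, P1)
    print("H(Y|A,U) =", h_y, " H(Z|A,U) =", h_z)
    print("bound (34) =", lemma3_bound(h_y, P, P0, P1))
    print("min second difference =", min_second_difference(P, P0, P1))
```

A single crossover value (a one-point $U$) meets (34) with equality, while the two-point mixture lies strictly above the bound, which is the Jensen gap used in the proof of Lemma 3.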
We illustrated achievable key-storage-leakage-cost regions with an example, where the channel and source parameters used were motivated by realistic authentication scenarios that use secret keys generated from RO PUFs.

Multiple source measurements during enrollment are studied by considering a hidden source with noisy measurements at the encoder. We also derived the key-storage-leakage-cost regions for such a hidden source. The achievability proofs of the hidden source models also involve the same layered random binning as for the visible source models, but this time the noiseless identifier outputs are replaced with the noisy outputs at the encoder and the privacy-leakage rate is measured with respect to the hidden source. Comparisons showed that the rate regions for the two source models differ significantly due to different rate limits for the storage rate, and different Markov chain constraints and cardinality bounds on the auxiliary random variables. In future work, we will consider adaptive decoder measurements with causal actions that depend on the helper data and previous decoder measurements, which might improve the rate regions.

ACKNOWLEDGMENT

The authors thank the Associate Editor and anonymous reviewers for their valuable suggestions that helped to improve the paper. Specifically, we thank an anonymous reviewer who suggested the future work problem above.

APPENDIX
PROOFS OF THEOREMS 1-4

Based on the condition that all sequences are jointly typical with high probability, we bound some conditional entropy terms of interest with single letter expressions using the following two lemmas (see [17] for proofs).

Lemma 5. Let $(X^n, A^n)$ be jointly typical with high probability and $Z^n$ i.i.d. $\sim P_{Z|XA}$, we have $H(Z^n|X^n, A^n) \ge n(H(Z|X,A) - \delta)$, where $\delta \to 0$ as $\to 0$ and $\to 0$ as $n \to \infty$.

Lemma 6.
Let $(A^n, U^n, Z^n)$ be jointly typical with high probability and $\mathcal{C}_n$ represent a random codebook. Then, $H(Z^n|A^n, U^n, \mathcal{C}_n) \le n(H(Z|A,U) + \delta)$, where $\delta \to 0$ as $\to 0$ and $\to 0$ as $n \to \infty$.

PROOF OF THEOREM 1

A. Proof of Achievability

The proof follows from standard random coding arguments where we show the existence of a code that satisfies the key, storage, privacy-leakage rates, and expected cost constraints.

Codebook generation: Fix $P_{A|X} P_{V|XA} P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \le C/(1 + \,)$.

• Randomly and independently generate $2^{n(I(X;A)+\delta)}$ codewords $a^n(w_a)$ according to $\prod_{i=1}^n P_A(a_i(w_a))$ for $w_a \in [1 : 2^{n(I(X;A)+\delta)}]$.

• For each $w_a$, randomly and conditionally independently generate $2^{n(I(U;X|A)+\delta)}$ codewords $u^n(w_a, m)$ each according to $\prod_{i=1}^n P_{U|A}(u_i|a_i(w_a))$ for $m \in [1 : 2^{n(I(U;X|A)+\delta)}]$, and distribute them uniformly at random into $2^{n(I(U;X|A) - I(U;Y|A) + 2\delta)}$ bins $b_U(w_u)$ for $w_u \in [1 : 2^{n(I(U;X|A) - I(U;Y|A) + 2\delta)}]$. Without loss of generality, we can identify the index $m = (w_u, m')$ for some $m' \in [1 : 2^{n(I(U;Y|A) - \delta)}]$.

• For each $(w_a, m)$ pair, randomly and conditionally independently generate $2^{n(I(V;X|A,U)+\delta)}$ codewords $v^n(w_a, m, l)$ each according to $\prod_{i=1}^n P_{V|UA}(v_i|u_i(w_a, m), a_i(w_a))$ for $l \in [1 : 2^{n(I(V;X|A,U)+\delta)}]$, and distribute them uniformly at random into $2^{n(I(V;X|A,U) - I(V;Y|A,U) + 3\delta)}$ bins $b_V(m, w_v)$ for $w_v \in [1 : 2^{n(I(V;X|A,U) - I(V;Y|A,U) + 3\delta)}]$. Furthermore, for each bin, we divide codewords $v^n$ into $2^{n(I(V;Y|A,U) - I(V;Z|A,U) - \delta)}$ equal-sized subbins, each denoted by a subbin index $w_k$. Without loss of generality, we can identify the index $l = (w_v, w_k, l')$ for some $l' \in [1 : 2^{n(I(V;Z|A,U) - \delta)}]$.
The codebook is revealed to all parties.

Encoding:

• For a given source sequence $x^n$, the encoder looks for an $a^n(w_a)$ which is jointly typical with $x^n$. Since there are more than $2^{nI(X;A)}$ codewords $a^n$, by the covering lemma [24], there exists such an $a^n$ with high probability. If there is more than one, we choose one uniformly at random and send the corresponding index $w_a$ to the decoder.

• The encoder then looks for a $u^n(w_a, m)$ that is jointly typical with $(x^n, a^n)$. Since there are more than $2^{nI(U;X|A)}$ codewords $u^n$, by the covering lemma, there exists such a $u^n$ with high probability. If there is more than one, we choose one uniformly at random and send the corresponding bin index $w_u$ to the decoder.

• Again, the encoder looks for a $v^n(w_a, m, l)$ which is jointly typical with $(x^n, a^n, u^n)$. Since there are more than $2^{nI(V;X|A,U)}$ codewords $v^n$, by the covering lemma, there exists such a $v^n$ with high probability. If there is more than one, we choose one uniformly at random and send the corresponding bin index $w_v$ to the decoder. The secret key $k$ is chosen to be the subbin index $w_k$ of the chosen codeword $v^n$.

This gives the total storage rate of

$$I(X;A) + I(U;X|A) - I(U;Y|A) + I(V;X|A,U) - I(V;Y|A,U) + 6\delta = I(X;A) + I(V;X|A,Y) + 6\delta.$$

Once the action sequence is chosen, action-dependent side information $(y^n, z^n)$ is generated as the output of the memoryless channel $P_{Y,Z|X,A}$.

Decoding:

• Upon receiving the indices $(w_a, w_u, w_v)$ and side information $y^n$, the decoder looks for the unique $u^n$ which is jointly typical with $(y^n, a^n)$. Since there are less than $2^{nI(U;Y|A)}$ sequences in the bin $b_U(w_u)$, by the packing lemma [24], it will find the unique and correct $u^n$ with high probability.
• Then, the decoder looks for the unique $v^n$ which is jointly typical with $(y^n, a^n, u^n)$. Since there are less than $2^{nI(V;Y|A,U)}$ sequences in the bin $b_V(m, w_v)$, by the packing lemma, it will find the unique and correct $v^n$ with high probability. The decoder puts out $\hat{k}$ as the subbin index $\hat{w}_k$ of the decoded codeword $v^n$ which will be the correct one with high probability.

Action Cost: Since each action sequence $a^n$ is in the typical set with high probability, by the typical average lemma [24], the expected cost constraint is satisfied.

Privacy-leakage Rate: The information leakage averaged over the random codebook $\mathcal{C}_n$ can be bounded as

$$\begin{aligned}
I(X^n; W_a, W_u, W_v, Z^n|\mathcal{C}_n) &\le I(X^n; W_a, M, W_v, Z^n|\mathcal{C}_n) \\
&= H(X^n|\mathcal{C}_n) - H(X^n, W_a, M, W_v, Z^n|\mathcal{C}_n) + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&= -H(Z^n|X^n, \mathcal{C}_n) - H(W_a, M, W_v|X^n, Z^n, \mathcal{C}_n) + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&\overset{(a)}{\le} -H(Z^n|X^n, A^n) + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&\overset{(b)}{\le} -H(Z^n|X^n, A^n) + H(W_a|\mathcal{C}_n) + H(M|\mathcal{C}_n) + H(W_v|\mathcal{C}_n) + H(Z^n|A^n, U^n, \mathcal{C}_n) \\
&\overset{(c)}{\le} n[-H(Z|X,A) + I(X;A) + I(U;X|A) + 5\delta + (I(V;X|A,U) - I(V;Y|A,U)) + H(Z|A,U)] \\
&\overset{(d)}{=} n[I(X;A,V,Y) - I(X;Y|A,U) + I(X;Z|A,U) + \delta'] \\
&\le n[\Delta + \delta']
\end{aligned} \tag{37}$$

if $\Delta \ge I(X;A,V,Y) - (I(X;Y|A,U) - I(X;Z|A,U))$, where $(a)$ follows from the facts that conditioning reduces entropy, and that $Z^n - (X^n, A^n) - \mathcal{C}_n$ forms a Markov chain, $(b)$ follows because given the codebook, $(A^n, U^n)$ are functions of $(W_a, M)$, $(c)$ follows from the codebook generation, from the memoryless properties of the source and the side information channel, from Lemma 5 with which we bound the term $H(Z^n|X^n, A^n)$, and from Lemma 6 with which we bound the term $H(Z^n|A^n, U^n, \mathcal{C}_n)$, and $(d)$ follows from the Markov chain $(Y,Z) - (X,A) - V - U$.

Secrecy-leakage Rate: The secrecy-leakage rate averaged over the random codebook $\mathcal{C}_n$ can be bounded as

$$\begin{aligned}
I(W_k; W_a, W_u, W_v, Z^n|\mathcal{C}_n) &\le H(W_k|\mathcal{C}_n) - H(W_k|W_a, M, W_v, Z^n, \mathcal{C}_n) \\
&= H(W_k|\mathcal{C}_n) - H(W_a, M, L, Z^n|\mathcal{C}_n) + H(L'|W_a, M, W_v, W_k, Z^n, \mathcal{C}_n) + H(W_a, M, W_v, Z^n|\mathcal{C}_n) \\
&\overset{(a)}{\le} H(W_k|\mathcal{C}_n) - H(A^n, U^n, V^n, Z^n|\mathcal{C}_n) + n\,{}_{n} + H(W_a|\mathcal{C}_n) + H(M|\mathcal{C}_n) + H(W_v|\mathcal{C}_n) + H(Z^n|A^n, U^n, \mathcal{C}_n) \\
&\overset{(b)}{\le} H(W_k|\mathcal{C}_n) - H(A^n, U^n, V^n, Z^n|\mathcal{C}_n) + n\,{}_{n} + n(I(X;A) + I(U;X|A) + I(V;X|A,U,Y) + H(Z|A,U) + \delta') \\
&\overset{(c)}{\le} n\delta^{(2)}
\end{aligned} \tag{38}$$

where $(a)$ follows from the fact that given the codebook, $(A^n, U^n)$ are functions of $(W_a, M)$ and $V^n$ of $(W_a, M, L)$, and from Fano's inequality where given $(W_a, M, W_v, W_k, Z^n)$, the codeword $V^n$ and thus $L'$ can be decoded correctly with high probability since there are less than $2^{nI(V;Z|A,U)}$ remaining $V^n$, $(b)$ follows from the codebook generation and Lemma 6, and $(c)$ follows from the codebook generation, from the bound on $H(A^n, U^n, V^n, Z^n|\mathcal{C}_n)$ which is shown below, and from the Markov chain $U - V - (X,A) - (Y,Z)$.

$$\begin{aligned}
H(A^n, U^n, V^n, Z^n|\mathcal{C}_n) &\overset{(a)}{=} H(A^n, U^n, V^n, X^n|\mathcal{C}_n) + H(Z^n|X^n, A^n) - H(X^n|A^n, U^n, V^n, Z^n, \mathcal{C}_n) \\
&\ge H(X^n) + H(Z^n|X^n, A^n) - H(X^n|A^n, U^n, V^n, Z^n, \mathcal{C}_n) \\
&\overset{(b)}{\ge} n(H(X) + H(Z|X,A) - H(X|A,U,V,Z) - \delta')
\end{aligned}$$

where $(a)$ follows from the Markov chain $Z^n - (X^n, A^n) - (U^n, V^n, \mathcal{C}_n)$ and $(b)$ follows from Lemma 5 and from a bound on $H(X^n|A^n, U^n, V^n, Z^n, \mathcal{C}_n)$ which can be derived similarly as in Lemma 6.

Secret-key Rate: The key rate averaged over the random codebook $\mathcal{C}_n$ can be bounded as follows.
$$\begin{aligned}
H(W_k|\mathcal{C}_n) &\ge H(W_k|W_a, M, W_v, L', \mathcal{C}_n) \\
&\overset{(a)}{\ge} H(A^n, U^n, V^n|\mathcal{C}_n) - H(W_a|\mathcal{C}_n) - H(M|\mathcal{C}_n) - H(W_v|\mathcal{C}_n) - H(L'|\mathcal{C}_n) \\
&\overset{(b)}{\ge} n(I(X;A,U,V) - I(X;A) - I(U;X|A) - I(V;X|A,U,Y) - I(V;Z|A,U) - \delta') \\
&= n(I(V;Y|A,U) - I(V;Z|A,U) - \delta') \\
&\ge n(R_k - \delta')
\end{aligned} \tag{39}$$

if $R_k \le I(V;Y|A,U) - I(V;Z|A,U)$, where $(a)$ follows from the fact that given the codebook $(A^n, U^n, V^n)$ are functions of $(W_a, M, L)$, $(b)$ follows from the codebook generation, from the bound $P_{A^n U^n V^n}(a^n, u^n, v^n) = \sum_{x^n \in \mathcal{T}^{(n)}(X|a^n, u^n, v^n)} P_{X^n}(x^n) \le 2^{-n(I(X;A,U,V) - \delta)}$, and from the Markov chain $V - (X, A, U) - Y$.

Using the random coding argument, we have that a tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ that satisfies (7)-(9) for some $P_{A|X}$, $P_{V|XA}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \le C$ is achievable.

B. Proof of Converse

Let $U_i \triangleq (W, A^{n \setminus i}, Y_{i+1}^n, Z^{i-1})$ and $V_i \triangleq (W, K, A^{n \setminus i}, Y_{i+1}^n, Z^{i-1})$, which satisfy the Markov chain $U_i - V_i - (A_i, X_i) - (Y_i, Z_i)$ for all $i = 1, 2, \ldots, n$. For any achievable tuple $(R_k, R_w, \Delta, C)$, we have the following.
Storage Rate: We obtain

$$\begin{aligned}
n(R_w + \delta_n) &\ge \log|\mathcal{W}^{(n)}| \ge H(W) \overset{(a)}{=} H(W) + H(A^n|W) = H(A^n) + H(W|A^n) \\
&\ge [H(A^n) - H(A^n|X^n, Z^n)] + [H(W|A^n, Y^n) - H(W|A^n, X^n, Y^n, Z^n)] \\
&= H(X^n, Z^n) - H(X^n, Z^n|A^n) + H(X^n, Z^n|A^n, Y^n) - H(X^n, Z^n|A^n, Y^n, W) \\
&= H(X^n) + H(Z^n|X^n) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) - H(Z^n|X^n, A^n) \\
&\quad - H(X^n, Z^n|A^n, Y^n, W, K) - I(X^n, Z^n; K|A^n, Y^n, W) \\
&\ge H(X^n) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) - H(X^n, Z^n|A^n, Y^n, W, K) - H(K|A^n, Y^n, W) \\
&\overset{(b)}{\ge} \sum_{i=1}^n H(X_i) - H(Y_i|A_i) + H(Y_i, Z_i|X_i, A_i) - H(X_i, Z_i|A^n, Y^n, W, K, X^{i-1}, Z^{i-1}) - n\,{}_{n} \\
&\overset{(c)}{\ge} \sum_{i=1}^n H(X_i) - H(Y_i|A_i) + H(Y_i|X_i, A_i, Z_i) + H(Z_i|X_i, A_i) - H(X_i, Z_i|A_i, Y_i, V_i) - n\,{}_{n} \\
&\ge \sum_{i=1}^n I(X_i; A_i) + I(V_i; X_i|A_i, Y_i) - n\,{}_{n}
\end{aligned}$$

where $(a)$ follows from the deterministic action encoder, $(b)$ follows from Fano's inequality, and $(c)$ follows from the definition of $V_i$.
Privacy-leakage Rate: We have

$$\begin{aligned}
n(\Delta + \delta_n) &\ge I(X^n; W, Z^n) = I(X^n; W) + I(X^n; Z^n|W) \\
&\overset{(a)}{=} I(X^n; W, A^n) + I(X^n; Z^n|W, A^n) \\
&= H(X^n) - H(X^n|W, K, A^n, Y^n) - I(X^n; K|W, A^n, Y^n) - I(X^n; Y^n|W, A^n) + I(X^n; Z^n|W, A^n) \\
&\overset{(b)}{\ge} \sum_{i=1}^n H(X_i) - H(X_i|W, K, A^n, Y^n, X^{i-1}) - H(Y_i|W, A^n, Y_{i+1}^n) + H(Y_i|X_i, A_i) \\
&\quad + H(Z_i|W, A^n, Z^{i-1}) - H(Z_i|X_i, A_i) - n\,{}_{n} \\
&\overset{(c)}{=} \sum_{i=1}^n H(X_i) - H(X_i|W, K, A^n, Y^n, X^{i-1}, Z^{i-1}) - I(X_i; Y_i|A_i) + H(Y_i|A_i) + I(X_i; Z_i|A_i) - H(Z_i|A_i) \\
&\quad - H(Y_i|W, A^n, Y_{i+1}^n) + H(Z_i|W, A^n, Z^{i-1}) - n\,{}_{n} \\
&\overset{(d)}{\ge} \sum_{i=1}^n H(X_i) - H(X_i|V_i, A_i, Y_i) - I(X_i; Y_i|A_i) + H(Y_i|A_i) + I(X_i; Z_i|A_i) - H(Z_i|A_i) \\
&\quad - H(Y_i|W, A^n, Y_{i+1}^n) + H(Z_i|W, A^n, Z^{i-1}) - n\,{}_{n} \\
&= \sum_{i=1}^n \underbrace{I(X_i; A_i, V_i, Y_i) - I(X_i; Y_i|A_i) + I(X_i; Z_i|A_i)}_{\triangleq P_i} + I(W, Y_{i+1}^n, A^{n \setminus i}; Y_i|A_i) - I(W, Z^{i-1}, A^{n \setminus i}; Z_i|A_i) - n\,{}_{n}
\end{aligned}$$

where $(a)$ follows from the deterministic action encoder, $(b)$ follows from Fano's inequality and the Markov chain $(W, K, A^{n \setminus i}, X^{n \setminus i}, Y_{i+1}^n, Z^{i-1}) - (A_i, X_i) - (Y_i, Z_i)$, $(c)$ follows from the Markov chain $(X_i, W, K, A_i^n, Y_i^n) - (A^{i-1}, X^{i-1}) - (Z^{i-1}, Y^{i-1})$, and $(d)$ follows from the definition of $V_i$ and the deterministic action encoder.
By adding Csiszár's sum identity [25], i.e., $\sum_{i=1}^n I(Y_i; Z^{i-1}|A^n, W, Y_{i+1}^n) - I(Z_i; Y_{i+1}^n|A^n, W, Z^{i-1}) = 0$, to the right hand side, we get

$$\begin{aligned}
n(\Delta + \delta_n) &\ge \sum_{i=1}^n P_i + I(W, Y_{i+1}^n, Z^{i-1}, A^{n \setminus i}; Y_i|A_i) - I(W, Y_{i+1}^n, Z^{i-1}, A^{n \setminus i}; Z_i|A_i) - n\,{}_{n} \\
&\overset{(a)}{=} \sum_{i=1}^n I(X_i; A_i, V_i, Y_i) - I(X_i; Y_i|A_i) + I(X_i; Z_i|A_i) + I(U_i; Y_i|A_i) - I(U_i; Z_i|A_i) - n\,{}_{n} \\
&\overset{(b)}{=} \sum_{i=1}^n I(X_i; A_i, V_i, Y_i) - I(X_i; Y_i|U_i, A_i) + I(X_i; Z_i|U_i, A_i) - n\,{}_{n},
\end{aligned}$$

where $(a)$ follows from the definitions of $P_i$ and $U_i$ and $(b)$ from the Markov chain $U_i - (A_i, X_i) - (Y_i, Z_i)$.

Secret-key Rate: We obtain

$$\begin{aligned}
n(R_k - \delta_n) &\le H(K) \overset{(a)}{\le} H(K|W, Z^n) + n\delta_n \overset{(b)}{=} H(K|W, A^n, Z^n) + n\delta_n \\
&\overset{(c)}{\le} H(K|W, A^n, Z^n) - H(K|W, A^n, Y^n) + 2n\delta_n \\
&= \sum_{i=1}^n I(K; Y_i|W, A^n, Y_{i+1}^n) - I(K; Z_i|W, A^n, Z^{i-1}) + 2n\delta_n \\
&\overset{(d)}{=} \sum_{i=1}^n I(K; Y_i|W, A^n, Y_{i+1}^n, Z^{i-1}) - I(K; Z_i|W, A^n, Y_{i+1}^n, Z^{i-1}) + 2n\delta_n \\
&\overset{(e)}{=} \sum_{i=1}^n I(V_i; Y_i|A_i, U_i) - I(V_i; Z_i|A_i, U_i) + 2n\delta_n
\end{aligned} \tag{40}$$

where $(a)$ follows by (2), $(b)$ follows from the deterministic action encoder, $(c)$ follows from Fano's inequality, $(d)$ follows from Csiszár's sum identity, and $(e)$ follows from the definitions of $U_i$ and $V_i$.

Action Cost: We have

$$C + \delta_n \ge \mathbb{E}\big[\Gamma^{(n)}(A^n)\big] = \frac{1}{n} \sum_{i=1}^n \mathbb{E}\big[\Gamma(A_i)\big]. \tag{41}$$

Finally, we complete the proof by the standard time-sharing argument and letting $\delta_n \to 0$.

Cardinality Bounds: It can be shown by using the support lemma [25] that $\mathcal{U}$ should have $|\mathcal{X}||\mathcal{A}| - 1$ elements to preserve $P_{XA}$ and three more to preserve $H(X|U,V,A,Y)$, $I(X;Z|A,U) - I(X;Y|A,U)$, and $I(V;Y|A,U) - I(V;Z|A,U)$.
Similarly, the cardinality $|\mathcal{V}|$ can be limited to at most $(|\mathcal{X}||\mathcal{A}| + 2)(|\mathcal{X}||\mathcal{A}| + 1)$.

PROOF OF THEOREM 2

C. Proof of Achievability

Fix $P_{A|X}$, $P_{V|XA}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \le C/(1 + \,)$. We use the achievability proof of Theorem 1. Suppose the key $K' = W_{k'}$, generated as in the generated-secret model, has the same cardinality as the embedded key $K = W_k$, i.e., $|\mathcal{K}'| = |\mathcal{K}|$. Consider an encoder $f_2^{(n)}$ with inputs $(X^n, K)$ and outputs $W = (K' + K, W')$. Similarly, consider a decoder $g^{(n)}$ with inputs $(Y^n, W)$ and output $\hat{K} = K' + K - \hat{K}'$, where the addition and subtraction operations are modulo-$|\mathcal{K}|$. The decoder of the generated-secret model is used at the decoder to obtain $\hat{K}'$.

Error Probability: We have

$$\Pr[K \ne \hat{K}] = \Pr[K' \ne \hat{K}'] \tag{42}$$

which is small due to the proof of achievability for the generated-secret model.

Action Cost: Similar to the generated-secret model, one can show that the expected cost constraint is satisfied with high probability by using the typical average lemma.

Privacy-leakage Rate: We obtain

$$\begin{aligned}
&I(X^n; W_{a'}, W_{u'}, W_{v'}, W_k + W_{k'}, Z^n|\mathcal{C}_n) \\
&= I(X^n; W_{a'}, W_{u'}, W_{v'}, Z^n|\mathcal{C}_n) + I(X^n; W_k + W_{k'}|W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) \\
&\le I(X^n; W_{a'}, W_{u'}, W_{v'}, Z^n|\mathcal{C}_n) + H(W_k + W_{k'}|W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) \\
&\quad - H(W_k + W_{k'}|W_{a'}, W_{u'}, W_{v'}, Z^n, X^n, W_{k'}, \mathcal{C}_n) \\
&\overset{(a)}{\le} I(X^n; W_{a'}, W_{u'}, W_{v'}, Z^n|\mathcal{C}_n) + \log|\mathcal{K}| - H(W_k) \\
&\overset{(b)}{\le} n[I(X;A,V,Y) - (I(X;Y|A,U) - I(X;Z|A,U)) + \delta'] \\
&\le n[\Delta + \delta']
\end{aligned}$$

if $\Delta \ge I(X;A,V,Y) - (I(X;Y|A,U) - I(X;Z|A,U))$, where $(a)$ follows because the embedded key $K = W_k$ is independent of other random variables and $(b)$ follows from uniformity of $W_k$ and (37).
Secrecy-leakage Rate: Observe that

$$\begin{aligned}
&I(W_k; W_{a'}, W_{u'}, W_{v'}, W_k + W_{k'}, Z^n|\mathcal{C}_n) \\
&= I(W_k; W_{a'}, W_{u'}, W_{v'}, Z^n|\mathcal{C}_n) + I(W_k; W_k + W_{k'}|W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) \\
&\overset{(a)}{=} H(W_k + W_{k'}|W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) - H(W_{k'}|W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) \\
&\le \log|\mathcal{K}| - H(W_{k'}) + I(W_{k'}; W_{a'}, W_{u'}, W_{v'}, Z^n|\mathcal{C}_n) \\
&\overset{(b)}{\le} n(\delta_n + \delta^{(2)})
\end{aligned}$$

where $(a)$ follows because $K = W_k$ is independent of other random variables and $(b)$ follows by (38) and (39).

Secret-key Rate: We have

$$H(W_k|\mathcal{C}_n) = \log|\mathcal{K}| \ge H(W_{k'}|\mathcal{C}_n) \overset{(a)}{\ge} n(I(V;Y|A,U) - I(V;Z|A,U) - \delta') \ge n(R_k - \delta') \tag{43}$$

if $R_k \le I(V;Y|A,U) - I(V;Z|A,U)$, where $(a)$ follows by (39).

Storage Rate: The storage rate is the sum of the storage $R_{w'}$ for the generated-secret model and for $K' + K$. We obtain

$$\begin{aligned}
R_w &\le R_{w'} + \frac{1}{n} \log|\mathcal{K}| \\
&\overset{(a)}{=} I(X;A) + I(V;X|A,Y) + 6\delta + R_k \\
&\overset{(b)}{\le} I(X;A) + I(V;X|A,Y) + 6\delta + I(V;Y|A,U) - I(V;Z|A,U) \\
&\overset{(c)}{=} I(X;A,V) - I(U;Y|A) - I(V;Z|A,U) + 6\delta
\end{aligned}$$

where $(a)$ follows from the storage rate of the generated-secret model, $(b)$ follows by (43), and $(c)$ follows from the Markov chain $U - V - (X,A) - (Y,Z)$.

Using the random coding argument, we have that a tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ that satisfies (10)-(12) for some $P_{A|X}$, $P_{V|XA}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \le C$ is achievable.

D. Proof of Converse

Use the definitions of $U_i$ and $V_i$ given in Appendix B so that $U_i - V_i - (A_i, X_i) - (Y_i, Z_i)$ forms a Markov chain for all $i = 1, 2, \ldots, n$. The main step is the proof of converse for the storage rate.

Secret-key Rate: Use similar steps as in (40) to obtain

$$R_k \le \frac{1}{n} \Big[ \sum_{i=1}^n I(V_i; Y_i|A_i, U_i) - I(V_i; Z_i|A_i, U_i) + 3n\delta_n \Big].$$

Action Cost: Similar to Appendix B, we obtain (41) for the expected cost constraint.
Privacy-leakage Rate: We apply similar steps as in Appendix B and obtain

$$\Delta \ge \frac{1}{n} \Big[ \sum_{i=1}^n I(X_i; V_i, A_i, Y_i) - I(X_i; Y_i|U_i, A_i) + I(X_i; Z_i|U_i, A_i) - n\,{}_{n} - n\delta_n \Big].$$

Storage Rate: We have

$$\begin{aligned}
n(R_w + \delta_n) &\ge \log|\mathcal{W}^{(n)}| \ge H(W) \overset{(a)}{=} H(W) + H(A^n|W) = H(A^n) + H(W|A^n) \\
&\overset{(b)}{\ge} H(A^n) - H(A^n|X^n, Z^n) + H(A^n|X^n, Z^n) + H(W|A^n, Y^n) - H(W|A^n, X^n, Y^n, Z^n) + H(W|A^n, X^n) \\
&= H(X^n, Z^n) - H(X^n, Z^n|A^n) + H(A^n|X^n, Z^n) + H(X^n, Z^n|A^n, Y^n) - H(X^n, Z^n|A^n, Y^n, W) + H(W|A^n, X^n) \\
&= H(X^n) + H(Z^n|X^n) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) - H(Z^n|X^n, A^n) + H(A^n|X^n, Z^n) \\
&\quad - H(X^n, Z^n|A^n, Y^n, W, K) - I(X^n, Z^n; K|A^n, Y^n, W) + H(W|A^n, X^n) \\
&= H(X^n) + I(Z^n; A^n|X^n) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) + H(A^n|X^n, Z^n) \\
&\quad - H(X^n, Z^n|A^n, Y^n, W, K) - H(K|A^n, Y^n, W) + H(K|A^n, Y^n, W, X^n, Z^n) + H(W|A^n, X^n) \\
&\overset{(c)}{=} H(X^n) + H(W, A^n, K|X^n) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) - H(X^n, Z^n|A^n, Y^n, W, K) - H(K|A^n, Y^n, W) \\
&\overset{(d)}{\ge} H(X^n) + H(K) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) - H(X^n, Z^n|A^n, Y^n, W, K) - H(K|A^n, Y^n, W) \\
&\ge H(X^n) - H(Y^n|A^n) + H(Y^n, Z^n|X^n, A^n) - H(X^n, Z^n|A^n, Y^n, W, K) + H(K|A^n, Z^n, W) - H(K|A^n, Y^n, W) \\
&\ge \sum_{i=1}^n H(X_i) - H(Y_i|A_i) + H(Y_i, Z_i|X_i, A_i) - H(X_i, Z_i|A^n, Y^n, W, K, X^{i-1}, Z^{i-1}) \\
&\quad + I(K; Y_i|W, A^n, Y_{i+1}^n) - I(K; Z_i|W, A^n, Z^{i-1}) \\
&\overset{(e)}{=} \sum_{i=1}^n H(X_i) - H(Y_i|A_i) + H(Y_i, Z_i|X_i, A_i) - H(X_i, Z_i|A^n, Y^n, W, K, X^{i-1}, Z^{i-1}) \\
&\quad + I(K; Y_i|W, A^n, Y_{i+1}^n, Z^{i-1}) - I(K; Z_i|W, A^n, Y_{i+1}^n, Z^{i-1}) \\
&\overset{(f)}{\ge} \sum_{i=1}^n H(X_i) - H(Y_i|A_i) + H(Y_i|X_i, A_i, Z_i) + H(Z_i|X_i, A_i) - H(X_i, Z_i|A_i, Y_i, V_i) \\
&\quad + I(V_i; Y_i|A_i, U_i) - I(V_i; Z_i|A_i, U_i) \\
&\ge \sum_{i=1}^n I(X_i; A_i) + I(V_i; X_i|Y_i, A_i) + I(V_i; Y_i|A_i, U_i) - I(V_i; Z_i|A_i, U_i) \\
&\overset{(g)}{=} \sum_{i=1}^n I(X_i; A_i, V_i) - I(U_i; Y_i|A_i) - I(V_i; Z_i|A_i, U_i)
\end{aligned}$$

where $(a)$ follows from the deterministic action encoder, $(b)$ follows from the Markov chain $W - (A^n, X^n) - (Y^n, Z^n)$, $(c)$ follows from the Markov chain $(K, W) - (A^n, X^n) - (Y^n, Z^n)$, $(d)$ follows because the embedded key $K$ is independent of $X^n$, and $(e)$ follows from Csiszár's sum identity. We use the definitions of $U_i$ and $V_i$ in $(f)$, and $(g)$ follows because $U_i - V_i - (A_i, X_i) - (Y_i, Z_i)$ forms a Markov chain for all $i = 1, 2, \ldots, n$.

The converse follows by applying the standard time-sharing argument and letting $\delta_n \to 0$.

Cardinality Bounds: We use the support lemma and satisfy the Markov condition $U - V - (A, X) - (Y, Z)$. We therefore preserve $P_{XA}$ by using $|\mathcal{X}||\mathcal{A}| - 1$ elements. The bound in (11) for the storage rate can be written as

$$I(X;A,V) - I(U;Y|A) - I(V;Z|A,U) = I(X;A) + I(V;X|A,Y) + I(V;Y|A,U) - I(V;Z|A,U).$$

We thus have to preserve three more expressions, i.e., $I(V;Y|A,U) - I(V;Z|A,U)$, $H(X|U,V,A,Y)$, and $I(X;Z|A,U) - I(X;Y|A,U)$. One can therefore preserve all expressions in Theorem 2 by using an auxiliary random variable $U$ with $|\mathcal{U}| \le |\mathcal{X}||\mathcal{A}| + 2$ and, similarly, $V$ with $|\mathcal{V}| \le (|\mathcal{X}||\mathcal{A}| + 2)(|\mathcal{X}||\mathcal{A}| + 1)$.

PROOF OF THEOREM 3

E. Proof of Achievability

Consider the codebook generation, encoding, and decoding steps of the generated-secret model with a visible source.
Fix $P_{A|\widetilde{X}}$, $P_{V|\widetilde{X}A}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \le C/(1 + \,)$. We apply the steps in Appendix A after replacing every $X$ with $\widetilde{X}$ and every realization $x^n$ with $\tilde{x}^n$. These replacements guarantee that $(\widetilde{X}^n, A^n, U^n, V^n, Y^n)$ are jointly typical with high probability due to standard arguments used in Appendix A for error analysis. The Markov lemma [24] then ensures that $(X^n, \widetilde{X}^n, A^n, U^n, V^n, Y^n)$ are also jointly typical with high probability.

Action Cost: The typical average lemma shows that the expected cost constraint is satisfied with high probability.

Storage Rate: After replacing $X$ with $\widetilde{X}$ in Appendix A, the total storage rate in this case is $R_w = I(\widetilde{X}; A) + I(V; \widetilde{X}|A, Y) + 6\delta$ because $U - V - (A, \widetilde{X}) - (A, X) - (Y, Z)$ forms a Markov chain.

Privacy-leakage Rate: Consider the leakage about the hidden source averaged over the random codebook $\mathcal{C}_n$.

$$\begin{aligned}
&I(X^n; W_a, W_u, W_v, Z^n|\mathcal{C}_n) \le I(X^n; W_a, W_u, M', W_v, Z^n|\mathcal{C}_n) = I(X^n; W_a, M, W_v, Z^n|\mathcal{C}_n) \\
&= H(X^n|\mathcal{C}_n) - H(X^n, W_a, M, W_v, Z^n|\mathcal{C}_n) + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&\overset{(a)}{=} -H(Z^n|X^n, \mathcal{C}_n) - H(W_a, A^n, M, W_v|X^n, Z^n, \mathcal{C}_n) + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&= -H(Z^n|X^n, A^n, \mathcal{C}_n) - I(A^n; Z^n|X^n, \mathcal{C}_n) - H(A^n|X^n, Z^n, \mathcal{C}_n) - H(W_a, M, W_v|X^n, Z^n, A^n, \mathcal{C}_n) \\
&\quad + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&\overset{(b)}{=} -H(Z^n|X^n, A^n) - H(A^n|X^n, \mathcal{C}_n) - H(W_a, M, W_v, W|X^n, Z^n, A^n, \mathcal{C}_n) \\
&\quad + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&= -H(Z^n|X^n, A^n) - H(A^n|X^n, \mathcal{C}_n) - H(W_a, M, W_v, W, V^n|X^n, Z^n, A^n, \mathcal{C}_n) \\
&\quad + H(V^n|X^n, Z^n, A^n, W_a, M, W_v, W, \mathcal{C}_n) + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&\overset{(c)}{\le} -H(Z^n|X^n, A^n) - H(A^n|X^n, \mathcal{C}_n) - H(V^n|X^n, Z^n, A^n, \mathcal{C}_n) + n\,{}_{n} \\
&\quad + H(W_a, M, W_v|\mathcal{C}_n) + H(Z^n|W_a, M, W_v, \mathcal{C}_n) \\
&\overset{(d)}{\le} -H(Z^n|X^n, A^n) - H(V^n, A^n|X^n, \mathcal{C}_n) + H(W_a|\mathcal{C}_n) + H(M|\mathcal{C}_n) + H(W_v|\mathcal{C}_n) \\
&\quad + H(Z^n|A^n, U^n, \mathcal{C}_n) + n\,{}_{n} \\
&\overset{(e)}{\le} -H(Z^n|X^n, A^n) - n[H(V,A|X) - H(V,A|\widetilde{X}) - 2\delta] + H(W_a|\mathcal{C}_n) + H(M|\mathcal{C}_n) + H(W_v|\mathcal{C}_n) \\
&\quad + H(Z^n|A^n, U^n, \mathcal{C}_n) + n\,{}_{n} \\
&\overset{(f)}{\le} n[-H(Z|X,A) - H(V,A|X) + H(V,A|\widetilde{X}) + 7\delta + I(\widetilde{X}; A) + I(\widetilde{X}; U|A) \\
&\quad + I(V; \widetilde{X}|A,U) - I(V;Y|A,U) + H(Z|A,U) + {}_{n}] \\
&\overset{(g)}{=} n[I(\widetilde{X}; V, A) - H(V,A|X) + H(V,A|\widetilde{X}) - I(V;Y|A,U) + I(X;Z|A,U) + \delta^{(3)}] \\
&= n[I(X; V, A) - I(V;Y|A,U) + I(X;Z|A,U) + \delta^{(3)}] \\
&\overset{(h)}{=} n[I(X;A,V,Y) - (I(X;Y|A,U) - I(X;Z|A,U)) + \delta^{(3)}] \\
&\le n[\Delta + \delta^{(3)}]
\end{aligned} \tag{44}$$

if $\Delta \ge I(X;A,V,Y) - (I(X;Y|A,U) - I(X;Z|A,U))$, where

$(a)$ follows since given $\mathcal{C}_n$, $W_a$ determines $A^n$,

$(b)$ follows since $Z^n - (X^n, A^n) - \mathcal{C}_n$ forms a Markov chain and $(W_a, W_u, W_v)$ determine the helper data $W$,

$(c)$ follows from the Markov chain $V^n - (X^n, A^n, W, \mathcal{C}_n) - Y^n$ and Fano's inequality applied as

$$H(V^n|X^n, Z^n, A^n, W_a, M, W_v, W, \mathcal{C}_n) \le H(V^n|X^n, A^n, W, \mathcal{C}_n) \le H(V^n|Y^n, A^n, W, \mathcal{C}_n) \le n\,{}_{n},$$

$(d)$ follows from the Markov chain $V^n - (X^n, A^n, \mathcal{C}_n) - Z^n$ and from the facts that given the codebook, $W_a$ determines $A^n$ and $(W_a, M)$ determine $U^n$,

$(e)$ follows from the following inequality

$$\begin{aligned}
H(V^n, A^n|X^n, \mathcal{C}_n) &= H(A^n|X^n, \mathcal{C}_n) + H(V^n|X^n, A^n, \widetilde{X}^n, \mathcal{C}_n) + I(V^n; \widetilde{X}^n|X^n, A^n, \mathcal{C}_n) \\
&\ge H(\widetilde{X}^n, A^n|X^n, \mathcal{C}_n) - H(\widetilde{X}^n|X^n, A^n, V^n, \mathcal{C}_n) \\
&\overset{(a)}{\ge} H(\widetilde{X}^n|X^n) - H(\widetilde{X}^n|X^n, A^n, V^n, \mathcal{C}_n) \\
&\overset{(b)}{\ge} n[H(\widetilde{X}|X) - H(\widetilde{X}|X, A, V) - 2\delta] \\
&\overset{(c)}{=} n[H(V,A|X) - H(V,A|\widetilde{X}) - 2\delta]
\end{aligned}$$
where $(a)$ follows since $\widetilde{X}^n - X^n - \mathcal{C}_n$ forms a Markov chain, $(b)$ follows by applying Lemma 5 to bound the term $H(\widetilde{X}^n|X^n)$ and Lemma 6 to bound the term $H(\widetilde{X}^n|X^n, A^n, V^n, \mathcal{C}_n)$, and $(c)$ follows due to the Markov chain $(V, A) - \widetilde{X} - X$,

$(f)$ follows from the codebook generation, from the memoryless property of the source and side information channels, from Lemma 5 applied to $H(Z^n|X^n, A^n)$, and from Lemma 6 applied to $H(Z^n|A^n, U^n, \mathcal{C}_n)$,

$(g)$ follows from the Markov chains $U - (V, A) - \widetilde{X}$ and $U - (A, X) - Z$,

$(h)$ follows from the Markov chain $U - V - (A, X) - Y$.

Secrecy-leakage Rate: The secrecy-leakage rate analysis follows by replacing every $X^n$ in Appendix A with $\widetilde{X}^n$ when bounding the term $H(A^n, U^n, V^n, Z^n|\mathcal{C}_n)$ since, this time, $(U^n, V^n, \mathcal{C}_n) - (A^n, \widetilde{X}^n) - Z^n$ and $U - V - (A, \widetilde{X}) - (Y, Z)$ form Markov chains. Use

$$\begin{aligned}
H(Z^n|\widetilde{X}^n, A^n, \mathcal{C}_n) &= H(Z^n|\widetilde{X}^n, A^n, X^n, \mathcal{C}_n) + I(Z^n; X^n|\widetilde{X}^n, A^n, \mathcal{C}_n) \\
&\overset{(a)}{=} H(Z^n|A^n, X^n) + H(X^n|\widetilde{X}^n) - H(X^n|\widetilde{X}^n, A^n, Z^n, \mathcal{C}_n) \\
&\overset{(b)}{\ge} n(H(Z|A,X) + H(X|\widetilde{X}) - 2\delta) - H(X^n|\widetilde{X}^n, A^n, Z^n, \mathcal{C}_n) \\
&\overset{(c)}{\ge} n(H(Z|A,X) + H(X|\widetilde{X}, A) - H(X|\widetilde{X}, A, Z) - 3\delta) \\
&\overset{(d)}{=} n(H(Z|\widetilde{X}, A) - 3\delta)
\end{aligned}$$

where $(a)$ follows because $Z^n - (A^n, X^n) - (\widetilde{X}^n, \mathcal{C}_n)$ and $X^n - \widetilde{X}^n - (A^n, \mathcal{C}_n)$ form Markov chains, $(b)$ follows by applying Lemma 5 to bound the terms $H(Z^n|A^n, X^n)$ and $H(X^n|\widetilde{X}^n)$ because $Z^n$ is i.i.d. $\sim P_{Z|XA}$ and $X^n$ is i.i.d. $\sim P_{X|\widetilde{X}}$, $(c)$ follows from the Markov chain $X - \widetilde{X} - A$ and by applying Lemma 6 to bound the term $H(X^n|\widetilde{X}^n, A^n, Z^n, \mathcal{C}_n)$, and $(d)$ follows from the Markov chain $Z - (A, X) - \widetilde{X}$. We thus obtain

$$I(W_k; W_a, W_u, W_v, Z^n|\mathcal{C}_n) \le n\delta^{(4)}. \tag{45}$$

Secret-key Rate: Using the codebook generation in Appendix A and the fact that now $V - (A, \widetilde{X}, U) - Y$ forms a Markov chain, it is straightforward to show that

$$H(W_k|\mathcal{C}_n) \ge n[I(V;Y|A,U) - I(V;Z|A,U) - \delta^{(3)}] \ge n(R_k - \delta^{(3)}) \tag{46}$$

if $R_k \le I(V;Y|A,U) - I(V;Z|A,U)$.

Using the random coding argument, we have that a tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ that satisfies (13)-(15) for some $P_{A|\widetilde{X}}$, $P_{V|\widetilde{X}A}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \le C$ is achievable.

F. Proof of Converse

Use the definitions of $U_i$ and $V_i$ given in Appendix B so that $U_i - V_i - (A_i, \widetilde{X}_i) - (A_i, X_i) - (Y_i, Z_i)$ forms a Markov chain for all $i = 1, 2, \ldots, n$.

Storage Rate: Replace every $X^n$ with $\widetilde{X}^n$ and every $X_i$ with $\widetilde{X}_i$ for all $i = 1, 2, \ldots, n$ in Appendix B and apply similar steps to obtain

$$R_w \ge \frac{1}{n} \Big[ \sum_{i=1}^n I(\widetilde{X}_i; A_i) + I(V_i; \widetilde{X}_i|A_i, Y_i) - n\,{}_{n} - n\delta_n \Big].$$

Privacy-leakage Rate: We apply similar steps as in Appendix B. It is also straightforward to show that $(W, K, A^{n \setminus i}, X^{n \setminus i}, Y_{i+1}^n, Z^{i-1}) - (A_i, X_i) - (Y_i, Z_i)$, $(X_i, W, K, A_i^n, Y_i^n) - (A^{i-1}, X^{i-1}) - (Z^{i-1}, Y^{i-1})$, and $U_i - (A_i, X_i) - (Y_i, Z_i)$ form Markov chains for all $i = 1, 2, \ldots, n$ also for a hidden source. We thus obtain

$$\Delta \ge \frac{1}{n} \Big[ \sum_{i=1}^n I(X_i; A_i, V_i, Y_i) - I(X_i; Y_i|A_i, U_i) + I(X_i; Z_i|A_i, U_i) - n\,{}_{n} - n\delta_n \Big].$$

Secret-key Rate: The converse is similar to the converse for a visible source with the generated-secret model. By applying similar steps as in Appendix B, we obtain

$$R_k \le \frac{1}{n} \Big[ \sum_{i=1}^n I(V_i; Y_i|A_i, U_i) - I(V_i; Z_i|A_i, U_i) + 3n\delta_n \Big].$$

Action Cost: We obtain (41) for the expected cost constraint.
The converse follows by applying the standard time-sharing argument and letting $\delta_n \to 0$.

Cardinality Bounds: We use the support lemma and satisfy the Markov condition $U - V - (A, \widetilde{X}) - (A, X) - (Y, Z)$, so we preserve $P_{\widetilde{X}A}$ by using $|\widetilde{\mathcal{X}}||\mathcal{A}| - 1$ real-valued continuous functions. We have to preserve four more expressions, i.e., $I(V; Y | A, U) - I(V; Z | A, U)$, $H(\widetilde{X} | U, V, A, Y)$, $H(X | U, V, A, Y)$, and $I(X; Z | A, U) - I(X; Y | A, U)$. One can therefore preserve all expressions in Theorem 3 by using an auxiliary random variable $U$ with $|\mathcal{U}| \leq |\mathcal{X}||\mathcal{A}| + 3$ and, similarly, $V$ with $|\mathcal{V}| \leq (|\mathcal{X}||\mathcal{A}| + 3)(|\mathcal{X}||\mathcal{A}| + 2)$.

PROOF OF THEOREM 4

G. Proof of Achievability

Fix $P_{A|\widetilde{X}}$, $P_{V|\widetilde{X}A}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \leq C/(1 + \epsilon)$. We use the achievability proof of Theorem 3. Suppose the key $K' = W_{k'}$ generated as in the generated-secret model for a hidden source has the same cardinality as the embedded key $K = W_k$, i.e., $|\mathcal{K}'| = |\mathcal{K}|$. Consider an encoder $f_4^{(n)}$ with inputs $(\widetilde{X}^n, K)$ and outputs $W = (K' + K, W')$. Similarly, consider a decoder $g^{(n)}$ with inputs $(Y^n, W)$ and output $\hat{K} = K' + K - \hat{K}'$, where the addition and subtraction operations are modulo-$|\mathcal{K}|$. Note that the decoder of the generated-secret model for a hidden source is used at the decoder to obtain $\hat{K}'$.

Error Probability: We obtain (42), which is small due to the proof of achievability for Theorem 3.

Action Cost: Similar to Appendix E, one can show that the expected cost constraint is satisfied with high probability by using the typical average lemma.
Privacy-leakage Rate: We have

$$
\begin{aligned}
&I(X^n; W_{a'}, W_{u'}, W_{v'}, W_k + W_{k'}, Z^n | \mathcal{C}_n) \\
&\leq I(X^n; W_{a'}, W_{u'}, W_{v'}, Z^n | \mathcal{C}_n) + \log|\mathcal{K}| - H(W_k + W_{k'} | W_{a'}, W_{u'}, W_{v'}, Z^n, X^n, W_{k'}, \mathcal{C}_n) \\
&\overset{(a)}{\leq} n\big[I(X; A, V, Y) - \big(I(X; Y | A, U) - I(X; Z | A, U)\big) + \delta^{(3)}\big] \\
&\leq n\big[\Delta + \delta^{(3)}\big]
\end{aligned}
$$

if $\Delta \geq I(X; A, V, Y) - (I(X; Y | A, U) - I(X; Z | A, U))$, where $(a)$ follows because $K = W_k$ is independent of other random variables, and from uniformity of $W_k$ and (44).

Secrecy-leakage Rate: We obtain

$$
\begin{aligned}
&I(W_k; W_{a'}, W_{u'}, W_{v'}, W_k + W_{k'}, Z^n | \mathcal{C}_n) \\
&= I(W_k; W_{a'}, W_{u'}, W_{v'}, Z^n | \mathcal{C}_n) + I(W_k; W_k + W_{k'} | W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) \\
&\overset{(a)}{=} H(W_k + W_{k'} | W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) - H(W_{k'} | W_{a'}, W_{u'}, W_{v'}, Z^n, \mathcal{C}_n) \\
&\leq \log|\mathcal{K}| - H(W_{k'}) + I(W_{k'}; W_{a'}, W_{u'}, W_{v'}, Z^n | \mathcal{C}_n) \\
&\overset{(b)}{\leq} n\big(\delta_n + \delta^{(4)}\big)
\end{aligned}
$$

where $(a)$ follows because $K = W_k$ is independent of other random variables and $(b)$ follows by (45) and (46).

Secret-key Rate: Observe that

$$
H(W_k | \mathcal{C}_n) = \log|\mathcal{K}| \geq H(W_{k'} | \mathcal{C}_n) \overset{(a)}{\geq} n\big(I(Y; V | A, U) - I(Z; V | A, U) - \delta^{(3)}\big) \geq n\big(R_k - \delta^{(3)}\big) \tag{47}
$$

if $R_k \leq I(V; Y | A, U) - I(V; Z | A, U)$, where $(a)$ follows by (46).

Storage Rate: The storage rate is the sum of the storage $R_{w'}$ for a hidden source with the generated-secret model and for $K' + K$. We obtain

$$
\begin{aligned}
R_w &\leq R_{w'} + \frac{1}{n}\log|\mathcal{K}| \\
&\overset{(a)}{=} I(\widetilde{X}; A) + I(V; \widetilde{X} | A, Y) + 6\delta + R_k \\
&\overset{(b)}{\leq} I(\widetilde{X}; A) + I(V; \widetilde{X} | A, Y) + 6\delta + I(V; Y | A, U) - I(V; Z | A, U) \\
&\overset{(c)}{=} I(\widetilde{X}; A, V) - I(U; Y | A) - I(V; Z | A, U) + 6\delta
\end{aligned}
$$

where $(a)$ follows from the storage rate for a hidden source with the generated-secret model, $(b)$ follows by (47), and $(c)$ follows from the Markov chain $U - V - (A, \widetilde{X}) - (Y, Z)$.
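The masking step of this construction, W = (K' + K, W') with decoder output K' + K − K̂' modulo |K|, is shown below as an added example that is not code from the paper. The generated-secret encoder and decoder are replaced by a toy repetition-code stand-in (an assumption; the proof uses random codebooks), all function names are hypothetical, and `mask_leakage_bits` computes I(K; K + K') exactly, which equals log|K| − H(K'), the quantity the secrecy-leakage step bounds.

```python
import math
import random

KEY_BITS = 4              # toy key alphabet: |K| = 2**KEY_BITS (assumption)
MOD = 1 << KEY_BITS
REP = 7                   # repetition length of the stand-in generated-secret scheme

def gen_enroll(x):
    """Stand-in generated-secret encoder: returns (K', W') from enrollment bits x."""
    blocks = [x[i * REP:(i + 1) * REP] for i in range(KEY_BITS)]
    k_prime = sum(b[0] << i for i, b in enumerate(blocks))
    w_prime = [[bit ^ b[0] for bit in b] for b in blocks]  # offsets to the repetition codeword
    return k_prime, w_prime

def gen_decode(y, w_prime):
    """Stand-in generated-secret decoder: majority vote per block estimates K'."""
    est = 0
    for i, offs in enumerate(w_prime):
        votes = sum(y[i * REP + j] ^ o for j, o in enumerate(offs))
        est |= (votes > REP // 2) << i
    return est

def embed_enroll(x, k):
    """Embedded-key encoder: W = (K' + K mod |K|, W')."""
    k_prime, w_prime = gen_enroll(x)
    return ((k_prime + k) % MOD, w_prime)

def embed_decode(y, w):
    """Embedded-key decoder: K_hat = (K' + K) - K_hat' mod |K|."""
    masked, w_prime = w
    return (masked - gen_decode(y, w_prime)) % MOD

def mask_leakage_bits(p_kprime):
    """Exact I(K; K + K' mod |K|) in bits, K uniform and independent of K' ~ p_kprime."""
    m = len(p_kprime)
    joint = {}                                   # P(K = k, K + K' = s)
    for k in range(m):
        for kp, p in enumerate(p_kprime):
            if p > 0:
                s = (k + kp) % m
                joint[(k, s)] = joint.get((k, s), 0.0) + p / m
    p_s = [sum(v for (_, s), v in joint.items() if s == t) for t in range(m)]
    return sum(v * math.log2(v / ((1 / m) * p_s[s])) for (_, s), v in joint.items())

def demo(seed=1, flips=2):
    """Enroll a constructed identifier, flip measurement bits, recover the embedded key."""
    rng = random.Random(seed)
    x = [rng.getrandbits(1) for _ in range(KEY_BITS * REP)]   # constructed sample input
    k = rng.randrange(MOD)
    w = embed_enroll(x, k)
    y = list(x)
    for i in range(KEY_BITS):                    # `flips` errors per block, at most REP // 2
        for j in rng.sample(range(REP), flips):
            y[i * REP + j] ^= 1
    return k, embed_decode(y, w)
```

A uniform K' gives zero leakage from the masked value, while a biased K' leaks exactly log|K| − H(K') bits, which is why the proof needs the generated key to be nearly uniform via (46).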
Using the random coding argument, we have that a tuple $(R_k, R_w, \Delta, C) \in \mathbb{R}_+^4$ that satisfies (16)-(18) for some $P_{A|\widetilde{X}}$, $P_{V|\widetilde{X}A}$, and $P_{U|V}$ such that $\mathbb{E}[\Gamma(A)] \leq C$ is achievable.

H. Proof of Converse

Use the definitions of $U_i$ and $V_i$ given in Appendix B so that $U_i - V_i - (A_i, \widetilde{X}_i) - (A_i, X_i) - (Y_i, Z_i)$ forms a Markov chain for all $i = 1, 2, \ldots, n$.

Secret-key Rate: The converse for the secret-key rate is similar to the converse for a hidden source with the generated-secret model. We obtain

$$
R_k \leq \frac{1}{n}\Big[\sum_{i=1}^{n} I(V_i; Y_i | A_i, U_i) - I(V_i; Z_i | A_i, U_i) + 3n\delta_n\Big].
$$

Action Cost: Similar to Appendix F, we obtain (41) for the expected cost constraint.

Privacy-leakage Rate: We apply similar steps to Appendix F. It is straightforward to show that $(W, K, A^{n \setminus i}, X^{n \setminus i}, Y_{i+1}^{n}, Z^{i-1}) - (A_i, X_i) - (Y_i, Z_i)$, $(X_i, W, K, A_i^n, Y_i^n) - (A^{i-1}, X^{i-1}) - (Z^{i-1}, Y^{i-1})$, and $U_i - (A_i, X_i) - (Y_i, Z_i)$ form Markov chains for all $i = 1, 2, \ldots, n$ also for a hidden source and an embedded secret key $K$. We thus obtain

$$
\Delta \geq \frac{1}{n}\Big[\sum_{i=1}^{n} I(X_i; A_i, V_i, Y_i) - I(X_i; Y_i | A_i, U_i) + I(X_i; Z_i | A_i, U_i) - n\epsilon_n - n\delta_n\Big].
$$

Storage Rate: This time, we apply similar steps as in Appendix D. Replace every sequence $X^n$ with $\widetilde{X}^n$ and every $X_i$ with $\widetilde{X}_i$ for all $i = 1, 2, \ldots, n$. Using similar steps as in Appendix D, and the facts that $U_i - V_i - (A_i, \widetilde{X}_i) - (Y_i, Z_i)$ for all $i = 1, 2, \ldots, n$ and $(K, W) - (A^n, \widetilde{X}^n) - (Y^n, Z^n)$ form Markov chains, we obtain

$$
R_w \geq \frac{1}{n}\Big[\sum_{i=1}^{n} I(\widetilde{X}_i; A_i, V_i) - I(U_i; Y_i | A_i) - I(V_i; Z_i | A_i, U_i) - n\delta_n\Big].
$$

The converse follows by applying the standard time-sharing argument and letting $\delta_n \to 0$.

Cardinality Bounds: We use the support lemma.
One has to satisfy the Markov condition $U - V - (A, \widetilde{X}) - (A, X) - (Y, Z)$. We therefore preserve $P_{\widetilde{X}A}$ by using $|\widetilde{\mathcal{X}}||\mathcal{A}| - 1$ real-valued continuous functions. The bound in (17) can be written as

$$
I(\widetilde{X}; A, V) - I(U; Y | A) - I(V; Z | A, U) = I(\widetilde{X}; A) + I(\widetilde{X}; V | A, Y) + I(V; Y | A, U) - I(V; Z | A, U).
$$

We therefore have to preserve four more expressions, i.e., $I(V; Y | A, U) - I(V; Z | A, U)$, $H(\widetilde{X} | U, V, A, Y)$, $H(X | U, V, A, Y)$, and $I(X; Z | A, U) - I(X; Y | A, U)$. One can therefore preserve all expressions in Theorem 4 by using an auxiliary random variable $U$ with $|\mathcal{U}| \leq |\mathcal{X}||\mathcal{A}| + 3$ and, similarly, $V$ with $|\mathcal{V}| \leq (|\mathcal{X}||\mathcal{A}| + 3)(|\mathcal{X}||\mathcal{A}| + 2)$.

Onur Günlü (S’10) received the B.Sc. degree in electrical and electronics engineering from Bilkent University, Ankara, in 2011, and the M.Sc. degree in communications engineering from the Technical University of Munich (TUM), Munich, in 2013, where he is currently pursuing the Dr.-Ing. degree. He is a Research and Teaching Assistant with TUM. In 2018, he was visiting the Information and Communication Theory Lab, TU Eindhoven, The Netherlands. His research interests include information theoretic privacy and security, code design for secret key generation from the source model, statistical signal processing for biometric secrecy systems and physical unclonable functions (PUFs).

Kittipong Kittichokechai (S’10–M’15) received the B.Eng.
degree in electrical engineering from Chulalongkorn University, Thailand, in 2007, and the M.Sc. and Ph.D. degrees in electrical engineering from the KTH Royal Institute of Technology, Sweden, in 2009 and 2014, respectively. In 2012, he was a Visiting Scholar at the Information Systems Laboratory (ISL), Stanford University, USA. From 2014 to 2016, he was a Post-Doctoral Researcher with Technische Universität Berlin, Germany. Since 2016, he has been a Researcher with Ericsson Research, Stockholm, Sweden, where he has been contributing to the development of new communication technologies of 5G. His research interests include network information theory, information theoretic security and privacy, distributed detection, and their applications in wireless communications. K. Kittichokechai was a recipient of the Ananda Mahidol Foundation Scholarship under the Royal Patronage of His Majesty the King of Thailand.

Rafael F. Schaefer (S’08–M’12–SM’17) received the Dipl.-Ing. degree in electrical engineering and computer science from Technische Universität Berlin, Germany, in 2007, and the Dr.-Ing. degree in electrical engineering from Technische Universität München, Germany, in 2012. From 2007 to 2010, he was a Research and Teaching Assistant with Technische Universität Berlin and from 2010 to 2013, with Technische Universität München. From 2013 to 2015, he was a Post-Doctoral Research Fellow with Princeton University. Since 2015, he has been an Assistant Professor with Technische Universität Berlin. Among his publications is the recent book Information Theoretic Security and Privacy of Information Systems (Cambridge University Press, 2017). He is an Associate Member of the IEEE Information Forensics and Security Technical Committee. He was a recipient of the VDE Johann-Philipp-Reis Prize in 2013. He received the best paper award of the German Information Technology Society (ITG-Preis) in 2016.
He was one of the exemplary reviewers of the IEEE COMMUNICATION LETTERS in 2013. He is currently an Associate Editor of the IEEE TRANSACTIONS ON COMMUNICATIONS.

Giuseppe Caire (S’92–M’94–SM’03–F’05) was born in Torino, Italy, in 1965. He received the B.Sc. in electrical engineering from the Politecnico di Torino, Italy, in 1990, the M.Sc. in electrical engineering from Princeton University in 1992, and the Ph.D. from the Politecnico di Torino in 1994. He was a Post-Doctoral Research Fellow with the European Space Agency, ESTEC, Noordwijk, The Netherlands, from 1994 to 1995, an Assistant Professor in telecommunications with the Politecnico di Torino, an Associate Professor with the University of Parma, Italy, a Professor with the Department of Mobile Communications, Eurecom Institute, Sophia-Antipolis, France, a Professor of electrical engineering with the Viterbi School of Engineering, University of Southern California, Los Angeles, CA, USA, and is currently an Alexander von Humboldt Professor with the Electrical Engineering and Computer Science Department, Technische Universität Berlin, Germany. His main research interests include communications theory, information theory, channel and source coding with particular focus on wireless communications. He served as Associate Editor for the IEEE TRANSACTIONS ON COMMUNICATIONS from 1998 to 2001 and as Associate Editor for the IEEE TRANSACTIONS ON INFORMATION THEORY from 2001 to 2003. He received the Jack Neubauer Best System Paper Award from the IEEE Vehicular Technology Society in 2003, the IEEE Communications Society & Information Theory Society Joint Paper Award in 2004 and in 2011, the Okawa Research Award in 2006, the Alexander von Humboldt Professorship in 2014, and the Vodafone Innovation Prize in 2015. Giuseppe Caire is a Fellow of IEEE since 2005.
He has served on the Board of Governors of the IEEE Information Theory Society from 2004 to 2007, and as an officer from 2008 to 2013. He was President of the IEEE Information Theory Society in 2011.