Generalizing Multiple Access Wiretap and Wiretap II Channel Models: Achievable Rates and Cost of Strong Secrecy

# Generalizing Multiple Access Wiretap and Wiretap II Channel Models: Achievable Rates and Cost of Strong Secrecy

Mohamed Nafea   and Aylin Yener
Wireless Communications and Networking Laboratory (WCAN)
Electrical Engineering Department
The Pennsylvania State University, University Park, PA 16802.
mnafea@psu.edu   yener@engr.psu.edu
This work was supported in part by NSF Grant CNS 13-14719. This paper was presented in part at the 2016 IEEE International Symposium on Information Theory [1] and the 2016 IEEE Information Theory Workshop [2].
###### Abstract

In this paper, new two-user multiple access wiretap channel models are studied. First, the multiple access wiretap channel II with a discrete memoryless main channel, under three different wiretapping scenarios, is introduced. The wiretapper, as in the classical wiretap channel II model, chooses a fixed-length subset of the channel uses on which she obtains noise-free observations of one of the codewords, a superposition of the two codewords, or each of the two codewords. These thus extend the recently examined wiretap channel II with a noisy main channel to a multiple access setting with a variety of attack models for the wiretapper. Next, a new multiple access wiretap channel model, which further generalizes the multiple access wiretap channel II under the third wiretapping scenario, i.e., that which features the strongest adversarial model, is proposed. In this model, the wiretapper, besides choosing a subset of the channel uses to noiselessly observe the transmitted codeword symbols of both users, observes the remainder of the two codewords through a discrete memoryless multiple access channel. Achievable strong secrecy rate regions for all the proposed models are derived. Achievability is established by solving dual multi-terminal secret key agreement problems in the source model, and converting the solution to the original channel models using probability distribution approximation arguments. The derived achievable rate regions quantify the secrecy cost due to the additional capabilities of the wiretapper with respect to the previous multiple access wiretap models.

## I Introduction

The wiretap channel II, in which the legitimate terminals communicate over a noiseless channel while the wiretapper has perfect access to a fixed fraction of her choosing of the transmitted bits, was introduced in [3]. This model, while similar to a classical wiretap channel [4] with a noiseless main channel and a binary erasure channel to the wiretapper, models a more capable wiretapper who is able to select the positions of erasures. Using random partitioning and combinatorial arguments, [3] has shown that the secrecy capacity of the wiretap channel II model does not decrease if the wiretapper is a passive observer with a binary erasure channel whose erasures are randomly chosen by nature, demonstrating the immunity of wiretap coding against a more capable adversary who is able to choose the erasure positions.

Considerable amount of research on practical code design for secrecy has been motivated by the coset coding scheme devised in [3], see for example [5, 6, 7, 8, 9]. However, for several decades, there has been no effort for generalizing the wiretap II model outside the special scenario of the noiseless main channel. Recently, [10] has introduced a discrete memoryless main channel to the wiretap channel II model, and derived inner and outer bounds for its capacity-equivocation region. Reference [11] has characterized the secrecy capacity of this model, showing that, once again, the secrecy capacity of the model does not decrease when the more capable wiretapper is replaced with an erasure channel.

More recently, [12] has introduced the generalized wiretap channel and identified its secrecy capacity. In this model, the main channel is a discrete memoryless channel while the wiretapper, besides noiselessly observing a subset of the transmitted codeword symbols of her choice, observes the remainder through a discrete memoryless channel. This new model subsumes both the classical wiretap channel [13] and the wiretap channel II with a discrete memoryless main channel [10] as its special cases. The secrecy capacity of this generalized model quantifies the secrecy penalty of the additional capability at the wiretapper with respect to the previous wiretap models. Investigating the multi-terminal extensions of this new wiretap model is the natural next step, much like what happened with Wyner’s wiretap channel, see for example [14, 15, 16, 17, 18, 19, 20],

In this paper, we thus extend this new wiretap channel model to the multiple access scenario [16]. In particular, we first consider the special case of the multiple access wiretap channel II with a discrete memoryless main channel, and propose three different attack models for the wiretapper. In each of these models, the wiretapper chooses a fixed-length subset of the channel uses and observes erasures outside this subset. In the first wiretapping model, the wiretapper, in each position of the subset, decides to observe either the first or the second user’s symbol. In the second model, the wiretapper observes a noiseless superposition of the two transmitted symbols in the positions of the subset, while in the third model, the wiretapper observes the transmitted symbols of both users.

The first attack model is a setting in which the wiretapper is able to tap one of the two transmissions but not both. For instance, if two transmitters are distant from each other, the wiretapper may need get close to one in order to obtain noise-free observations, and thus is able to tap one at a time. The second attack model mimics a medium that superposes both transmissions (e.g., wireless), where the attacker is close enough to both transmitters. In the third attack model, the wiretapper is able to tap both codewords individually, which can be interpreted as the wiretapper being able to obtain noiseless (partial) side information about both transmitted codewords.

For each of these models, we derive an achievable strong secrecy rate region. Even though the third attack model, in which the wiretapper sees the transmitted symbols of both users, is stronger than the first, the ability of the wiretapper in the first model to choose which user’s symbol to tap into results in identical achievable strong secrecy rate regions for the two models. That is, each transmitter designs their encoding according to the worst case scenario in which the wiretapper chooses to see his symbols in all positions of the subset. The achievable secrecy rate region for the second attack model is shown to be larger than the achievable secrecy rate region for the other two models, demonstrating the intrinsic cooperation introduced by superposition.

After obtaining these insights, we generalize these models by replacing the wiretapper’s erasures with noisy channel outputs as was done in [12] for the single user channel. In particular, we generalize the multiple access wiretap channel II with a discrete memoryless main channel, under the third wiretapping scenario, i.e., the strongest attack model, to the case when the wiretapper observes the remainder of the codewords of both users separately through a discrete memoryless channel. This model also generalizes the multiple access wiretap channel in [15] to the case when the wiretapper is provided with a subset of noiseless observations of her choice for the transmitted symbols of both users. An achievable strong secrecy rate region, which quantifies the secrecy cost of the additional capability of the wiretapper in this model with respect to the multiple access wiretap channel in [15, 21], is derived.

Achievability of the strong secrecy rate regions for all the proposed models is established by muti-terminal extensions of methods in [12, 22, 23]. In particular, for each of the proposed models, a corresponding dual multi-terminal secret key agreement problem in the source model is introduced. In this dual model, two independent sources wish to agree on two indepedent keys with a common decoder in the presence of a compound wiretapping source. We solve the problem in the dual source model, and convert the solution to the original channel model by means of deriving the joint distributions of the two problems to become almost identical, in the total variation distance sense. The technical challenge in the present paper lies in generalizing the tool utilized for establishing secrecy of the key in the dual source model from the single source case, [12, Lemma 2], to the case of two independent sources. This is done by adapting the lemma in order to establish all the corner (extreme) points of the rate region for the two keys, generated at the independent sources, such that the convergence rate for the probability of the two keys being independent from the wiretapper’s observation is doubly-exponential. Time sharing between the resulting corner points produces the desired rate region. This doubly-exponential convergence rate is needed in order to exhaust the exponentially many possible strategies for the wiretapper [11, 12].

The remainder of the paper is organized as follows. Section II describes the channel models considered in this paper. Section III presents the main results. The proofs of the results are presented in Sections IV and V. Section VI concludes the paper.

## Ii Channel Models

We first remark the notation we use throughout the paper. Vectors are denoted by bold lower-case superscripted letters while their components are denoted by lower-case subscripted letters. A similar convention but with upper-case letters is used for random vectors and their components. Vector superscripts are omitted when the dimensions are clear from the context. denotes the Cartesian product of the sets . For random variables (vectors) and their components, we use to denote , where , . We also use for . We use to denote the indicator function of the event . For , denotes the set of integers . We use upper-case letters to denote random111Random probability distribution describes a mapping from the random experiment to the simplex of probability distributions over . probability distributions, e.g., . We use to denote a uniform distribution over the random variable . The argument of the probability distribution is omitted when it is clear from its subscript. and denote the total variation distance and the Kullback-Leibler (K-L) divergence between the two probability distributions and .

Next, we describe the channel models we consider in this paper. In Section II-A, we present the multiple access wiretap channel II with a noisy main channel under the three aforementioned attack models for the wiretapper. Section II-B describes a new multiple access wiretap channel model that generalizes the strongest attack model in Section II-A.

### Ii-a The Multiple Access Wiretap Channel II with a Noisy Main Channel

Consider the channel model in Fig. 1. The main channel is a discrete memoryless channel consisting of two finite input alphabets and , a finite output alphabet , and a transition probability distribution . Each transmitter wishes to reliably communicate an independent message to a common receiver and to keep it secret from the wiretapper. To do so, transmitter maps its message, , uniformly distributed over , into the transmitted codeword using a stochastic encoder, . The receiver observes the sequence and outputs the estimates of the transmitted messages. As shown in Fig. 1, we consider the following three models for the wiretapper channel.

#### Ii-A1 Model 1

This model is described in Fig. 1, when the switch is on position . The wiretapper chooses the subset and the sequence , where . That is, represents the set of positions noiselessly tapped by the wiretapper and represents her sequence of decisions to observe either the first or the second user codeword symbols. We define the fraction of the tapped symbols by the wiretapper as

 α=μn,0≤α≤1. (1)

Let and denote the th elements of the subset and the sequence , where . Let be the set of all possible strategies for the wiretapper, where is defined as

 S≜{(Sp(k),u(k)):Sp∈Sp,u∈{1,2}μ,k=1,2,⋯,μ}. (2)

For , the wiretapper observes , where

 ZS,i={Xj,i,(i,j)∈S?,(i,j)∉S, (3)

and the alphabet .

#### Ii-A2 Model 2

The model is described in Fig. 1, when the switch is on position . The wiretapper chooses the subset , where we redfine the set as

 S≜{S⊆[1:n]:|S|=μ≤n}. (4)

The wiretapper then observes , where

 ZS,i={X1,i+X2,i,i∈S?,,i∉S, (5)

and . That is, the wiretapper observes noiseless superposition of the two users codeword symbols in the positions of the subset , and erasures otherwise. The ratio is defined as in (1). Note that in the definition of the set , we consider natural addition over the alphabets and , i.e., .

#### Ii-A3 Model 3

The model is described in Fig. 1, when the switch is on position . The wiretapper chooses the subset , with defined as in (4), and observes , where

 ZS,i={{X1,i,X2,i},i∈S?,,i∉S, (6)

and . That is, the wiretapper observes the transmitted codeword symbols of both users in the positions of the subset , and erasures otherwise.

Next, we present a generalized multiple access wiretap channel model which extends the strongest attack model in Section II-A3 to the case when the wiretapper sees noisy observations, instead of erasures, outside the subset she chooses.

### Ii-B The Generalized Multiple Access Wiretap Channel

Consider the channel model in Fig. 2. The main channel in this model is identical to the main channel in Section II-A. The wiretapper however chooses the subset , with defined as in (4), and observes , where

 ZS,i={{X1,i,X2,i},i∈SVi,i∉S. (7)

is the -letter output of the discrete memoryless multiple access channel , is a finite alphabet, and .

For the channel models described in Sections II-A and II-B, an channel code consists of two message sets , ; two stochastic encoders , , and a decoder at the receiver. is an achievable strong secrecy rate pair if there exists a sequence of codes, , such that

 limn→∞P(⋃j=1,2(^Wj≠Wj)∣∣Cn)=0, (8) and limn→∞maxS∈SI(W1,W2;ZnS|Cn)=0. (9)

Strong secrecy capacity region for the channel is the supremum of all achievable strong secrecy rate pairs . In the following section, we describe the main results of this paper.

## Iii Main Results

We first present achievable strong secrecy rate regions for the two-user multiple access wiretap channel II with a discrete memoryless main channel, under the attack models for the wiretapper described in Sections II-A1 and II-A2.

###### Theorem 1

For , an achievable strong secrecy rate region for the multiple access wiretap channel II in Fig. 1 under the wiretapper model , , is given by the convex hull of all rate pairs satisfying

 R1 ≤I(U1;Y|U2)−αI(U1;X1), (10) R2 ≤I(U2;Y|U1)−αI(U2;X2), (11) R1+R2 ≤I(U1,U2;Y)−αI(U1,U2;X1,X2), (12)

for some distribution which satisfies the Markov chains and .

###### Remark 1

The achievable strong secrecy rate region for the wiretapper model in Theorem 1 is identical to the achievable region for the more capable wiretapper in model , see Corollary 1. When the wiretapper has the ability of choosing to observe either symbol in every tapped position, each user ought to design their transmission according to the worst case scenario in which the wiretapper decides to observe only his symbols in all the positions she taps. This results in an achievable rate region for the wiretapper model as when the wiretapper observes both users symbols in each position she taps.

###### Theorem 2

For , an achievable strong secrecy rate region for the multiple access wiretap channel II in Fig. 1 under the wiretapper model , , is given by the convex hull of all rate pairs satisfying

 R1 ≤I(U1;Y|U2)−αI(U1;X1+X2), (13) R2 ≤I(U2;Y|U1)−αI(U2;X1+X2), (14) R1+R2 ≤I(U1,U2;Y)−αI(U1,U2;X1+X2), (15)

for some distribution which satisfies the Markov chains and .

###### Remark 2

The achievable strong secrecy rate region for the wiretapper models and is included in the achievable region for the wiretapper model , i.e., . This follows due to the Markov chains ; , and . By data processing inequality, we have

 I(Uj;Xj)≥I(Uj;X1+X2),j=1,2, (16) I(U1,U2;X1,X2)≥I(U1,U2;X1+X2). (17)

Next, we present achievable strong secrecy rate regions for the generalized multiple access wiretap channel in Fig. 2.

###### Theorem 3

For , an achievable strong secrecy rate region for the generalized multiple access wiretap channel in Fig. 2, , is given by the convex hull of all rate pairs satisfying

 R1 ≤I(U1;Y|U2)−I(U1;V)−αI(U1;X1|V), (18) R2 ≤I(U2;Y|U1)−I(U2;V)−αI(U2;X2|V), (19) R1+R2 ≤I(U1,U2;Y)−I(U1,U2;V)−αI(U1,U2;X1,X2|V), (20)

for some distribution which satisfies the Markov chains and .

###### Corollary 1

For , an achievable strong secrecy rate region for the multiple access wiretap channel II in Section II-A3, i.e., in Fig. 1 under the wiretapper model , , is given by the convex hull of all rate pairs satisfying

 R1 ≤I(U1;Y|U2)−αI(U1;X1), (21) R2 ≤I(U2;Y|U1)−αI(U2;X2), (22) R1+R2 ≤I(U1,U2;Y)−αI(U1,U2;X1,X2), (23)

for some distribution which satisfies the Markov chains and .

Corollary 1 follows directly from Theorem 3 by setting , i.e., the channel is an erasure channel with erasure probability one. The proofs for Theorems 1, 2, and 3, are provided in Sections IV and V.

###### Remark 3

By setting the size of the subset to zero, i.e., , in Theorem 3, we obtain the achievable strong secrecy rate region in [21, Theorem 1] for the two user multiple access wiretap channel. The same region was derived under a weak secrecy criterion in [16, 24].

## Iv Proof for Theorem 1

The achievability proof for Theorem 1 follows the same key steps as in [12], with the need of extending the technique to address the multi-terminal setting as will be explained shortly. In particular, we first assume the availability of common randomness at all terminals of the original channel model. We then define a dual multi-terminal secret key agreement problem in the source model, which introduces a set of random variables similar to those introduced by the original problem with the assumed common randomness. We then solve for rate conditions which result in the induced joint distributions from the two models to be almost identical in the total variation distance sense. We also provide rate conditions which satisfy certain reliability and secrecy (independence) conditions in the source model. Next, we use the closeness of the induced joint distributions to show that, under the same rate conditions, the desired reliability and secrecy properties in the original channel model are satisfied. Finally, we eliminate the common randomness from the channel model by conditioning on a certain instance of that randomness.

The outline of achievability is hence threefold: (i) Reliability of the keys in the dual source model, (ii) Security of the keys in the dual source model, and (iii) Closeness of the induced joint distributions. Reliability of the keys follows from Slepian-Wolf source coding theorem for multiple sources [25, Theorem 10.3]. Closeness of joint distributions, and converting the reliability and security conditions from the dual model to the original problem, are ensured by deriving an exponential convergence rate for the average total variation distance between the two distributions. This is done using a rather straightforward generalization of [12, Lemma 1].

The main challenge in the proof lies in ensuring security for the keys in the dual source model, which requires doubly-exponential convergence rate for the probability of the two keys being uniform and independent from the wiretapper’s observation, in the Kullback-Leibler divergence sense. The double-exponential convergence is needed in order to ensure security against the exponentially many possible strategies for the wiretapper. This is established by adapting the lemma derived for the single source case in [12] so that we derive the corner points of the rate region, for the two keys, that satisfies the doubly-exponential convergence. Time sharing between these corner points hence results in the desired rate region.

Let us first fix the distribution . Let be the distribution resulting from concatenating the discrete memoryless channels and , where is the main channel transition probability distribution for the model in Section II-A. That is,

 pY|U1U2(y|u1,u2)=∑x1,x2∈X1×X2pX1|U1(x1|u1)pX2|U2(x2|u2)pY|X1X2(y|x1,x2). (24)

We describe the following two protocols, each of which introduces a set of random variables and induces a joint distribution over them. We precisely identify the joint distribution induced by each protocol.

Protocol A: This protocol describes a multi-terminal secret key agreement problem in the source model as shown in Fig. 3. Let be independent and identically distributed (i.i.d.) sequences according to the distribution . Source encoder observes the sequence , . The sequence is randomly and independently binned into the two indices and , where and are independent and uniformly distributed over and , respectively. The bins represent the public messages transmitted noiselessly to the common decoder and perfectly accessed by the wiretapper. The bins represent the independent confidential keys generated at the two encoders. The decoder observes the i.i.d. sequence and the public messages , and outputs the estimates , , , .

Let and , for all , be defined as in (2) and (3). The wiretapper chooses the strategy whose realization is unknown to the legitimate terminals. The wiretapper can thus be represented by the source whose distribution is only known to belong to the finite class ; the cardinality of the set of all possible wiretapper’s strategies for the attack model is upper bounded as

 |S|=(nμ)×2μ=(nαn)×2αn<2n×2αn=2(1+α)n. (25)

Protocol A hence introduces the random variables . The induced distribution over these variables is given by

 ~PW[1:2]F[1:2]U[1:2]YZS^U[1:2]=pU[1:2]YZS~PW[1:2]F[1:2]|U[1:2]~P^U[1:2]|YF[1:2] (26) =pU[1:2]YZS~P^U[1:2]|YF[1:2]\mathbbm1{B(j)1(Uj)=Wj,B(j)2(Uj)=Fj,∀j=1,2} (27) =~PW[1:2]F[1:2]~PU[1:2]|W[1:2]F[1:2]pYZS|U[1:2]~P^U[1:2]|YF[1:2]. (28)

Protocol B: This protocol is described as the original channel model in Section II-A1, with assuming the availability of common randomness , , at all terminals. and are independent, uniformly distributed over and , and independent from all other random variables. We utilize here the encoders and decoder in (28). That is,

 PU[1:2]|W[1:2]F[1:2]=~PU[1:2]|W[1:2]F[1:2], and P^U[1:2]|YF[1:2]=~P^U[1:2]|YF[1:2]. (29)

The induced joint distribution for protocol B is thus given by

 (30)
###### Remark 4

We have ignored the variables from the joint distributions in (28) and (30) at this stage, as we will introduce them later as deterministic functions of the random vectors, after fixing the binning functions.

###### Remark 5

Notice that factorizes as . That is, the common randomness available at the th transmitter, , is not utilized to generate . The common randomness represents the realization of transmitter ’s codebook, which is known at all terminals. However, the transmitted codeword at one transmitter does not depend on the codebook of the other transmitter.

###### Remark 6

The induced joint distributions from the two protocols in (28) and (30) are random due to the random binning of and .

Before continuing with the proof, we state the following lemmas.

### Iv-a Useful Lemmas

By comparing the joint distributions for protocols A and B in (28) and (30), we find that they only differ in the distribution for and . In particular, and are independent and uniformly distributed in protocol B, while their distribution in protocol A is determined by the random binning of and . The following lemma is a one-shot result which provides conditions on the binning rates such that the random binning of and described in protocol A results in a distribution for the bins that is close, in the total variation distance sense, to independent uniform distributions. The convergence rate provided by the lemma, which is exponential, is needed for converting the secrecy (independence) condition, established for the source model in protocol A, to the original channel model in protocol B.

###### Lemma 1

Let and be two independent sources. The source is randomly binned into the two indices and , where and are independent and uniformly distributed over and . Let , and for define

 Dγj≜{xj∈Xj:log1pXj(xj)>γj}. (31)

Then, we have

 EB(V(PW[1:2]F[1:2],pUW[1:2]pUF[1:2]))≤2∑j=1(PPXj(Xj∉Dγj)+12√~Wj~Fj2−γj), (32)

where is the induced distribution over and .

Proof:  Lemma 1 is a generalization of [12, Lemma 1]. In particular, using the triangle inequality,

 V (PW[1:2]F[1:2],pUW[1:2]pUF[1:2])=V(PW1F1PW2F2,pUW[1:2]pUF[1:2]) (33) ≤V(PW1F1PW2F2,pUW1pUF1PW2F2)+V(pUW1pUF1PW2F2,pUW[1:2]pUF[1:2]) (34) =∑j=1,2V(PWjFj,pUWjpUFj), (35)

where (33) follows since and are independent, and hence and are independent as well. Using [12, Lemma 1], we have, for

 EB(V(PWjFj,pUWjpUFj))≤PPXj(Xj∉Dγj)+12√~Wj~Fj2−γj, (36)

which completes the proof for Lemma 1.

Lemma 2 below is again a one-shot result which provides rate conditions for a certain secrecy (independence) condition in the source model. In particular, the lemma provides a doubly-exponential convergence rate for the probability of the confidential keys and the public messages being independent, uniformly distributed, and all independent from the wiretapper’s observation . This doubly-exponential convergence is utilized, along with the union bound, to guarantee secrecy against the exponentially many choices for the wiretapper.

###### Lemma 2

Let and be two sources, both are correlated with the source . The alphabets , and , are finite. For the source is randomly binned into the two indices and as in Lemma 1. For and for any , define

 DSj≜{(x[1:2],z)∈X1×X2×Z:(xj,z)∈DSγj,(x[1:2],z)∈DSγij}, (37) whereDSγj≜{(xj,z)∈Xj×Z:log1pXj|ZS(xj|z)>γj}, (38) andDSγij≜{(x[1:2],z)∈X1×X2×Z:log1pXi|XjZS(xi|xj,z)>γij}. (39)

If there exists a such that for and for all , we have

 PpX[1:2]ZS((X[1:2],ZS)∈DSj)≥1−δ2, (40)

then, we have, for every , that

 PB(maxS∈SD(PW[1:2]F[1:2]ZS||pUW[1:2]pUF[1:2]pZS)≥2~ϵ) ≤|S||Z|mini,j=1,2,i≠j{exp((−ϵ2(1−δ)2γj3~Wj~Fj))+exp((−ϵ2(1−δ)2γij3~Wi~Fi))}, (41)

where is the induced distribution over and ,

 ~ϵ=maxj=1,2{ϵ+(δ+δ2)log(~Wj~Fj)+Hb(δ2)}, (42)

and is the binary entropy function.

Proof:  See the Appendix.

###### Remark 7

In applying Lemmas 1 and 2 to the source model in protocol A, we utilize the version of Hoeffding’s inequality in [26, Theorem 2], [12, Lemma 3]. In addition, after showing that the reliability and secrecy properties established for the source model hold as well for the channel model in protocol B, we utilize the selection lemma, [27, Lemma 2.2], in order to prove the existence of a binning realization such that both properties are still satisfied for the channel model. It is also utilized to eliminate the common randomness from the channel model.

### Iv-B Proof

We first apply Lemma 1 to the source model in protocol A to establish the closeness of the induced joint distributions from the two protocols. In Lemma 1, set , , and , for ; are defined as in protocol A. Let be defined as in (31) with for . For choose . Without loss of generality, assume that for all . Using Hoeffding’s inequality, we have

 PpUj(Uj∉Dγj)=P(log1pUj(Uj)≤γj) (43) =P(n∑k=1log1pUj(Uj,k)≤n(1−ϵj)H(Uj))≤exp(−βjn), (44)

where . By substituting the choices for and (44) in (32), as long as

 R1+~R1<(1−ϵ1)H(U1) (45) R2+~R2<(1−ϵ2)H(U2), (46)

there exists a such that

 EB(V(~PW[1:2]F[1:2],pUW[1:2]pUF[1:2]))≤4exp(−βn). (47)

Using (28), (30), and (47), we have

 EB (V(~PW[1:2]F[1:2]U[1:2]YZS^U[1:2],PW[1:2]F[1:2]U[1:2]YZS^U[1:2])) =EB(V(~PW[1:2]F[1:2],pUW[1:2]pUF[1:2]))≤4exp(−βn). (48)

Next, we establish a reliability condition for the source model in protocol A. We utilize a Slepian-Wolf decoder [28], which implies that [25, Theorem 10.3]

 limn→∞EB(P~P(^U[1:2]≠U[1:2]))=0, (49)

as long as

 ~R1≥H(U1|U2,Y), (50) ~R2≥H(U2|U1,Y), (51) ~R1+~R2≥H(U1,U2|Y). (52)

Using (49) and [23, Lemma 1], which is a variation on the Slepian-Wolf source coding theorem, we have, for all ,

 limn→∞EB (V(~PW[1:2]F[1:2]U[1:2]YZS^U[1:2],~PW[1:2]F[1:2]U[1:2]YZS\mathbbm1{^U[1:2]=U[1:2]})) =limn→∞EB(P~P(^U[1:2]≠U[1:2]))=0. (53)

Next, we use Lemma 2 to establish the secrecy condition for the source model in protocol A. In Lemma 2, for set , , , , for all , where are defined as in protocol A. In addition, let