Secret Key Agreement Using Conferencing in State- Dependent Multiple Access Channels with An Eavesdropper

Secret Key Agreement Using Conferencing in State- Dependent Multiple Access Channels with An Eavesdropper

Mohsen Bahrami, Ali Bereyhi, Mahtab Mirmohseni and Mohammad Reza Aref This work was partially supported by Iranian NSF under contract no. . Information Systems and Security Lab (ISSL),
Sharif University of Technology, Tehran, Iran,
Email: {bahramy, bereyhi}@ee.sharif.edu, m.mirmohseni@ece.ut.ac.ir, aref@sharif.edu
Abstract

In this paper, the problem of secret key agreement in state-dependent multiple access channels with an eavesdropper is studied. For this model, the channel state information is non-causally available at the transmitters; furthermore, a legitimate receiver observes a degraded version of the channel state information. The transmitters can partially cooperate with each other using a conferencing link with a limited rate. In addition, a backward public channel is assumed between the terminals. The problem of secret key sharing consists of two rounds. In the first round, the transmitters wish to share a common key with the legitimate receiver. Lower and upper bounds on the common key capacity are established. In a special case, the capacity of the common key is obtained. In the second round, the legitimate receiver agrees on two independent private keys with the corresponding transmitters using the public channel. Inner and outer bounds on the private key capacity region are characterized. In a special case, the inner bound coincides with the outer bound. We provide some examples to illustrate our results.

{keywords}

Information theoretic security, multiple access channel, state-dependent, secret key sharing, common and private key capacity region.

I Introduction

Secure communication in a network is possible when legitimate users have access to some secret keys. In [1], Shannon demonstrated that the perfect secrecy condition can be satisfied if:

where, and are the entropies of the message and the key, respectively. Secret key generation in a network requires the existence of common randomness between users. A simple model for common randomness, in the information theory context, is distributed correlated sources. This model was first studied by Ahlswede and Csiszar [2], where legitimate users utilize two correlated sources as common randomness to share a secret key in a noiseless network that must be concealed from an eavesdropper. In [3], new bounds on the secret key capacity over a multiterminal network with public channel were established by Gohari and Anantharam. In their model, there are legitimate terminals and an eavesdropper that have access to correlated sources. Only some of the legitimate terminals can transmit over the channel. All the legitimate terminals intend to agree on a common key that must be kept secret from the eavesdropper. In a noisy channel, common randomness can be obtained by implementing the channel distribution. This model is useful when illegal users have no access to the common randomness or a part of it. But if the legitimate users do not have any advantages compared to the illegal users, this common randomness is not beneficial for secret key sharing any more. Maurer solved this problem using a backward public channel in the wiretap model [4]. The backward public channel is a noiseless channel used by the receivers to transmit messages to the transmitters where the messages can be observed by an eavesdropper. In [2], Ahlswede and Csiszar showed that a forward noiseless channel does not help to solve the problem. In addition to the Maurer’s solution, the problem can be solved when correlated sources are distributed between legitimate users in a noisy network. This idea was recently developed by Khisti in the wiretap channel where the transmitter and the legitimate receiver have access to correlated sources [5]. Salimi and Skoglund, in another recent work, investigated the problem of secret key agreement over generalized multiple access channels using correlated sources [6]. In this channel, each of transmitters intends to agree on a private key with a receiver. Furthermore, when a forward public channel is available, the secret key sharing problem was studied by Salimi [7]. In their model, the transmitters intend to share private keys over the generalized multiple access channel with the receiver using the public channel. The authors established examples to show that the forward public channel can improve the secret key capacity. In addition, they showed that using the forward public channel for key sharing is more effective than compress and forward strategy which was proposed in [8]. In state-dependent noisy networks, the Channel State Information (CSI) can be used as common randomness when illegal users have limited access to the CSI. In these networks, the CSI may be available causally or non-causally at the legitimate users. Khisti studied the problem of secret key agreement over 2-receiver broadcast channels with causal or non-causal CSI where the transmitter upon observing the CSI generates a secret key and sends the required information over the channel and the legitimate receiver estimates the secret key [9]-[11].

Cooperation can be effective for common key sharing in a network where there are more than one transmitter. Conferencing is one of the schemes that can be utilized to provide cooperation. In most cases, a noiseless channel with a limited rate is used to establish the conferencing scheme. In [12], Willems used the conferencing scheme in a multiple access channel where there is an interactive noiseless channel with a limited rate between the transmitters. Upon receiving sequences from the noiseless channel, each transmitter determines the channel input as a function of its message and the observed sequences.

Main Contributions and Organization

Consider a multiterminal network with users, where one of them acts as a Trusted Center (TC) and others act as End Nodes (ENs). In addition, there is an illegal user in the network which wishes to eavesdrop. In this network, the ENs try to establish a confidential connection with the TC. Therefore, they first need to agree on some keys with the TC to announce themselves as trusted users. For transmitting the confidential message, the TC needs to generate independent private keys and share them with each of the ENs. These private keys provide an ability of multiplexing in the network. The eavesdropper tries to find the keys and attack the network. Motivated by the above scenario, we define our system model. As Fig. 1 illustrates, we consider a three-user network with an eavesdropper, in which two ENs and a TC are modeled as two transmitters and a legitimate receiver, respectively. The transmitters and the legitimate receiver are connected by a State-Dependent Multiple Access Channel (SD-MAC) where a conferencing link is available between the transmitters. In addition, the eavesdropper observes the channel. An insecure backward public channel with an unlimited capacity is available between all the terminals. In order to achieve a secure connection; at first, the transmitters intend to share a common key over the SD-MAC with the legitimate receiver using the conferencing scheme. Then, the legitimate receiver shares an independent private key with each of the transmitters over the public channel.

In this model, we investigate the problem of secret key agreement in two rounds. In the first round, we establish the lower and upper bounds on the common key capacity. The intuition behind the lower bound comes from the superposition coding and random binning. The state is utilized to generate the common key by means of the hybrid joint source channel coding. In the second round, the inner and outer bounds are derived on the private key capacity region. The double random binning is used to satisfy the secrecy constrains. In this round, the private key capacity is obtained for some special cases. Different systems can be modeled as the SD-MAC with an eavesdropper. For example, we consider a binary memory with stuck at faults in which two end nodes utilize this memory to share a common key with a trusted center where an eavesdropper has access to the memory. As another example, we discuss the key agreement in the modulo-additive SD-MAC with an eavesdropper.

The rest of the paper is organized as follows. In Section II, the problem definition is described. In Section III, our main results and the intuitions behind them are given. In Section IV, examples are provided. Finally, proofs are presented in Section V.

Ii Problem Definition

Throughout the paper, we denote a discrete random variable with an upper case letter (e.g., ) and its realization by the lower case letter (e.g., ). We denote the probability density function of over with and the conditional probability density function of given by . Finally, we use to indicate vector .

A discrete memoryless SD-MAC with an eavesdropper is defined by a channel input alphabet , a channel state alphabet , a channel output alphabet , an eavesdropper’s output alphabet and a transition probability function where are finite sets. As Fig. 1 illustrates, the transmitters have access to the exact CSI while the legitimate receiver has access to the degraded version of the CSI non-causally.

Fig. 1: The state-dependent multiple access channel with an eavesdropper.

We consider the interactive key agreement in the SD-MAC with an eavesdropper where a backward public channel with unlimited capacity is available from the receivers to the transmitters. We assume that a noiseless channel, with limited rate , is available between the encoders which can be used for conferencing. The interactive key agreement scheme consists of two rounds. In the first round, the transmitters generate a common key using conferencing and transmit required information for common key sharing to the legitimate receiver via the SD-MAC. In the second round, the legitimate receiver agrees on a private key with each transmitter using the public channel. In the following we clarify the schemes with details.

Ii-a The First Round

In the first round, as Fig. 1 illustrates, the first transmitter, upon observing , generates as a common key and sends the required information to the second transmitter over the noiseless channel with limited rate . The second transmitter generates , as a function of received information and , to share with the legitimate receiver. Then, the transmitters determine and for , as deterministic functions of the corresponding common keys and and transmit and over the SD-MAC with an eavesdropper. The legitimate receiver observes the channel output and reconstructs the common key . The sequence is received from the SD-MAC by the eavesdropper.

Definition 1

In the first round, a rate is said to be achievable if for every and sufficiently large , there exists a protocol such that

(1)
(2)
(3)
(4)
(5)

Equation (1) investigates conferencing achievement. Equation (2) is the reliability condition of the common key. Equation (3) implies that the eavesdropper has effectively no information about the common key. Finally, the set of equations (4) and (5) investigate the uniformity conditions.

Definition 2

The common key capacity is the set of all achievable rates .

Ii-B The Second Round

In the second round, as Fig. 1 illustrates, the legitimate receiver, upon observing and , determines two independent private keys and for sharing with the first and second transmitter, respectively. The legitimate receiver transmits and over the backward public channel. For , the th transmitter estimates its private key . The eavesdropper utilizes for eavesdropping.

Definition 3

In the second round, a rate pair is an achievable private key rate pairs if for every and sufficiently large n there exists a protocol such that

(6)
(7)
(8)
(9)
(10)

for , where is complement, i.e., . Equation (6) is the reliability conditions. Equations (7) and (8) mean that the eavesdropper and each transmitter have efficiently no information about the other transmitter’s private key. Finally, the set of equations (9) and (10), investigate the uniformity conditions.

Definition 4

The private key capacity region is the set of all achievable rate pairs .

Iii Main Results

Here, we provide inner and outer bounds on the secret key capacity region of the SD-MAC with an eavesdropper, in two sub-sections. In sub-section III-A, we discuss the lower and upper bounds on the common key capacity. The inner and the outer bounds on the private capacity region are given in sub-section III-B.

Iii-a The First Round

In this sub-section, we present two theorems. Theorem 1 states a lower bound on the common key capacity.

Theorem 1 (Common Key Lower Bound)

The common key rate is achievable for the first round if

(11)

subject to the constraints:

(12)
(13)
(14)

for some input distribution:

(15)

where .

Proof:

The achievability follows by specifying the sequence as a description of . is generated over using the superposition coding. The and are shared between the transmitters by utilizing the conferencing link. The random binning is applied to satisfy the secrecy constrains. Upon observing and , the legitimate receiver estimates the common key by means of joint typicality decoding. The proof is provided in section V-A. \qed

Theorem 2 states an upper bound on the common key capacity.

Theorem 2 (Common Key Upper Bound)

For the common key sharing, any rate must satisfy

(16)

Proof: See Section V-B.

In the following, we establish the common key capacity for a special case.

Corollary 1

If the random variables form the Markov chain, , i.e., the illegal output is the degraded version of , the common key capacity reduces to:

(17)

subject to the constraints:

(18)
(19)
(20)

Proof: See section V-C.

Iii-B The Second Round

Now, the bounds on the private key capacity region are given. Theorem 3 states an inner bound on the private key capacity region.

Theorem 3 (Private Key Inner Bound)

The private key rate pair is achievable for the second round if

(21)
(22)

subject to the constraints:

(23)
(24)

for some input distribution:

(25)
Proof:

In order to achieve the inner bound, two conditionally independent sequences and are generated with probability distribution . Then, we use the double random binning to satisfy the secrecy constrains. The proof is given in section V-D. \qed

Theorem 4 states an outer bound on the private key capacity region.

Theorem 4 (Private Key Outer Bound)

For the private key sharing, any rate pair must satisfy:

(26)
(27)

This bound can be directly deduced from Theorem 1 in [2]. In the following, we obtain the private key capacity region for a special case.

Corollary 2

If the inputs and output of the SD-MAC with an eavesdropper form a Markov chain as , the private key capacity region reduces to:

(28)
(29)

subject to the constraints:

(30)
(31)

Proof: The achievability follows from Theorem 3 where we have:

(32)

where , and can be deduced from the Markov chain, . The proof of converse can be obtained from the outer bound of Theorem 4.

Iv Examples

Different examples can be established to illustrate our proposed model. In this section, we present some examples to explain our results.

Iv-a Binary Memory with Stuck at Faults

Consider a network where two ENs intend to share a common key with the TC. In this network, a binary memory with stuck at faults is available where the eavesdropper has access to this memory. Suppose only the ENs have access to the defect information. For the key agreement, the ENs utilize the fault pattern to share the required information with the TC. The binary memory with stuck at faults can be modeled as the state-dependent memoryless channel where each of the memory cells sticks at with a probability , likewise, sticks at 1 with a probability and behaves as a noiseless binary channel with a probability [13]. For the described example, the following argument shows that a lower bound on the common key capacity is bits subject to the constraint .

We propose a protocol for the common key agreement: Fix distribution such that . Generate a set of binary sequences , according to a Bernoulli distribution with success probability where there are roughly sequences that match any given fault pattern. Partition them into equal size subsets. Choose the sequence such that and are jointly typical respect to . Set the subset index of chosen as the common key. By using the above protocol and Theorem 1, we prove .

Proof: By setting in Theorem 1, we have:

and for the constraint we have:

In fact, the ENs utilize the fault pattern for common key sharing with the TC. Therefore, the common key rate is bounded by error probability .

Iv-B The Modulo-Additive SD-MAC

Consider the binary SD-MAC with channel output and eavesdropper’s output where , , and the channel state has a Bernoulli distribution with success probability . In proposed model, the transmitters intend to share a common key with the legitimate receiver using conferencing with limited rate . A lower bound on the common key capacity of the modulo-additive SD-MAC with eavesdropper is

subject to the constraint:

Proof: In order to prove the lower bound, we set and , using the conferencing link, in Theorem 1 such that

for the constraint we have:

and

where and .

V Proofs

In this section, we present proofs of the main results. In order to prove Theorem 1, we employ the superposition coding [14] and random binning [15]. The intuition behind the proof of Theorem 3 comes from the Slepian & Wolf coding [16] and the double random binning. The proofs of the outer bounds are similar to [2].

V-a Proof of Theorem 1

Fix probability distribution ,

Codebook Generation: Randomly and independently generate sequences each according to . The set of all sequences is represented by . For each , randomly and conditionally independently generate , sequences , each according to and randomly partition them into bins. Consequently, each bin consists of sequences in average. Codebook contains of sub-codebooks where sub-codebook is represented by .

Encoding: The first encoder, ENC 1, upon observing CSI chooses a pair such that,

(33)

If there is no such pair, ENC 1 sets . If there are more than one pair, ENC 1 randomly chooses . Then, ENC 1 sends pair over the noiseless channel with limited rate . ENC 2 reconstructs , using the codebook. The reconstruction can be done successfully if:

(34)

the sets and are defined as below:

where and indicate the number of sequences in and in that are jointly typical with , respectively. It can be shown that condition (34) is satisfied by . Simply, we can consider .

ENC transmits over the SD-MAC. This can be done with an arbitrarily small probability of error as if:

(35)
(36)

The above conditions can be deduced from the covering lemma [17].

Remark 1: According to the channel distribution, the output distribution can be written as

In order to cover the probability space of variables , and completely, we must generate the codewords and as functions of .

Common Key Generation: The transmitters choose the bin index of as the common key to share with the legitimate receiver.

Decoding: The legitimate decoder, upon observing the channel output , estimates such that

(37)

and recovers such that

(38)

If an error occurs, the legitimate decoder sets . By using the packing lemma and mutual packing lemma [18], the probability of error tends to zero as if:

(39)
(40)
(41)

Secrecy Analysis: In order to check the security condition on the common key rate averaged over the random codebook assignments , we have:

(42)

where follows from the fact that is the bin index of and the equality holds. can be deduced from inequalities and if , the proof is similar to [18, Lemma 22.3].

V-B Proof of Theorem 2

In our described model, the legitimate receiver should be able to estimate the common key correctly, therefore, according to the Fano’s inequality we have and also, the security condition must be satisfied. We obtain an upper bound on ,

(43)

where deduces from the security condition, follows from the Fano’s inequality, can be derived from the Markov chain . can be obtained by considering as a uniform variable over .

V-C Proof of Corollary 1

The achievability follows from Theorem 1 where we have:

(44)

where comes from the Markovity. For the converse proof, we have:

(45)

where follows from the security condition , comes from the Fano’s inequality . and can be deduced from the Markov chains, and , respectively. By defining and , is obtained. can be established by considering as a uniform variable over .

V-D Proof of Theorem 3

Fix probability distribution

Codebook Generation: For , randomly generate sequences each according to and partition them into bins and sub-bins using the double random binning. Therefore, there are sequences in each bin and sequences in each sub-bin in average. indicates the coodebook containing all . The bin and sub-bin are represented by