Robust Biometric Authentication from an Information Theoretic Perspective ^†

Abstract

Robust biometric authentication is studied from an information theoretic perspective. Compound sources are used to account for uncertainty in the knowledge of the source statistics and are further used to model certain attack classes. It is shown that authentication is robust against source uncertainty and a special class of attacks under the strong secrecy condition. A single-letter characterization of the privacy secrecy capacity region is derived for the generated and chosen secret key model. Furthermore, the question is studied whether small variations of the compound source lead to large losses of the privacy secrecy capacity region. It is shown that biometric authentication is robust in the sense that its privacy secrecy capacity region depends continuously on the compound source.

1. Introduction

Biometric identifiers, such as fingerprints, iris and retina scans, are becoming increasingly attractive for the use in security systems because of their uniqueness and time invariant characteristics—for example, in authentication and identification systems. Conventional personal authentication systems usually use secret passwords or physical tokens to guarantee the legitimacy of a person. On the other hand, biometric authentication systems use the physical characteristics of a person to guarantee the legitimacy of the person to be authenticated.

Biometric authentication systems are decomposed into two phases: the enrollment and the authentication phase. A simple authentication approach is to gather biometric measurements in the enrollment phase, apply a one-way function and then store the results in a public database. In the authentication phase, new biometric measurements are gathered. The same one-way is applied and the outcome is then compared to the one stored in the database. Unfortunately, biometric measurements might be affected by noise. To deal with noisy data, error correction is needed. Therefore, helper data is generated during the enrollment phase as well based on the biometric measurements and then stored directly in the public database that will be then used in the authentication phase, which will then be used in the authentication phase to correct the noisy imperfections of the measurements.

Since the database containing the helper data is public, an eavesdropper can have access to the data if desired. How can we prevent an eavesdropper from gaining information about the biometric data from the publicly stored helper data? One is interested in encoding the biometric data into a helper data and a secret key such that the helper data does not reveal any information about the secret key. Cryptographic techniques are one approach to keeping the key secret. However, security on higher layers is usually based on the assumption of insufficient computational capabilities of eavesdroppers. Information theoretic security, on the contrary, uses the physical properties of the source to guarantee security independent from the computational capabilities of the adversary. This line of research was initiated by Shannon in [1] and has attracted considerable interest recently—cf., for example, recent textbooks [2,3,4] and references therein. In particular, Ahlswede and Csiszár in [5] and Maurer in [6] introduced a secret key sharing model. It consists of two terminals that observe the correlated sequences of a joint source. Both terminals generate a common key based on their observation and using public communication. The message transmitted over the public channel should not leak any amount of information about the common key.

Both works mentioned above use the weak secrecy condition as a measure of secrecy. Given a code of a certain blocklength, the weak secrecy condition is fulfilled if the mutual information between the key and the available information at the eavesdropper normalized by the code blocklength is arbitrarily small for large blocklengths. On the other hand, the strong secrecy condition is fulfilled if the un-normalized mutual information between the key and the available information at the eavesdropper is arbitrarily small for large blocklengths, i.e., the total amount of information leaked to the eavesdropper is negligible. The secret key sharing model satisfying the strong secrecy condition has been studied in [7].

One could model the biometric authentication similar to this secret key generation source model; however, this model does not take into account the amount of information that the public data (the helper data in the biometric scenario) leaks about the biometric measurement. The goal of biometric authentication is to perform a secret and successful authentication procedure without compromising the information about the user (privacy leakage). Compromised biometric information is unique and cannot be replaced, so once it is compromised, it is compromised forever, which might lead to an identity theft (see [8,9,10] for more information on privacy concerns). Since the helper data we use to deal with noisy data is a function of the biometric measurements, it contains information about the biometric measurement. Thus, if an attacker breaks into the data base, he could be able to extract information about the biometric measurement from where the helper data is stored. Hence, we aim to control the privacy leakage as well. An information theoretic approach of secure biometric authentication controlling the privacy leakage was studied in [11,12] under ideal conditions, i.e., with perfect source state information (SSI) and without the presence of active attackers.

In both references [11,12], the capacity results under the weak secrecy condition were derived. In [13], the capacity result for the sequential key-distillation with rate limited one-way public communication using the strong secrecy condition was shown.

For reliable authentication, SSI is needed; however, in practical systems, it is never perfectly available. Compound sources model a simple and realistic SSI scenario in which the legitimate users are not aware of the actual source realisation. Nevertheless, they know that it belongs to a known uncertainty set of sources and that it remains constant during the entire observation. This model was first introduced and studied in [14,15] in a channel coding context. Compound sources can also model the presence of an active attacker, who is able to control the state of the source. We are interested in performing an authentication process that is robust against such uncertainties and attacks. The secret key generation for source uncertainty was studied in [16,17,18,19]. In [16], the secret key generation using compound joint sources was studied and the key-capacity was established.

In [20], the achievability result of the privacy secrecy capacity region for generated secret keys for compound sources has been derived under the weak secrecy condition. In this work, we study robust biometric authentication in detail and extend this result in several directions. First, we consider a model where the legitimate users suffer from source uncertainty and/or attacks and derive achievability results under the strong secrecy conditions for both the generated and chosen secret key authentication. We then provide matching converses to obtain single-letter characterizations of the corresponding privacy secrecy capacity regions.

We further address the following question: can small changes of the compound source cause large changes in the privacy secrecy capacity region? Such a question has been first studied in [21] for arbitrarily varying quantum channels (AVQCs) showing that deterministic capacity has discontinuity points, while the randomness-assisted capacity is a continuous function of the AVQCs. This line of research is continued in [22,23], in which the classical compound wiretap channel, the arbitrarily varying wiretap channel (AVWC), and the compound broadcast channel with confidential messages (BCC) are studied. We study this for the biometric authentication problem at hand and show that the corresponding privacy secrecy capacity regions are continuous functions of the underlying uncertainty sets. Thus, small changes in the compound set lead to small changes in the capacity region only.

The rest of this paper is organized as follows. In Section 2, we introduce the biometric authentication model for perfect SSI and present the corresponding capacity results. In Section 3, we introduce the biometric authentication model for compound sources and show that secure, under the strong secrecy condition, and reliable authentication, under source uncertainty with positive rates, is possible deriving a single-letter characterization of the privacy secrecy capacity region for the chosen and generated secret key model. In Section 4, we show that the privacy secrecy capacity region for compound sources is a continuous function of the uncertainty set. Finally, the paper ends with a conclusion in Section 5.

Notation: Discrete random variables are denoted by capital letters and their realizations and ranges by lower case and script letters. $\mathcal{P}(\mathcal{X})$ denotes the set of all probability distributions on $\mathcal{X}$; $\mathbb{E}(·)$ denotes the expectation of a random variable; $Pr\{·\}$, $H(·)$ and $I(·;·)$ indicate the probability, the entropy of a random variable, and mutual information between two random variables; $D(·\parallel ·)$ is the information divergence; ${\parallel p-q\parallel }_{TV}$ is the total variation distance between p and q on $\mathcal{X}$ defined as ${\parallel p-q\parallel }_{TV}≔{\sum }_{x\in \mathcal{X}}|p(x)-q(x)|$. The set ${\mathcal{T}}_{p,\delta }^n$ denotes the set of $\delta –$typical sequences of length n with respect to the distribution p; the set ${\mathcal{T}}_{W,\delta }^n(x^n)$ denotes the set of $\delta –$conditional typical sequences with respect to the conditional distribution $W:\mathcal{X}\to \mathcal{P}(\mathcal{Y})$ and sequence $x^n\in {\mathcal{X}}^n$; $p_{x^n}$ denotes the empirical distribution of the sequence $x^n$.

2. Information Theoretic Model for Biometric Authentication

Let $\mathcal{X}$ and $\mathcal{Y}$ be two finite alphabets. Let $(x^n,y^n)\in {\mathcal{X}}^n\times {\mathcal{Y}}^n$ be a pair of biometric sequences of length $n\in \mathbb{N}$; then, the discrete memoryless joint-source is given by the joint probability distribution $Q^n(x^n,y^n)≔{\prod }_{i=1}^{n}Q(x_i,y_i)$. This models perfect SSI, i.e., all possible measurements are generated by the discrete memoryless joint-source source Q, which is perfectly known at both the enrollment and the authentication terminal.

2.1. Generated Secret Key Model

The information theoretic authentication model consists of a discrete memoryless joint-source Q, which represents the biometric measurement source, and two terminals: the enrollment terminal and the authentication terminal as shown in Figure 1. At the enrollment terminal, the enrollment sequence $X^n$ is observed and the secret key K and helper data $M^{\prime }$ are generated. At the authentication terminal, the authentication sequence $Y^n$ is observed. An estimate of the secret key $\widehat{K}$ is made based on the authentication sequence $Y^n$ and the helper data $M^{\prime }$. Since the helper data is stored in a public database, this should not reveal anything about the secret key K and also as little as possible about the enrollment measurement $X^n$. The distribution of the key must be close to uniform.

Figure 1. The biometric measurements $X^n$ and $Y^n$ are observed in the enrollment and authentication terminal, respectively. In the enrollment terminal, the key K and the helper data $M^{\prime }$ are generated. The helper data is public, hence the eavesdropper also has access to it. In the authentication terminal, an estimation of a key $\widehat{K}$ is made based on the observed biometric measurements $Y^n$ and the helper data $M^{\prime }$.

We consider a block-processing of arbitrary but fixed length n. Let ${\mathcal{M}}^{\prime }≔\{1,\dots ,M_n^{\prime }\}$ be the helper data set and $\mathcal{K}≔\{1,\dots ,K_n\}$ the secret key set.

Definition 1.

An $(n,M_n^{\prime },K_n)$-code for generated secret key authentication for joint-source $Q\in \mathcal{P}(\mathcal{X}\times \mathcal{Y})$ consists of an encoder f at the enrollment terminal with

$$\begin{array}{cc}\hfill f& :{\mathcal{X}}^n\to \mathcal{K}\times {\mathcal{M}}^{\prime }\hfill \end{array}$$

and a decoder ϕ at the authentication terminal

$$\phi :{\mathcal{Y}}^n\times {\mathcal{M}}^{\prime }\to \mathcal{K}.$$

Remark 1.

Note that the function f means that every $x^n$ is mapped into a $(k,m^{\prime })\in \mathcal{K}\times {\mathcal{M}}^{\prime }$, which implies that $|f(·)|=K_n{M}_n^{\prime }\le |{\mathcal{X}}^n|$.

Definition 2.

A privacy secrecy rate pair $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ is called achievable for the generated secret key authentication for a joint-source Q, if, for any $\delta >0,$ there exist an $n(\delta )\in \mathbb{N}$ and a sequence of $(n,M_n^{\prime },K_n)$-codes such that, for all $n\ge n(\delta ),$ we have

$$\begin{array}{cc}\hfill Pr\{\widehat{K}\ne K\}& \le \delta ,\hfill \end{array}$$

(1a)

$$\begin{array}{cc}\hfill \frac{1}{n}H(K)+\delta \ge \frac{1}{n}log{K}_n& \ge R_K-\delta ,\hfill \end{array}$$

(1b)

$$\begin{array}{cc}\hfill \frac{1}{n}I(K;M^{\prime })& \le \delta ,\hfill \end{array}$$

(1c)

$$\begin{array}{cc}\hfill \frac{1}{n}I(X^n;M^{\prime })& \le R_{PL}+\delta .\hfill \end{array}$$

(1d)

Remark 2.

Condition (1b) requires the key distribution $p_K$ to be close to the uniform distribution $p_{\tilde{K}}$, where $\tilde{K}$ is a random variable uniformly distributed over the key set $\mathcal{K}$. By (1b), we have $\frac{1}{n}log{K}_n-\frac{1}{n}H(K)=D(K\parallel \tilde{K})\le \delta$; combined with Pinsker’s inequality, we have $\parallel p_K-p_{\tilde{K}}\parallel \le \sqrt{2ln2\delta }$. For small δ, we have that both distributions are close to each other.

Remark 3.

Condition (1a) stands for reliable authentication, the information about the key leaked by the helper data is negligible by (1c) and the information about the biometric measurements leaked by the helper data $\frac{1}{n}I(X^n;M^{\prime })$ is close to $R_{PL}$ by (1d).

Definition 3.

The set of all achievable privacy secrecy rate pairs for generated key authentication is called privacy secrecy capacity region and is denoted by ${\mathfrak{C}}_G(Q)$.

We next present the privacy secrecy capacity region for the generated key authentication for the joint-source Q, which was first established in [11,12].

To do so, for some U with alphabet $|\mathcal{U}|\le |\mathcal{X}|+1$ and $V:\mathcal{X}\to \mathcal{P}(\mathcal{U})$, we define the region $\mathcal{R}(Q,V)$ as the set of all $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ satisfying

$$\begin{array}{cc}\hfill R_K& \le I(U;Y),\hfill \\ \hfill R_{PL}& \ge I(U;X)-I(U;Y),\hfill \end{array}$$

with $P_{UXY}(u,x,y)=V(u|x)Q(x,y)$.

Theorem 1

[11,12]. The privacy secrecy capacity region for generated key authentication is given by

$${\mathfrak{C}}_G(Q)=\bigcup _{V:\mathcal{X}\to \mathcal{P}(\mathcal{U})}\mathcal{R}(Q,V).$$

2.2. Chosen Secret Key Model

In this section, we study the authentication model for systems for which the secret key is chosen beforehand. At the enrollment terminal, a secret key K is chosen uniformly and independent of the biometric measurements. The secret key K is bound to the biometric measurements $X^n,$ and, based on this, the helper data $M^{\prime }$ is generated as shown in Figure 2. At the authentication terminal, the authentication measurement $Y^n$ is observed. An estimate of the secret key $\widehat{K}$ is made based on the authentication sequence $Y^n$ and the helper data $M^{\prime }$. Since the helper data is stored in a public database, this should not reveal anything about the secret key and minimize the information leakage about the enrollment sequence $X^n$. However, we should be able to reconstruct K. To achieve this, a masking layer based on the one-time pad principles is used.

Figure 2. The biometric sequences $X^n$ and $Y^n$ are observed at the enrollment and authentication terminal, respectively. In the enrollment terminal, the helper data $M^{\prime }$ is generated for a given secret key K. The helper data is public, hence the eavesdropper also has access to it. In the authentication terminal, an estimation of a key $\widehat{K}$ is made based on the observed biometric authentication sequence $Y^n$ and the helper data $M^{\prime }$.

The masking layer, which is another uniformly distributed chosen secret key K, is added to the top of the generated secret key authentication. At the enrollment terminal, a secret key $K_g$ and a helper data M are generated. The generated secret key is added modulo-$|\mathcal{K}|$ to the masking layer K and sent together with the helper data as additional helper data, i.e., $M^{\prime }=(M,K\oplus K_g)$. At the authentication terminal, an estimation of the generated secret key ${\widehat{K}}_g$ is made based on $Y^n$ and M and the estimation of masking layer is made $\widehat{K}=K\oplus K_g\ominus {\widehat{K}}_g$.

We consider a block-processing of arbitrary but fixed length n. Let ${\mathcal{M}}^{\prime }≔\{1,\dots ,M_n^{\prime }\}$ be the helper data set and $\mathcal{K}≔\{1,\dots ,K_n\}$ the secret key set.

Definition 4.

An $(n,M_n^{\prime },K_n)$-code for chosen secret key authentication for joint-source $Q\in \mathcal{P}(\mathcal{X}\times \mathcal{Y})$ consists of an encoder f at the enrollment terminal with

$$\begin{array}{cc}\hfill f& :\mathcal{K}\times {\mathcal{X}}^n\to {\mathcal{M}}^{\prime }\hfill \end{array}$$

and a decoder ϕ at the authentication terminal

$$\phi :{\mathcal{Y}}^n\times {\mathcal{M}}^{\prime }\to \mathcal{K}.$$

Definition 5.

A privacy secrecy rate pair $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ for chosen secret key authentication is called achievable for a joint-source Q, if, for any $\delta >0,$ there exist an $n(\delta )\in \mathbb{N}$ and a sequence of $(n,M_n^{\prime },K_n)$-codes, such that, for all $n\ge n(\delta ),$ we have

$$\begin{array}{cc}\hfill Pr\{\widehat{K}\ne K\}& \le \delta ,\hfill \end{array}$$

(2a)

$$\begin{array}{cc}\hfill \frac{1}{n}log{K}_n& \ge R_K-\delta ,\hfill \end{array}$$

(2b)

$$\begin{array}{cc}\hfill \frac{1}{n}I(K;M^{\prime })& \le \delta ,\hfill \end{array}$$

(2c)

$$\begin{array}{cc}\hfill \frac{1}{n}I(X^n;M^{\prime })& \le R_{PL}+\delta .\hfill \end{array}$$

(2d)

Remark 4.

The difference between Definition 5 and 2 is that, in here, the uniformity of the key is already guaranteed.

Definition 6.

The privacy secrecy capacity region for chosen secret key authentication for the joint-source $Q\in \mathcal{P}(\mathcal{X}\times \mathcal{Y})$ is called privacy secrecy capacity region and is denoted as ${\mathfrak{C}}_C(Q)$.

We next present the privacy secrecy capacity region for chosen secret key authentication for the joint-source Q as showed in [11].

Theorem 2

 ([11]). The privacy secrecy capacity region for the chosen secret key authentication is given by

$${\mathfrak{C}}_C(Q)=\bigcup _{V:\mathcal{X}\to \mathcal{P}(\mathcal{U})}\mathcal{R}(Q,V).$$

3. Authentication for Compound Sources

Let $\mathcal{X}$ and $\mathcal{Y}$ be two finite sets and $\mathcal{S}$ a finite state set. Let $(x^n,y^n)\in {\mathcal{X}}^n\times {\mathcal{Y}}^n$ be a sequence pair of length $n\in \mathbb{N}$. For every $s\in \mathcal{S},$ the discrete memoryless joint-source is given by the joint probability distribution $Q_s^n(x^n,y^n)≔{\prod }_{i=1}^n{Q}_s(x_i,y_i)={\prod }_{i=1}^n{p}_s(x_i)W_s(y_i|x_i),$ with $p_s\in \mathcal{P}(\mathcal{X})$ a marginal distribution on $\mathcal{X}$ and $W_s:\mathcal{X}\to \mathcal{P}(\mathcal{Y})$ a stochastic matrix.

Definition 7.

The discrete memoryless compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$ is given by the family of joint probabilities distributions on $\mathcal{X}\times \mathcal{Y}$ as

$${\mathfrak{Q}}_{\mathcal{X}\mathcal{Y}}≔\{Q_s\in \mathcal{P}(\mathcal{X}\times \mathcal{Y}):s\in \mathcal{S}\}.$$

We define the finite set of marginal distributions ${\mathfrak{Q}}_{\mathcal{X}}$ over the alphabet $\mathcal{X}$ from the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$ as

$$\begin{array}{c}\hfill {\mathfrak{Q}}_{\mathcal{X}}≔\left\{p_s\in \mathcal{P}(\mathcal{X}):s\in \mathcal{S},p_s(x)=\sum _{y\in \mathcal{Y}}{Q}_s(x,y)\mathrm{for}\mathrm{every}x\in \mathcal{X}\mathrm{and}{Q}_s\in {\mathfrak{Q}}_{\mathcal{X}\mathcal{Y}}\right\}.\end{array}$$

We define $\mathcal{L}$ as the index set of ${\mathfrak{Q}}_{\mathcal{X}}$. Note that $|\mathcal{L}|=|{\mathfrak{Q}}_{\mathcal{X}}|\le |{\mathfrak{Q}}_{\mathcal{XY}}|$.

For every $\ell \in \mathcal{L}$, we define the subset of the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$ with the same marginal distribution $p_{\ell }$ as

$$\begin{array}{c}\hfill {\mathfrak{Q}}_{\mathcal{XY},\ell }≔\left\{Q_s\in {\mathfrak{Q}}_{\mathcal{XY}}:Q_s(x,y)=p_{\ell }(x)W_s(y|x)\mathrm{for}\mathrm{every}(x,y)\in \mathcal{X}\times \mathcal{Y}\right\}.\end{array}$$

For every $\ell \in \mathcal{L}$, we define the index set ${\mathcal{S}}_{\ell }$ of ${\mathfrak{Q}}_{\mathcal{XY},\ell }$ as

$${\mathcal{S}}_{\ell }≔\{s\in \mathcal{S}:Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell }\}.$$

Remark 5.

Note that, for every $\ell ,{\ell }^{\prime }\in \mathcal{L}$ with $\ell \ne {\ell }^{\prime }$, it holds that ${\mathfrak{Q}}_{\mathcal{XY},\ell }\cap {\mathfrak{Q}}_{\mathcal{XY},{\ell }^{\prime }}=\varnothing$, ${\mathcal{S}}_{\ell }\cap {\mathcal{S}}_{{\ell }^{\prime }}=\varnothing$, $\mathcal{S}={\bigcup }_{\ell \in \mathcal{L}}{\mathcal{S}}_{\ell }$ and ${\mathfrak{Q}}_{\mathcal{XY}}={\bigcup }_{\ell \in \mathcal{L}}{\mathfrak{Q}}_{\mathcal{XY},\ell }$.

3.1. Compound Generated Secret Key Model

In this section, we study the generated secret key authentication for finite compound joint-sources, which is a special class of sources that model a limited SSI, as shown in Figure 3.

Figure 3. The attacker controls the state of the source $s\in \mathcal{S}$. The biometric sequences $X^n$ and $Y^n$ are observed at the enrollment and authentication, terminal respectively. In the enrollment terminal, the key K and the helper data $M^{\prime }$ are generated. The helper data is public, hence the attacker also has access to it. In the authentication terminal, an estimation of a key $\widehat{K}$ is made based on the observed authentication sequence $Y^n$ and the helper data $M^{\prime }$.

We consider a block-processing of arbitrary but fixed length n. Let ${\mathcal{M}}^{\prime }≔\{1,\dots ,M_n^{\prime }\}$ be the helper data set and $\mathcal{K}≔\{1,\dots ,K_n\}$ the secret key set.

Definition 8.

An $(n,M_n^{\prime },K_n)$-code for generated secret key authentication for the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}\subset \mathcal{P}(\mathcal{X}\times \mathcal{Y})$ consists of an encoder f at the enrollment terminal with

$$\begin{array}{cc}\hfill f& :{\mathcal{X}}^n\to \mathcal{K}\times {\mathcal{M}}^{\prime }\hfill \end{array}$$

and a decoder ϕ at the authentication terminal

$$\phi :{\mathcal{Y}}^n\times {\mathcal{M}}^{\prime }\to \mathcal{K}.$$

Definition 9.

A privacy secrecy rate pair $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ is called achievable for generated secret key authentication for the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$, if, for any $\delta >0,$ there exist an $n(\delta )\in \mathbb{N}$ and a sequence of $(n,M_n^{\prime },K_n)$-codes, such that for all $n\ge n(\delta )$ and for every $s\in \mathcal{S},$ we have

$$\begin{array}{cc}\hfill Pr\{\widehat{K}\ne K\}& \le \delta ,\hfill \\ \hfill H(K)+\delta \ge \frac{1}{n}log{K}_n& \ge R_K-\delta ,\hfill \\ \hfill I(K;M^{\prime })& \le \delta ,\hfill \\ \hfill \frac{1}{n}I(X_s^n;M^{\prime })& \le R_{PL}+\delta .\hfill \end{array}$$

Consider the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$. For a fixed $\ell \in \mathcal{L}$, $V:\mathcal{X}\to \mathcal{P}(\mathcal{U})$ and for every $s\in {\mathcal{S}}_{\ell }$, we define the region $\mathcal{R}(V,\ell ,s)$ as the set of all $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ that satisfy

$$\begin{array}{cc}\hfill R_K& \le I(U_{\ell };Y_s),\hfill \\ \hfill R_{PL}& \ge I(U_{\ell };X_{\ell })-I(U_{\ell };Y_s),\hfill \end{array}$$

with $P_{UXY,s}(u,x,y)=V(u|x)Q_s(x,y)$.

Theorem 3.

The privacy secrecy capacity region for generated secret key authentication for the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$ is given by

$${\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY}})=\bigcap _{\ell \in \mathcal{L}}\bigcup _{\begin{array}{c}V:\mathcal{X}\to \mathcal{P}(\mathcal{U})\\ |\mathcal{U}|\le |\mathcal{X}|+|{\mathcal{S}}_{\ell }|\end{array}}\bigcap _{s\in {\mathcal{S}}_{\ell }}\mathcal{R}(V,\ell ,s).$$

Proof. 

The proof of Theorem 3 consists of two parts: achievability and converse. The achievability scheme uses the following protocol:

• Estimate the marginal distribution $p_{\widehat{\ell }}\in {\mathfrak{Q}}_{\mathcal{X}}$ from the observed sequence $X^n$ at the enrollment terminal via hypothesis testing.
• Compute the key K and a helper data M based on $X^n$, a common shared sequence $T=U^n$ by the enrollment and authentication terminal and using an extractor function $g:{\{0,1\}}^n\times {\{0,1\}}^d\to {\{0,1\}}^k$ with $N,d,k\in \mathbb{N}$ whose input are the shared sequence T and a sequence of d uniformly distributed bits $U_d$. The helper data M is equivalent to the helper data for the case with perfect SSI. The extended helper data in this case contains also the state of the marginal distribution and the uniformly distributed bits sequence, i.e., $M^{\prime }=(M,\widehat{L},U_d)$.
• Store the extended helper data $M^{\prime }$ in the public database.
• Estimate the key $\widehat{K}$ at the authentication terminal, based on the observations $M^{\prime }$ and $Y^n$, which can be seen as the outcome of one of the channels in ${\mathfrak{W}}_{\widehat{\ell }}≔\{W_s:\mathcal{X}\to \mathcal{P}(\mathcal{Y}):s\in {\mathcal{S}}_{\widehat{\ell }}\}$.

A detailed proof can be found in Appendix A. □

Remark 6.

Note that the authentication for compound source model is a generalization of the models studied by [11,12], i.e., $|\mathcal{S}|=1$. Furthermore, one can see that, for $|\mathcal{S}|=1$, the capacity region under the strong secrecy condition equals the capacity region under the weak secrecy condition showed by [11,12].

Remark 7.

As we already mentioned, we aim for strong secrecy, i.e., in contrast to the weak secrecy constraint in (1c), we now require the un-normalized mutual information between the key and the helper data to be negligibly small. It would be Ideal to show perfect secrecy and a perfectly uniformed key, i.e., $I(K;M^{\prime })=0$ and $H(K)=\frac{1}{n}log{K}_n$. It would be interesting to see how this constraint affects the achievable rate region. We suspect that the achievable rate region under perfect secrecy and perfectly uniformed key remains the same as in Theorem 3.

Remark 8.

From the protocol, note that once we have estimated the marginal distribution $p_{\widehat{\ell }}\in {\mathfrak{Q}}_{\mathcal{X}},$ we deal with a compound channel model without channel state information (CSI) at the transmitter (see [24]).

Remark 9.

The order of the set operations of the capacity region displays the fact that the marginal distribution is first estimated. This can be seen as partial state information, where the marginal distribution over $\mathcal{X}$ is known.

3.2. Compound Chosen Secret Key Model

In this section, we study chosen secret key authentication for finite compound joint-sources (see Figure 4).

Figure 4. The attacker controls the state of the source $s\in \mathcal{S}$. The biometric sequences $X^n$ and $Y^n$ are observed in the enrollment and authentication terminal, respectively. In the enrollment terminal, the key K is predefined and the helper data $M^{\prime }$ is generated. The helper data is public, hence the attacker also has access to it. In the authentication terminal, an estimation of a key $\widehat{K}$ is made based on the observed authentication sequences $Y^n$ and the helper data $M^{\prime }$.

We consider a $(n,M_n^{\prime },K_n)$-code of arbitrary but fixed length n.

Definition 10.

A privacy secrecy rate pair $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ is called achievable for chosen secret key authentication for the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$, if for any $\delta >0$ there exist an $n(\delta )\in \mathbb{N}$ and a sequence of $(n,M_n^{\prime },K_n)$-codes, such that, for all $n\ge n(\delta )$ and for every $s\in \mathcal{S},$ we have

$$\begin{array}{cc}\hfill Pr\{\widehat{K}\ne K\}& \le \delta ,\hfill \end{array}$$

(3a)

$$\begin{array}{cc}\hfill \frac{1}{n}log{K}_n& \ge R_K-\delta ,\hfill \end{array}$$

(3b)

$$\begin{array}{cc}\hfill I(K;M^{\prime })& \le \delta ,\hfill \end{array}$$

(3c)

$$\begin{array}{cc}\hfill \frac{1}{n}I(X_s^n;M^{\prime })& \le R_{PL}+\delta .\hfill \end{array}$$

(3d)

Consider the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$. For a fixed $\ell \in \mathcal{L}$, $V:\mathcal{X}\to \mathcal{P}(\mathcal{U})$ and for every $s\in {\mathcal{S}}_{\ell }$, we define the region $\mathcal{R}(V,\ell ,s)$ as the set of all $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ that satisfy

$$\begin{array}{cc}\hfill R_K& \le I(U_{\ell };Y_s),\hfill \\ \hfill R_{PL}& \ge I(U_{\ell };X_{\ell })-I(U_{\ell };Y_s),\hfill \end{array}$$

with $P_{UXY,s}(u,x,y)=V(u|x)Q_s(x,y)$.

Theorem 4.

The privacy secrecy capacity region for chosen secret key authentication for the compound joint-source ${\mathfrak{Q}}_{\mathcal{XY}}$ is given by

$${\mathfrak{C}}_C({\mathfrak{Q}}_{\mathcal{XY}})=\bigcap _{\ell \in \mathcal{L}}\bigcup _{\begin{array}{c}V:\mathcal{X}\to \mathcal{P}(\mathcal{U})\\ |\mathcal{U}|\le |\mathcal{X}|+|{\mathcal{S}}_{\ell }|\end{array}}\bigcap _{s\in {\mathcal{S}}_{\ell }}\mathcal{R}(V,\ell ,s).$$

Proof. 

The proof can be found in Appendix B. □

Remark 10.

Note that, as for generated secret key authentication for compound sources, chosen secret key authentication for compound sources is a generalization of the models studied by [11]. Furthermore, for perfect SSI, one can see that the capacity region under the strong secrecy condition equals the capacity region under the weak secrecy condition showed by [11].

Remark 11.

Note that the privacy secrecy capacity region for the generated key model equals the privacy secrecy capacity region for chosen secret key authentication, i.e., ${\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY}})={\mathfrak{C}}_C({\mathfrak{Q}}_{\mathcal{XY}})$.

4. Continuity of the Privacy Secrecy Capacity Region for Compound Sources

We are interested in studying how small variations in the compound source affect the privacy secrecy capacity region. The question of whether the capacity or capacity region is a continuous function of a source or channel is not always clear, especially if the source or channel are complicated. In [22], one can find an example of AVWCs, whose uncertainty set consists of only two channels, which already shows discontinuity points in its unassisted secrecy capacity. For a detailed discussion, see [25]. In this section, we study the continuity of the privacy secrecy capacity region for compound sources. For this purpose, we introduce the distance between two compound sources and capacity regions, respectively.

4.1. Distance between Compound Sources

Definition 11.

Let ${\mathfrak{Q}}_{\mathcal{XY},1}$ and ${\mathfrak{Q}}_{\mathcal{XY},2}$ be two compound sources. We define

$$\begin{array}{cc}\hfill d_1({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2})& =\underset{s_2\in {\mathcal{S}}_2}{max}\underset{s_1\in {\mathcal{S}}_1}{min}{\parallel Q_{s_1}-Q_{s_2}\parallel }_{TV},\hfill \\ \hfill d_2({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2})& =\underset{s_1\in {\mathcal{S}}_1}{max}\underset{s_2\in {\mathcal{S}}_2}{min}{\parallel Q_{s_1}-Q_{s_2}\parallel }_{TV}.\hfill \end{array}$$

The Hausdorff distance $D_H({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2})$ between ${\mathfrak{Q}}_{\mathcal{XY},1}$ and ${\mathfrak{Q}}_{\mathcal{XY},2}$ is defined as

$$\begin{array}{c}\hfill D_H({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2})=max\left\{d_1({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2}),d_2({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2})\right\}.\end{array}$$

Definition 12.

Let ${\mathcal{R}}_1,$ and ${\mathcal{R}}_2$ be two non-empty subsets of the metric space $({\mathbb{R}}^2,d)$ with $d(x,y)=\sqrt{{\sum }_{i=1}^2{|x_i-y_i|}^2}$ for all $x,y\in {\mathbb{R}}^2$. We define the distance between two sets as

$$\begin{array}{c}\hfill D_R({\mathcal{R}}_1,{\mathcal{R}}_2)=max\{\underset{r_1\in {\mathcal{R}}_1}{max}\underset{r_2\in {\mathcal{R}}_2}{min}d(r_1,r_2),\underset{r_2\in {\mathcal{R}}_2}{max}\underset{r_1\in {\mathcal{R}}_2}{min}d(r_1,r_2)\}.\end{array}$$

4.2. Continuity of the Privacy Secrecy Capacity Region

Theorem 5.

Let $ϵ\in (0,1)$ and $n\in \mathbb{N}$. Let ${\mathfrak{Q}}_{\mathcal{XY},1}$ and ${\mathfrak{Q}}_{\mathcal{XY},2}$ be two compound sources. If

$$D_H({\mathfrak{Q}}_{\mathcal{XY},1},{\mathfrak{Q}}_{\mathcal{XY},2})\le ϵ,$$

then it holds

$$D_R({\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY},1}),{\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY},2}))\le \delta (ϵ,|\mathcal{X}|,|\mathcal{Y}|)$$

(4)

with $\delta (ϵ)=\sqrt{{\delta }_1{(ϵ)}^2+{\delta }_2{(ϵ)}^2},$ where ${\delta }_1(ϵ)=2ϵlog|\mathcal{Y}|+2H_2(ϵ)-ϵlog\frac{ϵ}{|\mathcal{U}|}$ and ${\delta }_2(ϵ)=2ϵlog|\mathcal{Y}||\mathcal{X}|+4H_2(ϵ)-2ϵlog\frac{ϵ}{|\mathcal{U}|}$.

Remark 12.

Note that since the privacy secrecy capacity region for the chosen secret key equals the privacy secrecy capacity region for the chosen secret key, the continuity behaviour holds also for the chosen secret key privacy capacity region.

Remark 13.

This theorem shows that the privacy secrecy capacity region is a continuous function of the uncertainty set. In other words, small variations of the uncertainty set lead to small variations in the capacity region.

Proof. 

A detailed proof can be found in Appendix C. □

Remark 14.

A complete characterisation of the discontinuity behaviour of the AVC capacity under list decoding can be found in [26]. Note that this behaviour, based on Theorem 5, can not occur.

5. Conclusions

In this paper, we considered a biometric authentication model in the presence of source uncertainty. In particular, we studied a model where the actual source realization is not known, however it belongs to a known source set: this is the finite compound source model. We have shown that biometric authentication is robust against source uncertainty and certain classes of attacks. In other words, reliable and secure authentication is possible at positive key rates. We further characterize the minimum privacy leakage rate under source uncertainty. For future work, perfect secrecy for the biometric authentication model and a compound source with infinite sources is of great interest.

Appendix A.1. Achievability of Theorem 3

Appendix A.1.1. State Estimation

We first show that we can estimate the marginal distribution $p_{\widehat{\ell }}\in {\mathfrak{Q}}_{\mathcal{X}}$ correctly with probability approaching one. Then, for every $\ell =\widehat{\ell }\in \mathcal{L},$ we use the random coding argument to show that all rate pairs $(R_{PL},R_K)\in \mathcal{R}(V,\ell ,s)$ are achievable.

To estimate the actual source realization, we perform hypothesis testing. The set of hypotheses is the set of finite marginal distributions ${\mathfrak{Q}}_{\mathcal{X}}$. For every $\ell \in \mathcal{L},$ we define

$${\delta }_{\ell }=\frac{1}{2}\underset{\begin{array}{c}{\ell }^{\prime }\ne \ell \\ {\ell }^{\prime }\in \mathcal{L}\end{array}}{min}{\parallel p_{\ell }-p_{{\ell }^{\prime }}\parallel }_{TV}.$$

We choose $0<\delta <{min}_{\ell \in \mathcal{L}}{\delta }_{\ell }$ and consider the test set (typical sequences set) ${\mathcal{T}}_{p_{\ell },\delta }^n≔\{x^n\in {\mathcal{X}}^n:\parallel p_{x^n}-p_{\ell }\parallel \le \delta \}$. Note that, for every $\ell ,{\ell }^{\prime }\in \mathcal{L}$ with ${\ell }^{\prime }\ne \ell ,$ we have that ${\mathcal{T}}_{p_{{\ell }^{\prime }},\delta }^n\cap {\mathcal{T}}_{p_{\ell },\delta }^n=\varnothing$. We show this by arbitrarily choosing a sequence $x^n\in {\mathcal{T}}_{p_{\ell },\delta }^n$ of type $p_{x^n}$ and show that $\parallel p_{{\ell }^{\prime }}-p_{x^n}{\parallel }_{TV}>\delta$ for ${\ell }^{\prime }\ne \ell$. By the triangle inequality, we have

$$\begin{array}{cc}\hfill \parallel p_{\ell }-p_{{\ell }^{\prime }}{\parallel }_{TV}& =\parallel p_{\ell }-p_{{\ell }^{\prime }}+p_{x^n}-p_{x^n}{\parallel }_{TV}\hfill \\ & \le \parallel p_{\ell }-p_{x^n}{\parallel }_{TV}+{\parallel p_{x^n}-p_{{\ell }^{\prime }}\parallel }_{TV}.\hfill \end{array}$$

Hence,

$$\begin{array}{cc}\hfill \parallel p_{x^n}-p_{{\ell }^{\prime }}{\parallel }_{TV}& \ge \parallel p_{\ell }-p_{{\ell }^{\prime }}{\parallel }_{TV}-{\parallel p_{\ell }-p_{x^n}\parallel }_{TV}\hfill \\ & \ge 2{\delta }_{{\ell }^{\prime }}-\delta >\delta ,\hfill \end{array}$$

proving the disjointness of the sets.

The test function is the indicator function $\mathbb{1}[x^n\in {\mathcal{T}}_{p_{\ell },\delta }^n]$, i.e., after observing $x^n$ the test looks for the hypothesis $p_{\widehat{\ell }}=p_{\ell }$ for which $\mathbb{1}[x^n\in {\mathcal{T}}_{p_{\ell },\delta }^n]=1$.

An error occurs, if the sequence $x^n$ was generated by the source $p_{\ell }$ for any $\ell \in \mathcal{L}$; however, $x^n\notin {\mathcal{T}}_{p_{\ell },\delta }^n$. This implies that either $x^n\notin {\bigcup }_{\ell \in \mathcal{L}}{\mathcal{T}}_{p_{\ell },\delta }^n$ or $x^n\in {\mathcal{T}}_{p_{{\ell }^{\prime }},\delta }^n$ with ${\ell }^{\prime }\ne \ell$. Using Lemma 2.12 in [27], we upper bound the probability of this error event by

$$p_{\ell }({{\mathcal{T}}_{p_{\ell },\delta }^n}^c)\le {ϵ}_{\delta }(n,|\mathcal{X}|),$$

(A1)

where ${ϵ}_{\delta }(n,|\mathcal{X}|)={(n+1)}^{|\mathcal{X}|}{2}^{-nc{\delta }^2}$. Letting $n\to \infty$, the right-hand side of (A1) tends to zero.

Appendix A.1.2. Code Construction

For each $\ell \in \mathcal{L},$ we consider the auxiliary random variable U and the channel V and construct a code for which we analyze the decoding error, secrecy and privacy condition.

Generate $2^{n(R_K+R_M)}$ codewords $U_{k,m}^n$ with $k\in \mathcal{K}≔\{1,\dots ,2^{n{R}_K}\}$ and $m\in \mathcal{M}≔\{1,\dots ,2^{n{R}_M}\}$ by choosing each symbol $U_{i_{k,m}}$ in the codebook independently at random according to $p_u\in \mathcal{P}(\mathcal{U})$, computed from $p_{\ell }(x)V(u|x)\mathrm{for}\mathrm{every}(x,u)\in \mathcal{X}\times \mathcal{U}$. We denote the codebook as $\tilde{U}={\{U_{k,m}^n\}}_{(k,m)\in \mathcal{K}\times \mathcal{M}}$.

For every $\ell \in \mathcal{L}$ and every $s\in {\mathcal{S}}_{\ell },$ we define the following channels ${\Sigma }_{{\mathcal{X}}_{\ell }}:\mathcal{U}\to \mathcal{P}(\mathcal{X}),{\Sigma }_{{\mathcal{Y}}_s}:\mathcal{U}\to \mathcal{P}(\mathcal{Y})$ and ${\Sigma }_{{\mathcal{XY}}_s}:\mathcal{U}\to \mathcal{P}(\mathcal{X}\times \mathcal{Y})$ that satisfy:

$$\begin{array}{cc}\hfill {\Sigma }_{{\mathcal{X}}_{\ell }}(x|u)& =\frac{p_{\ell }(x)V(u|x)}{{\sum }_{x\in \mathcal{X}}{p}_{\ell }(x)V(u|x)},\hfill \\ \hfill {\Sigma }_{{\mathcal{Y}}_s}(y|u)& =\frac{{\sum }_{x\in \mathcal{X}}V(u|x)Q_s(x,y)}{{\sum }_{(x,y)\in \mathcal{X}\times \mathcal{Y}}V(u|x)Q_s(x,y)},\hfill \\ \hfill {\Sigma }_{{\mathcal{XY}}_s}(x,y|u)& =\frac{V(u|x)Q_s(x,y)}{{\sum }_{(x,y)\in \mathcal{X}\times \mathcal{Y}}V(u|x)Q_s(x,y)},\hfill \end{array}$$

for every $(u,x,y)\in \mathcal{U}\times \mathcal{X}\times \mathcal{Y}$.

Appendix A.1.3. Encoding Sets

For every $(k,m,\ell )\in \mathcal{K}\times \mathcal{M}\times \mathcal{L},$ we define the encoding sets ${\mathcal{E}}_{k,m,\ell }(\tilde{U})\subset {\mathcal{X}}^n$ as follows:

$${\mathcal{E}}_{k,m,\ell }(\tilde{U})={\mathcal{T}}_{{\Sigma }_{{\mathcal{X}}_{\ell }},{\delta }^{\prime }}^n(U_{k,m}^n),$$

with ${\delta }^{\prime }>\frac{\delta }{|\mathcal{U}|}$.

Remark 15.

Note that, by the definition of ${\delta }^{\prime }$ and Lemma 2.10 in [27], if $U_{k,m}^n\in {\mathcal{T}}_{p_u,{\delta }^{\prime \prime \prime }}^n$ with ${\delta }^{\prime \prime \prime }=\frac{\delta }{|\mathcal{U}|}-{\delta }^{\prime }$ and $x^n\in {\mathcal{T}}_{{\Sigma }_{{\mathcal{X}}_{\ell }},{\delta }^{\prime }}^n(U_{k,m}^n),$ then $x^n\in {\mathcal{T}}_{p_{\ell },\delta }^n$.

Appendix A.1.4. Decoding Sets

For every $(k,m,\ell )\in \mathcal{K}\times \mathcal{M}\times \mathcal{L},$ we define the decoding sets ${\mathcal{D}}_k(m(\tilde{U}),\ell )\subset {\mathcal{Y}}^n$ as follows:

$$\begin{array}{cc}\hfill {\mathcal{D}}_k^{\prime }(m(\tilde{U}),\ell )≔& \bigcup _{s\in {\mathcal{S}}_{\widehat{\ell }}}{\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(U_{k,m}^n),\hfill \\ \hfill {\mathcal{D}}_k(m(\tilde{U}),\ell )≔& {\mathcal{D}}_k^{\prime }(m(\tilde{U}),\ell )\cap {\left(\bigcup _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}{\mathcal{D}}_{k^{\prime }}^{\prime }(m(\tilde{U}),\ell )\right)}^c,\hfill \end{array}$$

with ${\delta }^{″}>\frac{\delta }{|\mathcal{U}|}$.

Remark 16.

One could consider sending some bits of the sequences $X^n$ through the public channel, such that the user at the authentication terminal can be able to estimate the actual source realization and so avoid the complicated decoding strategy. However, this approach would violate the strong secrecy condition.

Appendix A.1.5. Encoder–Decoder Pair Sets

For every $(k,m)\in \mathcal{K}\times \mathcal{M}$, we define the encoder–decoder pair set ${\mathcal{C}}_{k,m,\ell }(\tilde{U})\in {\mathcal{X}}^n\times {\mathcal{Y}}^n$ as follows:

$$\begin{array}{cc}\hfill {\mathcal{C}}_{k,m,\ell }(\tilde{U})& =({\mathcal{E}}_{k,m,\ell }(\tilde{U})\times {\mathcal{D}}_k(m(\tilde{U}),\ell ))\cap \left(\bigcup _{s\in {\mathcal{S}}_{\widehat{\ell }}}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n(U_{k,m}^n)\right),\hfill \end{array}$$

with $\tilde{\delta }>0$.

Appendix A.1.6. Error Analysis

For every $\ell \in \mathcal{L},$ assume that the marginal distribution was estimated correctly, i.e., $\widehat{\ell }=\ell$. We analyze the probability of each error event separately. We denote the error at the enrollment terminal given the codebook $\tilde{U}$ as ${ϵ}_{E,n}(\tilde{U})$. An error occurs at the enrollment terminal if, for every $(k,m,\ell )\in \mathcal{K}\times \mathcal{M}\times \mathcal{L},$ the observed sequence $x^n$ does not belong to ${\mathcal{E}}_{k,m,\ell }(\tilde{U})$, i.e.,

$$\begin{array}{cc}\hfill {ϵ}_{E,n}(\tilde{U})& =p_{\ell }^n\left({\left(\bigcup _{(k,m)\in \mathcal{K}\times \mathcal{M}}{\mathcal{E}}_{k,m,\ell }(\tilde{U})\right)}^c\right)\hfill \\ & =p_{\ell }^n\left(\bigcap _{(k,m)\in \mathcal{K}\in \mathcal{M}}{\mathcal{E}}_{k,m,\ell }{(\tilde{U})}^c\right)\hfill \\ & =\prod _{(k,m)\in \mathcal{K}\in \mathcal{M}}\left[1-p_{\ell }^n({\mathcal{E}}_{k,m,\ell }(\tilde{U}))\right].\hfill \end{array}$$

Averaging over all codebooks, from the independence of the random variables involved and from Lemma 2.13 in [27], we have

$$\begin{array}{cc}\hfill {\mathbb{E}}_{\tilde{U}}({ϵ}_{E,n}(\tilde{U}))& =\prod _{(k,m)\in \mathcal{K}\in \mathcal{M}}{\mathbb{E}}_{U_{k,m}^n}\left[1-p_{\ell }^n({\mathcal{T}}_{{\Sigma }_{{\mathcal{X}}_{\ell }},{\delta }^{\prime }}^n(U_{k,m}^n))\right]\hfill \\ & \le {[1-{(n+1)}^{-|\mathcal{U}||\mathcal{X}|}(2^{-n(I(U_{\ell };X_{\ell })}{2}^{\psi ({\delta }^{\prime },|\mathcal{U}||\mathcal{X}|))})]}^{2^{n(R_K+R_M)}}\hfill \\ & \le exp\left(-{(n+1)}^{-|\mathcal{U}||\mathcal{X}|}\right)exp\left(2^{n(R_K+R_M-I(U_{\ell };X_{\ell })-\psi ({\delta }^{\prime },|\mathcal{U}||\mathcal{X}|))}\right).\hfill \end{array}$$

(A2)

The inequality (A2) follows from ${(1-x)}^r\le exp(-rx)$, which holds for every $x,r>0$. Letting $n\to \infty$ and choosing

$$R_K+R_M>I(U_{\ell };X_{\ell })+\psi ({\delta }^{\prime },|\mathcal{U}||\mathcal{X}|),$$

(A3)

the right-hand side of (A2) goes doubly exponentially fast to zero. An error at the authentication terminal occurs, when $(k,m)$ was encoded at the enrollment terminal, but $k^{\prime }\ne k$ was decoded at the authentication terminal. The set of joint observations describing this event is given by

$$\begin{array}{cc}\hfill {\mathcal{C}}_{{\mathcal{E}}_{k,m,\ell }}{(\tilde{U})}^c& ={\mathcal{C}}_{k,m,\ell }{(\tilde{U})}^c\cap \left({\mathcal{E}}_{k,m,\ell }(\tilde{U})\times {\mathcal{D}}_k{(m(\tilde{U}),\ell )}^c\right)\hfill \\ & =\left({\mathcal{E}}_{k,m,\ell }(\tilde{U})\times {\mathcal{D}}_k{(m(\tilde{U}),\ell )}^c\right)\cup \left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c\right).\hfill \end{array}$$

We denote the error probability of this event given the codebook $\tilde{U}$ for each correlated source $Q_t$ with $t\in {\mathcal{S}}_{\ell }$ as ${ϵ}_{n,k}^t(\tilde{U})$.

$$\begin{array}{cc}\hfill {ϵ}_{n,k}^t(\tilde{U})& ={\Sigma }_{{\mathcal{XY}}_t}^n({\mathcal{C}}_{{\mathcal{E}}_{k,m,\ell }}{(\tilde{U})}^c|U_{k,m}^n)\hfill \\ & ={\Sigma }_{{\mathcal{XY}}_t}^n\left(\left({\mathcal{E}}_{k,m,\ell }(\tilde{U})\times {\mathcal{D}}_k{(m(\tilde{U}),\ell )}^c\right)\cup \left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c\right)|U_{k,m}^n\right)\hfill \\ & \le {\Sigma }_{{\mathcal{XY}}_t}^n\left({\mathcal{E}}_{k,m,\ell }(\tilde{U})\times {\mathcal{D}}_k{(m(\tilde{U}),\ell )}^c|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{XY}}_t}^n\left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)\hfill \\ & \le {\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{D}}_k{(m(\tilde{U}),\ell )}^c|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{XY}}_t}^n\left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)\hfill \\ & ={\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{D}}_k^{\prime }{(m)}^c\cup \left(\bigcup _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}{\mathcal{D}}_{k^{\prime }}^{\prime }(m(\tilde{U}),\ell )\right)|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{XY}}_t}^n\left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)\hfill \\ & \le {\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{D}}_k^{\prime }{(m)}^c|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{Y}}_t}^n\left(\bigcup _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}{\mathcal{D}}_{k^{\prime }}^{\prime }(m(\tilde{U}),\ell )|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{XY}}_t}^n\left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)\hfill \\ & ={\Sigma }_{{\mathcal{Y}}_t}^n\left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{Y}}_t}^n\left(\bigcup _{s\in {\mathcal{S}}_{\ell }}\bigcup _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}{\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(U_{k^{\prime },m}^n)|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{XY}}_t}^n\left(\bigcap _{s\in {\mathcal{S}}_{\ell }}{\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_s},\tilde{\delta }}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)\hfill \\ & \le {\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_t},\delta }^n{(U_{k,m}^n)}^c|U_{k,m}^n\right)+\sum _{s\in {\mathcal{S}}_{\ell }}\sum _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}{\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(U_{k^{\prime },m}^n)|U_{k,m}^n\right)+{\Sigma }_{{\mathcal{XY}}_t}^n\left({\mathcal{T}}_{{\Sigma }_{{\mathcal{XY}}_t},\tilde{\delta }}^n{(U_{k,m}^n)}^c|U_{k,m}^n\right).\hfill \end{array}$$

Averaging over all codebooks and applying Lemma 2.12 in [27], we have

$$\begin{array}{cc}\hfill {\mathbb{E}}_{\tilde{U}}({ϵ}_{n,k}^t(\tilde{U}))& \le {ϵ}_{{\delta }^{″}}(n,|\mathcal{U}||\mathcal{Y}|)+{ϵ}_{\tilde{\delta }}(n,|\mathcal{U}||\mathcal{X}||\mathcal{Y}|)+\sum _{s\in {\mathcal{S}}_{\ell }}\sum _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}{\mathbb{E}}_{U_{k^{\prime },m}^n}{\mathbb{E}}_{U_{k,m}^n}{\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(U_{k^{\prime },m}^n)|U_{k,m}^n\right),\hfill \end{array}$$

with ${ϵ}_{{\delta }^{″}}(n,|\mathcal{U}||\mathcal{Y}|)={(n+1)}^{|\mathcal{U}||\mathcal{Y}|}{2}^{-nc{\delta }^{″2}}$ and ${ϵ}_{\tilde{\delta }}(n,|\mathcal{U}||\mathcal{X}||\mathcal{Y}|)={(n+1)}^{|\mathcal{U}||\mathcal{X}||\mathcal{Y}|}{2}^{-nc{\tilde{\delta }}^2}$.

For $k^{\prime }\ne k$ and applying from Lemma 3.3 in [28], we can bound the second term of the last inequality by

$$\begin{array}{cc}\hfill {\mathbb{E}}_{U_{k,m}^n}{\Sigma }_{{\mathcal{Y}}_t}^n({\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(& U_{k^{\prime },m}^n)|U_{k,m}^n)\le \frac{p_{Y,t}^n\left({\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(U_{k^{\prime },m}^n)\right)}{p_u^n({\mathcal{T}}_{p_u,{\delta }^{\prime \prime \prime }}^n),}\hfill \end{array}$$

with ${\delta }^{\prime \prime \prime }={\delta }^{\prime }-\frac{\delta }{|\mathcal{U}|}$, since $U_{k^{\prime },m}^n\in {\mathcal{T}}_{p_u,\delta }^n$ with probability one. For any $t,s\in {\mathcal{S}}_{\ell },$ we have

$$\begin{array}{c}{\mathbb{E}}_{U_{k,m}^n}{\Sigma }_{{\mathcal{Y}}_t}^n\left({\mathcal{T}}_{{\Sigma }_{{\mathcal{Y}}_s},{\delta }^{″}}^n(U_{k^{\prime },m}^n)|U_{k,m}^n\right)\le \frac{{(n+1)}^{|\mathcal{U}||\mathcal{Y}|}}{1-{ϵ}_{{\delta }^{\prime \prime \prime }}(n,|\mathcal{U}|)}{2}^{-n(I(U_{\ell };Y_s)-\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|))}.\end{array}$$

For every $t,s\in {\mathcal{S}}_{\ell }$ and every $k\in \mathcal{K}$, we have

$$\begin{array}{c}{\mathbb{E}}_{\tilde{U}}({ϵ}_{n,k}^t(\tilde{U})|U_{k,m}^n)\le {ϵ}_{{\delta }^{″}}(n,|\mathcal{U}||\mathcal{Y}|)+\sum _{s\in {\mathcal{S}}_{\ell }}\sum _{\begin{array}{c}{k}^{\prime }\ne k\\ k^{\prime }\in \mathcal{K}\end{array}}\frac{{(n+1)}^{|\mathcal{U}||\mathcal{Y}|}}{1-{ϵ}_{{\delta }^{\prime \prime \prime }}(n,|\mathcal{U}|)}{2}^{-n(I(U_{\ell };Y_s)-\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|))}\\ +{ϵ}_{\tilde{\delta }}(n,|\mathcal{U}||\mathcal{X}||\mathcal{Y}|)\hfill \\ \le {ϵ}_{{\delta }^{″}}(n,|\mathcal{U}||\mathcal{Y}|)+\frac{{(n+1)}^{|\mathcal{U}||\mathcal{Y}|}}{1-{ϵ}_{{\delta }^{\prime \prime \prime }}(n,|\mathcal{U}|)}|{\mathcal{S}}_{\ell }|2^{-n({min}_{s\in {\mathcal{S}}_{\ell }}I(U_{\ell };Y_s)-R_K-\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|))}\hfill \\ +{ϵ}_{\tilde{\delta }}(n,|\mathcal{U}||\mathcal{X}||\mathcal{Y}|).\hfill \end{array}$$

There is an $n({\delta }^{″},{\delta }^{\prime \prime \prime },\tilde{\delta },|\mathcal{U}|,|\mathcal{X}|,|\mathcal{Y}|)$ such that for all $n>n(\delta ,{\delta }^{\prime \prime \prime },\tilde{\delta },|\mathcal{U}|,|\mathcal{X}|,|\mathcal{Y}|)$ for which we have

$$\begin{array}{c}{\mathbb{E}}_{\tilde{U}}({ϵ}_{n,k}^t(\tilde{U})|U_{k,m}^n)\le |{\mathcal{S}}_{\ell }|2^{-n({min}_{s\in {\mathcal{S}}_{\ell }}I(U_{\ell };Y_s)-R_K-\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|))}\end{array}$$

(A4)

for all $k\in \mathcal{K}$. By choosing

$$R_K<I(U_{\ell };Y_s)-\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|)$$

(A5)

and letting $n\to \infty$, the right-hand side of (A4) tends to zero. Considering (A5) and (A3), the helper data rate is lower bounded by

$$\begin{array}{cc}\hfill R_M& >I(U_{\ell };X_{\ell })-I(U_{\ell };Y_s)+\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|)+\psi ({\delta }^{\prime },|\mathcal{U}|,|\mathcal{X}|).\hfill \end{array}$$

(A6)

Appendix A.1.7. Key Distribution

Besides reliability, a privacy secrecy rate pair has to fulfill three other conditions. One of them is that the secret key distribution must be close to the uniform distribution. Here, we show that this is indeed satisfied using the proof of [13]. For completeness, we introduce a sketch of the proof shown in [13] for a sequential key distillation, which consists of two phases: reconciliation and privacy amplification. The reconciliation step is equivalent to the reliability proved above. The privacy amplification step consists on the construction of the key K from a common shared sequence $T=U^n$ using an extractor function $g:{\{0,1\}}^n\times {\{0,1\}}^d\to {\{0,1\}}^k$ with $d,k,N\in \mathbb{N}$ whose inputs are the shared sequence T and a sequence of d uniformly distributed bits $U_d$ and gives as output a k nearly uniformly distributed sequence.

Lemma 1

 ([7]). Let $T\in {\{0,1\}}^n$ be the random variable that represents the common sequence shared by both terminals and let E be the random variable that represents the total knowledge about T available to the eavesdropper. Let e be a particular realization of E. If both terminals know the conditional min-entropy $H_{\infty }(T|E=e)\ge \gamma n$ for some $\gamma \in (0,1)$, then there exists an extractor

$$g:{\{0,1\}}^n\times {\{0,1\}}^d\to {\{0,1\}}^k$$

with

$$d\le n\delta (n)andk\ge n(\gamma -\delta (n)),$$

with ${lim}_{n\to \infty }\delta (n)=0$ and if $U_d$ is a random variable with uniform distribution on ${\{0,1\}}^d$ and both terminals choose $K=g(T,U_d)$ as their secret key, then

$$H(K|U_d,E=e)\ge k-\delta (n).$$

Sequential key distillation protocol: For every source realization $s\in \mathcal{S},$ we have an $\ell =\ell (s)\in \mathcal{L}$ such that $Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell }$. For every $\ell \in \mathcal{L},$ we perform the following protocol:

• Repeat $i\in \mathbb{N}$ times the reconciliation protocol creating i shared sequences $T_1,T_2,\cdots ,T_i$ of length n.
• Perform the privacy amplification phase based on an extractor with output size k, i.e., $K=g(T_1,T_2,\cdots ,T_i,U_d)=g(U_1^n,U_2^n,\cdots ,U_i^n,U_d)=g(U^N,U_d)$ with $N=in$. $U_d$ has to be transmitted through the public channel together with the public message $M^i$.
• The total information available to the eavesdropper is $E=(M^i,U_d,\Theta )$, with $\Theta$ being a binary random variable introduced for calculation purposes informing if $T^i\in {\mathcal{T}}_{p_T,\delta }^n$.

In [13], it was shown that

$$\begin{array}{cc}\hfill H_{\infty }(T^i|M_{\ell }^i=m^i,\widehat{L}=\ell ,\Theta =1,U_d)\ge & NI(U_{\ell };Y_s)-N\varphi (\delta {,}^{″}|\mathcal{U}|,|\mathcal{Y}|)H(X_{\ell }|U_{\ell })-2i\hfill \\ & -i\varphi (\delta {,}^{″}|\mathcal{U}|,|\mathcal{Y}|)-{\delta }_{ϵ}(i)-N\delta (N)-\sqrt{(}N),\hfill \end{array}$$

(A7)

with ${lim}_{n\to \infty }{\delta }_{ϵ}(n)=0$ (see Lemma 1 in [13]). Using Lemma 1, we have

$$H(K_{\ell }|M_{\ell }^i=m^i,\widehat{L}=\ell ,\Theta =1,U_d)\ge k-\delta (N),$$

which implies that

$$\begin{array}{cc}\hfill H(K_{\ell }|\widehat{L}=\ell )& \ge H(K_{\ell }|M_{\ell }^i,\Theta ,U_d,\widehat{L}=\ell )\ge k-\delta (N).\hfill \end{array}$$

(A8)

Since this holds for every $\ell \in \mathcal{L}$, we have that

$$\begin{array}{cc}\hfill log|\mathcal{K}|& \ge k\hfill \\ & \ge H(K_{\ell })\hfill \\ & \ge H(K_{\ell }|\widehat{L}).\hfill \end{array}$$

(A9)

Furthermore, we have

$$\begin{array}{cc}\hfill H(K_{\ell }|\widehat{L})& =\sum _{\tilde{\ell }\in \mathcal{L}}Pr\{\widehat{L}=\tilde{\ell }\}H(K_{\ell }|\widehat{L}=\tilde{\ell })\hfill \\ & =Pr\{\widehat{L}=\ell \}H(K_{\ell }|L=\ell )+\sum _{\begin{array}{c}\tilde{\ell }\ne \ell \\ \tilde{\ell }\in \mathcal{L}\end{array}}Pr\{\widehat{L}=\tilde{\ell }\}H(K_{\ell }|\widehat{L}=\tilde{\ell })\hfill \\ & =Pr\{\widehat{L}=\ell \}H(K_{\ell }|\widehat{L}=\ell )+Pr\{\widehat{L}\ne \ell \}H(K_{\ell }|\widehat{L}\ne \ell )\hfill \\ & \le Pr\{\widehat{L}=\ell \}H(K_{\ell }|\widehat{L}=\ell )+Pr\{\widehat{L}\ne \ell \}\underset{\ell \in \mathcal{L}}{max}H(K_{\ell }|\widehat{L}\ne \ell )\hfill \\ & \le Pr\{\widehat{L}=\ell \}H(K_{\ell }|\widehat{L}=\ell )+{ϵ}_{\delta }{(n,|\mathcal{X}|)}^{i}Nlog|\mathcal{X}|\hfill \end{array}$$

(A10)

$$\begin{array}{cc}& \le H(K_{\ell }|\widehat{L}=\ell )+{(n+1)}^{|\mathcal{X}|i}Nlog|\mathcal{X}|2^{-Nc{\delta }^2}\hfill \\ & =H(K_{\ell }|\widehat{L}=\ell )+{ϵ}_{\delta }(n,i,|\mathcal{X}|),\hfill \end{array}$$

(A11)

where ${lim}_{i,n\to \infty }{ϵ}_{\delta }(n,i,|\mathcal{X}|)=0$ and (A10) follows from (A1). We then have that

$$\begin{array}{c}\hfill |H(K_{\ell }|\widehat{L})-H(K_{\ell }|\widehat{L}=\ell )|\le {ϵ}_{\delta }(n,i,|\mathcal{X}|),\end{array}$$

(A12)

showing that $H(K_{\ell }|\widehat{L})$ approaches $H(K_{\ell }|\widehat{L}=\ell )$ for increasing n or i or both at the same time.

Combining (A8), (A9) and (A12), we get

$$\begin{array}{cc}\hfill log|\mathcal{K}|& \ge H(K_{\ell }|\widehat{L}=\ell )-{ϵ}_{\delta }(n,i,|\mathcal{X}|)\hfill \\ & \ge k-\delta (N)-{ϵ}_{\delta }(n,i,|\mathcal{X}|)\hfill \\ & =log|\mathcal{K}|-\delta (N)-{ϵ}_{\delta }(n,i,|\mathcal{X}|).\hfill \end{array}$$

(A13)

Appendix A.1.8. Privacy Leakage

Another condition that has to be fulfilled by an achievable privacy secrecy rate pair is that the information rate provided by the helper data about the sequence $X^n$ is bounded. We show here that this condition is fulfilled.

For every source realization $s\in \mathcal{S},$ we have an $\ell =\ell (s)\in \mathcal{L}$ such that $Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell }$. For every $\ell \in \mathcal{L},$ we have

$$\begin{array}{cc}\hfill \frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d,\widehat{L})& =\frac{1}{N}I(X_{\ell }^N;\widehat{L})+\frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L})\hfill \\ & \le \frac{log|\mathcal{L}|}{N}+\frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L}).\hfill \end{array}$$

(A14)

We analyze the second term of the right-hand side of (A14):

$$\begin{array}{cc}\hfill \frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L})& \le Pr\{\widehat{L}=\ell \}\frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L}=\ell )+Pr\{\widehat{L}\ne \ell \}log|\mathcal{X}|.\hfill \end{array}$$

Similar to (A11), we have

$$\begin{array}{c}\hfill \frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L})\le \frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L}=\ell )+{ϵ}_{\delta }{(n,|\mathcal{X}|)}^{i}log|\mathcal{X}|.\end{array}$$

(A15)

For every $\ell \in \mathcal{L}$ and from (A6), it holds

$$\begin{array}{cc}\hfill \frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d|\widehat{L}=\ell )& \le \frac{ilog|\mathcal{M}|}{N}+\frac{d+1}{N}\hfill \\ & \le I(U_{\ell };X_{\ell }|\widehat{L}=\ell )-I(U_{\ell };Y_s)+\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|)+\psi ({\delta }^{\prime },|\mathcal{U}|,|\mathcal{X}|)\hfill \end{array}$$

(A16)

$$\begin{array}{cc}& +\frac{d+1}{N},\hfill \end{array}$$

(A17)

with $\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|)>0$ and $\psi ({\delta }^{\prime },|\mathcal{U}|,|\mathcal{X}|)>0$. Combining (A14), (A15) and (A17), it follows that

$$\begin{array}{cc}\hfill \frac{1}{N}I(X_{\ell }^N;M_{\ell }^i,\Theta ,U_d,\widehat{L})& \le I(U_{\ell };X_{\ell }|\widehat{L}=\ell )-I(U_{\ell };Y_s)+\frac{log|\mathcal{L}|}{N}+\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|)\hfill \\ & +\psi ({\delta }^{\prime },|\mathcal{U}|,|\mathcal{X}|)+{ϵ}_{\delta }{(n,|\mathcal{X}|)}^{i}log|\mathcal{X}|,\hfill \end{array}$$

where the last three terms of the right-hand side of the inequality goes to zero for large enough n and i.

Appendix A.1.9. Secrecy Leakage

The last condition that has to be fulfilled by an achievable privacy secrecy rate pair is that the information rate provided by the helper data about the secret key is negligibly small. For every source realization $s\in \mathcal{S},$ we have an $\ell =\ell (s)\in \mathcal{L}$ such that $Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell }$. For every $\ell \in \mathcal{L},$ we have

$$\begin{array}{c}\hfill I(K_{\ell };M_{\ell }^i,\Theta ,U_d,\widehat{L})=I(K_{\ell };\widehat{L})+I(K_{\ell };M_{\ell }^i,\Theta ,U_d,|\widehat{L}).\end{array}$$

(A18)

We first consider the first term of (A18). Using (A8) and (A12), we get that

$$\begin{array}{cc}\hfill I(K_{\ell };\widehat{L})& =H(K_{\ell })-H(K_{\ell }|\widehat{L})\le \delta (N)+{ϵ}_{\delta }(n,i,|\mathcal{X}|).\hfill \end{array}$$

We consider the second term of (A18). Using (A13), we get

$$\begin{array}{cc}\hfill I(K_{\ell };M_{\ell }^i,\Theta ,U_d|\widehat{L})& \le Pr\{\widehat{L}=\ell \}I(K_{\ell };M_{\ell }^i,\Theta ,U_d|\widehat{L}=\ell )+Pr\{\widehat{L}\ne \ell \}Nlog|\mathcal{X}|\hfill \\ & \le H(K_{\ell }|\widehat{L}=\ell )-H(K_{\ell }|M_{\ell }^i,\Theta ,U_d,\widehat{L}=\ell )+ϵ{(n,|\mathcal{X}|)}^{i}Nlog|\mathcal{X}|2^{-Nc{\delta }^2}\hfill \\ & \le log|\mathcal{K}|-log|\mathcal{K}|+\delta (N)+{ϵ}_{\delta }(n,i,|\mathcal{X}|)\hfill \\ & =\delta (N)+{ϵ}_{\delta }(n,i,|\mathcal{X}|).\hfill \end{array}$$

(A19)

Hence,

$$I(K_{\ell };M_{\ell }^i,\Theta ,U_d,\widehat{L})\le 2\delta (N)+2{ϵ}_{\delta }(n,i,|\mathcal{X}|).$$

(A20)

Note that the right-hand side of the inequality goes to zero for large enough N, showing that for every source realization $s\in \mathcal{S}$, the secret key information rate leaked by the helper is negligibly small.

Note that we showed that the rate pair can be achieved for large $N=in$, i.e., not for all $N\in \mathbb{N}$. To show the achievability for all blocklengths $N\in \mathbb{N},$ we define the sequence $N_i$ with $i\in \mathbb{N}$ with $N_i=i^2$ . We showed that for the sequence $N_i$ of blocklengths with $i\in \mathbb{N}$, there exists a blocklength $N_{i_0}$ such that for all blocklengths $N_i>N_{i_0}$, we can find a code sequence that fulfills the achievability conditions. For every $N_i<N<N_{i+1},$ one can rewrite $N=N_i+r_i$ with $r_i<N_{i+1}-N_i$. We use only the first $N_i$ symbols to generate the key and discard the rest $r_i$. One can easily see that there is a $ϵ(N)$ such that, for $\delta =ϵ(N),$ all conditions are fulfilled. This completes the proof of achievability.

Appendix A.2. Converse of Theorem 3

For the converse, we consider a genie-aided enrollment and authentication terminal, i.e., the user at the enrollment and authentication terminal has partial knowledge of the source, i.e., he knows the actual state of the marginal distribution $\ell \in \mathcal{L}$ but not the complete source state. The converse follows from the corresponding result for a joint-source with perfect SSI shown in [11]. For a fixed $\ell \in \mathcal{L}$, $s\in {\mathcal{S}}_{\ell }$ and $V:\mathcal{X}\to \mathcal{P}(\mathcal{U}),$ we define the region $\mathcal{R}(V,\ell ,s)$ as the set of all $(R_{PL},R_K)\in {\mathbb{R}}_{+}^2$ that satisfy

$$\begin{array}{cc}\hfill R_K& \le I(U_{\ell };Y_s),\hfill \\ \hfill R_{PL}& \ge I(U_{\ell };X_{\ell }|L=\ell )-I(U_{\ell };Y_s).\hfill \end{array}$$

We start analyzing the secret key rate. For a fixed $\ell \in \mathcal{L}$ and $s\in {\mathcal{S}}_{\ell },$ we have

$$\begin{array}{cc}\hfill H(K_{\ell })& =H(K_{\ell }|L=\ell )\hfill \\ & =I(K_{\ell };M_{\ell }{Y}_s^n|L=\ell )+H(K_{\ell }|M_{\ell }{Y}_s^n\widehat{K},L=\ell ),\hfill \end{array}$$

where $\widehat{K}$ is a deterministic function of $M,Y^n$ and $L=\ell$, i.e., $\widehat{K}=f(M,Y^n,L=\ell ),$

$$\begin{array}{cc}\hfill H(K_{\ell })& \le I(K_{\ell };M_{\ell }{Y}_s^n|L=\ell )+H(K_{\ell }|\widehat{K})\hfill \\ & \le I(K_{\ell };M_{\ell }{Y}_s^n|L=\ell )+{ϵ}_n\hfill \\ & =I(K_{\ell };M_{\ell }|L=\ell )+I(K_{\ell }{M}_{\ell };Y_s^n|L=\ell )+{ϵ}_n\hfill \\ & =I(K_{\ell };M_{\ell }|L=\ell )+\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell };Y_{s,i}|Y_s^{i-1}L=\ell )+{ϵ}_n\hfill \\ & =I(K_{\ell };M_{\ell }|L=\ell )+\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{Y}_s^{i-1};Y_{s,i}|L=\ell )+{ϵ}_n\hfill \end{array}$$

(A21)

$$\begin{array}{cc}& \le I(K_{\ell };M_{\ell }|L=\ell )+\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{X}_{\ell }^{i-1};Y_{s,i}|L=\ell )+{ϵ}_n\hfill \end{array}$$

(A22)

$$\begin{array}{cc}& =I(K_{\ell };M_{\ell }|L=\ell )+nI(U_{\ell };Y_s|L=\ell )+{ϵ}_n,\hfill \end{array}$$

(A23)

where (A21) holds for ${ϵ}_n=1+Pr\{\widehat{K}\ne K\}log{K}_n$ and follows from Fano’s Inequality and (A22) from $Y^{i-1}-KM{X}^{i-1}-Y_i$ forming a Markov chain. This comes from

$$\begin{array}{cc}\hfill P_{KM{Y}^{i-1}{X}^{i-1}{Y}_i}(k,m,y^{i-1},x^{i-1},y_i)& =\sum _{x_{i+1}^n}\sum _{x_i}{p}_{\ell }(x^{i-1})p_{\ell }(x_i)p_{\ell }(x_{i-1}^n)P_{KM}(k,m|x^n)W_s(y_i,x_i)W_s(y^{i-1}|x^{i-1})\hfill \\ & =P_{X^{i-1}KM{Y}_i}(x^{i-1},k,m,y_i)W_s(y^{i-1}|x^{i-1})\hfill \\ & =p_{\ell }(x^{i-1})Pr(k,m,y_i|x^{i-1})W_s(y^{i-1}|x^{i-1}).\hfill \end{array}$$

We define $U_{\ell ,i}=(K_{\ell }{M}_{\ell }{X}_{\ell }^{i-1})$. The Equality (A23) is obtained using a time-sharing variable T uniformly distributed over $\{1,\cdots ,n\}$ and independent of all other variables. Setting $U=(U_{\ell ,i})$, $X=X_{\ell ,i}$ and $Y=Y_{\ell ,i}$ for $T=i,$ we obtain

$$\begin{array}{cc}\hfill \sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{X}_{\ell }^{i-1};Y_{s,i}|L=\ell )& =\sum _{i=1}^{n}I(U_{\ell ,i};Y_{s,i}|L=\ell )\hfill \\ & =nI(U_{\ell ,T};Y_{s,T}|T,L=\ell )\hfill \\ & =nI((U_{\ell ,T},T);Y_{s,T}|L=\ell )\hfill \\ & =nI(U_{\ell };Y_s|L=\ell ).\hfill \end{array}$$

Dividing by n, we get

$$\begin{array}{cc}\hfill \frac{1}{n}H(K_{\ell })& \le \frac{1}{n}I(K_{\ell };M_{\ell }|L=\ell )+I(U_{\ell };Y_s,L=\ell )+\frac{1}{n}ϵ\hfill \\ & \le I(U_{\ell };Y_s,L=\ell )+{\lambda }_{n,\ell }+\frac{1}{n}+\frac{1+ϵ}{n},\hfill \end{array}$$

where the last inequality holds with ${\lambda }_{n,\ell }\to 0$ for $n\to \infty$ (see [11]).

Assuming the rate pair $(R_{PL},R_K)$ is achievable, we have that $ϵ\le 1+\delta log{K}_n$ and obtain

$$\begin{array}{cc}\hfill R_K-\delta & \le I(U_{\ell };Y_s,L=\ell )+{\lambda }_{n,\ell }+\frac{1}{n}+\frac{1+\delta log{K}_n}{n}.\hfill \end{array}$$

(A24)

We continue with the privacy leakage. For a fixed $s\in {\mathcal{S}}_{\ell }$ we have

$$\begin{array}{cc}\hfill I(X_{\ell }^n;M_{\ell })& =I(X_{\ell }^n;M_{\ell }|L=\ell )\hfill \\ & =H(M_{\ell }|L=\ell )-H(M_{\ell }|X_{\ell }^n,L=\ell )\hfill \\ & \ge H(M_{\ell }|Y_s^n,L=\ell )-H(K_{\ell }{M}_{\ell }|X_{\ell }^n,L=\ell )\hfill \\ & =H(K_{\ell }{M}_{\ell }|Y_s^n,L=\ell )-H(K|M{Y}^n\widehat{K})-H(K_{\ell }{M}_{\ell }|X_{\ell }^n,L=\ell )\hfill \\ & \ge H(K_{\ell }{M}_{\ell }|Y_s^n,L=\ell )-H(K|\widehat{K})-H(K_{\ell }{M}_{\ell }|X_{\ell }^n,L=\ell )\hfill \\ & \ge H(K_{\ell }{M}_{\ell }|Y_s^n,L=\ell )-{ϵ}_n-H(K_{\ell }{M}_{\ell }|X_{\ell }^n,L=\ell )\hfill \\ & =I(K_{\ell }{M}_{\ell };X_{\ell }^n|L=\ell )-I(K_{\ell }{M}_{\ell };Y_s^n|L=\ell ){-ϵ)}_n\hfill \\ & =\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell };X_{\ell ,i}|X_{\ell }^{i-1},L=\ell )-\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell };Y_{s,i}|Y_{\ell }^{i-1},L=\ell )-{ϵ}_n\hfill \\ & =\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{X}_{\ell }^{i-1};X_{\ell ,i},L=\ell )-\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{Y}_s^{i-1};Y_{s,i},L=\ell )-{ϵ}_n\hfill \\ & \ge \sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{X}_{\ell }^{i-1};X_{\ell ,i},L=\ell )-\sum _{i=1}^{n}I(K_{\ell }{M}_{\ell }{X}_{\ell }^{i-1};Y_{s,i},L=\ell )-{ϵ}_n\hfill \\ & =nI(U_{\ell };X_{\ell }|L=\ell )-nI(U_{\ell };Y_s|L=\ell )-{ϵ}_n.\hfill \end{array}$$

Dividing by n, we get

$$\begin{array}{cc}\hfill \frac{1}{n}I(X_{\ell }^n;M_{\ell })& \ge I(U_{\ell };X_{\ell }|L=\ell )-I(U_{\ell };Y_s|L=\ell )+\frac{1}{n}{ϵ}_n.\hfill \end{array}$$

Assuming $(R_{PL},R_K)$ is achievable, we have that $ϵ\le 1+\delta log{K}_n$ and obtain

$$\begin{array}{cc}\hfill R_{PL}+\delta & \ge I(U_{\ell };X_{\ell }|L=\ell )-I(U_{\ell };Y_s|L=\ell )+\frac{1+\delta log{K}_n}{n}.\hfill \end{array}$$

(A25)

We have shown that ${\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY}})\subseteq {\bigcap }_{\ell \in \mathcal{L}}{\mathcal{C}}_{\ell }$. This means that if $(R_{PL},R_K)\in {\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY}})$ holds, then we have that $(R_{PL},R_K)\in {\bigcap }_{\ell \in \mathcal{L}}{\mathcal{C}}_{\ell }$. Equivalently, if $(R_{PL},R_K)\notin {\bigcap }_{\ell \in \mathcal{L}}{\mathcal{C}}_{\ell }$, then $(R_{PL},R_K)\notin {\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY}})$. Assume $(R_{PL}^{*},R_K^{*})\notin {\bigcap }_{\ell \in \mathcal{L}}{\mathcal{C}}_{\ell }$. This implies that there exists a $\ell \in \mathcal{L}$ such that, for all auxiliary channels V, we have that $(R_{PL}^{*},R_K^{*})\notin \mathcal{R}(V,\ell )$, which implies that $(R_{PL}^{*},R_K^{*})\notin {\mathfrak{C}}_G({\mathfrak{Q}}_{\mathcal{XY}})$. This completes the converse and therewith proves the desired result.

It remains to derive the bound on the cardinality of the auxiliary random variables U. Let $\ell \in \mathcal{L}$ be arbitrarily but fixed and U be a random variable fulfilling $P_{UXY,s}(u,x,y)=V(u|x)Q_s(x,y)$ for all $s\in \mathcal{S}(\ell )$. We show that there is a random variable $\overline{U}$ with range $|\overline{\mathcal{U}}|=|\mathcal{X}|+|{\mathcal{S}}_{\ell }|$

$$\begin{array}{cc}\hfill I(\overline{U};Y)& =I(U;Y),\hfill \\ \hfill I(\overline{U};X)-I(\overline{U};Y)& =I(U;X)-I(U;Y),\hfill \end{array}$$

(A26)

for all $s\in {\mathcal{S}}_{\ell }$. We consider the following $|\mathcal{X}|+|{\mathcal{S}}_{\ell }|$ real valued continuous functions on $\mathcal{P}(\mathcal{X})$

$$\begin{array}{cc}\hfill f_x(p)& =p(x),\mathrm{for}\mathrm{all}x\in \mathcal{X}\mathrm{but}\mathrm{one},\hfill \\ \hfill g_s(P)& =H(p{W}_s),\hfill \\ \hfill h(P)& =H(p),\hfill \end{array}$$

for all $s\in {\mathcal{S}}_{\ell }$. We have that ${\Sigma }_{{\mathcal{X}}_{\ell }}(·|u)\in \mathcal{P}(\mathcal{X})$ having $\mu$-measure $p_u$. Then, it holds that

$$\begin{array}{cc}\hfill \sum _u{p}_u(u)f_x({\Sigma }_{{\mathcal{X}}_{\ell }}(·|u))& =p(x),\hfill \\ \hfill \sum _u{p}_u(u)g_s({\Sigma }_{{\mathcal{X}}_{\ell }}(·|u))& =H(Y|U),\hfill \\ \hfill \sum _u{p}_u(u)h({\Sigma }_{{\mathcal{X}}_{\ell }}(·|u))& =H(X|U),\hfill \end{array}$$

for all $s\in {\mathcal{S}}_{\ell }$. According to (Lemma 15.4, [27]), there exists a random variable $\overline{U}$ fulfilling the Markov condition with values in $\overline{\mathcal{U}}=\{1,\cdots ,|\mathcal{X}|+|{\mathcal{S}}_{\ell }|\}$ and (A26) holds (see also Lemma 15.5 in [27]). □

Appendix B.1. Achievability of Theorem 4

The achievability proof of Theorem 4 is very similar to the achievability proof of Theorem 3, where first the index of marginal distribution ℓ over $\mathcal{X}$ is estimated. The difference is that, in this model, we use a generated secret key $K_{\ell ,g}$ in a one-pad system to conceal the uniformly distributed chosen key K over the set $\mathcal{K}$; as in [11], it is additionally sent together with the generated helper message $M_{\ell ,g}$ and the index of the estimated marginal distribution $\widehat{L}$ over the public message, i.e., the helper data is $M^{\prime }=(M_{\ell ,g},K\oplus K_{\ell ,g},\widehat{L})$. The error analysis is similar to the error analysis for Theorem 3 and the key is already uniformly distributed; however, we should take a deeper look into the privacy leakage and the secrecy leakage. We perform the privacy amplification step as in Appendix A to show that the strong secrecy is fulfilled.

Appendix B.1.1. Privacy Leakage

Another condition that has to be fulfilled by an achievable privacy secrecy rate pair is that the information rate provided by the helper data about the sequence $X^n$ is bounded. We show here that this condition is fulfilled.

For every source realization $s\in \mathcal{S}$, we have an $\ell =\ell (s)$ such that $Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell }$. We have

$$\begin{array}{cc}\hfill \frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d,\widehat{L})& \le \frac{log|\mathcal{L}|}{N}+\frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}).\hfill \end{array}$$

(A27)

We analyze the second term of the right-hand side of (A27)

$$\begin{array}{cc}\hfill \frac{1}{N}& I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L})\hfill \\ & \le Pr\{\widehat{L}=\ell \}\frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\ell )+Pr\{\widehat{L}\ne \ell \}\frac{Nlog|\mathcal{X}|}{N}\hfill \\ & \le Pr\{\widehat{L}=\ell \}\times \frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\ell )+{ϵ}_{\delta }(n,i,|\mathcal{X}|)log|\mathcal{X}|.\hfill \end{array}$$

Similar to (A11), we have

$$\begin{array}{c}\frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L})\hfill \\ \le \frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\ell )+{ϵ}_{\delta }(n,i,|\mathcal{X}|)log|\mathcal{X}|.\hfill \end{array}$$

(A28)

In [11], the authors show that, for every $\ell \in \mathcal{L},$ it holds

$$\begin{array}{c}\frac{1}{N}I(X^N;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\ell )\hfill \\ \le \frac{1}{N}I(X^N;M_{\ell ,g}^i,\Theta ,U_d|\widehat{L}=\ell \parallel Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell })+\frac{1}{N}H(K\oplus K_{\ell ,g}|\widehat{L}=\ell \parallel Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell })\hfill \\ -\frac{1}{N}H(K\oplus K_{\ell ,g}|X^n,M_{\ell ,g}^i,\Theta ,U_d,K_{\ell ,g},\widehat{L}=\ell )\hfill \\ \le \frac{1}{N}I(X^N;M_{\ell ,g}^i,\Theta ,U_d|\widehat{L}=\ell \parallel Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell })+\frac{1}{N}log{K}_N-\frac{1}{N}log{K}_N\hfill \\ \le \frac{1}{N}I(X^n;M_{\ell ,g}^i,\Theta ,U_d|\widehat{L}=\ell \parallel Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell })\hfill \\ \le I(U;X|\widehat{L}=\ell \parallel Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell })-I(U;Y\parallel Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell })+\varphi ({\delta }^{″},|\mathcal{U}|,|\mathcal{Y}|)+\psi ({\delta }^{\prime },|\mathcal{U}|,|\mathcal{X}|)\hfill \\ +\frac{d+1}{N},\hfill \end{array}$$

(A29)

which proves the bound on the privacy leakage.

Appendix B.1.2. Secrecy Leakage

For every source realization $s\in \mathcal{S}$, we have an $\ell =\ell (s)$ such that $Q_s\in {\mathfrak{Q}}_{\mathcal{XY},\ell }$. Following similar steps as for the privacy leakage, it can be shown that the secrecy leakage is upper-bounded by

$$\begin{array}{c}\hfill I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d,\widehat{L})=I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}).\end{array}$$

(A30)

We analyze the right-hand side of (A30):

$$\begin{array}{c}I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L})=\sum _{\tilde{\ell }\in \mathcal{L}}Pr\{\widehat{L}=\tilde{\ell }\}I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\tilde{\ell })\hfill \\ =Pr\{\widehat{L}=\ell \}I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\ell )+Pr\{\widehat{L}\ne \ell \}I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}\ne \ell ).\hfill \end{array}$$

For every $\ell \in \mathcal{L},$ it holds

$$\begin{array}{cc}\hfill I(K;M_{\ell ,g}^i,K\oplus K_{\ell ,g},\Theta ,U_d|\widehat{L}=\ell )& \le log|\mathcal{K}|-H(K_{\ell ,g}|\widehat{L}=\ell )+I(K_{\ell ,g};M_{\ell ,g}^i,\Theta ,U_d|\widehat{L}=\ell )\hfill \\ & \le log|\mathcal{K}|-log|\mathcal{K}|+I(K_{\ell ,g};M_{\ell ,g}^i,\Theta ,U_d|\widehat{L}=\ell ).\hfill \end{array}$$

(A31)

The last inequality follows from (A13). Substituting $K_{\ell ,g}$ with K, combining (A31) with (A19) and letting $i,n\to \infty ,$ we obtain the desired result.

Appendix B.2. Converse of Theorem 4

The converse of Theorem 4 can be shown using the same lines of arguments as for the converse of Theorem 3. □