Information Theoretic Security for Shannon Cipher System under Side-Channel Attacks ^†

Abstract

In this paper, we propose a new theoretical security model for Shannon cipher systems under side-channel attacks, where the adversary is not only allowed to collect ciphertexts by eavesdropping the public communication channel but is also allowed to collect the physical information leaked by the devices where the cipher system is implemented on, such as running time, power consumption, electromagnetic radiation, etc. Our model is very robust as it does not depend on the kind of physical information leaked by the devices. We also prove that in the case of one-time pad encryption, we can strengthen the secrecy/security of the cipher system by using an appropriate affine encoder. More precisely, we prove that for any distribution of the secret keys and any measurement device used for collecting the physical information, we can derive an achievable rate region for reliability and security such that if we compress the ciphertext using an affine encoder with a rate within the achievable rate region, then: (1) anyone with a secret key will be able to decrypt and decode the ciphertext correctly, but (2) any adversary who obtains the ciphertext and also the side physical information will not be able to obtain any information about the hidden source as long as the leaked physical information is encoded with a rate within the rate region. We derive our result by adapting the framework of the one helper source coding problem posed and investigated by Ahlswede and Körner (1975) and Wyner (1975). For reliability and security, we obtain our result by combining the result of Csizár (1982) on universal coding for a single source using linear codes and the exponential strong converse theorem of Oohama (2015) for the one helper source coding problem.

1. Introduction

In most of theoretical security models for encryption schemes, the adversary only obtains information from the public communication channel. In such models, an adversary is often treated as an entity that tries to obtain information about the hidden source only from the ciphertexts that are sent through the public communication channel. However, in the real world, the encryption schemes are implemented on physical electronic devices, and it is widely known that any process executed in an electronic circuit will generate a certain kind of correlated physical phenomena as “side” effects, according to the type of process. For example, differences in inputs to a process in an electronic circuit can induce differences in the heat, power consumption, and electromagnetic radiation generated as byproducts by the devices. Therefore, we may consider that an adversary who has a certain degree of physical access to the devices may obtain some information on very sensitive hidden data, such as the keys used for the encryption, just by measuring the generated physical phenomena using appropriate measurement devices. More precisely, an adversary may deduce the value of the bits of the key by measuring the differences in the timing of the process of encryption or the differences in the power consumption, electromagnetic radiation, and other physical phenomena. This information channel where the adversary obtains data in the form of physical phenomena is called the side-channel, and attacks using the side-channel are known as side-channel attacks.

In the literature, there have been many works showing that adversaries have succeeded in breaking the security of cryptographic systems by exploiting side-channel information such as running time, power consumption, and electromagnetic radiation in the real physical world [1,2,3,4,5].

1.1. Our Contributions

1.1.1. Security Model for Side-Channel Attacks

In this paper, we propose a security model where the adversary attempts to obtain information about the hidden source by collecting data from (1) the public communication channel in the form of ciphertexts, and (2) the side-channel in the form of some physical data related to the encryption keys. Our proposed security model is illustrated in Figure 1.

Based on the security model illustrated above, we formulate a security problem of strengthening the security of Shannon cipher system where the encryption is implemented on a physical encryption device and the adversary attempts to obtain some information on the hidden source by collecting ciphertexts and performing side-channel attacks.

We describe our security model in a more formal way as follows. The source X is encrypted using an encryption device with secret key K installed. The result of the encryption, i.e., ciphertext C, is sent through a public communication channel to a data center where C is decrypted back into the source X using the same key K. The adversary $\mathcal{A}$ is allowed to obtain C from the public communication channel and is also equipped with an encoding device ${\phi }_{\mathcal{A}}$ that encodes and processes the noisy large alphabet data Z, i.e., the measurement result of the physical information obtained from the side-channel, into the appropriate binary data $M_{\mathcal{A}}$. It should be noted that in our model, we do not put any limitation on the kind of physical information measured by the adversary. Hence, any theoretical result based on this model automatically applies to any kind of side-channel attack, including timing analysis, power analysis, and electromagnetic (EM) analysis. In addition, the measurement device may just be a simple analog-to-digital converter that converts the analog data representing physical information leaked from the device into “noisy” digital data Z. In our model, we represent the measurement process as a communication channel W.

1.1.2. Main Result

As the main theoretical result, we show that we can strengthen the secrecy/security of the Shannon cipher implemented on a physical device against an adversary who collects the ciphertexts and launches side-channel attacks by a simple method of compressing the ciphertext C from a Shannon cipher using an affine encoder $\phi$ into $\tilde{C}$ before releasing it into the public communication channel.

We prove that in the case of one-time pad encryption, we can strengthen the secrecy/security of the cipher system by using an appropriate affine encoder. More precisely, we prove that for any distribution of the secret key K and any measurement device (used to convert the physical information from a side-channel into the noisy large alphabet data Z), we can derive an achievable rate region for $(R_{\mathcal{A}},R)$ such that if we compress the ciphertext C into $\tilde{C}$ using the affine encoder $\phi$, which has an encoding rate R inside the achievable region, then we can achieve reliability and security in the following sense:

• anyone with secret key K can construct an appropriate decoder that decrypts and encodes $\tilde{C}$ with exponentially decaying error probability, but
• the amount of information gained by any adversary $\mathcal{A}$ who obtains the compressed ciphertext $\tilde{C}$ and encoded physical information $M_{\mathcal{A}}$ is exponentially decaying to zero as long as the encoding device ${\phi }_{\mathcal{A}}$ encodes the side physical information into $M_{\mathcal{A}}$ with a rate $R_{\mathcal{A}}$ within the achievable rate region.

By utilizing the homomorphic property of one-time-pad and affine encoding, we are able to separate the theoretical analysis of reliability and security such that we can deal with each issue independently. For reliability, we mainly obtain our result by using the result of Csizár [6] on the universal coding for a single source using linear codes. For the security analysis, we derive our result by adapting the framework of the one helper source coding problem posed and investigated by Ahlswede, Körner [7] and Wyner [8]. Specifically, in order to derive the secrecy exponent, we utilize the exponential strong converse theorem of Oohama [9] for the one helper source coding problem. In [10], Watanabe and Oohama deal with a similar source coding problem, but their result is insufficient for deriving the lower bound of the secrecy exponent. We will explain the relation between our method and previous related works in more detail in Section 4.

1.2. Comparison to Existing Models of Side-Channel Attacks

The most important feature of our model is that we do not make any assumption about the type or characteristics of the physical information that is measured by the adversary. Several theoretical models analyzing the security of a cryptographic system against side-channel attacks have been proposed in the literature. However, most of the existing works are applicable only for specific characteristics of the leaked physical information. For example, Brier et al. [1] and Coron et al. [11] propose a statistical model for side-channel attacks using the information from power consumption and the running time, whereas Agrawal et al. [5] propose a statistical model for side-channel attacks using electromagnetic (EM) radiations. A more general model for side-channel attacks is proposed by Köpf et al. [12] and Backes et al. [13], but they are heavily dependent upon implementation on certain specific devices. Micali et al. [14] propose a very general security model to capture the side-channel attacks, but they fail to offer any hint of how to build a concrete countermeasure against the side-channel attacks. The closest existing model to ours is the general framework for analyzing side-channel attacks proposed by Standaert et al. [15]. The authors of [15] propose a countermeasure against side-channel attacks that is different from ours, i.e., noise insertion on implementation. It should be noted that the noise insertion countermeasure proposed by [15] is dependent on the characteristics of the leaked physical information. On the other hand, our countermeasure, i.e., compression using an affine encoder, is independent of the characteristics of the leaked physical information.

1.3. Comparison to Encoding before Encryption

In this paper, our proposed solution is to perform additional encoding in the form of compression after the encryption process. Our aim is that by compressing the ciphertext, we compress the key “indirectly” and increase the “flatness” of the key used in the compressed ciphertext ($\tilde{C}$) such that the adversary will not get much additional information from eavesdropping on the compressed ciphertext ($\tilde{C}$). Instead of performing the encoding after encryption, one may consider performing the encoding before encryption, i.e., encoding the source and the key “directly” before performing the encryption. However, since we need to apply two separate encodings on the source and the key, we can expect that the implementation cost is more expensive than our proposed solution, i.e., approximately double the cost of applying our proposed solution. Moreover, it is not completely clear whether our security analysis still applies for this case. For example, if the adversary performs the side-channel attacks on the key after it is encoded (before encryption), we need a complete remodeling of the security problem.

1.4. Organization of this Paper

This paper is structured as follows. In Section 2, we show the basic notations and definitions that we use throughout this paper, and we also describe the formal formulations of our model and the security problem. In Section 3, we explain the idea and the formulation of our proposed solution. In Section 4, we explain the relation between our formulation and previous related works. Based on this, we explain the theoretical challenge which we have to overcome to prove that our proposed solution is sound. In Section 5, we state our main theorem on the reliability and security of our solution. In Section 6, we show the proof of our main theorem. We put the proofs of other related propositions, lemmas, and theorems in the appendix.

2. Problem Formulation

In this section, we will introduce the general notations used throughout this paper and provide a description of the basic problem we are focusing on, i.e., side-channel attacks on Shannon cipher systems. We also explain the basic framework of the solution that we consider to solve the problem. Finally, we state the formulation of the reliability and security problem that we consider and aim to solve in this paper.

2.1. Preliminaries

In this subsection, we show the basic notations and related consensus used in this paper.

Random Source of Information and Key: Let X be a random variable from a finite set $\mathcal{X}$. Let ${\left\{X_t\right\}}_{t=1}^{\infty }$ be a stationary discrete memoryless source (DMS) such that for each $t=1,2,\dots$, $X_t$ takes values in the finite set $\mathcal{X}$ and obeys the same distribution as that of X denoted by $p_X={\left\{p_X(x)\right\}}_{x\in \mathcal{X}}$. The stationary DMS ${\left\{X_t\right\}}_{t=1}^{\infty }$ is specified with $p_X$. In addition, let K be a random variable taken from the same finite set $\mathcal{X}$ and representing the key used for encryption. Similarly, let ${\left\{K_t\right\}}_{t=1}^{\infty }$ be a stationary discrete memoryless source such that for each $t=1,2,\dots$, $K_t$ takes values in the finite set $\mathcal{X}$ and obeys the same distribution as that of K denoted by $p_K={\left\{p_K(k)\right\}}_{k\in \mathcal{X}}$. The stationary DMS ${\left\{K_t\right\}}_{t=1}^{\infty }$ is specified with $p_K$. In this paper, we assume that $p_K$ is the uniform distribution over $\mathcal{X}$.

Random Variables and Sequences: We write the sequence of random variables with length n from the information source as follows: $X^n:=X_1{X}_2\cdots X_n$. Similarly, strings with length n of ${\mathcal{X}}^n$ are written as $x^n:=x_1{x}_2\cdots x_n\in {\mathcal{X}}^n$. For $x^n\in {\mathcal{X}}^n$, $p_{X^n}(x^n)$ stands for the probability of the occurrence of $x^n$. When the information source is memoryless, specified with $p_X$, the following equation holds:

$$p_{X^n}(x^n)=\prod _{t=1}^n{p}_X(x_t).$$

In this case, we write $p_{X^n}(x^n)$ as $p_X^n(x^n)$. Similar notations are used for other random variables and sequences.

Consensus and Notations: Without loss of generality, throughout this paper, we assume that $\mathcal{X}$ is a finite field. The notation ⊕ is used to denote the field addition operation, while the notation ⊖ is used to denote the field subtraction operation, i.e., $a\ominus b=a\oplus (-b)$, for any elements $a,b\in \mathcal{X}$. Throughout this paper, all logarithms are taken to the natural basis.

2.2. Basic System Description

In this subsection, we explain the basic system setting and the basic adversarial model we consider in this paper. First, let the information source and the key be generated independently by different parties ${\mathcal{S}}_{\mathsf{gen}}$ and ${\mathcal{K}}_{\mathsf{gen}}$, respectively. In our setting, we assume the following:

• The random key $K^n$ is generated by ${\mathcal{K}}_{\mathsf{gen}}$ from a uniform distribution.
• The source is generated by ${\mathcal{S}}_{\mathsf{gen}}$ and is independent of the key.

Next, let the random source $X^n$ from ${\mathcal{S}}_{\mathsf{gen}}$ be sent to the node $\mathsf{L}$, and let the random key $K^n$ from ${\mathcal{K}}_{\mathsf{gen}}$ also be sent to $\mathsf{L}$. Further settings of our system are described as follows and are also shown in Figure 2.

• Source Processing: At the node $\mathsf{L}$, $X^n$ is encrypted with the key $K^n$ using the encryption function $\mathsf{Enc}$. The ciphertext $C^n$ of $X^n$ is given by

  $$C^n:=\mathsf{Enc}(X^n)=X^n\oplus K^n.$$
• Transmission: Next, the ciphertext $C^n$ is sent to the information processing center $\mathsf{D}$ through a public communication channel. Meanwhile, the key $K^n$ is sent to $\mathsf{D}$ through a private communication channel.
• Sink Node Processing: In $\mathsf{D}$, we decrypt the ciphertext $C^n$ using the key $K^n$ through the corresponding decryption procedure $\mathsf{Dec}$ defined by $\mathsf{Dec}(C^n)=C^n\ominus K^n$. It is obvious that we can correctly reproduce the source output $X^n$ from $C^n$ and $K^n$ with the decryption function $\mathsf{Dec}$.

Side-Channel Attacks by Eavesdropper Adversary: An (eavesdropper) adversary $\mathcal{A}$ eavesdrops on the public communication channel in the system. The adversary $\mathcal{A}$ also uses side information obtained by side-channel attacks. In this paper, we introduce a new theoretical model of side-channel attacks that is described as follows. Let $\mathcal{Z}$ be a finite set and let $W:\mathcal{X}\to \mathcal{Z}$ be a noisy channel. Let Z be a channel output from W for the random input variable K. We consider the discrete memoryless channel specified with W. Let $Z^n\in {\mathcal{Z}}^n$ be a random variable obtained as the channel output by connecting $K^n\in {\mathcal{X}}^n$ to the input channel. We write a conditional distribution on $Z^n$ given $K^n$ as

$$W^n={\left\{W^n(z^n|k^n)\right\}}_{(k^n,z^n)\in {\mathcal{K}}^n\times {\mathcal{Z}}^n}.$$

Since the channel is memoryless, we have

$$W^n(z^n|k^n)=\prod _{t=1}^{n}W(z_t|k_t).$$

(1)

On the above output $Z^n$ of $W^n$ for the input $K^n$, we assume the following:

• The three random variables X, K, and Z satisfy $X\perp (K,Z)$, which implies that $X^n\perp (K^n,Z^n)$.
• W is given in the system and the adversary $\mathcal{A}$ cannot control W.
• Through side-channel attacks, the adversary $\mathcal{A}$ can access $Z^n$.

We next formulate the side information the adversary $\mathcal{A}$ obtains by side-channel attacks. For each $n=1,2,\cdots$, let ${\phi }_{\mathcal{A}}^{(n)}:{\mathcal{Z}}^n\to {\mathcal{M}}_{\mathcal{A}}^{(n)}$ be an encoder function. Set ${\phi }_{\mathcal{A}}:={\left\{{\phi }_{\mathcal{A}}^{(n)}\right\}}_{n=1,2,\cdots }.$ Let

$$R_{\mathcal{A}}^{(n)}:=\frac{1}{n}log\left|\right|{\phi }_{\mathcal{A}}\left|\right|=\frac{1}{n}log\left|{\mathcal{M}}_{\mathcal{A}}^{(n)}\right|$$

be a rate of the encoder function ${\phi }_{\mathcal{A}}^{(n)}$. For $R_{\mathcal{A}}>0$, we set

$${\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}}):=\{{\phi }_{\mathcal{A}}^{(n)}:R_{\mathcal{A}}^{(n)}\le R_{\mathcal{A}}\}.$$

For the encoded side information the adversary $\mathcal{A}$ obtains, we assume the following.

• The adversary $\mathcal{A}$, having accessed $Z^n$, obtains the encoded additional information ${\phi }_{\mathcal{A}}^{(n)}(Z^n)$. For each $n=1,2,\cdots$, the adversary $\mathcal{A}$ can design ${\phi }_{\mathcal{A}}^{(n)}$.
• The sequence ${\left\{R_{\mathcal{A}}^{(n)}\right\}}_{n=1}^{\infty }$ must be upper-bounded by a prescribed value. In other words, the adversary $\mathcal{A}$ must use ${\phi }_{\mathcal{A}}^{(n)}$ such that for some $R_{\mathcal{A}}$ and for any sufficiently large n, ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$.

On the Scope of Our Theoretical Model: When the $\left|\mathcal{Z}\right|$ is not so large, the adversary $\mathcal{A}$ may directly access $Z^n$. In contrast, in a real situation of side-channel attacks, often the noisy version $Z^n$ of $K^n$ can be regarded as very close to an analog random signal. In this case, $\left|\mathcal{Z}\right|$ is sufficiently large and the adversary $\mathcal{A}$ cannot obtain $Z^n$ in a lossless form. Our theoretical model can address such situations of side-channel attacks.

2.3. Solution Framework

As the basic solution framework, we consider applying a post-encryption-compression coding system. The application of this system is illustrated in Figure 3.

• Encoding at Source node$\mathsf{L}$: We first use ${\phi }^{(n)}$ to encode the ciphertext $C^n=X^n\oplus K^n$. The formal definition of ${\phi }^{(n)}$ is ${\phi }_i^{(n)}:$${\mathcal{X}}^n\to$${\mathcal{X}}^m$. Let ${\tilde{C}}^m={\phi }^{(n)}(C^n)$. Instead of sending $C^n$, we send ${\tilde{C}}^m$ to the public communication channel.
• Decoding at Sink Nodes$\mathsf{D}$: $\mathsf{D}$ receives ${\tilde{C}}^m$ from the public communication channel. Using the common key $K^n$ and the decoder function ${\mathsf{\Psi }}^{(n)}:{\mathcal{X}}^m\times {\mathcal{X}}^n\to {\mathcal{X}}^n$, $\mathsf{D}$ outputs an estimation ${\widehat{X}}^n={\mathsf{\Psi }}^{(n)}({\tilde{C}}^m,K^n)$ of $X^n$.

On Reliability and Security: From the description of our system in the previous section, the decoding process in our system above is successful if ${\widehat{X}}^n=X^n$ holds. Combining this and (6), it is clear that the decoding error probabilities $p_{\mathrm{e}}$ are as follows:

$$\begin{array}{cc}\hfill p_{\mathrm{e}}=& p_{\mathrm{e}}({\phi }^{(n)},{\mathsf{\Psi }}^{(n)}|p_X^n):=Pr[{\mathsf{\Psi }}^{(n)}({\phi }^{(n)}(X^n))\ne X^n].\hfill \end{array}$$

Set $M_{\mathcal{A}}^{(n)}={\phi }_{\mathcal{A}}^{(n)}(Z^n)$. The information leakage ${\Delta }^{(n)}$ on $X^n$ from $({\tilde{C}}^m,M_{\mathcal{A}}^{(n)})$ is measured by the mutual information between $X^n$ and $({\tilde{C}}^m,$$M_{\mathcal{A}}^{(n)})$. This quantity is formally defined by

$$\begin{array}{c}{\Delta }^{(n)}={\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n):=I(X^n;{\tilde{C}}^m,M_{\mathcal{A}}^{(n)}).\hfill \end{array}$$

Reliable and Secure Framework:

Definition 1.

A quantity R is achievable under$R_{\mathcal{A}}$$>0$for the system$\mathsf{Sys}$if there exists a sequence$\{({\phi }^{(n)},$${\mathsf{\Psi }}^{(n)}{)\}}_{n\ge 1}$such that$\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n\ge n_0$, we have

$$\begin{array}{c}\frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R,p_{\mathrm{e}}({\phi }^{(n)},{\mathsf{\Psi }}^{(n)}|p_X^n)\le ϵ,\hfill \end{array}$$

and for any eavesdropper$\mathcal{A}$with${\phi }_{\mathcal{A}}$satisfying${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$,

$$\begin{array}{c}\hfill {\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le ϵ.\end{array}$$

Definition 2.

[Reliable and Secure Rate Region] Let${\mathcal{R}}_{\mathsf{Sys}}(p_X,$$p_K,W)$denote the set of all$(R_{\mathcal{A}},R)$such that R is achievable under$R_{\mathcal{A}}$. We call${\mathcal{R}}_{\mathsf{Sys}}(p_X,p_K,$$W)$the reliable and secure rate region.

Definition 3.

A triple$(R,E,F)$is achievable under$R_{\mathcal{A}}>0$for the system$\mathsf{Sys}$if there exists a sequence$\{({\phi }^{(n)},$${\psi }^{(n)}{)\}}_{n\ge 1}$such that$\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n$$\ge n_0$, we have

$$\begin{array}{c}\frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R,p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le {\mathrm{e}}^{-n(E-ϵ)},\hfill \end{array}$$

and for any eavesdropper$\mathcal{A}$with${\phi }_{\mathcal{A}}$satisfying${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{c}\hfill {\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le {\mathrm{e}}^{-n(F-ϵ)}.\end{array}$$

Definition 4 (Rate, Reliability, and Security Region).

Let${\mathcal{D}}_{\mathsf{Sys}}(p_X,$$p_K,W)$denote the set of all$(R_{\mathcal{A}},R,E,F)$such that$(R,E,F)$is achievable under$R_{\mathcal{A}}$. We call${\mathcal{D}}_{\mathsf{Sys}}(p_X,$$p_K,W)$the rate, reliability and security region.

Our aim in this paper is to find the explicit inner bounds of ${\mathcal{R}}_{\mathsf{Sys}}(p_X,$ $p_K,W)$ and ${\mathcal{D}}_{\mathsf{Sys}}(p_X,$ $p_K,W)$.

3. Proposed Idea: Affine Encoder as a Privacy Amplifier

In order to instantiate the basic solution framework mentioned in previous section, we propose the use of an affine encoder as the compression function ${\phi }^{(n)}$. We show in this section that we can easily construct an affine encoder that is suitable for our solution framework based on a linear encoder. The instantiation of the solution framework with an affine encoder is illustrated in Figure 4.

Construction of the Affine Encoder: For each $n=1,2,\cdots$, let ${\varphi }^{(n)}:{\mathcal{X}}^n\to {\mathcal{X}}^m$ be a linear mapping. We define the mapping ${\varphi }^{(n)}$ by

$${\varphi }^{(n)}(x^n)=x^{n}A\mathrm{for}{x}^n\in {\mathcal{X}}^n,$$

(2)

where A is a matrix with n rows and m columns. Entries of A are from $\mathcal{X}$. We fix $b^m\in {\mathcal{X}}^m$. Define the mapping ${\phi }^{(n)}:{\mathcal{X}}^n\to {\mathcal{X}}^m$ by

$$\begin{array}{cc}\hfill {\phi }^{(n)}(k^n):=& {\varphi }^{(n)}(k^n)\oplus b^m=k^{n}A\oplus b^m,\mathrm{for}{k}^n\in {\mathcal{X}}^n.\hfill \end{array}$$

(3)

The mapping ${\phi }^{(n)}$ is called the affine mapping induced by the linear mapping ${\varphi }^{(n)}$ and constant vector $b^m$$\in {\mathcal{X}}^m$. By the definition of ${\phi }^{(n)}$ shown in (3), the following affine structure holds:

$$\begin{array}{c}{\phi }^{(n)}(x^n\oplus k^n)=(x^n\oplus k^n)A\oplus b^m=x^{n}A\oplus (k^{n}A\oplus b^m)={\varphi }^{(n)}(x^n)\oplus {\phi }^{(n)}(k^n),\mathrm{for}{x}^n,k^n\in {\mathcal{X}}^n.\hfill \end{array}$$

(4)

Next, let ${\psi }^{(n)}$ be the corresponding decoder for ${\varphi }^{(n)}$ such that ${\psi }^{(n)}:{\mathcal{X}}^m\to {\mathcal{X}}^n.$ Note that ${\psi }^{(n)}$ does not have a linear structure in general.

Description of Proposed Procedure: We describe the procedure of our privacy amplified system as follows.

• Encoding of Ciphertext: First, we use ${\phi }^{(n)}$ to encode the ciphertext $C^n=X^n\oplus K^n$. Let ${\tilde{C}}^m={\phi }^{(n)}(C^n)$. Then, instead of sending $C^n$, we send ${\tilde{C}}^m$ to the public communication channel. By the affine structure of the encoder ${\phi }^{(n)}$ (shown in (4)) we have

  $$\begin{array}{c}{\tilde{C}}^m={\phi }^{(n)}(X^n\oplus K^n)={\varphi }^{(n)}(X^n)\oplus {\phi }^{(n)}(K^n)={\tilde{X}}^m\oplus {\tilde{K}}^m,\hfill \end{array}$$

  (5)

  where we set ${\tilde{X}}^m:={\varphi }^{(n)}(X^n),{\tilde{K}}^m:={\phi }^{(n)}(K^n).$
• Decoding at Sink Node$\mathsf{D}$: First, using the linear encoder ${\phi }^{(n)}$, $\mathsf{D}$ encodes the key $K^n$ received through a private channel into ${\tilde{K}}^m=$$({\phi }^{(n)}(K^n)$. Receiving ${\tilde{C}}^m$ from the public communication channel, $\mathsf{D}$ computes ${\tilde{X}}^m$ in the following way. From (5), we have that the decoder $\mathsf{D}$ can obtain ${\tilde{X}}^m$ $={\varphi }^{(n)}(X^n)$ by subtracting ${\tilde{K}}^m={\phi }^{(n)}(K^n)$ from ${\tilde{C}}^m$. Finally, $\mathsf{D}$ outputs ${\widehat{X}}^n$ by applying the decoder ${\psi }^{(n)}$ to ${\tilde{X}}^m$ as follows:

  $$\begin{array}{cc}\hfill {\widehat{X}}^n& ={\psi }^{(n)}({\tilde{X}}^m)={\psi }^{(n)}({\varphi }^{(n)}(X^n)).\hfill \end{array}$$

  (6)

Our concrete privacy-amplified system described above is illustrated in Figure 4.

Splitting of Reliability and Security

By the affine structure of the encoder function ${\phi }^{(n)}$, the proposed privacy amplified system can be split into two coding problems. One is a source coding problem using a linear encoder ${\varphi }^{(n)}$. We hereafter call this Problem 0. The other is a privacy amplification problem using the affine encoder ${\phi }^{(n)}$. We call this Problem 1. These two problems are shown in Figure 5.

On Reliability (Problem 0): From the description of our system in the previous section, the decoding process in our system above is successful if ${\widehat{X}}^n=X^n$ holds. Combining this and (6), it is clear that the decoding error probability $p_{\mathrm{e}}$ is as follows:

$$\begin{array}{cc}\hfill p_{\mathrm{e}}=& p_{\mathrm{e}}({\phi }^{(n)},{\psi }^{(n)}|p_X^n)=Pr[{\psi }^{(n)}({\varphi }^{(n)}(X^n))\ne X^n].\hfill \end{array}$$

In Problem 0, we discuss the minimum rate R such that $\exists \{({\varphi }^{(n)},$${\psi }^{(n)}{)\}}_{n\ge 1}$ such that $\forall ϵ>0$, $\exists n_0=n_0(ϵ)\in {\mathbb{N}}_0$, $\forall n\ge n_0$, we have

$$\begin{array}{c}\frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R+\epsilon ,p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le ϵ.\hfill \end{array}$$

It is well known that this minimum is equal to $H(X)$ when ${\left\{{\varphi }^{(n)}\right\}}_{n\ge }$ is a sequence of general (nonlinear) encoders. Csiszár [6] proved the existence of a sequence of linear encoders and nonlinear decoders $\{({\varphi }^{(n)},$${\psi }^{(n)}{)\}}_{n\ge 1}$ such that for any $p_X$ satisfying $R>H(X)$, the error probability $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$ decays exponentially as $n\to \infty$. His result is stated in the next section.

On Security (Problem 1): We assume that the adversary $\mathcal{A}$ knows $(A,b^n)$ defining the affine encoder ${\phi }^{(n)}$. When ${\phi }^{(n)}$ has the affine structure shown in (4), the information leakage ${\Delta }^{(n)}$ measured by the mutual information between $X^n$ and $({\tilde{C}}^m,$ $M_{\mathcal{A}}^{(n)})$ has the following form:

$$\begin{array}{c}{\Delta }^{(n)}={\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)=I(X^n;{\tilde{C}}^m,M_{\mathcal{A}}^{(n)})=I(X^n;{\phi }^{(n)}(X^n\oplus K^n),M_{\mathcal{A}}^{(n)}),\hfill \\ \stackrel{(\mathrm{a})}{=}I(X^n;{\phi }^{(n)}(X^n)\oplus {\varphi }^{(n)}(K^n),M_{\mathcal{A}}^{(n)})=I(X^n;{\tilde{X}}^m\oplus {\tilde{K}}^m|M_{\mathcal{A}}^{(n)}).\hfill \end{array}$$

(7)

Step (a) follows from $X_1^n\perp M_{\mathcal{A}}^{(n)}$. Using (7), we upper bound ${\Delta }^{(n)}=I(X^n;{\tilde{C}}^m,M_{\mathcal{A}}^{(n)})$ to obtain the following lemma.

Lemma 1.

$$\begin{array}{c}{\Delta }^{(n)}=I(X^n;{\tilde{C}}^m,M_{\mathcal{A}}^{(n)})\le \left.\left.\left.D\left(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}\right|\right|p_{V^m}\right|p_{M_{\mathcal{A}}^{(n)}}\right),\hfill \end{array}$$

(8)

where$p_{V^m}$represents the uniform distribution over${\mathcal{X}}^m$.

Proof. 

We have the following chain of inequalities:

$$\begin{array}{c}{\Delta }^{(n)}=I(X^n;{\tilde{C}}^m,M_{\mathcal{A}}^{(n)})\stackrel{(\mathrm{a})}{=}I(X_1^n;{\tilde{X}}^m+{\tilde{K}}^m|M_{\mathcal{A}}^{(n)})\le log\left|{\mathcal{X}}^m\right|-H({\tilde{X}}^m+{\tilde{K}}^m|X^n,M_{\mathcal{A}}^{(n)})\hfill \\ \stackrel{(\mathrm{b})}{=}log|{\mathcal{X}}^m|-H({\tilde{K}}^m|X^n,M_{\mathcal{A}}^{(n)})\stackrel{(\mathrm{c})}{=}log\left|{\mathcal{X}}^m\right|-H({\tilde{K}}^m|M_{\mathcal{A}}^{(n)})=\left.\left.\left.D\left(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}\right|\right|p_{V^m}\right|p_{M_{\mathcal{A}}^{(n)}}\right).\hfill \end{array}$$

Step (a) follows from (7). Step (b) follows from ${\tilde{X}}^m={\varphi }^{(n)}(X^n)$. Step (c) follows from $({\tilde{K}}^m,M_{\mathcal{A}}^{(n)})\perp X_1^n$. □

We set

$${\xi }_D^{(n)}={\xi }_D^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n):={\displaystyle \underset{{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}^{(n)}(R_{\mathcal{A}})}{max}}\left.\left.\left.D\left(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}\right|\right|p_{V^m}\right|p_{M_{\mathcal{A}}^{(n)}}\right).$$

Then we have the following lemma.

Lemma 2.

For any affine encoder${\phi }^{(n)}:{\mathcal{X}}^n\to {\mathcal{X}}^m$, we have

$${\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le {\xi }_D^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n).$$

The quantity ${\xi }_D^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n)$ will play an important role in deriving an explicit upper bound of ${\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n).$ In Problem 1, we consider the privacy amplification problem using the quantity ${\xi }_D^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n)$ as a security criterion. In this problem, we study an explicit characterization of the region denoted by ${\mathcal{R}}_{\mathrm{P}1}(p_K,W)$, which consists of all pairs $(R,R_{\mathcal{A}})$ such that $\exists {\left\{{\phi }^{(n)}\right\}}_{n\ge 1}$ such that $\forall \epsilon >0,\exists n_0=n_0(\epsilon )\in {\mathbb{N}}_0,\forall n\ge n_0,$

$$\frac{1}{n}log\left|\right|{\phi }^{(n)}\left|\right|=\frac{m}{n}log\left|\mathcal{X}\right|\ge R-\epsilon and{\xi }_D^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n)\le \epsilon .$$

In the next section, we discuss two previous works related to Problem 1.

4. Previous Related Works

In this section, we introduce approaches from previous existing work related to Problem 0 (reliability) and Problem 1 (security). Our goal is that by showing these previous approaches, it will be easier to understand our approach to analyzing reliability and security. In particular, for Problem 1 (security), we explain approaches used in similar problems in previous works and highlight their differences from Problem 1.

We first state a previous result related to Problem 0. Let ${\phi }^{(n)}$ be an affine encoder and ${\varphi }^{(n)}$ be a linear encoder induced by ${\phi }^{(n)}$. We define a function related to an exponential upper bound of $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$. Let $\overline{X}$ be an arbitrary random variable over $\mathcal{X}$ that has a probability distribution $p_{\overline{X}}$. Let $\mathcal{P}(\mathcal{X})$ denote the set of all probability distributions on $\mathcal{X}$. For $R\ge 0$ and $p_X\in$$\mathcal{P}(\mathcal{X})$, we define the following function:

$$\begin{array}{cc}\hfill E(R|p_X)& :={\displaystyle \underset{p_{\overline{X}}\in \mathcal{P}(\mathcal{X})}{min}}\{{[R-H(\overline{X})]}^{+}+D(p_{\overline{X}}\left|\right|p_X)\}.\hfill \end{array}$$

By simple computation, we can prove that $E(R|p_X)$ takes positive values if and only if $R>H(X)$. We have the following result.

Theorem 1. 

(Csiszár [6]). There exists a sequence $\{{({\varphi }^{(n)},{\psi }^{(n)}\}}_{n\ge 1}$ such that for any $p_X$, we have

$$\begin{array}{c}\frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R,p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le {\mathrm{e}}^{-n[E(R|p_X)-{\delta }_n]},\hfill \end{array}$$

(9)

where ${\delta }_n$ is defined by

$$\begin{array}{c}{\delta }_n:=\frac{1}{n}log\left[\mathrm{e}{(n+1)}^{3\left|\mathcal{X}\right|}\right].\hfill \end{array}$$

Note that ${\delta }_n\to 0$ as $n\to \infty$.

It follows from Theorem 1 that if $R>H(X)$, then the error probability of decoding $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$ decays exponentially, and its exponent is lower bounded by the quantity $E(R|p_X)$. Furthermore, the code ${\left\{({\varphi }^{(n)},{\psi }^{(n)})\right\}}_{n\ge 1}$ is a universal code that depends only on the rate R and not on the value of $p_X\in \mathcal{P}(\mathcal{X})$.

We next state two coding problems related to Problem 1. One is a problem on the privacy amplification for the bounded storage eavesdropper posed and investigated by Watanabe and Oohama [10]. The other is the one helper source coding problem posed and investigated by Ashlswede and Körner [7] and Wyner [16]. We hereafter call the former and latter problems, respectively, Problem 2 and Problem 3. Problems 1–3 are shown in Figure 6. As we can see from this figure, these three problems are based on the same communication scheme. The classes of encoder functions and the security criteria on $\mathcal{A}$ are different between these three problems. In Problem 1, the sequence of encoding functions ${\left\{{\phi }^{(n)}\right\}}_{n\ge 1}$ is restricted to the class of affine encoders to satisfy the homomorphic property. On the other hand, in Problems 2 and 3, we have no such restriction on the class of encoder functions. In descriptions of Problems 2 and 3, we state the difference in security criteria between Problems 1, 2, and 3. A comparison of three problems in terms of ${\left\{{\phi }^{(n)}\right\}}_{n\ge 1}$ and security criteria is summarized in

Table 1. Differences between Problems 1, 2, and 3 in terms of ${\left\{{\phi }^{(n)}\right\}}_{n\ge 1}$ and security criteria.

	Problem 1	Problem 2	Problem 3
${\phi }^{(n)}$	affine encoders	general	general
Security Criteria	$D(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}||p_{V^m}|p_{M_{\mathcal{A}}^{(n)}})$	$d(p_{V^m}\times p_{M_{\mathcal{A}}^{(n)}},p_{{\tilde{K}}^m{M}_{\mathcal{A}}^{(n)}})$	$p_{\mathrm{c},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)$

.

In Problem 2, Alice and Bob share a random variable $K^n$ of block length n, and an eavesdropper adversary $\mathcal{A}$ has a random variable $Z^n$ that is correlated to $K^n$. In such a situation, Alice and Bob try to distill a secret key as long as possible. In [10], they considered a situation such that the adversary’s random variable $Z^n$ is stored in a storage that is obtained as a function value of $Z^n$, and the rate of the storage size is bounded. This situation makes sense when the alphabet size of the adversary’s observation $Z^n$ is too huge to be stored directly in a storage. In such a situation, Watanabe and Oohama [10] obtained an explicit characterization of the region ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)$ indicating the trade-off between the key rate $R=(m/n)log\left|\mathcal{X}\right|$ and the rate $R_{\mathcal{A}}=(1/n)log|{\mathcal{M}}_{\mathcal{A}}^{(n)}$ of the storage size. In Problem 2, the variational distance $d(p_{V^m}\times p_{M_{\mathcal{A}}^{(n)}},p_{{\tilde{K}}^m{M}_{\mathcal{A}}^{(n)}})$ between $p_{V^m}\times p_{M_{\mathcal{A}}^{(n)}}$ and $p_{{\tilde{K}}^m{M}_{\mathcal{A}}^{(n)}})$ is used as a security criterion instead of $D(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}||p_{V^m}|p_{M_{\mathcal{A}}^{(n)}})$ in Problem 1. Define

$${\xi }_d^{(n)}={\xi }_d^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n):={\displaystyle \underset{{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}^{(n)}(R_{\mathcal{A}})}{max}}d(p_{V^m}\times p_{M_{\mathcal{A}}^{(n)}},p_{{\tilde{K}}^m{M}_{\mathcal{A}}^{(n)}}).$$

Then the formal definition of the region ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)$ is given by the following:

$$\begin{array}{cc}{\mathcal{R}}_{\mathrm{WO}}(p_K,W):=\hfill & \{(R_{\mathcal{A}},R):\exists {\left\{{\phi }^{(n)}\right\}}_{n\ge 1}\mathrm{such}\mathrm{that}\forall \epsilon >0,\exists n_0=n_0(\epsilon )\in {\mathbb{N}}_0,\forall n\ge n_0,\hfill \\ & (m/n)log\left|\mathcal{X}\right|\ge R-\epsilon \mathrm{and}{\xi }_d^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n)\le \epsilon \}.\hfill \end{array}$$

In Problem 3, the adversary outputs an estimation ${\widehat{K}}^n$ of $K^n$ from ${\tilde{K}}^m={\phi }^{(n)}(K^n)$ and $M_{\mathcal{A}}^{(n)}={\phi }_{\mathcal{A}}^{(n)}(Z^n)$. Let ${\psi }_{\mathcal{A}}^{(n)}:{\mathcal{M}}^{(n)}\times {\mathcal{X}}^m$ be a decoder function of the adversary. Then ${\widehat{K}}^n$ is given by ${\widehat{K}}^n={\psi }_{\mathcal{A}}^{(n)}({\phi }_{\mathcal{A}}^{(n)}(Z^n),{\tilde{K}}^m={\phi }^{(n)}(K^n).$ Let

$$p_{\mathrm{e},\mathcal{A}}^{(n)}=p_{\mathrm{e},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right):=\mathrm{Pr}\left\{K^n\ne {\psi }_{\mathcal{A}}^{(n)}({\phi }_{\mathcal{A}}^{(n)}(Z^n),{\phi }^{(n)}(K^n))\right\}$$

be the error probability of decoding for Problem 3. The quantity $M_{\mathcal{A}}^{(n)}$ serves as a helper for the decoding of $K^n$ from ${\tilde{K}}^m$. In Problem 3, Ahlswede and Körner [7] and Wyner [16] investigated an explicit characterization of the rate region ${\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$ indicating the trade-off between $R_{\mathcal{A}}$ and R under the condition that $p_{\mathrm{e},\mathcal{A}}^{(n)}=\mathrm{Pr}\{K^n\ne {\widehat{K}}_n\}$ vanishes asymptotically. The region ${\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$ is formally defined by

$$\begin{array}{cc}{\mathcal{R}}_{\mathrm{AKW}}(p_K,W):=\hfill & \{(R_{\mathcal{A}},R):\exists \{{({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}\}}_{n\ge 1}\mathrm{such}\mathrm{that}\hfill \\ & \forall \epsilon >0,\exists n_0=n_0(\epsilon )\in {\mathbb{N}}_0,\forall n\ge n_0,\hfill \\ & (m/n)log\left|\mathcal{X}\right|\le R+\epsilon ,{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}(R+\epsilon ),\hfill \\ & \mathrm{and}{p}_{\mathrm{e},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)\le \epsilon \}.\hfill \end{array}$$

The region ${\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$ was determined by Ashlswede and Körner [7] and Wyner [16]. To state their result, we define several quantities. Let U be an auxiliary random variable taking values in a finite set $\mathcal{U}$. We assume that the joint distribution of $(U,Z,K)$ is

$$p_{UZK}(u,z,k)=p_U(u)p_{Z|U}(z|u)p_{K|Z}(k|z).$$

The above condition is equivalent to $U\leftrightarrow Z\leftrightarrow K$. Define the set of probability distribution $p=p_{UZK}$ by

$$\begin{array}{c}\mathcal{P}(p_K,W):=\{p_{UZK}:\left|\mathcal{U}\right|\le \left|\mathcal{Z}\right|+1,U\leftrightarrow Z\leftrightarrow K\}.\hfill \end{array}$$

Set

$$\begin{array}{cc}\hfill \mathcal{R}(p):=& \begin{array}{c}\{(R_{\mathcal{A}},R):R_{\mathcal{A}},R\ge 0,R_{\mathcal{A}}\ge I(Z;U),R\ge H(K|U)\},\hfill \end{array}\hfill \\ \hfill \mathcal{R}(p_K,W):=& {\displaystyle \bigcup _{p\in \mathcal{P}(p_K,W)}}\mathcal{R}(p).\hfill \end{array}$$

We can show that the region $\mathcal{R}(p_K,W)$ satisfies the following property.

Property 1.

(a) 

The region$\mathcal{R}(p_K,W)$is a closed convex subset of${\mathbb{R}}_{+}^2:=\{R_{\mathcal{A}}\ge 0,R\ge 0\}$.

(b) 

For any$(p_K,W)$, we have

$${\displaystyle \underset{(R_{\mathcal{A}},R)\in \mathcal{R}(p_K,W)}{min}}(R_{\mathcal{A}}+R)=H(K).$$

(10)

The minimum is attained by$(R_{\mathcal{A}},R)=(0,H(K$$))$. This result implies that

$$\begin{array}{cc}\hfill \mathcal{R}(p_K,W)\subseteq & \{(R_{\mathcal{A}},R):R_{\mathcal{A}}+R\ge H(K)\}\cap {\mathbb{R}}_{+}^2.\hfill \end{array}$$

Furthermore, the point$(0,H(K))$always belongs to$\mathcal{R}(p_K,W)$.

Property 1 part (a) is a well-known property. Proof of Property 1 part (b) is easy. Proofs of Property 1 parts (a) and (b) are omitted. Typical shape of the region $\mathcal{R}(p_K,W)$ is shown in Figure 7.

The rate region ${\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$ was determined by Ahlswede and Körner [7] and Wyner [16]. Their result is the following.

Theorem 2.

(Ahlswede, Körner [7] andWyner [16])

$$\begin{array}{c}{\mathcal{R}}_{\mathrm{AKW}}(p_K,W)=\mathcal{R}(p_K,W).\hfill \end{array}$$

Watanabe and Oohama [10] investigated an explicit form of ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)$ to show that it is equal to ${\mathcal{R}}^{\mathrm{c}}(p_K,W)$, that is, we have the following result.

Theorem 3.

(Watanabe and Oohama [10])

$$\begin{array}{c}{\mathcal{R}}_{\mathrm{WO}}(p_K,W)={\mathcal{R}}_{\mathrm{AKW}}^{\mathrm{c}}(p_K,W)={\mathcal{R}}^{\mathrm{c}}(p_K,W).\hfill \end{array}$$

In the remaining part of this section, we investigate a relationship between Problems 2 and 3 to give an outline of the proof of this theorem. Let

$$p_{\mathrm{c},\mathcal{A}}^{(n)}=p_{\mathrm{c},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right):=\mathrm{Pr}\left\{K^n={\psi }_{\mathcal{A}}^{(n)}({\phi }_{\mathcal{A}}^{(n)}(Z^n),{\phi }^{(n)}(K^n))\right\}$$

be the correct probability of decoding for Problem 3. The following lemma provides an important inequality to examine a relationship between these two problems.

Lemma 3.

For any$({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)})$, we have the following:

$$p_{\mathrm{c},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)\le \frac{1}{{\left|\mathcal{X}\right|}^m}+d\left(p_{V^m}\times p_{M_{\mathcal{A}}^{(n)}},p_{{\tilde{K}}^m{M}_{\mathcal{A}}^{(n)}}\right).$$

Proof of this lemma is given in Appendix A. Using Lemma 3, we can easily prove the inclusion ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)\subseteq {\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$, which corresponds to the converse part of Theorem 3.

Proof of${\mathcal{R}}_{\mathrm{WO}}(p_K,W)\subseteq {\mathcal{R}}_{\mathrm{AKW}}^{\mathrm{c}}(p_K,W)$:

We assume that $(R_{\mathcal{A}},R)\in {\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$. Then there exists $\{{({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}\}}_{n\ge 1}$ such that $\forall \epsilon >0,$ $\exists n_0=n_0(\epsilon )\in {\mathbb{N}}_0,$ $\forall n\ge n_0$,

$$\begin{array}{c}\frac{m}{n}log\left|\mathcal{X}\right|\le R+\epsilon ,{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R+\epsilon ),\hfill \end{array}$$

(11)

$$\begin{array}{c}\mathrm{and}{p}_{\mathrm{e},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)\le \epsilon .\hfill \end{array}$$

(12)

From the above sequence ${\{({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)})\}}_{n\ge 1}$, we can construct the sequence $\{{({\widehat{\phi }}^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}\}}_{n\ge 1}$ such that

$$\begin{array}{c}R+\epsilon \ge \frac{1}{n}log\left|\right|{\widehat{\phi }}^{(n)}\left|\right|=\frac{\widehat{m}}{n}log\left|\mathcal{X}\right|\ge max\left\{R-\epsilon ,\frac{m}{n}log\left|\mathcal{X}\right|\right\},{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R+\epsilon ),\hfill \end{array}$$

(13)

$$\begin{array}{c}{p}_{\mathrm{e},\mathcal{A}}^{(n)}\left({\widehat{\phi }}^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)\le p_{\mathrm{e},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)\le \epsilon .\hfill \end{array}$$

(14)

Set ${\tilde{K}}^{\widehat{m}}:={\widehat{\phi }}^{(n)}(K^n)$. Then from (14) and Lemma 3, we have

$$\begin{array}{c}\hfill d\left(p_{V^{\widehat{m}}}\times p_{M_{\mathcal{A}}^{(n)}},p_{{\tilde{K}}^{\widehat{m}}{M}_{\mathcal{A}}^{(n)}}\right)\ge 1-\epsilon -\frac{1}{{\left|\mathcal{X}\right|}^{\widehat{m}}},\end{array}$$

from which we have

$$\begin{array}{c}d\left(p_{V^{\widehat{m}}}\times p_{M_{\mathcal{A}}^{(n)}},p_{{\tilde{K}}^{\widehat{m}}{M}_{\mathcal{A}}^{(n)}}\right)\ge 1-2\epsilon ,\hfill \end{array}$$

(15)

for sufficiently large n. From (13), (15), and the definition of ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)$, we can see that $(R_{\mathcal{A}}+\epsilon ,R)\notin {\mathcal{R}}_{\mathrm{WO}}(p_K,W)$, or equivalent to

$$\begin{array}{c}(R_{\mathcal{A}}+\epsilon ,R)\in {\mathcal{R}}_{\mathrm{WO}}^c(p_K,W)\iff (R_{\mathcal{A}},R)\in {\mathcal{R}}_{\mathrm{WO}}^c(p_K,W)-\epsilon (1,0),\hfill \end{array}$$

(16)

where we set $\mathcal{R}-(a,b):=\{(u,v):(u+a,v+b)\in \mathcal{R}\}$. Since $(R_{\mathcal{A}},R)\in {\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$ is arbitrary, we have that

$$\begin{array}{c}{\mathcal{R}}_{\mathrm{AKW}}(p_K,W)\subseteq {\mathcal{R}}_{\mathrm{WO}}^c(p_K,W)-\epsilon (1,0)\iff {\mathcal{R}}_{\mathrm{AKW}}(p_K,W)+\epsilon (1,0)\subseteq {\mathcal{R}}_{\mathrm{WO}}^c(p_K,W)\hfill \\ \iff {\mathcal{R}}_{\mathrm{WO}}(p_K,W)\subseteq {\mathcal{R}}_{\mathrm{AKW}}^{\mathrm{c}}(p_K,W)+\epsilon (1,0)\iff {\mathcal{R}}_{\mathrm{WO}}(p_K,W)\subseteq {\mathcal{R}}^{\mathrm{c}}(p_K,W)+\epsilon (1,0).\hfill \end{array}$$

(17)

By letting $\epsilon \to 0$ in (17) and considering that ${\mathcal{R}}^{\mathrm{c}}(p_K,W)$ is an open set, we have that ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)\subseteq {\mathcal{R}}^{\mathrm{c}}(p_K,W)$. □

To prove ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)\supseteq {\mathcal{R}}_{\mathrm{AKW}}^{\mathrm{c}}$, we examine an upper bound of ${\xi }_d^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n)$. For $\eta >0$, we define

$$\begin{array}{c}{\wp }_{\eta }^{(n)}={\wp }_{\eta }^{(n)}(R|p_K^n,W^n):=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}\left\{R\ge \frac{1}{n}log\frac{1}{p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-\eta \right\},\hfill \\ {\mathsf{\Phi }}_{d,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n):={\displaystyle \underset{{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}^{(n)}({\mathcal{R}}_{\mathcal{A}})}{max}}\left\{{\wp }_{\eta }^{(n)}(R|p_K^n,W^n)+\sqrt{{\mathrm{e}}^{-n\eta }}\right\}.\hfill \end{array}$$

According to Watanabe and Oohama [10], we have the following two propositions.

Proposition 1.

(Watanabe and Oohama [10]). Fix any positive $\eta >0$. $\exists {\phi }^{(n)}:{\mathcal{X}}^n\to {\mathcal{X}}^m$ satisfying $(m/n)log\left|\mathcal{X}\right|\ge R-2\eta$, we have

$${\xi }_d^{(n)}({\phi }^{(n)},R_{\mathcal{A}}|p_K^n,W^n)\le {\mathsf{\Phi }}_{d,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n).$$

Proposition 2.

(Watanabe and Oohama [10]). If $(R_{\mathcal{A}},R)\notin \mathcal{R}(p_K,W)$, then for any $\eta >0$ and any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$${\displaystyle \underset{n\to \infty }{lim}}{\wp }_{\eta }^{(n)}(R|p_K^n,W)=0,$$

which implies that

$${\displaystyle \underset{n\to \infty }{lim}}{\mathsf{\Phi }}_{d,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)=0.$$

The inclusion ${\mathcal{R}}_{\mathrm{WO}}(p_K,W)\supseteq {\mathcal{R}}_{\mathrm{AKW}}^{\mathrm{c}}$ immediately follows from Propositions 1 and 2.

5. Reliability and Security Analysis

In this section, we state our main results. We use the affine encoder ${\phi }^{(n)}$ defined in the previous section. We upper bound $p_{\mathrm{e}}=p_{\mathrm{e}}({\phi }^{(n)},{\psi }^{(n)}|p_X^n)$ and ${\Delta }^{(n)}={\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)$ to obtain inner bounds of ${\mathcal{R}}_{\mathsf{Sys}}(p_X,$$p_K,W)$ and ${\mathcal{D}}_{\mathsf{Sys}}(p_X,$$p_K,W)$.

Let

$$\begin{array}{c}{\mathsf{\Phi }}_{D,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n):={\displaystyle \underset{{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}^{(n)}({\mathcal{R}}_{\mathcal{A}})}{max}}\left\{nR{\wp }_{\eta }^{(n)}(R|p_K^n,W^n)+{\mathrm{e}}^{-n\eta }\right\},\hfill \\ {\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n):={\displaystyle \underset{\eta >0}{inf}}{\mathsf{\Phi }}_{D,\eta }(R_{\mathcal{A}},R|p_K^n{W}^n).\hfill \end{array}$$

Then we have the following proposition.

Proposition 3.

For any$R_{\mathcal{A}},R>0$and any$(p_K,W)$, there exists a sequence of mappings${\left\{({\phi }^{(n)},{\psi }^{(n)})\right\}}_{n=1}^{\infty }$such that for any$p_X\in \mathcal{P}(\mathcal{X})$, we have

$$\begin{array}{c}R-\frac{1}{n}\le \frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R,\hfill \\ p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le \mathrm{e}{(n+1)}^{2\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\mathrm{e}}^{-nE(R|p_X)},\hfill \end{array}$$

(18)

and for any eavesdropper$\mathcal{A}$with${\phi }_{\mathcal{A}}$satisfying${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{c}{\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le \{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n).\hfill \end{array}$$

(19)

This proposition can be proved by several tools developed by previous works. The detail of the proof is given in the next section. As we stated in Proposition 2, Watanabe and Oohama [10] proved that if $(R_{\mathcal{A}},R)\notin \mathcal{R}(p_K,W)$, then the quantity for any $\eta >0$ and any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, the quantity ${\wp }_{\eta }^{(n)}(R|p_K^n,W)$. Their method can not be applied to the analysis of ${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$ since the quantity $nR$ is multiplied with the quantity ${\wp }_{\eta }^{(n)}(R|p_K^n,W)$ in the definition of ${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$. In this paper, we derive an upper bound of ${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$ that decays exponentially as $n\to \infty$ if $(R_{\mathcal{A}},R)\notin \mathcal{R}(p_K,W)$. To derive the upper bound, we use a new method that is developed by Oohama to prove strong converse theorems in multi-terminal source or channel networks [9,17,18,19,20].

We define several functions and sets to describe the upper bound of ${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$. Set

$$\begin{array}{cc}\hfill \mathcal{Q}(p_{K|Z}):=& \{q=q_{UZK}:|\mathcal{U}|\le |\mathcal{Z}|,U\leftrightarrow Z\leftrightarrow K,p_{K|Z}=q_{K|Z}\}.\hfill \end{array}$$

For $(\mu ,\alpha )\in {[0,1]}^2$ and for $q=q_{UZK}\in \mathcal{Q}(p_{K|Z})$, define

$$\begin{array}{c}{\omega }_{q|p_Z}^{(\mu ,\alpha )}(z,k|u):=\overline{\alpha }log\frac{q_Z(z)}{p_Z(z)}+\alpha \left[\mu log\frac{q_{Z|U}(z|u)}{p_Z(z)}\right.\left.+\overline{\mu }log\frac{1}{q_{K|U}(k|u)}\right],\hfill \\ {\mathsf{\Omega }}^{(\mu ,\alpha )}(q|p_Z):=-log{\mathrm{E}}_q\left[exp\left\{-{\omega }_{q|p_Z}^{(\mu ,\alpha )}(Z,K|U)\right\}\right],{\mathsf{\Omega }}^{(\mu ,\alpha )}(p_K,W):={\displaystyle \underset{\genfrac{}{}{0pt}{}{}{q\in \mathcal{Q}(p_{K|Z})}}{min}}{\mathsf{\Omega }}^{(\mu ,\alpha )}(q|p_Z),\hfill \\ F^{(\mu ,\alpha )}(\mu R_{\mathcal{A}}+\overline{\mu }{R}_{}|p_K,W):=\frac{{\mathsf{\Omega }}^{(\mu ,\alpha )}(p_K,W)-\alpha (\mu R_{\mathcal{A}}+\overline{\mu }{R}_{})}{2+\alpha \overline{\mu }},\hfill \\ F(R_{\mathcal{A}},R_{}|p_K,W):={\displaystyle \underset{(\mu ,\alpha )\in {[0,1]}^2}{sup}}{F}^{(\mu ,\alpha )}(\mu R_{\mathcal{A}}+\overline{\mu }{R}_{}|p_K,W).\hfill \end{array}$$

We next define a function serving as a lower bound of $F(R_{\mathcal{A}},R_{}|p_K,W)$. For each $p_{UZK}\in {\mathcal{P}}_{\mathrm{sh}}(p_K,W)$, define

$$\begin{array}{c}{\tilde{\omega }}_p^{(\mu )}(z,k|u):=\mu log\frac{p_{Z|U}(z|u)}{p_Z(z)}+\overline{\mu }log\frac{1}{p_{K|U}(K|U)},\hfill \\ {\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p):=-log{\mathrm{E}}_p\left[exp\left\{-\lambda {\tilde{\omega }}_p^{(\mu )}(Z,K|U)\right\}\right],{\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p_K,W):={\displaystyle \underset{\genfrac{}{}{0pt}{}{}{p\in {\mathcal{P}}_{\mathrm{sh}}(p_K,W)}}{min}}{\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p).\hfill \end{array}$$

Furthermore, set

$$\begin{array}{c}{\tilde{F}}^{(\mu ,\lambda )}(\mu R_{\mathcal{A}}+\overline{\mu }{R}_{}|p_K,W):=\frac{{\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p_K,W)-\lambda (\mu R_{\mathcal{A}}+R_{})}{2+\lambda (5-\mu )},\hfill \\ \tilde{F}(R_{\mathcal{A}},R_{}|p_K,W):={\displaystyle \underset{\genfrac{}{}{0pt}{}{\lambda \ge 0,}{\mu \in [0,1]}}{sup}}{\tilde{F}}^{(\mu ,\lambda )}(\mu R_{\mathcal{A}}+\overline{\mu }{R}_{}|p_K,W).\hfill \end{array}$$

We can show that the above functions satisfy the following property.

Property 2.

(a) 

The cardinality bound$\left|\mathcal{U}\right|\le \left|\mathcal{Z}\right|$in$\mathcal{Q}(p_{K|Z})$is sufficient to describe the quantity${\mathsf{\Omega }}^{(\mu ,\beta ,\alpha )}(p_K,W)$. Furthermore, the cardinality bound$\left|\mathcal{U}\right|\le \left|\mathcal{Z}\right|$in${\mathcal{P}}_{\mathrm{sh}}(p_K,W)$is sufficient to describe the quantity${\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p_K,W)$.

(b) 

For any$R_{\mathcal{A}},R_{}\ge 0$, we have

$$\begin{array}{c}F(R_{\mathcal{A}},R_{}|p_K,W)\ge \tilde{F}(R_{\mathcal{A}},R_{}|p_K,W).\hfill \end{array}$$

(c) 

For any$p=p_{UZK}\in {\mathcal{P}}_{\mathrm{sh}}(p_Z,W)$and any$(\mu ,\lambda )\in [0,$${1]}^2$, we have

$$0\le {\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p)\le \mu log\left|\mathcal{Z}\right|+\overline{\mu }log\left|\mathcal{K}\right|.$$

(20)

(d) 

Fix any$p=p_{UZK}\in {\mathcal{P}}_{\mathrm{sh}}(p_K,W)$and$\mu \in [0,1]$. For$\lambda \in [0,1]$, we define a probability distribution$p^{(\lambda )}=p_{UZK}^{(\lambda )}$by

$$\begin{array}{c}{p}^{(\lambda )}(u,z,k):=\frac{p(u,z,k)exp\left\{-\lambda {\tilde{\omega }}_p^{(\mu )}(z,k|u)\right\}}{{\mathrm{E}}_p\left[exp\left\{-\lambda {\tilde{\omega }}_p^{(\mu )}(Z,K|U)\right\}\right]}.\hfill \end{array}$$

Then for$\lambda \in [0,1/2]$, ${\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p)$is twice differentiable. Furthermore, for$\lambda \in [0,1/2]$, we have

$$\begin{array}{c}\frac{\mathrm{d}}{\mathrm{d}\lambda }{\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p)={\mathrm{E}}_{p^{(\lambda )}}\left[{\tilde{\omega }}_p^{(\mu )}(Z,K|U)\right],\frac{{\mathrm{d}}^2}{\mathrm{d}{\lambda }^2}{\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p)=-{\mathrm{Var}}_{p^{(\lambda )}}\left[{\tilde{\omega }}_p^{(\mu )}(Z,K|U)\right].\hfill \end{array}$$

The second equality implies that${\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p|p_K$$,W)$is a concave function of$\lambda \ge 0$.

(e) 

For$(\mu ,\lambda )\in [0,1]\times [0,1/2]$, define

$$\begin{array}{c}{\rho }^{(\mu ,\lambda )}(p_K,W):={\displaystyle \underset{\genfrac{}{}{0pt}{}{(\nu ,p)\in [0,\lambda ]\times {\mathcal{P}}_{\mathrm{sh}}(p_K,W):}{{\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p)={\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p_K,W)}}{max}}{\mathrm{Var}}_{p^{(\nu )}}\left[{\tilde{\omega }}_p^{(\mu )}(Z,K|U)\right],\hfill \end{array}$$

and set

$$\begin{array}{c}\rho =\rho (p_K,W):={\displaystyle \underset{(\mu ,\lambda )\in [0,1]\times [0,1/2]}{max}}{\rho }^{(\mu ,\lambda )}(p_K,W).\hfill \end{array}$$

Then we have$\rho (p_K,W)<\infty$. Furthermore, for any$(\mu ,\lambda )\in [0,1]\times [0,1/2]$, we have

$${\tilde{\mathsf{\Omega }}}^{(\mu ,\lambda )}(p_K,W)\ge \lambda R^{(\mu )}(p_K,W)-\frac{{\lambda }^2}{2}\rho (p_K,W).$$

(f) 

For every$\tau \in (0,(1/2)\rho (p_K,W))$, the condition$(R_{\mathcal{A}},$$R_{}+\tau )\notin \mathcal{R}(p_K,W)$implies

$$\begin{array}{c}\tilde{F}(R_{\mathcal{A}},R_{}|p_K,W)>\frac{\rho (p_K,W)}{4}·g^2\left(\frac{\tau }{\rho (p_K,W)}\right)>0,\hfill \end{array}$$

where g is the inverse function of$\vartheta (a):=a+(5/4)a^2,a\ge 0$.

Proof of this property is found in Oohama [9] (extended version). On the upper bound of ${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$, we have the following:

Proposition 4.

For any$n\ge 1/R$, we have

$${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)\le 5nR{\mathrm{e}}^{-nF(R_{\mathcal{A}},R|p_K,W)}.$$

(21)

Proof of this proposition is given in the next section. Proposition 4 has a close connection with the one helper source coding problem, which is explained as Problem 3 in the previous section. In fact, for the proof we use the result Oohama [9] obtained for an explicit lower bound of the optimal exponent on the exponential decay of $p_{\mathrm{c},\mathcal{A}}^{(n)}\left({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)},{\psi }_{\mathcal{A}}^{(n)}|p_K^n,W^n\right)$ for $(R_{\mathcal{A}},R)\notin {\mathcal{R}}_{\mathrm{AKW}}(p_K,W)$. By Propositions 3 and 4, we obtain our main result shown below.

Theorem 4.

For any $R_{\mathcal{A}},R>0$ and any $(p_K,W)$, there exists a sequence of mappings ${\left\{({\phi }^{(n)},{\psi }^{(n)})\right\}}_{n=1}^{\infty }$ such that for any $p_X\in \mathcal{P}(\mathcal{X})$, we have

$$\begin{array}{c}\frac{1}{n}-R\le \frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R,\hfill \\ p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le {\mathrm{e}}^{-n[E(R|p_X)-{\delta }_{1,n}]}\hfill \end{array}$$

(22)

and for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{c}{\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le {\mathrm{e}}^{-n[F(R_{\mathcal{A}},R|p_K,W)-{\delta }_{2,n}]},\hfill \end{array}$$

(23)

where ${\delta }_{i,n},i=1,2$ are defined by

$$\begin{array}{c}{\delta }_{1,n}:=\frac{1}{n}log\left[\mathrm{e}{(n+1)}^{2\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}\right],\hfill \\ {\delta }_{2,n}:=\frac{1}{n}log\left[5nR\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}\right].\hfill \end{array}$$

Note that for $i=1,2$, ${\delta }_{i,n}\to 0$ as $n\to \infty$.

The functions $E(R|p_X)$ and $F(R_{\mathcal{A}},R|p_K,W)$ take positive values if and only if $(R_{\mathcal{A}},R)$ belongs to the set

$$\begin{array}{c}\{R>H(X)\}\cap {\mathcal{R}}^{\mathrm{c}}(p_K,W):={\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_X,p_K,W).\hfill \end{array}$$

Thus, by Theorem 4, under $(R_{\mathcal{A}},R)\in {\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_X,p_K,W),$ we have the following:

• In terms of reliability, $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$ goes to zero exponentially as n tends to infinity, and its exponent is lower bounded by the function $E(R|p_X)$.
• In terms of security, for any ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in$${\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, the information leakage ${\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}$$|p_X^n,p_K^n,W^n)$ on $X^n$ goes to zero exponentially as n tends to infinity, and its exponent is lower bounded by the function $F(R_{\mathcal{A}},R|p_K,W)$.
• The code that attains the exponent functions $E($$R|p_X)$ is the universal code that depends only on R and not on the value of the distribution $p_X$.

Define

$$\begin{array}{c}{\mathcal{D}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_X,p_K,W):=\{(R_1,R_2,E(R|p_X),F(R_{\mathcal{A}},R|p_K)):(R_1,R_2)\in {\mathcal{R}}_{\mathsf{Sys}}^{(\mathrm{in})}(p_X,p_K,W)\}.\end{array}$$

From Theorem 4, we immediately obtain the following corollary.

Corollary 1.

$$\begin{array}{c}\hfill {\mathcal{R}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_X,p_K,W)\subseteq {\mathcal{R}}_{\mathrm{Sys}}(p_X,p_K,W),{\mathcal{D}}_{\mathrm{Sys}}^{(\mathrm{in})}(p_X,p_K,W)\subseteq {\mathcal{D}}_{\mathrm{Sys}}(p_X,p_K,W).\end{array}$$

A typical shape of $\{R>H(X)\}\cap {\mathcal{R}}^{\mathrm{c}}(p_K,W)$ is shown in Figure 8.

6. Proofs of the Results

In this section, we prove our main theorem, i.e., Theorem 4.

6.1. Types of Sequences and Their Properties

In this subsection, we present basic results on the types. These results are basic tools for our analysis of several bounds related to the error provability of decoding or security.

Definition 5.

For any n-sequence $x^n=x_1{x}_2\cdots$ $x_n\in {\mathcal{X}}^n$, $n(x|x^n)$ denotes the number of t such that $x_t=x$. The relative frequency ${\left\{n(x|x^n)/n\right\}}_{x\in \mathcal{X}}$ of the components of $x^n$ is called the type of $x^n$ denoted by $P_{x^n}$. The set that consists of all the types on $\mathcal{X}$ is denoted by ${\mathcal{P}}_n(\mathcal{X})$. Let $\overline{X}$ denote an arbitrary random variable whose distribution $P_{\overline{X}}$ belongs to ${\mathcal{P}}_n(\mathcal{X})$. For $p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$, set $T_{\overline{X}}^n:=\left\{x^n:P_{x^n}=p_{\overline{X}}\right\}.$

For sets of types and joint types, the following lemma holds. For details of the proof, see Csiszár and Körner [21].

Lemma 4.

(a)

$\begin{array}{c}|{\mathcal{P}}_n{(\mathcal{X})|\le (n+1)}^{\left|\mathcal{X}\right|}.\hfill \end{array}$

(b)

For $P_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$,

$$\begin{array}{cc}\hfill {(n+1)}^{-\left|\mathcal{X}\right|}{\mathrm{e}}^{nH(\overline{X})}& \le |T_{\overline{X}}^n|\le {\mathrm{e}}^{nH(\overline{X})}.\hfill \end{array}$$

(c)

For $x^n\in T_{\overline{X}}^n$,

$$\begin{array}{cc}\hfill p_X^n(x^n)& ={\mathrm{e}}^{-n[H(\overline{X})+D(p_{\overline{X}}\left|\right|p_X)]}.\hfill \end{array}$$

By Lemma 4 parts (b) and (c), we immediately obtain the following lemma:

Lemma 5.

For $p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$,

$$\begin{array}{c}{p}_X^n(T_{\overline{X}}^n)\le {\mathrm{e}}^{-nD(p_{\overline{X}}||p_X)}.\hfill \end{array}$$

6.2. Upper Bounds of $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$, and ${\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}$$|p_X^n,p_K^n,W^n)$

In this subsection, we evaluate upper bounds of $p_{\mathrm{e}}($${\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$ and ${\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}$$|p_X^n,p_K^n,W^n)$. For $p_{\mathrm{e}}({\varphi }^{(n)}$$,{\psi }^{(n)}|p_X^n)$, we derive an upper bound that can be characterized with a quantity depending on $({\varphi }^{(n)},{\psi }^{(n)})$ and type $P_{x^n}$ of sequences $x^n\in {\mathcal{X}}^n$. We first evaluate $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$. For $x^n\in {\mathcal{X}}^n$ and $p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$, we define the following functions:

$$\begin{array}{cc}\hfill {\Xi }_{x^n}({\varphi }^{(n)},{\psi }^{(n)})& :=\left\{\begin{array}{ccc}1& & \mathrm{if}{\psi }^{(n)}\left({\varphi }^{(n)}(x^n)\right)\ne x^n,\hfill \\ 0& & \mathrm{otherwise},\hfill \end{array}\right.\hfill \\ \hfill {\displaystyle {\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})}& :=\frac{1}{|T_{\overline{X}}^n|}{\displaystyle \sum _{x^n\in T_{\overline{X}}^n}}{\Xi }_{x^n}({\varphi }^{(n)},{\psi }^{(n)}).\hfill \end{array}$$

Then we have the following lemma.

Lemma 6.

In the proposed system, for any pair of$({\varphi }^{(n)},$${\psi }^{(n)})$, we have

$$\begin{array}{c}{p}_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le {\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)}){\mathrm{e}}^{-nD(p_{\overline{X}}||p_X)}.\hfill \end{array}$$

(24)

Proof. 

We have the following chain of inequalities:

$$\begin{array}{c}{p}_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\stackrel{(\mathrm{a})}{=}{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}{\displaystyle \sum _{x^n\in T_{\overline{X}}^n}}{\Xi }_{x^n}({\varphi }^{(n)},{\psi }^{(n)})p_X^n(x^n)\hfill \\ ={\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}\frac{1}{|T_{\overline{X}}^n|}{\displaystyle \sum _{x^n\in T_{\overline{X}}^n}}{\Xi }_{x^n}({\varphi }^{(n)},{\psi }^{(n)})\left|T_{\overline{X}}^n\right|p_X^n(x^n)\hfill \\ \stackrel{(\mathrm{b})}{=}{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}\frac{1}{|T_{\overline{X}}^n|}{\displaystyle \sum _{x^n\in T_{\overline{X}}^n}}{\Xi }_{x^n}({\varphi }^{(n)},{\psi }^{(n)})p_X^n(T_{\overline{X}}^n)\stackrel{(\mathrm{c})}{=}{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})p_X^n(T_{\overline{X}}^n)\hfill \\ \stackrel{(\mathrm{d})}{\le }{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)}){\mathrm{e}}^{-nD(p_{\overline{X}}||p_X)}.\hfill \end{array}$$

Step (a) follows from the definition of ${\Xi }_{x^n}({\varphi }^{(n)},{\psi }^{(n)})$. Step (b) follows from the probabilities $p_X^n(x^n)$ for $x^n\in T_{\overline{X}}^n$ taking an identical value. Step (c) follows from the definition of ${\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})$. Step (d) follows from Lemma 5. □

6.3. Random Coding Arguments

We construct a pair of affine encoders ${\phi }^{(n)}=({\phi }_1^{(n)},{\phi }_{\mathrm{e}}^{(n)})$ using the random coding method. For the joint decoder ${\psi }^{(n)}$, we propose the minimum entropy decoder used in Csiszár [6] and Oohama and Han [22].

Random Construction of Affine Encoders: We first choose m such that

$$m:=⌊\frac{nR}{log\left|\mathcal{X}\right|}⌋,$$

where $\lfloor a\rfloor$ stands for the integer part of a. It is obvious that

$$R-\frac{1}{n}\le \frac{m}{n}log\left|\mathcal{X}\right|\le R.$$

By definition (2) of ${\varphi }^{(n)}$, we have that for $x^n\in {\mathcal{X}}^n$,

$$\begin{array}{c}{\varphi }^{(n)}(x^n)=x^{n}A,\hfill \end{array}$$

where A is a matrix with n rows and m columns. By definition (3) of ${\phi }^{(n)}$, we have that for $k^n\in {\mathcal{X}}^n$,

$$\begin{array}{c}{\phi }^{(n)}(k^n)=k^{n}A+b^m,\hfill \end{array}$$

where $b^m$ is a vector with m columns. Entries of A and $b^m$ are from the field of $\mathcal{X}$. These entries are selected at random, independently of each other, and with a uniform distribution. Randomly constructed linear encoder ${\varphi }^{(n)}$ and affine encoder ${\phi }^{(n)}$ have three properties shown in the following lemma.

Lemma 7 (Properties of Linear/Affine Encoders).

(a) 

For any $x^n,v^n\in {\mathcal{X}}^n$ with $x^n\ne v^n$, we have

$$\begin{array}{c}Pr[{\varphi }^{(n)}(x^n)={\varphi }^{(n)}(v^n)]=Pr[(x^n\ominus v^n)A=0^m]={\left|\mathcal{X}\right|}^{-m}.\hfill \end{array}$$

(25)

(b) 

For any $s^n\in {\mathcal{X}}^n$ and for any ${\tilde{s}}^m\in {\mathcal{X}}^m$, we have

$$\begin{array}{c}Pr[{\phi }^{(n)}(s^n)={\tilde{s}}^m]=Pr[s^{n}A\oplus b^m={\tilde{s}}^m]={\left|\mathcal{X}\right|}^{-m}.\hfill \end{array}$$

(26)

(c) 

For any $s^n,t^n\in {\mathcal{X}}^n$ with $s^n\ne t^n$, and for any ${\tilde{s}}^m\in {\mathcal{X}}^m$, we have

$$\begin{array}{c}Pr[{\phi }^{(n)}(s^n)={\phi }^{(n)}(t^n)={\tilde{s}}^m]=Pr[s^{n}A\oplus b^m=t^{n}A\oplus b^m={\tilde{s}}^m]={\left|\mathcal{X}\right|}^{-2m}.\hfill \end{array}$$

(27)

Proof of this lemma is given in Appendix B. We next define the decoder function ${\psi }^{(n)}:{\mathcal{X}}^m\to {\mathcal{X}}^n.$ To this end, we define the following quantities.

Definition 6.

For $x^n\in {\mathcal{X}}^n$, we denote the entropy calculated from the type $P_{x^n}$ by $H(x^n)$. In other words, for a type $P_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$ such that $P_{\overline{X}}=P_{x^n}$, we define $H(x^n)=H(\overline{X})$.

Minimum Entropy Decoder: For ${\varphi }^{(n)}(x^n)={\tilde{x}}^m$, we define the decoder function ${\psi }^{(n)}:{\mathcal{X}}^m\to {\mathcal{X}}^n$ as follows:

$${\psi }^{(n)}({\tilde{x}}^m):=\left\{\begin{array}{cc}{\widehat{x}}^n& \mathrm{if}{\varphi }^{(n)}({\widehat{x}}^n)={\tilde{x}}^m,\hfill \\ & \mathrm{and}H({\widehat{x}}^n)<H({\check{x}}^n)\hfill \\ & \mathrm{for}\mathrm{all} {\check{x}}^n\mathrm{such}\mathrm{that}\hfill \\ & {\varphi }^{(n)}({\check{x}}^n)={\tilde{x}}^m,\hfill \\ & \mathrm{and}{\check{x}}^n\ne {\widehat{x}}^n,\hfill \\ \mathrm{arbitrary}& \mathrm{if}\mathrm{there}\mathrm{is}\mathrm{no}\mathrm{such}{\widehat{x}}^n\in {\mathcal{X}}^n.\hfill \end{array}\right.$$

Error Probability Bound: In the following arguments, we let expectations based on the random choice of the affine encoder ${\phi }^{(n)}$ be denoted by $\mathbf{E}$[$·]$. Define

$${\mathsf{\Lambda }}_{\overline{X}}(R):={\mathrm{e}}^{-n{[R-H(\overline{X})]}^{+}}.$$

Then we have the following lemma.

Lemma 8.

For any n and for any$P_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$,

$$\mathbf{E}\left[{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})\right]\le \mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}{\mathsf{\Lambda }}_{\overline{X}}(R).$$

Proof of this lemma is given in Appendix C.

Estimation of Approximation Error: Define

$$\begin{array}{c}\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_{K^n},W^n):={\displaystyle \sum _{(a,k^n)\in {\mathcal{M}}_{\mathcal{A}}^{(n)}\times {\mathcal{X}}^n}}{p}_{M_{\mathcal{A}}^{(n)}{K}^n}(a,k^n)log\left[1+({\mathrm{e}}^{nR}-1)p_{K^n|M_{\mathcal{A}}^{(n)}}(k^n|a)\right].\hfill \end{array}$$

Then we have the following lemma.

Lemma 9.

For any$n,m$satisfying$(m/n)log\left|\mathcal{X}\right|$$\le R$, we have

$$\begin{array}{c}\mathbf{E}\left[D\left.\left.\left.\left(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}\right|\right|p_{V^m}\right|p_{M_{\mathcal{A}}^{(n)}}\right)\right]\le \Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_{K^n},W^n).\hfill \end{array}$$

(28)

Proof of this lemma is given in Appendix D. From the bound (28) in Lemma (9), we know that the quantity $\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_{K^n},W^n)$ serves as an upper bound of the ensemble average of the conditional divergence $D(p_{{\tilde{K}}^m|M_{\mathcal{A}}^{(n)}}$$\left|\right|p_{V^m}|p_{M_{\mathcal{A}}^{(n)}}).$ Hayashi [23] obtained the same upper bound of the ensemble average of the conditional divergence for an ensemble of universal${}_2$ functions. In this paper, we prove the bound (28) for an ensemble of affine encoders. To derive this bound, we need to use Lemma 7 parts (b) and (c), the two important properties that a class of random affine encoders satisfies. From Lemmas 1 and 9, we have the following corollary.

Corollary 2.

$$\begin{array}{c}\hfill \mathbf{E}\left[{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\right]\le \Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n).\end{array}$$

Existence of Good Universal Code $({\phi }^{(n)},{\psi }^{(n)})$:

From Lemma 8 and Corollary 2, we have the following lemma stating the existence of a good universal code $({\phi }^{(n)},{\psi }^{(n)})$.

Lemma 10.

There exists at least one deterministic code$({\phi }^{(n)},{\psi }^{(n)})$satisfying$(m/n)log\left|\mathcal{X}\right|\le R$, such that for any$p_{\overline{X}}$$\in {\mathcal{P}}_n(\mathcal{X})$,

$$\begin{array}{c}{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})\le \mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\mathsf{\Lambda }}_{\overline{X}}(R).\hfill \end{array}$$

Furthermore, for any${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{c}{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le \{{(n+1)}^{\left|\mathcal{X}\right|}+1\}\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n).\hfill \end{array}$$

Proof. 

We have the following chain of inequalities:

$$\begin{array}{c}\mathbf{E}\left[{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}\frac{{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})}{\mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}{\mathsf{\Lambda }}_{\overline{X}}(R)}+\frac{{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)}{\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)}\right]\hfill \\ ={\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}\frac{\mathbf{E}\left[{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})\right]}{\mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}{\mathsf{\Lambda }}_{\overline{X}}(R)}+\frac{\mathbf{E}\left[{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\right]}{\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)}\hfill \\ \stackrel{(\mathrm{a})}{\le }{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}1+1=\left|{\mathcal{P}}_n(\mathcal{X})\right|+1\stackrel{(\mathrm{b})}{\le }{(n+1)}^{\left|\mathcal{X}\right|}+1.\hfill \end{array}$$

Step (a) follows from Lemma 8 and Corollary 2. Step (b) follows from Lemma 4 part (a). Hence, there exists at least one deterministic code $({\phi }^{(n)},{\psi }^{(n)})$ such that

$$\begin{array}{c}{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}\frac{{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})}{\mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}{\mathsf{\Lambda }}_{\overline{X}}(R)}+\frac{{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)}{\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)}\le {(n+1)}^{\left|\mathcal{X}\right|}+1,\hfill \end{array}$$

from which we have that

$$\begin{array}{c}\frac{{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})}{\mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}{\mathsf{\Lambda }}_{\overline{X}}(R)}\le {(n+1)}^{\left|\mathcal{X}\right|}+1,\hfill \end{array}$$

for any $p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})$. Furthermore, we have that for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$,

$$\begin{array}{c}\frac{{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)}{\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)}\le {(n+1)}^{\left|\mathcal{X}\right|}+1,\hfill \end{array}$$

completing the proof. □

Proposition 5.

For any$R_{\mathcal{A}},R>0$and any$(p_K,W)$, there exists a sequence of mappings${\left\{({\phi }^{(n)},{\psi }^{(n)})\right\}}_{n=1}^{\infty }$such that for any$p_X\in \mathcal{P}(\mathcal{X})$, we have

$$\begin{array}{c}R-\frac{1}{n}\le \frac{1}{n}log|{\mathcal{X}}^m|=\frac{m}{n}log\left|\mathcal{X}\right|\le R,\hfill \\ p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\le \mathrm{e}{(n+1)}^{2\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\mathrm{e}}^{-n\left[E(R|p_X)\right]}\hfill \end{array}$$

(29)

and for any eavesdropper$\mathcal{A}$with${\phi }_{\mathcal{A}}$satisfying${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{c}{\Delta }^{(n)}({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le \{{(n+1)}^{\left|\mathcal{X}\right|}+1\}\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n).\hfill \end{array}$$

(30)

Proof. 

By Lemma 10, there exists $({\phi }^{(n)},$${\psi }^{(n)})$ satisfying $(m/n)log\left|\mathcal{X}\right|\le R$ such that for any $p_{\overline{X}}$ $\in {\mathcal{P}}_n(\mathcal{X})$,

$$\begin{array}{c}{\Xi }_{\overline{X}}({\varphi }^{(n)},{\psi }^{(n)})\le \mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\mathsf{\Lambda }}_{\overline{X}}(R).\hfill \end{array}$$

(31)

Furthermore, for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$,

$$\begin{array}{c}{\Delta }_n({\phi }^{(n)},{\phi }_{\mathcal{A}}^{(n)}|p_X^n,p_K^n,W^n)\le \{{(n+1)}^{\left|\mathcal{X}\right|}+1\}\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n).\hfill \end{array}$$

(32)

The bound (30) in Proposition 5 has already been proven in (32). Hence, it suffices to prove the bound (29) in Proposition 5 to complete the proof. On an upper bound of $p_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)$, we have the following chain of inequalities:

$$\begin{array}{l}{p}_{\mathrm{e}}({\varphi }^{(n)},{\psi }^{(n)}|p_X^n)\stackrel{(\mathrm{a})}{\le }\mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\displaystyle \sum _{p_{\overline{X}}\in {\mathcal{P}}_n(\mathcal{X})}}{\mathsf{\Lambda }}_{\overline{X}}(R){\mathrm{e}}^{-nD(p_{\overline{X}}||p_X)}\hfill \\ \le \mathrm{e}{(n+1)}^{\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}\left|{\mathcal{P}}_n(\mathcal{X})\right|{\mathrm{e}}^{-n\left[E(R|p_X)\right]}\stackrel{(\mathrm{c})}{\le }\mathrm{e}{(n+1)}^{2\left|\mathcal{X}\right|}\{{(n+1)}^{\left|\mathcal{X}\right|}+1\}{\mathrm{e}}^{-nE(R|p_X)}.\hfill \end{array}$$

Step (a) follows from Lemma 6 and (31). Step (b) follows from Lemma 4 part (a). □

6.4. Explicit Upper Bound of $\Theta (R_1,R_2,{\phi }_{\mathcal{A}}^{(n)}|p_{Z{K}_1{K}_2}^n)$

In this subsection, we derive an explicit upper bound of $\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)$ that holds for any eavesdropper $\mathcal{A}$ with ${\phi }_{\mathcal{A}}$ satisfying ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$. Here we recall the following definitions:

$$\begin{array}{c}{\wp }_{\eta }^{(n)}={\wp }_{\eta }^{(n)}(R|p_K^n,W^n):=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}\{R\ge \left.\frac{1}{n}log\frac{1}{p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-\eta \right\},\hfill \\ {\mathsf{\Phi }}_{D,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n):={\displaystyle \underset{{\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}^{(n)}({\mathcal{R}}_{\mathcal{A}})}{max}}\left\{nR{\wp }_{\eta }^{(n)}(R|p_K^n,W^n)+{\mathrm{e}}^{-n\eta }\right\},\hfill \\ {\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n):={\displaystyle \underset{\eta >0}{inf}}{\mathsf{\Phi }}_{D,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n).\hfill \end{array}$$

Then we have the following lemma.

Lemma 11.

For any$\eta >0$and for any eavesdropper$\mathcal{A}$with${\phi }_{\mathcal{A}}$satisfying${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have

$$\begin{array}{c}\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)\le {\mathsf{\Phi }}_{D,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n),\hfill \end{array}$$

(33)

which implies that

$$\begin{array}{c}\hfill \Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)\le {\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n).\end{array}$$

(34)

Proof. 

We first observe that

$$\begin{array}{c}\Theta (R,{\phi }_{\mathcal{A}}^{(n)}|p_K^n,W^n)=\mathrm{E}\left[log\left\{1+({\mathrm{e}}^{nR}-1)p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})\right\}\right].\hfill \end{array}$$

(35)

We further observe the following:

$$\begin{array}{c}R<\frac{1}{n}log\frac{1}{p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-\eta \iff {\mathrm{e}}^{nR}{p}_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})<{\mathrm{e}}^{-n\eta }\hfill \\ \Rightarrow log\left\{1+{\mathrm{e}}^{nR}{p}_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})\right\}\le log\left(1+{\mathrm{e}}^{-n\eta }\right)\hfill \\ \stackrel{(\mathrm{a})}{\Rightarrow }log\left\{1+{\mathrm{e}}^{nR}{p}_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})\right\}\le {\mathrm{e}}^{-n\eta }\hfill \\ \Rightarrow log\left\{1+({\mathrm{e}}^{nR}-1)p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})\right\}\le {\mathrm{e}}^{-n\eta }.\hfill \end{array}$$

(36)

Step (a) follows from $log(1+a)\le a$. We also note that

$$\begin{array}{c}log\left\{1+({\mathrm{e}}^{nR}-1)p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})\right\}\le log\left[{\mathrm{e}}^{nR}\right]=nR.\hfill \end{array}$$

(37)

From (35), (36), and (37) we have the bound (33) in Lemma 11. □

Proof of Proposition 3:

This proposition immediately follows from Proposition 5 and Lemma 11. □

For the upper bound of ${\wp }_{\eta }^{(n)}$, we have the following lemma.

Lemma 12.

For any$\eta >0$and for any eavesdropper$\mathcal{A}$with${\phi }_{\mathcal{A}}$satisfying${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$, we have${\wp }_{\eta }^{(n)}\le {\tilde{\wp }}_{\eta }^{(n)}+3{\mathrm{e}}^{-n\eta }$, where

$$\begin{array}{c}{\tilde{\wp }}_{\eta }^{(n)}:=p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}\{\hfill \end{array}$$

$$\begin{array}{cc}0\hfill & \ge \frac{1}{n}log\frac{{\widehat{q}}_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}(M_{\mathcal{A}}^{(n)},Z^n,K^n)}{p_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}(M_{\mathcal{A}}^{(n)},Z^n,K^n)}-\eta ,\hfill \end{array}$$

(38)

$$\begin{array}{cc}0\hfill & \ge \frac{1}{n}log\frac{q_{Z^n}(Z^n)}{p_{Z^n}(Z^n)}-\eta ,\hfill \end{array}$$

(39)

$$\begin{array}{cc}{R}_{\mathcal{A}}\hfill & {\displaystyle \ge \frac{1}{n}log\frac{p_{Z^n|M_{\mathcal{A}}^{(n)}}(Z^n|M_{\mathcal{A}}^{(n)})}{p_{Z^n}(Z^n)}-\eta ,}\hfill \end{array}$$

$$\begin{array}{cc}R\hfill & {\displaystyle \ge \frac{1}{n}log\frac{1}{p_{K^n|M_{\mathcal{A}}^{(n)}}(K^n|M_{\mathcal{A}}^{(n)})}-\eta \}.}\hfill \end{array}$$

(40)

The probability distributions appearing in the two inequalities (38) and (39) in the right members of (40) have a property that we can select them arbitrarily. In (38), we can choose any probability distribution${\widehat{q}}_{M_{\mathcal{A}}^{(n)}{Z}^n{K}^n}$on${\mathcal{M}}_{\mathcal{A}}^{(n)}$$\times {\mathcal{Z}}^n$$\times {\mathcal{X}}^n$. In (39), we can choose any distribution$q_{Z^n}$on${\mathcal{Z}}^n$.

Proof of this lemma is given in Appendix E.

Proof of Proposition 4:

The claim of Proposition 4 is that for $n\ge 1/R$,

$$\begin{array}{c}{\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)\le 5nR{\mathrm{e}}^{-nF(R_{\mathcal{A}},R|p_K,W)}.\hfill \end{array}$$

(41)

By Lemma 12 and the definition of ${\mathsf{\Phi }}_{D,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$, we have that for $n\ge 1/R$,

$$\begin{array}{c}\hfill {\mathsf{\Phi }}_{D,\eta }^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)\le nR({\tilde{\wp }}_{\eta }^{(n)}+4{\mathrm{e}}^{-n\eta }).\end{array}$$

(42)

The quantity ${\tilde{\wp }}_{\eta }^{(n)}+4{\mathrm{e}}^{-n\eta }$ is the same as the upper bound on the correct probability of decoding for one helper source coding problem in Lemma 1 in Oohama [9] (extended version). In a manner similar to the derivation of the exponential upper bound of the correct probability of decoding for one helper source coding problem, we can prove that for any ${\phi }_{\mathcal{A}}^{(n)}\in {\mathcal{F}}_{\mathcal{A}}^{(n)}(R_{\mathcal{A}})$ and for some ${\eta }^{*}={\eta }^{*}(n,R_{\mathcal{A}},R)$, we have

$$\begin{array}{c}{\tilde{\wp }}_{{\eta }^{*}}^{(n)}+4{\mathrm{e}}^{-n{\eta }^{*}}\le 5{\mathrm{e}}^{-nF(R_{\mathcal{A}},R|p_K,W)}.\hfill \end{array}$$

(43)

From (42), (43), and the definition of ${\mathsf{\Phi }}_D^{(n)}(R_{\mathcal{A}},R|p_K^n{W}^n)$, we have (41). □

7. Conclusions

In this paper, we have proposed a novel security model for analyzing the security of Shannon cipher systems against an adversary that is not only eavesdropping the public communication channel to obtain ciphertexts but is also obtaining some physical information leaked by the device implementing the cipher system through side-channel attacks. We have also presented a countermeasure against such an adversary in the case of one-time pad encryption by using an affine encoder with certain properties. The main distinguishing feature of our countermeasure is that it is independent of the characteristics or the types of physical information leaked from the devices on which the cipher system is implemented.