Biometric Identification Systems with Noisy Enrollment for Gaussian Sources and Channels ^†

Abstract

In the present paper, we investigate the fundamental trade-off of identification, secret-key, storage, and privacy-leakage rates in biometric identification systems for remote or hidden Gaussian sources. We use a technique of converting the system to one where the data flow is in one-way direction to derive the capacity region of these rates. Also, we provide numerical calculations of three different examples for the system. The numerical results imply that it seems hard to achieve both high secret-key and small privacy-leakage rates simultaneously.

1. Introduction

Biometric identification indicates an automated process of recognizing an individual by matching the individual’s biological data (bio-data) with the digital files stored in the system database [1]. Some unique bio-data that can be used for biometric identification include fingerprint, iris, face, voice, palm, and so on [2]. Compared to the traditional method such as password or smart card based identification, it provides higher convenience and security. However, the critical drawback for biometric identification is that the usable sources are limited [3], for instance, human has only two eyes and if their information are leaked, there is no alternative option to replace, and therefore it is important to protect users’ privacy. Furthermore, the size of the storage should be minimized to reduce the memory space of the database [4], especially when the number of users becomes large.

From an information theoretic point of view, there are two major settings of the studies related to biometric identification systems (BISs), namely, the BIS with exponentially many users and the system with one user. The difference of these systems is that in the former setting, we are interested in finding the maximum number of users who are reliably identifiable, i.e., the maximum achievable identification rate at which the error probability of the BIS vanishes (the identification capacity). However, in the latter setting, the estimation of the user need not be considered since there exists only one user and it becomes redundant. For discrete memoryless sources (DMSs), the fundamental performance of the BIS was widely analyzed for both scenarios.

The BIS with multiple users was initially treated as a mathematical model in the seminal work [5], and the identification capacity of the BIS was clarified. In the model, it is assumed that every biometric identifier is enrolled via a noisy channel, and this type of model is known as a remote or hidden source model. The term the remote sources were used in [6,7], and hidden source model (HSM) is from [8]. In this paper, we use HSM as in [8] to represent the BIS with noisy enrollment. The encoding process was introduced in [9] to reduce the size of the storage. This work was extended to incorporate noisy reconstruction in [10]. The BIS with estimating both user’s index and secret key for two classical models, namely, generated- and chosen-secret BIS models, was investigated in [11]. In this literature, a clear explanation of the difference of these models is given. Later, adopting the concept of the wiretap channel to assume that the adversary has side information of the identified user’s bio-data sequence for the generated-secret BIS model was analyzed in [12]. Recently, a storage constraint and an HSM added to the model of [11] were studied in [13,14]. By using an additional private key, user’s privacy-leakage can be made negligible [15,16]. Another scenario, that is, the BIS with one user, was extensively examined in [8,17,18,19,20,21,22]. More precisely, in [17,18], the relation of secret-key and privacy-leakage rates was analyzed. The optimal secret-key rate under privacy and storage constraints was characterized in [8,19] for non-vanishing and vanishing secrecy-leakage rate, respectively. It is worthwhile noting that in [8], a successful attempt for characterizing the capacity region of the BIS with one user for HSM was first made. The works of [8] was extended to constrain the action cost for the decoder in [20], and to consider two-enrollment systems for the same hidden source, where the encoders do not trust each other [21]. Moreover, in [22], the secret-key capacity of a multi-enrollment system, in which the decoder is required to estimate all secret keys generated in the earlier enrollments, was formulated.

Compared to the analyses of the BIS for DMSs, the results given under Gaussian sources are still few. For example, the optimal trade-off between secret-key and privacy-leakage rates was characterized in [23] and in order to speed up search complexity, hierarchical identification was taken into account in [24]. A common assumption in [23,24] is that the enrollment channel is noiseless, known as a visible source model (VSM). However, in real-life application, the signal of bio-data is basically represented with continuous values, and most communication links can be modeled as Gaussian channels [23]. What is more, the HSM is considered to be more realistic, e.g., captured picture of a finger via a scanner, and when the BIS is switched from the VSM to the HSM, the evaluation becomes more challenging [8] because many techniques used for deriving the results of the VSM are not directly applicable. These facts motivate us to extend the models in [13] to Gaussian sources and channels. Note that from the technical perspectives, this extension is not trivial since the technique for establishing Theorems 1 and 2 in [13] massively depends on the property that the alphabet sizes are finite, but unfortunately it cannot be applied to continuous sources. The technique used in this paper will be explained in Section 5 in details. Therefore, the extension is of both theoretical and practical interest. Although it is well-known that the bio-data is real-valued, as mentioned in [23], the validity of Gaussian assumption is not discussed in this paper and we leave this for further research. Here, we are interested in specifying the optimal trade-off of the BIS.

In this study, our goal is to find the optimal trade-off of identification and secret-key rates in the BIS under privacy and storage constraints. We demonstrate that an idea of converting the system to another one, where the data flow of each user is in the same direction, enables us to characterize the capacity region. More specifically, in establishing the outer bound of the region, the converted system allows us to use the entropy power inequality (EPI) [25] doubly in two opposite directions, and also its property facilitates the derivation of the inner bound. In [8], Mrs. Gerber’s lemma was applied twice, too, to simplify the rate region of the HSM for binary sources and symmetric channels without converting the BIS. That was possible due to the uniformity of the source, and the backward channel of the enrollment channel is also the binary symmetric channel with the same crossover probability. However, this claim is no longer true in the Gaussian case, so it is necessary to formulate the general behavior of the backward channel. We also provide numerical calculations of three different examples. As a consequence, we may conclude that it is difficult to achieve high secret-key and small privacy-leakage rates at the same time. To achieve a small privacy-leakage rate, the secret-key rate must be sacrificed. Furthermore, as a by-product of our result, the capacity regions of the BIS analyzed in [8] for Gaussian sources and channels are obtained, and as special cases, it can be checked that this characterization reduces to the results given in [5,23].

The rest of this paper is organized as follows. In Section 2, we define the notation used in this paper, and describe our system model and the converted system. In Section 3, the formal definitions and main results are discussed in detail. We continue investigating the basic properties of the capacity regions, and provide there different examples in Section 4. The overviews of the proof of our main results are given in Section 5. The full proof is available in Appendix A and Appendix B. Finally, some concluding remark and future work are mentioned in Section 6.

2. System Model and Converted System

2.1. Notation and System Model

Upper-case A and lower-case a denote random variable (RV) and its realization, respectively. $A^n=(A_1,\cdots ,A_n)$ represents a string of RVs and subscripts represent the position of an RV in the string. $f_A$ denotes the probability density function (pdf) of RV A. For integers k and t such that $k<t$, $[k:t]$ denotes the set $\{k,k+1,\cdots ,t\}$. $logx$ stands for the natural logarithm of $x>0$.

The generated-secret BIS model and chosen-secret BIS model considered in this study are depicted in Figure 1. Arrows (g) and (c) indicate the directions of the secret key of the former and latter models. Let $\mathcal{I}=[1:M_I]$, $\mathcal{S}=[1:M_S]$, and $\mathcal{J}=[1:M_J]$ be the sets of user’s indices, secret keys, and helper data, respectively, where $M_I$, $M_S$, and $M_J$ denote the numbers of users, secret keys, and helper data, respectively. These sets are assumed to be finite. $X_i^n$,$Y_i^n$, and $Z^n$ denote the bio-data sequence of user i generated from source $P_X$, the output of $X_i^n$ via the enrollment channel $P_{Y|X}$, and the output of $X_i^n$ via the identification channel $P_{Z|X}$, respectively. For $i\in \mathcal{I}$ and $k\in [1:n]$, we assume $X_{ik}\sim \mathcal{N}(0,1)$, where $\mathcal{N}(0,1)$ is a Gaussian RV with mean zero and variance one. Note that an RV with unit variance can be obtained by applying a scaling technique. $P_{Y|X}$ and $P_{Z|X}$ are additive Gaussian noise channels modeled as follows:

$$\begin{array}{c}\hfill Y_{ik}={\rho }_1{X}_{ik}+N_1,Z_k={\rho }_2{X}_{ik}+N_2,(k\in [1:n\left]\right).\end{array}$$

(1)

where $|{\rho }_1|<1$, $|{\rho }_2|<1$ are the Pearson’s correlation coefficients, and $N_1\sim \mathcal{N}(0,1-{\rho }_1^2)$ and $N_2\sim \mathcal{N}(0,1-{\rho }_2^2)$ are Gaussian RVs, independent of each other and bio-data sequences. From (1), $Y_{ik}$ and $Z_k$ are also Gaussian with zero mean and unit variance, and the Markov chain $Y-X-Z$ holds. Then, the pdf corresponding to the tuple $(X_i^n,Y_i^n,Z^n)$ is given by

$$\begin{array}{c}\hfill f_{X_i^n{Y}_i^n{Z}^n}(x_i^n,y_i^n,z^n)={\prod }_{k=1}^n{f}_{XYZ}(x_{ik},y_{ik},z_k),\end{array}$$

(2)

where for $x,y,z\in \mathbb{R}$,

$$\begin{array}{cc}\hfill f_{XYZ}(x,y,z)& =f_X\left(x\right)·f_{Y|X}\left(y\right|x)·f_{Z|X}\left(z\right|x),\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill & =\frac{1}{\sqrt{{\left(2\pi \right)}^3(1-{\rho }_1^2)(1-{\rho }_2^2)}}exp\left(-\left(\frac{x^2}{2}+\frac{{(y-{\rho }_{1}x)}^2}{2(1-{\rho }_1^2)}+\frac{{(z-{\rho }_{2}x)}^2}{2(1-{\rho }_2^2)}\right)\right).\hfill \end{array}$$

(4)

In the generated-secret BIS model, upon observing $Y_i^n$, the encoder $e(·)$ generates secret key $S\left(i\right)\in \mathcal{S}$ and helper data $J\left(i\right)\in \mathcal{J}$ as $(S\left(i\right),J\left(i\right))=e\left(Y_i^n\right)$. Then, $J\left(i\right)$ is stored at position i in the public database (helper DB) and $S\left(i\right)$ is saved in the key DB, which is installed in a secure location. Let W and $\widehat{W}$ denote the index of the identified user and its estimated value, respectively. Seeing $Z^n$, the decoder $d(·)$ estimates $(\widehat{W},\widehat{S\left(W\right)})$ from $Z^n$ and all helper data in DB $\mathit{J}\equiv \{J\left(1\right),\cdots ,J\left(M_I\right)\}$, i.e., $(\widehat{W},\widehat{S\left(W\right)})=d(Z^n,\mathit{J})$.

In the chosen-secret BIS model, the secret key $S\left(i\right)$ is chosen uniformly from $\mathcal{S}$, i.e.,

$$\begin{array}{c}\hfill P_{S\left(i\right)}\left(s\right)=1/M_S(s\in \mathcal{S}),\end{array}$$

(5)

and independent of other RVs. The encoder forms the helper data as $J\left(i\right)=e(Y_i^n,S\left(i\right))$ for every individual. The decoder $d(·)$ owns the same functionality as in the generated-secret BIS model.

2.2. Converted System

The original system, having X as input source and $Y,Z$ as outputs, is in the top figure in Figure 2. There are two main obstacles toward characterizing the capacity regions directly from this system. (I) In establishing the converse proof, an upper bound regarding RV Y for a fixed condition of RV X is needed, but it is laborious to pursue the desired bound since applying EPI to the first relation in (1) produces only a lower bound. (II) It seems difficult to prove the achievability part by generating the codebook via a test channel due to the input X. To overcome these bottlenecks, we use an idea of converting the original system to a new one in which the data flow of each user is one-way from Y to Z without losing its general properties. The image of this idea is shown in the bottom figure of Figure 2, where Y becomes input virtually. To achieve this objective, knowing the statistics of the backward channel $P_{X|Y}$, namely, how X correlates to the virtual input Y, is crucial and we explore that in the rest of this section.

Due to the Markov chain $Y-X-Z$, Equation (3) can also be expanded in the following form.

$$\begin{array}{c}\hfill f_{XYZ}(x,y,z)=f_Y\left(y\right)·f_{X|Y}\left(x\right|y)·f_{Z|X}\left(z\right|x).\end{array}$$

(6)

Observe that

$$\begin{array}{cc}\hfill \frac{x^2}{2}+\frac{{(y-{\rho }_{1}x)}^2}{2(1-{\rho }_1^2)}& =\frac{x^2}{2}+\frac{y^2}{2(1-{\rho }_1^2)}-\frac{{\rho }_{1}xy}{1-{\rho }_1^2}+\frac{{\left({\rho }_{1}x\right)}^2}{2(1-{\rho }_1^2)}=\frac{y^2}{2}+\frac{{(x-{\rho }_{1}y)}^2}{2(1-{\rho }_1^2)}.\hfill \end{array}$$

(7)

Without loss of generality, the exponential part in (4) can be rearranged as

$$\begin{array}{c}\hfill -\left(\frac{y^2}{2}+\frac{{(x-{\rho }_{1}y)}^2}{2(1-{\rho }_1^2)}+\frac{{(z-{\rho }_{2}x)}^2}{2(1-{\rho }_2^2)}\right).\end{array}$$

(8)

From (6) and (8), we may conclude that the following relations hold with some RV $N_1^{\prime }\sim \mathcal{N}(0,1-{\rho }_1^2)$.

$$\begin{array}{cc}\hfill X_{ik}& ={\rho }_1{Y}_{ik}+N_1^{\prime },\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill Z_k& ={\rho }_2{X}_{ik}+N_2={\rho }_1{\rho }_2{Y}_{ik}+{\rho }_2{N}_1^{\prime }+N_2.\hfill \end{array}$$

(10)

Equations (9) and (10) describe the outputs of the backward channel $P_{X|Y}$ and the combined channel $P_{Z|Y}$ of the virtual system. Actually, these relations can also be observed directly from the covariance matrix of RVs $(X,Y,Z)$. However, we derive them based on the joint pdf for general readers’ purpose. Moreover, this transformation is useful for the analysis of a non-standard source. The above relations play key roles for solving the problem of the HSM, and we use them in many steps during the analysis in this paper. In [23,24], the concept of this transformation is not seen because the enrollment channel is noiseless due to the assumption of VSM as mentioned before.

Remark 1.

In the case where there is no operation of scaling, Equations (9) and (10) are settled as follows. Suppose that $X_{ik}\sim \mathcal{N}(0,{\sigma }_x^2)$ with ${\sigma }_x^2<\infty$, $Y_{ik}=X_{ik}+D_1$, and $Z_k=X_{ik}+D_2$, where $D_1\sim \mathcal{N}(0,{\sigma }_1^2)$ and $D_2\sim \mathcal{N}(0,{\sigma }_2^2)$ are Gaussian RVs, and independent of each other and other RVs. By applying the similar arguments around (6)–(8), we obtain that

$$\begin{array}{c}\hfill X_{ik}=\frac{{\sigma }_x^2}{{\sigma }_x^2+{\sigma }_1^2}{Y}_{ik}+D_1^{\prime },Z_k=X_{ik}+N_2^{\prime }=\frac{{\sigma }_x^2}{{\sigma }_x^2+{\sigma }_1^2}{Y}_{ik}+D_1^{\prime }+D_2,\end{array}$$

(11)

where $D_1^{\prime }\sim \mathcal{N}(0,\frac{{\sigma }_x^2{\sigma }_1^2}{{\sigma }_x^2+{\sigma }_1^2})$ is Gaussian and independent of other RVs. The capacity regions of the models considered in this paper can also be characterized via (11), and the results for this case will be mentioned in Remark 3. However, equation developments need more space and do not look so neat. Herein, we pursue our results based on the method that RVs X, Y, and Z are standardized.

Now from (9) and (10), it is not difficult to verify that

$$\begin{array}{c}\hfill I(X;Y)=\frac{1}{2}log\left(\frac{1}{1-{\rho }_1^2}\right),I(Z;Y)=\frac{1}{2}log\left(\frac{1}{1-{\rho }_1^2{\rho }_2^2}\right),\end{array}$$

(12)

where the right equation in (12) is attained because the variance of the noise term ${\rho }_2{N}_1^{\prime }+N_2$ in (10) is equal to $1-{\rho }_1^2{\rho }_2^2$.

3. Problem Formulation and Main Results

The achievability definition for the generated-secret BIS model is given below.

Definition 1.

A tuple of identification, secret-key, public storage, and privacy-leakage rates $(R_I,R_S,R_J,R_L)$ is said to be achievable for the generated-secret BIS model under a Gaussian source if for any $\delta >0$ and large enough n there exist pairs of encoders and decoders satisfying

$$\begin{array}{cc}\hfill {max}_{i\in \mathcal{I}}Pr\left\{\right(\widehat{W},\widehat{S\left(W\right))}\ne (W,S\left(W\right))& |W=i\}\le \delta ,\left(\mathrm{error}\mathrm{probability}\right)\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill \frac{1}{n}log{M}_I& \ge R_I-\delta ,\left(\mathrm{identification}\mathrm{rate}\right)\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill {min}_{i\in \mathcal{I}}\frac{1}{n}H\left(S\left(i\right)\right)& \ge R_S-\delta ,\left(\mathrm{secret}-\mathrm{key}\mathrm{rate}\right)\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill \frac{1}{n}log{M}_J& \le R_J+\delta ,\left(\mathrm{public}\mathrm{storage}\mathrm{rate}\right)\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill {max}_{i\in \mathcal{I}}\frac{1}{n}I(S\left(i\right);J\left(i\right))& \le \delta ,(\mathrm{secrecy}-\mathrm{leakage}\mathrm{rate})\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill {max}_{i\in \mathcal{I}}\frac{1}{n}I(X_i^n;J\left(i\right))& \le R_L+\delta .(\mathrm{privacy}-\mathrm{leakage}\mathrm{rate})\hfill \end{array}$$

(18)

Moreover, ${\mathcal{R}}_G$ is defined as the set of all achievable rate tuples for the generated-secret BIS model, called the capacity region.

For the chosen-secret BIS model, the definition is provided as follows:

Definition 2.

A tuple $(R_I,R_S,R_J,R_L)$ is said to be achievable for the chosen-secret BIS model under a Gaussian source if there exist pairs of encoders and decoders that satisfy all the requirements in Definition 1 for any $\delta >0$ and large enough n. Note that the left-hand side of (15) is expressed as $\frac{1}{n}log{M}_S$ because the key is chosen uniformly from $\mathcal{S}$ (cf. (5)). In addition, ${\mathcal{R}}_C$ is defined as the capacity region for the chosen-secret BIS model.

Remark 2.

Note that in the BIS, there are two databases, namely, databases of secret keys and helper data. The memory space of the database for storing the helper data (public database) is minimized, while that for the secret keys (secure database) should be maximized. This means only a part of the entire storage space of the BIS, which is the public database, is being compressed, and thus it is suitable to call this compression rate the public storage rate. However, we call the public storage rate just the storage rate as in [8] hereafter for brevity reason.

Now we are ready to introduce our main results.

Theorem 1.

The capacity regions for the generated- and chosen-secret BIS models are given by

$$\begin{array}{cc}\hfill {\mathcal{R}}_G=\bigcup _{0<\alpha \le 1}\{(R_I,R_S,R_J,R_L):R_I+R_S& \le \frac{1}{2}log\left(\frac{1}{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}\right),\hfill \\ \hfill R_J& \ge \frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha }\right)+R_I,\hfill \\ \hfill R_L& \ge \frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha {\rho }_1^2+1-{\rho }_1^2}\right)+R_I,\hfill \\ \hfill R_I& \ge 0,R_S\ge 0\},\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill {\mathcal{R}}_C=\bigcup _{0<\alpha \le 1}\{(R_I,R_S,R_J,R_L):R_I+R_S& \le \frac{1}{2}log\left(\frac{1}{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}\right),\hfill \\ \hfill R_J& \ge \frac{1}{2}log\left(\frac{1}{\alpha }\right),\hfill \\ \hfill R_L& \ge \frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha {\rho }_1^2+1-{\rho }_1^2}\right)+R_I,\hfill \\ \hfill R_I& \ge 0,R_S\ge 0\}.\hfill \end{array}$$

(20)

The proof of Theorem 1 is provided in Appendix A and Appendix B. It can be verified that the regions ${\mathcal{R}}_G$ and ${\mathcal{R}}_C$ are both convex, whose proofs are available in Appendix C. Unlike the approach taken in [23], based on investigating the second derivative of the rate region function, our proof makes use of the concavity of the logarithmic function. In both regions, $\alpha =0$ is excluded by the reason that the point is not achievable, and this fact will be mentioned again in the converse proof of Equation (19).

For a fixed $\alpha$, the optimal rate values for the regions ${\mathcal{R}}_G$ and ${\mathcal{R}}_C$ are shown in Figure 3. We begin with explaining Figure 3a. Suppose that $0<R_I<\frac{1}{2}log\left(\frac{1}{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}\right)$. In the top band chart, $\frac{1}{2}log\left(\frac{1}{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}\right)$ is the maximum achievable rate that user’s identities can be estimated correctly at the decoder. Since the index and the secret key of the identified user are reconstructed at the decoder, the sum of the optimal values for the identification and secret-key rates is equal to this value, implying the optimal secret-key rate is $R_S=\frac{1}{2}log\left(\frac{1}{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}\right)-R_I$. One can see that these rates are in a trade-off relation as the identification rate rises, the secret-key rate falls off. In the bottom one, $\frac{1}{2}log\left(\frac{1}{\alpha }\right)$ is the entire rate that we need to generate auxiliary random sequences for encoding. The first part (blue part) represents the secret-key rate, and the second half $(\frac{1}{2}log\left(\frac{1}{\alpha }\right)-R_S=\frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha }\right)+R_I)$ is the rate of the sequences that are shared between the encoder and decoder to help estimation of the index and secret key, corresponding the storage rate. Storing the helper data at this rate results in leaking the user’s privacy at least $\frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha {\rho }_1^2+1-{\rho }_1^2}\right)+R_I$, which is the optimal or minimum privacy-leakage for a given $\alpha$.

For Figure 3b (the chosen-secret BIS model), the relation of the identification and secret-key rates is the same as in the generated-secret BIS model. However, the optimal storage rate becomes larger than the one seen in Figure 3a, equal to $\frac{1}{2}log\left(\frac{1}{\alpha }\right)$ (the bottom band chart of Figure 3b), as the information related to the secret key chosen at the encoder (the concealed part) must be saved together with the helper data in DB to help the estimation of the key. For the privacy-leakage rate, the minimum values are not distinct in both models. This is because the unconcealed part of the storage at rate $\frac{1}{2}log\left(\frac{1}{\alpha }\right)-R_S=\frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha }\right)+R_I$, identical to the optimal storage rate of the generated-secret BIS model, is still exposed publicly, and thus the minimum privacy-leakage rates of the two models are the same.

Figure 4 shows a numerical example of the region ${\mathcal{R}}_G$ for ${\rho }_1^2=3/4$ and ${\rho }_2^2=2/3$. More specially, Figure 4a is a projection of the capacity region to the three-dimensional Euclidean space with X-axis $R_J$, Y-axis $R_S$, and Z-axis $R_I$. The black thick arrow indicates the direction of the achievable region for all rate tuples $(R_J,R_S,R_I)$. Figure 4b is another projection of the capacity region to $R_J{R}_I$-plane. Red asterisks and circles correspond to the rate points $(R_J,R_I)$ at which $R_I$ is zero and $R_I$ is optimal, respectively, for some $\alpha \in (0,1]$. To explain the relation of the identification and storage rates, let us focus on the rightmost asterisk and circle pair in Figure 4b. When identification rate varies from zero to the optimal value, the rate point $(R_J,R_I)$ moves from the asterisk point (in the bottom) to the circled point along the arrow. From this, it is clear that the value of the storage rate for the circled point is greater compared to the asterisk point, implying that the change of identification rate affects the storage rate.

As a by-product of Theorem 1, the following corollary is obtained.

Corollary 1.

The capacity regions of the generated- and chosen-secret BIS models with a single user (the models considered in [8]) for Gaussian sources are given by substituting $R_I=0$ into the right-hand sides of (19) and (20), respectively.

Remark 3.

Let ${\mathcal{R}}_G^{\prime }$ and ${\mathcal{R}}_C^{\prime }$ denote the capacity regions of the generated-secret and chosen-secret BIS models characterized via (11) in Remark 1. The two regions are provided below.

$$\begin{array}{cc}\hfill {\mathcal{R}}_G^{\prime }=\bigcup _{0<\alpha \le 1}\{(R_I,R_S,R_J,R_L):R_I+R_S& \le \frac{1}{2}log\left(\frac{({\sigma }_x^2+{\sigma }_1^2)({\sigma }_x^2+{\sigma }_2^2)}{\alpha {\sigma }_x^4+{\sigma }_x^2{\sigma }_1^2+{\sigma }_1^2{\sigma }_2^2+{\sigma }_2^2{\sigma }_x^2}\right),\hfill \\ \hfill R_J& \ge \frac{1}{2}log\left(\frac{\alpha {\sigma }_x^4+{\sigma }_x^2{\sigma }_1^2+{\sigma }_1^2{\sigma }_2^2+{\sigma }_2^2{\sigma }_x^2}{\alpha ({\sigma }_x^2+{\sigma }_1^2)({\sigma }_x^2+{\sigma }_2^2)}\right)+R_I,\hfill \\ \hfill R_L& \ge \frac{1}{2}log\left(\frac{\alpha {\sigma }_x^4+{\sigma }_x^2{\sigma }_1^2+{\sigma }_1^2{\sigma }_2^2+{\sigma }_2^2{\sigma }_x^2}{(\alpha {\sigma }_x^2+{\sigma }_1^2)({\sigma }_x^2+{\sigma }_2^2)}\right)+R_I,\hfill \\ \hfill R_I& \ge 0,R_S\ge 0\},\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill {\mathcal{R}}_C^{\prime }=\bigcup _{0<\alpha \le 1}\{(R_I,R_S,R_J,R_L):R_I+R_S& \le \frac{1}{2}log\left(\frac{({\sigma }_x^2+{\sigma }_1^2)({\sigma }_x^2+{\sigma }_2^2)}{\alpha {\sigma }_x^4+{\sigma }_x^2{\sigma }_1^2+{\sigma }_1^2{\sigma }_2^2+{\sigma }_2^2{\sigma }_x^2}\right),\hfill \\ \hfill R_J& \ge \frac{1}{2}log\left(\frac{1}{\alpha }\right),\hfill \\ \hfill R_L& \ge \frac{1}{2}log\left(\frac{\alpha {\sigma }_x^4+{\sigma }_x^2{\sigma }_1^2+{\sigma }_1^2{\sigma }_2^2+{\sigma }_2^2{\sigma }_x^2}{(\alpha {\sigma }_x^2+{\sigma }_1^2)({\sigma }_x^2+{\sigma }_2^2)}\right)+R_I,\hfill \\ \hfill R_I& \ge 0,R_S\ge 0\}.\hfill \end{array}$$

(22)

It can be verified that ${\mathcal{R}}_G$ and ${\mathcal{R}}_C$ are equivalent to ${\mathcal{R}}_G^{\prime }$ and ${\mathcal{R}}_C^{\prime }$, respectively, if one sets ${\rho }_1^2={\sigma }_x^2/({\sigma }_x^2+{\sigma }_1^2)$ and ${\rho }_2^2={\sigma }_x^2/({\sigma }_x^2+{\sigma }_2^2)$, respectively. In addition, as a connection to the result in a previous study, when there is no secret-key generation or provision $(R_S=0)$, and $R_J,R_L$ are large enough ($R_J,R_L\to \infty$), one can easily see that in ${\mathcal{R}}_G^{\prime }$ and ${\mathcal{R}}_C^{\prime }$, the maximum value of $R_I$ is $\frac{1}{2}log\left(\frac{({\sigma }_x^2+{\sigma }_1^2)({\sigma }_x^2+{\sigma }_2^2)}{{\sigma }_x^2{\sigma }_1^2+{\sigma }_1^2{\sigma }_2^2+{\sigma }_2^2{\sigma }_x^2}\right)=\frac{1}{2}log\left(1+\frac{{\sigma }_x^2}{{\sigma }_1^2+{\sigma }_2^2+{\sigma }_1^2{\sigma }_2^2/{\sigma }_x^2}\right)$. This value is exactly the identification capacity of the BIS for non-standard Gaussian RVs shown in [5] (Equation (21)) and it is achieved when $\alpha \downarrow 0$.

Another special case where $R_I=0$ (only one user), $R_J\to \infty$ (the storage rate is sufficiently large), and ${\rho }_1\to 1$ (the enrollment channel is noiseless), one can see that Theorem 1 naturally reduces to the characterizations of [23].

4. Behaviors of the Capacity Region

4.1. Optimal Asymptotic Rates and Zero-Rate Slopes

For the sake of succinct discussion, we concentrate on the generated-secret BIS model at which $R_I=0$, and the capacity region for this case is denoted by $\mathcal{R}$, whose characterization is obtained by setting $R_I=0$ in the right-hand side of (19). We first investigate some special points of secret-key and privacy-leakage rates when storage rate becomes extremely low or large. Define two rate functions of $R_J$ as

$$\begin{array}{c}\hfill R_S^{*}\left(R_J\right)=\underset{(R_S,R_J,R_L)\in \mathcal{R}}{max}{R}_S,R_L^{*}\left(R_J\right)=\underset{(R_S,R_J,R_L)\in \mathcal{R}}{min}{R}_L,\end{array}$$

(23)

where the left and right equations in (23) are the maximum secret-key rate and the minimum privacy-leakage rate, respectively. Moreover, we define $R_J^{\alpha }=\frac{1}{2}log\left(\frac{\alpha {\rho }_1^2{\rho }_2^2+1-{\rho }_1^2{\rho }_2^2}{\alpha }\right),$ so that we can write

$$\begin{array}{cc}\hfill R_S^{*}\left(R_J^{\alpha }\right)& =\frac{1}{2}log\left(\frac{1-{\rho }_1^2{\rho }_2^2/2^{2\left(R_J^{\alpha }\right)}}{1-{\rho }_1^2{\rho }_2^2}\right),\hfill \\ \hfill R_L^{*}\left(R_J^{\alpha }\right)& =\frac{1}{2}log\left(\frac{1-{\rho }_1^2{\rho }_2^2}{1-{\rho }_1^2+{\rho }_1^2(1-{\rho }_2^2)/2^{2\left(R_J^{\alpha }\right)}}\right).\hfill \end{array}$$

(24)

As $R_J^{\alpha }\to \infty (\alpha \downarrow 0)$, the optimal asymptotic secret-key rate and the amount of privacy-leakage approach to

$$\underset{R_J^{\alpha }\to \infty }{lim}{R}_S^{*}\left(R_J^{\alpha }\right)=\frac{1}{2}log\left(\frac{1}{1-{\rho }_1^2{\rho }_2^2}\right)=I(Y;Z),$$

(25)

$$\begin{array}{cc}\hfill \underset{R_J^{\alpha }\to \infty }{lim}{R}_L^{*}\left(R_J^{\alpha }\right)& =\frac{1}{2}log\left(\frac{1-{\rho }_1^2{\rho }_2^2}{1-{\rho }_1^2}\right)=\frac{1}{2}log\left(\frac{1}{1-{\rho }_1^2}\right)-\frac{1}{2}log\left(\frac{1}{1-{\rho }_1^2{\rho }_2^2}\right)\hfill \\ \hfill & =I(X;Y)-I(Z;Y).\hfill \end{array}$$

(26)

The result (25) corresponds to the optimal asymptotic secret-key rate [23] (Sect. III-B), and in order to achieve this value, it is required to let the storage rate go to infinity and leak the user’s privacy up to rate $I(X;Y)-I(Z;Y)$.

In contrast, when $R_J\downarrow 0$, it is evident that $R_S$ and $R_L$ become zero as well, which does not carry much information. However, to investigate the BIS that achieves high secret-key and small privacy-leakage rates in the low storage rate regime, the zero-rate slopes of secret-key and privacy-leakage rates, namely, how fast these rates converge to zero, are important indicators. In light of (24), by a few steps of calculations, the slopes of secret-key and privacy-leakage rates at $R_J\downarrow 0$ can be determined as follows:

$$\begin{array}{cc}\hfill \frac{d{R}_S^{*}\left(R_J^{\alpha }\right)}{d{R}_J^{\alpha }}{|}_{R_J^{\alpha }=0}& =\frac{{\rho }_1^2{\rho }_2^2}{1-{\rho }_1^2{\rho }_2^2},\hfill \end{array}$$

(27)

$$\begin{array}{cc}\hfill \frac{d{R}_L^{*}\left(R_J^{\alpha }\right)}{d{R}_J^{\alpha }}{|}_{R_J^{\alpha }=0}& =\frac{{\rho }_1^2(1-{\rho }_2^2)}{1-{\rho }_1^2{\rho }_2^2}=\frac{{\rho }_1^2{\rho }_2^2}{1-{\rho }_1^2{\rho }_2^2}·\frac{1-{\rho }_2^2}{{\rho }_2^2},\hfill \end{array}$$

(28)

where (27) is equal to the signal-to-noise ratio (SNR) of the channel from Y to Z, and this value multiplied by the reverse of the SNR of the channel $P_{Z|X}$ appears in the slope of privacy-leakage rate in (28).

4.2. Examples

Next, we give numerical computations of three different examples and take a look into behaviors of the special points.

Ex.1:

(a) ${\rho }_1^2=3/4,{\rho }_2^2=2/3$, (b) ${\rho }_1^2=7/8,{\rho }_2^2=2/3$, (c) ${\rho }_1^2=15/16,{\rho }_2^2=2/3$,

Ex.2:

(a) ${\rho }_1^2=3/4,{\rho }_2^2=2/3$, (b) ${\rho }_1^2=9/10,{\rho }_2^2=7/8$, (c) ${\rho }_1^2=15/16,{\rho }_2^2=11/12$,

Ex.3:

(a) ${\rho }_1^2=3/4,{\rho }_2^2=2/3$, (b) ${\rho }_1^2=3/4,{\rho }_2^2=8/9$, (c) ${\rho }_1^2=3/4,{\rho }_2^2=14/15$.

Note that as ${\rho }_1^2,{\rho }_2^2$ are large, the levels of noises (noises with smaller variances) added to the bio-data sequences at the encoder and decoder become small. Example 1 is the case where the level of noise at the encoder gradually decreases from (a) to (c), but the level of noise at the decoder stays constant for each round. Example 2 is the case in which the levels of noises at both the encoder and decoder are improved gradually from (a) to (c). Example 3 is opposite to Example 1. The calculated results of the secret-key and privacy-leakage rates for these cases are summarized in

Table 1. The secret-key and privacy-leakage rates when $R_J\to \infty$.

Cases	The Optimal Secret-Key Rate			Privacy-Leakage Rate
	(a)	(b)	(c)	(a)	(b)	(c)
Ex. 1	$0.35$	$0.44$	$0.49$	$0.35$	$0.6$	$0.90$
Ex. 2	$0.35$	$0.77$	$0.98$	$0.35$	$0.38$	$0.41$
Ex. 3	$0.35$	$0.55$	$0.6$	$0.35$	0.14	0.09

and

Table 2. The slopes of secret-key and privacy-leakage rates at $R_J\downarrow 0$.

Cases	The Slope of Secret-Key Rate			The Slope of Privacy-Leakage Rate
	(a)	(b)	(c)	(a)	(b)	(c)
Ex. 1	$1.0$	$1.40$	$1.67$	$0.5$	$0.7$	$0.83$
Ex. 2	$1.0$	$3.71$	$6.11$	$0.5$	$0.53$	$0.56$
Ex. 3	$1.0$	$2.0$	$2.33$	$0.5$	$0.25$	$0.17$

, and Figure 5.

It is ideal to keep the privacy-leakage rate small while producing a high secret-key rate, but Example 1 works out in the opposite way (cf. the rows of Ex. 1 in Table 1 and Table 2), so this is not a preferable choice. Example 2 realizes a high secret-key rate, but the amount of privacy-leakage remains high at some level, too (cf. the rows of Ex. 2 in Table 1 and Table 2, and Figure 5a,b). On the other hand, in Example 3, the privacy-leakage rate declines, but the secret-key rate becomes smaller compared to Example 2 (cf. the rows of Ex. 3 in Table 1 and Table 2, and Figure 5c,d). From these behaviors, we may conclude that it is unmanageable to achieve both high secret-key and small privacy-leakage rates at the same time. If one aims to achieve a high secret-key rate, it is important to diminish the levels of noises at both encoder and decoder, e.g., deploying quantizers with high quality, but this could result in leaking more users’ privacy. In different circumstances, to achieve a small privacy-leakage rate, it is preferable to maintain a certain level of noise at the encoder and pay sufficient attention for processing the noise’s level at the decoder. In this way, however, the gain of the secret-key rate may be dropped.

5. Overviews of the Proof of Theorem 1

The detailed proof of Theorem 1 is provided in Appendix A for ${\mathcal{R}}_G$ and Appendix B for ${\mathcal{R}}_C$. The regions ${\mathcal{R}}_G$ and ${\mathcal{R}}_C$ can be derived similarly, and the difference is that one-time pad is used to conceal the chosen secret key for secure transmission in the proof of ${\mathcal{R}}_C$. The proof of each region consists of two parts: achievability and converse parts. The converse proof follows by applying Fano’s inequality [26], and the conditional version of EPI [27] doubly in two different directions. In the achievability part, the modified typical set [11], giving the so-called Markov lemma for weak typicality, helps us show that the error probability of the BIS vanishes since the so-called Markov lemma based on strong typicality can not be applied to the case of continuous RVs. Though a more general version of the Markov lemma for Gaussian sources, including lossy reconstruction, is shown in [28], we found that the two properties of the modified typical set are handy tools for checking all conditions in Definitions 1 and 2, and thus we provide our proof of the achievability based on this set. To evaluate the secret-key, secrecy-leakage, and privacy-leakage rates, we extend [29] (Lemma 4) to include continuous RVs so that the extended one can be used to derive the upper bounds on conditional differential entropies of jointly typical sequences, appearing in these evaluations.

6. Conclusions and Future Work

We characterized the capacity regions of identification, secret-key, storage, and privacy-leakage rates for both generated- and chosen-secret BIS models under Gaussian sources and channels. We showed that an idea for deriving the capacity regions of the BIS with HSM is to convert the system to another one, where the data flows of each user are in one-way direction. We also gave numerical computations of three different examples for the generated-secret BIS model, and from these results, it appeared that achieving high secret-key and small privacy-leakage rates simultaneously is unlikely manageable.

For future work, a natural extension is to characterize the capacity regions of the BIS with Gaussian vector sources and channels. In the scalar Gaussian case, we showed that it suffices to use a single parameter to characterize the optimal trade-off of the BIS. However, for Gaussian vector sources, the optimal trade-off regions is generally in the form of the covariance matrix optimization problem, and solving the problem becomes more challenging as one may need to use the enhancement technique, introduced in [30], to characterize the capacity regions.

Another extension is to construct practical codes that can achieve the capacity regions. In the BIS with a single user, convolutional and turbo codes that control the privacy-leakage were investigated in [31] and applied to real-life application, Electroencephalograph, in [32]. In these studies, it was shown that by applying vector quantization at the encoder and soft-decision at the decoder for Gaussian sources, a lower privacy-leakage rate was realizable. However, to the best of our knowledge, there has not yet been any studies dealing with practical codes for the BIS with multiple users. This remains as an interesting research topic.