On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel

Similar documents
On Function Computation with Privacy and Secrecy Constraints

PERFECTLY secure key agreement has been studied recently

Perfect Omniscience, Perfect Secrecy and Steiner Tree Packing

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

Properties of Matrices and Operations on Matrices

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

MULTITERMINAL SECRECY AND TREE PACKING. With Imre Csiszár, Sirin Nitinawarat, Chunxuan Ye, Alexander Barg and Alex Reznik

linearly indepedent eigenvectors as the multiplicity of the root, but in general there may be no more than one. For further discussion, assume matrice

SHARED INFORMATION. Prakash Narayan with. Imre Csiszár, Sirin Nitinawarat, Himanshu Tyagi, Shun Watanabe

Linear Algebra (Review) Volker Tresp 2018

Chain Independence and Common Information

A Single-letter Upper Bound for the Sum Rate of Multiple Access Channels with Correlated Sources

UNIT 6: The singular value decomposition.

SHARED INFORMATION. Prakash Narayan with. Imre Csiszár, Sirin Nitinawarat, Himanshu Tyagi, Shun Watanabe

Diagonal and Monomial Solutions of the Matrix Equation AXB = C

Chapter 1. Matrix Algebra

Matrices. Chapter Definitions and Notations

Privacy Amplification Theorem for Noisy Main Channel

Advanced Cryptography Quantum Algorithms Christophe Petit

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

6 The SVD Applied to Signal and Image Deblurring

On some matrices related to a tree with attached graphs

Public-Key Cryptosystems CHAPTER 4

8 The SVD Applied to Signal and Image Deblurring

8 The SVD Applied to Signal and Image Deblurring

Secret Key and Private Key Constructions for Simple Multiterminal Source Models

The Singular Value Decomposition (SVD) and Principal Component Analysis (PCA)

Image Registration Lecture 2: Vectors and Matrices

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

ASPECIAL case of the general key agreement scenario defined

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture notes: Applied linear algebra Part 1. Version 2

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Formulation of L 1 Norm Minimization in Gauss-Markov Models

EIGENVALUES AND SINGULAR VALUE DECOMPOSITION

Linear Algebra. The analysis of many models in the social sciences reduces to the study of systems of equations.

Linear Algebra and Eigenproblems

Mathematical Foundations of Applied Statistics: Matrix Algebra

ELEMENTARY LINEAR ALGEBRA

MATH 320, WEEK 7: Matrices, Matrix Operations

Chapter 2: Matrix Algebra

Linear Algebra in Actuarial Science: Slides to the lecture

In [5] for instance, a general model for secret-key agreement by public communication over an authentic channel was described. Here, two parties Alice

An iterative method for the skew-symmetric solution and the optimal approximate solution of the matrix equation AXB =C

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Secret Key Generation and Secure Computing

1 Determinants. 1.1 Determinant

Linear Programming Decoding of Binary Linear Codes for Symbol-Pair Read Channels

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered

B553 Lecture 5: Matrix Algebra Review

Linear Algebra (Review) Volker Tresp 2017

2012 IEEE International Symposium on Information Theory Proceedings

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Stat 159/259: Linear Algebra Notes

Maths for Signals and Systems Linear Algebra in Engineering

Elementary maths for GMT

Achieving Shannon Capacity Region as Secrecy Rate Region in a Multiple Access Wiretap Channel

REALIZING secret key generation in a variety of

RELIABLE BIOMETRIC AUTHENTICATION WITH PRIVACY PROTECTION

Extracting a Secret Key from a Wireless Channel

ON SUM OF SQUARES DECOMPOSITION FOR A BIQUADRATIC MATRIX FUNCTION

LINEAR INTERVAL INEQUALITIES

Chapter 3 Transformations

The Singular Value Decomposition

Masao KASAHARA. Graduate School of Osaka Gakuin University

Algorithm to Compute Minimal Nullspace Basis of a Polynomial Matrix

Linear Algebra for Machine Learning. Sargur N. Srihari

A LINEAR PROGRAMMING BASED ANALYSIS OF THE CP-RANK OF COMPLETELY POSITIVE MATRICES

Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm

Matrix-Product-States/ Tensor-Trains

Linear Algebra Review. Fei-Fei Li

Principal Component Analysis

Positive semidefinite matrix approximation with a trace constraint

Optimality, Duality, Complementarity for Constrained Optimization

Distributed Data Storage with Minimum Storage Regenerating Codes - Exact and Functional Repair are Asymptotically Equally Efficient

Secure RAID Schemes from EVENODD and STAR Codes

Linear Algebra. Session 12

EFFICIENT CONSTRUCTION OF POLYPHASE SEQUENCES WITH OPTIMAL PEAK SIDELOBE LEVEL GROWTH. Arindam Bose and Mojtaba Soltanalian

This appendix provides a very basic introduction to linear algebra concepts.

Math Linear Algebra II. 1. Inner Products and Norms

Algebraic Attacks on linear RFID Authentication Protocols

THESIS. Presented in Partial Fulfillment of the Requirements for the Degree Master of Science in the Graduate School of The Ohio State University

A matrix over a field F is a rectangular array of elements from F. The symbol

Semidefinite and Second Order Cone Programming Seminar Fall 2001 Lecture 5

Security Implications of Quantum Technologies

Definition 2.3. We define addition and multiplication of matrices as follows.

LEAST SQUARES SOLUTION TRICKS

forms Christopher Engström November 14, 2014 MAA704: Matrix factorization and canonical forms Matrix properties Matrix factorization Canonical forms

Mismatched Multi-letter Successive Decoding for the Multiple-Access Channel

CONTINUED FRACTIONS, PELL S EQUATION, AND TRANSCENDENTAL NUMBERS

THE PERTURBATION BOUND FOR THE SPECTRAL RADIUS OF A NON-NEGATIVE TENSOR

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Lecture #21. c T x Ax b. maximize subject to

Elliptic Curve Cryptography with Derive

Duke University, Department of Electrical and Computer Engineering Optimization for Scientists and Engineers c Alex Bronstein, 2014

Fundamentals of Engineering Analysis (650163)

arxiv: v1 [cs.cr] 1 May 2012

On Euclidean distance matrices

Division Property: a New Attack Against Block Ciphers

STAT 309: MATHEMATICAL COMPUTATIONS I FALL 2017 LECTURE 5

Transcription:

On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel Wenwen Tu and Lifeng Lai Department of Electrical and Computer Engineering Worcester Polytechnic Institute Worcester, MA {wtu, llai}@wpiedu Abstract Simulatability condition is a fundamental concept in studying key generation over a non-authenticated public channel, in which Eve is active and can intercept, modify and falsify messages exchanged over the non-authenticated public channel Using this condition, Maurer and Wolf showed a remarkable all or nothing result: if the simulatability condition does not hold, the key capacity over the non-authenticated public channel will be the same as that of the case with a passive Eve, while the key capacity over the non-authenticated channel will be zero if the simulatability condition holds However, two questions remain open so far: 1) For a given joint probability mass function (PMF), are there efficient algorithms (polynomial complexity algorithms) for checking whether the simulatability condition holds or not?; and 2) If the simulatability condition holds, are there efficient algorithms for finding the corresponding attack strategy? In this paper, we answer these two open questions affirmatively In particular, for a given joint PMF, we construct a linear programming (LP) problem and show that the simulatability condition holds if and only if the optimal value obtained from the constructed LP is zero Furthermore, we construct another LP and show that the minimizer of the newly constructed LP is a valid attack strategy Both LPs can be solved with a polynomial complexity Index Terms Computational complexity, Key generation, Linear programming, Non-authenticated channel, Simulatability condition I INTRODUCTION The problem of secret key generation via public discussion under both source and channel models has attracted significant research interests [1 [7 Under the source model, users observe correlated sources generated from a certain joint probability mass function (PMF), and can discuss with each other via a noiseless public channel Any discussion over the public channel will be overheard by Eve Furthermore, the public channel can either be authenticated or non-authenticated An authenticated public channel implies that Eve is a passive listener On the other hand, a non-authenticated public channel implies that Eve is active and can intercept, modify or falsify any message exchanged through the public channel While most of the existing work focused on the key generation with an authenticated public channel, [4 [7 made significant contributions to the case with a non-authenticated The work of W Tu and L Lai was supported by the National Science Foundation CAREER Award under Grant CCF-1318980 and by the National Science Foundation under Grant ECCS-1408114 public channel In [4 [7, Maurer and Wolf introduced a simulatability condition (this condition will be defined precisely in the sequel) and established a remarkable all or nothing result In particular, they showed that for the secret key generation via a non-authenticated public channel with two legitimate terminals in the presence of an active adversary: 1) if the simulatability condition holds, the two legitimate terminals will not be able to establish a secret key, and hence the key capacity is 0; and 2) if the simulatability condition does not hold, the two legitimate terminals can establish a secret key and furthermore the key capacity will be the same as that of the case when Eve is passive It is clear that the simulatability condition is a fundamental concept for the key generation via a non-authenticated public channel, and hence it is important to design efficient algorithms to check whether the simulatability condition holds or not Using ideas from mechanical models, [6 made significant progress in designing efficient algorithms In particular, [6 proposed to represent PMFs as mass constellations in a coordinate, and showed that the simulatability condition holds if and only if one mass constellation can be transformed into another mass constellation using a finite number of basic mass operations Furthermore, [6 introduced another notion of one mass constellation being more centered than another constellation and designed a low-complexity algorithm to check this more centered condition For some important special cases, which will be described precisely in Section II, [6 showed that the more centered condition is necessary and sufficient for the mass constellation transformation problem (and hence is a necessary and sufficient condition for the simulatability condition for these special cases) However, in the general case, the more centered condition is a necessary but not sufficient condition for the mass constellation transformation problem Whether there exists efficient algorithms for the mass constellation transformation problem, and hence the simulatability condition, in the general case is still an open question As the result, despite the significant progress made in [6, the following two questions remain open regarding the simulatability condition for the general case: 1) For a given joint PMF, are there efficient algorithms (polynomial complexity algorithms) for checking 978-1-4673-7704-1/15/$3100 2015 IEEE 720 ISIT 2015

whether the simulatability condition holds or not? 2) If the simulatability condition holds, are there efficient algorithms for finding the corresponding Eve s attack strategy? In this paper, we answer these two open questions affirmatively To answer the first open question, we construct a linear programming (LP) problem and show that the simulatability condition holds if and only if the optimal value obtained from this LP is zero We establish our result in three main steps We first show that, after some basic transformations, checking whether the simulatability condition holds or not is equivalent to checking whether there exists a nonnegative solution to a specially constructed system of linear equations We then use a basic result from linear algebra to show that whether there exists a nonnegative solution to the constructed system of linear equations is equivalent to whether there is a solution (not necessarily nonnegative) to a related system of inequalities or not Finally, we use Farkas lemma [8, a fundamental result in linear programming and other optimization problems, to show that whether the system of inequalities has a solution or not is equivalent to whether the optimal value of a specially constructed LP is zero or not Since there exists polynomial complexity algorithms for solving LP problems [9 [11, we thus find a polynomial complexity algorithm for checking the simulatability condition for a general PMF To answer the second open question, we construct another LP and show that the minimizer of this LP is a valid attack strategy The proposed approach is very flexible in the sense that one can simply modify the cost function of the constructed LP to obtain different attack strategies Furthermore, the cost function can be modified to satisfy various design criteria For example, a simple cost function can be constructed to minimize the amount of modifications Eve needs to perform during the attack All these optimization problems with different cost functions can be solved with a polynomial complexity The remainder of the paper is organized as follows In Section II, we introduce some preliminaries and the problem setup In Section III, we present our main results In Section IV, we use a numerical example to illustrate the proposed algorithm In Section V, we offer our concluding remarks II PRELIMINARIES AND PROBLEM SETUP Let X = {1,, X }, Y = {1,, Y } and Z = {1,, Z } be three finite sets Consider three correlated random variables (X, Y, Z), taking values from X Y Z, with joint PMF P XY Z, the simulatability condition is defined as follows: Definition 1 ( [4) For a given P XY Z, we say X is simulatable by Z with respect to Y, denoted by Sim Y (Z X), if there exists a conditional PMF P X Z such that P Y X = P Y X, with P Y X(y, x) = z Z P Y Z (y, z) P X Z (x z), (1) in which P Y X and P Y Z are the joint PMFs of (Y, X) and (Y, Z) under P XY Z respectively One can also define Sim X (Z Y ) in the same manner This concept of simulatability, first defined in [4, is a fundamental concept in the problem of secret key generation over a non-authenticated public channel [5 [7, in which two terminals Alice and Bob would like to establish a secret key in the presence of an adversary Eve These three terminals observe sequences X N, Y N and Z N generated according to P X N Y N Z N (xn, y N, z N ) = N P XY Z (x i, y i, z i ) (2) i=1 Alice and Bob can discuss with each other via a public nonauthenticated noiseless channel, which means that Eve not only has full access to the channel but can also interrupt, modify and falsify messages exchanged over this public channel The largest key rate that Alice and Bob can generate with the presence of the active attacker is denoted as S (X; Y Z) [5 Let S(X; Y Z) denote the largest key rate that Alice and Bob can generate when Eve is passive, ie, when the public channel is authenticated Clearly, S(X; Y Z) S (X; Y Z) Although a full characterization of S(X; Y Z) is unknown in general, [5 established the following remarkable all or nothing result: Theorem 1 ( [5) If Sim Y (Z X) or Sim X (Z Y ), then S (X; Y Z) = 0 Otherwise, S (X; Y Z) = S(X; Y Z) This significant result implies that, if the simulatability condition does not hold, one can generate a key with the same rate as if Eve were passive On the other hand, if the simulatability condition holds, the key rate will be zero Intuitively speaking, if Sim Y (Z X) holds, then after observing Z N, Eve can generate X N by passing Z N through a channel defined by P X Z Then ( X N, Y N ) has the same statistics as (X N, Y N ) Hence by knowing only Y N, Bob cannot distinguish X N and X N, and hence cannot distinguish Alice or Eve As mentioned in the introduction, [6 has made important progress in developing low-complexity algorithms for checking whether Sim Y (Z X) (or Sim X (Z Y )) holds or not In particular, [6 developed an efficient algorithm to check a related condition called more centered condition When Y = 2, that is when Y is a binary random variable, this more centered condition is shown to be necessary and sufficient for Sim Y (Z X) Hence, [6 has found an efficient algorithm to check Sim Y (Z X) for the special case of Y being binary (the algorithm is also effective in checking Sim X (Z Y ) when X is binary) However, when Y is not binary, the more centered condition is only a necessary condition for Sim Y (Z X) Hence, two questions remain open: 1) For a general given P XY Z, are there efficient algorithms (polynomial complexity algorithms) for checking whether Sim Y (Z X) (or Sim X (Z Y )) holds or not? 721

2) If Sim Y (Z X) (or Sim X (Z Y )) holds, are there efficient algorithms for finding the corresponding P X Z (or P Ȳ Z )? In this paper, we answer these two open questions affirmatively Notation: Throughout this paper, we use boldface uppercase letters to denote matrices, boldface lowercase letters to denote vectors We also use 1, 0 and I, unless stated otherwise, to denote all ones column vector, all zeros column vector and the identity matrix, respectively In addition, we denote the vectorization of a matrix by Vec( ) Specifically, for an m n matrix A, Vec(A) is an mn 1 column vector: Vec(A) = [a 11,, a m1,, a 1n,, a mn T, (3) in which [ T is the transpose of the matrix And vice versa can be done by A =Reshape(Vec(A), [m, n) We use A B to denote the Kronecker product of matrices A and B Specifically, assume A is an m n matrix, then a 11 B a 1n B A B = (4) a m1 B a mn B All matrices and vectors in this paper are real III MAIN RESULTS In this paper, we focus on Sim Y (Z X) The developed algorithm can be easily modified to check Sim X (Z Y ) We rewrite (1) in the following matrix form C = AQ, (5) in which C = [c ij is a Y X matrix with c ij = P Y X (i, j), A = [a ik is a Y Z matrix with a ik = P Y Z (i, k), and Q = [q kj is a Z X matrix with q kj = P X Z (j k) if such P X Z exists Checking whether Sim Y (Z X) holds or not is equivalent to checking whether there exists a transition matrix Q such that (5) holds As Q is a transition matrix, its entries q kj s must satisfy X q kj 0, k [1 : Z, j [1 : X, (6) q kj = 1, k [1 : Z (7) j=1 We note that if q kj s satisfy (6) and (7), they will automatically satisfy q kj 1 Hence, we don t need to state this requirement here If there exists at least one transition matrix Q satisfying (5), (6) and (7) simultaneously, we can conclude that the simulatability condition Sim Y (Z X) holds (7) can be written in the matrix form 1 Z 1 = Q1 X 1, (8) Then, (5) and (8) can be written in the following compact form: a 11 I a 12 I a 1 Z I [ Vec(C T a Y 1 I a Y 2 I a Y Z I ) 1 0 0 = Vec(Q T ) 1 Z 1 0 1 0 0 1 [ A I = Vec(Q T ), (9) I Z 1 in which the sizes for I, 1 and 0 are X X, 1 X and 1 X, respectively For notational convenience, we define [ Vec(C c T ) 1 Z 1, A [ A I I Z 1, q Vec(Q T ) (10) From (9), it is clear that c is an m 1 vector, A is an m n matrix, and q is an n 1 vector, in which m = Y X + Z, n = Z X (11) With these notation and combining (9) with (6), the original problem of checking whether Sim Y (Z X) holds or not is equivalent to checking whether there exists nonnegative solutions q for the system Aq = c (12) In the following, we check whether there exists at least a nonnegative solution for the system defined by (12) There are two main steps: 1) whether the system is consistent or not; 2) if it is consistent, whether there exists a nonnegative solution or not Checking the consistency of (12) is straightforward: a necessary and sufficient condition for a system of nonhomogenous linear equations to be consistent is Rank(A) = Rank((A c)), (13) where (A c) is the augmented matrix of A If (13) is not satisfied, it can be concluded that Sim Y (Z X) does not hold If (13) is satisfied, we need to further check whether there exists a nonnegative solution to (12) or not To proceed further, we will need the following definition of generalized inverse (g-inverse) of a matrix G Definition 2 ( [12) For a given m n real matrix G, an n m real matrix G g is called a g-inverse of G if GG g G = G The g-inverse G g is generally not unique (If n = m and G is full rank, then G g is unique and equal to the inverse matrix G 1 ) A particular choice of g-inverse is called the Moore-Penrose pseudoinverse G +, which can be computed using multiple different approaches One approach is to use the singular value decomposition (SVD): by SVD, for a given G and its SVD decomposition G = UΣV T, then, G + can be obtained as G + = VΣ + U T, in which Σ + is obtained by 722

taking the reciprocal of each non-zero element on the diagonal of the diagonal matrix Σ, leaving the zeros in place One can easily check that the Moore-Penrose pseudoinverse G + obtained by SVD satisfies the g-inverse matrix definition and hence is a valid g-inverse With the concept of g-inverse, we are ready to state our main result regarding the first open question Theorem 2 Let A g be any given g-inverse of A (eg, it can be chosen as the Moore-Penrose pseudoinverse A + ), and h be obtained by the following LP h = min t {t T A g c}, (14) s t t 0, (I A g A) T t = 0 Then Sim Y (Z X) holds, if and only if h = 0 and (13) holds Proof If (13) does not hold, then there is no solution to (12), and hence Sim Y (Z X) does not hold In the remainder of the proof, we assume that (13) holds If (13) holds, the general solution to (12) can be written in the following form (see, eg, Theorem 2 a(d) of [12) q = A g c + (A g A I)p, (15) in which A g can be any given g-inverse of A, and p is an arbitrary length-n vector As the result, the problem of whether there exists a nonnegative solution to (12) (ie, q 0) is equivalent to the problem of whether there exists a solution p for the following system defined by (I A g A)p A g c (16) To check whether the system defined by (16) has a solution, we use Farkas lemma, a fundamental lemma in linear programming and related area in optimization For completeness, we state the form of Farkas lemma used in our proof in Appendix A To use Farkas lemma, we first write a LP related to the system defined in (16) h = min{t T A g c}, t st t 0, (I A g A) T t = 0 The above LP is always feasible since t = 0 is a vector that satisfies the constraints, which results in t T A g c = 0 Hence the optimal value h 0 Using Farkas lemma, we have that (16) has a solution if and if h = 0 More specifically, if h = 0, then there exists at least a solution p for (16), which further implies that there is a nonnegative solution to (12), and hence Sim Y (Z X) holds On the other hand, if h < 0, then there is no solution p for (16), which further implies that there is no nonnegative solution to (12), and hence Sim Y (Z X) does not hold As mentioned above, if Rank(A) = m = n holds, then A g = A 1 is unique For other cases, A g might not be unique We have the following proposition asserting that different choices of A g will not affect the result in Theorem 2 Proposition 1 Different choices of A g will not affect the result on whether h equals 0 or not Due to the page limitation, we omit the details of this proof, which can be found in [13 Remark 1 The proposed algorithm for checking whether Sim Y (Z X) holds or not has a polynomial complexity Among all operations required, computing the g-inverse and solving the LP defined by (14) require most computations The complexity to obtain A g is of order O(n 3 ) [14 Furthermore, there exists polynomial complexity algorithms to solve the LP defined by (14) For example, [10 provided an algorithm to solve LP using O(n 3 L) operations, where L is number of binary bits needed to store input data of the problem (one can refer to Chapter 8 in [11 for more details about the complexity of algorithms for solving LP) Hence, the total operations of our algorithm for checking Sim Y (Z X) is of order O(n 3 L) Thus, we can conclude that the proposed algorithm can check whether Sim Y (Z X) holds or not with a polynomial complexity In the following, we provide our answer to the second open question, ie, if Sim Y (Z X) holds, how to find P X Z efficiently Theorem 3 Let e be any n 1 vector with e 0, and q be the obtained from the following LP: min q f(q) = e T q, (17) st q 0, Aq = c If Sim Y (Z X) holds, then Q = Reshape(q, [ X, Z ) T is a valid choice for P X Z Proof By assumption, Sim Y (Z X) holds, which implies that the system defined by (12) is consistent and it has nonnegative solutions Hence, the following LP is feasible min q f(q) = e T q, (18) st q 0, Aq = c, where e 0 Hence, the minimizer q is nonnegative and satisfies Aq = c We can then reshape q into matrix Q (the reverse operation of (10)) Q is a valid choice for P X Z Remark 2 Since finding a suitable P X Z using our approach is equivalent to solving a LP, the complexity is of polynomial order Remark 3 For a given distribution P XY Z, there may be more than one possible P X Z such that (1) holds Different choices of e in (17) give different values for P X Z In addition, the objective function f(q) can be further modified to satisfy various design criteria of Eve For example, let q = Vec( Q[ q kj T ) with q kj = P X Z (k j), then setting f(q) = q q 2 2 will minimize the amount of changes in the conditional PMF in the l 2 norm sense This is a quadratic programming, which can still be solved efficiently 723

IV NUMERICAL EXAMPLE In this section, we provide an example to illustrate the proposed algorithm To better compare our proposed algorithm with the method in [6, we use one of examples in [6 as the example Example: Let P XY Z with ranges X = {x 1, x 2 }, Y = {y 1, y 2 } and Z = {z 1, z 2, z 3 } be: P XY Z (x 1, y 1, z 1 ) = 6/100, P XY Z (x 2, y 1, z 1 ) = 4/100, P XY Z (x 1, y 1, z 2 ) = 9/100, P XY Z (x 2, y 1, z 2 ) = 6/100, P XY Z (x 1, y 1, z 3 ) = 15/100, P XY Z (x 2, y 1, z 3 ) = 10/100, P XY Z (x 1, y 2, z 1 ) = 36/100, P XY Z (x 2, y 2, z 1 ) = 4/100, P XY Z (x 1, y 2, z 2 ) = 9/100, P XY Z (x 2, y 2, z 2 ) = 1/100, P XY Z (x 1, y 2, z 3 ) = 0, P XY Z (x 2, y 2, z 3 ) = 0 To use our algorithm, we have the following steps: Step 1: Compute P Y Z and P Y X, and write them in the matrix form A and C: A = [ 01 015 025 04 01 0 [ 03 02, C = 045 005 (19) Step 2: Construct A and c using (10): 01 0 015 0 025 0 0 01 0 015 0 025 04 0 01 0 0 0 A = 0 04 0 01 0 0, (20) 1 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 c = [03, 02, 045, 005, 1, 1, 1 T (21) Step 3: Check the ranks of A and (A c): Rank(A) = Rank((A c)) = 5 Step 4: Choose the g-inverse to be the Moore-Penrose pseudoinverse A + and calculate A + c and I A + A: A + c = [09762, 00238, 05952, 04048, 04524, 05476 T,(22) I A + A = 00238 00238 00952 00952 00476 00476 00238 00238 00952 00952 00476 00476 00952 00952 03810 03810 01905 01905 00952 00952 03810 03810 01905 01905 (23) 00476 00476 01905 01905 00952 00952 00476 00476 01905 01905 00952 00952 Step 5: Solve LP (14) Using the above data, we obtain h = 0, which implies that Sim Y (Z X) holds Step 6: Obtain a possible P X Z We construct the LP defined in (17) with e = [2, 2, 2, 1, 1, 1 T, and get q = [1, 0, 1/2, 1/2, 1/2, 1/2 T Thus the simulatability [ T 1 1/2 1/2 channel is P X Z =, which is consistent with the result obtained from the criterion proposed 0 1/2 1/2 in [6 If we set e = [1, 1, 1, 1, 1, 1 T, we get q = [09762, 00238, 05952, 04048, 04524, 05476 T, which implies that another valid choice is 09762 00238 P X Z = 05962 04048 (24) 04524 05476 We note that our proposed algorithm works with distributions with larger alphabet sizes, while the method proposed in [6 loses its efficiency in these cases V CONCLUSION In this paper, we have proposed an efficient algorithm to check the simulatability condition, an important condition in studying secret key generation using a non-authenticated public channel We have also proposed a simple and flexible method to calculate a possible simulatability channel if the simulatability condition holds The proposed algorithms have polynomial complexities APPENDIX A FARKAS LEMMA There are several equivalent forms of the Farkas lemma [8 Here, we state a form that will be used in our proof Lemma 1 ( [8) Let B be a matrix, and b be a vector, then the system specified by Bp b, has a solution p, if and only if t T b 0 for each column vector t 0 with B T t = 0 REFERENCES [1 U Maurer, Secret key agreement by public discussion from common information, IEEE Trans Inform Theory, vol 39, pp 733 742, May 1993 [2 R Ahlswede and I Csiszár, Common randomness in information theory and cryptography, Part I: Secret sharing, IEEE Trans Inform Theory, vol 39, pp 1121 1132, July 1993 [3 S Nitinawarat, C Ye, A Barg, P Narayan, and A Reznik, Secret key generation for a pairwise independent network model, IEEE Trans Inform Theory, vol 56, pp 6482 6489, Dec 2010 [4 U Maurer, Information-theoretically secure secret-key agreement by not authenticated public discussion, in Advances in CryptologyEurocrypt97, pp 209 225, Springer, 1997 [5 U M Maurer and S Wolf, Secret key agreement over a nonauthenticated channel - Part I: Definitions and bounds, IEEE Trans Inform Theory, vol 49, pp 822 831, Apr 2003 [6 U M Maurer and S Wolf, Secret key agreement over a nonauthenticated channel - Part II: The simulatability condition, IEEE Trans Inform Theory, vol 49, pp 832 838, Apr 2003 [7 U M Maurer and S Wolf, Secret key agreement over a nonauthenticated channel - Part III: Privacy amplification, IEEE Trans Inform Theory, vol 49, pp 839 851, Apr 2003 [8 A Schrijver, Theory of linear and integer programming New York: John Wiley & Sons, 1998 [9 N Karmarkar, A new polynomial-time algorithm for linear programming, in Proceedings of the sixteenth annual ACM symposium on Theory of computing, pp 302 311, ACM, 1984 [10 C C Gonzaga, An algorithm for solving linear programming problems in O(n 3 L) operations New York: Springer, 1989 [11 M S Bazaraa, J J Jarvis, and H D Sherali, Linear programming and network flows New York: John Wiley & Sons, 2011 [12 C R Rao, Calculus of generalized inverses of matrices Part I: General theory, Sankhyā: The Indian Journal of Statistics, Series A, pp 317 342, 1967 [13 W Tu and L Lai, On the simulatability condition in key generation over a non-authenticated public channel, Submitted to IEEE Trans Inform Theory, Sep 2014 Available at http://arxivorg/abs/14094064 [14 H-M Möller, Exact Computation of the Generalized Inverse and the Least-squares Solution Techn Univ, Fak für Mathematik, 1999 724

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback