
Mutual Dependence for Secret Key Agreement

Chung Chan and Lizhong Zheng

Abstract—A mutual dependence expression is established for the secret key agreement problem when all users are active. In certain source networks, the expression can be interpreted as certain notions of connectivity and network information flow. In particular, the secrecy problem can be mapped to a new class of network coding problems with selectable links and undirected broadcast links. For such networks, the secrecy capacities serve as upper bounds on the maximum network throughputs, while the network coding solutions can be used for secret key agreement.

Index Terms—Secret key agreement, mutual dependence, network coding, partition connectivity, supermodularity

This work is supported in part by Project #MMT-p2-09 of the Shun Hing Institute of Advanced Engineering, The Chinese University of Hong Kong. Manuscript written for CISS 2010. Related work at [1]. Chung Chan ([email protected]) is with the Shun Hing Institute of Advanced Engineering, The Chinese University of Hong Kong, and the Research Laboratory of Electronics at MIT, Massachusetts Institute of Technology. Lizhong Zheng is with the Research Laboratory of Electronics at MIT, Massachusetts Institute of Technology.

I. MUTUAL DEPENDENCE

We first consider a measure of correlation among a set of random variables, and establish its operational meaning with the problems of secret key agreement and communication for omniscience in [2]. In information theory, the dependence between any two random variables is captured by the mutual information [3],

$$I(Z_1 \wedge Z_2) := D(P_{Z_1 Z_2} \,\|\, P_{Z_1} P_{Z_2}) = H(Z_1) - H(Z_1 \mid Z_2) \tag{1.1}$$

where $P_{Z_1 Z_2}$ denotes the joint distribution of $Z_1$ and $Z_2$, $D(\cdot\|\cdot)$ is the information divergence, and $H(\cdot)$ is the entropy measure [3]. It has various operational meanings spanning the source and channel coding theories. A heuristically appealing extension [2] to the multivariate case with more than two random variables is the following mutual dependence expression.

Definition 1.1 (Mutual Dependence) For any finitely-valued random vector $Z_V := (Z_i : i \in V)$ with $|V| \geq 2$, the mutual dependence of $Z_V$ is defined as

$$I(Z_V) := \min_{\mathcal{P} \in \Pi} \frac{1}{|\mathcal{P}| - 1}\, D\Big(P_{Z_V} \,\Big\|\, \prod_{C \in \mathcal{P}} P_{Z_C}\Big) \tag{1.2}$$

where $\Pi$ is the collection of set-partitions $\mathcal{P}$ of $V$ into at least 2 non-empty sets. □

Example 1.1 Mutual dependence (1.2) reduces to the usual mutual information when $|V| = 2$, i.e. $I(Z_{\{1,2\}}) = I(Z_1 \wedge Z_2)$. With $V := [3] := \{1, 2, 3\}$, $I(Z_{[3]})$ is the minimum of $I(Z_1 \wedge Z_2 Z_3)$, $I(Z_2 \wedge Z_1 Z_3)$, $I(Z_3 \wedge Z_1 Z_2)$, and $\frac{1}{2}\big[\sum_{i \in [3]} H(Z_i) - H(Z_{[3]})\big]$. □

(1.1) and (1.2) are similar in the sense that both can be expressed in terms of the information divergence from the joint distribution to the product distribution of certain marginals. We will establish the following operational meaning for (1.2) in the problem of secret key agreement (SK) and communication for omniscience (CO) considered in [2].¹

¹ More generally, there is a duality $C_{CR}(R) = C_S(R) + R$ where $C_{CR}(R)$ and $C_S(R)$ are the common randomness and secrecy capacities respectively under the same rate constraint $R$ on public discussion and the same source model. (See [1] for details.)

Operational meaning of mutual dependence: The mutual dependence expression $I(Z_V)$ equals

SK: the maximum rate (secrecy capacity) of secret key that can be generated from the discrete multiple memoryless source (DMMS) $Z_V$ with unlimited authenticated public discussion, and

CO: the maximum savings in rate, below $H(Z_V)$, of the public discussion required to attain omniscience of the DMMS $Z_V$, i.e. $H(Z_V)$ minus the smallest rate of communication for omniscience.

We have considered here the special case when all terminals are active, in the sense that they all want to share the secret in the SK problem, and attain omniscience in the CO problem.

Theorem 1.1 Given a finite ground set $V : |V| \geq 2$, the mutual dependence in (1.2) satisfies

$$I(Z_V) = H(Z_V) - \max_{\lambda \in \Lambda} \sum_{B \in \mathcal{F}} \lambda_B\, H(Z_B \mid Z_{B^c}) \tag{1.3}$$

where $\mathcal{F} := 2^V \setminus \{V\}$, and $\Lambda$ is the collection of fractional partitions $\lambda := (\lambda_B : B \in \mathcal{F})$ of $V$, i.e. $\lambda_B \geq 0$ for all $B \in \mathcal{F}$ and $\sum_{B \in \mathcal{F} : i \in B} \lambda_B = 1$ for all $i \in V$. □

This establishes the result since the expression on the R.H.S. of (1.3) bears the desired operational meaning by [2].

PROOF (THEOREM 1.1) Define $h : \mathcal{F} \to \mathbb{R}$ as

$$h(B) := H(Z_B \mid Z_{B^c}) \quad \forall B \in \mathcal{F} \tag{1.4}$$

with the convention $h(\emptyset) = 0$. We will use the following well-known [4] supermodularity property of $h$ to prove the theorem.

Subclaim 1.1A $h$ is supermodular, i.e.

$$h(B_1) + h(B_2) \leq h(B_1 \cap B_2) + h(B_1 \cup B_2) \tag{1.5}$$

for all $B_1, B_2 \in \mathcal{F} : B_1 \cap B_2, B_1 \cup B_2 \in \mathcal{F}$. ▹

PROOF (SUBCLAIM 1.1A) Consider proving the non-trivial case where $B_1$ and $B_2$ are non-empty. We have by the positivity of mutual information that

$$I(Z_{B_1^c} \wedge Z_{B_2^c} \mid Z_{B_1^c \cap B_2^c}) \geq 0 \implies H(Z_{B_1^c}) + H(Z_{B_2^c}) \geq H(Z_{B_1^c \cup B_2^c}) + H(Z_{B_1^c \cap B_2^c})$$

(1.5) follows since $h(B) = H(Z_V) - H(Z_{B^c})$. ◭

By the Strong Duality Theorem [5], the maximization in (1.3) is equal to its linear programming dual,

$$\text{minimize} \quad \sum_{i \in V} r_i \tag{1.6a}$$

$$\text{subject to} \quad \sum_{i \in B} r_i \geq h(B) \quad \forall B \in \mathcal{F} \tag{1.6b}$$

The supermodularity property of $h$ translates to the following property on the tight relations of the dual problem.

Subclaim 1.1B For any feasible solution $r$ to the dual linear program (1.6), and $B_1, B_2 \in \mathcal{F} : B_1 \cap B_2, B_1 \cup B_2 \in \mathcal{F}$, if $B_1$ and $B_2$ are tight constraints, i.e.

$$\sum_{i \in B_j} r_i = h(B_j) \quad \text{for } j = 1, 2 \tag{1.7a}$$

then $B_1 \cup B_2$ is also a tight constraint,

$$\sum_{i \in B_1 \cup B_2} r_i = h(B_1 \cup B_2) \tag{1.7b}$$

n.b. $B_1 \cap B_2$ is also tight but we do not need it for the proof of Theorem 1.1. ▹

PROOF (SUBCLAIM 1.1B) Since $B_1 \cup B_2 \in \mathcal{F}$, we immediately have $\sum_{i \in B_1 \cup B_2} r_i \geq h(B_1 \cup B_2)$ by (1.6b). The reverse inequality can be proved as follows.

$$\sum_{i \in B_1 \cup B_2} r_i = \sum_{i \in B_1} r_i + \sum_{i \in B_2} r_i - \sum_{i \in B_1 \cap B_2} r_i \overset{(a)}{\leq} h(B_1) + h(B_2) - h(B_1 \cap B_2) \overset{(b)}{\leq} h(B_1 \cup B_2)$$

where (a) is by (1.7a) and (1.6b) on $B_1 \cap B_2 \in \mathcal{F}$, and (b) is by Subclaim 1.1A. With a similar argument, we also have $\sum_{i \in B_1 \cap B_2} r_i = h(B_1 \cap B_2)$. ◭

Let $\lambda^*$ be an optimal solution to the maximization in (1.3).² Define its support set as

$$\mathcal{B} := \{B \in \mathcal{F} : \lambda^*_B > 0\} \tag{1.8}$$

and the corresponding partition of $V$ as

$$\mathcal{P}^* := \Big\{ \Big(\bigcup \{B \in \mathcal{B} : B \not\ni i\}\Big)^c : i \in V \Big\} \tag{1.9}$$

² $\lambda^*$ exists, or equivalently $\Lambda$ is non-empty. For example, $\lambda_{\{i\}} = 1$ for $i \in V$ is a fractional partition in $\Lambda$. For the more general case considered in Theorem 3.1, $\Lambda$ may be empty.

Subclaim 1.1C $\mathcal{P}^*$ in (1.9) belongs to $\Pi$ in Definition 1.1. ▹

PROOF (SUBCLAIM 1.1C) Define the relation $R$ on $V$ as

$$i \sim_R j \iff i \in C_j \quad \text{for } i, j \in V$$

where $C_i := \big(\bigcup \{B \in \mathcal{B} : B \not\ni i\}\big)^c$. By definition (1.9), $\mathcal{P}^* = \{C_i : i \in V\}$. To show that $\mathcal{P}^*$ is a partition of $V$, it suffices to show that $\sim_R$ is an equivalence relation on $V$ as follows.

$$i \sim_R j \iff \{B \in \mathcal{B} : B \not\ni i\} \supseteq \{B \in \mathcal{B} : B \not\ni j\} \iff \{B \in \mathcal{B} : i \in B\} \subseteq \{B \in \mathcal{B} : j \in B\}$$

i.e. any set in $\mathcal{B}$ that contains $i$ also contains $j$. Using this simplification, it is easy to see that $\sim_R$ satisfies the defining properties of an equivalence relation:

• Reflexivity: $R$ is reflexive since $i \in C_i$ trivially for $i \in V$.

• Transitivity: Suppose $i \sim_R j$ and $j \sim_R k$ for some $i, j, k \in V$. Then $\{B \in \mathcal{B} : i \in B\} \subseteq \{B \in \mathcal{B} : j \in B\} \subseteq \{B \in \mathcal{B} : k \in B\}$, which implies $i \sim_R k$ as desired.

• Symmetry: Suppose to the contrary that $i \sim_R j$ but $j \not\sim_R i$ for some $i, j \in V$. Then $\{B \in \mathcal{B} : i \in B\} \subsetneq \{B \in \mathcal{B} : j \in B\}$. This implies, by definition (1.8) of $\mathcal{B}$, that $\sum_{B \ni i} \lambda^*_B < \sum_{B \ni j} \lambda^*_B$, which is the desired contradiction since both sides equal 1 by the definition of $\Lambda$ in Theorem 1.1.

Finally, to argue that $|\mathcal{P}^*| \geq 2$, note that $\mathcal{B} \neq \emptyset$ since $\sum_{B \in \mathcal{F}} \lambda^*_B > 0$. Since any $B \in \mathcal{F}$ satisfies $B \neq V$, we have $C_i \neq V$ for all $i \in V$ as desired. ◭

The supermodularity of $h$ implies the following property on every part of $\mathcal{P}^*$.

Subclaim 1.1D For any optimal $r^*$ to the dual problem (1.6),

$$\sum_{i \in C^c} r^*_i = h(C^c) \quad \forall C \in \mathcal{P}^* \tag{1.10}$$ ▹

PROOF (SUBCLAIM 1.1D) By the Complementary Slackness Theorem [5, Theorem 5.4], $\sum_{i \in B} r^*_i = h(B)$ for all $B \in \mathcal{B}$. By Subclaim 1.1B, for all $i \in V$, we have

$$\sum_{j \in \bigcup\{B \in \mathcal{B} : B \not\ni i\}} r^*_j = h\Big(\bigcup \{B \in \mathcal{B} : B \not\ni i\}\Big)$$

which gives the desired equality (1.10) under (1.9). ◭

This completes the proof since the Primal/Dual Optimality Criteria [5, Theorem 5.5] imply that $\big(\mathbb{1}\{B^c \in \mathcal{P}^*\}/(|\mathcal{P}^*| - 1) : B \in \mathcal{F}\big)$ is an optimal solution in $\Lambda$. More precisely, for all feasible $r$ to the dual (1.6), and $\mathcal{P} \in \Pi$,

$$\begin{aligned}
H(Z_V) - \max_{\lambda \in \Lambda} \sum_{B \in \mathcal{F}} \lambda_B\, H(Z_B \mid Z_{B^c})
&\overset{(a)}{\leq} H(Z_V) - \sum_{i \in V} r_i = H(Z_V) - \frac{1}{|\mathcal{P}| - 1} \sum_{C \in \mathcal{P}} \sum_{i \in C^c} r_i \\
&\overset{(b)}{\leq} H(Z_V) - \frac{1}{|\mathcal{P}| - 1} \sum_{C \in \mathcal{P}} H(Z_{C^c} \mid Z_C)
= \frac{1}{|\mathcal{P}| - 1} \Big( \sum_{C \in \mathcal{P}} H(Z_C) - H(Z_V) \Big)
\end{aligned}$$

where (b) is by (1.6b). When we set $r$ to an optimal solution $r^*$, (a) is satisfied with equality by the Strong Duality Theorem. When we also set $\mathcal{P}$ to $\mathcal{P}^*$, which is valid by Subclaim 1.1C, (b) is also satisfied with equality by Subclaim 1.1D. This gives the desired equality (1.3) and completes the proof of Theorem 1.1. ■


II. INTERPRETATION VIA EMULATED SOURCE NETWORK

In this section, we will show that under certain classes of source networks, we can interpret mutual dependence (1.2) as certain notions of connectivity, and more concretely as the amount of information flow in certain types of networks. To make the notion of "flow" explicit, we consider the following class of source networks.

Definition 2.1 (Emulated source network) Terminal $i \in V$ observes $Z_i = (X_i, Y_i)$ such that

$$P_{X_V Y_V} = \prod_{i \in V} \big( P_{X_i}\, P_{Y_i \mid X_V} \big) \tag{2.1}$$ □

This can be viewed as a source emulated by having terminal $i \in V$ send $X_i$ independently over a channel that returns $Y_i = f_i(X_V, N_i)$ to terminal $i$, where $f_i$ is deterministic and the $N_i$'s are independent channel noises that satisfy $P_{N_V \mid X_V} = \prod_{i \in V} P_{N_i}$.³

³ This pure source emulation approach to SK when terminals are given a channel instead of a source can sometimes be optimal. For instance, uniform input is optimal for the finite linear channel $Y_i = M_i(X_V, N_i)$ for $i \in V$, where $M_i$ is a homomorphism between finite abelian groups and the $N_i$'s are arbitrarily correlated noise. This covers the interference and broadcast networks to be defined later. (See [1] for details.)

Proposition 2.1 The mutual dependence (1.2) of the emulated source network in Definition 2.1 is

$$I(Z_V) = \min_{\mathcal{P} \in \Pi} \frac{1}{|\mathcal{P}| - 1} \sum_{C \in \mathcal{P}} I(X_{C^c} \wedge Y_C \mid X_C) \tag{2.2}$$

which is also the secrecy capacity when all terminals are active by Theorem 1.1. □

PROOF For all $\mathcal{P} \in \Pi$, $D(P_{X_V Y_V} \,\|\, \prod_{C \in \mathcal{P}} P_{X_C Y_C})$ equals

$$\begin{aligned}
\sum_{C \in \mathcal{P}} H(X_C Y_C) - H(X_V Y_V)
&= \sum_{C \in \mathcal{P}} [H(X_C) + H(Y_C \mid X_C)] - H(X_V) - H(Y_V \mid X_V) \\
&= \sum_{C \in \mathcal{P}} \underbrace{[H(Y_C \mid X_C) - H(Y_C \mid X_V)]}_{= I(X_{C^c} \wedge Y_C \mid X_C)}
\end{aligned} \tag{2.3}$$

where the last equality is by (2.1), which gives $\sum_{C \in \mathcal{P}} H(X_C) = H(X_V)$ and $\sum_{C \in \mathcal{P}} H(Y_C \mid X_V) = H(Y_V \mid X_V)$. ■

$I(X_{C^c} \wedge Y_C \mid X_C)$ is intuitively the flow of information from $C^c$ to $C$. For a more concrete interpretation, we will consider some specific classes of networks for which the dependency among the observations can be abstracted by a hypergraph.

Hypergraph: A hypergraph $H := (V, E, \phi)$ is defined by the mapping $\phi : E \to 2^V \setminus \{\emptyset\}$ from an edge $e$ to a non-empty subset $\phi(e)$ of the vertices. The star hypergraph [6] $H^* := (V, E, \phi, \rho)$ of $H$ has an additional mapping $\rho : E \to V$ from an edge $e$ to a root node $\rho(e) \in \phi(e)$ for the edge.

A. Interference network

Definition 2.2 (Interference network) Given a hypergraph $H := (V, E, \phi)$ and a finite additive group $(G, +)$ of order $q$, terminal $i \in V$ observes

$$Z_i := \{Z_{ei} : e \in E, i \in \phi(e)\}$$

where $Z_{ei}$ for $i \in V$ and $e \in E$ are random variables taking values from $G$ such that 1) $Z_{e\phi(e)} := (Z_{ei} : i \in \phi(e))$ for $e \in E$ are independent, and 2) for all $e \in E$

$$\sum_{i \in \phi(e)} Z_{ei} = 0 \tag{2.4}$$

and for all $j \in \phi(e)$, $Z_{e\phi(e) \setminus \{j\}}$ is uniformly distributed over $G^{|\phi(e)| - 1}$. □

Proposition 2.2 The mutual dependence of the interference network in Definition 2.2 is $(\log q)\, p^+(H)$ where $p^+(H)$ is the strength of $H$ defined as

$$p^+(H) := \min_{\mathcal{P} \in \Pi} \frac{\sum_{C \in \mathcal{P}} |\delta^+_{H^*}(C)|}{|\mathcal{P}| - 1} \tag{2.5a}$$

$$\phantom{p^+(H) :} = \min_{\mathcal{P} \in \Pi} \frac{|\delta_H(\mathcal{P})|}{|\mathcal{P}| - 1} \tag{2.5b}$$

where $H^* := (V, E, \phi, \rho)$ is any star hypergraph of $H$,

$$\delta^+_{H^*}(C) := \{e \in E : \rho(e) \in C \not\supseteq \phi(e)\} \tag{2.6}$$

$$\delta_H(\mathcal{P}) := \{e \in E : \forall C \in \mathcal{P},\ C \not\supseteq \phi(e)\} \tag{2.7}$$

which are the set of outgoing edges of $C$ and the set of crossing edges of $\mathcal{P}$ respectively. □

PROOF The interference network is a special case of the emulated source network in Definition 2.1 with

$$Y_i := (Z_{ei} : e \in E, i = \rho(e)), \qquad X_i := (Z_{ei} : e \in E, i \in \phi(e) \setminus \{\rho(e)\})$$

where $\rho$ is an arbitrarily chosen orientation of $H$. We have

$$I(X_{C^c} \wedge Y_C \mid X_C) = H(Y_C \mid X_C) = |\delta^+_{H^*}(C)|$$

$$\sum_{C \in \mathcal{P}} |\delta^+_{H^*}(C)| = \sum_{e \in E} \sum_{C \ni \rho(e)} \mathbb{1}\{C \not\supseteq \phi(e)\} = |\delta_H(\mathcal{P})|$$

which completes the proof with Proposition 2.1. ■

The strength $p^+(H)$ of $H$ has the following immediate interpretation of partition connectivity.

Partition connectivity [7][8]: $p^+(H)$ is the maximum rational number $x \in \mathbb{Q}$ such that $H$ is $x$-partition-connected, i.e. $\lceil x(k-1) \rceil$ edges need to be removed from $H$ to yield $k$ or more disconnected components for any $k \in [|V|]$. Each edge in $H$ corresponds to a link of secret information flow with the following linear public discussion scheme.

Hyperedge as selectable link: Given an edge $e$, select a sender $i \in \phi(e)$ and a receiver $j \in \phi(e)$. Have the remaining terminals $k \in \phi(e) \setminus \{i, j\}$ publicly reveal $Z_{ek}$. Then, sender $i$ can use $Z_{ei}$ as a secret key to encrypt an independent secret $M \in G$ into a public message (cryptogram) $M + Z_{ei}$. By (2.4), receiver $j$ can perfectly recover $Z_{ei}$ from the public messages $Z_{e\phi(e) \setminus \{i, j\}}$. Since $Z_{e\phi(e) \setminus \{j\}}$ is uniformly distributed, the key is perfectly secret, i.e. $I(Z_{ei} \wedge Z_{e\phi(e) \setminus \{i, j\}}) = 0$. Thus, $M$ is also perfectly secret and recoverable by $j$. We effectively have a private independent link from $i$ to $j$ with unit ($\log q$ bits) capacity. Viewing each edge as a private link with a selectable sender and receiver, the terminals can agree on a common secret key simply by broadcasting it through the resulting network. Thus, the secret key agreement problem turns into a broadcast network coding problem with selectable links.

Definition 2.3 (Network with selectable links) A network with selectable links defined by the hypergraph $H = (V, E, \phi)$ is used at each time as follows: for each edge $e \in E$, a sender $i \in \phi(e)$ can be selected to send a unit ($\log q$ bits) of information noiselessly to any chosen receiver $j \in \phi(e)$. □

This network coding approach to secret key agreement is indeed optimal, i.e. the maximum throughput of the network attains the secrecy capacity, as a consequence of the tree packing result [7] of Tutte and Nash-Williams and its extension [8][6] to hypergraphs summarized below.

Proposition 2.3 Given a hypergraph $H := (V, E, \phi)$, let $n := \min\{i \in [|V|] : i\, p^+(H) \in \mathbb{N}\}$ and $\tilde{H} := (V, \tilde{E}, \tilde{\phi})$ be the $n$-extended hypergraph with

$$\tilde{E} := \{(e, t) : e \in E, t \in [n]\} \tag{2.8a}$$

$$\tilde{\phi}(\tilde{e}) := \phi(e) \quad \forall \tilde{e} \in \tilde{E}, e \in E : \exists t \in [n],\ \tilde{e} = (e, t) \tag{2.8b}$$

Then, $n \leq |V| - 1$, $p^+(\tilde{H}) = n\, p^+(H)$ by (2.5), and

1) $\tilde{H}$ can be represented by a graph $G := (V, \tilde{E}, \theta)$ in the following sense: $p^+(G) = p^+(\tilde{H})$ and for all $\tilde{e} \in \tilde{E}$, $\theta(\tilde{e}) \subseteq \tilde{\phi}(\tilde{e}) : 1 \leq |\theta(\tilde{e})| \leq 2$.

2) Up to $p^+(G)$ edge-disjoint spanning trees can be packed in $G$, i.e. there exist spanning trees $T_j := (V, \tilde{E}_j, \theta)$ for $j \in [p^+(G)]$ with disjoint edge sets $\tilde{E}_j \subseteq \tilde{E}$.

3) For all optimal $\mathcal{P}^* \in \Pi$ that attain the minimum in (2.5b) and any excess edge $\tilde{e}^* \in \tilde{E} \setminus \bigcup_{j \in [p^+(G)]} \tilde{E}_j$ not used in a maximal tree packing, $\exists C \in \mathcal{P}^*,\ C \supseteq \tilde{\phi}(\tilde{e}^*)$. □

PROOF 1) follows from [6, Lemma 3.1 and Theorems 4.2, 5.1]. 2) follows from the Disjoint Tree Theorem [7, Corollary 51.1a] of Tutte and Nash-Williams. 3) Suppose to the contrary that for some optimal $\mathcal{P}^*$ and excess edge $\tilde{e}^*$, we have $C \not\supseteq \tilde{\phi}(\tilde{e}^*)$ for all $C \in \mathcal{P}^*$. Then

$$|\delta_{\tilde{H}}(\mathcal{P}^*)| = \Big|\{\tilde{e} \in \tilde{E} : \forall C \in \mathcal{P}^*,\ C \not\supseteq \tilde{\phi}(\tilde{e})\}\Big| \overset{(a)}{>} \Big|\Big\{\tilde{e} \in \bigcup_{j \in [p^+(G)]} \tilde{E}_j : \forall C \in \mathcal{P}^*,\ C \not\supseteq \tilde{\phi}(\tilde{e})\Big\}\Big| \overset{(b)}{=} (|\mathcal{P}^*| - 1)\, p^+(G)$$

where (a) is by excluding $\tilde{e}^*$ and (b) is because each spanning tree $T_j$ contributes $(|\mathcal{P}^*| - 1)$ distinct crossing edges. Substituting $p^+(G) = n\, p^+(H)$ and $|\delta_{\tilde{H}}(\mathcal{P}^*)| = n\, |\delta_H(\mathcal{P}^*)|$ into the last inequality, we have the desired contradiction to the optimality of $\mathcal{P}^*$. ■

Since every spanning tree packed in $H$ supports one unit of secret information flow from any designated root terminal to all other terminals, the tree packing result implies that $p^+(H)$ units of secret key can be broadcast to all terminals in total, achieving the secrecy capacity. We now have the desired interpretation of mutual dependence as the secret information flow in a broadcast session of a network with selectable links. The optimal partition $\mathcal{P}^*$ to (2.5b) also has the intuitive meaning of classes of well-connected terminals: two terminals must be in the same class in any optimal $\mathcal{P}^*$ if there is an excess private link between them. This connects and extends the results of [6][8][9][10].

Theorem 2.1 Given a hypergraph $H$ with strength $p^+(H)$ defined in (2.5), let $C_{N,sl}$ be the maximum throughput of a broadcast session of the delay-free network with selectable links defined in Definition 2.3, and $C_{S,if}$ be the secrecy capacity of the interference network defined in Definition 2.2. Then

$$C_{N,sl} = C_{S,if} = (\log q)\, p^+(H)$$

Furthermore, the maximum throughput and secrecy capacity can be attained non-asymptotically with delay at most $|V| - 1$. The maximum throughput, in particular, can be achieved by routing. □

Example 2.1 For the interference network defined in Definition 2.2, let $G$ be the binary field $\mathbb{F}_2$, and $H := (V, E, \phi)$ be the hypergraph on $V = [3]$ with edge $E := \{123\}$ and $\phi(123) = \{1, 2, 3\}$. From (2.4), $Z_3 = Z_1 + Z_2$. Since $p^+(H) = 1/2$, $H$ can be extended as described in Proposition 2.3 to $\tilde{H} := (V, \tilde{E}, \tilde{\phi})$ with $n = 2$, and represented by the graph $G := (V, \tilde{E}, \theta)$ that can be maximally packed with $p^+(G) = 1$ spanning tree $T_1 := (V, \tilde{E}_1, \theta)$, where

$$\tilde{E} = \tilde{E}_1 := \{(123, 1), (123, 2)\}, \qquad \theta((123, 1)) := \{1, 2\} \text{ and } \theta((123, 2)) := \{1, 3\}$$

Thus, one secret key bit $K$ can be propagated from terminal 1 through the tree network $T_1$ to terminals 2 and 3. In particular, we can have $K$ set to $Z_1^{(123,1)}$ and the public messages $Z_1^{(123,1)} + Z_1^{(123,2)}$, $Z_2^{(123,2)}$ and $Z_3^{(123,1)}$ revealed by terminals 1, 2 and 3 respectively. Terminals 2 and 3 can recover $K$ by the linear operations $Z_2^{(123,1)} + Z_3^{(123,1)}$ and $Z_3^{(123,2)} + Z_2^{(123,2)} + \big(Z_1^{(123,1)} + Z_1^{(123,2)}\big)$ respectively. $K$ is perfectly secret because $Z_1^{(123,1)}$ is independent of the public messages. □
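The public discussion of Example 2.1, as an added example that is not code from the paper: it enumerates every realisation of the two extended edges $(123,1)$ and $(123,2)$ over $\mathbb{F}_2$, runs the scheme above, and checks both recovery of $K$ at terminals 2 and 3 and perfect secrecy of $K$ against the public messages. Function names are my own.

```python
"""Interference network of Example 2.1 over F2 with the selectable-link scheme.

Added example (not code from the paper). Each extended edge (123,t) is a copy of
the interference edge with Z_1 + Z_2 + Z_3 = 0 over F2 (constraint (2.4)).
"""
from itertools import product
from collections import Counter


def interference_edge_realisations():
    """All (Z_1, Z_2, Z_3) in F2^3 with Z_1 + Z_2 + Z_3 = 0.
    Any two coordinates are free and uniform; (2.4) fixes the third."""
    return [(a, b, a ^ b) for a, b in product((0, 1), repeat=2)]


def run_scheme(copy1, copy2):
    """One use of the network. copyT = (Z_1, Z_2, Z_3) for extended edge (123,T).
    Returns (key K, public messages, key recovered by 2, key recovered by 3)."""
    z1_1, z2_1, z3_1 = copy1   # edge (123,1): link 1 -> 2, terminal 3 reveals its share
    z1_2, z2_2, z3_2 = copy2   # edge (123,2): link 1 -> 3, terminal 2 reveals its share
    key = z1_1                 # K := Z_1^{(123,1)}
    public = {
        "t1": z1_1 ^ z1_2,     # terminal 1: cryptogram K + Z_1^{(123,2)} for the link to 3
        "t2": z2_2,            # terminal 2 reveals Z_2^{(123,2)}
        "t3": z3_1,            # terminal 3 reveals Z_3^{(123,1)}
    }
    # terminal 2 owns Z_2^{(123,1)}; by (2.4), Z_1^{(123,1)} = Z_2^{(123,1)} + Z_3^{(123,1)}
    k_at_2 = z2_1 ^ public["t3"]
    # terminal 3 owns Z_3^{(123,2)}; it recovers Z_1^{(123,2)} = Z_3^{(123,2)} + Z_2^{(123,2)}
    # and strips it from terminal 1's cryptogram
    k_at_3 = z3_2 ^ public["t2"] ^ public["t1"]
    return key, public, k_at_2, k_at_3


def check_example_2_1():
    """Exhaustive check over all 16 realisations: recovery by terminals 2 and 3,
    and perfect secrecy of K, i.e. I(K ^ public messages) = 0."""
    joint = Counter()
    for c1 in interference_edge_realisations():
        for c2 in interference_edge_realisations():
            key, public, k2, k3 = run_scheme(c1, c2)
            if k2 != key or k3 != key:
                return False
            joint[(tuple(sorted(public.items())), key)] += 1
    # zero mutual information iff every public transcript is equally likely under K=0 and K=1
    transcripts = {p for p, _ in joint}
    return all(joint[(p, 0)] == joint[(p, 1)] for p in transcripts)


if __name__ == "__main__":
    print("Example 2.1 scheme verified:", check_example_2_1())
```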


B. Broadcast Network

We now show another class of emulated source networks for which the mutual dependence has a different interpretation of connectivity, and can be mapped to a network coding problem with undirected broadcast links.

Definition 2.4 (Broadcast Network) Given $H := (V, E, \phi)$ and a finite field $\mathbb{F}_q$ of order $q$, terminal $i \in V$ observes

$$Z_i := \{Z_e : e \in E, i \in \phi(e)\} \tag{2.9}$$

where $(Z_e : e \in E)$ is uniformly distributed over $\mathbb{F}_q^{|E|}$. □

Proposition 2.4 The mutual dependence of the broadcast network in Definition 2.4 is $(\log q)\, p^-(H)$ where

$$p^-(H) := \min_{\mathcal{P} \in \Pi} \frac{\sum_{C \in \mathcal{P}} |\delta^-_{H^*}(C)|}{|\mathcal{P}| - 1} \tag{2.10a}$$

$$\phantom{p^-(H) :} = \min_{\mathcal{P} \in \Pi} \frac{\sum_{e \in E} \big(|\pi_{\mathcal{P}}(\phi(e))| - 1\big)}{|\mathcal{P}| - 1} \tag{2.10b}$$

$H^* := (V, E, \phi, \rho)$ is any star hypergraph of $H$,

$$\delta^-_{H^*}(C) := \{e \in E : \rho(e) \in C^c \not\supseteq \phi(e)\} \tag{2.11}$$

$$\pi_{\mathcal{P}}(\phi(e)) := \{C \cap \phi(e) : C \in \mathcal{P}\} \setminus \{\emptyset\} \tag{2.12}$$

are the in-cut of $C$ and the partition of $e$ respectively. □

PROOF The broadcast network is a special emulated source network in Definition 2.1 with

$$Y_i := (Z_e : e \in E, i \in \phi(e) \setminus \{\rho(e)\}), \qquad X_i := (Z_e : e \in E, i = \rho(e))$$

for any arbitrary orientation $\rho$ of $H$. With the equalities

$$I(X_{C^c} \wedge Y_C \mid X_C) = H(Y_C \mid X_C) = |\delta^-_{H^*}(C)|$$

and

$$\sum_{C \in \mathcal{P}} |\delta^-_{H^*}(C)| = \sum_{e \in E} \sum_{C \not\ni \rho(e)} \mathbb{1}\{C^c \not\supseteq \phi(e)\} = \sum_{e \in E} \big(|\pi_{\mathcal{P}}(\phi(e))| - 1\big)$$

the desired result follows from Proposition 2.1. ■

$p^-(H)$ expresses an alternative notion of connectivity: the maximum $x \in \mathbb{Q}$ such that every partitioning of the vertices $V$ into $k$ parts splits the edges into a total of at least $\lceil x(k-1) \rceil$ additional parts for any $k \in [|V|]$. Each edge in $H$ corresponds to a broadcast link of secret information flow as follows.

Hyperedge as undirected broadcast link: Given an edge $e$, select a sender $i \in \phi(e)$ to encrypt an independent secret $M \in \mathbb{F}_q$ into the public message $M + Z_e$. The remaining terminals in $\phi(e)$ can perfectly recover $M$ knowing $Z_e$. Since $Z_e$ is uniformly distributed, the encryption is perfectly secret. We effectively have a private broadcast link from $i$ to $\phi(e) \setminus \{i\}$ with unit capacity. Viewing each edge as a broadcast link, the terminals can agree on a common secret key by broadcasting it through the network. In particular, at least one unit of secret information flow to all terminals is supported by an edge-connected spanning subhypergraph defined as follows.

Edge-connected spanning subhypergraphs: An edge-connected spanning subhypergraph $H' := (V, E', \phi)$ of a hypergraph $(V, E, \phi)$ satisfies $E' \subseteq E$, $\bigcup_{e \in E'} \phi(e) = V$ and $|\delta_{H'}(C, C^c)| \geq 1$ for every $C \subsetneq V$.

Definition 2.5 (Network with undirected broadcast links) A network with undirected broadcast links defined by the hypergraph $H = (V, E, \phi)$ is used at each time as follows: for all $e \in E$, a sender $i \in \phi(e)$ can be selected to send a unit ($\log q$ bits) of data noiselessly to all receivers $j \in \phi(e)$. □

Although there is no analogous packing result to Proposition 2.3, this network coding approach to secret key agreement is also optimal by the following min-cut characterization of $p^-(\tilde{H})$ in [6, Theorem 5.2].

Min-cut characterization of $p^-(\tilde{H})$: For any $s \in V$, there is a star hypergraph $\tilde{H}^*$ of the extension $\tilde{H}$ of $H$ (defined in (2.8) with $p^+$ replaced by $p^-$) such that $|\delta^+_{\tilde{H}^*}(C)| \geq p^-(\tilde{H})$ for any $C \subsetneq V : s \in C$.
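To make Definition 1.1, (2.5b) and (2.10b) concrete, the following added example (not code from the paper) enumerates set partitions by brute force and evaluates the mutual dependence of a DMMS given as equiprobable joint samples, together with the strengths $p^+(H)$ and $p^-(H)$. It checks Proposition 2.2 on the interference network of Example 2.1 and Proposition 2.4 on the broadcast network of Example 2.2 below; the sample sets and function names are my own constructions.

```python
"""Partition-based quantities of the paper, added as an example (not the authors' code).

mutual_dependence evaluates (1.2) using D(P_{Z_V} || prod_C P_{Z_C}) = sum_C H(Z_C) - H(Z_V);
strength_plus is (2.5b) and strength_minus is (2.10b).  Brute force over set partitions,
so only meant for small |V|.
"""
from itertools import product
from math import log2
from collections import Counter


def set_partitions(elements):
    """Yield every partition of `elements` into non-empty blocks (lists of frozensets)."""
    elements = list(elements)
    if not elements:
        yield []
        return
    first, rest = elements[0], elements[1:]
    for smaller in set_partitions(rest):
        # put `first` into an existing block, or into a new block of its own
        for i, block in enumerate(smaller):
            yield smaller[:i] + [block | {first}] + smaller[i + 1:]
        yield [frozenset([first])] + smaller


def entropy_bits(samples, coords):
    """Entropy (bits) of the coordinates `coords` under the uniform law on `samples`."""
    counts = Counter(tuple(s[i] for i in coords) for s in samples)
    n = len(samples)
    return -sum(c / n * log2(c / n) for c in counts.values())


def mutual_dependence(samples, V):
    """I(Z_V) of Definition 1.1, in bits. Returns (value, minimising partition)."""
    h_all = entropy_bits(samples, V)
    best = None
    for P in set_partitions(V):
        if len(P) < 2:              # Pi only contains partitions into >= 2 parts
            continue
        divergence = sum(entropy_bits(samples, sorted(C)) for C in P) - h_all
        val = divergence / (len(P) - 1)
        if best is None or val < best[0] - 1e-12:
            best = (val, set(P))
    return best


def strength_plus(V, edges):
    """p^+(H) by (2.5b): min over P of |delta_H(P)| / (|P| - 1)."""
    best = None
    for P in set_partitions(V):
        if len(P) < 2:
            continue
        crossing = sum(1 for e in edges if all(not C >= e for C in P))  # (2.7)
        val = crossing / (len(P) - 1)
        best = val if best is None else min(best, val)
    return best


def strength_minus(V, edges):
    """p^-(H) by (2.10b): min over P of sum_e (|pi_P(phi(e))| - 1) / (|P| - 1)."""
    best = None
    for P in set_partitions(V):
        if len(P) < 2:
            continue
        split = sum(sum(1 for C in P if C & e) - 1 for e in edges)      # (2.12)
        val = split / (len(P) - 1)
        best = val if best is None else min(best, val)
    return best


# Example 2.1: interference network on V = [3], single edge 123 over F2 (constructed).
V3 = [1, 2, 3]
E3 = [frozenset({1, 2, 3})]
# Z_1, Z_2 are free and uniform; (2.4) forces Z_3 = Z_1 + Z_2.
IF_SAMPLES = [{1: a, 2: b, 3: a ^ b} for a, b in product((0, 1), repeat=2)]

# Example 2.2: broadcast network on V = [4], edges 123, 134, 124 over F2 (constructed).
V4 = [1, 2, 3, 4]
E4 = [frozenset({1, 2, 3}), frozenset({1, 3, 4}), frozenset({1, 2, 4})]
# terminal i observes Z_e for every edge e containing i, as in (2.9)
BC_SAMPLES = [
    {i: tuple(z[k] for k, e in enumerate(E4) if i in e) for i in V4}
    for z in product((0, 1), repeat=len(E4))
]

if __name__ == "__main__":
    print("Example 2.1: I(Z_V) =", mutual_dependence(IF_SAMPLES, V3)[0], "bits,",
          "p^+(H) =", strength_plus(V3, E3))
    print("Example 2.2: I(Z_V) =", mutual_dependence(BC_SAMPLES, V4)[0], "bits,",
          "p^-(H) =", strength_minus(V4, E4))
```

With $q = 2$, $\log q = 1$ bit, so the two printed pairs coincide, as Propositions 2.2 and 2.4 predict.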

Theorem 2.2 Given a hypergraph $H$ with $p^-(H)$ defined in (2.10), let $C_{N,ub}$ be the maximum throughput of a broadcast session of the delay-free network with undirected broadcast links in Definition 2.5, and $C_{S,bc}$ be the secrecy capacity of the broadcast network defined in Definition 2.4. Then

$$C_{N,ub} = C_{S,bc} = (\log q)\, p^-(H)$$

Furthermore, the maximum throughput and secrecy capacity can be attained asymptotically with finite delay at most $\frac{3}{2}\, |V|\, |E|\, p^-(H) \log_q |V|\, p^-(H)\, q$. The throughput, in particular, can be achieved by the convolutional code in [11]. □

PROOF (SKETCH FROM [1]) This result follows from an extension of the algebraic argument in [11] using the extension [6, Theorem 4.1] of Menger's Theorem for star hypergraphs. The delay is the product $nk(\mu + 1)$ of the extension $n$ to turn $H$ into $\tilde{H}$, the extension $k$ to turn the field $\mathbb{F}_q$ into $\mathbb{F}_{q^k}$ for existence of the desired network code, and the delay $\mu$ required to avoid cyclic dependency in the information flow of the network. ■

In the following, we give a simple example for which one cannot decompose any extension $\tilde{H}$ of $H$ into $p^-(\tilde{H})$ spanning edge-connected subhypergraphs. This implies that coding may be necessary to attain the maximum throughput of the network with undirected broadcast links in a broadcast session.

Example 2.2 For the broadcast network defined in Definition 2.4, let $q = 2$ and $H := (V, E, \phi)$ be the hypergraph on $V = [4]$ with edges $E := \{123, 134, 124\}$ and $\phi(ijk) := \{i, j, k\}$ for $i, j, k \in V$. Then $p^-(H) = 2$, but it is not possible to pack two spanning edge-connected subhypergraphs, for that requires four edges. Indeed, we can maximally pack three spanning edge-connected subhypergraphs $H_i := (V, \tilde{E}_i, \tilde{\phi})$ for $i \in [3]$ after extending $H$ with $n = 2$, where $\tilde{E}_1 := \{(123, 1), (134, 1)\}$, $\tilde{E}_2 := \{(124, 1), (123, 2)\}$ and $\tilde{E}_3 := \{(134, 2), (124, 2)\}$. Thus, a pure routing solution only achieves a key rate of 1.5 bits per use of the broadcast network in Definition 2.4.


Let $H^* := (V, E, \phi, \rho)$ be the star hypergraph of $H$ where $\rho(e) = 1$ for all $e \in E$. n.b. it satisfies $|\delta^+_{H^*}(C)| \geq 2$ for all $C \subseteq V : s \in C$. We can propagate two secret key bits $K_1, K_2 \in \mathbb{F}_2$ from $s := 1$ using the following linear network code: send $K_1$ through the broadcast link 123, $K_2$ through 134, and $K_1 + K_2$ through 124. Since every terminal has access to at least two links, they can recover the key bits perfectly. □

III. RELATED WORK

(Please see [1] for details.) Consider the more general secret key agreement problem in [2] where only a subset $A \subseteq V$ of the terminals are active. As shown in [2], the inequality $\leq$ in (1.3) holds with $\mathcal{F}$ replaced by

$$\mathcal{F}(A) := \{B \subseteq V : \emptyset \neq B \not\supseteq A\}$$

Theorem 1.1 asserts that equality holds for $A = V$. However, equality may not hold when $A \subsetneq V$, as shown by the counterexample below.⁴ This resolves an open question in [2].

Example 3.1 Given uniformly random bits $X_1, X_2$ and $X_3$ in $\mathbb{F}_2$, define the source network $Z_V$ for $V := [6]$ as follows: $Z_1 := X_1 + X_2$, $Z_2 := X_1 + X_3$, $Z_3 := X_2 + X_3$, $Z_4 = X_3$, $Z_5 = X_2$ and $Z_6 = X_1$. With $A := [3]$, the mutual dependence in (1.2) (with $\mathcal{F}$ replaced by $\mathcal{F}(A)$) and the secrecy capacity on the R.H.S. of (1.3) are 1 bit and 0.75 bits respectively. □

⁴ This is also the minimal example, in lexicographical order of $(|V|, |A|)$.

Indeed, Theorem 1.1 can be extended in a slightly different direction to a general identity for supermodular function optimizations using the following notion of partitions.

Definition 3.1 Given a finite ground set $V : |V| \geq 2$, define $\Phi(A)$ for $A \subseteq V : |A| \geq 2$ as the collection of all families $\mathcal{F} \subseteq 2^V \setminus \{V\}$ that satisfy, for all $B, B' \in \mathcal{F}$,

$$B \not\supseteq A \text{ and } B \cup B' \not\supseteq A \implies B \cap B',\ B \cup B' \in \mathcal{F}$$

It follows that $\Phi(A) \subsetneq \Phi(A')$ for all $A \subsetneq A'$. In particular, $\mathcal{F}(A') \in \Phi(A') \setminus \Phi(A)$ and $\mathcal{F} := 2^V \setminus \{V\} = \mathcal{F}(V) \in \Phi(V)$. Denote $\bar{\mathcal{F}} := \{B^c : B \in \mathcal{F}\}$. Define $\Pi(\mathcal{F}, U)$ for $\mathcal{F} \in \Phi(V)$ and $U \subseteq V$ as the collection of all families $\mathcal{P}$ such that $\{C \cap U : C \in \mathcal{P}\}$ is a set-partition of $U$ into at least 2 non-empty disjoint sets in $\bar{\mathcal{F}}$, i.e.

$$\mathcal{P} \subseteq \bar{\mathcal{F}} : |\mathcal{P}| \geq 2,\ \bigcup \mathcal{P} \supseteq U \text{ and } \forall i \in U,\ \exists! C \in \mathcal{P} : i \in C$$

It follows that $\Pi(\mathcal{F}, U) \supseteq \Pi(\mathcal{F}, U')$ for all $U \subseteq U'$. Define $\Lambda(\mathcal{F}, U)$ as the set of $\lambda := (\lambda_B : B \in \mathcal{F})$ satisfying

$$\forall B \in \mathcal{F},\ \lambda_B \geq 0 \quad \text{and} \quad \forall i \in U,\ \sum_{B \in \mathcal{F} : i \in B} \lambda_B = 1$$

It follows that $\Lambda(\mathcal{F}, U) \supseteq \Lambda(\mathcal{F}, U')$ for all $U \subseteq U'$. □

Theorem 3.1 Given a finite ground set $V : |V| \geq 2$, we have for all $A \subseteq V : |A| \geq 2$, $\mathcal{F} \in \Phi(A)$, and supermodular function $h : \mathcal{F} \to \mathbb{R}$ that

$$\max_{\lambda \in \Lambda(\mathcal{F}, A)} \sum_{B \in \mathcal{F}} \lambda_B\, h(B) = \max_{\mathcal{P} \in \Pi(\mathcal{F}, A)} \frac{1}{|\mathcal{P}| - 1} \sum_{C \in \mathcal{P}} h(C^c) \tag{3.1}$$

with the convention that the max over an empty set is $-\infty$.⁵ □

⁵ This gives as a corollary that $\Lambda(\mathcal{F}, A) = \emptyset$ iff $\Pi(\mathcal{F}, A) = \emptyset$.

Given that $A$ is the set of active users, let $C^A_{S,esn}$, $C^A_{S,if}$ and $C^A_{S,bc}$ be the secrecy capacities of the emulated source model, interference network and broadcast network respectively, and $C^A_{N,sl}$ and $C^A_{N,ub}$ be the maximum throughput of the multicast session from some source node $s \in A$ to all other nodes in $A$ for the networks with selectable links and undirected broadcast links respectively. Then

$$C^A_{S,esn} = (\log q) \min_{\lambda \in \Lambda(\mathcal{F}(A), V)} \sum_{B \in \mathcal{F}(A)} \lambda_B\, I(X_B \wedge Y_{B^c} \mid X_{B^c})$$

$$C^A_{N,sl} \overset{(a)}{\leq} C^A_{S,if} = (\log q) \min_{\lambda \in \Lambda(\mathcal{F}(A), V)} \sum_{B \in \mathcal{F}(A)} \lambda_B\, |\delta^-_{H^*}(B)|$$

$$C^A_{N,ub} \overset{(b)}{\leq} C^A_{S,bc} = (\log q) \min_{\lambda \in \Lambda(\mathcal{F}(A), V)} \sum_{B \in \mathcal{F}(A)} \lambda_B\, |\delta^+_{H^*}(B)|$$

which are invariant to any star hypergraph $H^*$ of $H$. The inequalities hold because the secret key agreement problem can be mapped to the corresponding network coding problem in the same way described before. We can also derive (b) using an alternative combinatorial argument since we have

$$C^A_{N,ub} \overset{(c)}{=} \max_{n, \tilde{\rho}} \Big(\tfrac{1}{n} \log q\Big) \min_{B \subseteq V : s \in B \not\supseteq A} |\delta^+_{\tilde{H}^*}(B)| \overset{(d)}{=} \max_{n, \tilde{\rho}} \Big(\tfrac{1}{n} \log q\Big) \min_{\mathcal{P} \in \Pi(\mathcal{F}(A), A)} \frac{1}{|\mathcal{P}| - 1} \sum_{C \in \mathcal{P}} |\delta^-_{\tilde{H}^*}(C)|$$

where $\tilde{\rho}$ is the orientation of the $n$-extension $\tilde{H}$ of $H$. (c) and (d) are obtained by extending [11, Theorem 15] and [6, Theorem 5.2] respectively. (b) then follows from Theorem 3.1 and the fact that $\Lambda(\mathcal{F}(A), A) \supsetneq \Lambda(\mathcal{F}(A), V)$. For the general class of networks with both selectable links and undirected broadcast links, however, secrecy capacities conveniently upper bound maximum throughputs, with no obvious alternative proof.

ACKNOWLEDGMENT

The author would like to thank Barış Nakiboğlu, Imre Csiszár, Jeff Kahn, Michel X. Goemans, Stephen P. Boyd, Anthony M.C. So, Angela Y.J. Zhang, Sidharth Jaggi and Raymond W.H. Yeung for stimulating discussions.

REFERENCES

[1] C. Chan, "Generating secret in a network," Ph.D. dissertation, Massachusetts Institute of Technology, 2010.

[2] I. Csiszár and P. Narayan, "Secrecy capacities for multiple terminals," IEEE Transactions on Information Theory, vol. 50, no. 12, Dec. 2004.

[3] T. M. Cover and J. A. Thomas, Elements of Information Theory. Wiley-Interscience, 1991.

[4] S. Fujishige, "Polymatroidal dependence structure of a set of random variables," Information and Control, vol. 39, no. 1, pp. 55–72, 1978.

[5] G. B. Dantzig and M. N. Thapa, Linear Programming 1: Introduction. Springer-Verlag New York, 1997–2003.

[6] J. Bang-Jensen and S. Thomassé, "Decompositions and orientations of hypergraphs," Preprint no. 10, Department of Mathematics and Computer Science, University of Southern Denmark, May 2001.

[7] A. Schrijver, Combinatorial Optimization: Polyhedra and Efficiency. Springer, 2002.

[8] T. K. A. Frank and M. Kriesell, "On decomposing a hypergraph into k-connected sub-hypergraphs," Discrete Applied Mathematics, vol. 131, no. 2, pp. 373–383, Sept. 2003.

[9] C. Ye and A. Reznik, "Group secret key generation algorithms," in IEEE International Symposium on Information Theory, June 2007, pp. 2596–2600.

[10] Z. Li and B. Li, "Network coding in undirected networks," in Proceedings of the 38th Annual Conference on Information Sciences and Systems (CISS), 2004.

[11] R. Koetter and M. Médard, "An algebraic approach to network coding," IEEE/ACM Transactions on Networking, vol. 11, no. 5, Oct. 2003.
