Achieving SK Capacity in the Source Model: When Must All Terminals Talk? Manuj Mukherjee† Navin Kashyap† Yogesh Sankarasubramaniam‡ Abstract—In thispaper,we addresstheproblemof character- of interest to us is the following: characterize the instances izing the instances of the multiterminal source model of Csisza´r of the multiterminal source model in which omnivocality is and Narayan in which communication from all terminals is necessary for maximal-rate SK generation. In this paper, we 4 needed for establishing a secret key of maximum rate. We give report partial progress made towards such a characterization. 1 an information-theoreticsufficientcondition for identifyingsuch 0 instances. We believe that our sufficient condition is in fact an The paper is organized as follows. After establishing the 2 exact characterization, but we are only able to prove this in the required notation and background in Section II, we give, in caseofthethree-terminalsourcemodel.Wealsogivearelatively SectionIII, asufficientconditionunderwhichomnivocalityis n simple criterion for determining whether or not our condition a necessary for achieving SK capacity in a source model with holds for a given multiterminal source model. J m ≥ 3 terminals. This condition is satisfied, for example, in 0 I. INTRODUCTION the case of the complete graph pairwise independentnetwork 2 (PIN) model of Nitinawarat and Narayan [7]. We conjecture We are concerned with the multiterminal source model of that our sufficient condition is also necessary, but at present, ] Csisza´r and Narayan [3], which can be briefly described as T we can only prove this in the m = 3 case. Finally, in follows. There are a certain number, m ≥ 2, of terminals, I SectionIV,wegivea usefulcriterionforcheckingwhetheror . each of which observes a distinct component of a source of s not our condition holds for a given source model. c correlated randomness. The terminals must agree on a shared [ SK by communicating over a noiseless public channel. This II. PRELIMINARIES key must be protected from a passive eavesdropper having 1 Throughout,weuseNtodenotethesetofpositiveintegers. v access to the public communication. The SK capacity, which In the multiterminal source model [3], a set of m ≥ 2 7 is the supremum of the rates of SKs that can be generated, 3 has been characterized in various ways [2], [3], [7]. What is terminals, denoted by [m] , {1,2,...,m}, has access to a 0 source (Xn,Xn,...,Xn), n∈N, where Xn denotesn i.i.d. less well-understood is the nature of public communication 1 2 m i 5 copies of a random variable (rv) X taking values in a finite that is needed to achieve SK capacity in this model. In a i . 1 companionpaper[6],wegavealowerboundontheminimum setXi.ThervsX1,X2,...,Xm areingeneralcorrelated,and 0 foreachi∈[m],theithterminalobservesonlythecomponent rate of communication required to generate a maximal-rate 4 Xn. For any subset A ⊆ [m], we will use X to denote the 1 (i.e., capacity-achieving)SK, building upon the prior work of i A collection of rvs (X : i ∈ A), and p to denote their joint : Tyagi[9]onthetwo-terminalmodel.Inthispaper,weaddress i XA v probability mass function. arelatedquestion:whenmustallmterminalsnecessarilyhave i X to communicate in order to generate a maximal-rate SK? The terminals communicate through a noiseless public channel, any communicationsent throughwhich is accessible r It is well known that, in order to generate a maximal-rate a to all terminals and to potential eavesdroppers as well. The SKinthetwo-terminalmodel(m=2),itissufficientforonly terminals communicate in a round-robin fashion, following oneterminaltocommunicate[1],[5],[3].Allthisterminalhas thecyclicorder(1,2,...,m).Anytransmissionsentbytheith to do is convey its local observations to the other terminal at terminalisadeterministicfunctionofXn andalltheprevious the least possible rate of communication required to do so. i communication.Formally,avalidcommunicationisafinitely- Thus, when m = 2, it is never necessary for both terminals supported random vector F = (F ,F ,...,F ), r ∈ N, with to communicate to generate a capacity-achieving SK. Even 1 2 r F denoting a communication sent by the terminal i ∈ [m] when m > 2, there are examples wherein not all terminals j withi≡j(mod m),andH(F |F ,...,F ,Xn)=0.The need to communicate — see remark following Theorem 1 in j 1 j−1 i rate of the communicationis taken to be 1 log |F|, where F [3].However,aswewillshowinthispaper,thereareplentyof n 2 is the finite set on which F is supported. Terminal i∈[m] is otherexampleswhereallterminalsmustcommunicateinorder said to be silent if F = 0 (with probability 1) for all j ≡ i toachieveSKcapacity.Wecointheterm“omnivocality”tode- j (mod m). An omnivocal communication is one in which no scribethestate whenallterminalscommunicate.Theproblem terminal is silent. †M. Mukherjee and N. Kashyap are with the Department of Electrical Given an ǫ>0, we say that an rv U is ǫ-recoverable from Communication Engineering, Indian Institute of Science, Bangalore. Email: an rv V if there exists a function g of V such that Pr[U = {manuj,nkashyap}@ece.iisc.ernet.in. g(V)]≥1−ǫ. ‡Email:[email protected] Definition 1. For any ǫ > 0, an ǫ-SK for [m] is an rv K = allowed to communicate, while terminals in [m] \ T must K(n)(Xn ), for some n ∈ N, such that there exists a valid remainsilent.Thus,wearerestrictedtovalidcommunications [m] communication F with the following properties: Finwhichtheterminalsin[m]\T aresilent,butwhichallow (i) I(K;F)≤ǫ; and all m terminalsto agree upona weak SK. In other words, we (ii) K is ǫ-recoverable from (Xn,F) for each i∈[m]. only consider weak ǫ-SKs for [m] that are obtainable through i The rate of this ǫ-SK is given by 1H(K). valid communicationsF in which all terminals in [m]\T are n silent. Thesupremumof ratesachievableby suchSKs will be A real number R ≥ 0 is an achievable SK rate if for denoted by C([m]kT). any ǫ > 0, there exists an ǫ-SK of rate greater than R−ǫ. The SK capacity C([m]) is defined as the supremum of all Theorem1 ([4],Theorem6). C([m]kT)=H(XT)−RT(min), achievable SK rates. The SK capacity can be expressedas [2, where R(min) = min R , the rate region R being the Theorem 1.1] (see also [3, Eq. (26)]) T R∈RT i∈T i T set of all points R=(RX,i∈T) such that i 1 C([m])=I(X[m]),mPin|P|−1D pX[m] k pXA! Ri ≥H(XA∩T|XAc) ∀A([m], A∩T 6=∅. AY∈P (1) i∈XA∩T the minimumbeing taken overall partitionsP of [m], of size Note that if C([m]) > C([m]kT) for all T ⊂ [m] of size |P| ≥ 2. The quantity D(·k·) denotes relative entropy, and |T| = m−1, then omnivocality is necessary for achieving for a partition P = {A ,...,A }, the notation p 1 k A∈P XA SK capacity. Thus, our approach for showing that omnivocal represents the product p ×···×p . Note that when m=2, the quantity I(XXA)1 defined inX(1A)ksimplyQreduces to communicationisneededincertaincasesisto useTheorem1 [m] the mutual information I(X ;X ). Thus, I(X ) should be to prove that C([m]) > C([m]kT) for all (m − 1)-subsets viewed as a multiparty exten1sion2of mutual inf[omr]mation. T ⊂ [m]. For this, we will need a lower bound on RT(min) when |T| = m−1. To prove this bound, we use a simpler Before proceeding further, a couple of clarifications con- characterization (than that given in Theorem 1) of the rate cerning Definition 1 are needed. We have adopted the notion region R when |T|=m−1. of strong secrecy (property (i) in the definition), as opposed T to weak secrecy, which only requires 1I(K;F) ≤ ǫ. All the Lemma 2. Let T = [m]\{u} for some u ∈ [m]. The rate n results proved in this paper would hold just as well under region R is the set of all points (R , i∈T) such that T i either type of secrecy. In particular, our main result shows R ≥H(X |X ) ∀B (T,B 6=∅, (2) that omnivocal communication is necessary for achieving i B T\B SK capacity if a certain condition on the singleton partition iX∈B S is satisfied. Our proof of this result relies only on the and R ≥H(X |X ). i T u expression for SK capacity given in (1), which remains the i∈T same under both forms of secrecy [3], and on a theorem of X Proof:ObservethatR isdefinedbyconstraintsonsums GohariandAnantharam[4],whichis statedandprovedunder T of the form R for non-empty subsets B ⊆ T. When the weak secrecy notion. Thus, our proof in fact shows that i∈B i B =T, the constraint is simply R ≥H(X |X ). omnivocal communication is necessary even under a weak P i∈T i T u Now, consider any non-empty B ( T. From Theorem 1, secrecy requirement on SKs. P we see that constraints on R arise as constraints on i∈B i A second clarification concerning Definition 1 is that, R in two ways: when A = B and when A = B ∪ usually, the definition of an ǫ-SK includes an additional {ui}∈.AT∩hTus,iwe have two conPstraints on R : requirement that K be almost uniformly distributed over its P i∈B i alphabet K, i.e., H(K) ≥ log|K|−ǫ [3]. However, this can R ≥H(X |X P), i B [m]\B always be dropped without affecting SK capacity — see e.g., i∈B X the discussion on p. 3976 in [4]. obtained when A=B, and Asmentionedabove,wemakeuseofaresultofGohariand R ≥H(X |X ), Anantharam[4,Theorem6]insomeofourproofs.Tostatethis i B T\B result,we explicitlydefinea weakǫ-SK for[m] to beanrvK iX∈B as in Definition 1, except that the strong secrecy condition (i) obtained when A = B ∪{u}. The latter constraint is clearly is replaced by the weak secrecy condition, 1I(K;F) ≤ ǫ. stronger, so we can safely discard the former. n Then, R≥0 is an achievable weak-SK rate if for any ǫ>0, We can now prove the desired lower bound on R(min). T there exists a weak ǫ-SK of rate greater than R − ǫ. It is Lemma 3. Let m ≥ 3 be given. For T ⊂ [m] with |T| = known that the supremum of achievable weak-SK rates is the m−1, we have sameastheSKcapacitygivenby(1).TheGohari-Anantharam 1 resultconcernsachievableweak-SKratesundertheadditional R(min) ≥ H(X |X ). assumption that some fixed subset of terminals remains silent T m−2 T\{j} j j∈T X throughout. Let T ⊆ [m] be such that terminals in T are Proof:ConsideranyT ⊂[m]with|T|=m−1.Foreach The pairwise independent network (PIN) model of Niti- j ∈ T, let B = T \{j}. Now, let (R ,i ∈ T) be any point nawarat and Narayan [7] is defined on an underlying graph j i in R . Applying (2) with B =B , we get G = (V,E) with V = [m]. For n ∈ N, let G(n) be the T j multigraph (V,E(n)), where E(n) is the multiset of edges R ≥H(X |X ), i T\{j} j formed by taking n copies of each edge of G. Associated iX∈Bj with each edge e∈E(n) is a Bernoulli(1/2) rv ξe; the rvs ξe for each j ∈T. Summing over all j ∈T, we obtain associated with distinct edges in E(n) are independent. With this, the rvs Xn, i ∈ [m], are defined as Xn = (ξ : e ∈ Ri ≥ H(XT\{j}|Xj). (3) E(n) and e is inicident on i). When G = K i, the coemplete m jX∈TiX∈Bj jX∈T graphon m vertices, we have the complete graphPIN model. Exchanging the order of summation in the double sum on We show in the next section (Corollary 7.2) that for the the left-hand side (LHS) above, we have R = complete graph PIN model, the singleton partition S is the Puit∈tiTng thji∈sBbiaRcki i=nto (3i∈),Tw(me g−et2)Ri =P(mj∈−T P2)i∈Bij∈TiRi. duinaitqeulye fmoilnloiwmsizferromforTIh(eXor[mem]).4T.he result below then imme- P P P P 1 Corollary 4.1. In the PIN model defined on the complete R ≥ H(X |X ). i m−2 T\{j} j graph Km, m ≥ 3, omnivocal communication is necessary i∈T j∈T X X for achieving C(X ). [m] Sincethisholdsforany(R ,i∈T)∈R ,thelemmafollows. i T In conjunction with Theorem 6 in [6], we now have the following picture for a capacity-achieving communication in III. OMNIVOCAL COMMUNICATION the complete graph PIN model: the communication must be omnivocal, and if it is constrained to be a linear function AspointedoutintheIntroduction,inthesourcemodelwith of the observations Xn , then it must have rate at least two terminals, omnivocality is never necessary for generating [m] a maximal-rate SK. However, the situation is different when m(m−2)/2. It should be noted that the capacity-achieving there are three or more terminals. In this section, we give a communicationintheproofof[7,Theorem1]isanomnivocal, sufficientconditionfor omnivocalitybeingneededfor achiev- linear communication of rate m(m−2)/2. ing SK capacity when there are m≥3 terminals, and give an For the proof of Theorem 4, we need some convenient example where the sufficient condition is met. The sufficient notation. For T ⊂ [m], |T| = m − 1, define ∆ (S) , T conditionalsoturnsouttobenecessarywhenthereareexactly 1 [ H(X )−H(X )]. m−2 i∈T i T three terminals. LemmPa 5. For m≥3 terminals, if the singleton partition S Tostateourresults,weneedafewdefinitions.Thepartition is the uniqueminimizer forI(X ), then ∆ (S)<∆(S) for {{1},{2},...,{m}}consistingofm singletoncellswillplay [m] T all T ⊂[m] with |T|=m−1. aspecialroleinourresults;wecallthisthesingletonpartition and denote it by S. For any partition P of [m] with |P|≥2, Proof: For any u ∈ [m], consider T = [m]\{u}. Using define ∆(S)= 1 [ m H(X )−H(X )] and the definition of m−1 i=1 i [m] ∆ (S) above, it is easy to verify the identity ∆(P), 1 H(X )−H(X ) . (4) T P |P|−1 A [m] m−1∆(S)=∆ (S)+ 1 I(X ;X ). "A∈P # m−2 T m−2 u T X Equivalently, Re-arranging the above, we obtain 1 ∆T(S)−∆(S)= m1−2[∆(S)−I(Xu;XT)] ∆(P)= D p k p , |P|−1 X[m] XA = 1 [∆(S)−∆(P)], (5) A∈P ! m−2 Y the notation being as in (1). Thus, C([m]) = I(X ) = where P is the 2-cell partition {{u},T} of [m]. By assump- [m] min ∆(P). In all that follows, we say that the singleton tion, the expression in (5) is strictly negative. P partition S is a minimizer for I(X ) if ∆(S) = I(X ), With this, we are ready to prove Theorem 4. [m] [m] andthatS istheuniqueminimizerforI(X )iftheminimum Proof of Theorem 4: We will show that C([m]) > [m] in (1) is uniquely achieved by S, i.e., ∆(S) < ∆(P) for all C([m]kT) for any T ⊂ [m] with |T| = m−1. First, note partitions P of [m], P 6=S, with |P|≥2. that since S is, by assumption, a minimizer for I(X ), we [m] We can now state the main result of this section. have C([m]) = I(X ) = ∆(S). Next, by Theorem 1 and [m] Lemma 3, we have Theorem4. Form≥3terminals,ifS istheuniqueminimizer for I(X[m]), then omnivocal communication is necessary for C([m]kT)≤H(XT)− m1−2 H(XT\{i}|Xi), achieving the SK capacity C([m]). i∈T X Before provingthe theorem,we give an examplewhere the = 1 (m−2)H(X )− [H(X )−H(X )] m−2 T T i condition of the theorem is met. (cid:20) i∈T (cid:21) X =∆ (S). a communication in which terminals 2 and 3 are both silent. T Therefore, C([m]kT) ≤ ∆ (S) < ∆(S) = C([m]), the Now, consider Case II, in which we obviously have T second inequality coming from Lemma 5. C([3]) = I(X ;X ). The idea here is to show that a {1,2} 3 valid communication of rate H(X |X ) exists in which For the three-terminal source model, it turns out that {1,2} 3 terminal 3 is silent, and which allows ǫ-recoverability of the unique minimizer condition in Theorem 4 is also (Xn,Xn) at all three terminals. Given this, an application necessary for the conclusion of the theorem to hold. 1 2 of [3, Lemma B.3] shows that an SK rate of H(X )− Note that when m = 3, (1) reduces to C(X ) = {1,2} [3] H(X |X )=I(X ;X )isachievable.Thus,thereisa min{I(X ;X ),I(X ;X ),I(X ;X ),∆(S)}; so {1,2} 3 {1,2} 3 {1,2} 3 {1,3} 2 {2,3} 1 C([3])-achievingcommunicationinwhichterminal3issilent. the unique minimizer condition is equivalent to To show that the desired communication exists, we argue ∆(S)<min{I(X{1,2};X3),I(X{1,3};X2),I(X{2,3};X1)}. as follows. For i=1,2, let Ri be the rate at which terminali communicates. A standard random binning argument shows Theorem 6. In the three-terminal source model, omnivocal that an achievable (R ,R ) region, with terminal 3 silent, 1 2 communication is necessary for achieving SK capacity iff the for a communication intended to allow ǫ-recoverability of singleton partition S is the unique minimizer for I(X[m]). (Xn,Xn) at all terminals is given by 1 2 Proof: The “if” part is by Theorem 4. R ≥H(X |X ), R ≥H(X |X ), 1 1 2 2 2 1 For the “only if” part, suppose that ∆(S) ≥ (9) R +R ≥H(X |X ). min{I(X ;X ),I(X ;X ),I(X ;X )}. Then, 1 2 {1,2} 3 {1,2} 3 {1,3} 2 {2,3} 1 ∆(S) is either (a) greater than or equal to at least two of the Now, using the assumption in Case II that ∆(S) ≥ three terms in the minimum, or (b) greater than or equal to I(X ;X ), we will prove that the inequality {1,2} 3 exactly one term. Up to symmetry, it suffices to distinguish H(X |X )+H(X |X )≤H(X |X ) (10) between two cases: 1 2 2 1 {1,2} 3 Case I: ∆(S)≥max{I(X{1,2};X3),I(X{1,3};X2)} holds.Itwouldthenfollowfrom(9)thatthereexistachievable Case II: min{I(X{1,3};X2),I(X{2,3};X1)} > ∆(S) ≥ rate pairs (R1,R2) with R1 + R2 = H(X{1,2}|X3), thus I(X{1,2};X3) completing the proof for Case II. In each case, we demonstrate a capacity-achieving communi- So,letusprove(10).Wehave∆(S)= 1[H(X )+H(X )+ 2 1 2 cation in which at least one terminal remains silent. H(X ) − H(X )] and I(X ;X ) = H(X ) + 3 [3] {1,2} 3 {1,2} H(X )−H(X ). Using these expressions in the inequality We deal with Case I first. Observe that 3 [3] ∆(S) = 1 3 H(X )−H(X ) can also be written ∆(S)≥I(X{1,2};X3), and re-arranging terms, we obtain 2 i=1 i [3] a∆s(S12)[I≥(X1I;(XXhP2) +;XI(X),{1u,p2o};nXs3o)m].eTirhe-uosr,gatnhiezataiossnu,mypietilodns 12[H(X1)+H(X2)−2H(X{1,2})]≥ 12[H(X3)−H(X[3])], {1,2} 3 I(X ;X )≥I(X ;X ), i.e., which is equivalent to (10). This completes the proof of the 1 2 {1,2} 3 theorem. I(X ;X )≥I(X ;X )+I(X ;X |X ). (6) 1 2 1 3 2 3 1 We in fact conjecture that the result of Theorem 6 should Similarly, using the identity ∆(S) = 1[I(X ;X ) + extend to more than three terminals as well. 2 1 3 I(X ;X )] in the assumption ∆(S)≥I(X ;X ), we {1,3} 2 {1,3} 2 Conjecture 1. In the multiterminalsource modelwith m≥3 obtain I(X ;X )≥I(X ;X ), i.e., 1 3 {1,3} 2 terminals, omnivocal communication is necessary for achiev- I(X ;X )≥I(X ;X )+I(X ;X |X ). (7) ing SK capacity iff the singleton partition is the unique 1 3 1 2 1 3 2 minimizer for I(X ). [m] The equalities in (6) and (7) can simultaneously hold iff At this point, we do not have a systematic approach for I(X ;X )=I(X ;X ) and 1 2 1 3 (8) proving the “only if” part of the conjecture for m≥4. I(X ;X |X )=I(X ;X |X )=0. 1 3 2 2 3 1 IV. SINGLETONPARTITIONS From (8), it is not hard to deduce that the quantities I(X ;X ), I(X ;X ), I(X ;X ) and ∆(S) are The condition that the singleton partition be a unique {1,2} 3 {1,3} 2 {2,3} 1 all equal to I(X ;X ). In particular, C(X )=I(X ;X ). minimizer for I(X ) plays a key role in the results of 1 2 [3] 1 2 [m] From the first equality in (8), we also have H(X |X ) = Section III. Thus, it would be very useful to have a way of 1 2 H(X |X ). Now, it can be shown by a standard random checkingwhetherthisconditionholdsforagivensourceX , 1 3 [m] binning argument that there exists a communication from m ≥ 3. The brute force method of comparing ∆(S) with terminal 1 of rate H(X |X ) = H(X |X ) such that Xn ∆(P) for all partitions P with at least two parts requires 1 2 1 3 1 is ǫ-recoverable at both terminals 2 and 3. It then follows an enormous amount of computation. Indeed, the number from the “balanced coloring lemma” [3, Lemma B.3] that an of partitions of an m-element set is the mth Bell number, SK rate of H(X1)−H(X1|X2) = I(X1;X2) is achievable. Bm, an asymptoticestimate forwhich is (logw)1/2wm−wew, Thus, the SK capacity, C([3])=I(X ;X ), is achievable by where w = m [1 + o(1)] is the solution to the equation 1 2 logm m = wlog(w+1) [8, Example 5.4]. The proposition below graph K (as defined in Section III) are not exchangeable m bringsdownthenumberofcomparisonsrequiredforverifying when m≥3, but they are isentropic. the unique minimizer condition to a “mere” 2m−m−2. Corollary 7.1. If X ,X ,...,X , m ≥ 3, are isentropic For any non-empty subset B = {b ,b ,...,b } of [m] 1 2 m 1 2 |B| rvs, then S is a minimizer for I(X ). with |B| < m, define P , {Bc,{b },{b },...,{b }} to [m] B 1 2 |B| bethepartitionof[m]consistingof|B|+1cells,ofwhich|B| Proof:ForapartitionP of[m]with|P|≥2,letusdefine cells are singletons comprising the elements of B. Note that 1 if |B| =m−1, then PB =S. δ(P) , |P|−1 H(XAc|XA) = H(X[m])−∆(P). A∈P X Proposition 7. For m ≥ 3, let Ω = {B ⊂ [m] : 1 ≤ |B|≤ By virtue of Proposition 7(a), we need to show that δ(P )≤ m−2}. The singleton partition S is B δ(S) for all B ∈Ω. (a) a minimizer for I(X ) iff ∆(S)≤∆(P ) ∀B ∈Ω; (b) the unique minimiz[emr]for I(X ) iff ∆B(S) < ∆(P ) For isentropic rvs, the quantity H(XB|XBc), for any [m] B B ⊆ [m], depends only on |B|. Hence, defining g(k) , ∀B ∈Ω. H(X |X ) for 1 ≤ k ≤ m, we can write δ(P ) = [k] [m]\[k] B Proof: We prove (b); for (a), we simply have to replace 1 g(|B|)+g(m−1) and δ(S) = m g(m−1). Thus, we |B| m−1 the ‘>’ in (11) below with a ‘≥’. havetoshowthat g(|B|) ≤ g(m−1) forallB ∈Ω.Thisfollows |B| m−1 The “only if” part is obvious. For the “if” part, suppose from the fact that for isentropic rvs, the function g(k)/k is that ∆(S)<∆(PB) for all B ⊂[m] with 1≤|B| ≤m−2. non-decreasing in k — see Appendix A. Consider any partition P of [m], P 6= S, with |P| ≥ 2. We OursecondapplicationofProposition7istothePINmodel. wish to show that ∆(P)>∆(S). Recall from Section III that this model is defined on an The following identity can be obtained from the definition underlying graph G = ([m],E). From the way that the rvs in (4) by some re-grouping of terms: X , i ∈ [m], are defined, it is not difficult to verify that for i |Ac|∆(P )=(|P|−1)[∆(P)+(m−1)∆(S)]. any partition P of [m] with |P|≥2, we have Ac A∈P |E(P)| X ∆(P)= , Thus, we have |P|−1 1 where|E(P)|denotesthenumberofedgese={i,j}∈E such ∆(P)= |Ac|∆(P )−(m−1)∆(S) |P|−1 Ac that i and j are in different cells of P. This, in conjunction A∈P X with Proposition 7, gives us a relatively simple criterion for 1 > |Ac|∆(S)−(m−1)∆(S) (11) verifying whether S is a (unique) minimizer for I(X ). As |P|−1 [m] A∈P anillustration,weapplythistothecompletegraphPINmodel. X =m∆(S)−(m−1)∆(S) = ∆(S). (12) Corollary7.2. ForthePINmodelonthecompletegraphK , m The inequality in (11) is due to the fact that at least one m ≥ 3, the singleton partition S is the unique minimizer for A ∈ P is not a singleton cell, so that P 6= S, and I(X ). Ac [m] hence, ∆(P ) > ∆(S) by assumption. To verify the first Ac Proof: It is easy to see that for any non-emptyB ([m], equality in (12), observe that A∈P|Ac|= A∈P i∈/A1= |E(P )|= m − |Bc| = 1|B|(2m−|B|−1). Hence, m 1=m(|P|−1). B 2 2 2 i=1 A∈P:i∈/A P P P (cid:0) (cid:1)|E((cid:0)PB)(cid:1)| 2m−|B|−1 m PNexPt, we apply the above proposition to some interesting ∆(PB)= = ≥ =∆(S), |B| 2 2 special cases. with equality iff |B| = m−1, i.e., P = S. The result now Random variables X ,X ,...,X , m ≥ 2, are called B 1 2 m follows from Proposition 7(b). isentropic if H(X ) = H(X ) for any pair of non-empty A B subsetsA,B ⊆[m] havingthe same cardinality.Equivalently, APPENDIX A X ,...,X are isentropic if, for all non-empty A ⊆ [m], 1 m the entropyH(XA) dependsonlyon|A|. One obviousconse- Here, we prove that for isentropic rvs X1,...,Xm, the quenceofthisdefinitionisthatfordisjointnon-emptysubsets function 1H(X |X ), defined for 1 ≤ k ≤ m, is non- k [k] [m]\[k] A,B ⊂[m],theconditionalentropyH(X |X )onlydepends decreasing in k. Define g(k) = H(X |X ). We show A B [k] [m]\[k] on |A| and |B|. that the difference kg(k +1)−(k +1)g(k) is always non- Clearly, i.i.d. rvs are isentropic. More generally, ex- negative, from which the result follows. changeable rvs are isentropic — rvs X1,X2,...,Xm are We have g(k + 1) = H(X[m]) − H(X{k+2,...,m}) and exchangeable if for all permutations σ of [m], the joint g(k) = H(X[m]) − H(X{k+1,...,m}) = g(k + 1) − distribution of (X1,X2,...,Xm) is the same as that of H(Xk+1|X{k+2,...,m}). Thus, (X ,X ,...,X ). However, isentropic rvs need σ(1) σ(2) σ(m) kg(k+1)−(k+1)g(k) not be exchangeable. It may be verified that the rvs =(k+1)H(X |X )−g(k+1). X ,X ,...,X in the PIN model defined on the complete k+1 {k+2,...,m} 1 2 m WeneedtoshowthattheRHSoftheequalityisnon-negative. This is straightforward: g(k+1)=H(X |X ) [k+1] {k+2,...,m} k+1 ≤ H(X |X ) i {k+2,...,m} i=1 X =(k+1)H(X |X ), k+1 {k+2,...,m} since, for 1 ≤ i ≤ k + 1, H(X |X ) = i {k+2,...,m} H(X |X ) by isentropy. k+1 {k+2,...,m} REFERENCES [1] R.AhlswedeandI.Csisza´r,“Commonrandomnessininformationtheory andcryptography,partI:Secretsharing,”IEEETrans.Inf.Theory,vol. 39,pp.1121–1132,July1993. [2] C.ChanandL.Zheng,“Mutualdependence forsecretkeyagreement,” Proc.44thAnnu.Conf.Inf.Sci.Syst.(CISS),2010. [3] I. Csisza´r and P. Narayan, “Secrecy capacities for multiple terminals,” IEEETrans.Inf.Theory,vol.50,pp.3047–3061, Dec.2004. [4] A.A.GohariandV.Anantharam,“Information-theoretic keyagreement of multiple terminals–Part I,” IEEE Trans. Inf. Theory, vol. 56, no. 8, pp.3973–3996, Aug.2010. [5] U.M.Maurer,“Secretkeyagreementbypublicdiscussionfromcommon information,”IEEETrans.Inf.Theory,vol.39,pp.733–742,May1993. [6] M. Mukherjee and N. Kashyap, “On the communication complex- ity of secret key generation in the multiterminal source model.” arXiv:1401.1117. [7] S. Nitinawarat and P. Narayan, “Perfect omniscience, perfect secrecy andSteinertreepacking,”IEEETrans.Inf.Theory,vol.56,no.12,pp. 6490–6500, Dec.2010. [8] A.M. Odlyzko, “Asymptotic enumeration methods,” in Handbook of Combinatorics, R.L.Grahametal.,eds.,1995,pp.1063–1229. [9] H.Tyagi,“Commoninformationandsecretkeycapacity,” IEEETrans. Inf.Theory,vol.59,no.9,pp.5627–5640, Sep.2013.