Advantage of the key relay protocol over secure network coding

Go Kato, Mikio Fujiwara, and Toyohiro Tsurumaru Go Kato and Mikio Fujiwara are with NICT, Nukui-kita, Koganei, Tokyo 184-8795, Japan (e-mail: [email protected], [email protected]). Toyohiro Tsurumaru is with Mitsubishi Electric Corporation, Information Technology R&D Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa, 247-8501, Japan (e-mail: [email protected]).

Abstract

The key relay protocol (KRP) plays an important role in improving the performance and the security of quantum key distribution (QKD) networks. On the other hand, there is also an existing research field called secure network coding (SNC), which has similar goal and structure. We here analyze differences and similarities between the KRP and SNC rigorously. We found, rather surprisingly, that there is a definite gap in security between the KRP and SNC; that is, certain KRPs achieve better security than any SNC schemes on the same graph. We also found that this gap can be closed if we generalize the notion of SNC by adding free public channels; that is, KRPs are equivalent to SNC schemes augmented with free public channels.

I Introduction

The key relay protocol (KRP) plays an important role in improving the performance and the security of quantum key distribution (QKD) networks [1, 2, 3, 4]. On the other hand, there exists another research field called secure network coding (SNC; see, e.g., Refs. [5, 6]), which has the goal and structure similar to the KRP. The goal of this paper is to analyze differences and similarities between the KRP and SNC rigorously.

QKD realizes distribution of secret keys to players at distant locations (see, e.g., Refs. [7, 8]). However, the communication distance achievable by a single QKD link is limited by the technological level of quantum optics [8]. KRPs are used to enable key distribution beyond such limitation of a single QKD link. The basic idea of the KRP is to pass a secret key of one QKD link on to another QKD link with the help of insecure public channels, such as the internet (cf. Figs. 2 and 3).

The KRP has similarities and differences with SNC (Table I). While they share the same goal of sharing secret messages, they differ in that 1) Public channels are available in KRPs, but not in SNC schemes, 2) KRPs use QKD links (or more generally, local key sources) while SNC schemes use secret channels, and 3) The messages in KRPs must be a random bit, while in SNC schemes each sender can freely choose its message.

Then the question naturally arises whether these differences are really essential. For example, is it not possible that there is actually a way of converting KRPs to SNC schemes, and that they are shown to be equivalent? The goal of this paper is to answer to this question. For the sake of simplicity, we will limit ourselves to the one-shot scenario.

The outline of our results is as follows (Fig. 1).

If we generalize SNC [5] by adding public channels (see the third column of Table I), then KRPs and SNC schemes (with public channels) on the same graph are always equivalent (Theorem 1).

On the other hand, if we do not generalize SNC and limit ourselves to its conventional form (without public channels; see the second column of Table I), then there is a definite gap in security between the KRP and SNC: On some graphs a KRP achieves better security than any conventional SNC schemes (Theorem 2 and Corollary 1). Hence the accumulation of past research on the conventional SNC is not sufficient to explore the potential of KRPs. This suggests that the KRP is a new research field.

TABLE I: Similarities and differences between the KRP, the conventional SNC, SNC with public channels, and KRP-by-SNC.

	Key relay protocol	Secure network coding (SNC)
	(KRP)	without public channels	SNC with public channels	KRP-by-SNC
	(KRP)	(Conventional SNC)
Public channels	✓		✓
Local key sources	✓
(e.g., QKD links)	✓
Secret channels		✓	✓	✓
Goal	Each sender-receiver pair (or each user pair) $i$ share a secret message
Content of the message	Random bit $k_{i}$	Message $m_{i}$ chosen	Message $m_{i}$ chosen	Random bit $k_{i}$
Content of the message	Random bit $k_{i}$	by the sender	by the sender	Random bit $k_{i}$

Refer to caption — Figure 1: Relation of secure network coding (SNC) with and without public channels, and the key relay protocol (KRP). The settings and the goals of SNC and the KRP are summarized in Table I. The KRP and SNC with publich channels always achieve the same level of security (Theorem 1). The security of KRP is better than that of the conventional SNC or SNC without public channels (Theorem 2).

II Key relay protocol (KRP)

II-A Motivation and examples of the KRP

Quantum key distribution (QKD) distributes secret keys to two separate players. However, the communication distance achievable by a single set of QKD devices, or a QKD link, is limited by the technological level of quantum optics, and is currently in the order of 100 km [8]. For this reason, in this paper, we refer to a QKD link also as a local key source.

There is of course a strong demand to distribute secret keys globally, or beyond the reach of a single QKD link. The key relay protocol (KRP) [1, 2, 3] aims to fulfill this demand by connecting multiple QKD links, and also by using insecure public channels, such as the internet.

Fig. 2 illustrates the simplest example of such KRPs. Users $u^{1}$ and $u^{2}$ are separated by twice the reach of a local key source, and are connected by two local key sources $LKS_{e_{1}}$ and $LKS_{e_{2}}$ . From these local key sources, users $u^{1}$ and $u^{2}$ receive distinct local keys $r_{e_{1}},r_{e_{2}}\in_{\rm R}\{0,1\}$ respectively. Then, in order for both $u^{1}$ and $u^{2}$ to share the same key $k^{1}=k^{2}$ , which we call the relayed key, they execute the following procedure with the help of the midpoint $v$ :

1.

The midpoint $v$ announces the difference of the two local keys, $\Delta r=r_{e_{1}}+r_{e_{2}}$ .
2.

Users $u^{1}$ and $u^{2}$ calculate the relayed keys $k^{1}=r_{e_{1}}$ and $k^{2}=r_{e_{2}}+\Delta r$ , respectively.

Note that $k^{1}=k^{2}$ is indeed satisfied. Note also that $k_{i}$ remain secret even if the announcement $\Delta r$ is revealed.

This idea can be generalized to more complex network configurations. For example, one can improve the distance by serially extending the above construction (Fig. 3(a)), or can improve the security by extending it in parallel (Fig. 3(b)). In the next subsection, we will give a formal definition of KRPs, applicable to an arbitrary network configuration.

II-B Formal definition of the KRP

The outline is that: On an undirected graph $G=(V,E)$ , pairs of users wish to share a relayed key with the help of other players on nodes $V$ having access to local key sources and a public channels, without disseminating the message to the adversary.

II-B1 Setting

An undirected graph $G=(V,E)$ consists of a node set $V$ and an edge set $E$ . For the sake of simplicity, we assume that $G$ are connected. Each node $v\in V$ has an individual player (denoted by the same symbol as the node), some of which constitute $n_{\rm pair}$ pairs of users $u_{i}=(u^{1}_{i},u^{2}_{i})$ with $i=1,\dots,n_{\rm pair}$ . There is also an adversary, who can wiretap some edges $\subset E$ .

Each edge $e\in E$ has a local key source $LKS_{e}$ and a public channel $PC_{e}$ , which behave as follows.

Definition 1 (Local key sources and public channels).

$LKS_{e}$ and $PC_{e}$ operate as follows:

•

Local key source $LKS_{e}$ (Fig. 4 (a)): On input “start” command from an end node $v$ or $w$ , it sends a local key, or a uniformly random bit $r_{e}\in_{\rm R}\{0,1\}$ to both $v$ and $w$ . When edge $e$ is wiretapped, it also sends $r_{e}$ to the eavesdropper.
•

Public channel $PC_{e}$ (Fig. 4 (b)): On input a bit string $p_{e}\in\{0,1\}^{*}$ from an end node (say, $v$ ), it sends $p_{e}$ to the other end node (say, $w$ ) and to the adversary.

II-B2 Key relay protocol

With the above setting, each user pair $u_{i}=(u^{1}_{i},u^{2}_{i})$ wish to share a relayed key $k_{i}=(k^{1}_{i},k^{2}_{i})$ with the help of players $V$ , without disseminating $k_{i}$ to the adversary. To this end, they request all nodes $V$ to execute a procedure of the the following type.

Definition 2.

A protocol $L$ of the following type, performed by players $V$ , is called a key relay protocol (KRP).

1.

All players $V$ communicate using public channels $PC_{e}$ and local key sources $LKS_{e}$ ¹¹1More precisely, the outputs ( $p_{e}$ , $r_{e}$ , or “start”) of players $V$ are defined as functions of previously received data ( $\subset\{p_{e},r_{e}|e\in E\}$ ) and of random variables generated by the player. Each player sends out the outputs whenever necessary data are all received..

Here each $LKS_{e}$ can only be used once, while $PC_{e}$ can be used arbitrarily many times.
2.

Each user $u_{i}^{j}$ calculates a relayed key $k_{i}^{j}$ .

II-B3 Security criteria

There is a known collection ${\cal E}^{\rm adv}=\{E^{\rm adv}_{1},E^{\rm adv}_{2},\dots\}$ of edge set $E^{\rm adv}_{i}\subset E$ which the adversary can wiretap on. In each round of the protocol, the adversary chooses $E^{\rm adv}_{l}\in{\cal E}^{\rm adv}$ and wiretaps edges $e\in E^{\rm adv}_{l}$ .

Definition 3 (Security of the KRP).

A key relay protocol $L$ is secure against ${\cal E}^{\rm adv}$ , if it satisfies the followings.

•

Soundness: The relayed keys $k_{i}^{1},k_{i}^{2}$ generated by user pair $u_{i}=(u^{1}_{i},u^{2}_{i})$ are equal and uniformly distributed; i.e., $\Pr[K_{i}^{1}=K_{i}^{2}]=1$ , and $\Pr[K_{i}^{j}=0]=\Pr[K_{i}^{j}=1]=1/2$ .

Also, $k_{i}^{j}$ generated by different user pairs are independent.
•

Secrecy: The relayed key pairs $k_{i}=(k_{i}^{1},k_{i}^{2})$ are unknown to the adversary even when any edge set $E_{l}^{\rm adv}\in{\cal E}^{\rm adv}$ is wiretapped. That is, for any $l$ , we have

$I(K_{1},K_{2},\dots,K_{\rm n_{\rm pair}}:A(E_{l}^{\rm adv}))=0,$ (1)

where $A(E_{l}^{\rm adv})$ denotes the information that the adversary obtains by eavesdropping on edge set $E_{l}^{\rm adv}$ .

$A(E_{l}^{\rm adv})$ appearing in Definition 3 consists of local keys $r_{e}$ on edges $e\in E^{\rm adv}_{l}$ , and of all public information $p_{e}$ ( $e\in E$ ).

II-C Notes on KRPs used in practical QKD networks

In fact, the KRP defined above is slightly different from those used in actual QKD networks. Below we elaborate on their relation.

II-C1 Edge adversary model vs. node adversary model

In the above definition, we employed the edge adversary model (where the adversary eavesdrop on some edges), while in actual QKD networks the node adversary model (where the adversary can eavesdrop on information that goes in and out of a certain edges set) is usually assumed. This is not really a limitation, since the former model incorporates the latter: The situation where “the adversary eavesdrop on a node $v$ ” in the node adversary model can always be described as “all edges surrounding $v$ are wiretapped” in the edge adversary model.

II-C2 Passive adversary vs active adversary

Above we assumed that the adversary is passive (honest but curious), meaning that she eavesdrops on, but does not tamper with communication. On the other hand, in QKD, one usually assumes that the adversary is active; i.e., she can both eavesdrop on and tamper with communication.

The easiest way to convince oneself of this limitation, of course, is to accept it merely as a simplification introduced at the first step of continuing research.

On the other hand, there are also ways of justifying this limitation to some extent. That is, if the adversary is active, the following two problems arise,

•

Problem with soundness: The relayed keys may not match, $\Pr[k_{i}^{1}\neq k_{i}^{2}]>0$ .
•

Problem with secrecy: Players $V$ may malfunction and leak extra information to the adversary, damaging the secrecy.

but, in practical QKD networks, there are ways to solve or work around both these problems.

How to work around the problem with soundness

The basic idea here is the following. The relayed keys $k_{i}=(k_{i}^{1},k_{i}^{2})$ are random bits and are not meaningful by themselves, and thus can be discarded at any time. Hence, even if the event $k_{i}^{1}\neq k_{i}^{2}$ occurs, players can discard $k_{i}^{1},k_{i}^{2}$ and repeat new rounds the KRP (including QKD as local key sources) until they obtain $k_{i}^{1},k_{i}^{2}$ satisfying $k_{i}^{1}=k_{i}^{2}$ . This can generally decrease the key generation speed, but the secrecy remains intact.

Of course, in order for the above idea to actually function in practice, user pairs $u_{i}$ must be able to detect an error (check if $k_{i}^{1}=k_{i}^{2}$ or not) with a sufficiently small failure probability. This is also realizable by using information-theoretically secure message authentication codes (see, e.g., Section 4.6 of Ref. [9]).

Combining these ideas, we obtain the following method.

1.

User pairs $u_{i}=(u^{1}_{i},u^{2}_{i})$ repeat a KRP $n$ times and share $n$ -bit relayed keys $\vec{k_{i}^{1}},\vec{k_{i}^{2}}\in\{0,1\}^{n}$ .
2.

User $u_{i}^{1}$ calculates the hash value $\sigma_{i}=h(\vec{k_{i}^{1}})$ of $\vec{k_{i}^{1}}$ using an $\varepsilon$ -difference universal hash function $h$ [9]. User $u_{i}^{1}$ then encrypts $\sigma_{i}$ by the one-time pad scheme (see, e.g., Ref. [9]) and sends it to $u_{i}^{2}$ . (In fact, this entire step corresponds to authenticating message $\vec{k}^{1}_{i}$ using Construction 4.24 of Ref. [9].)
3.

User $u_{i}^{2}$ decrypts the received ciphertext to obtain $\sigma_{i}$ . If $\sigma_{i}\neq h(\vec{k_{i}^{2}})$ , $u_{i}^{2}$ announces that the relayed keys $\vec{k_{i}^{1}},\vec{k_{i}^{2}}$ must be discarded. (Here, $u_{i}^{2}$ authenticates his announcement by again using Construction 4.24 of Ref. [9].)

In this method, steps 2 and 3 each consume a pre-shared key²²2The security proofs of QKD require that its public communication be authenticated. A customary way to fulfill this requirement in practical QKD systems is that each user pair always keeps sharing a relatively small amount of secret key (pre-shared key), and uses it to authenticate their public communication, e.g., by the methods given in Ref. [10] and in Section 4.6, Ref. [9]. Here we use those pre-shared keys also for KRPs. of a length proportional to $|\sigma_{i}|$ , the length of $\sigma_{i}$ . However, one can set $|\sigma_{i}|$ negligibly small compared with $n$ , with an appropriate choice of the function $h$ and for sufficiently large $n$ . Thus the net relayed key obtained by this method almost equals $n$ . For example, by using a polynomial-based $\varepsilon$ -difference universal hash function, we have $|\sigma_{i}|=O(\varepsilon^{-1}\log n)$ with $\varepsilon$ being the failure probability of the error detection.

Countermeasure against problem with secrecy

As for the problem with secrecy, one countermeasure is to restrict ourselves with linear KRPs.

Here a linear KRP means the one where players $V$ are linear. A player $v\in V$ being linear means that its outputs $p_{e},r_{e}$ are all linear functions of previously received data ( $\subset\{p_{e},r_{e}|e\in E\}$ ) and of random variables generated by the player. In such restricted case we can prove the following lemma.

Lemma 1.

If a linear KRP is secure against passive (i.e., honest but curious) adversaries, it is also secure against active adversaries.

This lemma is a variant of Theorem 1, Ref. [11], which was previously obtained for the secure network coding (SNC). As the proof is essentially the same as in Ref. [11], we here only give a sketch: Suppose for example that the active adversary modifies a local key $r_{e^{\prime}}$ to $r_{e^{\prime}}+\Delta r$ , which is to be input to a node $v$ . With $v$ being linear, $v$ ’s subsequent outputs all change linearly in $\Delta r$ ; for example, a public message $p_{e}$ , which $v$ outputs, changes to $p_{e}+f(\Delta r)$ with $f$ being a linear function. Since those linear response to tampering, such as $f(\Delta r)$ , are all predictable, we can conclude that the adversary gains nothing by tampering with communication.

III Main results: Relation between the KRP and secure network coding (SNC)

As readers familiar with secure network coding (SNC; see, e.g., Refs. [5, 6]) may have already noticed, the KRP defined in the previous section have similarities and differences with SNC (Table I). That is, while they both share the same goal that each sender-receiver pair (or each user pair) share a secret message, they differ in that

1.

Public channels $PC_{e}$ are used in the KRP, but not in SNC.
2.

The KRP uses local key sources $LKS_{e}$ , while SNC uses secret channels.
3.

In SNC, the sender can choose the massage freely. However, in the KRP, the message (which we called the relayed key $k_{i}$ in the previous section) must be uniformly random, and thus the sender does not have freedom to choose it.

From this observation the question naturally arises whether these differences are really essential. For example, is it not possible that there is actually a way of converting KRPs to SNC schemes, and that they are shown to be equivalent? In this section we answer to this question. The outline of our results is as follows.

First, if we eliminate difference 1) above by hand, that is, if we generalize SNC [5] by adding public channels, then we can simultaneously resolve the remaining differences, items 2) and 3), as well. As a result of this, we can show that the generalized form of SNC (i.e., SNC with public channels, in the third column of Table I) and the KRP are equivalent (Theorem 1).

On the other hand, if we do not generalize SNC and limit ourselves with its conventional form (the second column of Table I), then there is a definite gap in security between SNC and the KRP: There are situations where KRPs achieve better securities than the conventional SNC schemes, without public channels (Theorem 2).

III-A Definition of SNC with public channels

We begin with a formal definition of SNC with public channels, which is mentioned above and corresponds to the third column of Table I.

The conventional SNC (the second column of Table I) is the special case of this scheme where the use of public channels is prohibited.

III-A1 Setting

The setting is the same as that of the KRP, given in Section II-B1, except

•

Of each user pair $u_{i}=(u_{i}^{1},u_{i}^{2})$ , one user (say, $u_{i}^{1}$ ) is named the sender $a_{i}$ , and the other (say, $u_{i}^{2}$ ) the receiver $b_{i}$ . Thus either $(u_{i}^{1},u_{i}^{2})=(a_{i},b_{i})$ or $(u_{i}^{1},u_{i}^{2})=(b_{i},a_{i})$ holds.

The is necessary because, in SNC, messages are not a random bit (as in the KRP), but must be chosen by the sender $a_{i}$ ; see Definition 5 below.
•

Local key sources $LKS_{e}$ are replaced by the secret channels $SC_{e}$ , defined in Definition 4 below.

Definition 4 (Secret channels).

On input a bit $s_{e}\in\{0,1\}$ from one end node (say, $v$ ), secret channel $SC_{e}$ sends $s_{e}$ to the other end node (say, $w$ ); see Fig. 5. When edge $e$ is wiretapped, it also sends $s_{e}$ to the eavesdropper.

In comparison with the conventional SNC [5], the setting above differs only in that players $V$ can use public channels $PC_{e}$ in addition to secret channels $SC_{e}$ (see Table I).

III-A2 SNC with public channels

The goal of our SNC with public channels is the same as that of the conventional SNC [5]: Each sender-receiver pair $(a_{i},b_{i})$ wish to exchange message $m_{i}$ with the help of other players on nodes $V$ , without disseminating $m_{i}$ to the adversary.

Definition 5 (SNC with public channels).

We call a protocol of the following type a secure network coding (SNC) scheme with public channels.

•

Each sender $a_{i}$ chooses a message $m_{i}\in\{0,1\}$ aimed at the receiver $b_{i}$ .
•

Players $V$ communicate by using public channels $PC_{e}$ and secret channels $SC_{e}$ ³³3As in the case of the KRP, we assume that the outputs ( $p_{e}$ , $s_{e}$ ) of players are defined as functions of previously received data ( $\subset\{p_{e},s_{e}|e\in E\}$ ) and of random variables generated by the player. We also assume that each player sends out the output whenever necessary data are all received..

Here, each $SC_{e}$ can only be used once, while $PC_{e}$ can be used arbitrarily many times.
•

Each receiver $b_{i}$ calculates message $\hat{m}_{i}\in\{0,1\}$ .

In comparison with Definition 2 for the KRP, Definition 5 above differs only in that $LKS_{e}$ are replaced by $SC_{e}$ , and that senders $a_{i}$ can arbitrarily choose message $m_{i}$ , which need not be uniformly distributed, unlike the relayed key $k_{i}^{1}$ (cf. Table I).

III-A3 Security criteria

The security criteria is essentially the same as Definition 3 for the case of the KRP. That is, there is again a known collection ${\cal E}^{\rm adv}=\{E^{\rm adv}_{1},E^{\rm adv}_{2},\dots\}$ of wiretap sets $E^{\rm adv}_{l}\subset E$ . In each round of the SNC scheme, the adversary chooses $E^{\rm adv}_{l}\in{\cal E}^{\rm adv}$ and wiretap edges $e\in E^{\rm adv}_{l}$ .

Definition 6 (Security of SNC with public channels).

A SNC scheme $L$ is secure against ${\cal E}^{\rm adv}$ , if it satisfies the followings.

•

Soundness: Sender $a_{i}$ ’s message $m_{i}$ reaches receiver $b_{i}$ without error; $\Pr[M_{i}=\hat{M}_{i}]=1$ .
•

Secrecy: Messages $m_{i},\hat{m}_{i}$ are unknown to the adversary even when any edge set $E_{j}^{\rm adv}\in{\cal E}^{\rm adv}$ is wiretapped. That is, for any $l$ , we have

$I(M_{1},M_{2},\dots,M_{n_{\rm pair}}:A(E_{l}^{\rm adv}))=0,$ (2)

where $A(E_{l}^{\rm adv})$ denotes the information that the adversary obtains by eavesdropping on edges $E_{l}^{\rm adv}$ ; i.e., $A(E_{l}^{\rm adv})$ consists of secret bits $s_{e}$ on edges $e\in E^{\rm adv}_{l}$ , and of all public information $p_{e}$ ( $e\in E$ ).

In comparison with Definition 3 for the KRP, Definition 6 above differs in that $m_{i}$ need not be uniformly distributed (cf. Table I), and that local keys $r_{e}$ included in the adversary’s information $A(E_{j}^{\rm adv})$ are replaced by secret bits $s_{e}$ .

III-B SNC with public channels and the KRP are equivalent

SNC with public channels thus defined are in fact equivalent to the KRP defined in the previous section.

Theorem 1 (The security of KRP $=$ The security of SNC with public channels).

KRPs and SNC schemes with public channels can always achieve the same security. That is,

1.

Given a KRP $L$ compatible with a graph $G$ and user configuration $u_{i}=(u_{i}^{1},u_{i}^{2})$ which is secure against wiretap sets ${\cal E}^{\rm adv}$ , one can construct a SNC scheme with public channels $L^{\prime}$ which is compatible with the same $G$ and $u_{i}$ , and also secure against the same ${\cal E}^{\rm adv}$ .

This is true whether the sender and the receiver for each user pair $u_{i}$ in $L^{\prime}$ are assigned as $(u_{i}^{1},u_{i}^{2})=(a_{i},b_{i})$ or $(u_{i}^{1},u_{i}^{2})=(b_{i},a_{i})$ (for the meaning of this notation, see Section III-A1).
2.

Given a SNC scheme $L$ (with or without public channels) compatible with a graph $G$ and a sender-receiver configutation $u_{i}=(a_{i},b_{i})$ which is secure against ${\cal E}^{\rm adv}$ , one can construct a KRP $L^{\prime}$ compatible with the same $G$ and $u_{i}$ , which is secure against the same ${\cal E}^{\rm adv}$ .

Therefore, if one wishes to analyze the potential and limitations of the KRP, it is necessary and sufficient to investigate SNC with public channels.

We will prove Theorem 1 in Section IV.

III-C SNC without public channels and the KRP are not equivalent

However, in order for Theorem 1 above to hold, it was in fact essential that we generalized SNC by adding public channels. The equivalence with the KRP no longer holds if we limit ourselves with the conventional SNC, i.e. SNC schemes without public channels. More precisely, we have the following theorem.

Theorem 2 (The security of KRP $\neq$ The security of SNC without public channels (conventional SNC)).

There exists a conbination of a graph $G$ , a user configuration $u_{i}$ , and wiretap sets ${\cal E}^{{\rm adv},G_{0}}$ for which there exists a secure KRP $L_{\rm KRP}$ , but there exists no secure SNC scheme without public channels.

This is true whether the sender and the receiver for each user pair $u_{i}$ (in the SNC without public channels) are assigned as $(u_{i}^{1},u_{i}^{2})=(a_{i},b_{i})$ or $(u_{i}^{1},u_{i}^{2})=(b_{i},a_{i})$ (for the meaning of this notation, see Section III-A1). ⁴⁴4It is important to note that this theorem applies even to SNC schemes on un-directed graphs. If one is somehow allowed to limit oneself with SNC on directed graphs, the counterexample $L_{\rm KRP}$ can be constructed straightforwardly.

The proof of this theorem is give in Section V.

In short, there are situations where the KRPs achieve better securities than the conventional SNC. Hence the accumulation of past research on the conventional SNC is not sufficient to explore the potential of the KRP. In this sense, the KRP is a new research field.

Combining Theorem 1 and Theorem 2, we can also obtain the following corollary.

Corollary 1 (The security of SNC with public channels $\neq$ The security of SNC without public channels (conventional SNC)).

There exists a combination of a graph $G$ , a user configuration $u_{i}$ , and wiretap sets $E^{\rm adv}$ for which there exists a secure SNC scheme with public channel, but there exists no secure SNC scheme without public channels.

IV Proof of Theorem 1

To prove item 1), note that operations of $LKS_{e}$ can be simulated by using $SC_{e}$ . That is, if an end node $v$ of edge $e$ wishes to send a local key $r_{e}$ to the other end node $w$ , it suffices that $v$ generates a random bit $r_{e}\in_{\rm R}\{0,1\}$ by itself and sends it to $w$ via $SC_{e}$ (Fig. 6).

By applying this simulation to all $LKS_{e}$ included in $L$ , one obtains a protocol $L^{\prime}$ where user pairs $u_{i}=(u_{i}^{1},u_{i}^{2})$ share relayed key $k_{i}=(k_{i}^{1},k_{i}^{2})$ in the same setting as in SNC with public channel, given in Section III-A1.

Then by using $k_{i}$ thus obtained to encrypt message $m_{i}$ by the one-time pad (OTP) encryption scheme [9], one obtains $L^{\prime}$ . Here the OTP encryption scheme is the following: User $u_{i}^{1}$ encrypts $m_{i}$ as the ciphertext $c_{i}=m_{i}+k_{i}^{1}$ and sends it to $u_{i}^{2}$ via public channel. Then $u_{i}^{2}$ decrypts it as $\hat{m}_{i}=c_{i}+k_{i}^{2}$ .

The soundness of $L^{\prime}$ is obvious from the construction. The secrecy of $L^{\prime}$ follows from that of $L$ , since the adversary’s information are the same in $L$ and $L^{\prime}$ . Indeed, in $L^{\prime}$ , the secrecy of $r_{e}$ on non-wiretapped edges $e$ is obvious by the construction, and thus the security of $k_{i}$ from that of $L$ . Then the secrecy of $m_{i}$ follows from that of the OTP. This completes the proof of item 1 of Theorem 1.

For the proof of item 2), note that $SC_{e}$ can be simulated by the local key source $LKS_{e}$ and the public channel $PC_{e}$ : When an end node $u$ wishes to send a bit $s_{e}$ to the other end node $v$ , it first distributes a random bit $r_{e}$ by switching on the local key source $LKS_{e}$ . Then $u$ sends $s_{e}$ to $v$ secretly by encrypting it by the OTP encryption scheme with $r_{e}$ being the secret key (Fig. 7).

By applying this construction to all secret channels included in $L$ , one obtains a new KRP, which we denote by $L^{\prime}$ . By construction, it is obvious that message $m_{i}$ as well as the adversary’s information are the same, whether in $L$ or in $L^{\prime}$ . This completes the proof of item 2 of Theorem 1.

V Proof of Theorem 2

Theorem 2 asserts that the difference of structure between the KRP and the conventional SNC (shown in the first and the third columns of Table I, and also explained in the first paragraph of Section III) cause a definite gap in security (Fig. 1). Below, we prove this theorem by proving a set of more general lemmas (Fig. 8).

That is, we introduce another new type of protocols that we call KRP-by-SNC (KRP by the setting of SNC without public channels), which corresponds to the fourth column of Table I. Then we show that secure schemes satisfy the relations

Conventional SNC $\subseteq$ KRP-by-SNC $\subseteq$ KRP

(Lemma 2 and 3), as well as

KRP-by-SNC $\neq$ KRP.

(Lemma 4). These two relations together assert that the KRP is strictly more secure than the conventional SNC, which completes the proof of Theorem 2.

V-A Definition of KRP-by-SNC

KRP-by-SNC (KRP by the setting of SNC without public channels) is a variant of SNC corresponding to the fourth column of Table I. That is, it uses the same setting as in the conventional SNC, where players $V$ use the secret channels $SC_{e}$ only. On the other hand, the goal is the same as in the KRP, where user pairs $u_{i}$ aim to share a random bit $k_{i}$ .

Alternatively, KRP-by-SNC can also be considered as a variant of KRP, obtained by replacing the public channels $PC_{e}$ and the local key sources $LKS_{e}$ with the secret channels $SC_{e}$ .

The formal definition of KRP-by-SNC is as follows.

V-A1 Setting

The setting is the same as that of SNC without public channels (the conventional SNC), except that

•

We denote user pairs by $u_{i}=(u_{i}^{1},u_{i}^{2})$ , as in the case of KRP. We make no distinction between the sender and the receiver.

We use this notation to stress that our goal here is to distribute a random bit $k_{i}$ , and thus no particular user ( $u_{i}^{1}$ or $u_{i}^{2}$ ) is entitled to choose the value $k_{i}$ .

V-A2 KRP-by-SNC

The goal here is the same as that of KRP: Each user pair $u_{i}=(u^{1}_{i},u^{2}_{i})$ share a uniformly random key $k_{i}=(k_{i}^{1},k_{i}^{2})$ , without disseminating it to the adversary. Thus the basic form of the protocol should be the same as that of the KRP given in Definition 2. However, as the setting here is different ( $SC_{e}$ are used instead of $PC_{e}$ and $LKS_{e}$ ), we need to modify Definition 2 as follows.

Definition 7 (KRP-by-SNC).

A protocol $L$ of the following type, performed by players $V$ , is called a KRP-by-SNC.

•

Players $V$ communicate by using secret channels $SC_{e}$ ⁵⁵5We also assume that the outputs of players are defined as functions of previously received data and of random variables generated by the player, and that each player sends out the output whenever necessary data are all received..

Here, each $SC_{e}$ can only be used once.
•

Each user $u_{i}^{j}$ calculates its relayed key $k_{i}^{j}$ .

V-A3 Security criteria of KRP-by-SNC

We use the same security criteria as in the KRP, namely, Definition 3. However, there is a caveat here: In the present case of KRP-by-SNC, the adversary’s information $A(E_{l}^{\rm adv})$ appearing in Definition 3 consists of the secret bits $s_{e}$ on wiretapped edges $e\in E_{l}^{\rm adv}$ . This is because, in KRP-by-SNC, players $V$ use the secret channels $SC_{e}$ only.

V-B Proof of Theorem 2

The following two lemmas assert that the security of KRP-by-SNC is between those of SNC and KRP.

Lemma 2 (Secure conventional SNC $\subseteq$ Secure KRP-by-SNC).

KRP-by-SNCs can always achieve the same security as the conventional SNC schemes. That is, given a conventional SNC scheme $L$ compatible with a graph $G$ and a sender-receiver configuration $u_{i}=(a_{i},b_{i})$ which is secure against wiretap sets ${\cal E}^{\rm adv}$ , one can construct a KRP-by-SNC $L^{\prime}$ compatible with the same $G$ and $u_{i}$ which is secure against the same ${\cal E}^{\rm adv}$ .

Proof.

KRP-by-SNC $L^{\prime}$ can be realized by letting the sender $a_{i}$ of SNC $L$ choose a random bit $k_{i}$ and send it out as a message $m_{i}$ . It is straightforward to verify that the security of $L^{\prime}$ , defined in Section V-A2, follows from the security of $L$ , defined in Section III-A3. ∎

Lemma 3 (Secure KRP-by-SNC $\subseteq$ Secure KRP).

KRP can always achieve the same security as KRP-by-SNC. That is, given a KRP-by-SNC $L$ compatible with a graph $G$ and a user configuration $u_{i}$ which is secure against wiretap sets ${\cal E}^{\rm adv}$ , one can construct a KRP $L^{\prime}$ compatible with the same $G$ and $u_{i}$ which is secure against the same ${\cal E}^{\rm adv}$ .

Proof.

This can be proved in the same manner as in the proof of item 2) of Theorem 1. By rewriting all the secret channels $SC_{e}$ appearing in KRP-by-SNC $L$ as the OTP-encrypted channels using $LKS_{e}$ and $PC_{e}$ , we obtain KRP $L^{\prime}$ . ∎

According to Lemma 3 above, there still remains the possibility that the securities of KRP-by-SNC and KRP are equal. Lemma 4 below disproves this possibility.

Lemma 4 (Secure KRP-by-SNC $\neq$ Secure KRP).

For a graph $G_{0}$ , a user configuration $u_{i}$ (defined in Section V-D), and the empty wiretap set ${\cal E}^{\rm adv}=\{\varnothing\}$ , there exists a secure KRP $L_{\rm KRP}$ (defined in Section V-E1), but there exists no secure KRP-by-SNC.

Hence there is a definite gap in security between KRP-by-SNC and KRP. Combined with Lemma 2, this also means that there is a definite gap in security between KRP and the conventional SNC, which completes the proof of Theorem 2.

The rest of this section is devoted to the proof of Lemma 4. The outline of the proof is as follows. First, we define a graph $G_{0}$ and a configuration of user pairs $u_{i}$ (Section V-D), as well as a KRP $L_{\rm KRP}$ compatible with them (Section V-E1). Then we show that $L_{\rm KRP}$ is secure secure against $\mathcal{E}^{{\rm adv},G_{0}}:=\{\varnothing\}$ , i.e., secure when no edge is wiretapped (Section V-E2). Then we show that there exists no secure KRP-by-SNC compatible with the same $G_{0}$ and $u_{i}$ even when no edge is wiretapped (Section V-F).

V-C Notation

For ease of notation, we will often write $r_{e}$ and $p_{e}$ defined in Definition 1 as $r[e]$ and $p[e]$ . Similarly, we often write $s_{e}$ defined in Definition 4 as $s[e]$ .

V-D Description of the graph $G_{0}$ and the user configuration $u_{i}$

V-D1 Description using figures

We define the graph $G_{0}$ by a nested structure as in Figs. 9, 10, and 11.

That is, we first define a sub-graph $G^{\rm bn}$ by Fig. 9, which is in fact the well-known modified butterfly network [12]. Then we construct the graph $G_{0}$ by connecting subgraphs⁶⁶6Copies of the subgraph $G^{\rm bn}$ labeled with indices $s,i$ . $G^{\rm bn}_{s,i}$ and users $u_{i}^{j}$ , as in Figs. 10 and 11.

V-D2 Alternative description using equations

The same graph $G_{0}=(V_{0},E_{0})$ and the user pairs $u_{i}=(u_{i}^{1},u_{i}^{2})$ can also be defined using equations, as follows.

The node set $V_{0}$ consists of the user pairs $u_{i}^{s}$ , and of the nodes $v_{s,i}^{(\alpha)}$ composing subgraphs $G^{\rm bn}_{s,i}$ , where indices $s,i,\alpha$ are in the ranges $s\in\{1,2\}$ , $i\in\mathbb{Z}/9\mathbb{Z}$ ⁷⁷7We use this notation to suggest that modulo 9 is implied in arithmetic involving variable $i$ . and $\alpha\in\{0,1,2,3,4,5\}$ .

The edge set $E_{0}$ consists of the internal edges of subgraphs $G^{\rm bn}_{s,i}$ ,

$\displaystyle\{v^{(0)},v^{(4)}\}$	$\displaystyle=e^{(4)},$	$\displaystyle\{v^{(2)},v^{(4)}\}$	$\displaystyle=e^{(5)},$	$\displaystyle\{v^{(0)},v^{(3)}\}$	$\displaystyle=e^{(6)},$
$\displaystyle\{v^{(4)},v^{(5)}\}$	$\displaystyle=e^{(7)},$	$\displaystyle\{v^{(2)},v^{(1)}\}$	$\displaystyle=e^{(8)},$	$\displaystyle\{v^{(5)},v^{(3)}\}$	$\displaystyle=e^{(9)},$
$\displaystyle\{v^{(5)},v^{(1)}\}$	$\displaystyle=e^{(10)},$					(3)

edges connecting different subgraphs $G^{\rm bn}_{s,i}$ ,

	$\displaystyle\{v_{1,i}^{(1)},v_{2,2i}^{(2)}\}$	$\displaystyle=e_{1,i}^{(1)}=e_{2,2i}^{(2)},$		(4)
	$\displaystyle\{v_{s,i}^{(3)},v_{s,i+1}^{(0)}\}$	$\displaystyle=e_{s,i}^{(3)}=e_{s,i+1}^{(0)},$		(5)

and edges connecting subgraphs $G^{\rm bn}_{s,i}$ and users $u_{i}^{s}$ :

\displaystyle\{u_{i+1}^{1},v_{1,i}^{(2)}\}=e_{1,i}^{(2)},\ \{v_{2,2i}^{(1)},u_{i+4}^{2}\}

\displaystyle=e_{2,2i}^{(1)},

(6)

where $s\in\{1,2\}$ , $i\in\mathbb{Z}/9\mathbb{Z}$ .

V-D3 Notation related with $G^{\rm bn}_{s,i}$

Below, for ease of notation, we will often suppress subscripts $s,i$ (corresponding to one of subgraphs $G^{\rm bn}_{s,i}$ ), if it is clear from the context which subgraph $G^{\rm bn}_{s,i}$ we focus on. Also, whenever we say a subgraph $G_{s,i}^{\rm bn}$ is a sender/receiver, it means that a node inside $G_{s,i}^{\rm bn}$ is a sender/receiver.

V-E KRP $L_{\rm KRP}$ compatible with $G_{0}$ and $u_{i}$

V-E1 Construction of $L_{\rm KRP}$

First step

The goal here is that: For all $s,i$ and $\beta\in\{0,2\}$ , the node $v_{s,i}^{(\beta)}$ sends the local key $r[e_{s,i}^{(\beta)}]$ to the node $v_{s,i}^{(\beta+1)}$ secretly.

In order to realize this task, we use the following idea: Note that, if secret channels $SC_{e}$ were available, this task could be realized by using the well-known modified butterfly network coding in each sub-graph $G_{s,i}^{\rm bn}$ [12]. However, since we do not have secret channels $SC_{e}$ in the present setting, we emulate them with the one-time pad (OTP) encrpytion using local keys supplied by $LKS_{e}$ and with public communication on $PC_{e}$ (as we did in the proof of Theorem 1; also see Fig. 7). Namely, whenever a node $v^{(\alpha)}$ wishes to secretly transmit a bit $r$ to an adjecent node $v^{(\alpha^{\prime})}$ , it encrypts $r$ using the key supplied by $LKS_{e}$ on the edge $e$ between $v^{(\alpha)}$ and $v^{(\alpha^{\prime})}$ , and sends it to $v^{(\alpha^{\prime})}$ via the public channel $PC_{e}$ . In the following, we often write this emulated secret transmission as $v^{(\alpha)}\rightarrow v^{(\alpha^{\prime})}:r$ .

Due to this idea and notation, our first step of $L_{\rm KRP}$ takes the following form (Fig. 12):

$\displaystyle v^{(0)}\rightarrow v^{(3)}:$	$\displaystyle r[e^{(0)}]$	(7)
$\displaystyle v^{(0)}\rightarrow v^{(4)}:$	$\displaystyle r[e^{(0)}]$	(8)
$\displaystyle v^{(2)}\rightarrow v^{(1)}:$	$\displaystyle r[e^{(2)}]$	(9)
$\displaystyle v^{(2)}\rightarrow v^{(4)}:$	$\displaystyle r[e^{(2)}]$	(10)
$\displaystyle v^{(4)}\rightarrow v^{(5)}:$	$\displaystyle r[e^{(0)}]\oplus r[e^{(2)}]$	(11)
$\displaystyle v^{(5)}\rightarrow v^{(1)}:$	$\displaystyle r[e^{(0)}]\oplus r[e^{(2)}]$	(12)
$\displaystyle v^{(5)}\rightarrow v^{(3)}:$	$\displaystyle r[e^{(0)}]\oplus r[e^{(2)}],$	(13)

and $v^{(1)}$ and $v^{(3)}$ obtain the values $(r[e^{(0)}]\oplus r[e^{(2)}])\oplus r[e^{(2)}]$ and $(r[e^{(0)}]\oplus r[e^{(2)}])\oplus r[e^{(0)}]$ respectively.

Second step

Next, using the local keys $r[e_{s,i}^{(\beta)}]$ thus obtained, each user pair $u_{i}=(u_{i}^{1},u_{i}^{2})$ shares a relayed key. They do this by performing the serial KRP of Fig. 3 (a), on a straight path consisting of edges $v_{1,i+8}^{(3)}$ , $v_{1,i}^{(1)}$ , $v_{2,2i}^{(3)}$ and $v_{2,2i+1}^{(1)}$ .

Namely, the nodes in the middle of the path announce $r[e^{(2)}_{1,i+8}]\oplus r[e^{(0)}_{1,i}]$ , $r[e^{(0)}_{1,i}]\oplus r[e^{(2)}_{2,2i}]$ , $r[e^{(2)}_{2,2i}]\oplus r[e^{(0)}_{2,2i+1}]$ and $r[e^{(0)}_{2,2i+1}]\oplus r[e^{(1)}_{2,2i+1}]$ , and then the user $u_{i}^{2}$ obtains the bit $r[e^{(2)}_{1,i+8}]$ by summing up the published bits and the local key $r[e^{(1)}_{2,2i+1}]$ .

V-E2 Security of $L_{\rm KRP}$

From the construction above, we immediately have the following lemma.

Lemma 5 (Security of $L_{\rm KRP}$ ).

The KRP $L_{\rm KRP}$ is secure against wiretap sets ${\cal E}^{{{\rm adv},G_{0}}}=\{\varnothing\}$ .

Proof.

We give a detailed proof in Appendix. The basic idea of the proof is as follows.

The security (the secrecy and the soundness) of the emulated secret channels used in the first step is obvious by construction, and thus the security of the local key $r[e_{s,i}^{(\beta)}]$ is guaranteed by that of the modified butterfly network coding. The security of the serial KRP is also obvious by construction. These two facts together guarantee the security of $L_{\rm KRP}$ . ∎

V-F Proof that there exists no secure KRP-by-SNC compatible with $G_{0}$ and $u_{i}$

Lemma 4 asserts that there exists no secure KRP-by-SNC compatible with $G_{0}$ and $u_{i}$ defined above, even when no edge is wiretapped. Below we prove this assertion by first supposing that such KRP-by-SNC exists and then deriving a contradiction.

In order to describe the contradiction, it is convenient to number edges $e$ according to the time when the secret channel $SC_{e}$ is used. Obviously, such numbering is possible for any KRP-by-SNC. Formally, this numbering is equivalent to the following total order $\prec$ .

Definition 8 (Total order $\prec$ of edges).

Given a KRP-by-SNC $L$ on a graph $G=(V,E)$ , we write $e\prec e^{\prime}$ ( $e\in E$ is smaller than $e^{\prime}\in E$ ) if the secret channel $SC_{e}$ is used before $SC_{e^{\prime}}$ is used, in $L$ .

Now, if we suppose that there exists a secure KRP-by-SNC $L_{0}$ (compatible with $G_{0}$ , $u_{i}$ , and ${\cal E}^{{\rm adv}}=\{\varnothing\}$ ), $L_{0}$ must satisfy the condition of the following lemma.

Lemma 6.

If a KRP-by-SNC $L_{0}$ compatible with $G_{0}$ and $u_{i}$ is secure against ${\cal E}^{\rm adv}=\{\varnothing\}$ , then at least one of subgraphs $G_{s,i}^{\rm bn}\subset G_{0}$ must satisfy the following four requirements:

R1

For $\beta\in\{0,2\}$ each, the secret bits conveyed on the edges $e_{s,i}^{(\beta)}$ and $e_{s,i}^{(\beta+1)}$ are completely random and completely correlated, i.e. $I(S[e_{s,i}^{(\beta)}]:S[e_{s,i}^{(\beta+1)}])=1$ .
R2

The secret bit on $e_{s,i}^{(0)}$ is independent of that on $e_{s,i}^{(2)}$ , i.e. $I(S[e_{s,i}^{(0)}]:S[e_{s,i}^{(2)}])=0$ .
R3

For $\beta\in\{0,2\}$ each, $G_{s,i}^{\rm bn}$ is the sender of the larger edge of $e_{s,i}^{(\beta)}$ and $e_{s,i}^{(\beta+1)}$ .
R4

$G_{s,i}^{\rm bn}$ is the receiver of the second largest edge in the set $\{e_{s,i}^{(\alpha)}\}_{\alpha\in\{0,1,2,3\}}$ .

We will prove this lemma in Section V-G.

However, we can also show that no KRP-by-SNC can satisfy such condition:

Lemma 7.

In any KRP-by-SNC $L_{0}$ compatible with $G_{0}$ and $u_{i}$ , no subgraph $G_{s,i}^{\rm bn}$ can satisfy the four requirements R1, $\dots$ , R4 of Lemma 6 simultaneously.

This is a contradiction, and thus a secure $L_{0}$ cannot exist. This completes the proof of Lemma 4.

Proof of Lemma 7.

We suppose that one of subgraphs $G_{s,i}^{\rm bn}$ satisfies R1, $\dots$ , R4, and derive a contradiction.

Below, as we concentrate on one such $G_{s,i}^{\rm bn}$ satisfying R1, $\dots$ , R4, we omit subscripts $s,i$ for ease of notation, on the subgraph $G_{s,i}^{\rm bn}$ , edges $e_{s,i}^{(\alpha)}$ , and nodes $v_{s,i}^{(\alpha)}$ . Also, as KRP-by-SNC here uses only one type of channels, $SC_{e}$ , we will often identify an edge $e$ with the secret channel $SC_{e}$ .

First note that the pair of the two largest edges in $\{e^{(\alpha)}\}_{\alpha\in\{0,1,2,3\}}$ must either be $e^{(0)}$ and $e^{(1)}$ , or be $e^{(2)}$ and $e^{(3)}$ . This is because if it is not the case, then R3 says that $G^{\rm bn}$ ( $=G_{s,i}^{\rm bn}$ ) is the sender of the second largest edge, but this contradicts R4.

Then, of all the remaining cases, we will below focus on one particular case where edges $e^{(\alpha)}$ are ordered as

1)

$e^{(0)}\prec e^{(1)}\prec e^{(2)}\prec e^{(3)}$ ,

and derive a contradiction. (Other cases, such as $e^{(2)}\prec e^{(3)}\prec e^{(1)}\prec e^{(2)}$ , can also be shown similarly.) In this case, due to R1 and R2 we have

2)

$I(S[e^{(0)}];S[e^{(1)}])=1$ ,
3)

$I(S[e^{(2)}];S[e^{(3)}])=1$ ,
4)

$I(S[e^{(0)}];S[e^{(2)}])=0$ .

Also, $G^{\rm bn}$ must be the sender of edges $e^{(1)}$ and $e^{(3)}$ due to R3, and also the receiver of $e^{(2)}$ due to R4. Thus we have

5)

$v^{(1)}$ is the sender of $e^{(1)}$ ,
6)

$v^{(2)}$ is the receiver of $e^{(2)}$ ,
7)

$v^{(3)}$ is the sender of $e^{(3)}$ .

From relations 1), $\dots$ ,7) above, we can also prove the following two relations,

8)

A series of edges connecting $v^{(0)}$ and $v^{(1)}$ , e.g. $e^{(4)}$ , $e^{(7)}$ and $e^{(10)}$ , are smaller than $e^{(1)}$ ,
9)

A series of edges connecting $v^{(2)}$ and $v^{(3)}$ , e.g. $e^{(5)}$ , $e^{(7)}$ and $e^{(9)}$ , are larger than $e^{(2)}$ and smaller than $e^{(3)}$ .

However, these two relations contradict each other, and thus Lemma 7 is be proved.

Item 8) is obtained as follows: In order to realize relations 1), 2), and 5), the information of the secret bit on $e^{(0)}$ must be transferred from $v^{(0)}$ to $v^{(1)}$ before using the edge $e^{(1)}$ . For this transfer, a series of edges connecting $v^{(0)}$ and $v^{(1)}$ must be used. Here, we have used the fact that there is no correlation between nodes before executing protocol $L_{0}$ .

Item 9) is obtained as follows: Relations 2) and 4) imply that $I(S[e^{(0)}],S[e^{(1)}];S[e^{(2)}])=0$ . Combining this fact and relations 1) and 6), we find that, before the secret channel on $e^{(2)}$ is used, any random variable obtained on the nodes $\{v^{(\alpha)}\}_{\alpha}$ is independent of $S[e^{(2)}]$ . As a result, relations 1), 3) and 7) imply that, the secret bit on $e^{(2)}$ must be transferred from $v^{(2)}$ to $v^{(3)}$ before $e^{(3)}$ is used (and of course after $e^{(2)}$ is used). ∎

V-G Proof of Lemma 6

We first introduce the notion of the standard path along with three lemmas related with it, and then use them to prove Lemma 6.

V-G1 Standard path and the related lemmas

Definition 9 (Standard path $e_{i}^{\left<\gamma\right>}$ ).

For each user pair $u_{i}=(u_{i}^{1},u_{i}^{2})$ , we define standard path $i$ connecting them via subgraphs $G^{\rm bn}$ (more precisely, subgraphs $G_{1,i+8}^{\rm bn}$ , $G_{1,i}^{\rm bn}$ , $G_{2,2i}^{\rm bn}$ , and $G_{2,2i+1}^{\rm bn}$ ) as in Fig. 13. The standard path $i$ consists of the following five edges,

$\displaystyle e_{i}^{\left<0\right>}$	$\displaystyle:=e_{1,i+8}^{(2)},$
$\displaystyle e_{i}^{\left<1\right>}$	$\displaystyle:=e_{1,i+8}^{(3)}=e_{1,i}^{(0)},$
$\displaystyle e_{i}^{\left<2\right>}$	$\displaystyle:=e_{1,i}^{(1)}=e_{2,2i}^{(2)},$
$\displaystyle e_{i}^{\left<3\right>}$	$\displaystyle:=e_{2,2i}^{(3)}=e_{2,2i+1}^{(0)},$
$\displaystyle e_{i}^{\left<4\right>}$	$\displaystyle:=e_{2,2i+1}^{(1)}.$	(14)

We can show that all the edges $e^{\langle\gamma\rangle}_{i}$ on a standard path $i$ conveys essentially the same information, the relayed key $k_{i}$ .

Lemma 8.

In each standard path $i$ , the secret bits $S[e_{i}^{\left<\gamma\right>}]$ conveyed there must be equal to the relayed key $k_{i}^{1}=k_{i}^{2}$ shared by the user pair $u_{i}^{1}$ and $u_{i}^{2}$ at the end points, up to constants. That is, for any $i$ , $j$ and $\gamma$ ,

\displaystyle S[e_{i}^{\left<\gamma\right>}]

\displaystyle=K_{i}^{j}\oplus d[e_{i}^{\left<\gamma\right>}]

(15)

with $d[e_{i}^{\left<\gamma\right>}]$ being constants.

We will prove this lemma in Section V-I.

Further, we can also show that $k_{i}$ is first generated locally by one entity (a subgraph $G^{\rm bn}_{i^{\prime},s^{\prime}}$ or a user $u_{i}^{j}$ ) on the standard path $i$ , and then repeatedly conveyed to an adjacent entity, until it is shared by the users $u_{i}^{1}$ and $u_{i}^{2}$ at the end points; see Fig. 14. This phenomenon can be stated formally in terms of the ordering $\prec$ , as follows.

Lemma 9.

In each standard path $i$ , the edges are used in the following manner. Let $e_{i}^{\left<\gamma_{i}\right>}$ denote the first edge used. Then,

•

Edges to the upper left of $e_{i}^{\left<\gamma_{i}\right>}$ are used in order from lower right to upper left:

$\displaystyle e_{i}^{\left<\gamma_{i}\right>}\prec e_{i}^{\left<\gamma_{i}-1\right>}\prec\cdots\prec e_{i}^{\left<0\right>},$ (16)

and secret bits $S[e_{i}^{\left<\gamma\right>}]$ on these edges besides $e_{i}^{\left<\gamma_{i}\right>}$ flow left or upward.
•

Similarly, edges to the lower right of $e_{i}^{\left<\gamma_{i}\right>}$ are used in order from upper left to lower right:

$\displaystyle e_{i}^{\left<\gamma_{i}\right>}\prec e_{i}^{\left<\gamma_{i}+1\right>}\prec\cdots\prec e_{i}^{\left<4\right>}.$ (17)

and secret bits $S[e_{i}^{\left<\gamma\right>}]$ on these edges besides $e_{i}^{\left<\gamma_{i}\right>}$ flow right or downward.

We will prove this lemma in Section V-J.

We can also show the following lemma.

Lemma 10.

At least one of the following two conditions is false:

C1

For any subgraph $G_{s,i}^{\rm bn}$ , $e_{s,i}^{(0)}$ or $e_{s,i}^{(1)}$ is the smallest edge in the standard path containing the two edges $e_{s,i}^{(0)}$ and $e_{s,i}^{(1)}$ , when they are the two largest edges in $\{e_{s,i}^{(\alpha)}\}_{\alpha\in\{0,1,2,3\}}$ .
C2

For any subgraph $G_{s,i}^{\rm bn}$ , $e_{s,i}^{(2)}$ or $e_{s,i}^{(3)}$ is the smallest edge in the standard path containing the two edges $e_{s,i}^{(2)}$ and $e_{s,i}^{(3)}$ , when they are the two largest edges in $\{e_{s,i}^{(\alpha)}\}_{\alpha\in\{0,1,2,3\}}$ .

We will prove this lemma in Section V-K.

V-G2 Proof of Lemma 6

From Lemma 8 (respectively, from Lemma 9), all the subgraph $G_{s,i}^{\rm bn}$ satisfy R1 and R2 (respectively, R3) in Lemma 6. Here, in order to derive R2, we used the mutual independence of $\{K_{i}^{j}\}_{i}$ additionally.

Hence, it remains to show that R4 holds for some $G_{s,i}^{\rm bn}$ . To this end, we suppose that R4 does not hold for any $G_{s,i}^{\rm bn}$ , and derive a contradiction with Lemma 10.

This is equivalent to showing that, in any subgraph $G_{s,i}^{\rm bn}$ ,

(i)

C1 and C2 hold if R4 does not hold.

Below we will choose one of $G_{s,i}^{\rm bn}$ and show how to prove item (i). As $G_{s,i}^{\rm bn}$ is fixed, we omit subscripts $s,i$ on the notation $e_{s,i}^{(\alpha)}$ for simplicity.

For the sake of the simplicity, we consider only the case of $e^{(0)}\prec e^{(1)}$ and $e^{(2)}\prec e^{(3)}$ ; all other cases can be shown similarly.

Then, we divide the remaining situation into three cases:

First, if the second largest edge in the set $\{e^{(\alpha)}\}_{\alpha\in\{0,1,2,3\}}$ is $e^{(1)}$ or $e^{(3)}$ , the order $e^{(0)},e^{(2)}\prec e^{(1)},e^{(3)}$ must be derived from the assumptions $e^{(0)}\prec e^{(1)}$ and $e^{(2)}\prec e^{(3)}$ , i.e. item (i) holds.

Second, if the second largest edge in the set $\{e^{(\alpha)}\}_{\alpha}$ is $e^{(0)}$ , we find that $e^{(2)},e^{(3)}\prec e^{(0)}\prec e^{(1)}$ holds (as a result, C2 holds) and the sender of $e^{(0)}$ must be $G_{s,i}^{\rm bn}$ . Here, we have used the assumption that R4 does not hold. From this fact and $e^{(0)}\prec e^{(1)}$ , Lemma 9 guarantees that $e^{(0)}$ is the smallest edge in the standard path where it belongs, i.e. C1 holds. Thus, the item (i) also holds in this case.

Finally, if the second largest edge in the set $\{e^{(\alpha)}\}_{\alpha}$ is $e^{(2)}$ , we can also show that item (i) holds in the same way as in the previous case.

This completes the proof of Lemma 6.

V-H Note on notation: $v_{s,i}$ and $E_{0}^{\rm st}$

In the proofs of Lemmas 8, 9 and 10 given below, we only need to consider communication between subgraphs $G_{s,i}^{\rm bn}$ , and do not need to refer to communication occurring inside each $G_{s,i}^{\rm bn}$ . Therefore, in order to simplify the presentation, we will often denote a subgraph $G_{s,i}^{\rm bn}$ as a single node $v_{s,i}$ . For example, the edge set $\{u^{1}_{i},v_{s,i}\}$ denotes the set $\{u^{1}_{i},v_{s,i}^{(0)},v_{s,i}^{(1)},v_{s,i}^{(2)},v_{s,i}^{(3)},v_{s,i}^{(4)},v_{s,i}^{(5)}\}$ .

Accordingly, we will also regard the graph $G_{0}$ as consisting of edges that connect nodes $v_{s,i}$ ( $=G_{s,i}^{\rm bn}$ ) and $u^{i}$ , which we denote by $E_{0}^{\rm st}$ . This edge set $E_{0}^{\rm st}$ in fact consists of edges on the standard paths $i$ , defined in the previous section,

E_{0}^{\rm st}:=\{e_{i}^{\left<\gamma\right>}\}_{i\in\mathbb{Z}/9\mathbb{Z},\gamma\in\{0,1,2,3,4\}}.

(18)

V-I Proof of Lemma 8

V-I1 Case of $e_{i}^{\left<0\right>}$

We divide nodes $V_{0}$ into $u_{i}^{1}$ and the others:

	$\displaystyle V_{i}^{(1)}$	$\displaystyle:=\{u_{i}^{1}\}$		(19)
	$\displaystyle\bar{V}_{i}^{(1)}$	$\displaystyle:=V_{0}\backslash V_{i}^{(1)}$		(20)

Since these two sets are connected by $e_{i}^{\langle 0\rangle}$ only, there must be functions $f_{i}^{(j)}$ which satisfy the relation

		$\displaystyle f_{i}^{(1)}\left(S[e_{i}^{\left<0\right>}],\{C_{v}\}_{v\in V_{i}^{(1)}}\right)=K_{i}^{1}$
	$\displaystyle=$	$\displaystyle K_{i}^{2}=f_{i}^{(2)}\left(S[e_{i}^{\left<0\right>}],\{C_{v}\}_{v\in\bar{V}_{i}^{(1)}}\right).$		(21)

where $C_{v}$ denotes all the random variables possessed by node $v\in V_{0}$ before executing protocol $L_{0}$ . The first (last) equality in (21) comes from the facts that the node $u_{i}^{1}$ ( $u_{i}^{2}$ ) are in the set $V_{i}^{(1)}$ ( $\bar{V}_{i}^{(1)}$ ). The second equality follows from the soundness of $L_{0}$ .

Recall that the two sets $V_{i}^{(1)}$ and $\bar{V}_{i}^{(1)}$ are connected by $e_{i}^{\langle 0\rangle}$ only. Also, note that from the setting of the KRP-by-SNC, the secret bit $S[e_{i}^{\left<0\right>}]$ must be generated locally by the sender. Then, we have

		$\displaystyle I(S[e_{i}^{\left<0\right>}],\{C_{v}\}_{v\in V_{i}^{(1)}};S[e_{i}^{\left<0\right>}],\{C_{v}\}_{v\in\bar{V}_{i}^{(1)}})$
	$\displaystyle=$	$\displaystyle H(S[e_{i}^{\left<0\right>}]).$		(22)

Also, since $S[e_{i}^{\left<0\right>}]$ is one bit,

\displaystyle H(S[e_{i}^{\left<0\right>}])\leq 1.

(23)

It remains to apply the following lemma to relations (21), (22), (21), and $H\left(K_{i}^{j}\right)=1$ .

Lemma 11.

If $B$ , $C_{0}$ , and $C_{1}$ are random variables, and $f_{0}$ and $f_{1}$ are functions, satisfying

	$\displaystyle f_{0}(B,C_{0})$	$\displaystyle=f_{1}(B,C_{1})=:A,$		(24)
	$\displaystyle H(A)$	$\displaystyle\geq I(B,C_{0};B,C_{1})=H(B)$		(25)

with $A\in{\cal A}$ , $B\in{\cal B}$ where $|{\cal A}|=|{\cal B}|$ . Then, there is a bijective function $g$ such that $g(A)=B$ .

Proof of this lemma is shown in Appendix. By using this lemma, we can find a bijective function $g$ such that

\displaystyle S[e_{i}^{\left<0\right>}]

\displaystyle=g\left(K_{i}^{j}\right).

(26)

In other words, we can find a certain constant values $d[e_{i}^{\left<0\right>}]\in\mathbb{Z}_{2}$ such that the relation

\displaystyle K_{i}^{j}

\displaystyle=S[e_{i}^{\left<0\right>}]\oplus d[e_{i}^{\left<0\right>}]

(27)

holds for $i\in\mathbb{Z}/9\mathbb{Z}$ and $j\in\{1,2\}$ . When we apply Lemma 11 above, we have substituted $K_{i}^{j}$ , $S[e_{i}^{\left<0\right>}]$ , $\{C_{v}\}_{v\in V_{i}^{(1)}}$ and $\{C_{v}\}_{v\in\bar{V}_{i}^{(1)}}$ into $A$ , $B$ , $C_{0}$ and $C_{1}$ in Lemma respectively.

Note, that from the constraint of soundness $K_{i}^{1}=K_{i}^{2}$ , we do not have to discriminate $K_{i}^{1}$ and $K_{i}^{2}$ hereafter. Therefore, we abbreviate the $K_{i}^{j}$ into $K_{i}$ below.

V-I2 Case of $e_{i}^{\left<4\right>}$

This case can be shown completely in the same manner as the case of $e_{i}^{\left<0\right>}$ . We have the relation

\displaystyle K_{i}

\displaystyle=S[e_{i}^{\left<4\right>}]\oplus d[e_{i}^{\left<4\right>}]

(28)

for a certain constant $d[e_{i}^{\left<4\right>}]$ .

V-I3 Cases of $e_{i}^{\left<1\right>}$ , $e_{i}^{\left<2\right>}$ , and $e_{i}^{\left<3\right>}$

First, we use the same idea as in the case of $e_{i}^{\left<0\right>}$ . We define the sets

$\displaystyle V^{(3)}_{i}$	$\displaystyle:=\{u_{i+1}^{1},u_{i+2}^{1},u_{i+8}^{2},u_{i+4}^{2},u_{i}^{2},u_{i+5}^{2},$
	$\displaystyle\quad\quad\quad v_{1,i},v_{1,i+1},v_{2,2i+8},v_{2,2i},v_{2,2i+1},v_{2,2i+2}\}$	(29)
$\displaystyle V^{(4)}_{i}$	$\displaystyle:=\{u_{i+1}^{1},u_{i+2}^{1},u_{i+3}^{1},u_{i+4}^{2},u_{i}^{2},u_{i+5}^{2},$
	$\displaystyle\quad\quad\quad v_{1,i},v_{1,i+1},v_{1,i+2},v_{2,2i},v_{2,2i+1},v_{2,2i+2}\}$	(30)
$\displaystyle V^{(5)}_{j}$	$\displaystyle:=\{u_{i+1}^{1},u_{i+2}^{1},u_{i+3}^{1},u_{i+4}^{2},u_{i}^{2},u_{i+5}^{2},u_{i+6}^{2},$
	$\displaystyle\quad\quad v_{1,i},v_{1,i+1},v_{1,i+2},v_{2,2i},v_{2,2i+1},v_{2,2i+2},v_{2,2i+4}\}$	(31)
$\displaystyle V^{(6)}_{i}$	$\displaystyle:=\{u_{i+1}^{1},u_{i+2}^{1},u_{i+6}^{1},u_{i+4}^{2},u_{i}^{2},u_{i+5}^{2},$
	$\displaystyle\quad\quad\quad v_{1,i},v_{1,i+1},v_{1,i+5},v_{2,2i},v_{2,2i+1},v_{2,2i+2}\}.$	(32)

and $\bar{V}_{i}^{(\mu)}:=V_{0}\backslash V_{i}^{(\mu)}$ .

Since the two sets $V_{i}^{(3)}$ and $\bar{V}_{i}^{(3)}$ are connected only by $e_{i}^{\left<1\right>}$ , $e_{i+2}^{\left<1\right>}$ , $e_{i+1}^{\left<3\right>}$ , $e_{i+8}^{\left<3\right>}$ , $e_{i+4}^{\left<2\right>}$ , and $e_{i+5}^{\left<2\right>}$ , there exists a bijective function $g^{(3,i)}$ :

	$\displaystyle\quad\left(S[e_{i}^{\left<1\right>}],S[e_{i+2}^{\left<1\right>}],S[e_{i+1}^{\left<3\right>}],S[e_{i+8}^{\left<3\right>}],S[e_{i+4}^{\left<2\right>}],S[e_{i+5}^{\left<2\right>}]\right)$
	$\displaystyle=g^{(3,i)}\left(K_{i},K_{i+1},K_{i+2},K_{i+4},K_{i+5},K_{i+8}\right).$		(33)

Similarly, we have bijective functions $g^{(\mu,i)}$ for $\mu\in\{4,5,6\}$ and $i\in\mathbb{Z}/9\mathbb{Z}$ such that

	$\displaystyle\quad\left(S[e_{i}^{\left<1\right>}],S[e_{i+3}^{\left<1\right>}],S[e_{i+4}^{\left<3\right>}],S[e_{i+1}^{\left<3\right>}],S[e_{i+2}^{\left<2\right>}],S[e_{i+5}^{\left<2\right>}]\right)$
	$\displaystyle=g^{(4,i)}\left(K_{i},K_{i+1},K_{i+2},K_{i+3},K_{i+4},K_{i+5}\right)$		(34)
	$\displaystyle\quad\left(S[e_{i}^{\left<1\right>}],S[e_{i+3}^{\left<1\right>}],S[e_{i+4}^{\left<3\right>}],S[e_{i+1}^{\left<3\right>}],\right.$
	$\displaystyle\quad\quad\quad\quad\left.S[e_{i+6}^{\left<3\right>}],S[e_{i+2}^{\left<3\right>}],S[e_{i+5}^{\left<2\right>}]\right)$
	$\displaystyle=g^{(5,i)}\left(K_{i},K_{i+1},K_{i+2},K_{i+3},K_{i+4},K_{i+5},K_{i+6}\right)$		(35)
	$\displaystyle\quad\left(S[e_{i}^{\left<1\right>}],S[e_{i+2}^{\left<1\right>}],S[e_{i+5}^{\left<1\right>}],S[e_{i+6}^{\left<1\right>}],S[e_{i+4}^{\left<3\right>}],S[e_{i+1}^{\left<3\right>}]\right)$
	$\displaystyle=g^{(6,i)}\left(K_{i},K_{i+1},K_{i+2},K_{i+4},K_{i+5},K_{i+6}\right).$		(36)

From these relations, we see that, for any $e\in E_{0}^{\rm st}$ , random variable $S[e]$ is generated by at least one of bijective functions on a subset of $\{K_{i}\}_{i\in\mathbb{Z}/9\mathbb{Z}}$ , i.e. the eqs. (27), (28), (33), (34), (35) and (36). This fact and the complete randomness of $\{K_{i}\}_{i}$ guarantee that the $S[e]$ must have the maximum entropy, i.e.

\displaystyle H(S[e])=1.

(37)

for $e\in E_{0}^{\rm st}$ .

The equations (33) $\sim$ (36) allow to write the random variable $S[e_{i}^{\left<1\right>}]$ in multiple expressions as follows:

$\displaystyle S[e_{i}^{\left<1\right>}]$	$\displaystyle=g^{(4,i)}_{1}(K_{i},K_{i+1},K_{i+2},K_{i+3},K_{i+4},K_{i+5})$
	$\displaystyle=g^{(4,i+6)}_{2}(K_{i+6},K_{i+7},K_{i+8},K_{i},K_{i+1},K_{i+2})$
	$\displaystyle=g^{(6,i+3)}_{4}(K_{i+3},K_{i+4},K_{i+5},K_{i+7},K_{i+8},K_{i}).$	(38)

Here, $g^{(\mu,i)}_{k}(\cdot)$ denotes the $k$ -th element of the list of variables defined by the function $g^{\mu,i}(\cdot)$ . From the complete randomness of $\{K_{i}\}_{i}$ , $S[e_{i}^{\left<1\right>}]$ must depend only on the inter section of the sets as arguments of these functions:

$\displaystyle\{K_{i},K_{i+1},K_{i+2},K_{i+3},K_{i+4},K_{i+5},\}$
$\displaystyle\cap\{K_{i},K_{i+1},K_{i+2},K_{i+6},K_{i+7},K_{i+8}\}$
$\displaystyle\cap\{K_{i},K_{i+3},K_{i+4},K_{i+5},K_{i+7},K_{i+8}\}$	$\displaystyle=\{K_{i}\}.$	(39)

This fact and the relation (37) imply that

\displaystyle S[e_{i}^{\left<1\right>}]=K_{i}\oplus d[e_{i}^{\left<1\right>}]

(40)

for a certain constant $d[e_{i}^{\left<1\right>}]$ .

In the same way, from the multiple representations of $S[e_{i}^{\left<2\right>}]$ and $S[e_{i}^{\left<3\right>}]$ :

$\displaystyle S[e_{i}^{\left<2\right>}]$	$\displaystyle=g^{(3,i+5)}_{5}(K_{i+5},K_{i+6},K_{i+7},K_{i},K_{i+1},K_{i+4})$
	$\displaystyle=g^{(3,i+4)}_{6}(K_{i+4},K_{i+5},K_{i+6},K_{i+8},K_{i},K_{i+3})$
	$\displaystyle=g^{(4,i+7)}_{5}(K_{i+7},K_{i+8},K_{i},K_{i+1},K_{i+2},K_{i+3}),$	(41)
$\displaystyle S[e_{i}^{\left<3\right>}]$	$\displaystyle=g^{(4,i+8)}_{4}(K_{i+8},K_{i},K_{i+1},K_{i+2},K_{i+3},K_{i+4})$
	$\displaystyle=g^{(5,i+3)}_{5}(K_{i+3},K_{i+4},K_{i+5},K_{i+6},K_{i+7},K_{i+8},K_{i})$
	$\displaystyle=g^{(6,i+5)}_{5}(K_{i+5},K_{i+6},K_{i+7},K_{i},K_{i+1},K_{i+2}),$	(42)

we can find that there are certain constants $d[e_{i}^{\left<\gamma\right>}]$ such that the relation

\displaystyle S[e_{i}^{\left<\gamma\right>}]

\displaystyle=K_{i}\oplus d[e_{i}^{\left<\gamma\right>}]

(43)

hold for $\gamma\in\{2,3\}$ .

Eqs. (27), (28), (40) and (43) prove the lemma.

V-J Proof of Lemma 9

Protocol $L_{0}$ can be viewed as a communication protocol performed by the subgraphs $G_{s,i}^{\rm bn}$ using the standard paths.

In this picture, the communication between $G_{s,i}^{\rm bn}$ satisfy the following properties.

1)

Subgraphs $G_{s,i}^{\rm bn}$ are connected solely by the standard paths.
2)

Each standard path $i^{\prime}$ is a straight line.
3)

All edges in standard path $i^{\prime}$ convey the same random bit $K_{i^{\prime}}$ , up to a constant (Lemma 8).
4)

Random bits $K_{i^{\prime}}$ are independent of each other (due to the definition of the KRP).

For these properties to hold, it is necessary that

a)

Random bit $K_{i^{\prime}}$ is generated inside one of subgraphs $G_{s,i}^{\rm bn}$ on the standard path $i^{\prime}$ .
b)

Value of $K_{i^{\prime}}$ thus generated is conveyed repeatedly to adjacent subgraphs $G_{s,i}^{\rm bn}$ on the same standard path $i^{\prime}$ .

and thus the lemma holds.

Indeed, if a) is not true, i.e., if $K_{i^{\prime}}$ is generated independently by two or more of $G_{s,i}^{\rm bn}$ , there is a nonzero probability that their values differ. For other subgraphs $G_{s,i}^{\rm bn}$ to be able to send out $K_{i^{\prime}}$ thus generated, they must learn it from an adjacent subgraph which already knows $K_{i^{\prime}}$ .

V-K Proof of Lemma 10

We will take two steps.

First, we will show that, for any order $\prec$ , there is a subset $E^{\prime}$ of $E_{0}^{\rm st}$ which satisfies the following four items:

1)

the subset $E^{\prime}$ contains the smallest edge in any standard path $i$ .
2)

$E_{0}^{\rm st}\neq E^{\prime}$ ,
3)

When $i\in\mathbb{Z}/9\mathbb{Z}$ is a value satisfying $e^{\left<\gamma\right>}_{i},e^{\left<\gamma^{\prime}\right>}_{i+1}\in E^{\prime}$ for $\gamma\in\{1,2\}$ and $\gamma^{\prime}\in\{0,1\}$ , the relation $e^{\left<3-\gamma\right>}_{i},e^{\left<1-\gamma^{\prime}\right>}_{i+1}\in E^{\prime}$ holds.
4)

When $i\in\mathbb{Z}/9\mathbb{Z}$ is a value satisfying $e^{\left<\gamma\right>}_{i},e^{\left<\gamma^{\prime}\right>}_{i+5}\in E^{\prime}$ for $\gamma\in\{3,4\}$ and $\gamma^{\prime}\in\{2,3\}$ , the relation $e^{\left<7-\gamma\right>}_{i},e^{\left<5-\gamma^{\prime}\right>}_{i+5}\in E^{\prime}$ holds.

Second, we will show that the existence of $E^{\prime}$ defined above and conditions $C_{1}$ and $C_{2}$ are incompatible for the order $\prec$ defined from a secure protocol $L_{0}$ .

Thus, Lemma Lemma 10 holds.

The first step is shown as follows: We constructively show that for any sequence $\{\gamma_{i}\in\{0,1,2,3,4\}\}_{i\in\mathbb{Z}/9\mathbb{Z}}$ , there is a subset which satisfies

1’)

$\forall i,\quad e^{\left<\gamma_{i}\right>}_{i}\in E^{\prime}$ ,

2), 3), and 4). Such a subset is one of $E^{(1)}$ , $E^{(2)}$ , $E^{(3)}_{i,i^{\prime}}$ and $E^{(4)}_{q}$ for $i\neq i^{\prime}\in\mathbb{Z}/9\mathbb{Z}$ and $q\in\{0,1,2\}$ defined below:

$\displaystyle E^{(1)}$	$\displaystyle:=\{e^{\left<\gamma\right>}_{i}\|i\in\mathbb{Z}/9\mathbb{Z},\quad\gamma\in\{2,3,4\}\}$	(44)
$\displaystyle E^{(2)}$	$\displaystyle:=\{e^{\left<\gamma\right>}_{i}\|i\in\mathbb{Z}/9\mathbb{Z},\quad\gamma\in\{0,1,2\}\}$	(45)
$\displaystyle E^{(3)}_{i^{\prime},i^{\prime\prime}}$	$\displaystyle:=\left\{e^{\left<\gamma\right>}_{i}\left\|\begin{array}[]{l}\;(i=i^{\prime},\gamma\in\{0,1\})\\ \lor(i\in\{i^{\prime}+1,i^{\prime}+2,\cdots,i^{\prime\prime}-1\},\\ \quad\quad\gamma=2)\\ \lor(i=i^{\prime\prime},\gamma\in\{3,4\})\\ \lor(i\in\{i^{\prime\prime}+1,i^{\prime\prime}+2,\cdots,i^{\prime}+4\},\\ \quad\quad\gamma\in\{0,1,2,3,4\})\\ \lor(i\in\{i^{\prime}+5,i^{\prime}+6,\cdots,i^{\prime\prime}+4\},\\ \quad\quad\gamma\in\{0,1,2\})\\ \lor(i\in\{i^{\prime\prime}+5,i^{\prime\prime}+6,\cdots,i^{\prime}+8\},\\ \quad\quad\gamma\in\{0,1,2,3,4\})\end{array}\right.\right\}$	(56)
$\displaystyle E^{(3)}_{i^{\prime\prime},i^{\prime}}$	$\displaystyle:=\left\{e^{\left<\gamma\right>}_{i}\left\|\begin{array}[]{l}\;(i=i^{\prime},\gamma\in\{3,4\})\\ \lor(i\in\{i^{\prime}+1,i^{\prime}+2,\cdots,i^{\prime\prime}-1\},\\ \quad\quad\gamma\in\{0,1,2,3,4\})\\ \lor(i=i^{\prime\prime},\gamma\in\{0,1\})\\ \lor(i\in\{i^{\prime\prime}+1,i^{\prime\prime}+2,\cdots,j^{\prime}+4\},\\ \quad\quad\gamma=2)\\ \lor(i\in\{i^{\prime}+5,i^{\prime}+6,\cdots,i^{\prime\prime}+4\},\\ \quad\quad\gamma\in\{2,3,4\})\\ \lor(i\in\{i^{\prime\prime}+5,i^{\prime\prime}+6,\cdots,i^{\prime}+8\},\\ \quad\quad\gamma=2)\end{array}\right.\right\}$	(67)
$\displaystyle E^{(4)}_{q}$	$\displaystyle:=\left\{e^{\left<\gamma\right>}_{i}\left\|\begin{array}[]{cll}&(\makebox[45.52458pt]{$i\equiv q$}\;{\rm mod}\>3,\;\gamma\in\{0,1\})\\ \land&(\makebox[45.52458pt]{$i\equiv q+1$}\;{\rm mod}\>3,\;\gamma\in\{2,3,4\})\\ \land&(\makebox[45.52458pt]{$i\equiv q+2$}\;{\rm mod}\>3,\;\gamma\in\{3,4\})\end{array}\right.\right\}$	(71)

where $i^{\prime\prime}\in\{i^{\prime}+1,i^{\prime}+2,i^{\prime}+3,i^{\prime}+4\}\subset\mathbb{Z}/9\mathbb{Z}$ . We can straightforwardly check that all the subsets satisfy the last three items 2), 3), and 4) directly. For any sequence $\{\gamma_{j}\in\{0,1,2,3,4\}\}_{j\in\mathbb{Z}/9\mathbb{Z}}$ , we can find that one of the above subsets satisfies the item 1’) as well. We confirmed this fact by a brute force search using a computer. This completes the first step of the proof.

For the second step, for any given order $\prec$ defined from a secure protocol $L_{0}$ , we will derive a contradiction from the assumptions that conditions C1 and C2 hold and that there exists $E^{\prime}$ which satisfies the four items 1), 2), 3), and 4). We pick up the smallest edge $e^{\left<\gamma_{m}\right>}_{i_{m}}$ in $E_{0}^{\rm st}\backslash E^{\prime}$ . Existence of it guaranteed from the item 2). From the first item 1) and Lemma 9, there is a node $e^{\left<\gamma^{\prime}\right>}_{i_{m}}\in E^{\prime}$ such that $|\gamma^{\prime}-\gamma_{m}|=1$ .

When $\gamma^{\prime},\gamma_{m}\in\{0,1\}$ , we will give a contradiction, as an example. The third item 3) enforces

\displaystyle e^{\left<1\right>}_{i_{m}+8},e^{\left<2\right>}_{i_{m}+8}\in E_{0}^{\rm st}\backslash E^{\prime}.

(72)

From this relation and the minimality of $e^{\left<\gamma_{m}\right>}_{i_{m}}$ in $E_{0}^{\rm st}\backslash E^{\prime}$ , the order $e^{\left<\gamma^{\prime}\right>}_{i_{m}}\prec e^{\left<\gamma_{m}\right>}_{i_{m}}\prec e^{\left<1\right>}_{i_{m}+8},e^{\left<2\right>}_{i_{m}+8}$ must hold. From this order, C1 enforces us that $e^{\left<1\right>}_{i_{m}+8}$ or $e^{\left<2\right>}_{i_{m}+8}$ must be a smallest edges in the standard path $i_{m}+8$ . Here, we have use the facts that $e^{\left<\gamma^{\prime}\right>}_{i_{m}}=e^{\left(\gamma^{\prime}+2\right)}_{1,i_{m}+8}$ , $e^{\left<\gamma_{m}\right>}_{i_{m}}=e^{\left(\gamma_{m}+2\right)}_{1,i_{m}+8}$ , $e^{\left<1\right>}_{i_{m}+8}=e^{\left(0\right)}_{1,i_{m}+8}$ , and $e^{\left<2\right>}_{i_{m}+8}=e^{\left(1\right)}_{1,i_{m}+8}$ . As a result, the item 1) enforces us that $e^{\left<1\right>}_{i_{m}+8}$ or $e^{\left<2\right>}_{i_{m}+8}$ must be in $E^{\prime}$ . However, this relation contradicts the relation (72).

In the same way, we can derive contradictions in the other cases, i.e. $\gamma^{\prime},\gamma_{m}\in\{1,2\}$ or $\gamma^{\prime},\gamma_{m}\in\{2,3\}$ or $\gamma^{\prime},\gamma_{m}\in\{3,4\}$ .

VI Summary and outlook

We investigated relations between the key relay protocol (KRP) and secure network coding (SNC) under the one-shot scenario, and also under the scenario where wiretap sets are restricted. We found that there is a definite gap in security between these two types of protocols; namely, certain KRPs achieve better security than any SNC schemes on the same graph. We also found that this gap can be closed by generalizing the notion of SNC by adding free public channels; that is the KRP is equivalent to SNC augmented with free public channels.

There are still many open problems. For example, does the gap we found here persist even under the asymptotic case?

It is also interesting to figure out on what types of graphs the gap occurs. Our conjecture is that there is no gap on plane graphs, and also for the case where there is only one sender-receiver pair, though the rigorous proofs remain as future works.

Formal proof of Lemma 5

Proof.

We prove the lemma by using a little bit modified protocol $L_{\rm KRP}^{\rm m}$ , such that $L_{\rm KRP}$ being secure is equivalent to $L_{\rm KRP}^{\rm m}$ being secure.

$L_{\rm KRP}^{\rm m}$ is obtained by the following three process. First, when a public message made at any node in $L_{\rm KRP}$ can be expressed as a linear combination of the other public messages $p_{x}$ and the local keys $r_{y}$ held by the node, i.e. $\bigoplus_{x}p_{x}\oplus\bigoplus_{y}r_{y}$ , the corresponding message made at the node in $L_{\rm KRP}^{\rm m}$ is a linear combination of the local keys $r_{y}$ only, i.e. the parity of them $\bigoplus_{y}r_{y}$ . Second, all the public communications in $L_{\rm KRP}^{\rm m}$ are used only for sending the parities to all users. Finally, as relayed keys, the users evaluate the same values as for $L_{\rm KRP}$ .

From this relation, we know that any bit obtained by the adversary in the case of $L_{\rm KRP}^{\rm m}$ can be evaluated by the adversary in the case of $L_{\rm KRP}$ , and vice versa. This is why $L_{\rm KRP}$ being secure is equivalent to $L_{\rm KRP}^{\rm m}$ being secure.

Self-contained definition of $L_{\rm KRP}^{\rm m}$ is as follows: $L_{\rm KRP}^{\rm m}$ is the protocol in which the following four phases are implemented in sequence.

•

Local key generation phase: All channels $LKS_{e}$ are used to generate local keys.
•

Parity evaluation phase: Each node evaluates parities of (part of) local keys held by the node.
•

Public communication phase: Evaluated parities are transferred from each node to users via public communications.
•

Relayed key generation phase: Each user generates the relayed key from received local keys and the parities.

Parity evaluation phase and Relayed key generation phase is explicitly identified by the following definitions:

•

All the parities each nodes evaluate: In each sub-graph $G_{s,i}^{\rm bn}$ , all the parities each nodes $v^{(\alpha)}$ evaluate are

$\displaystyle v^{(0)}:$	$\displaystyle p[v^{(0)},1]$	$\displaystyle:=r[e^{(0)}]\oplus r[e^{(4)}]$	(73)
	$\displaystyle p[v^{(0)},2]$	$\displaystyle:=r[e^{(4)}]\oplus r[e^{(6)}]$	(74)
$\displaystyle v^{(1)}:$	$\displaystyle p[v^{(1)}]$	$\displaystyle:=r[e^{(8)}]\oplus r[e^{(10)}]\oplus r[e^{(1)}]$	(75)
$\displaystyle v^{(2)}:$	$\displaystyle p[v^{(2)},1]$	$\displaystyle:=r[e^{(5)}]\oplus r[e^{(8)}]$	(76)
	$\displaystyle p[v^{(2)},2]$	$\displaystyle:=r[e^{(2)}]\oplus r[e^{(5)}]$	(77)
$\displaystyle v^{(3)}:$	$\displaystyle p[v^{(3)}]$	$\displaystyle:=r[e^{(6)}]\oplus r[e^{(9)}]\oplus r[e^{(3)}]$	(78)
$\displaystyle v^{(4)}:$	$\displaystyle p[v^{(4)}]$	$\displaystyle:=r[e^{(4)}]\oplus r[e^{(5)}]\oplus r[e^{(7)}]$	(79)
$\displaystyle v^{(5)}:$	$\displaystyle p[v^{(5)},1]$	$\displaystyle:=r[e^{(7)}]\oplus r[e^{(10)}]$	(80)
	$\displaystyle p[v^{(5)},2]$	$\displaystyle:=r[e^{(7)}]\oplus r[e^{(9)}].$	(81)

In order to simplify the next expression, we introduce notations:

$\displaystyle p_{s,i}^{(0)}$	$\displaystyle:=p[v^{(0)},1]\oplus p[v^{(4)}]\oplus p[v^{(2)},1]$
	$\displaystyle\quad\quad\oplus p[v^{(5)},1],\oplus p[v^{(1)}]$	(82)
$\displaystyle p_{s,i}^{(1)}$	$\displaystyle:=p[v^{(2)},2]\oplus p[v^{(4)}]\oplus p[v^{(0)},2]$
	$\displaystyle\quad\quad\oplus p[v^{(5)},2]\oplus p[v^{(3)}]$	(83)

•

The function which gives the relayed keys: The relayed keys generated by $u_{i}^{1}$ and $u_{i}^{2}$ are

	$\displaystyle k_{i}^{1}$	$\displaystyle:=r[e_{1,i+8}^{(2)}]$		(84)
	$\displaystyle k_{i}^{2}$	$\displaystyle:=p_{2,2i}^{(1)}\oplus p_{1,i+8}^{(1)}\oplus p_{1,i}^{(0)}\oplus p_{2,2i+1}^{(0)}\oplus r[e_{2,2i+1}^{(1)}]$		(85)

for $i\in\mathbb{Z}/9\mathbb{Z}$ .

From the definitions (73), $\dots$ ,(• ‣ Proof.),

	$\displaystyle p_{s,i}^{(0)}$	$\displaystyle=r[e^{(0)}_{s,i}]\oplus r[e_{s,i}^{(1)}]$		(86)
	$\displaystyle p_{s,i}^{(1)}$	$\displaystyle=r[e^{(2)}_{s,i}]\oplus r[e^{(3)}_{s,i}]$		(87)

is obtained for each sub-graph $G_{s,i}^{\rm bn}$ . Here, we have used the fact that $r\oplus r=0$ for $r\in\{0,1\}$ . By using the relations (86) and (87), the relayed keys (84) and (85) are evaluated as

\displaystyle k_{i}^{1}=k_{i}^{2}=r[e_{1,i+8}^{(2)}].

(88)

This relation implies the soundness of $L_{\rm KRP}$ . Since the generated relayed keys are part of the local keys, and the public information is linear combinations of the local keys, the secrecy can be checked from the fact that the relayed keys are linearly independent of all the published information. ∎

Proof of Lemma11

From the assumption (24)

\displaystyle I(B,C_{0};B,C_{1})\geq I(A;B,C_{1})\geq I(A;A)=H(A).

(89)

This relatoin and the assumption (25), guarantee that

	$\displaystyle I(B,C_{0};B,C_{1})$	$\displaystyle=I(A;B,C_{1}),$		(90)
	$\displaystyle H(A)$	$\displaystyle=H(B)$		(91)

The first relation and the assumption (24) imply

		$\displaystyle P(A=a)P(A=a,B=b,C_{0}=c_{0},C_{1}=c_{1})$
	$\displaystyle=$	$\displaystyle P(A=a,B=b,C_{0}=c_{0})P(A=a,B=b,C_{1}=c_{1})$		(92)

for any $a,b,c_{0},c_{1}$ . Here we have used the fact that, if $I(Z;Y)=I(X;Y)$ for $Z:=f(X)$ , the relation $\forall x,y,z,\;P(X=x,Y=y,Z=z)P(Z=z)=P(X=x,Z=z)P(Y=y,Z=z)$ holds. By summing up with respect to $c_{1}$ , the relation becomes

		$\displaystyle P(A=a,B=b,C_{0}=c_{0})P(A=a)$
	$\displaystyle=$	$\displaystyle P(A=a,B=b,C_{0}=c_{0})P(A=a,B=b).$		(93)

Since $A=f_{0}(B,C_{0})$ , we can define functions $h_{0}$ , and $h_{1}$ such that $a=f_{0}(h_{0}(a),h_{1}(a))$ and $P(A=a,B=h_{0}(a),C_{0}=h_{1}(a))\neq 0$ hold, if $P(A=a)\neq 0$ . Using these functions, by substitute $h_{0}(a)$ and $h_{1}(a)$ into $b$ and $c_{0}$ respectively in the above relation,

\displaystyle P(A=a)=P(A=a,B=h_{0}(a)).

(94)

is obtained. This relation guarantees the following relation

	$\displaystyle\sum_{a,b}P(A=a,B=b)\delta(b,h_{0}(a))$
	$\displaystyle=\sum_{a}P(A=a,B=h_{0}(a))$
	$\displaystyle=\sum_{a}P(A=a)=1.$		(95)

i.e. $h_{0}(A)=B$ . Therefore,

\displaystyle I(A;B)=H(B)=H(A)

(96)

holds where the eq.(91) is used in the second equality. As a result, there is a function $h_{2}$ such that $h_{2}(B)=A$ . The last assumption, i.e. the number of candidates for $A$ is equal to that for $B$ , and the existence of the functions $h_{0}$ and $h_{2}$ guarantee the existence of the bijective function $g$ such that $g(A)=B$ .

Acknowledgment

G.K. was supported in part by JSPS Kakenhi (C) No. 20K03779 and 21K03388. M.F. and T.T. were supported in part by “ICT Priority Technology Research and Development Project” (JPMI00316) of the Ministry of Internal Affairs and Communications, Japan.

References

[1] L. Salvail, M. Peev, E. Diamanti, R. Allèaume, N. Lütkenhaus, and T. Länger, “Security of trusted repeater quantum key distribution networks,” Journal of Computer Security, vol. 18, pp. 61–87, Jan 2010.
[2] R. Alléaume, C. Branciard, J. Bouda, T. Debuisschert, M. Dianati, N. Gisin, M. Godfrey, P. Grangier, T. Länger, N. Lütkenhaus, C. Monyk, P. Painchault, M. Peev, A. Poppe, T. Pornin, J. Rarity, R. Renner, G. Ribordy, M. Riguidel, L. Salvail, A. Shields, H. Weinfurter, and A. Zeilinger, “Using quantum key distribution for cryptographic purposes: A survey,” Theoretical Computer Science, vol. 560, pp. 62–81, 2014, theoretical Aspects of Quantum Cryptography – celebrating 30 years of BB84. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0304397514006963
[3] T. R. Beals and B. C. Sanders, “Distributed relay protocol for probabilistic information-theoretic security in a randomly-compromised network,” in Information Theoretic Security, R. Safavi-Naini, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 29–39.
[4] ITU-T, “Overview on networks supporting quantum key distribution,” International Telecommunication Union, Geneva, Recommendation Y.3800, Oct. 2019.
[5] N. Cai and R. Yeung, “Secure network coding,” in Proceedings IEEE International Symposium on Information Theory,, 2002, pp. 323–.
[6] T. Cui, T. Ho, and J. Kliewer, “On secure network coding with unequal link capacities and restricted wiretapping sets,” in 2010 IEEE Information Theory Workshop, 2010, pp. 1–5.
[7] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys., vol. 74, pp. 145–195, Mar 2002. [Online]. Available: https://link.aps.org/doi/10.1103/RevModPhys.74.145
[8] F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, “Secure quantum key distribution with realistic devices,” Rev. Mod. Phys., vol. 92, p. 025002, May 2020. [Online]. Available: https://link.aps.org/doi/10.1103/RevModPhys.92.025002
[9] J. Katz and Y. Lindell, Introduction to Modern Cryptography, Third Edition, 3rd ed. Chapman & Hall/CRC, 2020.
[10] M. N. Wegman and J. Carter, “New hash functions and their use in authentication and set equality,” Journal of Computer and System Sciences, vol. 22, no. 3, pp. 265 – 279, 1981. [Online]. Available: http://www.sciencedirect.com/science/article/pii/0022000081900337
[11] M. Hayashi, M. Owari, G. Kato, and N. Cai, “Reduction theorem for secrecy over linear network code for active attacks,” entropy, vol. 22, p. 1053, 2020.
[12] T. Ho and D. Lun, Network Coding: An Introduction. Cambridge University Press, 2008.

Go Kato was born in Japan, in 1976. He received the M.S. and Ph.D. degrees in science from The University of Tokyo in 2001 and 2004, respectively. In 2004, he joined the NTT Communication Science Laboratories and has been engaged in the theoretical investigation of quantum information. He is especially interested in mathematical structures emerging in the field of quantum information. He is a member of the Physical Society of Japan.

Mikio Fujiwara received the B.S. and M.S. degrees in electrical engineering and the Ph.D. degree in physics from Nagoya University, Nagoya, Japan, in 1990, 1992, and 2002, respectively. He has been involved R&D activities at NICT (previous name CRL, Ministry of Posts and Telecommunications of Japan) since 1992.

Toyohiro Tsurumaru was born in Japan in 1973. He received the B.S. degree from the Faculty of Science, University of Tokyo, Japan in 1996, and M.S. and Ph.D. degrees in physics from the Graduate School of Science, University of Tokyo, Japan in 1998 and 2001, respectively. Then he joined Mitsubishi Electric Corporation in 2001. His research interests include theoretical aspects of quantum cryptography and of modern cryptography.

Advantage of the key relay protocol over secure network coding

Abstract

I Introduction

II Key relay protocol (KRP)

II-A Motivation and examples of the KRP

II-B Formal definition of the KRP

II-B1 Setting

Definition 1 (Local key sources and public channels).

II-B2 Key relay protocol

Definition 2.

II-B3 Security criteria

Definition 3 (Security of the KRP).

II-C Notes on KRPs used in practical QKD networks

II-C1 Edge adversary model vs. node adversary model

II-C2 Passive adversary vs active adversary

How to work around the problem with soundness

Countermeasure against problem with secrecy

Lemma 1.

III Main results: Relation between the KRP and secure network coding (SNC)

III-A Definition of SNC with public channels

III-A1 Setting

Definition 4 (Secret channels).

III-A2 SNC with public channels

Definition 5 (SNC with public channels).

III-A3 Security criteria

Definition 6 (Security of SNC with public channels).

III-B SNC with public channels and the KRP are equivalent

Theorem 1 (The security of KRP == The security of SNC with public channels).

III-C SNC without public channels and the KRP are not equivalent

Theorem 2 (The security of KRP ≠\neq The security of SNC without public channels (conventional SNC)).

Corollary 1 (The security of SNC with public channels ≠\neq The security of SNC without public channels (conventional SNC)).

IV Proof of Theorem 1

V Proof of Theorem 2

V-A Definition of KRP-by-SNC

V-A1 Setting

V-A2 KRP-by-SNC

Definition 7 (KRP-by-SNC).

V-A3 Security criteria of KRP-by-SNC

V-B Proof of Theorem 2

Lemma 2 (Secure conventional SNC ⊆\subseteq Secure KRP-by-SNC).

Proof.

Lemma 3 (Secure KRP-by-SNC ⊆\subseteq Secure KRP).

Proof.

Lemma 4 (Secure KRP-by-SNC ≠\neq Secure KRP).

V-C Notation

V-D Description of the graph G0G_{0} and the user configuration uiu_{i}

V-D1 Description using figures

V-D2 Alternative description using equations

V-D3 Notation related with Gs,ibnG^{\rm bn}_{s,i}

V-E KRP LKRPL_{\rm KRP} compatible with G0G_{0} and uiu_{i}

V-E1 Construction of LKRPL_{\rm KRP}

First step

Second step

V-E2 Security of LKRPL_{\rm KRP}

Lemma 5 (Security of LKRPL_{\rm KRP}).

Proof.

V-F Proof that there exists no secure KRP-by-SNC compatible with G0G_{0} and uiu_{i}

Definition 8 (Total order ≺\prec of edges).

Lemma 6.

Lemma 7.

Proof of Lemma 7.

V-G Proof of Lemma 6

V-G1 Standard path and the related lemmas

Definition 9 (Standard path ei⟨γ⟩e_{i}^{\left<\gamma\right>}).

Lemma 8.

Lemma 9.

Lemma 10.

V-G2 Proof of Lemma 6

V-H Note on notation: vs,iv_{s,i} and E0stE_{0}^{\rm st}

V-I Proof of Lemma 8

V-I1 Case of ei⟨0⟩e_{i}^{\left<0\right>}

Lemma 11.

V-I2 Case of ei⟨4⟩e_{i}^{\left<4\right>}

V-I3 Cases of ei⟨1⟩e_{i}^{\left<1\right>}, ei⟨2⟩e_{i}^{\left<2\right>}, and ei⟨3⟩e_{i}^{\left<3\right>}

V-J Proof of Lemma 9

V-K Proof of Lemma 10

VI Summary and outlook

Formal proof of Lemma 5

Proof.

Proof of Lemma11

Theorem 1 (The security of KRP $=$ The security of SNC with public channels).

Theorem 2 (The security of KRP $\neq$ The security of SNC without public channels (conventional SNC)).

Corollary 1 (The security of SNC with public channels $\neq$ The security of SNC without public channels (conventional SNC)).

Lemma 2 (Secure conventional SNC $\subseteq$ Secure KRP-by-SNC).

Lemma 3 (Secure KRP-by-SNC $\subseteq$ Secure KRP).

Lemma 4 (Secure KRP-by-SNC $\neq$ Secure KRP).

V-D Description of the graph $G_{0}$ and the user configuration $u_{i}$

V-D3 Notation related with $G^{\rm bn}_{s,i}$

V-E KRP $L_{\rm KRP}$ compatible with $G_{0}$ and $u_{i}$

V-E1 Construction of $L_{\rm KRP}$

V-E2 Security of $L_{\rm KRP}$

Lemma 5 (Security of $L_{\rm KRP}$ ).

V-F Proof that there exists no secure KRP-by-SNC compatible with $G_{0}$ and $u_{i}$

Definition 8 (Total order $\prec$ of edges).

Definition 9 (Standard path $e_{i}^{\left<\gamma\right>}$ ).

V-H Note on notation: $v_{s,i}$ and $E_{0}^{\rm st}$

V-I1 Case of $e_{i}^{\left<0\right>}$

V-I2 Case of $e_{i}^{\left<4\right>}$

V-I3 Cases of $e_{i}^{\left<1\right>}$ , $e_{i}^{\left<2\right>}$ , and $e_{i}^{\left<3\right>}$