Multi-Entity and Multi-Enrollment Key Agreement with Correlated Noise

Onur Günlü Manuscript received April 30, 2020; revised August 19, 2020 and September 15, 2020; accepted September 23, 2020. O. Günlü is supported by the German Federal Ministry of Education and Research (BMBF) within the national initiative for “Post Shannon Communication (NewCom)” under the Grant 16KIS1004. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Matthieu Bloch.O. Günlü is with the Information Theory and Applications Chair, Technische Universität Berlin, 10623 Berlin, Germany (e-mail: [email protected]).

Abstract

A basic model for key agreement with a remote (or hidden) source is extended to a multi-user model with joint secrecy and privacy constraints over all entities that do not trust each other after key agreement. Multiple entities using different measurements of the same source through broadcast channels (BCs) to agree on mutually-independent local secret keys are considered. Our model is the proper multi-user extension of the basic model since the encoder and decoder pairs are not assumed to trust other pairs after key agreement, unlike assumed in the literature. Strong secrecy constraints imposed on all secret keys jointly, which is more stringent than separate secrecy leakage constraints for each secret key considered in the literature, are satisfied. Inner bounds for maximum key rate, and minimum privacy-leakage and database-storage rates are proposed for any finite number of entities. Inner and outer bounds for degraded and less-noisy BCs are given to illustrate cases with strong privacy. A multi-enrollment model that is used for common physical unclonable functions is also considered to establish inner and outer bounds for key-leakage-storage regions that differ only in the Markov chains imposed. For this special case, the encoder and decoder measurement channels have the same channel transition matrix and secrecy leakage is measured for each secret key separately. We illustrate cases for which it is useful to have multiple enrollments as compared to a single enrollment and vice versa.

Index Terms:

Information theoretic privacy, multiple enrollments, multiple entities, physical unclonable functions.

I Introduction

A natural source of randomness is biometric identifiers such as fingerprints that are generally transformed into a frequency domain and quantized to obtain bit sequences that are unique to an individual [1]. Similarly, physical identifiers such as fine variations of ring oscillator (RO) outputs or random start-up values of static random access memories (SRAMs) that are caused by uncontrollable manufacturing variations, are safer and cheaper alternatives to key storage in a non-volatile memory [2]. Physical identifiers for digital devices such as Internet-of-Things (IoT) devices can be implemented using physical unclonable functions (PUFs) [2]. One can use PUFs in various coding schemes as a source of local randomness [3, Chapter 1], e.g., in the randomized encoder of the wiretap channel [4] and of the strong coordination problem [5, 6].

We use the basic source model for key agreement from [7, 8] to find achievable rate regions for key agreement with PUFs and biometric identifiers. In this classic model, an encoder observes a source output to generate a secret key and sends public side information, i.e., helper data, to a decoder, so the decoder can reliably reconstruct the same secret key by observing another source output and the helper data. The main constraints are that the information leaked about the secret key, i.e., secrecy leakage, is negligible and the information leaked about the identifier output, i.e., privacy leakage, is small [9, 10]. Furthermore, the amount of public storage should also be minimized to limit the hardware cost [11].

Suppose the encoder generates a key from a noisy measurement of a hidden (or remote) source output, and a decoder has access to another noisy measurement of the same source and the helper data to reconstruct the same key. We call this model the generated-secret (GS) model with a hidden source. This model is introduced in [12] as an extension of the visible (noiseless) source outputs observed by the encoder, considered in [9, 10]. Similarly, for the chosen-secret (CS) model, an embedded (or chosen) key and noisy identifier measurements are combined by the encoder to generate the public helper data. We consider both models to address different applications.

I-A Related Work and Motivation

The same identifier is used by multiple encoder and decoder pairs in [13], where the identifier outputs observed by different encoders are the same because the encoder measurements are assumed to be noiseless. Therefore, the multiple use of the same noiseless source output allows all encoders to know the secret key of the other encoders. This model does not fit well to the practical key agreement with identifier scenarios because there is noise in every identifier measurement.

Multiple enrollments of a hidden source using noisy measurements are considered in [14], where weakly secure secret keys are generated without privacy leakage and storage constraints. Furthermore, there is a causality assumption in [14] on the availability of the helper data, i.e., any decoder has access to all previously-generated helper data. This assumption is not necessarily realistic as a decoder of, e.g., an IoT device that embodies a PUF should be low complexity and the amount of data to process increases linearly with the number of enrollments. In addition, any manipulation in any of the helper data can cause the complete multi-enrollment system to fail.

A classic method used for key agreement, i.e., the fuzzy commitment scheme (FCS) [15], is used in [16] in combination with an SRAM PUF to enroll the noisy outputs of the same SRAM multiple times. The symmetry condition in [16, Eq. (16)] conditioned on a fixed SRAM cell state is entirely similar to the symmetry satisfied by binary-input symmetric output (BISO) channels; see e.g., [17, p. 613], [12, Eq. (14)]. For SRAM outputs that satisfy this symmetry, the normalized (weak) secrecy leakage about each separate secret key is shown to be zero. It is discussed in [18, Section 3.4] that any uniformly-distributed hidden identifier output with BISO measurement channels satisfies the results in [16]. In [18, Theorem 1] the secret-key capacity of the two-enrollment key agreement problem is established for measurement channels with the same channel transition matrix. However, these multi-enrollment models do not consider the privacy leakage and storage constraints, there is no constraint on the independence of the secret keys of different enrollments, and the secrecy leakage constraint is weak and is not applied jointly on all secret keys. Furthermore, optimal random linear code constructions that achieve the boundaries of the key-leakage-storage regions are given in [19], where the classic code constructions FCS and code-offset fuzzy extractors [20] are shown to be strictly suboptimal. Therefore, the multi-enrollment models and constructions in the literature are strictly suboptimal and not necessarily realistic. We therefore list stronger secrecy constraints jointly on all entities, which approximates the reality better in combination with storage rate and joint privacy-leakage rate constraints. These constraints define the multi-entity key agreement problem, where the entities that use the same identifier do not have to trust other entities after key agreement. Therefore, the multi-entity key agreement problem is a proper multi-user extension of single-enrollment models. We first consider the multi-entity key agreement problem and then analyze a special case of the multi-enrollment key agreement problem to illustrate scenarios for which a single enrollment can be more useful than multiple enrollments and vice versa.

Every measurement of an identifier is considered to be noisy due to, e.g., local temperature and voltage changes in the hardware of the PUF circuit or a cut on the finger. Noise components at the encoder and decoder measurements of a hidden source can be also correlated due to, e.g., the surrounding logic in the hardware [21] or constant fingertip moisture. This correlation between the noise sequences is modeled in [22] as a broadcast channel (BC) [23] with an input that is the hidden source output and with outputs that are the noisy encoder and decoder measurements. We use this model for multi-entity key agreement with identifiers, where each entity (i.e., each encoder and decoder pair) observes noisy identifier outputs of the same hidden source through different BCs. For the multi-entity key agreement problem, we allow the BCs to be different as honest entities generally use different hardware implementations of the encoder and decoder pairs, which results in different correlations between noise components.

We also consider physically-degraded (PD) and less-noisy (LN) BCs to give finer inner and outer bounds to the key-leakage-storage regions for the GS and CS models of the multi-entity key agreement problem. For the considered PD and LN BCs, we prove that strong privacy can be achieved. In [9, 10, 24], an extra common randomness that is available to the encoder and decoder and that is hidden from the eavesdropper is required to obtain strong privacy. This assumption is not realistic since such a common randomness requires hardware protection against invasive attacks, and if such a protection is feasible, then it is not necessary to use an identifier for key agreement.

I-B Models for Identifier Outputs

We study physical and biometric identifier outputs that are independent and identically distributed (i.i.d.) according to a given probability distribution. These models are reasonable if one uses transform-coding algorithms from [25] that occupy a small hardware area to extract almost i.i.d. bits from PUFs under varying environmental conditions. Similar transform-coding based algorithms have been applied to biometric identifiers to obtain independent output symbols [26]. These transform-coding algorithms provide almost i.i.d. identifier outputs and noise sequences; however, the correlation between the noise components on the encoder and decoder components are not removed using these methods. Furthermore, PUFs are used for on-demand key reconstruction and physical attacks on PUFs permanently change the identifier outputs [27], so we assume that the eavesdropper cannot obtain information correlated with the PUF outputs, unlike biometric identifiers.

I-C Summary of Contributions

We extend the key-leakage-storage rate tuple analysis of the single-enrollment model for hidden identifier outputs measured through general BCs in [22] to consider multi-entity and multi-enrollment key agreement with a set of stringent secrecy constraints. A summary of the main contributions is as follows.

•

We derive achievable key-leakage-storage rate tuples for the GS model with strong secrecy for any finite number of entities using the same identifier’s measurements through different BCs for key agreement. Separate identifier measurements considered in [28, 12] correspond to a PD BC and the visible source model in [9, 10] corresponds to a semi-deterministic BC.
•

For a set of PD and LN BCs, the privacy-leakage rates for the two-entity key agreement problem are calculated. These PD and LN BCs are shown to provide strong privacy without the need of a common randomness. An outer bound is given for the considered PD and LN BCs.
•

We next consider a special case of the multi-enrollment key agreement problem, where all measurement channels are separate (i.e., PD BCs) and they have the same transition matrix. This is a common model used for SRAM PUFs. Using a less stringent secrecy leakage constraint that bounds the information leakage for each secret key separately and without the mutual independence constraint on the secret keys, we establish inner and outer bounds for the strong-secrecy key-leakage-storage region for this two-enrollment key agreement problem. The bounds differ only in the Markov chains imposed. This result is a significant improvement to the two-enrollment secret-key rate region (without storage and privacy-leakage rate constraints) established in [18] for weak secrecy, which is recovered by eliminating auxiliary random variables in the proposed rate regions.
•

All inner and outer bounds for the GS model are extended to the CS model, which comprises secret-key binding methods that embed a chosen secret key to the encoder.
•

We give two scenarios to compare single-enrollment and two-enrollment models and illustrate that for different assumptions on measurement channels, either of the two models can perform better in terms of the privacy-leakage vs. secret-key rate boundary tuples.

I-D Organization

This paper is organized as follows. In Section II, we describe the multi-entity key agreement problem with BC measurements. We give achievable key-leakage-storage regions for the GS and CS models with strong secrecy and BC measurements for any finite number of entities in Section III in addition to inner and outer bounds for PD and LN BCs that satisfy strong privacy. The proposed inner bounds for the two-enrollment key agreement problem in Section IV are shown to differ from the outer bounds only in the Markov chains imposed for a special case with less stringent secrecy constraints. In Sections V and VI, proofs of the given rate regions for the general multi-entity key agremeent problem and for the two-enrollment key agreement problem, respectively, are given. Section VII concludes the paper.

I-E Notation

Upper case letters represent random variables and lower case letters their realizations. A superscript denotes a string of variables, e.g., $\displaystyle X^{n}\!=\!X_{1},X_{2},\ldots,X_{i},\ldots,X_{n}$ , and a subscript $i$ denotes the position of a variable in a string. A random variable $\displaystyle X$ has probability distribution $\displaystyle P_{X}$ . Calligraphic letters such as $\displaystyle\mathcal{X}$ denote sets, set sizes are written as $\displaystyle|\mathcal{X}|$ and their complements as $\displaystyle\mathcal{X}^{c}$ . $[1:J]$ denotes the set $\{1,2,\ldots,J\}$ for an integer $J\geq 1$ and $[1:J]\setminus\{j\}$ denotes the set $\{1,2,,\ldots,j-1,j+1,\ldots,J\}$ for any $j\in[1:J]$ . $H_{b}(x)=-x\log x-(1-x)\log(1-x)$ is the binary entropy function, where we take logarithms to the base $2$ , and $H_{b}^{-1}(\cdot)$ denotes its inverse with range $[0,0.5]$ . $X\sim\text{Bern}(\alpha)$ is a binary random variable with $\Pr[X=1]=\alpha$ . A binary symmetric channel (BSC) with crossover probability $p$ is denoted by BSC( $p$ ). $Q(\cdot)$ is the $Q$ -function that gives the tail probability for the standard normal distribution.

II Multi-Entity Key Agreement Model

Consider hidden identifier outputs $X^{n}$ that are i.i.d. according to a probability distribution $P_{X}$ . The hidden (or remote) source with outputs $X^{n}$ is common to all honest entities that enroll the same identifier, but they observe different noisy measurements of the same hidden source. If there are a finite number $J$ of honest entities that use the same identifer, the $j$ -th encoder and decoder pair observes noisy source measurements that are outputs of a BC $P_{\widetilde{X}_{j}Y_{j}|X}$ , with abuse of notation, for all $j\in[1:J]$ , where $\mathcal{\widetilde{X}}_{j}$ , $\mathcal{Y}_{j}$ , and $\mathcal{X}$ are finite sets.

Figure 1: Illustration of the multi-entity key agremeent problem for

J=2

entities with encoder and decoder measurements through BCs for

(a)

the GS model and

(b)

the CS model.

For the GS model illustrated in Fig. 1 $(a)$ for $J=2$ honest entities, the $j$ -th encoder $f_{\text{GS},j}(\cdot)$ generates helper data $W_{j}$ and a secret key $S_{j}$ from its observed sequence $\widetilde{X}^{n}_{j}$ . All secret keys are stored in a secure database, whereas helper data are stored in a public database so that an eavesdropper has access only to the helper data. Using the helper data $W_{j}$ and its observed sequence $Y^{n}_{j}$ , the $j$ -th decoder $g_{j}(\cdot,\cdot)$ generates the key estimate $\hat{S}_{j}$ . Similar steps are applied for the CS model in Fig. 1 $(b)$ also for $J=2$ honest entities, except that each $S_{j}$ should be embedded into the $j$ -th encoder $f_{\text{CS},j}(\cdot,\cdot)$ .

Denote a set of secret keys as

\displaystyle\mathcal{S}_{\mathcal{K}}=\{S_{j}:j\in\mathcal{K}\}

(1)

and a set of helper data as

\displaystyle\mathcal{W}_{\mathcal{K}}=\{W_{j}:j\in\mathcal{K}\}

(2)

for any $\mathcal{K}\subseteq[1:J]$ . A (secret-key, privacy-leakage, storage), or key-leakage-storage, rate tuple is denoted as $(R_{\text{s}},R_{\ell},R_{\text{w}})$ . Similarly, we denote a set of secret-key rates, for any $\mathcal{K}\subseteq[1:J]$ , as

\displaystyle\mathcal{R}_{\text{s},\mathcal{K}}=\{R_{\text{s},j}:j\in\mathcal{K}\}

(3)

and a set of storage rates as

\displaystyle\mathcal{R}_{\text{w},\mathcal{K}}=\{R_{\text{w},j}:j\in\mathcal{K}\}.

(4)

We next define the multi-entity key-leakage-storage regions.

Definition 1.

A key-leakage-storage rate tuple $(\mathcal{R}_{\text{s},[1:J]},R_{\ell},\mathcal{R}_{\text{w},[1:J]})$ is achievable for the multi-entity GS and CS models with $j$ -th encoder and decoder measurements through a BC $P_{\widetilde{X}_{j}Y_{j}|X}$ if, given any $\delta\!>\!0$ , there is some $n\!\geq\!1$ , and $J$ encoder and decoder pairs for which $\displaystyle R_{\text{s},j}=\frac{\log|\mathcal{S}_{j}|}{n}$ for all $j\in[1:J]$ and

$\displaystyle\Pr\left[\underset{j\in[1:J]}{\bigcup}\{S_{j}\neq\hat{S}_{j}\}\right]\leq\delta$	(reliability)	(5)
$\displaystyle\frac{1}{n}H(S_{j})\geq R_{\text{s},j}-\delta,\quad\;\;\,\forall j\!\in\![1\!:\!J]$	(key uniformity)	(6)
$\displaystyle I\left(\mathcal{S}_{\mathcal{K}};\mathcal{S}_{\mathcal{K}^{c}}\right)\leq\delta,\qquad\;\;\;\;\;\forall\mathcal{K}\!\subseteq\![1\!:\!J]$	(strong key ind.)	(7)
$\displaystyle\frac{1}{n}I(X^{n};\mathcal{W}_{[1:J]})\!\leq\!R_{\ell}\!+\!\delta$	(privacy)	(8)
$\displaystyle I\left(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]}\right)\leq\delta$	(strong secrecy)	(9)
$\displaystyle\frac{1}{n}\log\|\mathcal{W}_{j}\|\leq R_{\text{w},j}\!+\!\delta,\quad\forall j\!\in\![1\!:\!J]$	$\displaystyle\quad\text{(storage)}.$	(10)

The multi-entity key-leakage-storage regions $\mathcal{C}_{\text{gs}}$ for the GS model and $\mathcal{C}_{\text{cs}}$ for the CS model are the closures of the set of all achievable rate tuples $(\mathcal{R}_{\text{s},[1:J]},R_{\ell},\mathcal{R}_{\text{w},[1:J]})$ .

Both secret-key uniformity (6) and storage rate (10) constraints correspond to $J$ separate constraints. However, reliability (5), strong and mutual key independence (7), privacy-leakage rate (8), and secrecy leakage (9) constraints are joint constraints for all $J$ honest entities. Suppose after a key generation, an honest entity has access only to its corresponding secret key and it does not have access to other entities’ keys or sequences or even to the sequence it observed to generate its secret key.

The mutual key independence constraint in (7) is not imposed in the multi-enrollment key agreement problem considered in [16]. Furthermore, a normalized (weak) version of this constraint is imposed in the multi-enrollment key agreement problem considered in [14], where the $j$ -th decoder $g_{j}(\cdot,\cdot)$ is assumed to have access to the set of helper data $\mathcal{W}_{[1:j]}$ for all $j\in[1:J]$ . The lack of the mutual key independence constraint and the assumption of availability of all previous helper data require that different encoder and decoder pairs should trust each other after key agreement. This can be the case, e.g., if all enrollments are made by the same entity. Therefore, the multi-entity key agreement problem imposes strictly more stringent constraints than the multi-enrollment key agreement problem.

The unnormalized secrecy leakage constraint (9) provides strong secrecy, which is a stronger notion than the weak secrecy considered in [9, 10, 12, 28, 16, 14]. Furthermore, (9) is more stringent than the set of individual secrecy leakage constraints $I(S_{j};\mathcal{W}_{[1:J]})$ imposed for all $j\in[1:J]$ , considered in [16] for symmetric SRAM PUF outputs in combination with the suboptimal FCS.

The unnormalized privacy leakage $I(X^{n};\mathcal{W}_{[1:J]})$ cannot be bounded by a finite number in general. We illustrate special strong privacy cases in the next section.

III Inner Bounds

We are interested in characterizing the optimal trade-off among the secret-key, privacy-leakage, and storage rates with strong secrecy for BC measurements at the encoders and decoders of any finite number $J$ of entities that use the same hidden identifier outputs for the multi-entity key agreement problem. We give achievable rate regions for the GS and CS models in Theorem 1. The proofs are given in Section V.

Denote

\displaystyle\mathcal{U}_{\mathcal{K}}=\{U_{j}:j\in\mathcal{K}\}

(11)

and define a function $\max\{\cdot,\cdot\}$ that gives the maximum of the input values as its output.

Theorem 1 (Inner Bounds for Multi-entity GS and CS Models).

An achievable rate region $\mathcal{R}_{\text{gs}}$ for the multi-entity GS model with $J$ entities is the union over all $P_{U_{j}|\widetilde{X}_{j}}$ for all $j\in[1:J]$ of the rate tuples such that $R_{\text{s},j}\geq 0$ for all $j\in[1:J]$ and

$\displaystyle R_{\text{s},j}\leq I(U_{j};Y_{j})-I(U_{j};U_{[1:J]\setminus\{j\}}),$	$\displaystyle\;\;\forall j\in[1:J]$	(12)
$\displaystyle R_{\ell}\geq\sum_{j=1}^{J}\max\{0,I(U_{j};X)\!-\!I(U_{j};Y_{j})\},$		(13)
$\displaystyle R_{\text{w},j}\!\geq\!I(U_{j};\widetilde{X}_{j})-I(U_{j};Y_{j}),$	$\displaystyle\;\;\forall j\in[1:J]$	(14)
$\displaystyle R_{\text{s},j}+R_{\text{w},j}\leq H(U_{j}\|\,\mathcal{U}_{[1:J]\setminus\{j\}}),$	$\displaystyle\;\;\forall j\in[1:J].$	(15)

An achievable rate region $\mathcal{R}_{\text{cs}}$ for the multi-entity CS model with $J$ entities is the union over all $P_{U_{j}|\widetilde{X}_{j}}$ for all $j\in[1:J]$ of the rate tuples such that $R_{\text{s},j}\geq 0$ for all $j\in[1:J]$ , (12), (13), and

	$\displaystyle R_{\text{w},j}\!\geq\!I(U_{j};\widetilde{X}_{j})-I(U_{j};U_{[1:J]\setminus\{j\}}),$	$\displaystyle\quad\forall j\in[1:J]$		(16)
	$\displaystyle R_{\text{w},j}\leq H(U_{j}\|\,\mathcal{U}_{[1:J]\setminus\{j\}}),$	$\displaystyle\quad\forall j\in[1:J].$		(17)

For the achievable rate regions $\mathcal{R}_{\text{gs}}$ and $\mathcal{R}_{\text{cs}}$ , we have

\displaystyle\displaystyle P_{\mathcal{U}_{[1:J]}\mathcal{\widetilde{X}}_{[1:J]}X\mathcal{Y}_{[1:J]}}=P_{X}\prod_{j=1}^{J}P_{U_{j}|\widetilde{X}_{j}}P_{\widetilde{X}_{j}Y_{j}|X}.

(18)

Corollary 1.

Suppose for all $j\in[1:J]$ that

•

$\widetilde{X}_{j}-Y_{j}-X$ form a Markov chain, i.e., $X$ is a PD version of $Y_{j}$ with respect to $\widetilde{X}_{j}$ , or
•

$P_{XY_{j}|\widetilde{X}_{j}}$ is a LN BC with $I(U_{j};Y_{j})\geq I(U_{j};X)$ for all $P_{U_{j}|\widetilde{X}_{j}}$ .

For these cases, strong privacy, i.e.,

\displaystyle R_{\ell}\geq 0

(19)

can be achieved for the multi-entity GS and CS models in combination with the other corresponding bounds given in Theorem 1.

The proof of Corollary 1 follows from Theorem 1 because $I(U_{j};X)-I(U_{j};Y_{j})\leq 0$ for all $j\in[1:J]$ for BCs considered in Corollary 1.

Corollary 1 illustrates that it is possible to obtain strong privacy, i.e., negligible unnormalized privacy leakage, without the requirement of a common randommness that is hidden from an eavesdropper assumed in [9, 10, 24]. This is the case because the observation $Y^{n}_{j}$ of each decoder is “better” than the observation $\widetilde{X}^{n}_{j}$ of the corresponding encoder with respect to the hidden source $X^{n}$ for all entities.

Remark 1.

The rate regions for our problem depend on the joint conditional probability distributions $P_{XY_{j}|\widetilde{X}_{j}}$ rather than only the marginal conditional distributions. Thus, the key-leakage-storage regions for the stochastically-degraded BCs are not necessarily equal to the regions for the corresponding PD BCs, unlike in the classic BC problem. Furthermore, since $P_{\mathcal{\widetilde{X}}_{[1:J]}X\mathcal{Y}_{[1:J]}}$ is fixed, the distinction between the LN BCs and essentially-less noisy BCs [29], is not necessary.

We next give simple outer bounds for the multi-entity key-leakage-storage regions $\mathcal{C}_{\text{gs}}$ for the GS model and $\mathcal{C}_{\text{cs}}$ for the CS model when the BCs $P_{XY_{j}|\widetilde{X}_{j}}$ for all $j\in[1:J]$ are PD BCs or LN BCs, as defined in Corollary 1. These simple outer bounds give insights into the reason for different bounds on the secret-key rates. Based on these insights, we show a special multi-enrollment case in the next section with a less stringent secrecy constraint, for which the inner and outer bounds differ only in the Markov chains imposed and we illustrate that they match for simpler models.

Lemma 1.

Suppose one of the cases given in Corollary 1 is satisfied by the BCs $P_{XY_{j}|\widetilde{X}_{j}}$ for all $j\in[1:J]$ . An outer bound on the multi-entity key-leakage-storage region $\mathcal{C}_{\text{gs}}$ is the union over all $P_{U_{j}|\widetilde{X}_{j}}$ , where $U_{j}-\widetilde{X}_{j}-(X,Y_{j})$ form a Markov chain, for all $j\in[1:J]$ of the rate tuples such that $R_{\text{s},j}\geq 0$ for all $j\in[1:J]$ , (14), (19), and

\displaystyle R_{\text{s},j}\leq I(U_{j};Y_{j}),\qquad\qquad\forall j\in[1:J].

(20)

An outer bound to the multi-entity key-leakage-storage region $\mathcal{C}_{\text{cs}}$ for the same BCs $P_{XY_{j}|\widetilde{X}_{j}}$ is the union over all $P_{U_{j}|\widetilde{X}_{j}}$ , where $U_{j}-\widetilde{X}_{j}-(X,Y_{j})$ form a Markov chain, for all $j\in[1:J]$ of the rate tuples such that $R_{\text{s},j}\geq 0$ for all $j\in[1:J]$ , (19), (20), and

\displaystyle R_{\text{w},j}\geq I(U_{j};\widetilde{X}_{j}),\qquad\qquad\forall j\in[1:J].

(21)

The proof of Lemma 1 follows straightforwadly by following the steps in [12, Section VI], defining the auxiliary random variables $U_{j,i}=(S_{j},W_{j},Y_{j}^{i-1})$ for all $j\in[1:J]$ and $i\in[1:n]$ , and by bounding $I(X^{n};\mathcal{W}_{[1:J]})\geq 0$ ; therefore, we omit the proof.

The outer bounds do not include the inequalities in (15) and (17). Furthermore, the secret-key rate achieved by the inner bound in (12) is smaller than the outer bound given in (20), where the difference is the term $-I(U_{j};\mathcal{U}_{[1:J]\setminus\{j\}})$ . This term is a result of the constraint in (44) that is imposed to satisfy the strong and mutual key independence constraint given in (7). Therefore, we next consider a model without the constraint in (7) and use a secrecy-leakage constraint that is less stringent than the one in (9), i.e., replace (9) by

\displaystyle I(S_{j};\mathcal{W}_{[1:J]})\leq\delta,\qquad\qquad\forall j\in[1:J]

(22)

which is also a strong secrecy metric. Due to the lack of a mutual key independence constraint, the model in the next section is not a multi-entity model but rather a multi-enrollment model. For a special case of this multi-enrollment key agreement problem, we establish inner and outer bounds for the key-leakage-storage regions that comprise the same bounds but for different Markov chains.

IV Bounds for a Multi-Enrollment Model

Consider next the multi-enrollment model, where the strong and mutual key independence constraint (7) of the multi-entity model is not imposed. Assume further $J=2$ entities that measure noisy outputs of the same hidden source $X^{n}$ through separate channels that have the same channel transition matrices, i.e., for all $j\in[1:2]$ , $\tilde{x}_{j}\in\mathcal{\widetilde{X}}$ , and $y_{j}\in\mathcal{\widetilde{X}}$ we have

\displaystyle P_{\widetilde{X}_{j}Y_{j}|X}(\tilde{x}_{j},y_{j}|x)=P_{\widetilde{X}|X}(\tilde{x}_{j}|x)P_{\widetilde{X}|X}(y_{j}|x).

(23)

This model is common for SRAM PUFs, for which each measurement channel is modeled as a BSC with the same crossover probability corresponding to a worst case scenario[30]. Using (23), we define a multi-enrollment model.

Definition 2.

A key-leakage-storage rate tuple $(\widebar{R}_{\text{s},1},\widebar{R}_{\text{s},2},\widebar{R}_{\ell},\widebar{R}_{\text{w},1},\widebar{R}_{\text{w},2})$ is achievable for the multi-enrollment GS and CS models with measurements through a BC $\displaystyle P_{\widetilde{X}Y|X}(\tilde{x},y|x)$ as in (23) if, given any $\delta\!>\!0$ , there is some $n\!\geq\!1$ , and two encoder and decoder pairs for which $\displaystyle\widebar{R}_{\text{s},1}=\frac{\log|\mathcal{S}_{1}|}{n}$ , $\displaystyle\widebar{R}_{\text{s},2}=\frac{\log|\mathcal{S}_{2}|}{n}$ , $\displaystyle\widebar{R}_{\text{w},1}=\frac{H(W_{1})}{n}$ , $\displaystyle\widebar{R}_{\text{w},2}=\frac{H(W_{2})}{n}$ , and

$\displaystyle\Pr\left[\{S_{1}\neq\hat{S}_{1}\}\bigcup\{S_{2}\neq\hat{S}_{2}\}\right]\leq\delta$	(reliability)	(24)
$\displaystyle\frac{1}{n}H(S_{j})=\widebar{R}_{\text{s},j}-\delta,\qquad\;\;\,j=1,2$	(key uniformity)	(25)
$\displaystyle\frac{1}{n}I(X^{n};W_{1},W_{2})\!=\!\widebar{R}_{\ell}\!+\!\delta$	(privacy)	(26)
$\displaystyle I\left(S_{j};W_{1},W_{2}\right)\leq\delta,\qquad\quad j=1,2$	(strong secrecy)	(27)
$\displaystyle\frac{1}{n}\log\|\mathcal{W}_{j}\|=\widebar{R}_{\text{w},j}\!+\!\delta,\qquad j=1,2$	(storage)	(28)
$\displaystyle I(W_{1};W_{2})\leq\delta$	$\displaystyle\quad\text{(storage ind.)}.$	(29)

The multi-enrollment key-leakage-storage regions $\mathcal{\widebar{C}}_{\text{gs},J=2}$ for the GS model and $\mathcal{\widebar{C}}_{\text{cs},J=2}$ for the CS model are the closures of the set of all achievable rate tuples $(\widebar{R}_{\text{s},1},\widebar{R}_{\text{s},2},\widebar{R}_{\ell},\widebar{R}_{\text{w},1},\widebar{R}_{\text{w},2})$ .

We characterize in Theorem 2 inner and outer bounds for $\mathcal{\widebar{C}}_{\text{gs},J=2}$ and $\mathcal{\widebar{C}}_{\text{cs},J=2}$ . The proofs of Theorem 2 are given in Section VI, where the reason for the necessity of the secrecy-leakage constraint in (27) that is less stringent than the joint secrecy-leakage constraint in (9) is given in Remark 2. Similarly, the reason for the necessity of the strong helper data (storage) independence constraint in (29) is discussed in Remark 4. We remark that the equalities in (25), (26), and (28) are required in the outer bounds in Theorem 2 to provide both upper and lower bounds on $\widebar{R}_{\ell}$ and $\widebar{R}_{\text{w},j}$ in terms of Shannon entropy terms.

Denote

\displaystyle j^{\prime}=3-j,\qquad\qquad\qquad j=1,2.

(30)

Theorem 2.

(Inner Bounds for Multi-enrollment GS and CS Models): An achievable multi-enrollment key-leakage-storage region $\mathcal{\widebar{R}}_{\text{gs},J=2}$ is the union over all $P_{U_{1}|\widetilde{X}_{1}}$ and $P_{U_{2}|\widetilde{X}_{2}}$ of the rate tuples such that $\widebar{R}_{\text{s},j}\geq 0$ for $j=1,2$ and

$\displaystyle\widebar{R}_{\text{s},j}\leq I(U_{j};Y_{j}),$	$\displaystyle\quad j=1,2$	(31)
$\displaystyle\widebar{R}_{\ell}\geq\sum_{j=1}^{2}\big{(}I(U_{j};X)\!-\!I(U_{j};Y_{j})\big{)},$		(32)
$\displaystyle\widebar{R}_{\ell}\leq\sum_{j=1}^{2}\big{(}I(U_{j};X)\!-\!I(U_{j};\widetilde{X}_{j})\!+\!\widebar{R}_{\text{w},j}\big{)},$		(33)
$\displaystyle\widebar{R}_{\text{w},j}\!\geq\!I(U_{j};\widetilde{X}_{j})-I(U_{j};Y_{j}),$	$\displaystyle\quad j=1,2$	(34)
$\displaystyle\widebar{R}_{\text{s},j}+\widebar{R}_{\text{w},j}\leq H(U_{j}),$	$\displaystyle\quad j=1,2$	(35)
$\displaystyle\widebar{R}_{\text{s},j}+\widebar{R}_{\text{w},j}+\widebar{R}_{\text{w},j^{\prime}}\leq H(U_{j},U_{j^{\prime}}),$	$\displaystyle\quad j=1,2.$	(36)

An achievable multi-enrollment key-leakage-storage region $\mathcal{\widebar{R}}_{\text{cs},J=2}$ is the union over all $P_{U_{1}|\widetilde{X}_{1}}$ and $P_{U_{2}|\widetilde{X}_{2}}$ of the rate tuples such that $\widebar{R}_{\text{s},j}\geq 0$ for $j=1,2$ , (31)-(33), and

$\displaystyle\widebar{R}_{\text{w},j}\!\geq\!I(U_{j};\widetilde{X}_{j}),$	$\displaystyle\quad j=1,2$	(37)
$\displaystyle\widebar{R}_{\text{w},j}\leq H(U_{j}),$	$\displaystyle\quad j=1,2$	(38)
$\displaystyle\widebar{R}_{\text{w},j}\!+\!\widebar{R}_{\text{w},j^{\prime}}\!\leq\!H(U_{j},U_{j^{\prime}})\!+\!\widebar{R}_{\text{s},j^{\prime}},$	$\displaystyle\quad j=1,2.$	(39)

For both achievable rate regions $\mathcal{\widebar{R}}_{\text{gs},J=2}$ and $\mathcal{\widebar{R}}_{\text{cs},J=2}$ , we have

	$\displaystyle P_{U_{1}U_{2}\widetilde{X}_{1}\widetilde{X}_{2}XY_{1}Y_{2}}({u_{1},u_{2},\widetilde{x}_{1},\widetilde{x}_{2},x,y_{1},y_{2}})$
	$\displaystyle\quad=P_{U_{1}\|\widetilde{X}_{1}}(u_{1}\|\tilde{x}_{1})P_{U_{2}\|\widetilde{X}_{2}}(u_{2}\|\tilde{x}_{2})P_{\widetilde{X}\|X}(\tilde{x}_{1}\|x)P_{\widetilde{X}\|X}(\tilde{x}_{2}\|x)$
	$\displaystyle\quad\qquad\times P_{\widetilde{X}\|X}(y_{1}\|x)P_{\widetilde{X}\|X}(y_{2}\|x)P_{X}(x).$		(40)

(Outer Bounds for Multi-enrollment GS and CS Models) An outer bound for $\mathcal{\widebar{C}}_{\text{gs},J=2}$ is the union over all $P_{U_{1}|\widetilde{X}_{1}}$ and $P_{U_{2}|\widetilde{X}_{2}}$ of the rate tuples such that $\widebar{R}_{\text{s},j}\geq 0$ , (31) - (36), and $U_{j}-\widetilde{X}_{j}-X-Y_{j}$ form a Markov chain for $j=1,2$ . An outer bound for $\mathcal{\widebar{C}}_{\text{cs},J=2}$ is the union over all $P_{U_{1}|\widetilde{X}_{1}}$ and $P_{U_{2}|\widetilde{X}_{2}}$ of the rate tuples such that $\widebar{R}_{\text{s},j}\geq 0$ , (31) - (33), (37) - (39), and $U_{j}-\widetilde{X}_{j}-X-Y_{j}$ form a Markov chain for $j=1,2$ .

The inner and outer bounds differ because the outer bounds define rate regions for the Markov chains $U_{1}-\widetilde{X}_{1}-X-Y_{1}$ and $U_{2}-\widetilde{X}_{2}-X-Y_{2}$ , which are larger than the rate regions defined by the inner bounds that satisfy (40). For instance, in the achievability proof of Theorem 2, we apply the properties of the Markov chain $U_{2}-\widetilde{X}_{2}-U_{1}$ in (86)(b), which does not form a Markov chain for the choice of $U_{1}$ and $U_{2}$ in the outer bounds. Therefore, inner and outer bounds do not match in general.

Corollary 2.

Choosing $U_{1}=\widetilde{X}_{1}$ and $U_{2}=\widetilde{X}_{2}$ , it is straightforward to show that inner and outer bounds in Theorem 2 match if we do not impose any storage or privacy constraints, i.e., impose only (24), (25), and (27). This result improves on the secret-key capacity region given in [18, Theorem 1] for a weak secrecy constraint.

Example 1.

Consider the RO PUF model from [25, Section 4.1] where a transform-coding method is applied to conservatively model the measurement channels $P_{Y|X}=P_{\widetilde{X}|X}$ as independent BSCs with the same crossover probability of $p_{\text{A}}$ and where the hidden source output is $\text{Bern}(\frac{1}{2})$ . We therefore can apply the achievability results from Theorem 2 to this RO PUF model. Using [12, Theorem 3] to evaluate the boundary tuples of $\mathcal{\widebar{R}}_{\text{gs},J=2}$ , it suffices to consider probability distributions $P_{U_{j}|\widetilde{X}_{j}}$ for $j=1,2$ such that $P_{\widetilde{X}_{j}|U_{j}}$ are BSCs with crossover probabilities

\displaystyle\tilde{x}_{j}=\frac{H_{b}^{-1}(H(X|U_{j}))-p_{\text{A}}}{1-2p_{\text{A}}}.

(41)

Consider the projection of the boundary tuples of $\mathcal{\widebar{R}}_{\text{gs},J=2}$ onto key-leakage plane, i.e., (31) and (32). We plot in Fig. 2 single-enrollment results where the privacy-leakage rate is measured with respect to single helper data and two-enrollment results for the sum rate of the two keys, both for $p_{\text{A}}=0.06$ [25]. To achieve a total secret-key rate of $I(\widetilde{X}_{1};Y_{1})=I(\widetilde{X}_{2};Y_{2})$ , the privacy-leakage rate for the two-enrollment model is approximately $13.5\%$ less than the privacy-leakage rate for the single-enrollment model for RO PUFs. The reason for this gain is the information bottleneck problem that arises from (31) and (32) to find the boundary tuples.

Figure 2: Privacy-leakage vs. secret-key rate projection of the boundary tuples of the single- and two-enrollment RO PUF models with BSCs

(p_{\text{A}}=0.06)

Example 2.

Consider uniform binary antipodal measurements over an additive white Gaussian noise (AWGN) channel. Define the signal power as $P_{\text{S}}$ and the noise power as $P_{\text{N}}$ , so we have a signal-to-noise ratio (SNR) of $\displaystyle SNR=\frac{P_{\text{S}}}{P_{\text{N}}}$ . If a matched filter, which maximizes the $SNR$ at the sampling instant for the AWGN channel, is applied at the encoder and decoder, the bit error probability $P_{\text{b}}$ is given by [31, pp. 96]

\displaystyle P_{\text{b}}=Q\left(\sqrt{SNR}\right).

(42)

The channel between input binary symbols and outputs of the matched filter is a BISO channel. Using [12, Theorem 3], we have that $P_{\widetilde{X}_{j}|U_{j}}$ for $j=1,2$ that are BSCs with crossover probabilities given in (41) by replacing $p_{\text{A}}$ with $P_{\text{b}}$ , suffice to obtain the boundary tuples of $\mathcal{\widebar{R}}_{\text{gs},J=2}$ . We remark that $p_{\text{A}}=0.06$ used in Example 1 corresponds to an SNR of approximately $3.83$ dB.

In Fig. 3, the privacy-leakage rate vs. secret-key rate boundary tuples are depicted for two cases. First, a two-enrollment model at $SNR=3.83$ dB with a sum rate for two secret keys is depicted, where each enrollment has a signal power of $P_{s}$ . For comparison, we plot a single-enrollment model with the signal power of $2P_{\text{s}}$ , i.e., we have an SNR of approximately $6.84$ dB. Fig. 3 shows for the two cases with the same total signal power of $2P_{\text{s}}$ , unlike in Example 1, that the single enrollment boundary tuple can result in a gain of approximately $228.55\%$ at its top left corner point in terms of the secret-key rates achieved for a given privacy-leakage rate. For such an AWGN channel with a fixed total signal power; therefore, the single-enrollment model can result in significant gains in terms of achieved secret-key rates as compared to the two-enrollment model for small $\widebar{R}_{\ell}$ values.

Figure 3: Privacy-leakage vs. secret-key rate projection of the boundary tuples of the single- and two-enrollment RO PUF models with different SNRs.

V Proof of Theorem 1

We provide a proof that follows from the output statistics of random binning (OSRB) method, proposed in [32] and further extended in [33], by applying the steps in [34, Section 1.6].

V-A Proof for the GS Model

Proof:

Fix $\displaystyle P_{U_{1}|\widetilde{X}_{1}},\displaystyle P_{U_{2}|\widetilde{X}_{2}},\ldots,P_{U_{J}|\widetilde{X}_{J}}$ . Let $(\mathcal{U}_{[1:J]}^{n},\mathcal{\widetilde{X}}_{[1:J]}^{n},X^{n},\mathcal{Y}_{[1:J]}^{n})$ be i.i.d. according to (18). Assign three random bin indices $(S_{j},W_{j},C_{j})$ to each realization $u_{j}^{n}$ for all $j\in[1:J]$ , where $S_{j}$ represents the secret key, $W_{j}$ the helper data, and $C_{j}$ a public index referring to a random encoder-decoder pair fixed below. Assume $S_{j}\in[1:2^{nR_{\text{s},j}}]$ , $W_{j}\in[1:2^{nR_{\text{w},j}}]$ , and $C_{j}\in[1:2^{nR_{\text{c},j}}]$ such that $R_{\text{s},j},R_{\text{w},j},R_{\text{c},j}\geq 0$ for all $j\in[1:J]$ .

Apply the union bound to the reliability constraint in (5) to obtain the sum of $J$ error probabilities. This sum vanishes for any finite number $J$ when $n\rightarrow\infty$ by using a Slepian-Wolf (SW) [35] decoder to estimate $U_{j}^{n}$ from $(C_{j},W_{j},Y_{j}^{n})$ if [32, Lemma 1]

\displaystyle R_{\text{c},j}+R_{\text{w},j}>H(U_{j}|Y_{j}),\qquad\forall j\in[1:J].

(43)

The key uniformity (6), mutual and strong key independence (7), and strong secrecy (9) constraints are satisfied if [32, Theorem 1]

\displaystyle R_{\text{s},j}\!+\!R_{\text{w},j}\!+\!R_{\text{c},j}<H(U_{j}|\,\mathcal{U}_{[1:J]\setminus\{j\}}),\;\;\;\forall j\in[1:J]

(44)

since (44) ensures that the three random indices $(S_{j},W_{j},C_{j})$ are almost mutually independent and uniformly distributed, and they are almost independent of $\mathcal{U}_{[1:J]\setminus\{j\}}$ . Therefore, $(S_{j},W_{j},C_{j})$ are almost independent of $\left(\mathcal{S}_{[1:J]\setminus\{j\}},\mathcal{W}_{[1:J]\setminus\{j\}},\mathcal{C}_{[1:J]\setminus\{j\}}\right)$ because $U_{k}^{n}$ determines $(S_{k},W_{k},C_{k})$ for all $k\in[1:J]$ .

Similarly, the public randomness $C_{j}$ is almost independent of $\widetilde{X}^{n}_{j}$ , so it is almost independent of $(\mathcal{\widetilde{X}}_{[1:J]}^{n},X^{n},\mathcal{Y}_{[1:J]}^{n})$ , if we have [32, Theorem 1]

\displaystyle R_{\text{c},j}<H(U_{j}|\widetilde{X}_{j}),\qquad\qquad\forall j\in[1:J].

(45)

Thus, the public indices $\mathcal{C}_{[1:J]}$ can be fixed and shared with all parties by generating them uniformly at random. The $j$ -th encoder can generate $U_{j}^{n}$ according to $P_{U_{j}^{n}|\widetilde{X}_{j}^{n}C_{j}}$ obtained from the binning scheme above to compute the bins $(S_{j},W_{j})$ from $U_{j}^{n}$ for all $j\in[1:J]$ . This procedure induces a joint probability distribution that is almost equal to $P_{\mathcal{U}_{[1:J]}\mathcal{\widetilde{X}}_{[1:J]}X\mathcal{Y}_{[1:J]}}$ fixed in (18) [34, Section 1.6].

Applying the Fourier Motzkin elimination [36] using the software available in [37] to (43)-(45) for each $j\in[1:J]$ separately, we obtain the inequalities

	$\displaystyle R_{\text{w},j}>I(U_{j};\widetilde{X}_{j})-I(U_{j};Y_{j})$		(46)
	$\displaystyle R_{\text{s},j}<I(U_{j};Y_{j})-I(U_{j};\mathcal{U}_{[1:J]\setminus\{j\}})$		(47)
	$\displaystyle R_{\text{w},j}+R_{\text{s},j}<H(U_{j}\|\mathcal{U}_{[1:J]\setminus\{j\}})$		(48)

for all $j\in[1:J]$ .

To satisfy the constraints (46)-(48), we can fix the rates to

$\displaystyle R_{\text{s},j}=I(U_{j};Y_{j})\!-\!I(U_{j};\mathcal{U}_{[1:J]\setminus\{j\}})\!-\!2\epsilon,$	$\displaystyle\quad\forall j\in[1:J]$	(49)
$\displaystyle R_{\text{w},j}=I(U_{j};\widetilde{X}_{j})-I(U_{j};Y_{j})+2\epsilon,$	$\displaystyle\quad\forall j\in[1:J]$	(50)
$\displaystyle R_{\text{c},j}=H(U_{j}\|\widetilde{X}_{j})-\epsilon,$	$\displaystyle\quad\forall j\in[1:J]$	(51)

for some $\epsilon>0$ such that $\epsilon\rightarrow 0$ when $n\rightarrow\infty$ .

Consider the privacy leakage. Since $\mathcal{C}_{[1:J]}$ are public, we can bound the privacy leakage as follows.

	$\displaystyle I(X^{n};\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\leq H(\mathcal{W}_{[1:J]})-H(\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]}\|X^{n})+H(\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\overset{(a)}{=}H(\mathcal{W}_{[1:J]})-\sum_{j=1}^{J}H(W_{j},C_{j}\|X^{n})+H(\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\leq\sum_{j=1}^{J}\Big{(}H(W_{j})\!+\!H(C_{j})\!-\!H(W_{j},C_{j}\|X^{n})\Big{)}$		(52)

where $(a)$ follows because $(W_{j},C_{j})-X^{n}-(\mathcal{W}_{[1:j-1]},\mathcal{C}_{[1:j-1]})$ form a Markov chain for all $j\in[2:J]$ .

Consider two cases for the privacy leakage analysis.

Case 1: Suppose for any $j\in[1:J]$ that we have

\displaystyle R_{\text{c},j}+R_{\text{w},j}<H(U_{j}|X)

(53)

i.e., $H(U_{j}|X)>H(U_{j}|Y_{j})$ , so $(W_{j},C_{j},X^{n})$ are almost mutually independent [32, Theorem 1]. Therefore, we have

	$\displaystyle H(W_{j})\!+\!H(C_{j})\!-\!H(W_{j},C_{j}\|X^{n})$
	$\displaystyle\quad\leq H(W_{j})\!+\!H(C_{j})\!-\!(H(W_{j})+H(C_{j})-\epsilon_{n}^{\prime})=\epsilon_{n}^{\prime}$		(54)

for some $\epsilon_{n}^{\prime}>0$ such that $\epsilon_{n}^{\prime}\rightarrow 0$ when $n\rightarrow\infty$ . Combining (52) and (54) proves strong privacy.

Case 2: Suppose for any $j\in[1:J]$ that we have

\displaystyle R_{\text{c},j}+R_{\text{w},j}\geq H(U_{j}|X)

(55)

i.e., $H(U_{j}|X)\leq H(U_{j}|Y_{j})$ , so $(W_{j},C_{j},X^{n})$ can reliably estimate $U_{j}^{n}$ [32, Lemma 1]. Therefore, we have

	$\displaystyle H(W_{j})\!+\!H(C_{j})\!-\!H(W_{j},C_{j}\|X^{n})$
	$\displaystyle\quad\overset{(a)}{\leq}H(W_{j})\!+\!H(C_{j})\!-\!nH(U_{j}\|X)+n\epsilon_{n}^{\prime\prime}$
	$\displaystyle\quad\overset{(b)}{\leq}n(I(U_{j};X)-I(U_{j};Y_{j})+\epsilon+\epsilon_{n}^{\prime\prime})$		(56)

where $(a)$ follows because $U_{j}^{n}$ determines $(W_{j},C_{j})$ , $(W_{j},C_{j},X^{n})$ can realiably estimate $U^{n}$ for some $\epsilon_{n}^{\prime\prime}>0$ such that $\epsilon_{n}^{\prime\prime}\rightarrow 0$ when $n\rightarrow\infty$ , and $(U_{j}^{n},X^{n})$ are i.i.d., and $(b)$ follows by (50) and (51).

Combining (52) and (56), we obtain

	$\displaystyle I(X^{n};\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\!\leq\!\sum_{\begin{subarray}{c}j=1\\ \;j:\\ H(U_{j}\|X)\leq H(U_{j}\|Y_{j})\end{subarray}}^{J}\!n(I(U_{j};X)\!-\!I(U_{j};Y_{j})\!+\!\epsilon\!+\!\epsilon_{n}^{\prime\prime}).$		(57)

Using the selection lemma [38, Lemma 2.2], these prove the achievability of the rate region $\mathcal{R}_{\text{gs}}$ . ∎

V-B Proof for the CS Model

We use the achievability proof for the GS model. Suppose the key $S^{\prime}_{j}$ , generated as in the GS model together with the helper data $W^{\prime}_{j}$ and public index $C^{\prime}_{j}$ , have the same cardinality as the corresponding embedded secret key $S_{j}$ , i.e., $|\mathcal{S}^{\prime}_{j}|=|\mathcal{S}_{j}|$ for all $j\in[1:J]$ . The chosen key $S_{j}$ is uniformly distributed and independent of $(X^{n},\mathcal{\widetilde{X}}_{[1:J]}^{n},\mathcal{Y}_{[1:J]}^{n},\mathcal{S}_{[1:J]\setminus\{j\}})$ for all $j\in[1:J]$ . Consider the $j$ -th encoder $f_{\text{cs},j}(\cdot,\cdot)$ with inputs $(\widetilde{X}^{n}_{j},S_{j})$ and output $W_{j}=(S^{\prime}_{j}+S_{j},W^{\prime}_{j})$ , and the $j$ -th decoder $g_{j}(\cdot,\cdot)$ with inputs $(Y_{j}^{n},W_{j})$ and output $\hat{S}_{j}=S^{\prime}_{j}+S_{j}-\hat{S}^{\prime}_{j}$ . All addition and subtraction operations are modulo- $|\mathcal{S}_{j}|$ for all $j\in[1:J]$ . The $j$ -th decoder of the GS model is used to obtain $\hat{S}^{\prime}_{j}$ for all $j\in[1:J]$ .

We have the error probability

\displaystyle\Pr\left[\underset{j\in[1:J]}{\bigcup}\{S_{j}\neq\hat{S}_{j}\}\right]=\Pr\left[\underset{j\in[1:J]}{\bigcup}\{S^{\prime}_{j}\neq\hat{S}^{\prime}_{j}\}\right]

(58)

which is small due to the proof of achievability for the GS model.

Using (49) and (50), and from the one-time padding operation applied above, we can achieve a storage rate of

\displaystyle R_{\text{w},j}\geq I(U_{j};\widetilde{X}_{j})-I(U_{j};U_{[1:J]\setminus\{j\}}),\quad\;\forall j\in[1:J]

(59)

for the CS model.

We have the secrecy leakage of

	$\displaystyle I(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]}^{\prime})\overset{(a)}{=}I(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]}\|\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!=\!I(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime}\!)\!+\!I(\mathcal{S}_{[1:J]};{(\mathcal{S}^{\prime}\!+\!\mathcal{S})}_{[1:J]}\!\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime}\!)$
	$\displaystyle\!\overset{(b)}{=}H({(\mathcal{S}^{\prime}\!+\!\mathcal{S})}_{[1:J]}\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})-H(\mathcal{S}_{[1:J]}^{\prime}\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!\overset{(c)}{\leq}n\Big{(}\sum_{j=1}^{J}R_{\text{s},j}\Big{)}-H(\mathcal{S}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime})+I(\mathcal{S}_{[1:J]}^{\prime};\mathcal{W}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!\overset{(d)}{\leq}n\Big{(}\sum_{j=1}^{J}R_{\text{s},j}\Big{)}-\Big{(}n\Big{(}\sum_{j=1}^{J}R_{\text{s},j}\Big{)}-\epsilon_{n}^{\prime\prime\prime}\Big{)}$
	$\displaystyle\qquad+I(\mathcal{S}_{[1:J]}^{\prime};\mathcal{W}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!\overset{(e)}{\leq}\epsilon_{n}^{\prime\prime\prime}+\epsilon_{n}^{(4)}$		(60)

where $(a)$ follows since $\mathcal{S}_{[1:J]}$ are chosen independently of the public indices $\mathcal{C}_{[1:J]}$ , $(b)$ follows because $\mathcal{S}_{[1:J]}$ are chosen independently of $(\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime},\mathcal{S}_{[1:J]}^{\prime})$ , $(c)$ follows because $|\mathcal{S}^{\prime}_{j}|=|\mathcal{S}_{j}|$ for all $j\in[1:J]$ , $(d)$ follows because $\mathcal{S}_{[1:J]}^{\prime}$ and $\mathcal{C}_{[1:J]}^{\prime}$ are almost mutually independent and each $S_{j}^{\prime}$ is almost uniformly distributed due to (44) for some $\epsilon_{n}^{\prime\prime\prime}>0$ such that $\epsilon_{n}^{\prime\prime\prime}\rightarrow 0$ when $n\rightarrow\infty$ , and $(e)$ follows because the GS model satisfies the strong secrecy constraint (9) due to (44) for some $\epsilon_{n}^{(4)}>0$ such that $\epsilon_{n}^{(4)}\rightarrow 0$ when $n\rightarrow\infty$ .

Consider the privacy leakage:

	$\displaystyle I(X^{n};\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\leq I(X^{n};\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})+H((\mathcal{S}+\mathcal{S}^{\prime})_{[1:J]}\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\qquad-H((\mathcal{S}+\mathcal{S}^{\prime})_{[1:J]}\|X^{n},\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime},\mathcal{S}_{[1:J]}^{\prime})$
	$\displaystyle\overset{(a)}{\leq}I(X^{n};\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})\!+\!\Big{(}\sum_{j=1}^{J}\log(\|\mathcal{S}_{j}\|)\Big{)}\!-\!H(\mathcal{S}_{[1:J]})$
	$\displaystyle\overset{(b)}{=}I(X^{n};\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})$		(61)

where $(a)$ follows because $\mathcal{S}_{[1:J]}$ are chosen independently of $(X^{n},\mathcal{W}_{[1:J]}^{\prime},\mathcal{S}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})$ and $|\mathcal{S}^{\prime}_{j}|=|\mathcal{S}_{j}|$ for all $j\in[1:J]$ and $(b)$ follows from the uniformity and mutual independence of $\mathcal{S}_{[1:J]}$ .

Using the selection lemma, these prove the achievability of the rate region $\mathcal{R}_{\text{cs}}$ .

VI Proof of Thorem 2

We use the OSRB method steps in [34, Section 1.6].

VI-A Achievability Proof for the GS Model

Fix

\displaystyle\displaystyle P_{U_{1}|\widetilde{X}_{1}}=P_{U_{2}|\widetilde{X}_{2}}=P_{U|\widetilde{X}}.

(62)

Let $(U_{1}^{n},U_{2}^{n},\widetilde{X}_{1}^{n},\widetilde{X}_{2}^{n},X^{n},Y_{1}^{n},Y_{2}^{n})$ be i.i.d. according to (40). Assign three random bin indices $(S_{j},W_{j},C_{j})$ to each realization $u_{j}^{n}$ for all $j=1,2$ . Assume $S_{j}\in[1:2^{n\widebar{R}_{\text{s},j}}]$ , $W_{j}\in[1:2^{n\widebar{R}_{\text{w},j}}]$ , and $C_{j}\in[1:2^{n\widebar{R}_{\text{c},j}}]$ such that $\widebar{R}_{\text{s},j},\widebar{R}_{\text{w},j},\widebar{R}_{\text{c},j}\geq 0$ for $j=1,2$ .

Apply the union bound to the reliability constraint in (24), which vanishes when $n\rightarrow\infty$ by using an SW decoder to estimate $U_{j}^{n}$ from $(C_{j},W_{j},Y_{j}^{n})$ if [32, Lemma 1]

\displaystyle\widebar{R}_{\text{c},j}+\widebar{R}_{\text{w},j}>H(U_{j}|Y_{j}),\qquad\;\;\;\;j=1,2.

(63)

The key uniformity (25) constraint is satisfied if [32, Theorem 1]

\displaystyle\widebar{R}_{\text{s},j}\!+\!\widebar{R}_{\text{w},j}\!+\!\widebar{R}_{\text{c},j}<H(U_{j}),\qquad j=1,2

(64)

since (64) ensures that the three random indices $(S_{j},W_{j},C_{j})$ are almost mutually independent and uniformly distributed.

Suppose a virtual joint encoder assigns six indices $(S_{1},W_{1},C_{1},S_{2},W_{2},C_{2})$ to each realization pair $(u_{1}^{n},u_{2}^{n})$ . This virtual encoder is an operational dual of the virtual decoder used in the proof of [18, Theorem 1]. Using the virtual joint encoder, the strong secrecy constraint in (27) and the strong helper data independence constraint in (29) are satisfied if [32, Theorem 1]

\displaystyle\widebar{R}_{\text{s},1}\!+\!\widebar{R}_{\text{w},1}\!+\!\widebar{R}_{\text{c},1}\!+\!\widebar{R}_{\text{w},2}\!+\!\widebar{R}_{\text{c},2}<H(U_{1},U_{2})

(65)

and

\displaystyle\widebar{R}_{\text{s},2}\!+\!\widebar{R}_{\text{w},2}\!+\!\widebar{R}_{\text{c},2}\!+\!\widebar{R}_{\text{w},1}\!+\!\widebar{R}_{\text{c},1}<H(U_{1},U_{2})

(66)

because (65) ensures that $(S_{1},W_{1},C_{1},W_{2},C_{2})$ are almost mutually independent; whereas, (66) ensures that $(S_{2},W_{2},C_{2},W_{1},C_{1})$ are almost mutually independent.

Remark 2.

The set of equations considered in (64)-(66) cannot be imposed for the joint secrecy-leakage constraint in (9) for general probability distributions $P_{\widetilde{X}_{1}\widetilde{X}_{2}XY_{1}Y_{2}}$ , since to impose (9) one would replace (65) and (66) with

\displaystyle\widebar{R}_{\text{s},1}\!+\!\widebar{R}_{\text{w},1}\!+\!\widebar{R}_{\text{c},1}\!+\widebar{R}_{\text{s},2}+\!\widebar{R}_{\text{w},2}\!+\!\widebar{R}_{\text{c},2}<H(U_{1},U_{2})

(67)

which would also imply the mutual independence of secret keys in (7). However, the inequalities in (64) and (67) cannot be satisfied simultaneously in general as $H(U_{1})+H(U_{2})\geq H(U_{1},U_{2})$ . This problem is avoided in the proof of Theorem 1 by imposing the inequality in (44) rather than (64).

The public randomness $C_{j}$ is almost independent of $\widetilde{X}^{n}_{j}$ , so it is almost independent of $(\widetilde{X}_{1}^{n},\widetilde{X}_{2}^{n},X^{n},Y_{1}^{n},Y_{2}^{n})$ , if we have [32, Theorem 1]

\displaystyle\widebar{R}_{\text{c},j}<H(U_{j}|\widetilde{X}_{j}),\qquad\qquad j=1,2.

(68)

Thus, the public indices $(C_{1},C_{2})$ can be fixed and shared publicly by generating them uniformly at random. $U_{j}^{n}$ can be generated according to $P_{U_{j}^{n}|\widetilde{X}_{j}^{n}C_{j}}$ for $j=1,2$ obtained from the binning scheme above to compute the bins $(S_{j},W_{j})$ from $U_{j}^{n}$ for $j=1,2$ . This procedure induces a joint probability distribution that is almost equal to $P_{U_{1}U_{2}\widetilde{X}_{1}\widetilde{X}_{2}XY_{1}Y_{2}}$ that is fixed in (40) [34, Section 1.6].

Applying the Fourier Motzkin elimination to (63)-(66) and (68), we obtain the inequalities

	$\displaystyle\widebar{R}_{\text{w},1}>H(U_{1}\|Y_{1})-H(U_{1}\|\widetilde{X}_{1})$		(69)
	$\displaystyle\widebar{R}_{\text{w},2}>H(U_{2}\|Y_{2})-H(U_{2}\|\widetilde{X}_{2})$		(70)
	$\displaystyle\widebar{R}_{\text{s},1}<I(U_{1};Y_{1})$		(71)
	$\displaystyle\widebar{R}_{\text{s},2}<I(U_{2};Y_{2})$		(72)
	$\displaystyle\widebar{R}_{\text{s},1}<-H(U_{1}\|Y_{1})-H(U_{2}\|Y_{2})+H(U_{1},U_{2})$		(73)
	$\displaystyle\widebar{R}_{\text{s},2}<-H(U_{1}\|Y_{1})-H(U_{2}\|Y_{2})+H(U_{1},U_{2})$		(74)
	$\displaystyle\widebar{R}_{\text{s},1}+\widebar{R}_{\text{w},2}<-H(U_{1}\|Y_{1})+H(U_{1},U_{2})$		(75)
	$\displaystyle\widebar{R}_{\text{s},1}+\widebar{R}_{\text{w},1}<H(U_{1})$		(76)
	$\displaystyle\widebar{R}_{\text{s},1}+\widebar{R}_{\text{w},1}<-H(U_{2}\|Y_{2})+H(U_{1},U_{2})$		(77)
	$\displaystyle\widebar{R}_{\text{s},1}+\widebar{R}_{\text{w},1}+\widebar{R}_{\text{w},2}<H(U_{1},U_{2})$		(78)
	$\displaystyle\widebar{R}_{\text{s},2}+\widebar{R}_{\text{w},2}<-H(U_{1}\|Y_{1})+H(U_{1},U_{2})$		(79)
	$\displaystyle\widebar{R}_{\text{s},2}+\widebar{R}_{\text{w},2}<H(U_{2})$		(80)
	$\displaystyle\widebar{R}_{\text{s},2}+\widebar{R}_{\text{w},1}<-H(U_{2}\|Y_{2})+H(U_{1},U_{2})$		(81)
	$\displaystyle\widebar{R}_{\text{s},2}+\widebar{R}_{\text{w},2}+\widebar{R}_{\text{w},1}<H(U_{1},U_{2}).$		(82)

Observe that we have

	$\displaystyle H(U_{1}\|\widetilde{X}_{2})=H(U_{1}\|Y_{1})=H(U_{2}\|\widetilde{X}_{1})=H(U_{2}\|Y_{2})$		(83)
	$\displaystyle H(U_{1}\|\widetilde{X}_{1})=H(U_{2}\|\widetilde{X}_{2})$		(84)
	$\displaystyle H(U_{1})=H(U_{2})$		(85)

due to (23) and (62). We therefore obtain

	$\displaystyle H(U_{1},U_{2})-H(U_{1}\|Y_{1})\overset{(a)}{=}H(U_{2})\!+\!H(U_{1}\|U_{2})\!-\!H(U_{1}\|\widetilde{X}_{2})$
	$\displaystyle\quad\overset{(b)}{\geq}H(U_{2})$		(86)

where $(a)$ follows by (83) and $(b)$ follows from the Markov chain $U_{2}-\widetilde{X}_{2}-U_{1}$ . A similar result can be shown by swaping the indices. Therefore, the constraints in (77) and (79) are inactive due to the constraints, respectively, in (76) and (80). Similarly, the constraints in (73) and (74) are inactive due to the constraints, respectively, in (71) and (72).

Replace the inequalities in (75) and (81), respectively, with

	$\displaystyle 2\widebar{R}_{\text{s},1}+\widebar{R}_{\text{w},1}+\widebar{R}_{\text{w},2}<I(U_{1};Y_{1})+H(U_{1},U_{2})$		(87)
	$\displaystyle 2\widebar{R}_{\text{s},2}+\widebar{R}_{\text{w},2}+\widebar{R}_{\text{w},1}<I(U_{2};Y_{2})+H(U_{1},U_{2}).$		(88)

Then, (87) is inactive because (71) and (78) imply (87), and (88) is inactive because (72) and (82) imply (88). We remark that the rate region represented by (69)-(82) is the same as the region represented by replacing (75) and (81) with (87) and (88) because the corner points (i.e., the points that asymptotically achieve equalities in the given inequalities for fixed $P_{U_{1}|\widetilde{X}_{1}}=P_{U_{2}|\widetilde{X}_{2}}$ ) of the two rate regions are the same. Therefore, the inequalities in (75) and (81) are inactive.

To satisfy the constraints (69)-(82), we can fix the rates to

$\displaystyle\widebar{R}_{\text{s},j}=I(U_{j};Y_{j})-\!5\epsilon,$	$\displaystyle\qquad j=1,2$	(89)
$\displaystyle\widebar{R}_{\text{w},j}=I(U_{j};\widetilde{X}_{j})-I(U_{j};Y_{j})+2\epsilon,$	$\displaystyle\qquad j=1,2$	(90)
$\displaystyle\widebar{R}_{\text{c},j}=H(U_{j}\|\widetilde{X}_{j})-\epsilon,$	$\displaystyle\qquad j=1,2$	(91)

for some $\epsilon>0$ such that $\epsilon\rightarrow 0$ when $n\rightarrow\infty$ due to (83)-(86).

Since $C_{1}$ and $C_{2}$ are public, we can bound the privacy leakage as follows.

	$\displaystyle I(X^{n};W_{1},W_{2},C_{1},C_{2})$
	$\displaystyle\overset{(a)}{\leq}H(W_{1},W_{2})-H(W_{1},C_{1}\|X^{n})-H(W_{2},C_{2}\|X^{n})$
	$\displaystyle\qquad+H(C_{1},C_{2})$
	$\displaystyle\overset{(b)}{\leq}H(W_{1})+H(W_{2})-H(U_{1}^{n}\|X^{n})-H(U_{2}^{n}\|X^{n})+2n\epsilon_{n}^{\prime\prime}$
	$\displaystyle\qquad+H(C_{1})+H(C_{2})$		(92)
	$\displaystyle\overset{(c)}{\leq}n(I(U_{1};X)-I(U_{1};Y_{1})+I(U_{2};X)-I(U_{2};Y_{2}))$
	$\displaystyle\qquad+2n\epsilon_{n}^{\prime\prime}+2n\epsilon$		(93)

where $(a)$ follows because $(W_{1},C_{1})-X^{n}-(W_{2},C_{2})$ form a Markov chain, $(b)$ follows for some $\epsilon_{n}^{\prime\prime}>0$ such that $\epsilon_{n}^{\prime\prime}\rightarrow 0$ when $n\rightarrow\infty$ because for the two-enrollment model considered, (55) is satisfied due to the Markov chain $U_{j}-X-Y_{j}$ for $j=1,2$ , and $(c)$ follows by (90) and (91), and because $(U_{1}^{n},U_{2}^{n},X^{n})$ are i.i.d.

Using (92) for general rate tuples that satisfy the constraints (69)-(82), i.e., not only (89)-(91), we can bound the privacy leakage alternatively as

	$\displaystyle I(X^{n};W_{1},W_{2},C_{1},C_{2})$
	$\displaystyle\overset{(a)}{\leq}n\widebar{R}_{\text{w},1}+n\widebar{R}_{\text{w},2}+nI(U_{1};X)-nI(U_{1};\widetilde{X}_{1})$
	$\displaystyle\qquad+nI(U_{2};X)-nI(U_{2};\widetilde{X}_{2})+2n\epsilon_{n}^{\prime\prime}$		(94)

where $(a)$ follows by (91) and because $(U_{1}^{n},U_{2}^{n},X^{n})$ are i.i.d.

Using the selection lemma, these prove the achievability of the key-leakage-storage region $\mathcal{\widebar{R}}_{\text{gs},J=2}$ .

VI-B Achievability Proof for the CS Model

The achievability proof for the CS model follows by applying the one-time padding step used in Section V-B.

VI-C Outer Bound Proofs for the Multi-enrollment Models

Suppose for some $\delta_{n}\!>\!0$ and $n$ , there is a pair of encoders and decoders such that (24)-(29) are satisfied by some key-leakage-storage tuple $(\widebar{R}_{\text{s},1},\widebar{R}_{\text{s},2},\widebar{R}_{\ell},\widebar{R}_{\text{w},1},\widebar{R}_{\text{w},2})$ . Using (24) and Fano’s inequality, we obtain

\displaystyle H(S_{j}|W_{j},Y_{j}^{n})\!\overset{(a)}{\leq}\!H(S_{j}|\hat{S}_{j})\!\leq\!n\epsilon_{n},\qquad j=1,2

(95)

where $(a)$ permits randomized decoding, $\epsilon_{n}\!=\!\delta_{n}\max\{\widebar{R}_{\text{s},1},\widebar{R}_{\text{s},2}\}\!+\!H_{b}(\delta_{n})/n$ such that $\epsilon_{n}\!\rightarrow\!0$ if $\delta_{n}\!\rightarrow\!0$ .

Let $U_{j,i}\triangleq(S_{j},W_{j},X^{i-1})$ , which satisfies the Markov chain $U_{j,i}-\widetilde{X}_{j,i}-X_{i}-Y_{j,i}$ for all $i\in[1:n]$ and $j=1,2$ .

Remark 3.

For the choice of $U_{j,i}=(S_{j},W_{j},X^{i-1})$ (and similarly for $U_{j,i}=(S_{j},W_{j},Y_{j}^{i-1})$ ) for $j\!=\!1,2$ , $U_{1,i}-\widetilde{X}_{1,i}-U_{2,i}$ do not form a Markov chain for all $i\in[1:n]$ although for the inner bound we use this Markov chain. This is the reason why inner and outer bounds do not match in general.

Proof for (31): We obtain for the multi-enrollment GS and CS models for $j=1,2$ that

	$\displaystyle n(\widebar{R}_{\text{s},j}-\delta_{n})\overset{(a)}{\leq}H(S_{j})-H(S_{j}\|W_{j},Y_{j}^{n})+n\epsilon_{n}$
	$\displaystyle\overset{(b)}{\leq}I(S_{j};Y_{j}^{n}\|W_{j})+n\epsilon_{n}+\delta_{n}$
	$\displaystyle\leq\sum_{i=1}^{n}\Big{[}I(S_{j},W_{j},Y_{j}^{i-1};Y_{j,i})+\epsilon_{n}+\frac{\delta_{n}}{n}\Big{]}$
	$\displaystyle\overset{(c)}{\leq}\sum_{i=1}^{n}\Big{[}I(S_{j},W_{j},X^{i-1};Y_{j,i})+\epsilon_{n}+\frac{\delta_{n}}{n}\Big{]}$
	$\displaystyle\overset{(d)}{=}\sum_{i=1}^{n}\Big{[}I(U_{j,i};Y_{j,i})+\epsilon_{n}+\frac{\delta_{n}}{n}\Big{]}$		(96)

$(a)$ follows by (25) and (95), $(b)$ follows by (27), $(c)$ follows by applying the data-processing inequality to the Markov chain

\displaystyle Y_{j}^{i-1}-(W_{j},S_{j},X^{i-1})-Y_{j,i},\quad j=1,2,\;\;\forall i\in[1\!:\!n]

(97)

and $(d)$ follows from the definition of $U_{j,i}$ .

Proof for (32): Observe for the multi-enrollment models that

	$\displaystyle n(\widebar{R}_{\ell}+\delta_{n})\overset{(a)}{=}H(W_{1},W_{2})-H(W_{1}\|X^{n})-H(W_{2}\|X^{n})$
	$\displaystyle\overset{(b)}{=}H(W_{1}\|Y_{1}^{n})-H(W_{1}\|X^{n})+H(W_{2}\|Y_{2}^{n})-H(W_{2}\|X^{n})$
	$\displaystyle\quad+I(W_{1};\widetilde{X}_{2}^{n})+I(W_{2};Y_{2}^{n})-I(W_{1};W_{2})$
	$\displaystyle\overset{(c)}{\geq}\sum_{j=1}^{2}\Big{[}H(W_{j}\|Y_{j}^{n})-H(W_{j}\|X^{n})\Big{]}$
	$\displaystyle\geq\sum_{j=1}^{2}\Big{[}H(S_{j},W_{j},Y_{j}^{n})-H(S_{j}\|W_{j},Y_{j}^{n})-H(Y_{j}^{n})$
	$\displaystyle\qquad\qquad-H(S_{j},W_{j}\|X^{n})\Big{]}$
	$\displaystyle\overset{(d)}{\geq}\sum_{j=1}^{2}\Big{[}I(S_{j},W_{j};X^{n})-I(S_{j},W_{j};Y_{j}^{n})-n\epsilon_{n}\Big{]}$
	$\displaystyle\overset{(e)}{\geq}\!\sum_{j=1}^{2}\!\sum_{i=1}^{n}\!\Big{[}I(S_{j},W_{j},X^{i-1};X_{i})\!-\!I(S_{j},W_{j},X^{i-1};Y_{j,i})\!-\!\epsilon_{n}\Big{]}$
	$\displaystyle\overset{(f)}{=}\!\sum_{j=1}^{2}\sum_{i=1}^{n}\Big{[}I(U_{j,i};X_{i})-I(U_{j,i};Y_{j,i})-\epsilon_{n}\Big{]}$		(98)

where $(a)$ follows by (26) and from the Markov chain $W_{1}-X^{n}-W_{2}$ , $(b)$ follows because $I(W_{1};Y_{1}^{n})=I(W_{1};\widetilde{X}_{2}^{n})$ due to (23), $(c)$ follows from the Markov chain $W_{1}-\widetilde{X}_{2}^{n}-W_{2}$ , $(d)$ follows by (95), $(e)$ follows because the channel and source are memoryless and from the Markov chain in (97), and $(f)$ follows from the definition of $U_{j,i}$ .

Proof for (33): Observe for the multi-enrollment models that

	$\displaystyle n(\widebar{R}_{\ell}+\delta_{n})\!\overset{(a)}{\leq}\!H(W_{1})\!+\!H(W_{2})\!-\!H(W_{1}\|X^{n})\!-\!H(W_{2}\|X^{n})$
	$\displaystyle\overset{(b)}{\leq}\sum_{j=1}^{2}\Big{[}n\widebar{R}_{\text{w},j}+H(S_{j},W_{j}\|\widetilde{X}_{j}^{n})-H(S_{j},W_{j}\|X^{n})+n\epsilon_{n}\Big{]}$

	$\displaystyle\overset{(c)}{=}\sum_{j=1}^{2}\Big{[}n\widebar{R}_{\text{w},j}+\sum_{i=1}^{n}I(S_{j},W_{j},X^{i-1};X_{i})$
	$\displaystyle\qquad\qquad-\sum_{i=1}^{n}I(S_{j},W_{j},\widetilde{X}_{j}^{i-1};\widetilde{X}_{j,i})+n\epsilon_{n}\Big{]}$
	$\displaystyle\overset{(d)}{\leq}\sum_{j=1}^{2}\Big{[}n\widebar{R}_{\text{w},j}+\sum_{i=1}^{n}I(S_{j},W_{j},X^{i-1};X_{i})$
	$\displaystyle\qquad\qquad-\sum_{i=1}^{n}I(S_{j},W_{j},X^{i-1};\widetilde{X}_{j,i})+n\epsilon_{n}\Big{]}$
	$\displaystyle\overset{(e)}{\leq}\sum_{j=1}^{2}\Big{[}n\widebar{R}_{\text{w},j}+\sum_{i=1}^{n}(I(U_{j,i};X_{i})-I(U_{j,i};\widetilde{X}_{j,i}))$
	$\displaystyle\qquad\qquad+n\epsilon_{n}\Big{]}$		(99)

where $(a)$ follows by (26) and from the Markov chain $W_{1}-X^{n}-W_{2}$ , $(b)$ follows by (95) and from the Markov chain $S_{j}-(W_{j},X^{n})-Y^{n}$ for $j=1,2$ , $(c)$ follows because the channel and source are memoryless, $(d)$ follows from the Markov chain

\displaystyle X^{i-1}\!-\!(W_{j},S_{j},\widetilde{X}_{j}^{i-1})\!-\!\widetilde{X}_{j,i},\;\;\;j=1,2,\;\;\forall i\in[1\!:\!n]

(100)

and $(e)$ follows from the definition of $U_{j,i}$ .

Proof for (34): Observe for the multi-enrollment GS model for $j=1,2$ that

	$\displaystyle n(\widebar{R}_{\text{w},j}+\delta_{n})\overset{(a)}{\geq}H(W_{j}\|Y_{j}^{n})+I(W_{j};Y_{j}^{n})$
	$\displaystyle\overset{(b)}{\geq}H(S_{j},W_{j},Y_{j}^{n})-H(Y_{j}^{n})-H(S_{j}\|W_{j},Y_{j}^{n})$
	$\displaystyle\qquad-H(S_{j},W_{j}\|\widetilde{X}_{j}^{n})+I(W_{j};Y_{j}^{n})$
	$\displaystyle\overset{(c)}{\geq}I(S_{j},W_{j};\widetilde{X}_{j}^{n})-I(S_{j},W_{j};Y_{j}^{n})-n\epsilon_{n}$
	$\displaystyle\overset{(d)}{=}\!\sum_{i=1}^{n}[I(S_{j},W_{j},\widetilde{X}_{j}^{i-1};\widetilde{X}_{j,i})\!-\!I(S_{j},W_{j},Y_{j}^{i-1};Y_{j,i})\!-\!n\epsilon_{n}]$
	$\displaystyle\overset{(e)}{\geq}\sum_{i=1}^{n}[I(S_{j},W_{j},X^{i-1};\widetilde{X}_{j,i})\!-\!I(S_{j},W_{j},X^{i-1};Y_{j,i})\!-\!n\epsilon_{n}]$
	$\displaystyle\overset{(f)}{=}\sum_{i=1}^{n}[I(U_{j,i};\widetilde{X}_{j,i})\!-\!I(U_{j,i};Y_{j,i})\!-\!n\epsilon_{n}]$		(101)

where $(a)$ follows by (28), $(b)$ follows from the encoding steps, $(c)$ follows by (95), $(d)$ follows because the source and channel are memoryless, $(e)$ follows from the data-processing inequality applied to the Markov chains in (97) and (100), and $(f)$ follows from the definition of $U_{j,i}$ .

Proof for (37): Observe for the multi-enrollment CS model for $j=1,2$ that

	$\displaystyle n(\widebar{R}_{\text{w},j}\!+\!\delta_{n})\overset{(a)}{\geq}\!I(S_{j},W_{j};\widetilde{X}_{j}^{n})\!-\!H(S_{j}\|W_{j})\!+\!H(S_{j},W_{j}\|\widetilde{X}_{j}^{n})$
	$\displaystyle\overset{(b)}{\geq}I(S_{j},W_{j};\widetilde{X}_{j}^{n})+I(S_{j};W_{j})\overset{(c)}{\geq}\!\sum_{i=1}^{n}I(S_{j},W_{j},\widetilde{X}_{j}^{i-1};\widetilde{X}_{j,i})$
	$\displaystyle\overset{(d)}{\geq}\sum_{i=1}^{n}I(S_{j},W_{j},X^{i-1};\widetilde{X}_{j,i})\overset{(e)}{=}\sum_{i=1}^{n}I(U_{j,i};\widetilde{X}_{j,i})$		(102)

where $(a)$ follows by (28), $(b)$ follows because $\widetilde{X}^{n}$ is independent of $S_{j}$ and from the encoding step, $(c)$ follows because the source and channel are memoryless, $(d)$ follows by applying the data-processing inequality to the Markov chain in (100), and $(e)$ follows from the definition of $U_{j,i}$ .

Proof for (35): We have for the multi-enrollment GS model for $j=1,2$ that

	$\displaystyle n(\widebar{R}_{\text{s},j}+\widebar{R}_{\text{w},j})\overset{(a)}{=}H(S_{j},W_{j})+I(S_{j};W_{j})+n\delta_{n}$
	$\displaystyle\overset{(b)}{\leq}\sum_{i=1}^{n}\big{[}H(S_{j},W_{j},X^{i-1})+\frac{\delta_{n}}{n}+\delta_{n}\big{]}$
	$\displaystyle\overset{(c)}{=}\sum_{i=1}^{n}\big{[}H(U_{j,i})+\frac{\delta_{n}}{n}+\delta_{n}\big{]}$		(103)

where $(a)$ follows by (25), $(b)$ follows by (27), and $(c)$ follows from the definition of $U_{j,i}$ .

Proof for (38): Similarly, we have for the multi-enrollment CS model for $j=1,2$ that

\displaystyle n\widebar{R}_{\text{w},j}\leq\sum_{i=1}^{n}H(S_{j},W_{j},X^{i-1})\overset{(a)}{=}\sum_{i=1}^{n}H(U_{j,i})

(104)

where $(a)$ follows from the definition of $U_{j,i}$ .

Proof for (36): We obtain for the multi-enrollment GS model for $j=1,2$ and $j^{\prime}$ as defined in (30) that

	$\displaystyle n(\widebar{R}_{\text{s},j}+\widebar{R}_{\text{w},j}+\widebar{R}_{\text{w},j^{\prime}})$
	$\displaystyle\overset{(a)}{=}H(S_{j},W_{j},W_{j^{\prime}})+I(S_{j};W_{j},W_{j^{\prime}})+I(W_{j};W_{j^{\prime}})+n\delta_{n}$
	$\displaystyle\overset{(b)}{\leq}\sum_{i=1}^{n}\Big{[}H(S_{j},W_{j},W_{j^{\prime}},S_{j^{\prime}},X^{i-1})+\frac{2\delta_{n}}{n}+\delta_{n}\Big{]}$		(105)
	$\displaystyle\overset{(c)}{=}\sum_{i=1}^{n}\Big{[}H(U_{j,i},U_{j^{\prime},i})+\frac{2\delta_{n}}{n}+\delta_{n}\Big{]}$		(106)

where $(a)$ follows by (25), $(b)$ follows by (27) and (29), and $(c)$ follows from the definitions of $U_{j,i}$ and $U_{j^{\prime},i}$ .

Proof for (39): We have for the multi-enrollment CS model for $j=1,2$ and $j^{\prime}$ as defined in (30) that

	$\displaystyle n(\widebar{R}_{\text{w},j}\!+\!\widebar{R}_{\text{w},j^{\prime}})$
	$\displaystyle\leq\sum_{i=1}^{n}H(W_{j},W_{j^{\prime}},S_{j},S_{j^{\prime}},X^{i-1})+I(W_{j};W_{j^{\prime}})+n\widebar{R}_{\text{s},j^{\prime}}$
	$\displaystyle\overset{(a)}{\leq}\sum_{i=1}^{n}\Big{[}H(W_{j},W_{j^{\prime}},S_{j},S_{j^{\prime}},X^{i-1})+\frac{\delta_{n}}{n}+\widebar{R}_{\text{s},j^{\prime}}\Big{]}$		(107)
	$\displaystyle\overset{(b)}{=}\sum_{i=1}^{n}\Big{[}H(U_{j,i},U_{j^{\prime},i})+\frac{\delta_{n}}{n}+\widebar{R}_{\text{s},j^{\prime}}\Big{]}$		(108)

where $(a)$ follows by (29) and $(b)$ follows from the definitions of $U_{j,i}$ and $U_{j^{\prime},i}$ .

Remark 4.

(105) and (107) are the only places we use the constraint in (29) and it does not seem straightforward to obtain the inequalities in (105) and (107) without (29).

Introduce a uniformly distributed time-sharing random variable $\displaystyle Q\!\sim\!\text{Unif}[1\!:\!n]$ independent of other random variables. Define $X\!=\!X_{Q}$ , $\displaystyle\widetilde{X}_{j}\!=\!\widetilde{X}_{j,Q}$ , $\displaystyle Y_{j}\!=\!Y_{j,Q}$ , and $U_{j}\!=\!(U_{j,Q},\!Q)$ so that $\displaystyle U_{j}\!-\!\widetilde{X}_{j}\!-\!X\!-\!Y_{j}$ form a Markov chain for $j=1,2$ . The outer bound for the GS model follows by using the introduced random variables in (96), (98), (99), (101), (103), and (106), and letting $\delta_{n}\rightarrow 0$ . Similarly, the outer bound for the CS model follows by using the introduced random variables in (96), (98), (99), (102), (104), and (108), and letting $\delta_{n}\rightarrow 0$ .

VII Conclusion

We derived inner bounds for the multi-entity key-leakage-storage regions for GS and CS models with strong secrecy, a hidden identifier source, and correlated noise components at the encoder and decoder measurements that are modeled as BCs. The inner bounds are valid for any finite number of entities that use the same hidden source to agree on a secret key. We argued that the mutual key independence constraint we impose makes the proposed multi-entity key agreement problem a proper multi-user extension of the classic single-enrollment key agreement problem, unlike the multi-enrollment key agreement problem considered in the literature. A set of degraded and less-noisy BCs was shown to provide strong privacy without a need for a common randomness. We also established inner and outer bounds for the key-lekage-storage regions for a two-enrollment model with measurement channels that are valid for SRAM and RO PUFs. Inner and outer bounds were shown to differ only in the Markov chains imposed and they match if the storage and privacy-leakage rate constraints are removed. Two examples illustrated that depending on the constraints of the practical scenario, a single or multiple enrollments might perform better in terms of the secret-key vs. privacy-leakage rate ratio. In future work, we will find a set of symmetric probability distributions for which the strong helper data independence constraint in the two-enrollment model can be eliminated.

Acknowledgment

O. Günlü thanks Rafael F. Schaefer for fruitful discussions.

References

[1] P. Campisi, Security and Privacy in Biometrics. London, U.K.: Springer-Verlag, 2013.
[2] B. Gassend, “Physical random functions,” Master’s thesis, M.I.T., Cambridge, MA, Jan. 2003.
[3] O. Günlü, “Key agreement with physical unclonable functions and biometric identifiers,” Ph.D. dissertation, TU Munich, Germany, Nov. 2018, published by Dr. Hut Verlag in Feb. 2019.
[4] A. D. Wyner, “The wire-tap channel,” Bell Labs Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975.
[5] P. W. Cuff, H. H. Permuter, and T. M. Cover, “Coordination capacity,” IEEE Trans. Inf. Theory, vol. 56, no. 9, pp. 4181–4206, Sep. 2010.
[6] G. Cervia, L. Luzzi, M. L. Treust, and M. R. Bloch, “Strong coordination of signals and actions over noisy channels with two-sided state information,” Mar. 2018, [Online]. Available: arxiv.org/abs/1801.10543.
[7] R. Ahlswede and I. Csiszár, “Common randomness in information theory and cryptography - Part I: Secret sharing,” IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, July 1993.
[8] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 2733–2742, May 1993.
[9] T. Ignatenko and F. M. J. Willems, “Biometric systems: Privacy and secrecy aspects,” IEEE Trans. Inf. Forensics Security, vol. 4, no. 4, pp. 956–973, Dec. 2009.
[10] L. Lai, S.-W. Ho, and H. V. Poor, “Privacy-security trade-offs in biometric security systems - Part I: Single use case,” IEEE Trans. Inf. Forensics Security, vol. 6, no. 1, pp. 122–139, Mar. 2011.
[11] I. Csiszár and P. Narayan, “Common randomness and secret key generation with a helper,” IEEE Trans. Inf. Theory, vol. 46, no. 2, pp. 344–366, Mar. 2000.
[12] O. Günlü and G. Kramer, “Privacy, secrecy, and storage with multiple noisy measurements of identifiers,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 11, pp. 2872–2883, Nov. 2018.
[13] L. Lai, S. Ho, and H. V. Poor, “Privacy–security trade-offs in biometric security systems - Part II: Multiple use case,” IEEE Trans. Inf. Forensics Security, vol. 6, no. 1, pp. 140–151, Mar. 2011.
[14] L. Kusters and F. M. J. Willems, “Secret-key capacity regions for multiple enrollments with an SRAM-PUF,” IEEE Trans. Inf. Forensics Security, vol. 14, no. 9, pp. 2276–2287, Sep. 2019.
[15] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in ACM Conf. Comp. Commun. Security, New York, NY, Nov. 1999, pp. 28–36.
[16] L. Kusters, T. Ignatenko, F. M. J. Willems, R. Maes, E. van der Sluis, and G. Selimis, “Security of helper data schemes for SRAM-PUF in multiple enrollment scenarios,” in IEEE Int. Symp. Inf. Theory, Aachen, Germany, June 2017, pp. 1803–1807.
[17] I. Land, S. Huettinger, P. A. Hoeher, and J. B. Huber, “Bounds on information combining,” IEEE Trans. Inf. Theory, vol. 51, no. 2, pp. 612–619, Feb. 2005.
[18] L. Kusters, O. Günlü, and F. M. Willems, “Zero secrecy leakage for multiple enrollments of physical unclonable functions,” in Symp. Inf. Theory Sign. Process. Benelux, Twente, The Netherlands, May-June 2018, pp. 119–127.
[19] O. Günlü, O. Iscan, V. Sidorenko, and G. Kramer, “Code constructions for physical unclonable functions and biometric secrecy systems,” IEEE Trans. Inf. Forensics Security, vol. 14, no. 11, pp. 2848–2858, Nov. 2019.
[20] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” SIAM J. Comput., vol. 38, no. 1, pp. 97–139, Jan. 2008.
[21] D. Merli, F. Stumpf, and C. Eckert, “Improving the quality of ring oscillator PUFs on FPGAs,” in ACM Workshop Embedded Sys. Security, New York, NY, Oct. 2010, pp. 9:1–9:9.
[22] O. Günlü, R. F. Schaefer, and G. Kramer, “Private authentication with physical identifiers through broadcast channel measurements,” in IEEE Inf. Theory Workshop, Visby, Sweden, Aug. 2019, pp. 1–5.
[23] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Hoboken, NJ: John Wiley & Sons, 2012.
[24] R. A. Chou, M. R. Bloch, and E. Abbe, “Polar coding for secret-key generation,” IEEE Trans. Inf. Theory, vol. 61, no. 11, pp. 6213–6237, Nov. 2015.
[25] O. Günlü, T. Kernetzky, O. İşcan, V. Sidorenko, G. Kramer, and R. F. Schaefer, “Secure and reliable key agreement with physical unclonable functions,” Entropy, vol. 20, no. 5, May 2018.
[26] J. Wayman, A. Jain, D. Maltoni, and D. M. (Eds), Biometric Systems: Technology, Design and Performance Evaluation. London, U.K.: Springer-Verlag, 2005.
[27] R. Pappu, “Physical one-way functions,” Ph.D. dissertation, M.I.T., Cambridge, MA, Oct. 2001.
[28] O. Günlü, K. Kittichokechai, R. F. Schaefer, and G. Caire, “Controllable identifier measurements for private authentication with secret keys,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 8, pp. 1945–1959, Aug. 2018.
[29] C. Nair, “Capacity regions of two new classes of two-receiver broadcast channels,” IEEE Trans. Inf. Theory, vol. 56, no. 9, pp. 4207–4214, Sep. 2010.
[30] R. Maes, P. Tuyls, and I. Verbauwhede, “A soft decision helper data algorithm for SRAM PUFs,” in IEEE Int. Symp. Inf. Theory, Seoul, South Korea, June 2009, pp. 2101–2105.
[31] J. Hagenauer, “Lecture Notes in Digital Communications 1,” G. Kramer and O. Günlü, Eds. Singapore: TU Munich Asia, Feb. 2019.
[32] M. H. Yassaee, M. R. Aref, and A. Gohari, “Achievability proof via output statistics of random binning,” IEEE Trans. Inf. Theory, vol. 60, no. 11, pp. 6760–6786, Nov. 2014.
[33] M. Nafea and A. Yener, “A new wiretap channel model and its strong secrecy capacity,” IEEE Trans. Inf. Theory, vol. 64, no. 3, pp. 2077–2092, Mar. 2018.
[34] M. Bloch, Lecture Notes in Information-Theoretic Security. Atlanta, GA: Georgia Inst. Technol., July 2018.
[35] D. Slepian and J. Wolf, “Noiseless coding of correlated information sources,” IEEE Trans. Inf. Theory, vol. 19, no. 4, pp. 471–480, July 1973.
[36] A. Schrijver, Theory of Linear and Integer Programming. Chichester, England: John Wiley & Sons, June 1998.
[37] I. B. Gattegno, Z. Goldfeld, and H. H. Permuter, “Fourier-Motzkin elimination software for information theoretic inequalities,” 2016.
[38] M. Bloch and J. Barros, Physical-layer Security. Cambridge, U.K.: Cambridge Uni. Press, 2011.

	$\displaystyle I(X^{n};\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\leq H(\mathcal{W}_{[1:J]})-H(\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]}\|X^{n})+H(\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\overset{(a)}{=}H(\mathcal{W}_{[1:J]})-\sum_{j=1}^{J}H(W_{j},C_{j}\|X^{n})+H(\mathcal{C}_{[1:J]})$
	$\displaystyle\quad\leq\sum_{j=1}^{J}\Big{(}H(W_{j})\!+\!H(C_{j})\!-\!H(W_{j},C_{j}\|X^{n})\Big{)}$		(52)

	$\displaystyle I(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]},\mathcal{C}_{[1:J]}^{\prime})\overset{(a)}{=}I(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]}\|\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!=\!I(\mathcal{S}_{[1:J]};\mathcal{W}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime}\!)\!+\!I(\mathcal{S}_{[1:J]};{(\mathcal{S}^{\prime}\!+\!\mathcal{S})}_{[1:J]}\!\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime}\!)$
	$\displaystyle\!\overset{(b)}{=}H({(\mathcal{S}^{\prime}\!+\!\mathcal{S})}_{[1:J]}\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})-H(\mathcal{S}_{[1:J]}^{\prime}\|\mathcal{W}_{[1:J]}^{\prime},\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!\overset{(c)}{\leq}n\Big{(}\sum_{j=1}^{J}R_{\text{s},j}\Big{)}-H(\mathcal{S}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime})+I(\mathcal{S}_{[1:J]}^{\prime};\mathcal{W}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!\overset{(d)}{\leq}n\Big{(}\sum_{j=1}^{J}R_{\text{s},j}\Big{)}-\Big{(}n\Big{(}\sum_{j=1}^{J}R_{\text{s},j}\Big{)}-\epsilon_{n}^{\prime\prime\prime}\Big{)}$
	$\displaystyle\qquad+I(\mathcal{S}_{[1:J]}^{\prime};\mathcal{W}_{[1:J]}^{\prime}\|\mathcal{C}_{[1:J]}^{\prime})$
	$\displaystyle\!\overset{(e)}{\leq}\epsilon_{n}^{\prime\prime\prime}+\epsilon_{n}^{(4)}$		(60)