
Secure list decoding and its application to bit-string commitment

Masahito Hayashi Masahito Hayashi is with Shenzhen Institute for Quantum Science and Engineering, Southern University of Science and Technology, Shenzhen, 518055, China, Guangdong Provincial Key Laboratory of Quantum Science and Engineering, Southern University of Science and Technology, Shenzhen 518055, China, and Graduate School of Mathematics, Nagoya University, Nagoya, 464-8602, Japan. (e-mail:[email protected], [email protected])
Abstract

We propose a new concept of secure list decoding, which is related to bit-string commitment. While conventional list decoding requires only that the list contain the transmitted message, secure list decoding imposes the following additional security conditions so that it works as a modification of bit-string commitment. The first additional security condition is the receiver's uncertainty about the transmitted message, which is stronger than the impossibility of correct decoding, even though the transmitted message is contained in the list. The other additional security condition is the impossibility for the sender to estimate an element of the decoded list other than the transmitted message. The first condition is evaluated by the equivocation rate. The asymptotic performance is evaluated by three parameters: the rates of the message and list sizes, and the equivocation rate. We derive the capacity region of this problem. We show that the combination of a hash function and secure list decoding yields conventional bit-string commitment. Our results hold even when the input and output systems are general probability spaces, including continuous systems. When the input system is a general probability space, we formulate the abilities of the honest sender and the dishonest sender differently.

Index Terms:
list decoding; security condition; capacity region; bit-string commitment; general probability space

I Introduction

Relaxing the condition on the decoding process, Elias [1] and Wozencraft [2] independently introduced list decoding as a method that allows the decoder to output more than one candidate for the message sent by the encoder. When one of these candidates coincides with the true message, decoding is regarded as successful. The paper [3] discussed its algorithmic aspect. In this formulation, Nishimura [4] obtained the channel capacity by showing its strong converse part (the strong converse part is the statement that the average error goes to $1$ if the code has a transmission rate over the capacity). That is, he showed that the transmission rate is less than the conventional capacity plus the rate of the list size, i.e., the number of list elements. Hence, the reliable transmission rate does not increase even when list decoding is allowed, as long as the list size does not increase exponentially. In the non-exponential case, these results were generalized by Ahlswede [5]. Further, the paper [6] showed that the upper bound of the capacity by Nishimura can be attained even if the list size increases exponentially. When the list size is $\mathsf{L}$, the capacity can be achieved by choosing the same codeword for $\mathsf{L}$ distinct messages.

However, the merit of an increased list size has not been discussed sufficiently. To obtain a merit of list coding, we need a code construction that is essentially different from conventional coding. Since the capacity-achieving code construction above does not differ essentially from conventional coding, we need to rule out this type of construction. That is, to extract a merit of list decoding, we need additional parameters that characterize the difference from conventional code constructions and can be expected to rule out such a trivial construction.

To seek a merit of list decoding, we focus on bit commitment, which is a fundamental task in information security. It is known that bit commitment can be realized when a noisy channel is available [7]. Winter et al. [8, 9] studied bit-string commitment, the bit-string version of bit commitment, when an unlimited bidirectional noiseless channel is available between Alice and Bob together with a discrete memoryless noisy channel $W:{\cal X}\to{\cal Y}$ from Alice to Bob, which may be used $n$ times. They derived the asymptotically optimal rate as $n$ goes to infinity, which is called the commitment capacity. Since their result is based on Shannon theory, the tightness of their result shows the strong advantage of the Shannon-theoretic approach to information-theoretic security. This result was extended to the formulation with multiplex coding [10]. However, their optimal method has the following problems:

(P1)

When the number of uses of the channel is limited, it is impossible to send a message at a rate larger than the commitment capacity.

(P2)

Their protocol assumes that the output system ${\cal Y}$ is a finite set because they employ the method of types. However, when a noisy channel is realized by wireless communication, like an additive white Gaussian noise (AWGN) channel, the output system ${\cal Y}$ is a continuous set.

To resolve the problem (P1), it is natural to relax the condition for bit-string commitment. Winter et al. [8, 9] imposed strong security as the concealing condition. However, studies in information theory, in particular papers on the wire-tap channel, often employ the equivocation rate instead of strong security. In this paper, to relax the condition of bit-string commitment by using the equivocation rate, we consider the following simple protocol employing list decoding, where Alice wants to send her message $M\in\{1,\ldots,\mathsf{M}\}$ to Bob.

(i)

(Commit Phase) Alice sends her message $M$ to Bob via a noisy channel. Bob outputs $\mathsf{L}$ messages as the list. The list is required to contain the message $M$.

(ii)

(Reveal Phase) Alice sends her message $M$ to Bob via a noiseless channel. If $M$ is contained in Bob's decoded list, Bob accepts it. Otherwise, Bob rejects it.

In order for the protocol with phases (i) and (ii) to work as bit-string commitment, the following requirements need to be satisfied.

(a)

The message $M$ needs to be one of the $\mathsf{L}$ messages $M_1,\ldots,M_{\mathsf{L}}$ output by Bob.

(b)

Bob cannot identify the message $M$ at phase (i).

(c)

Alice cannot find another element among the $\mathsf{L}$ messages $M_1,\ldots,M_{\mathsf{L}}$ output by Bob.

Requirement (a) is the requirement of conventional list decoding, while requirements (b) and (c) correspond to the concealing condition and the binding condition, respectively, and have not been considered in conventional list decoding.
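Before formalizing these requirements, the following toy sketch may help fix ideas. It simulates phases (i) and (ii) for a hypothetical four-message code over a binary symmetric channel with a minimum-distance list decoder; the codebook, flip probability, and list size are illustrative choices, not the construction analyzed in this paper.

```python
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical four-message code over a BSC(0.1) with 7-bit codewords and a
# minimum-distance list decoder of list size L = 2 (illustration only).
CODEBOOK = np.array([[0, 0, 0, 0, 0, 0, 0],
                     [0, 0, 0, 1, 1, 1, 1],
                     [1, 1, 1, 0, 0, 1, 1],
                     [1, 1, 1, 1, 1, 0, 0]])
FLIP, L = 0.1, 2

def commit(m):
    """Phase (i): Alice sends the codeword of m through the noisy channel;
    Bob keeps the L most likely messages as his list."""
    y = CODEBOOK[m] ^ (rng.random(7) < FLIP).astype(int)
    dist = (CODEBOOK != y).sum(axis=1)      # Hamming distance orders likelihoods
    return set(np.argsort(dist)[:L].tolist())

def reveal(m_hat, bob_list):
    """Phase (ii): Bob accepts iff the revealed message lies in his list."""
    return m_hat in bob_list

m = 2
bob_list = commit(m)
print(sorted(bob_list))                     # requirement (a): list contains m
print(reveal(m, bob_list))                  # honest reveal is accepted
print([mp for mp in range(4) if mp != m and reveal(mp, bob_list)])
# The last line lists the other reveals Bob would also accept; requirements
# (b) and (c) are precisely about controlling this freedom.
```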

In this paper, we propose a new concept of secure list decoding by adding the requirements (b) and (c). One typical condition for (b) is the conventional equivocation rate based on the conditional entropy. In this paper, we also consider the equivocation rate based on the conditional Rényi entropy, similarly to the papers [11, 12]. (While the conference paper [13] discussed a similar modification of list decoding, it did not consider the equivocation rate. In this sense, the content of this paper is different from that of [13].) Hence, our code is evaluated by three parameters: the first is the rate of the message size, the second is the rate of the list size, and the third is the equivocation rate. Using these three parameters, we define the capacity region. In addition, our method works with a general output system, including a continuous output system, which resolves the problem (P2), while an extension to such a general case was mentioned as an open problem in [9].

In the second step, we extend our result to the case with a general input system, including a continuous input system. We need to be careful in formulating the problem setting in this case. If Alice is allowed to access infinitely many input elements in a continuous input system, the conditional entropy rate $H(X|Y)$ might be infinite. Further, it is not realistic for Alice to access infinitely many input elements, because a realistic modulator converts messages to finitely many constellation points in a continuous input system in wireless communication. Therefore, we need to formulate honest Alice and dishonest Alice separately as follows. Honest Alice is assumed to access only a fixed finite subset of the general input system, while dishonest Alice is assumed to access all elements of the general input system. Under this problem setting, we derive the capacity region.

In the third step, we propose a conversion method that makes a protocol for bit-string commitment with strong security as the concealing condition (b) by converting a secure list decoding code. In this converted protocol, the security parameter for the concealing condition (b) is evaluated by the variational distance in the same way as Winter et al. [8, 9]. In particular, the converted protocol has strong security even with continuous input and output systems, where honest Alice and dishonest Alice have different accessibility to the continuous input system. In this converted protocol, the rate of the message size of the bit-string commitment equals the equivocation rate, based on the conditional entropy, of the original secure list decoding code, which shows the merit of the equivocation rate of a secure list decoding code. In fact, bit-string commitment in the continuous case was treated as an open problem in the preceding study [9]. In addition, due to the second step above, our protocol for bit-string commitment works even when the alphabet accessible to honest Alice is different from the alphabet accessible to dishonest Alice.

This paper is structured as follows. Section II reviews the existing results for bit-string commitment. Section III explains how we mathematically handle a general probability space as input and output systems including continuous systems. Section IV gives the formulation of secure list decoding. Section V introduces information quantities used in our main results. Section VI states our results for secure list decoding with a discrete input system. Section VII explains our formulation of secure list decoding with general input system and states our results under this setting. Section VIII presents the application of secure list decoding to the bit-string commitment with strong security. Section IX shows the converse part, and Section X proves the direct part.

II Review of existing results for bit-string commitment

Before stating our results, we review existing results for bit-string commitment [8, 9]. Throughout this paper, the base of the logarithm is chosen to be $2$. Also, we employ the standard notation of probability theory, in which upper case letters denote random variables and the corresponding lower case letters denote their realizations. Bit-string commitment has two security parameters, the concealing parameter $\delta_{\rm CON}>0$ and the binding parameter $\delta_{\rm BIN}>0$. We denote the message revealed by Alice in Reveal Phase by $\hat{M}$. Let $Z_1$ be all information that Bob obtains during Commit Phase, and $Z_2$ be all information that Bob obtains during Reveal Phase except for $\hat{M}$. Here, $Z_1$ contains the information generated by Bob. After Reveal Phase, Bob makes his decision, ${\rm ACC}$ (accept) or ${\rm REJ}$ (reject). For this decision, Bob has a function $\beta(Z_1,Z_2,\hat{M})$ that takes the value ${\rm ACC}$ or ${\rm REJ}$. When Alice intends to send message $M$ in ${\cal M}$ to Bob, the concealing and binding conditions are given as follows.

(CON)

Concealing condition with $\delta_{\rm CON}>0$. When Alice is honest, the inequality

\frac{1}{2}\|P_{Z_1|M=m}-P_{Z_1|M=m'}\|_1 \leq \delta_{\rm CON} \qquad (1)

holds for $m\neq m'\in{\cal M}$.

(BIN)

Binding condition with $\delta_{\rm BIN}>0$. We assume that the message $M$ is subject to the uniform distribution on ${\cal M}$. When Alice and Bob are honest,

{\rm Pr}(\beta(Z_1,Z_2,M)={\rm ACC}) \geq 1-\delta_{\rm BIN}. \qquad (2)

When Bob is honest, the inequality

{\rm Pr}(\beta(Z_1,z_2,m)={\rm ACC},\ \beta(Z_1,z_2',m')={\rm ACC}) \leq \delta_{\rm BIN} \qquad (3)

holds for $m\neq m'\in{\cal M}$ and $z_2,z_2'$.

When the protocol with (i) and (ii) is used for bit-string commitment, the conditions (a) and (c) guarantee (2) and (3) of (BIN), respectively, and the condition (b) guarantees (CON).
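To make the quantity in (1) concrete, the following minimal sketch computes the smallest concealing parameter for a hypothetical table of Bob's commit-phase views $P_{Z_1|M=m}$; the table itself is invented for illustration.

```python
import numpy as np

# Hypothetical commit-phase views: row m is P_{Z1|M=m} over Bob's observations.
P_Z1_given_M = np.array([[0.5, 0.3, 0.2],
                         [0.4, 0.35, 0.25]])

def concealing_parameter(P):
    """Smallest delta_CON satisfying (1): the maximum over message pairs of
    half the variational distance between Bob's commit-phase views."""
    M = P.shape[0]
    return max(0.5 * np.abs(P[m] - P[mp]).sum()
               for m in range(M) for mp in range(M) if m != mp)

print(concealing_parameter(P_Z1_given_M))   # 0.1 for this invented table
```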

Now, we describe a noisy channel $\bm{W}$ from a finite set ${\cal X}$ to a finite set ${\cal Y}$ by a set $\{W_x\}_{x\in{\cal X}}$ of distributions on ${\cal Y}$. Winter et al. [8, 9] considered the situation where Alice and Bob use the channel $\bm{W}$ $n$ times and the noiseless channel can be used freely. They defined the commitment capacity as the maximum rate of codes satisfying the concealing condition with $\delta_{{\rm CON},n}$ and the binding condition with $\delta_{{\rm BIN},n}$ under the condition that the parameters $\delta_{{\rm CON},n}$ and $\delta_{{\rm BIN},n}$ approach zero as $n$ goes to infinity. They derived the commitment capacity under the following conditions on the channel $\bm{W}$:

(W1)

${\cal X}$ and ${\cal Y}$ are finite sets.

(W2)

The relation

\min_{x\in{\cal X}}\min_{P\in{\cal P}({\cal X}\setminus\{x\})} D\Big(\sum_{x'\in{\cal X}\setminus\{x\}}P(x')W_{x'}\Big\|W_x\Big) > 0 \qquad (4)

holds, where $D(P\|Q)$ is the Kullback-Leibler divergence between two distributions $P$ and $Q$. This condition is called the non-redundant condition.
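The left side of (4) can be evaluated numerically for a small channel. The sketch below does this for a hypothetical three-input channel matrix by a grid search over the mixture distribution $P$ (for $|{\cal X}|=3$ a single mixing weight suffices); it only illustrates the non-redundant condition and is not part of any protocol.

```python
import numpy as np

def kl(p, q):
    """Kullback-Leibler divergence D(p||q) in bits."""
    return float(np.sum(p * np.log2(p / q)))

# Hypothetical 3-input channel: row x is the distribution W_x on 3 outputs.
W = np.array([[0.7, 0.2, 0.1],
              [0.1, 0.8, 0.1],
              [0.2, 0.2, 0.6]])

def lhs_of_4(W, grid=1001):
    """Left-hand side of (4): for each x, minimize D(sum P(x')W_{x'} || W_x)
    over mixtures of the other rows (|X| = 3, so one weight t suffices)."""
    worst = np.inf
    for x in range(3):
        a, b = [xp for xp in range(3) if xp != x]
        for t in np.linspace(0.0, 1.0, grid):
            worst = min(worst, kl(t * W[a] + (1 - t) * W[b], W[x]))
    return worst

print(lhs_of_4(W) > 0)   # True: this toy channel is non-redundant
```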

To state their result, we introduce some notation. Given a joint distribution $P_{X,Y}$ on a discrete set ${\cal X}\times{\cal Y}$, we denote by $P_{X|Y=y}$ the conditional distribution under the condition $Y=y$. Then, the conditional entropy $H(X|Y)$ is given as

H(X|Y)_{P_{X,Y}} := \sum_{y\in{\cal Y}} P_Y(y) H(P_{X|Y=y}), \qquad (5)
H(P_{X|Y=y}) := -\sum_{x\in{\cal X}} P_{X|Y=y}(x) \log P_{X|Y=y}(x). \qquad (6)

When the joint distribution $P_{X,Y}$ is given as $P_{X,Y}(x,y)=W_x(y)P(x)$ with a distribution $P\in{\cal P}({\cal X})$, we denote the conditional entropy $H(X|Y)_{P_{X,Y}}$ by $H(X|Y)_P$. They showed the following proposition.

Proposition 1 ([8, Theorem 2], [9])

When the channel $\bm{W}$ satisfies Conditions (W1) and (W2), the commitment capacity is given as

\sup_{P\in{\cal P}({\cal X})} H(X|Y)_P. \qquad (7)

\square
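As an illustration of Proposition 1, the following sketch evaluates (7) for a binary symmetric channel with crossover probability $0.1$ by a grid search over input distributions; by symmetry the optimum is the uniform input, giving $h(0.1)\approx 0.469$ bits per channel use.

```python
import numpy as np

def h2(p):
    """Binary entropy in bits."""
    p = np.clip(p, 1e-12, 1 - 1e-12)
    return -p * np.log2(p) - (1 - p) * np.log2(1 - p)

def cond_ent_bsc(p_in, eps):
    """H(X|Y)_P for a BSC(eps) with input distribution (p_in, 1 - p_in)."""
    P_xy = np.array([[p_in * (1 - eps), p_in * eps],
                     [(1 - p_in) * eps, (1 - p_in) * (1 - eps)]])
    P_y = P_xy.sum(axis=0)
    return sum(P_y[y] * h2(P_xy[0, y] / P_y[y]) for y in range(2))

# Commitment capacity (7) of a BSC(0.1): grid search over input distributions.
eps = 0.1
best = max(cond_ent_bsc(p, eps) for p in np.linspace(0.01, 0.99, 99))
print(best)   # ~0.469 bits = h2(0.1), attained by the uniform input
```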

Many noisy channels are physically realized by wireless communication, and such channels have a continuous output system ${\cal Y}$. If we apply a discretization to the continuous output system ${\cal Y}$, we obtain a discrete output system ${\cal Y}'$. When we apply their result to the channel with the discrete output system ${\cal Y}'$, the obtained protocol satisfies Condition (BIN) even when Bob uses the continuous output system ${\cal Y}$. However, the obtained protocol does not satisfy Condition (CON) in general under the continuous output system ${\cal Y}$.

In fact, Condition (W2) can be removed, and Proposition 1 can be generalized as follows. Therefore, Condition (W2) can be considered an assumption that simplifies our analysis.

Proposition 2

Assume that the channel $\bm{W}$ satisfies Condition (W1). We define ${\cal X}_0\subset{\cal X}$ as

{\cal X}_0 := \mathop{\rm argmin}_{{\cal X}'\subset{\cal X}}\Big\{|{\cal X}'|~\Big|~ CH\{W_x\}_{x\in{\cal X}'} = CH\{W_x\}_{x\in{\cal X}}\Big\}, \qquad (8)

where $CH{\cal S}$ expresses the convex hull of a set ${\cal S}$. Then, the commitment capacity is given as

\sup_{P\in{\cal P}({\cal X}_0)} H(X|Y)_P. \qquad (9)

\square

Proposition 2 follows from Proposition 1 in the following way. Due to Condition (W1), the channel $\bm{W}$ with input alphabet ${\cal X}_0$ satisfies Condition (W2) as well as (W1). Hence, the commitment capacity is lower bounded by (9). Moreover, any operation with the channel $\bm{W}$ with input alphabet ${\cal X}$ can be simulated with ${\cal X}_0$. Therefore, the commitment capacity is upper bounded by (9). Thus, we obtain Proposition 2.

III Various types of conditional entropies with general probability space

We focus on an input alphabet ${\cal X}$ with finite cardinality and denote the set of probability distributions on ${\cal X}$ by ${\cal P}({\cal X})$. In contrast, an output alphabet ${\cal Y}$ may have infinite cardinality and is a general measurable set. In this paper, the output alphabet ${\cal Y}$ is treated as a general probability space with a measure $\mu(dy)$ because this description covers both probability spaces with finitely many elements and the set of real numbers. Hence, when the alphabet ${\cal Y}$ is a discrete set, including a finite set, the measure $\mu(dy)$ is chosen to be the counting measure. When the alphabet ${\cal Y}$ is a vector space over the real numbers $\mathbb{R}$, the measure $\mu(dy)$ is chosen to be the Lebesgue measure. Throughout this paper, we use an upper case letter and the corresponding lower case letter to stand for a probability measure and its density function. When we treat a probability distribution $P$ on the alphabet ${\cal Y}$, it is restricted to a distribution absolutely continuous with respect to $\mu(dy)$. In the following, we use the lower case $p(y)$ to express the Radon-Nikodym derivative of $P$ with respect to the measure $\mu(dy)$, i.e., the probability density function of $P$, so that $P(dy)=p(y)\mu(dy)$. This kind of channel description covers many useful channels. For example, the phase-shift keying (PSK) scheme over additive white Gaussian noise (AWGN) channels satisfies this condition. In addition, the capacity of the AWGN channel with an energy constraint can be approximately achieved when the input alphabet for encoding is restricted to a finite subset of the set of real numbers.

For a distribution $P$ on ${\cal Y}$ and a general measure $Q$ on ${\cal Y}$, we define the Kullback-Leibler (KL) divergence $D(P\|Q):=\mathbb{E}_P[\log\frac{p(Y)}{q(Y)}]$ and the Rényi divergence of order $\alpha(\neq 1)>0$, $D_\alpha(P\|Q):=\frac{1}{\alpha-1}\log\mathbb{E}_P[(\frac{p(Y)}{q(Y)})^{\alpha-1}]$.

When ${\cal M}$ is a finite set and ${\cal Y}$ is a general probability space, the conditional entropy is defined as

H(M|Y) := \int_{\cal Y} H(P_{M|Y=y}) p(y)\mu(dy). \qquad (10)

This quantity can be written as

H(M|Y) = -D(P_{MY}\|I_M\times P_Y) = \max_{Q\in{\cal P}({\cal Y})} -D(P_{MY}\|I_M\times Q), \qquad (11)

where $I_M$ is defined as $I_M(m)=1$. We focus on the following type of Rényi conditional entropy $H_\alpha(M|Y)$, as in [14, 15, 16]:

H_\alpha(M|Y) := \max_{Q\in{\cal P}({\cal Y})} -D_\alpha(P_{MY}\|I_M\times Q). \qquad (12)

$H_\alpha(M|Y)$ is monotonically decreasing in $\alpha$ [16, Lemma 7]. Hence, we have $H(M|Y)\geq H_\alpha(M|Y)$ for $\alpha>1$. It is known that the maximum is attained by $q_\alpha(y):=\frac{(\sum_m p_{MY}(m,y)^\alpha)^{1/\alpha}}{\int_{\cal Y}(\sum_m p_{MY}(m,y)^\alpha)^{1/\alpha}\mu(dy)}$ [16, Lemma 4]. Hence, when two pairs of variables $(M_1,Y_1)$ and $(M_2,Y_2)$ are independent, we have the additivity

H_\alpha(M_1 M_2|Y_1 Y_2) = H_\alpha(M_1|Y_1) + H_\alpha(M_2|Y_2). \qquad (13)
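For discrete systems, (10)-(12) can be evaluated directly; in particular, substituting the maximizer $q_\alpha$ into (12) gives the closed form $H_\alpha(M|Y)=\frac{\alpha}{1-\alpha}\log\int_{\cal Y}(\sum_m p_{MY}(m,y)^\alpha)^{1/\alpha}\mu(dy)$. The following sketch, with an invented joint distribution, computes $H(M|Y)$ and $H_2(M|Y)$ and checks the additivity (13) numerically.

```python
import numpy as np

def H_cond(P):
    """H(M|Y) of Eq. (10) for a discrete joint matrix P[m, y]."""
    P_y = P.sum(axis=0)
    cond = P / P_y                    # column y is P_{M|Y=y}
    return float(-(P * np.log2(cond)).sum())

def H_alpha_cond(P, alpha):
    """H_alpha(M|Y) of Eq. (12) via the maximizer q_alpha of [16, Lemma 4]:
    alpha/(1-alpha) * log2( sum_y ( sum_m P[m,y]^alpha )^(1/alpha) )."""
    z = ((P ** alpha).sum(axis=0) ** (1 / alpha)).sum()
    return float(alpha / (1 - alpha) * np.log2(z))

# Invented joint distribution on {0,1} x {0,1}.
P = np.array([[0.4, 0.1],
              [0.2, 0.3]])
print(H_cond(P) >= H_alpha_cond(P, 2.0))   # monotonicity in alpha
# Additivity (13): for an independent pair, the entropies add.
P2 = np.kron(P, P)                         # joint of ((M1,M2), (Y1,Y2))
print(np.isclose(H_alpha_cond(P2, 2.0), 2 * H_alpha_cond(P, 2.0)))
```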

IV Problem setting

IV-A Our problem setting without explicit description of coding structure

To realize the requirements (a), (b), and (c) mentioned in Section I, we formulate the mathematical conditions for a protocol over a given channel $\bm{W}$ from a discrete system ${\cal X}$ to another system ${\cal Y}$ with integers $\mathsf{L}<\mathsf{M}$ and security parameters $\epsilon_A,\delta_C,\delta_D$. In the asymptotic regime, i.e., when the channel $\bm{W}$ is used $n$ times and $n$ goes to infinity, the integers $\mathsf{L}$ and $\mathsf{M}$ go to infinity, which realizes the situation where the security parameters $\epsilon_A,\delta_C,$ and $\delta_D$ approach zero. Hence, when $\mathsf{L}$ and $\mathsf{M}$ are fixed, the security parameters cannot be chosen arbitrarily small. In the following, we first describe the conditions in an intuitive form. Later, we transform them into a coding-theoretic form because the coding-theoretic form matches the theoretical discussion, including the proofs of our main results.

Alice sends her message $M\in{\cal M}:=\{1,\ldots,\mathsf{M}\}$ via a noisy channel with an encoder $\phi$, which is a map from ${\cal M}$ to ${\cal X}$. Bob outputs the $\mathsf{L}$ messages $M_1,\ldots,M_{\mathsf{L}}$. The decoder is given as the following $\Psi$: for $y\in{\cal Y}$, we choose a subset $\Psi(y)\subset{\cal M}$ with $|\Psi(y)|=\mathsf{L}$.

Then, we impose the following conditions on an encoder $\phi$ and a decoder $\Psi$.

(A)

Verifiable condition with $\epsilon_A>0$. Any element $m\in{\cal M}$ satisfies

{\rm Pr}[m\notin\Psi(Y)|X=\phi(m)] \leq \epsilon_A. \qquad (14)
(B)

Equivocation version of the concealing condition with $r>0$. The inequality

H(M|Y) \geq r \qquad (15)

holds.

(C)

Binding condition for honest Alice with $\delta_C>0$. Any distinct pair $m'\neq m$ satisfies

{\rm Pr}[m'\in\Psi(Y)|X=\phi(m)] \leq \delta_C. \qquad (16)

Now, we discuss how the code $(\phi,\Psi)$ can be used for the task explained in Section I. Assume that Alice sends her message $M$ to Bob by using the encoder $\phi$ via the noisy channel $\bm{W}$ and Bob gets the list $M_1,\ldots,M_{\mathsf{L}}$ by applying the decoder $\Psi$ at Step (i). At Step (ii), Alice sends her message $M$ to Bob via a noiseless channel. Verifiable condition (A) guarantees that her message $M$ belongs to Bob's list. Hence, the requirement (a) is satisfied. The equivocation version of the concealing condition (B) prevents Bob from identifying Alice's message at Step (i); hence it guarantees the requirement (b). In the asymptotic setting, this condition is weaker than Concealing condition (CON) when $\delta_{\rm CON}$ goes to zero and $r$ is smaller than $\log\mathsf{M}$. Hence, this relaxation enables us to exceed the rate (7) derived by [8, 9]. This type of relaxation is often used for the wire-tap channel [17].

In fact, if $m$ is Alice's message and there exists another element $m'(\neq m)\in{\cal M}$ such that ${\rm Pr}[m\in\Psi(Y)|X=\phi(m)]$ and ${\rm Pr}[m'\in\Psi(Y)|X=\phi(m)]$ are close to $1$, Alice can cheat as follows: she sends $m'$ instead of $m$ at phase (ii). Since Condition (C) forbids such cheating, it guarantees the requirement (c). Hence, it can be considered as the binding condition for honest Alice. Further, Bob is allowed to decode fewer than $\mathsf{L}$ messages. That is, $\mathsf{L}$ is the maximum number of candidates of the original message that Bob can list. However, Condition (C) assumes honest Alice, who uses the correct encoder $\phi$. Dishonest Alice can send an element $x_0$ different from $\phi(m)$ such that ${\rm Pr}[m\in\Psi(Y)|X=x_0]$ and ${\rm Pr}[m'\in\Psi(Y)|X=x_0]$ are close to $1$. To cover such a case, we impose the following condition instead of Condition (C).

(D)

Binding condition for dishonest Alice with $\delta_D>0$. For $x\in{\cal X}$, we define the quantity $\delta(x,\Psi)$ as the second largest value among $\{{\rm Pr}[m\in\Psi(Y)|X=x]\}_{m=1}^{\mathsf{M}}$. Then, any $x\in{\cal X}$ satisfies

\delta(x,\Psi) \leq \delta_D. \qquad (17)

In fact, Condition (D) implies that

{\rm Pr}[m',m\in\Psi(Y)|X=x] \leq \delta_D. \qquad (18)

Eq. (18) follows from the relation

{\rm Pr}[m',m\in\Psi(Y)|X=x] \leq \min({\rm Pr}[m\in\Psi(Y)|X=x],\ {\rm Pr}[m'\in\Psi(Y)|X=x]) \leq \delta(x,\Psi). \qquad (19)

The difference between Conditions (C) and (D) is summarized as follows. Condition (C) addresses the possibility that Alice cheats in the reveal phase while behaving honestly in the commit phase. Condition (D) addresses the possibility that Alice cheats in the reveal phase when she behaves dishonestly even in the commit phase. Hence, it can be considered as the binding condition for dishonest Alice. The case with honest Alice and honest Bob is summarized in Fig. 1, while the case with dishonest Alice and honest Bob is summarized in Fig. 2.

We consider another possibility for requirement (b) by replacing the conditional entropy with the conditional Rényi entropy of order $\alpha>1$.

(Bα\alpha)

Rényi equivocation type of concealing condition of order $\alpha>1$ with $r$. The inequality

H_\alpha(M|Y) \geq r \qquad (20)

holds.

Now, we observe how to characterize the code constructed to achieve the capacity in the paper [6]. For this characterization, we consider the following code when $\mathsf{M}'\mathsf{L}=\mathsf{M}$. We divide the $\mathsf{M}$ messages into $\mathsf{M}'$ groups, each composed of $\mathsf{L}$ messages. First, we prepare a code $(\phi',\psi')$ to transmit a message of size $\mathsf{M}'$ with decoding error probability $\epsilon_A'$, where $\phi'$ is the encoder and $\psi'$ is the decoder. When the message $M$ belongs to the $i$-th group, Alice sends $\phi'(i)$. Using the decoder $\psi'$, Bob recovers $i'$. Then, Bob outputs the $\mathsf{L}$ elements that belong to the $i'$-th group. In this code, the parameter $H(M|Y)$ is given as $\log\mathsf{L}$. Hence, it satisfies condition (B) with a good parameter. However, the parameters $\delta_C$ and $\delta_D$ become at least $1-\epsilon_A'$. Hence, this protocol essentially satisfies neither Binding condition (C) nor (D). In this way, our security parameters rule out the above trivial code construction; a numerical illustration is given below.
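The following sketch simulates this grouping construction with toy parameters (a hypothetical random inner codebook over a binary symmetric channel): the empirical probability that another message of the same group lies in Bob's list is as large as the probability of correct decoding, i.e., $\delta_C\approx 1-\epsilon_A'$.

```python
import numpy as np

rng = np.random.default_rng(1)

# Grouping code from [6] with toy parameters: M = M' * L messages, message m
# sits in group m // L, and only the group index is sent over a BSC(0.05)
# through a hypothetical random 15-bit inner codebook.
Mp, L, n, eps = 4, 2, 15, 0.05
inner = rng.integers(0, 2, size=(Mp, n))

def list_probabilities(m, trials=2000):
    """Empirical Pr[m' in Psi(Y) | X = phi(m)] for every message m'."""
    hits = np.zeros(Mp * L)
    for _ in range(trials):
        y = inner[m // L] ^ (rng.random(n) < eps).astype(int)
        g = np.argmin(((inner ^ y) != 0).sum(axis=1))   # decode the group
        hits[g * L:(g + 1) * L] += 1                    # list = whole group g
    return hits / trials

p = list_probabilities(m=0)
print("Pr[m  in list] =", p[0])   # close to 1: condition (A) holds
print("Pr[m' in list] =", p[1])   # equally close to 1: delta_C ~ 1 - eps_A'
```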

Figure 1: Case with honest Alice and honest Bob. The set of Bob's decoded messages contains Alice's message $M$. Alice cannot infer the other decoded messages.
Figure 2: Case with dishonest Alice and honest Bob. Dishonest Alice chooses $X^n\in{\cal X}^n$ such that she can infer at least two elements in the set of Bob's decoded messages. Condition (D) guarantees the non-existence of such an element $X^n\in{\cal X}^n$.

IV-B Our setting with coding-theoretic description

To rewrite the above conditions in a coding-theoretic way, we introduce several notations. For $x\in{\cal X}$ and a distribution $P$ on ${\cal X}$, we define the distributions $W_x$ and $W_P$ on ${\cal Y}$ as $W_x(y):=W(y|x)$ and $W_P(y):=\sum_{x\in{\cal X}}P(x)W(y|x)$. Alice sends her message $M\in{\cal M}:=\{1,\ldots,\mathsf{M}\}$ via the noisy channel $\bm{W}$ with a code $\phi$, which is a map from ${\cal M}$ to ${\cal X}$. Bob's decoder is described as disjoint subsets $D=\{{\cal D}_{m_1,\ldots,m_{\mathsf{L}}}\}_{\{m_1,\ldots,m_{\mathsf{L}}\}\subset{\cal M}}$ such that $\cup_{\{m_1,\ldots,m_{\mathsf{L}}\}\subset{\cal M}}{\cal D}_{m_1,\ldots,m_{\mathsf{L}}}={\cal Y}$. That is, we have the relation ${\cal D}_{m_1,\ldots,m_{\mathsf{L}}}=\{y|\{m_1,\ldots,m_{\mathsf{L}}\}=\Psi(y)\}$. In the following, we denote our decoder by $D$ instead of $\Psi$.

In particular, when a decoder has only one outcome as an element of ${\cal M}$, it is called a single-element decoder. It is given as disjoint subsets $\tilde{\cal D}=\{\tilde{\cal D}_m\}_{m\in{\cal M}}$ such that $\cup_{m\in{\cal M}}\tilde{\cal D}_m={\cal Y}$. Here, recall that Winter et al. [8, 9] assume the uniform distribution on ${\cal M}$ for the message $M$ in the binding condition.

Theorem 1

When the message $M$ is subject to the uniform distribution on ${\cal M}$, in a similar way to Winter et al. [8, 9], the conditions (A)-(D) for an encoder $\phi$ and a decoder $D=\{{\cal D}_{m_1,\ldots,m_{\mathsf{L}}}\}_{\{m_1,\ldots,m_{\mathsf{L}}\}\subset{\cal M}}$ are rewritten in a coding-theoretic way as follows.

(A)

Verifiable condition.

\epsilon_A(\phi,D) := \max_{m\in{\cal M}} \epsilon_{A,m}(\phi(m),D) \leq \epsilon_A \qquad (21)
\epsilon_{A,m}(x,D) := 1-\sum_{m_1,\ldots,m_{\mathsf{L}}} W_x({\cal D}_{m_1,\ldots,m_{\mathsf{L}}}), \qquad (22)

where the above sum is taken under the condition $m\in\{m_1,\ldots,m_{\mathsf{L}}\}$.

(B)

Equivocation version of the concealing condition with $r>0$.

E(\phi) := \log\mathsf{M} - \min_{Q\in{\cal P}({\cal Y})} \sum_{m=1}^{\mathsf{M}} \frac{1}{\mathsf{M}} D(W_{\phi(m)}\|Q) \geq r. \qquad (23)
(Bα\alpha)

Rényi equivocation type of concealing condition of order $\alpha>1$ with $r$.

E_\alpha(\phi) := \log\mathsf{M} - \min_{Q\in{\cal P}({\cal Y})} \frac{1}{\alpha-1} \log \sum_{m=1}^{\mathsf{M}} \frac{1}{\mathsf{M}} 2^{(\alpha-1)D_\alpha(W_{\phi(m)}\|Q)} \geq r. \qquad (24)
(C)

Binding condition for honest Alice.

\delta_C(\phi,D) := \max_{m\in{\cal M}} \delta_{C,m}(\phi(m),D) \leq \delta_C \qquad (25)
\delta_{C,m}(x,D) := \max_{m'(\neq m)\in{\cal M}} \sum_{m_1,\ldots,m_{\mathsf{L}}} W_x({\cal D}_{m_1,\ldots,m_{\mathsf{L}}}), \qquad (26)

where the above sum is taken under the condition $m'\in\{m_1,\ldots,m_{\mathsf{L}}\}$.

(D)

Binding condition for dishonest Alice. For $x\in{\cal X}$, we define the quantity $\delta_{D,x}(D)$ as the second largest value among $\{(1-\epsilon_{A,m}(x,D))\}_{m=1}^{\mathsf{M}}$. Then, the relation

\delta_D(D) := \max_{x\in{\cal X}} \delta_{D,x}(D) \leq \delta_D \qquad (27)

holds.

\square

Proof: For any $m\in{\cal M}$ and $y\in{\cal Y}$, the condition $m\in\Psi(y)$ is equivalent to the condition $y\in\cup_{m_1,\ldots,m_{\mathsf{L}}:\{m_1,\ldots,m_{\mathsf{L}}\}\ni m}{\cal D}_{m_1,\ldots,m_{\mathsf{L}}}$. Since

\sum_{m_1,\ldots,m_{\mathsf{L}}:\{m_1,\ldots,m_{\mathsf{L}}\}\ni m} W_x({\cal D}_{m_1,\ldots,m_{\mathsf{L}}}) = W_x\Big(\bigcup_{m_1,\ldots,m_{\mathsf{L}}:\{m_1,\ldots,m_{\mathsf{L}}\}\ni m}{\cal D}_{m_1,\ldots,m_{\mathsf{L}}}\Big),

we obtain the equivalence between the conditions (A) and (C) given in Section IV-A and those given here. In a similar way, the condition (17) is equivalent to the condition (27), which implies the desired equivalence with respect to the condition (D). Since $M$ is subject to the uniform distribution, (15) and (20) are equivalent to (23) and (24). In fact, since

\min_{Q\in{\cal P}({\cal Y})}\sum_{m=1}^{\mathsf{M}}\frac{1}{\mathsf{M}}D(W_{\phi(m)}\|Q) = \sum_{m=1}^{\mathsf{M}}\frac{1}{\mathsf{M}}D\Big(W_{\phi(m)}\Big\|\sum_{m'=1}^{\mathsf{M}}\frac{1}{\mathsf{M}}W_{\phi(m')}\Big) = I(M;Y),

$E(\phi)$ is calculated as $H(M)-I(M;Y)=H(M|Y)$, and $E_\alpha(\phi)$ is calculated as

2^{-(\alpha-1)E_\alpha(\phi)} = \min_{Q\in{\cal P}({\cal Y})}\Big(\frac{1}{\mathsf{M}}\Big)^{\alpha-1}\sum_{m=1}^{\mathsf{M}}\frac{1}{\mathsf{M}}2^{(\alpha-1)D_\alpha(W_{\phi(m)}\|Q)}
= \min_{Q\in{\cal P}({\cal Y})}\sum_{m=1}^{\mathsf{M}}\frac{1}{\mathsf{M}}\int_{\cal Y}\Big(\frac{w_{\phi(m)}(y)/\mathsf{M}}{q(y)}\Big)^{\alpha-1}w_{\phi(m)}(y)\mu(dy)
= \min_{Q\in{\cal P}({\cal Y})}2^{(\alpha-1)D_\alpha(P_{MY}\|I_M\times Q)}
= 2^{-(\alpha-1)\max_{Q\in{\cal P}({\cal Y})}(-D_\alpha(P_{MY}\|I_M\times Q))}
= 2^{-(\alpha-1)H_\alpha(M|Y)}. \qquad (28)

Hence, we obtain the desired equivalence for the conditions (B) and (B$\alpha$).

In the following, when a code $(\phi,D)$ satisfies conditions (A), (B), and (D), it is called an $(\epsilon_A,r,\delta_D)$ code. Also, for a code $(\phi,D)$, we denote $\mathsf{M}$ and $\mathsf{L}$ by $|(\phi,D)|_1$ and $|(\phi,D)|_2$, respectively. Further, we allow a stochastic encoder, in which $\phi(m)$ is a distribution $P_m$ on ${\cal X}$. In this case, for a function $f$ from ${\cal X}$ to $\mathbb{R}$, $f(\phi(m))$ expresses $\sum_x f(x)P_m(x)$.
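Since the quantities in Theorem 1 are finite sums once ${\cal X}$, ${\cal Y}$, and the decoder are fixed, they can be evaluated exhaustively for small examples. The sketch below does so for a hypothetical code over three uses of a binary symmetric channel with a minimum-distance list decoder; it merely illustrates how $\epsilon_A(\phi,D)$, $\delta_C(\phi,D)$, and $\delta_D(D)$ are computed, with no claim that this toy code is secure.

```python
from itertools import product

# Toy evaluation of the quantities in Theorem 1: n = 3 uses of a BSC(0.1),
# M = 4 messages, list size L = 2, and a minimum-distance list decoder.
# (Hypothetical code, chosen only so that all sums can be enumerated.)
eps, L = 0.1, 2
codebook = {0: (0, 0, 0), 1: (0, 1, 1), 2: (1, 0, 1), 3: (1, 1, 0)}

def W(y, x):
    """Product channel W^n_x(y)."""
    d = sum(a != b for a, b in zip(x, y))
    return eps**d * (1 - eps)**(len(x) - d)

def Psi(y):
    """One choice of decoder D: the L messages closest in Hamming distance."""
    dist = {m: sum(a != b for a, b in zip(c, y)) for m, c in codebook.items()}
    return sorted(dist, key=dist.get)[:L]

ys = list(product((0, 1), repeat=3))

def p_in_list(m, x):
    """Pr[m in Psi(Y) | X = x] = 1 - eps_{A,m}(x, D)."""
    return sum(W(y, x) for y in ys if m in Psi(y))

eps_A = max(1 - p_in_list(m, codebook[m]) for m in codebook)        # (21)
delta_C = max(p_in_list(mp, codebook[m])                            # (25)
              for m in codebook for mp in codebook if mp != m)
delta_D = max(sorted(p_in_list(m, x) for m in codebook)[-2]         # (27)
              for x in product((0, 1), repeat=3))                   # all x^n
print(eps_A, delta_C, delta_D)
```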

V Information quantities and regions with general probability space

V-A Information quantities

Section III introduced various types of conditional entropies with a general probability space. This section introduces other types of information quantities with a general probability space. In general, a channel from ${\cal X}$ to ${\cal Y}$ is described as a collection $\bm{W}$ of conditional probability measures $W_x$ on ${\cal Y}$ for all inputs $x\in{\cal X}$. Then, we impose the above assumption on $W_x$ for any $x\in{\cal X}$. Hence, we have $W_x(dy)=w_x(y)\mu(dy)$. We denote the conditional probability density function by $\bm{w}=(w_x)_{x\in{\cal X}}$. When a distribution on ${\cal X}$ is given by a probability distribution $P\in{\cal P}({\cal X})$, we define the joint distribution $\bm{W}\times P$ on ${\cal X}\times{\cal Y}$ by $\bm{W}\times P(B,x):=W(B|x)P(x)$, and the distribution $\bm{W}\cdot P$ on ${\cal Y}$ by $\bm{W}\cdot P(B):=\sum_x W(B|x)P(x)$ for a measurable set $B\subset{\cal Y}$. Also, we define the notations $\bm{w}\times P$ and $\bm{w}\cdot P$ as $\bm{w}\times P(y,x)\mu(dy):=\bm{W}\times P(dy,x)=w_x(y)P(x)\mu(dy)$ and $\bm{w}\cdot P(y)\mu(dy):=\bm{W}\cdot P(dy)=\sum_{x\in{\cal X}}w_x(y)P(x)\mu(dy)$. We also employ the notations $W_P:=\bm{W}\cdot P$ and $w_P:=\bm{w}\cdot P$.

As used in Section VI, we denote the expectation and the variance under a distribution $P\in{\cal P}({\cal Y})$ by $\mathbb{E}_P[~]$ and $\mathbb{V}_P[~]$, respectively. When $P$ is the distribution $W_x\in{\cal P}({\cal Y})$ with $x\in{\cal X}$, we simplify them as $\mathbb{E}_x[~]$ and $\mathbb{V}_x[~]$, respectively. This notation is also applied to the $n$-fold extended setting on ${\cal Y}^n$. In contrast, when we consider the expectation on the discrete set ${\cal X}$ or ${\cal X}^n$, ${\rm E}_T$ expresses the expectation with respect to the random variable $T$ that takes values in the set ${\cal X}$ or the set ${\cal X}^n$.

In our analysis, for $P\in{\cal P}({\cal X})$, we address the following quantities:

I(X;Y)_P := D(\bm{W}\times P\|W_P\times P) = \sum_{x\in{\cal X}} P(x) D(W_x\|W_P), \qquad (29)
I_\alpha(X;Y)_P := \min_{Q\in{\cal P}({\cal Y})} D_\alpha(\bm{W}\times P\|Q\times P)
= \min_{Q\in{\cal P}({\cal Y})} \frac{1}{\alpha-1}\log\int_{\cal Y}\sum_{x\in{\cal X}}P(x)w_x(y)^\alpha q(y)^{-\alpha+1}\mu(dy)
\stackrel{(a)}{=} \frac{\alpha}{\alpha-1}\log\int_{\cal Y}\Big(\sum_{x\in{\cal X}}P(x)w_x(y)^\alpha\Big)^{\frac{1}{\alpha}}\mu(dy), \qquad (30)
H(X)_P := -\sum_{x\in{\cal X}} P(x)\log P(x), \qquad (31)

where $(a)$ follows from the equality condition of the Hölder inequality [18]. Since, in this paper, the conditional distribution of $Y$ given $X$ is fixed to the channel $\bm{W}$, it is sufficient to fix a distribution $P\in{\cal P}({\cal X})$ in the above notation. In addition, our analysis requires a Markov chain $U-X-Y$ with a variable on a finite set ${\cal U}$. Hence, we generalize the above notation as follows.

I(X;Y|U)_P := \sum_{u\in{\cal U}} P_U(u) D(\bm{W}\times P_{X|U=u}\|W_{P_{X|U=u}}\times P_{X|U=u}), \qquad (32)
H(X|U)_P := -\sum_{u\in{\cal U}}\sum_{x\in{\cal X}} P(x,u)\log\frac{P(x,u)}{P_U(u)}, \qquad (33)

and

I_\alpha(X;Y|U)_P := \sum_{u\in{\cal U}} P_U(u) \min_{Q\in{\cal P}({\cal Y})} D_\alpha(\bm{W}\times P_{X|U=u}\|Q\times P_{X|U=u}). \qquad (34)

V-B Regions

Then, we define the following regions:

{\cal C} := \bigcup_{P\in{\cal P}({\cal U}\times{\cal X})}\left\{(R_1,R_2,R_3)\,\middle|\,\begin{array}{l}0<R_1-R_2<I(X;Y|U)_P,\\ R_3\leq R_1-I(X;Y|U)_P,\\ R_1<H(X|U)_P,\\ 0<R_1,R_2,R_3\end{array}\right\} \qquad (42)

{\cal C}^s := \bigcup_{P\in{\cal P}({\cal U}\times{\cal X})}\left\{(R_1,R_2,R_3)\,\middle|\,\begin{array}{l}0<R_1-R_2<I(X;Y|U)_P,\\ R_3\leq H(X|YU)_P,\\ R_1<H(X|U)_P,\\ 0<R_1,R_2,R_3\end{array}\right\} \qquad (50)

{\cal C}_\alpha := \bigcup_{P\in{\cal P}({\cal U}\times{\cal X})}\left\{(R_1,R_2,R_3)\,\middle|\,\begin{array}{l}0<R_1-R_2<I(X;Y|U)_P,\\ R_3<R_1-I_\alpha(X;Y|U)_P,\\ R_1<H(X|U)_P,\\ 0<R_1,R_2,R_3\end{array}\right\}. \qquad (58)

In the above definitions, there is no restriction on the cardinality of ${\cal U}$. Due to the relations

H(X|U)_P = \sum_{u\in{\cal U}} P_U(u) H(X)_{P_{X|U=u}}, \qquad H(X|YU)_P = \sum_{u\in{\cal U}} P_U(u) H(X|Y)_{P_{X|U=u}}, \qquad (59)

and $I(X;Y|U)_P=H(X|U)_P-H(X|YU)_P$, the Carathéodory lemma guarantees that the cardinality of ${\cal U}$ can be restricted to $3$ in the definitions of ${\cal C}$ and ${\cal C}^s$. In addition, the condition $R_3<R_1-I_\alpha(X;Y|U)_P$ in the definition of ${\cal C}_\alpha$ is rewritten as

2^{(\alpha-1)I_\alpha(X;Y|U)_P} < 2^{(\alpha-1)(R_1-R_3)}. \qquad (60)

Since the relation $2^{(\alpha-1)I_\alpha(X;Y|U)_P}=\sum_{u\in{\cal U}}P_U(u)2^{(\alpha-1)I_\alpha(X;Y)_{P_{X|U=u}}}$ holds, the Carathéodory lemma guarantees that the cardinality of ${\cal U}$ can be restricted to $4$ in the definition of ${\cal C}_\alpha$.

To see the relation between the two regions ${\cal C}$ and ${\cal C}^s$, we focus on the inequality

R_1 - I(X;Y|U)_P < H(X|U)_P - I(X;Y|U)_P = H(X|YU)_P \qquad (61)

in the region ${\cal C}$. Hence, the condition $R_3\leq R_1-I(X;Y|U)_P$ is stronger than the condition $R_3\leq H(X|YU)_P$, which implies the relation

{\cal C} \subset {\cal C}^s. \qquad (62)

When we focus only on $R_1$ and $R_3$ instead of $(R_1,R_2,R_3)$, we have simpler characterizations. We define the regions

{\cal C}^{1,3} := \{(R_1,R_3)|\exists R_2 \hbox{ such that } (R_1,R_2,R_3)\in{\cal C}\} \qquad (63)
{\cal C}^{s,1,3} := \{(R_1,R_3)|\exists R_2 \hbox{ such that } (R_1,R_2,R_3)\in{\cal C}^s\} \qquad (64)
{\cal C}_\alpha^{1,3} := \{(R_1,R_3)|\exists R_2 \hbox{ such that } (R_1,R_2,R_3)\in{\cal C}_\alpha\}. \qquad (65)

Then, we have the following lemma.

Lemma 1

We have

\overline{{\cal C}^{1,3}} = \{(R_1,R_3)|0\leq R_1\leq\log d,~0\leq R_3\leq\gamma_1(R_1)\} \qquad (66)
\overline{{\cal C}_\alpha^{1,3}} = \{(R_1,R_3)|0\leq R_1\leq\log d,~0\leq R_3\leq\gamma_\alpha(R_1)\}, \qquad (67)

and

\overline{{\cal C}^{s,1,3}} = \{(R_1,R_3)|0\leq R_1\leq\log d,~0\leq R_3\leq\max_{R\leq R_1}\gamma_1(R)\}, \qquad (68)

where $d:=|{\cal X}|$ and

\gamma_1(R_1) := \max_{P\in{\cal P}({\cal U}\times{\cal X})}\{H(X|YU)_P|H(X|U)_P=R_1\}, \qquad (69)
\gamma_\alpha(R_1) := \max_{P\in{\cal P}({\cal U}\times{\cal X})}\{R_1-I_\alpha(X;Y|U)_P|H(X|U)_P=R_1\}. \qquad (70)

When $|{\cal X}|$ is infinite, the condition $\leq\log d$ is removed in the above equations. $\square$

Lemma 1 is shown in Appendix A. For the analysis of the above regions, we define the functions

\gamma_{1,o}(R_1) := \max_{P\in{\cal P}({\cal X})}\{H(X|Y)_P|H(X)_P=R_1\} \qquad (71)
\gamma_{\alpha,o}(R_1) := \max_{P\in{\cal P}({\cal X})}\{R_1-I_\alpha(X;Y)_P|H(X)_P=R_1\}. \qquad (72)

Then, we have the following lemma.

Lemma 2

When $\gamma_{1,o}$ is a concave function, we have $\gamma_1(R_1)=\gamma_{1,o}(R_1)$. When $\gamma_{\alpha,o}$ is a concave function, we have $\gamma_\alpha(R_1)=\gamma_{\alpha,o}(R_1)$.

Lemma 2 is shown in Appendix B. Using these two lemmas, we numerically calculate the regions $\overline{{\cal C}^{1,3}}$, $\overline{{\cal C}^{s,1,3}}$, and $\overline{{\cal C}_\alpha^{1,3}}$, as shown in Fig. 3; a sketch of this computation is given below.
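A minimal version of this numerical calculation is sketched below for the binary symmetric channel with crossover probability $0.1$: for binary inputs the constraint $H(X)_P=R_1$ pins down $P=(p,1-p)$ up to relabeling, so the curves $\gamma_{1,o}$ and $\gamma_{\alpha,o}$ of (71)-(72) can be traced by sweeping $p$ and using the closed form (30) for $I_\alpha$.

```python
import numpy as np

eps, alpha = 0.1, 1.1            # BSC(0.1) and one Renyi order from Fig. 3
W = np.array([[1 - eps, eps],
              [eps, 1 - eps]])   # rows are W_x

def h2(p):
    p = np.clip(p, 1e-12, 1 - 1e-12)
    return -p * np.log2(p) - (1 - p) * np.log2(1 - p)

def I(P):                        # mutual information I(X;Y)_P, Eq. (29)
    wp = P @ W
    return sum(P[x] * np.sum(W[x] * np.log2(W[x] / wp)) for x in range(2))

def I_alpha(P, a):               # Renyi quantity I_alpha(X;Y)_P, closed form (30)
    z = np.sum((P @ (W ** a)) ** (1 / a))
    return a / (a - 1) * np.log2(z)

# Sweep p to trace the boundary curves; R3 <= R1 - I(.) per Lemma 1.
for p in np.linspace(0.05, 0.5, 10):
    P = np.array([p, 1 - p])
    R1 = h2(p)
    print(f"R1={R1:.3f}  gamma_1={R1 - I(P):.3f}  gamma_{alpha}={R1 - I_alpha(P, alpha):.3f}")
```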

Figure 3: Numerical plots for $\overline{{\cal C}^{1,3}}$, $\overline{{\cal C}^{s,1,3}}$, and $\overline{{\cal C}_\alpha^{1,3}}$ under the binary symmetric channel with crossover probability $0.1$. The green horizontal line expresses the upper boundary of $\overline{{\cal C}^{s,1,3}}$. The blue solid line expresses the upper boundary of $\overline{{\cal C}^{1,3}}$. The red dashed line expresses the upper boundary of $\overline{{\cal C}_{1.1}^{1,3}}$. The black dotted line expresses the upper boundary of $\overline{{\cal C}_{1.2}^{1,3}}$. The other boundaries of $\overline{{\cal C}^{1,3}}$ and $\overline{{\cal C}_\alpha^{1,3}}$ are $R_1=1$ and $R_3=0$. We numerically checked that $\gamma_{1,o}$, $\gamma_{1.1,o}$, and $\gamma_{1.2,o}$ satisfy the condition in Lemma 2.

We also define the quantities

C := \sup_{(R_1,R_2,R_3)\in{\cal C}} R_3, \qquad C^s := \sup_{(R_1,R_2,R_3)\in{\cal C}^s} R_3, \qquad (73)
C_\alpha := \sup_{(R_1,R_2,R_3)\in{\cal C}_\alpha} R_3. \qquad (74)

Then, using (68) and (66), we have the following lemma.

Lemma 3
C = C^s = \max_{P\in{\cal P}({\cal X})} H(X|Y)_P, \qquad (75)
C_\alpha = \max_{P\in{\cal P}({\cal X})} H(X)_P - I_\alpha(X;Y)_P. \qquad (76)

\square

VI Results for secure list decoding with discrete input

VI-A Statements of results

To give the capacity region, we consider the $n$-fold discrete memoryless extension $\bm{W}^n$ of the channel $\bm{W}$. A sequence of codes $\{(\phi_n,D_n)\}$ is called strongly secure when $\epsilon_A(\phi_n,D_n)$ and $\delta_D(D_n)$ approach zero. A sequence of codes $\{(\phi_n,D_n)\}$ is called weakly secure when $\epsilon_A(\phi_n,D_n)$ and $\delta_C(\phi_n,D_n)$ approach zero. A rate triple $(R_1,R_2,R_3)$ is strongly deterministically (stochastically) achievable when there exists a strongly secure sequence of deterministic (stochastic) codes $\{(\phi_n,D_n)\}$ such that $\frac{1}{n}\log|(\phi_n,D_n)|_1$ approaches $R_1$, $\frac{1}{n}\log|(\phi_n,D_n)|_2$ approaches $R_2$ (the definitions of $|(\phi_n,D_n)|_1$ and $|(\phi_n,D_n)|_2$ are given at the end of Section IV-B), and $\lim_{n\to\infty}\frac{1}{n}E(\phi_n)\geq R_3$. A rate triple $(R_1,R_2,R_3)$ is $\alpha$-strongly deterministically (stochastically) achievable when there exists a strongly secure sequence of deterministic (stochastic) codes $\{(\phi_n,D_n)\}$ such that $\frac{1}{n}\log|(\phi_n,D_n)|_1$ approaches $R_1$, $\frac{1}{n}\log|(\phi_n,D_n)|_2$ approaches $R_2$, and $\lim_{n\to\infty}\frac{1}{n}E_\alpha(\phi_n)\geq R_3$. A rate triple $(R_1,R_2,R_3)$ is ($\alpha$-)weakly deterministically (stochastically) achievable when there exists a weakly secure sequence of deterministic (stochastic) codes $\{(\phi_n,D_n)\}$ such that $\frac{1}{n}\log|(\phi_n,D_n)|_1$ approaches $R_1$, $\frac{1}{n}\log|(\phi_n,D_n)|_2$ approaches $R_2$, and $\lim_{n\to\infty}\frac{1}{n}E(\phi_n)\geq R_3$ ($\lim_{n\to\infty}\frac{1}{n}E_\alpha(\phi_n)\geq R_3$). Then, we denote the set of strongly deterministically (stochastically) achievable rate triples $(R_1,R_2,R_3)$ by ${\cal R}_{(s,d)}^L$ (${\cal R}_{(s,s)}^L$). In the same way, we denote the set of weakly deterministically (stochastically) achievable rate triples $(R_1,R_2,R_3)$ by ${\cal R}_{(w,d)}^L$ (${\cal R}_{(w,s)}^L$). The $\alpha$-versions with $\alpha>1$ are denoted by ${\cal R}_{(s,d)}^{L,\alpha}$, ${\cal R}_{(s,s)}^{L,\alpha}$, ${\cal R}_{(w,d)}^{L,\alpha}$, and ${\cal R}_{(w,s)}^{L,\alpha}$, respectively.

As outer bounds of ${\cal R}_{(w,d)}^L$, ${\cal R}_{(s,s)}^L$, and ${\cal R}_{(s,d)}^L$, we have the following theorem.

Theorem 2

We have the following characterization.

{\cal R}_{(w,d)}^L \subset \overline{{\cal C}}, \quad {\cal R}_{(s,s)}^L \subset \overline{{\cal C}^s}, \quad {\cal R}_{(s,d)}^L \subset \overline{{\cal C}}, \qquad (77)

where $\overline{{\cal C}}$ expresses the closure of the set ${\cal C}$. $\square$

For their inner bounds, we have the following theorem.

Theorem 3

Assume the condition (W2). (i) A rate triple $(R_1,R_2,R_3)$ is strongly deterministically achievable when there exists a distribution $P\in{\cal P}({\cal X})$ such that

0 < R_1-R_2 < I(X;Y)_P, \qquad (78)
R_1 < H(X)_P, \qquad (79)
R_3 \leq R_1 - I(X;Y)_P. \qquad (80)

(ii) A rate triple $(R_1,R_2,R_3)$ is $\alpha$-strongly deterministically achievable when there exists a distribution $P\in{\cal P}({\cal X})$ such that

0 < R_1-R_2 < I(X;Y)_P, \qquad (81)
R_1 < H(X)_P, \qquad (82)
R_3 \leq R_1 - I_\alpha(X;Y)_P. \qquad (83)

\square

In fact, the condition $R_1-R_2<I(X;Y)_P$ corresponds to Verifiable condition (A), the condition $I(X;Y)_P\leq R_1-R_3$ ($I_\alpha(X;Y)_P\leq R_1-R_3$) corresponds to the (Rényi) equivocation type of concealing condition (B), and the condition $R_1<H(X)_P$ corresponds to the binding condition for dishonest Alice (D). Theorems 2 and 3 are shown in Sections IX and X, respectively. We have the following corollaries of Theorems 2 and 3.

Corollary 1

When Condition (W2) holds, we have the following relation for $G\in\{(s,d),(w,d)\}$:

\overline{{\cal R}_G^L} = \overline{{\cal C}} \qquad (84)

and

{\cal C}_\alpha \subset {\cal R}_G^{L,\alpha}. \qquad (85)

\square

Hence, even when our binding condition is relaxed to Condition (C), as long as our codes are limited to deterministic codes, we have the same region as in the case with Condition (D).

Proof: It is sufficient to show the direct part. For this aim, we note the following relations for $\alpha>\alpha'>1$:

{\cal R}_G^{L,\alpha} \subset {\cal R}_G^{L,\alpha'}, \qquad \overline{\cup_{\alpha>1}{\cal C}_\alpha} = \overline{{\cal C}}. \qquad (86)

Hence, it is sufficient to show that there exists a strongly secure sequence of deterministic codes with a rate triple $(R_1,R_2,R_3)$ satisfying

0 < R_1-R_2 < I(X;Y|U)_P, \qquad (87)
R_1 < H(X|U)_P, \qquad (88)
R_3 \leq R_1 - I_\alpha(X;Y|U)_P \qquad (89)

for a given $P\in{\cal P}({\cal X}\times{\cal U})$. There exist distributions $P_1,\ldots,P_{\mathsf{U}}\in{\cal P}({\cal X})$ such that ${\cal U}=\{1,\ldots,\mathsf{U}\}$ and $P_u(x)=\frac{P(x,u)}{P_U(u)}$ for $u\in{\cal U}$, where $P_U(u)=\sum_{x'\in{\cal X}}P(x',u)$. Then, we have $\sum_{u\in{\cal U}}P_U(u)I(X;Y)_{P_u}=I(X;Y|U)_P$, $\sum_{u\in{\cal U}}P_U(u)H(X)_{P_u}=H(X|U)_P$, and $\sum_{u\in{\cal U}}P_U(u)I_\alpha(X;Y)_{P_u}=I_\alpha(X;Y|U)_P$.

For simplicity, in the following, we consider the case with $\mathsf{U}=2$. We choose a sequence $\{(\phi_{n,1},D_{n,1})\}$ ($\{(\phi_{n,2},D_{n,2})\}$) of strongly secure deterministic codes that achieves rates satisfying (81), (82), and (83) with $P=P_1$ ($P_2$). We denote $P_U(1)$ by $\lambda$. Then, we define the concatenation $\{(\phi_n,D_n)\}$ as follows. We assume that $\phi_{\lfloor\lambda n\rfloor,1}$ ($\phi_{n-\lfloor\lambda n\rfloor,2}$) is a map from ${\cal M}_1$ (${\cal M}_2$) to ${\cal X}^{\lfloor\lambda n\rfloor}$ (${\cal X}^{n-\lfloor\lambda n\rfloor}$). The encoder $\phi_n$ is given as the map from $(m_1,m_2)\in{\cal M}_1\times{\cal M}_2$ to $(\phi_{\lfloor\lambda n\rfloor,1}(m_1),\phi_{n-\lfloor\lambda n\rfloor,2}(m_2))\in{\cal X}^n$. The decoder $D_n$ is given as the map from ${\cal Y}^n$ to ${\cal M}_1^{\mathsf{L}_1}\times{\cal M}_2^{\mathsf{L}_2}$ defined as

D_n(y_1,\ldots,y_n) := (D_{\lfloor\lambda n\rfloor,1}(y_1,\ldots,y_{\lfloor\lambda n\rfloor}),\ D_{n-\lfloor\lambda n\rfloor,2}(y_{\lfloor\lambda n\rfloor+1},\ldots,y_n)) \qquad (90)

for $(y_1,\ldots,y_n)\in{\cal Y}^n$. We have $\epsilon_A(\phi_n,D_n)\leq\epsilon_A(\phi_{\lfloor\lambda n\rfloor,1},D_{\lfloor\lambda n\rfloor,1})+\epsilon_A(\phi_{n-\lfloor\lambda n\rfloor,2},D_{n-\lfloor\lambda n\rfloor,2})$ because the code $(\phi_n,D_n)$ is correctly decoded when both codes $(\phi_{\lfloor\lambda n\rfloor,1},D_{\lfloor\lambda n\rfloor,1})$ and $(\phi_{n-\lfloor\lambda n\rfloor,2},D_{n-\lfloor\lambda n\rfloor,2})$ are correctly decoded. Alice can cheat the decoder $D_n$ only when she cheats one of the decoders $D_{\lfloor\lambda n\rfloor,1}$ and $D_{n-\lfloor\lambda n\rfloor,2}$. Hence, $\delta_D(D_n)\leq\min(\delta_D(D_{\lfloor\lambda n\rfloor,1}),\delta_D(D_{n-\lfloor\lambda n\rfloor,2}))$. Therefore, the concatenation $\{(\phi_n,D_n)\}$ is also strongly secure.

The rate parameters of the code $(\phi_n,D_n)$ are calculated as $\log|(\phi_n,D_n)|_i=\log|(\phi_{\lfloor\lambda n\rfloor,1},D_{\lfloor\lambda n\rfloor,1})|_i+\log|(\phi_{n-\lfloor\lambda n\rfloor,2},D_{n-\lfloor\lambda n\rfloor,2})|_i$ for $i=1,2$. Also, using the additivity property (13), we have $E_\alpha(\phi_n)=E_\alpha(\phi_{\lfloor\lambda n\rfloor,1})+E_\alpha(\phi_{n-\lfloor\lambda n\rfloor,2})$. Hence, we have shown the existence of a strongly secure sequence of deterministic codes with a rate triple $(R_1,R_2,R_3)$ satisfying the conditions (87), (88), and (89) when $\mathsf{U}=2$. For general $\mathsf{U}$, we can show the same statement by repeating the above procedure.

VI-B Outline of proof of direct theorem

Here, we present the outline of the proof of the direct theorem (Theorem 3). Since $\lim_{\alpha\to 1}I_\alpha(X;Y)_P=I(X;Y)_P$, the first part (i) follows from the second part (ii). Hence, we show only the second part (ii), in Section X, based on random coding. To realize Binding condition for dishonest Alice (D), we need to exclude the existence of $x^n\in{\cal X}^n$ and $m\neq m'\in{\cal M}_n$ such that $1-\epsilon_{A,m}(x^n,D)$ and $1-\epsilon_{A,m'}(x^n,D)$ are both far from $0$. For this aim, we focus on the Hamming distance $d_H(x^n,{x^n}')$ between $x^n=(x_1^n,\ldots,x_n^n),\ {x^n}'=({x_1^n}',\ldots,{x_n^n}')\in{\cal X}^n$, defined as

d_H(x^n,{x^n}') := |\{k|x_k^n\neq {x_k^n}'\}|, \qquad (91)

and introduce functions $\{\xi_x\}_{x\in{\cal X}}$ satisfying the following conditions:

\mathbb{E}_x[\xi_x(Y)] = 0, \qquad (92)
\zeta_1 := \min_{x\neq x'\in{\cal X}} \mathbb{E}_{x'}[-\xi_x(Y)] > 0, \qquad (93)
\zeta_2 := \max_{x,x'\in{\cal X}} \mathbb{V}_{x'}[\xi_x(Y)] < \infty. \qquad (94)

For $x^n=(x_1^n,\ldots,x_n^n)\in{\cal X}^n$ and $y^n=(y_1^n,\ldots,y_n^n)\in{\cal Y}^n$, we define

\xi_{x^n}(y^n) := \sum_{i=1}^n \xi_{x_i^n}(y_i^n). \qquad (95)

Then, given an encoder $\phi_n$ mapping ${\cal M}_n$ to ${\cal X}^n$, we impose the following condition on Bob's decoder for including the message $m$ in his decoded list: the inequality

\xi_{\phi_n(m)}(Y^n) \geq -\epsilon_1 n \qquad (96)

holds when $Y^n$ is observed. The condition (96) guarantees that $1-\epsilon_{A,m}(x^n,D)$ is small when $d_H(x^n,\phi_n(m))$ is larger than a certain threshold.

As shown in Section X, due to the conditions (92), (93), and (94), the condition (96) guarantees that the quantity δD(D)\delta_{D}(D) is small. Indeed, we have the following lemma, which is shown in Section X-A.

Lemma 4

When the condition (W2) holds, there exist functions {ξx}x𝒳\{\xi_{x}\}_{x\in{\cal X}} to satisfy the conditions (92), (93), and (94). \square

VII Results for secure list decoding with continuous input

In the previous section, we assumed that Alice can access only elements of the finite set {\cal X} even when Alice is malicious. However, in the wireless communication case, the input system is given as a continuous space \tilde{\cal X}. When we transmit a message via such a channel, we usually fix a set {\cal X} of constellation points as a subset of \tilde{\cal X}, and the modulator converts an element of the input alphabet to a constellation point. That is, the choice of the set {\cal X} depends on the performance of the modulator. In this situation, it is natural that dishonest Alice can send any element of the continuous space \tilde{\cal X} while honest Alice sends only an element of {\cal X}. Therefore, only the condition (D) is changed as follows because only the condition (D) is related to dishonest Alice.

(D’)

Binding condition for dishonest Alice. For x\in\tilde{\cal X}, we define the quantity \delta_{D^{\prime},x}(D) as the second largest value among \{(1-\epsilon_{A,m}(x,D))\}_{m=1}^{\mathsf{M}}. Then, the relation

\displaystyle\delta_{D^{\prime}}(D):=\max_{x\in\tilde{\cal X}}\delta_{D^{\prime},x}(D)\leq\delta_{C} (97)

holds.

Then, a sequence of codes \{(\phi_{n},D_{n})\} is called ultimately secure when \epsilon_{A}(\phi_{n},D_{n}) and \delta_{D^{\prime}}(D_{n}) approach zero. A rate triple (R_{1},R_{2},R_{3}) is (\alpha)-ultimately deterministically (stochastically) achievable when there exists an ultimately secure sequence of deterministic (stochastic) codes \{(\phi_{n},D_{n})\} such that \frac{1}{n}\log|(\phi_{n},D_{n})|_{1} approaches R_{1}, \frac{1}{n}\log|(\phi_{n},D_{n})|_{2} approaches R_{2}, and \lim_{n\to\infty}\frac{1}{n}E(\phi_{n})\geq R_{3} (\lim_{n\to\infty}\frac{1}{n}E_{\alpha}(\phi_{n})\geq R_{3}). We denote the set of ultimately deterministically (stochastically) achievable rate triples (R_{1},R_{2},R_{3}) by {\cal R}_{(u,d)}^{L} ({\cal R}_{(u,s)}^{L}). The \alpha-versions with \alpha>1 are denoted by {\cal R}_{(u,d)}^{L,\alpha} and {\cal R}_{(u,s)}^{L,\alpha}, respectively.

The same converse result as Theorem 2 holds for (u,d)L{\cal R}_{(u,d)}^{L} and (u,s)L{\cal R}_{(u,s)}^{L} because a sequence of ultimately secure codes is strongly secure. Hence, the aim of this section is to recover the same result as Theorem 3 for ultimately secure codes under a certain condition for our channel. The key point of this problem setting is to exclude the existence of xn𝒳~nx^{n}\in\tilde{\cal X}^{n} and mmnm\neq m^{\prime}\in{\cal M}_{n} such that 1ϵA,m(xn,D)1-\epsilon_{A,m}(x^{n},D) and 1ϵA,m(xn,D)1-\epsilon_{A,m^{\prime}}(x^{n},D) are far from 0. For this aim, we need to assume a distance dd on the space 𝒳~\tilde{\cal X}. Then, we may consider functions {ξx}x𝒳\{\xi_{x}\}_{x\in{\cal X}} to satisfy the following conditions in addition to (92);

ζ^1(r):=infx𝒳,x𝒳~:d(x,x)r𝔼x[ξx(Y)]>0,\displaystyle\hat{\zeta}_{1}(r):=\inf_{x\in{\cal X},x^{\prime}\in\tilde{\cal X}:d(x,x^{\prime})\geq r}\mathbb{E}_{x^{\prime}}[-\xi_{x}(Y)]>0, (98)
ζ^2:=supx𝒳,x𝒳~𝕍x[ξx(Y)]<\displaystyle\hat{\zeta}_{2}:=\sup_{x\in{\cal X},x^{\prime}\in\tilde{\cal X}}\mathbb{V}_{x^{\prime}}[\xi_{x}(Y)]<\infty (99)

for r>0. It is not difficult to prove the same result as Theorem 3 when the above functions \{\xi_{x}\}_{x\in{\cal X}} exist. However, it is not so easy to prove the existence of such functions under natural models including the AWGN channel. Therefore, we introduce the following condition instead of (98) and (99).

(W3)

There exist functions {ξx}x𝒳~\{\xi_{x}\}_{x\in\tilde{\cal X}} to satisfy the following conditions in addition to (92);

ζ¯1,t(r)\displaystyle\bar{\zeta}_{1,t}(r)
:=\displaystyle:= 1tlogsupx𝒳,x𝒳~:d(x,x)r𝔼x[2t(ξx(Y)ξx(Y))]\displaystyle\frac{-1}{t}\log\sup_{x\in{\cal X},x^{\prime}\in\tilde{\cal X}:d(x,x^{\prime})\geq r}\mathbb{E}_{x^{\prime}}[2^{t(\xi_{x}(Y)-\xi_{x^{\prime}}(Y))}]
>\displaystyle> 0,\displaystyle 0, (100)
ζ¯2:=supx𝒳~𝕍x[ξx(Y)]<\displaystyle\bar{\zeta}_{2}:=\sup_{x\in\tilde{\cal X}}\mathbb{V}_{x}[\xi_{x}(Y)]<\infty (101)

for r>0 and t\in(0,1/2). Indeed, as discussed in Step 1 of our proof of Lemma 16, when the functions \{\xi_{x}\}_{x\in\tilde{\cal X}} satisfy the above conditions and the difference between two vectors {x^{n}}^{\prime} and x^{n} satisfies a certain condition, we can distinguish the vector {x^{n}}^{\prime} from x^{n} by using \xi_{x_{1}}+\cdots+\xi_{x_{n}}.

Notice that \bar{\zeta}_{1,t}(r) is monotonically increasing in r.

Then, we have the following theorem.

Theorem 4

Assume the conditions (W2) and (W3). (i) A rate triplet (R1,R2,R3)(R_{1},R_{2},R_{3}) is ultimately deterministically achievable when there exists a distribution P𝒫(𝒳)P\in{\cal P}({\cal X}) such that

0<R1R2<I(X;Y)PR1R3R1<H(X)P.\displaystyle 0<R_{1}-R_{2}<I(X;Y)_{P}\leq R_{1}-R_{3}\leq R_{1}<H(X)_{P}. (102)

(ii) A rate triplet (R1,R2,R3)(R_{1},R_{2},R_{3}) is α\alpha-ultimately deterministically achievable when there exists a distribution P𝒫(𝒳)P\in{\cal P}({\cal X}) such that

0<\displaystyle 0< R1R2<I(X;Y)PIα(X;Y)P\displaystyle R_{1}-R_{2}<I(X;Y)_{P}\leq I_{\alpha}(X;Y)_{P}
\displaystyle\leq R1R3R1<H(X)P.\displaystyle R_{1}-R_{3}\leq R_{1}<H(X)_{P}. (103)

\square

Since (u,d)L(s,d)L{\cal R}_{(u,d)}^{L}\subset{\cal R}_{(s,d)}^{L} and (u,s)L(s,s)L{\cal R}_{(u,s)}^{L}\subset{\cal R}_{(s,s)}^{L}, the combination of Theorems 2 and 4 yields the following corollary in the same way as Corollary 1.

Corollary 2

When Conditions (W2) and (W3) hold, we have the following relations

(u,d)L¯=𝒞¯,(u,s)L¯𝒞s¯\displaystyle\overline{{\cal R}_{(u,d)}^{L}}=\overline{{\cal C}},\quad\overline{{\cal R}_{(u,s)}^{L}}\subset\overline{{\cal C}^{s}} (104)

and

𝒞α(u,d)L,α(u,s)L,α.\displaystyle{\cal C}_{\alpha}\subset{\cal R}_{(u,d)}^{L,\alpha}\subset{\cal R}_{(u,s)}^{L,\alpha}. (105)

\square

As an example, we consider an additive noise channel when 𝒳~=d\tilde{\cal X}=\mathbb{R}^{d}, which equips the standard Euclidean distance dd. The output system 𝒴{\cal Y} is also given as d\mathbb{R}^{d}. We fix a distribution PNP_{N} for the additive noise NN on 𝒳~\tilde{\cal X}. Then, we define the additive noise channel {W[PN]x}x𝒳~\{W[P_{N}]_{x}\}_{x\in\tilde{\cal X}} as wx(y):=pN(yx)w_{x}(y):=p_{N}(y-x). We assume the following conditions;

>𝔼0[logw0(Y)]>\displaystyle\infty>\mathbb{E}_{0}[-\log w_{0}(Y)]>-\infty (106)
𝕍0[logw0(Y)]<.\displaystyle\mathbb{V}_{0}[-\log w_{0}(Y)]<\infty. (107)

Then, we have the following lemma.

Lemma 5

When the additive noise channel {W[PN]x}x𝒳~\{W[P_{N}]_{x}\}_{x\in\tilde{\cal X}} satisfies (106) and (107), and when ξx\xi_{x} is chosen as ξx(y):=logwx(y)𝔼0[logw0(Y)]\xi_{x}(y):=\log w_{x}(y)-\mathbb{E}_{0}[\log w_{0}(Y)], the condition (W3) holds. \square

Proof: Since the range of t in the condition (100) is (0,1/2), we assume that the real number t belongs to (0,1/2) throughout this proof. The conditions (92) and (101) follow from (106) and (107), respectively. Also, the definition of \xi_{x} implies

1tlog𝔼x[2t(ξx(Y)ξx(Y))]=D1t(WxWx).\displaystyle-\frac{1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{x}(Y)-\xi_{x^{\prime}}(Y))}]=D_{1-t}(W_{x^{\prime}}\|W_{x}). (108)

For a small real number \epsilon>0 chosen such that \epsilon^{t}+\epsilon^{1-t}<1, we choose r_{0}>0 such that

\displaystyle W_{0}(\{y\in{\cal Y}|d(y,0)\geq r_{0}\})\leq\epsilon. (109)

We define the function ff from 𝒴{\cal Y} to {0,1}\{0,1\} such that f1({0})={y𝒴|d(y,0)<r0}f^{-1}(\{0\})=\{y\in{\cal Y}|d(y,0)<r_{0}\}. When x0x_{0} satisfies d(x0,0)>2r0d(x_{0},0)>2r_{0}, we have

Wx0f1({0})ϵ.\displaystyle W_{x_{0}}\circ f^{-1}(\{0\})\leq\epsilon. (110)

Since Wx0f1({1}),W0f1({0})1W_{x_{0}}\circ f^{-1}(\{1\}),W_{0}\circ f^{-1}(\{0\})\leq 1, (109) and (110) imply that

2tD1t(Wx0f1W0f1)\displaystyle 2^{-tD_{1-t}(W_{x_{0}}\circ f^{-1}\|W_{0}\circ f^{-1})}
=\displaystyle= Wx0f1({0})1tW0f1({0})t\displaystyle W_{x_{0}}\circ f^{-1}(\{0\})^{1-t}W_{0}\circ f^{-1}(\{0\})^{t}
+Wx0f1({1})1tW0f1({1})t\displaystyle+W_{x_{0}}\circ f^{-1}(\{1\})^{1-t}W_{0}\circ f^{-1}(\{1\})^{t}
\displaystyle\leq ϵt+ϵ1t.\displaystyle\epsilon^{t}+\epsilon^{1-t}. (111)

Thus,

D1t(Wx0f1W0f1)1tlog(ϵt+ϵ1t).\displaystyle D_{1-t}(W_{x_{0}}\circ f^{-1}\|W_{0}\circ f^{-1})\geq-\frac{1}{t}\log(\epsilon^{t}+\epsilon^{1-t}). (112)

When d(x,x)>2r0d(x,x^{\prime})>2r_{0}, we have

1tlog𝔼x[2t(ξx(Y)ξx(Y))]\displaystyle-\frac{1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{x}(Y)-\xi_{x^{\prime}}(Y))}]
=\displaystyle= D1t(WxWx)=D1t(WxxW0)\displaystyle D_{1-t}(W_{x^{\prime}}\|W_{x})=D_{1-t}(W_{x^{\prime}-x}\|W_{0})
\displaystyle\geq D1t(Wxxf1W0f1)\displaystyle D_{1-t}(W_{x^{\prime}-x}\circ f^{-1}\|W_{0}\circ f^{-1})
\displaystyle\geq 1tlog(ϵt+ϵ1t)>0.\displaystyle-\frac{1}{t}\log(\epsilon^{t}+\epsilon^{1-t})>0. (113)

Therefore,

infx𝒳~:d(0,x)r1tlog𝔼x[2t(ξ0(Y)ξx(Y))]\displaystyle\inf_{x^{\prime}\in\tilde{\cal X}:d(0,x^{\prime})\geq r}\frac{-1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{0}(Y)-\xi_{x^{\prime}}(Y))}]
=\displaystyle= min(infx𝒳~:r0d(0,x)r1tlog𝔼x[2t(ξ0(Y)ξx(Y))],\displaystyle\min\Big{(}\inf_{x^{\prime}\in\tilde{\cal X}:r_{0}\geq d(0,x^{\prime})\geq r}\frac{-1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{0}(Y)-\xi_{x^{\prime}}(Y))}],
infx𝒳~:d(0,x)>r01tlog𝔼x[2t(ξ0(Y)ξx(Y))])\displaystyle\inf_{x^{\prime}\in\tilde{\cal X}:d(0,x^{\prime})>r_{0}}\frac{-1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{0}(Y)-\xi_{x^{\prime}}(Y))}]\Big{)}
\displaystyle\geq min(minx𝒳~:r0d(0,x)rD1t(WxW0),\displaystyle\min\Big{(}\min_{x^{\prime}\in\tilde{\cal X}:r_{0}\geq d(0,x^{\prime})\geq r}D_{1-t}(W_{x^{\prime}}\|W_{0}),
1tlog(ϵt+ϵ1t)).\displaystyle-\frac{1}{t}\log(\epsilon^{t}+\epsilon^{1-t})\Big{)}. (114)

Since D_{1-t}(W_{x^{\prime}}\|W_{0})>0 for x^{\prime}\neq 0, the set \{x^{\prime}\in\tilde{\cal X}|r_{0}\geq d(0,x^{\prime})\geq r\} is compact, and the map x^{\prime}\mapsto D_{1-t}(W_{x^{\prime}}\|W_{0}) is continuous, we find that \min_{x^{\prime}\in\tilde{\cal X}:r_{0}\geq d(0,x^{\prime})\geq r}D_{1-t}(W_{x^{\prime}}\|W_{0})>0. Hence, the quantity (114) is strictly positive.

Since

ζ¯1,t(r)=\displaystyle\bar{\zeta}_{1,t}(r)= infx𝒳,x𝒳~:d(x,x)r1tlog𝔼x[2t(ξx(Y)ξx(Y))]\displaystyle\inf_{x\in{\cal X},x^{\prime}\in\tilde{\cal X}:d(x,x^{\prime})\geq r}\frac{-1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{x}(Y)-\xi_{x^{\prime}}(Y))}]
=\displaystyle= infx𝒳~:d(0,x)r1tlog𝔼x[2t(ξ0(Y)ξx(Y))],\displaystyle\inf_{x^{\prime}\in\tilde{\cal X}:d(0,x^{\prime})\geq r}\frac{-1}{t}\log\mathbb{E}_{x^{\prime}}[2^{t(\xi_{0}(Y)-\xi_{x^{\prime}}(Y))}], (115)

the condition (100) holds.   
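To see Lemma 5 in action, the following is a minimal Monte Carlo sanity check, under the illustrative assumption of one-dimensional Gaussian noise N \sim N(0,v), that the choice \xi_{x}(y):=\log w_{x}(y)-\mathbb{E}_{0}[\log w_{0}(Y)] satisfies the centering condition (92); the variance, sample size, and variable names are our own.

```python
# Monte Carlo check (sketch) of condition (92) for the xi_x of Lemma 5
# with Gaussian noise N ~ N(0, v) on R (d = 1); parameters illustrative.
import numpy as np

rng = np.random.default_rng(1)
v, samples = 0.5, 200000

def log_w(x, y):                       # log_2 w_x(y) = log_2 p_N(y - x)
    return (-(y - x) ** 2 / (2 * v) - 0.5 * np.log(2 * np.pi * v)) / np.log(2)

mean_log_w0 = -0.5 * np.log2(2 * np.pi * np.e * v)  # E_0[log_2 w_0(Y)], exact

for x in (0.0, 1.0, -2.5):
    y = x + rng.normal(0.0, np.sqrt(v), samples)    # Y ~ W_x
    xi = log_w(x, y) - mean_log_w0
    print(f"x = {x}: empirical E_x[xi_x(Y)] = {xi.mean():+.4f} (should be ~0)")
```

Indeed, for additive noise, \mathbb{E}_{x}[\log w_{x}(Y)]=\mathbb{E}[\log p_{N}(N)] does not depend on x, which is why the same centering constant works for every x.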

VIII Application to bit-string commitment

VIII-A Bit-string commitment based on secure list decoding

Now, we construct a code for bit-string commitment by using our code (\phi,D) for secure list decoding. (i) The previous studies [8, Theorem 2], [9] considered only the case with a discrete input alphabet {\cal X} and a discrete output alphabet {\cal Y}, while a continuous generalization of their result was mentioned as an open problem in [9]. We allow a continuous output alphabet {\cal Y} with a discrete input alphabet {\cal X}. (ii) As another setting, we consider a continuous input alphabet {\cal X}. In this case, it is possible to make the capacity infinite, as pointed out in [25] for the Gaussian channel. However, it is difficult to manage an input alphabet with infinite cardinality. Hence, we restrict honest Alice to a finite subset \tilde{\cal X} of the continuous input alphabet {\cal X}, while dishonest Alice can access the whole continuous input alphabet {\cal X}.

Since the binding condition (BIN) is satisfied by Condition (D) or (D’), it is sufficient to strengthen Condition (B) to Concealing condition (CON). For this aim, we combine a hash function and a code (ϕ,D)(\phi,D) for secure list decoding. A function ff from {\cal M} to 𝒦{\cal K} is called a regular hash function when ff is surjective and the cardinality |f1(k)||f^{-1}(k)| does not depend on k𝒦k\in{\cal K}. When a code (ϕ,D)(\phi,D) and a regular hash function ff are given, as explained in Fig. 4, we can naturally consider the following protocol for bit-string commitment with message set 𝒦{\cal K}. Before starting the protocol, Alice and Bob share a code (ϕ,D)(\phi,D) and a regular hash function ff.

(I)

(Commit Phase) When k𝒦k\in{\cal K} is a message to be sent by Alice, she randomly chooses an element MM\in{\cal M} subject to uniform distribution on f1(k)f^{-1}(k). Then, Alice sends ϕ(M)\phi(M) to Bob via a noisy channel.

(II)

(Reveal Phase) From the information Bob received in the Commit Phase, Bob outputs \mathsf{L} elements of {\cal M} as his list, which is required to contain the message M. Alice sends M to Bob via a noiseless channel. If the information transmitted via the noiseless channel is contained in Bob's decoded list, Bob accepts it and recovers the message k=f(M). Otherwise, Bob rejects it.
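The following Python sketch illustrates the flow of Phases (I) and (II) end to end. All components are illustrative stand-ins of our own: a random toy codebook, a binary symmetric channel, a nearest-codeword list decoder, and the parity map as the regular hash f. The paper's actual pair (\phi,D) is a secure list code, which this toy code is not.

```python
# Toy end-to-end sketch of the commit/reveal protocol (I)-(II).
import random

rng = random.Random(0)
n, L = 15, 2                               # block length, list size
M = list(range(8))                         # message set, |M| = 8
CODEBOOK = {m: [rng.randint(0, 1) for _ in range(n)] for m in M}

def f(m):                                  # regular hash onto K = {0, 1}
    return m % 2                           # |f^{-1}(k)| = 4 for each k

def phi(m):                                # toy deterministic encoder
    return CODEBOOK[m]

def channel(x, p=0.1):                     # BSC(p) as the noisy channel
    return [b ^ (rng.random() < p) for b in x]

def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))

def list_decode(y):                        # toy decoder: L nearest codewords
    return sorted(M, key=lambda m: hamming(phi(m), y))[:L]

# (I) Commit phase: Alice commits to k via a uniform M in f^{-1}(k)
k = 1
m = rng.choice([mm for mm in M if f(mm) == k])
bobs_list = list_decode(channel(phi(m)))

# (II) Reveal phase: Alice sends m noiselessly; Bob checks his list
print("accepted, k =", f(m)) if m in bobs_list else print("rejected")
```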

Figure 4: Our protocol for bit-string commitment with message set 𝒦{\cal K}.

The binding condition (BIN) is evaluated by the parameter δC(ϕ,D)\delta_{C}(\phi,D), δD(D)\delta_{D}(D), or δD(D)\delta_{D^{\prime}}(D). To discuss the concealing condition (CON), for a deterministic encoder ϕ\phi for secure list decoding, we define the conditional distribution PY|K=kϕ,fP^{\phi,f}_{Y|K=k} and the distribution PYϕ,fP^{\phi,f}_{Y} on 𝒴{\cal Y} as

PY|K=kϕ,f:=\displaystyle P^{\phi,f}_{Y|K=k}:= mf1(k)1|f1(k)|Wϕ(m)\displaystyle\sum_{m\in f^{-1}(k)}\frac{1}{|f^{-1}(k)|}W_{\phi(m)} (116)
PYϕ,f:=\displaystyle P^{\phi,f}_{Y}:= m1||Wϕ(m).\displaystyle\sum_{m\in{\cal M}}\frac{1}{|{\cal M}|}W_{\phi(m)}. (117)

When ϕ\phi is given as a stochastic encoder by distributions {Pm}m\{P_{m}\}_{m\in{\cal M}} on 𝒳{\cal X}, these are defined as

PY|K=kϕ,f:=\displaystyle P^{\phi,f}_{Y|K=k}:= mf1(k)1|f1(k)|x𝒳Pm(x)Wx\displaystyle\sum_{m\in f^{-1}(k)}\frac{1}{|f^{-1}(k)|}\sum_{x\in{\cal X}}P_{m}(x)W_{x} (118)
PYϕ,f:=\displaystyle P^{\phi,f}_{Y}:= m1||x𝒳Pm(x)Wx.\displaystyle\sum_{m\in{\cal M}}\frac{1}{|{\cal M}|}\sum_{x\in{\cal X}}P_{m}(x)W_{x}. (119)

The concealing condition (CON) is evaluated by the following quantity;

δE(f,ϕ):=maxk,k𝒦12PY|K=kϕ,fPY|K=kϕ,f1.\displaystyle\delta_{E}(f,\phi):=\max_{k,k^{\prime}\in{\cal K}}\frac{1}{2}\|P^{\phi,f}_{Y|K=k}-P^{\phi,f}_{Y|K=k^{\prime}}\|_{1}. (120)

With these components, we say that the tuple (\phi,D,f) is a code for bit-string commitment based on secure list decoding. Then, we have the following theorem, which is shown in Section VIII-B.

Theorem 5

For a secure list code (\phi,D) with message set {\cal M}, we assume that the size \mathsf{M}=|{\cal M}|=|(\phi,D)|_{1} is a power of a prime p, i.e., \mathsf{M}=p^{\mathsf{m}}. Then, for an integer \mathsf{k} and a set {\cal K} with |{\cal K}|=p^{\mathsf{k}}, there exist a subset \bar{\cal K}\subset{\cal K} with |\bar{\cal K}|=p^{\mathsf{k}-1}, a subset \bar{\cal M}\subset{\cal M} with |\bar{\cal M}|=p^{\mathsf{m}-1}, and a regular hash function f from {\cal M} to {\cal K} such that f(\bar{\cal M})=\bar{\cal K} and

δE(f,ϕ|¯)3pp1pt𝗄1+t2t1+tH1+t(M|Y).\displaystyle\delta_{E}(f,\phi|_{\bar{\cal M}})\leq\frac{3p}{p-1}p^{\frac{t\mathsf{k}}{1+t}}2^{-\frac{t}{1+t}H_{1+t}(M|Y)}. (121)

\square

For a code (\phi,D,f) for bit-string commitment based on secure list coding, we define three parameters |(\phi,D,f)|_{1}:=|(\phi,D)|_{1}, |(\phi,D,f)|_{2}:=|(\phi,D)|_{2}, and |(\phi,D,f)|_{3}:=|\mathop{\rm Im}f|=|{\cal K}|. To discuss this type of code in the asymptotic setting, we make the following definitions. A sequence of codes \{(\phi_{n},D_{n},f_{n})\} for bit-string commitment based on secure list coding is called strongly (weakly, ultimately) secure when \epsilon_{A}(\phi_{n},D_{n}), \delta_{E}(f_{n},\phi_{n}), and \delta_{D}(D_{n}) (\delta_{C}(\phi_{n},D_{n}), \delta_{D^{\prime}}(D_{n})) approach zero. A rate triple (R_{1},R_{2},R_{3}) is strongly (weakly, ultimately) deterministically achievable for bit-string commitment based on secure list coding when there exists a strongly (weakly, ultimately) secure sequence of deterministic codes \{(\phi_{n},D_{n},f_{n})\} such that \lim_{n\to\infty}\frac{1}{n}\log|(\phi_{n},D_{n},f_{n})|_{i}=R_{i} for i=1,2,3. We denote the set of strongly (weakly, ultimately) deterministically achievable rate triples (R_{1},R_{2},R_{3}) for bit-string commitment based on secure list coding by {\cal R}_{(s,d)}^{B} ({\cal R}_{(w,d)}^{B}, {\cal R}_{(u,d)}^{B}). We define strongly (weakly, ultimately) stochastically achievable rate triples in the same way and denote the corresponding sets by {\cal R}_{(s,s)}^{B} ({\cal R}_{(w,s)}^{B}, {\cal R}_{(u,s)}^{B}). Then, we have

(g,d)B(g,s)B.\displaystyle{\cal R}_{(g,d)}^{B}\subset{\cal R}_{(g,s)}^{B}. (122)

for g=s,w,ug=s,w,u. We obtain the following theorem under the above two settings.

Theorem 6

(i) Assume that the input alphabet 𝒳{\cal X} is discrete. When Condition (W2) holds, we have the following relations for G{(w,d),(s,d)}G\in\{(w,d),(s,d)\}.

GB¯=𝒞¯,(s,s)B¯𝒞s¯.\displaystyle\overline{{\cal R}_{G}^{B}}=\overline{{\cal C}},\quad\overline{{\cal R}_{(s,s)}^{B}}\subset\overline{{\cal C}^{s}}. (123)

(ii) Assume that the input alphabet 𝒳{\cal X} is continuous. We choose a restricted finite subset 𝒳~\tilde{\cal X} of the continuous input alphabet 𝒳{\cal X}. When the channel 𝐖\bm{W} with 𝒳~𝒳\tilde{\cal X}\subset{\cal X} satisfies Conditions (W2) and (W3), we have the following relations

(u,d)B¯=𝒞¯,(u,s)B¯𝒞s¯.\displaystyle\overline{{\cal R}_{(u,d)}^{B}}=\overline{{\cal C}},\quad\overline{{\cal R}_{(u,s)}^{B}}\subset\overline{{\cal C}^{s}}. (124)

\square

Also, we define the optimal transmission rate in the above method as

CGB:=sup(R1,R2,R3)GBR3\displaystyle C^{B}_{G}:=\sup_{(R_{1},R_{2},R_{3})\in{\cal R}_{G}^{B}}R_{3} (125)

for G{(s,d),(w,d),(u,d),(s,s),(w,s),(u,s)}G\in\{(s,d),(w,d),(u,d),(s,s),(w,s),(u,s)\}. Then, Lemma 3, Theorem 6, and (122) imply the relation

CGB=supP𝒫(𝒳)H(X|Y)P\displaystyle C^{B}_{G}=\sup_{P\in{\cal P}({\cal X})}H(X|Y)_{P} (126)

for G\in\{(s,d),(w,d),(u,d),(s,s),(u,s)\} under the same assumption as Theorem 6. Here, only C^{B}_{(w,s)} cannot be determined because the restriction on Alice is too weak in the setting (w,s), i.e., Alice is allowed to use a stochastic encoder and Alice's cheating is excluded only when Alice uses the correct encoder. Fig. 5 shows the numerical plot for the AWGN channel with binary phase-shift keying (BPSK) modulation.

Since our setting allows continuous input and output systems, Theorem 6 can be considered as a generalization of the results by Winter et al. [8, Theorem 2], [9], for which a continuous generalization was mentioned as an open problem in [9]. Although the paper [25] addressed the Gaussian channel, it considers only the special case in which the input alphabet has infinite cardinality. It did not derive a general capacity formula with a finite input alphabet and a continuous output alphabet. In particular, the paper [25] did not consider the case when honest Alice accesses only a restricted finite subset \tilde{\cal X} of the continuous input alphabet {\cal X} and dishonest Alice accesses the whole continuous input alphabet {\cal X}.

In addition to Theorem 5, to show Theorem 6, we prepare the following lemma, which is shown in Section VIII-C.

Lemma 6

When a sequence of codes {(ϕn,Dn,fn)}\{(\phi_{n},D_{n},f_{n})\} for bit-string commitment based on secure list coding satisfies the condition δE(fn,ϕn)0\delta_{E}(f_{n},\phi_{n})\to 0, we have

limn1nlog|(ϕn,Dn,fn)|3limn1nE(ϕn).\displaystyle\lim_{n\to\infty}\frac{1}{n}\log|(\phi_{n},D_{n},f_{n})|_{3}\leq\lim_{n\to\infty}\frac{1}{n}E(\phi_{n}). (127)

\square

Proof of Theorem 6:   The converse part of Theorem 6 follows from the combination of Theorem 2 and Lemma 6, which is shown in Section VIII-C.

The direct part of Theorem 6 can be shown as follows. For a given α>1\alpha>1, the combination of Theorem 5 and Corollary 1 implies 𝒞αGB{{\cal C}_{\alpha}}\subset{\cal R}_{G}^{B}. Taking the limit α1\alpha\to 1, we have 𝒞¯GB¯\overline{\cal C}\subset\overline{{\cal R}_{G}^{B}}. In the same way, using Theorem 5 and Corollary 2, we can show 𝒞¯(u,d)B¯\overline{\cal C}\subset\overline{{\cal R}_{(u,d)}^{B}}. ∎

Figure 5: Numerical plot of the commitment capacity for the AWGN channel with BPSK modulation. The vertical axis shows the commitment capacity, and the horizontal axis shows the noise power of the AWGN channel: x\in\mathbb{F}_{2}\mapsto Y=(-1)^{x}+N, where N is subject to the Gaussian distribution with mean 0 and variance v.
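The curve of Fig. 5 can be reproduced from the capacity formula (126). The sketch below evaluates H(X|Y)_{P} for the uniform input on \{0,1\}, which we assume attains the supremum (plausible by the symmetry of BPSK); the integration grid is our own choice.

```python
# Numerical evaluation of H(X|Y) for the BPSK-AWGN channel of Fig. 5
# at the uniform input, via H(X|Y) = H(X) - (h(Y) - h(Y|X)).
import numpy as np

def commitment_capacity_bpsk(v, grid=200001, span=15.0):
    """H(X|Y) in bits for X uniform on {+1,-1}, Y = X + N(0, v)."""
    y, dy = np.linspace(-span, span, grid, retstep=True)
    gauss = lambda m: np.exp(-(y - m) ** 2 / (2 * v)) / np.sqrt(2 * np.pi * v)
    p_y = 0.5 * (gauss(+1.0) + gauss(-1.0))          # output density
    h_y = -np.sum(p_y * np.log2(p_y + 1e-300)) * dy  # differential entropy
    h_y_given_x = 0.5 * np.log2(2 * np.pi * np.e * v)
    return 1.0 - (h_y - h_y_given_x)

for v in (0.1, 0.5, 1.0, 2.0, 5.0):
    print(f"v = {v}: H(X|Y) = {commitment_capacity_bpsk(v):.4f} bits")
```

As expected, the value approaches 0 as v\to 0 (Bob learns X) and approaches 1 bit as v\to\infty (Bob learns nothing).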

VIII-B Randomized construction (Proof of Theorem 5)

To show Theorem 5, we treat the set of messages {\cal M} as a vector space 𝔽p𝗆\mathbb{F}_{p}^{\mathsf{m}} over the finite field 𝔽p\mathbb{F}_{p}. For a linear regular hash function ff from 𝔽p𝗆\mathbb{F}_{p}^{\mathsf{m}} to 𝒦:=𝔽p𝗄{\cal K}:=\mathbb{F}_{p}^{\mathsf{k}} and a code ϕ\phi, we define the following value;

δ¯E(f,ϕ):=k𝒦12|𝒦|PY|K=kϕ,fPYϕ,f112δE(f,ϕ),\displaystyle\bar{\delta}_{E}(f,\phi):=\sum_{k\in{\cal K}}\frac{1}{2|{\cal K}|}\|P^{\phi,f}_{Y|K=k}-P^{\phi,f}_{Y}\|_{1}\geq\frac{1}{2}\delta_{E}(f,\phi), (128)

where the inequality follows from the triangle inequality. We denote the joint distribution of KK and YY by PK,Yϕ,fP_{K,Y}^{\phi,f} when KK is assumed to be subject to the uniform distribution on 𝒦{\cal K}. Then, the definition of δ¯E(f,ϕ)\bar{\delta}_{E}(f,\phi) is rewritten as

δ¯E(f,ϕ)=12PK,Yϕ,fPK,uni×PYϕ,f1.\displaystyle\bar{\delta}_{E}(f,\phi)=\frac{1}{2}\|P_{K,Y}^{\phi,f}-P_{K,\mathop{\rm uni}}\times P_{Y}^{\phi,f}\|_{1}. (129)

In the following, we employ a randomized construction. That is, we randomly choose a linear regular hash function fSf_{S} from 𝔽p𝗆\mathbb{F}_{p}^{\mathsf{m}} to 𝔽p𝗄\mathbb{F}_{p}^{\mathsf{k}}, where SS is a random seed to identify the function fSf_{S}. A randomized function fSf_{S} is called a universal2 hash function when the collision probability satisfies the inequality

Pr{fS(m)=fS(m)}p𝗄\displaystyle{\rm Pr}\{f_{S}(m)=f_{S}(m^{\prime})\}\leq p^{-\mathsf{k}} (130)

for any distinct elements mm𝔽p𝗆m\neq m^{\prime}\in\mathbb{F}_{p}^{\mathsf{m}} [19, 20].
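As a concrete instance for p=2, the family f_{S}(m):=Sm, where the seed S ranges over all \mathsf{k}\times\mathsf{m} binary matrices, is universal_2: for m\neq m^{\prime}, the image S(m-m^{\prime}) is uniform on \mathbb{F}_{2}^{\mathsf{k}}, so (130) holds with equality; each full-rank S additionally gives a linear regular hash function. The following sketch (toy parameters of our own) checks the collision bound empirically.

```python
# Empirical check (sketch) of the universal_2 bound (130) for random
# linear hashes f_S(x) = S x over F_2; parameters are illustrative.
import numpy as np

rng = np.random.default_rng(0)
m_bits, k_bits, trials = 8, 3, 20000

msg  = rng.integers(0, 2, m_bits)
msg2 = rng.integers(0, 2, m_bits)
while np.array_equal(msg, msg2):           # ensure m != m'
    msg2 = rng.integers(0, 2, m_bits)

collisions = 0
for _ in range(trials):
    S = rng.integers(0, 2, (k_bits, m_bits))
    collisions += np.array_equal(S.dot(msg) % 2, S.dot(msg2) % 2)

print("empirical Pr{f_S(m) = f_S(m')} =", collisions / trials)
print("universal_2 bound p^{-k}       =", 2.0 ** (-k_bits))
```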

When KK is subject to the uniform distribution on 𝒦{\cal K}, the stochastic behavior of KK can be simulated as follows. First, MM is generated according to the uniform distribution on {\cal M}. Then, the obtained outcome K=fs(M)K=f_{s}(M) of fsf_{s} with a fixed ss is subject to the uniform distribution on 𝒦{\cal K}. When fSf_{S} is a universal2 hash function with a variable SS, the Rényi conditional entropy version of universal hashing lemma [21, (67)][22, Lemma 27] [16, Proposition 21] implies that

ESδE(fS,ϕ)32|𝒦|t1+t2t1+tH1+t(M|Y).\displaystyle{\rm E}_{S}\delta_{E}(f_{S},\phi)\leq\frac{3}{2}|{\cal K}|^{\frac{t}{1+t}}2^{-\frac{t}{1+t}H_{1+t}(M|Y)}. (131)

Hence, there exists an element ss such that

δE(fs,ϕ)32|𝒦|t1+t2t1+tH1+t(M|Y).\displaystyle\delta_{E}(f_{s},\phi)\leq\frac{3}{2}|{\cal K}|^{\frac{t}{1+t}}2^{-\frac{t}{1+t}H_{1+t}(M|Y)}. (132)

Due to Markov inequality, there exists a subset 𝒦¯𝒦\bar{\cal K}\subset{\cal K} with cardinality |𝒦|/p|{\cal K}|/p such that any element k𝒦¯k\in\bar{\cal K} satisfies that

12PY|K=kϕ,fsPYϕ,fs1pp1δE(fs,ϕ).\displaystyle\frac{1}{2}\|P^{\phi,f_{s}}_{Y|K=k}-P^{\phi,f_{s}}_{Y}\|_{1}\leq\frac{p}{p-1}\delta_{E}(f_{s},\phi). (133)

This is because the number of elements that do not satisfy (133) is upper bounded by \frac{p-1}{p}|{\cal K}|. Hence, any elements k,k^{\prime}\in\bar{\cal K} satisfy

12PY|K=kϕ,fsPY|K=kϕ,fs12pp1δE(fs,ϕ).\displaystyle\frac{1}{2}\|P^{\phi,f_{s}}_{Y|K=k}-P^{\phi,f_{s}}_{Y|K=k^{\prime}}\|_{1}\leq\frac{2p}{p-1}\delta_{E}(f_{s},\phi). (134)

The combination of (132) and (134) implies that any elements k,k^{\prime}\in\bar{\cal K} satisfy

12PY|K=kϕ,fsPY|K=kϕ,fs13pp1|𝒦|t1+t2t1+tH1+t(M|Y).\displaystyle\frac{1}{2}\|P^{\phi,f_{s}}_{Y|K=k}-P^{\phi,f_{s}}_{Y|K=k^{\prime}}\|_{1}\leq\frac{3p}{p-1}|{\cal K}|^{\frac{t}{1+t}}2^{-\frac{t}{1+t}H_{1+t}(M|Y)}. (135)

Choosing ¯\bar{\cal M} to be fs1(𝒦¯)f_{s}^{-1}(\bar{\cal K}), we find that (135) is the same as (121) due to the definition (120).   

VIII-C Proof of Lemma 6

To show Lemma 6, we prepare the following proposition.

Proposition 3 ([22, Lemma 30])

Any function ff defined on {\cal M} and a joint distribution on ×𝒴{\cal M}\times{\cal Y} satisfy the following inequality

12Pf(M)YPf(M)×PY1\displaystyle\frac{1}{2}\|P_{f(M)Y}-P_{f(M)}\times P_{Y}\|_{1}
\displaystyle\geq supγ0[PMY{log1PM|Y(m|y)<γ}2γ|Imf|].\displaystyle\sup_{\gamma\geq 0}\left[P_{MY}\left\{\log\frac{1}{P_{M|Y}(m|y)}<\gamma\right\}-\frac{2^{\gamma}}{|\mathop{\rm Im}f|}\right]. (136)

\square

We focus on the joint distribution P_{MY} when Alice generates M according to the uniform distribution on {\cal M} and chooses X^{n} as \phi(M). Let p be the probability P_{MY}\left\{\log\frac{1}{P_{M|Y}(m|y)}<\gamma\right\}. Then, since H(M|Y)=\mathbb{E}_{MY}[\log\frac{1}{P_{M|Y}(M|Y)}] and the complementary event \log\frac{1}{P_{M|Y}(M|Y)}\geq\gamma has probability 1-p, the conditional entropy H(M|Y) is lower bounded as

H(M|Y)γ(1p).\displaystyle H(M|Y)\geq\gamma(1-p). (137)

The quantity δE(f,ϕ)\delta_{E}(f,\phi) is evaluated as

δE(f,ϕ)=maxk,k𝒦12PY|K=kϕ,fPY|K=kϕ,f1\displaystyle\delta_{E}(f,\phi)=\max_{k,k^{\prime}\in{\cal K}}\frac{1}{2}\|P^{\phi,f}_{Y|K=k}-P^{\phi,f}_{Y|K=k^{\prime}}\|_{1}
\displaystyle\geq k,k𝒦12|𝒦|2PY|K=kϕ,fPY|K=kϕ,f1\displaystyle\sum_{k,k^{\prime}\in{\cal K}}\frac{1}{2|{\cal K}|^{2}}\|P^{\phi,f}_{Y|K=k}-P^{\phi,f}_{Y|K=k^{\prime}}\|_{1}
\displaystyle\geq k𝒦12|𝒦|PY|K=kϕ,fPY1\displaystyle\sum_{k\in{\cal K}}\frac{1}{2|{\cal K}|}\|P^{\phi,f}_{Y|K=k}-P_{Y}\|_{1}
=\displaystyle= 12Pf(M)YPf(M)×PY1(a)p2γ|Imf|,\displaystyle\frac{1}{2}\|P_{f(M)Y}-P_{f(M)}\times P_{Y}\|_{1}\stackrel{{\scriptstyle(a)}}{{\geq}}p-\frac{2^{\gamma}}{|\mathop{\rm Im}f|}, (138)

where (a)(a) follows from Proposition 3. Hence, we have δE(f,ϕ)+2γ|Imf|p\delta_{E}(f,\phi)+\frac{2^{\gamma}}{|\mathop{\rm Im}f|}\geq p. Applying this relation to (137), we have

H(M|Y)γ(1δE(f,ϕ)2γ|Imf|).\displaystyle H(M|Y)\geq\gamma\big{(}1-\delta_{E}(f,\phi)-\frac{2^{\gamma}}{|\mathop{\rm Im}f|}\big{)}. (139)

Therefore,

γ(1δE(f,ϕ)2γ|(ϕ,D,f)|3)E(ϕ).\displaystyle\gamma\big{(}1-\delta_{E}(f,\phi)-\frac{2^{\gamma}}{|(\phi,D,f)|_{3}}\big{)}\leq E(\phi). (140)

Choosing γ=log|(ϕn,Dn,fn)|3n\gamma=\log|(\phi_{n},D_{n},f_{n})|_{3}-\sqrt{n}, we have

(log|(ϕn,Dn,fn)|3n)(1δE(fn,ϕn)2n)\displaystyle(\log|(\phi_{n},D_{n},f_{n})|_{3}-\sqrt{n})(1-\delta_{E}(f_{n},\phi_{n})-2^{-\sqrt{n}})
\displaystyle\leq E(ϕn).\displaystyle E(\phi_{n}). (141)

Dividing the above by nn and taking the limit, we have (127).   

IX Proof of Converse Theorem

In order to show Theorem 2, we prepare the following lemma.

Lemma 7

For Xn=(X1,,Xn)X^{n}=(X_{1},\ldots,X_{n}), we choose the joint distribution PXnP_{X^{n}}. Let Yn=(Y1,,Yn)Y^{n}=(Y_{1},\ldots,Y_{n}) be the channel output variables of the inputs XnX^{n} via the channel 𝐖\bm{W}. Then, using the chain rule, we have

I(Xn;Yn)\displaystyle I(X^{n};Y^{n}) =j=1nI(Xj;Yj|Yj1),\displaystyle=\sum_{j=1}^{n}I(X_{j};Y_{j}|Y^{j-1}), (142)
H(Xn)\displaystyle H(X^{n}) j=1nH(Xj|Yj1).\displaystyle\leq\sum_{j=1}^{n}H(X_{j}|Y^{j-1}). (143)

\square

The proof of Lemma 7 is given in Appendix C.

Proof of Theorem 2: The proof of Theorem 2 is composed of two parts. The first part is the evaluation of R1R_{1}. The second part is the evaluation of R1R2R_{1}-R_{2}. The key point of the first part is the use of (143) in Lemma 7. The key point of the second part is the meta converse for list decoding [6, Section III-A].

Step 1: Preparation.

We show Theorem 2 by showing the following relations;

(w,d)L\displaystyle{\cal R}_{(w,d)}^{L} 𝒞¯,\displaystyle\subset\overline{\cal C}, (144)
(s,s)L\displaystyle{\cal R}_{(s,s)}^{L} 𝒞s¯.\displaystyle\subset\overline{{\cal C}^{s}}. (145)

because a strongly secure sequence of deterministic codes is also weakly secure, so that {\cal R}_{(s,d)}^{L}\subset{\cal R}_{(w,d)}^{L}\subset\overline{\cal C} follows from (144). Assume that a sequence of deterministic codes \{(\phi_{n},D_{n})\} is weakly secure. We assume that R_{i}:=\lim_{n\to\infty}\frac{1}{n}\log|(\phi_{n},D_{n})|_{i} converges for i=1,2. For the definition of |(\phi_{n},D_{n})|_{i}, see the end of Section IV-B. Also, we assume that R_{3}\leq\lim_{n\to\infty}\frac{1}{n}E(\phi_{n}).

Letting M be the random variable of the message, we define the variables X^{n}=(X_{1},\ldots,X_{n}):=\phi_{n}(M). The random variables Y^{n}=(Y_{1},\ldots,Y_{n}) are defined as the output of the channel \bm{W}^{n}, which is the n-fold use of the channel \bm{W}. Choosing the set {\cal U}:=\cup_{i=1}^{n}\{i\}\times{\cal Y}^{i-1}, we define the joint distribution P_{n}\in{\cal P}({\cal U}\times{\cal X}) as p_{n}(x,u):=\frac{1}{n}p_{Y^{i-1},X_{i}}(y^{i-1},x) for u=(i,y^{i-1}).

Under the distribution PnP_{n}, we denote the channel output by YY. In this proof, we use the notations 𝖬n:=|(ϕn,Dn)|1\mathsf{M}_{n}:=|(\phi_{n},D_{n})|_{1} and 𝖫n:=|(ϕn,Dn)|2\mathsf{L}_{n}:=|(\phi_{n},D_{n})|_{2}. Also, instead of ϵA(ϕn,Dn)\epsilon_{A}(\phi_{n},D_{n}), we employ ϵA(ϕn,Dn):=m=1𝖬n1𝖬nϵA,m(ϕn(m),Dn)\epsilon_{A}^{\prime}(\phi_{n},D_{n}):=\sum_{m=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}\epsilon_{A,m}(\phi_{n}(m),D_{n}), which goes to zero.

Step 2: Evaluation of R1R_{1}.

When a code (ϕn,Dn)(\phi_{n},D_{n}) satisfies δC(ϕn,Dn)1ϵA(ϕn,Dn)\delta_{C}(\phi_{n},D_{n})\leq 1-\epsilon_{A}(\phi_{n},D_{n}), we have

log|(ϕn,Dn)|1(a)\displaystyle\log|(\phi_{n},D_{n})|_{1}\stackrel{{\scriptstyle(a)}}{{\leq}} H(Xn)+log2\displaystyle H(X^{n})+\log 2
(b)\displaystyle\stackrel{{\scriptstyle(b)}}{{\leq}} nH(X|U)Pn+log2,\displaystyle nH(X|U)_{P_{n}}+\log 2, (146)

where (b)(b) follows from (143) in Lemma 7 and the variable UU is defined in Step 1. Dividing the above by nn and taking the limit, we have

lim supnR1H(X|U)Pn0.\displaystyle\limsup_{n\to\infty}R_{1}-H(X|U)_{P_{n}}\leq 0. (147)

To show (a)(a) in (146), we consider the following protocol. After converting the message MM to XnX^{n} by the encoder ϕn(M)\phi_{n}(M), Alice sends the XnX^{n} to Bob 𝖪\mathsf{K} times. Here, we choose 𝖪\mathsf{K} to be an arbitrary large integer. Applying the decoder DnD_{n}, Bob obtains 𝖪\mathsf{K} lists that contain up to 𝖪𝖫n\mathsf{K}\mathsf{L}_{n} messages. Among these messages, Bob chooses M^\hat{M} as the element that most frequently appears in the 𝖪\mathsf{K} lists. When δC(ϕn,Dn)<1ϵA,M(ϕn(M),Dn)\delta_{C}(\phi_{n},D_{n})<1-\epsilon_{A,M}(\phi_{n}(M),D_{n}), the element MM has the highest probability to be contained in the list. In this case, when 𝖪\mathsf{K} is sufficiently large, Bob can correctly decode MM by this method because 1ϵA,M(ϕn(M),Dn)1-\epsilon_{A,M}(\phi_{n}(M),D_{n}) is the probability that the list contains MM and δC(ϕn,Dn)\delta_{C}(\phi_{n},D_{n}) is the maximum of the probability that the list contains mMm^{\prime}\neq M. Therefore, when δC(ϕn,Dn)1ϵA(ϕn,Dn)\delta_{C}(\phi_{n},D_{n})\leq 1-\epsilon_{A}(\phi_{n},D_{n}), the probability ϵ𝖪\epsilon_{\mathsf{K}} of the failure of decoding goes to zero as 𝖪\mathsf{K}\to\infty. Fano inequality shows that H(M|M^)ϵ𝖪log|(ϕn,Dn)|1+log2H(M|\hat{M})\leq\epsilon_{\mathsf{K}}\log|(\phi_{n},D_{n})|_{1}+\log 2. Then, we have

log|(ϕn,Dn)|1ϵ𝖪log|(ϕn,Dn)|1log2\displaystyle\log|(\phi_{n},D_{n})|_{1}-\epsilon_{\mathsf{K}}\log|(\phi_{n},D_{n})|_{1}-\log 2
\displaystyle\leq log|(ϕn,Dn)|1H(M|M^)\displaystyle\log|(\phi_{n},D_{n})|_{1}-H(M|\hat{M})
=\displaystyle= I(M;M^)I(M;Xn)\displaystyle I(M;\hat{M})\leq I(M;X^{n}) (148)
\displaystyle\leq H(Xn),\displaystyle H(X^{n}), (149)

which implies (a)(a) in (146) with the limit 𝖪\mathsf{K}\to\infty.

Step 3: Evaluation of R1R2R_{1}-R_{2}.

Now, we consider the hypothesis testing between the two distributions P(m,y^{n}):=\frac{1}{\mathsf{M}_{n}}W^{n}(y^{n}|\phi_{n}(m)) and Q(m,y^{n}):=\frac{1}{\mathsf{M}_{n}^{2}}\sum_{m^{\prime}=1}^{\mathsf{M}_{n}}W^{n}(y^{n}|\phi_{n}(m^{\prime})) on {\cal M}_{n}\times{\cal Y}^{n}, where {\cal M}_{n}:=\{1,\ldots,\mathsf{M}_{n}\}. Then, we define the region {\cal D}_{n}^{*}\subset{\cal M}_{n}\times{\cal Y}^{n} as \cup_{m_{1},\ldots,m_{\mathsf{L}_{n}}}\{m_{1},\ldots,m_{\mathsf{L}_{n}}\}\times{\cal D}_{m_{1},\ldots,m_{\mathsf{L}_{n}}}. Using the region {\cal D}_{n}^{*} as our test, we define \epsilon_{Q} as the error probability of incorrectly supporting P while the true distribution is Q. Also, we define \epsilon_{P} as the error probability of incorrectly supporting Q while the true distribution is P. When we apply the monotonicity of the KL divergence between P and Q, dropping the term \epsilon_{P}\log(1-\epsilon_{Q}), we have

logϵQD(PQ)+h(1ϵP)1ϵP,\displaystyle-\log\epsilon_{Q}\leq\frac{D(P\|Q)+h(1-\epsilon_{P})}{1-\epsilon_{P}}, (150)

where h is the binary entropy, i.e., h(p):=-p\log(p)-(1-p)\log(1-p). The meta converse for list decoding [6, Section III-A] shows that \epsilon_{Q}\leq\frac{|(\phi_{n},D_{n})|_{2}}{|(\phi_{n},D_{n})|_{1}} and \epsilon_{P}\leq\epsilon_{A}(\phi_{n},D_{n}). Since (142) in Lemma 7 guarantees that D(P\|Q)=I(X^{n};Y^{n})=nI(X;Y|U)_{P_{n}}, the relation (150) is converted to

log|(ϕn,Dn)|1|(ϕn,Dn)|2I(Xn;Yn)+h(1ϵP)1ϵP\displaystyle\log\frac{|(\phi_{n},D_{n})|_{1}}{|(\phi_{n},D_{n})|_{2}}\leq\frac{I(X^{n};Y^{n})+h(1-\epsilon_{P})}{1-\epsilon_{P}}
\displaystyle\leq nI(X;Y|U)Pn+h(1ϵA(ϕn,Dn))1ϵA(ϕn,Dn)\displaystyle\frac{nI(X;Y|U)_{P_{n}}+h(1-\epsilon_{A}(\phi_{n},D_{n}))}{1-\epsilon_{A}(\phi_{n},D_{n})} (151)

under the condition that ϵA(ϕn,Dn)12\epsilon_{A}(\phi_{n},D_{n})\leq\frac{1}{2}. Dividing the above by nn and taking the limit, we have

lim supnR1R2I(X;Y|U)Pn0.\displaystyle\limsup_{n\to\infty}R_{1}-R_{2}-I(X;Y|U)_{P_{n}}\leq 0. (152)

Step 4: Evaluation of R3R_{3}.

Since the code ϕn\phi_{n} is deterministic, remembering the definition of the variable UU given in Step 1, we have

log|(ϕn,Dn)|1E(ϕn)=H(M)H(M|Yn)\displaystyle\log|(\phi_{n},D_{n})|_{1}-E(\phi_{n})=H(M)-H(M|Y^{n})
=\displaystyle= I(M;Yn)=I(Xn;Yn)=nI(X;Y|U)Pn.\displaystyle I(M;Y^{n})=I(X^{n};Y^{n})=nI(X;Y|U)_{P_{n}}. (153)

Dividing the above by nn and taking the limit, we have

R1R3lim supnI(X;Y|U)Pn.\displaystyle R_{1}-R_{3}\geq\limsup_{n\to\infty}I(X;Y|U)_{P_{n}}. (154)

Therefore, combining Eqs. (147), (152), and (154), we obtain Eq. (144).

Step 5: Proof of Eq. (145).

Assume that a sequence of stochastic codes {(ϕn,Dn)}\{(\phi_{n},D_{n})\} is strongly secure. Then, there exists a sequence of deterministic encoders {ϕn}\{\phi_{n}^{\prime}\} such that ϵA(ϕn,Dn)ϵA(ϕn,Dn)\epsilon_{A}(\phi_{n}^{\prime},D_{n})\leq\epsilon_{A}(\phi_{n},D_{n}) and δC(ϕn,Dn)δD(Dn)\delta_{C}(\phi_{n}^{\prime},D_{n})\leq\delta_{D}(D_{n}). Since ϵA(ϕn,Dn)\epsilon_{A}(\phi_{n}^{\prime},D_{n}) and δC(ϕn,Dn)\delta_{C}(\phi_{n}^{\prime},D_{n}) go to zero, we have Eqs. (147) and (152). However, the derivation of (154) does not hold in this case. Since the code is stochastic, the equality I(M;Yn)=I(Xn;Yn)I(M;Y^{n})=I(X^{n};Y^{n}) does not hold in general.

Instead of (154), we have the following derivation. Taking the limit 𝖪\mathsf{K}\to\infty in (148), we have

log|(ϕn,Dn)|1log2I(M;Xn).\displaystyle\log|(\phi_{n},D_{n})|_{1}-\log 2\leq I(M;X^{n}). (155)

Hence,

I(Xn;Yn)=I(XnM;Yn)\displaystyle I(X^{n};Y^{n})=I(X^{n}M;Y^{n})
=\displaystyle= I(M;Yn)+I(Xn;Yn|M)\displaystyle I(M;Y^{n})+I(X^{n};Y^{n}|M)
\displaystyle\leq I(M;Yn)+H(Xn|M)\displaystyle I(M;Y^{n})+H(X^{n}|M)
=\displaystyle= I(M;Yn)+H(Xn)I(Xn;M)\displaystyle I(M;Y^{n})+H(X^{n})-I(X^{n};M)
\displaystyle\leq I(M;Yn)+H(Xn)log|(ϕn,Dn)|1+log2\displaystyle I(M;Y^{n})+H(X^{n})-\log|(\phi_{n},D_{n})|_{1}+\log 2
=\displaystyle= H(M)H(M|Yn)+H(Xn)log|(ϕn,Dn)|1+log2\displaystyle H(M)\!-\!H(M|Y^{n})+H(X^{n})\!-\!\log|(\phi_{n},D_{n})|_{1}+\log 2
=\displaystyle= log|(ϕn,Dn)|1log|(ϕn,Dn)|3\displaystyle\log|(\phi_{n},D_{n})|_{1}-\log|(\phi_{n},D_{n})|_{3}
+H(Xn)log|(ϕn,Dn)|1+log2\displaystyle+H(X^{n})-\log|(\phi_{n},D_{n})|_{1}+\log 2
=\displaystyle= log|(ϕn,Dn)|3+H(Xn)+log2.\displaystyle-\log|(\phi_{n},D_{n})|_{3}+H(X^{n})+\log 2. (156)

Hence, we have

log|(ϕn,Dn)|3H(Xn)+log2I(Xn;Yn)\displaystyle\log|(\phi_{n},D_{n})|_{3}\leq H(X^{n})+\log 2-I(X^{n};Y^{n})
=\displaystyle= H(Xn|Yn)+log2=nH(X|YU)Pn+log2\displaystyle H(X^{n}|Y^{n})+\log 2=nH(X|YU)_{P_{n}}+\log 2 (157)

Dividing the above by nn and taking the limit, we have

R3lim infnH(X|YU)Pn.\displaystyle R_{3}\leq\liminf_{n\to\infty}H(X|YU)_{P_{n}}. (158)

Therefore, combining Eqs. (147), (152), and (158), we obtain Eq. (145).   

X Proof of direct theorem

As explained in Section VI-B, we show only the second part (ii) based on random coding. First, we show Lemma 4. Then, using Lemma 4, we show the second part (ii) by preparing various lemmas, Lemmas 10, 11, 12, and 13. Using Lemmas 11 and 12, we extract an encoder \phi_{n} and messages m that have a small decoding error probability and satisfy two conditions, which will be stated as the conditions (188) and (205). Then, using these two conditions, we show that the code satisfies the binding condition for dishonest Alice (D) and the equivocation version of the concealing condition (B). In particular, Lemma 10 is used to derive the binding condition for dishonest Alice (D).

X-A Proof of Lemma 4

Step 1: For our proof of Lemma 4, we prepare the following lemma.

Lemma 8

Let 𝒮{\cal S} be a closed convex subset of 𝒫(𝒴){\cal P}({\cal Y}). Assume that a distribution P𝒫(𝒴)𝒮P\in{\cal P}({\cal Y})\setminus{\cal S} has the full support 𝒴{\cal Y}. We choose PP^{\prime} as

P:=argminQ𝒮D(QP).\displaystyle P^{\prime}:=\mathop{\rm argmin}_{Q\in{\cal S}}D(Q\|P). (159)

(i) We have Supp(Q)Supp(P)\mathop{\rm Supp}(Q)\subset\mathop{\rm Supp}(P^{\prime}) for Q𝒮Q\in{\cal S}. (ii) For Q𝒮Q\in{\cal S}, we have

D(PP)𝔼Q[logp(Y)logp(Y)].\displaystyle D(P^{\prime}\|P)\leq\mathbb{E}_{Q}[\log p^{\prime}(Y)-\log p(Y)]. (160)

\square

Proof: Now, we show (i) by contradiction. Suppose that there exists Q\in{\cal S} such that \mathop{\rm Supp}(Q)\not\subset\mathop{\rm Supp}(P^{\prime}). We define the distribution \bar{P}_{t}:=tQ+(1-t)P^{\prime}. Then, we have

D(P¯tP)=y𝒴(η(p¯t(y))p¯t(y)logp(y)),\displaystyle D(\bar{P}_{t}\|P)=\sum_{y\in{\cal Y}}(\eta(\bar{p}_{t}(y))-\bar{p}_{t}(y)\log p(y)), (161)

where \eta(x):=x\log x. The derivative of \sum_{y\in{\cal Y}}\bar{p}_{t}(y)\log p(y) with respect to t at t=0 is a finite value. For y\in\mathop{\rm Supp}(P^{\prime}), the derivative of \eta(\bar{p}_{t}(y)) with respect to t at t=0 is a finite value. For y\in\mathop{\rm Supp}(Q)\setminus\mathop{\rm Supp}(P^{\prime}), the derivative of \eta(\bar{p}_{t}(y)) with respect to t at t=0 is -\infty. Hence, the derivative of D(\bar{P}_{t}\|P) with respect to t at t=0 is -\infty. It means that there exists a small real number t_{0}>0 such that D(\bar{P}_{t_{0}}\|P)<D(\bar{P}_{0}\|P)=D(P^{\prime}\|P), which contradicts the definition of P^{\prime} as the minimizer.

Next, we show (ii). Theorem 11.6.1 of [26] shows the following.

D(QP)+D(PP)D(QP),\displaystyle D(Q\|P^{\prime})+D(P^{\prime}\|P)\leq D(Q\|P), (162)

which implies

D(PP)D(QP)D(QP)\displaystyle D(P^{\prime}\|P)\leq D(Q\|P)-D(Q\|P^{\prime})
=\displaystyle= 𝔼Q[logp(Y)logp(Y)].\displaystyle\mathbb{E}_{Q}[\log p^{\prime}(Y)-\log p(Y)]. (163)

Hence, we obtain (160).   

Step 2: We prove Lemma 4 when 𝒴{\cal Y} is a finite set and the support of WxW_{x} does not depend on x𝒳x\in{\cal X}.

For x𝒳x\in{\cal X}, we define the distribution Px𝒫(𝒳{x})P_{x}\in{\cal P}({\cal X}\setminus\{x\}) as

Px:=argminP𝒫(𝒳{x})D(x𝒳{x}P(x)WxWx)\displaystyle P_{x}:=\mathop{\rm argmin}_{P\in{\cal P}({\cal X}\setminus\{x\})}D\bigg{(}\sum_{x^{\prime}\in{\cal X}\setminus\{x\}}P(x^{\prime})W_{x^{\prime}}\bigg{\|}W_{x}\bigg{)} (164)

We choose ξx\xi_{x} as ξx(y):=logwx(y)logwPx(y)D(WxWPx)\xi_{x}(y):=\log w_{x}(y)-\log w_{P_{x}}(y)-D(W_{x}\|W_{P_{x}}), which satisfies (92). Applying (ii) of Lemma 8 to the case when 𝒮{\cal S} is {x′′𝒳{x}P(x′′)Wx′′}P𝒫(𝒳{x})\{\sum_{x^{\prime\prime}\in{\cal X}\setminus\{x\}}P(x^{\prime\prime})W_{x^{\prime\prime}}\}_{P\in{\cal P}({\cal X}\setminus\{x\})}, we have

ζ1\displaystyle\zeta_{1} =minxx𝒳𝔼x[logwPx(y)logwx(y)]+D(WxWPx)\displaystyle=\min_{x\neq x^{\prime}\in{\cal X}}\mathbb{E}_{x^{\prime}}[\log w_{P_{x}}(y)-\log w_{x}(y)]+D(W_{x}\|W_{P_{x}})
minxx𝒳D(WPxWx)+D(WxWPx)\displaystyle\geq\min_{x\neq x^{\prime}\in{\cal X}}D(W_{P_{x}}\|W_{x})+D(W_{x}\|W_{P_{x}})
=\displaystyle= minx𝒳D(WPxWx)+D(WxWPx)>0.\displaystyle\min_{x\in{\cal X}}D(W_{P_{x}}\|W_{x})+D(W_{x}\|W_{P_{x}})>0. (165)

Hence, it satisfies (93). Since the support of WxW_{x} does not depend on x𝒳x\in{\cal X}, the function ξx\xi_{x} takes a finite value. Since 𝒴{\cal Y} is a finite set, maxx,yξx(y)\max_{x,y}\xi_{x}(y) exists. Thus, it satisfies (94).
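For instance, for a binary symmetric channel this construction can be checked numerically: with {\cal X}=\{0,1\}, the minimizer P_{x} is the point mass on the other input \bar{x}, so \xi_{x}(y)=\log w_{x}(y)-\log w_{\bar{x}}(y)-D(W_{x}\|W_{\bar{x}}). The sketch below (crossover probability of our own choosing) verifies (92) and (93); (94) is immediate because all quantities are finite.

```python
# Numerical check (sketch) of the Step 2 construction for a BSC(0.1).
import numpy as np

p = 0.1
W = np.array([[1 - p, p],        # w_0(y)
              [p, 1 - p]])       # w_1(y)

def D(P, Q):                     # KL divergence in bits
    return float(np.sum(P * np.log2(P / Q)))

xi = {x: np.log2(W[x]) - np.log2(W[1 - x]) - D(W[x], W[1 - x]) for x in (0, 1)}

for x in (0, 1):
    print(f"E_x[xi_x]   = {W[x] @ xi[x]:+.6f}   (condition (92): = 0)")
    print(f"E_x'[-xi_x] = {-(W[1 - x] @ xi[x]):+.6f}   (condition (93): > 0)")
```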

Step 3: We prove Lemma 4 when 𝒴{\cal Y} is a finite set and the support of WxW_{x} depends on x𝒳x\in{\cal X}.

For an element x𝒳x\in{\cal X} and a small real number δ>0\delta>0, we define Wx,δW_{x,\delta} as

wx,δ(y):={(1δ)wx(y) for ySupp(Wx)δ|Supp(Wx)|c for ySupp(Wx)c,\displaystyle w_{x,\delta}(y):=\left\{\begin{array}[]{ll}(1-\delta)w_{x}(y)&\hbox{ for }y\in\mathop{\rm Supp}(W_{x})\\ \frac{\delta}{|\mathop{\rm Supp}(W_{x})|^{c}}&\hbox{ for }y\in\mathop{\rm Supp}(W_{x})^{c},\end{array}\right. (168)

where Supp(P)\mathop{\rm Supp}(P) is the support of the distribution PP. We define

Px,δ:=argminP𝒫(𝒳{x})D(WPWx,δ).\displaystyle P_{x,\delta}:=\mathop{\rm argmin}_{P\in{\cal P}({\cal X}\setminus\{x\})}D(W_{P}\|W_{x,\delta}). (169)

We choose δ>0\delta>0 to be sufficiently small such that

D(WPx,δWx,δ)\displaystyle D(W_{P_{x,\delta}}\|W_{x,\delta}) >0\displaystyle>0 (170)
log(1δ)+minP𝒫(𝒳{x})D(WxWP)\displaystyle\log(1-\delta)+\min_{P\in{\cal P}({\cal X}\setminus\{x\})}D(W_{x}\|W_{P}) >0\displaystyle>0 (171)

for any x𝒳x\in{\cal X}.

When \mathop{\rm Supp}(W_{x})\subset\cup_{x^{\prime}\in{\cal X}\setminus\{x\}}\mathop{\rm Supp}(W_{x^{\prime}}), we have \mathop{\rm Supp}(W_{x})\subset\mathop{\rm Supp}(W_{P_{x,\delta}}) due to (i) of Lemma 8. Then,

𝔼x[logwx,δ(Y)logwPx,δ(Y)]\displaystyle\mathbb{E}_{x}[\log w_{x,\delta}(Y)-\log w_{P_{x,\delta}}(Y)]
=\displaystyle= D(WxWPx,δ)+log(1δ)\displaystyle D(W_{x}\|W_{P_{x,\delta}})+\log(1-\delta)
\displaystyle\geq log(1δ)+minP𝒫(𝒳{x})D(WxWP)>0.\displaystyle\log(1-\delta)+\min_{P\in{\cal P}({\cal X}\setminus\{x\})}D(W_{x}\|W_{P})>0. (172)

Then, we define ξx\xi_{x} as

ξx(y):=\displaystyle\xi_{x}(y):= logwx,δ(y)logwPx,δ(y)\displaystyle\log w_{x,\delta}(y)-\log w_{P_{x,\delta}}(y)
𝔼x[logwx,δ(Y)logwPx,δ(Y)].\displaystyle-\mathbb{E}_{x}[\log w_{x,\delta}(Y)-\log w_{P_{x,\delta}}(Y)]. (173)

Then, we have

𝔼x[ξx(Y)]=0,\displaystyle\mathbb{E}_{x}[\xi_{x}(Y)]=0, (174)
minx𝒳{x}𝔼x[ξx(Y)]>0,\displaystyle\min_{x^{\prime}\in{\cal X}\setminus\{x\}}\mathbb{E}_{x^{\prime}}[-\xi_{x}(Y)]>0, (175)
maxx𝒳{x}𝕍x[ξx(Y)]<.\displaystyle\max_{x^{\prime}\in{\cal X}\setminus\{x\}}\mathbb{V}_{x^{\prime}}[\xi_{x}(Y)]<\infty. (176)

When \mathop{\rm Supp}(W_{x})\not\subset\cup_{x^{\prime}\in{\cal X}\setminus\{x\}}\mathop{\rm Supp}(W_{x^{\prime}}), we have \mathop{\rm Supp}(W_{P_{x,\delta}})=\cup_{x^{\prime}\in{\cal X}\setminus\{x\}}\mathop{\rm Supp}(W_{x^{\prime}}) due to (i) of Lemma 8 because W_{x,\delta} has the full support {\cal Y}. Then, we define \xi_{x} as

ξx(y):=logwx,δ(y)logwPx,δ(y)\displaystyle\xi_{x}(y):=\log w_{x,\delta}(y)-\log w_{P_{x,\delta}}(y) (177)

for y\in\mathop{\rm Supp}(W_{P_{x,\delta}}), and

\displaystyle\xi_{x}(y):=-\frac{{\displaystyle\sum_{y^{\prime}\in\mathop{\rm Supp}(W_{P_{x,\delta}})}}w_{x}(y^{\prime})(\log w_{x,\delta}(y^{\prime})-\log w_{P_{x,\delta}}(y^{\prime}))}{W_{x}(\mathop{\rm Supp}(W_{P_{x,\delta}})^{c})} (178)

for y\in\mathop{\rm Supp}(W_{P_{x,\delta}})^{c}. Then, we have (174), (175), and (176). Therefore, our functions \{\xi_{x}\}_{x\in{\cal X}} satisfy the conditions (92), (93), and (94).

Step 4: We prove Lemma 4 when 𝒴{\cal Y} is not a finite set. Since the channel 𝑾\bm{W} satisfies Condition (W2), there exists a map ff from 𝒴{\cal Y} to a finite set 𝒴0{\cal Y}_{0} such that the channel 𝑾f1={Wxf1}x𝒳\bm{W}\circ f^{-1}=\{W_{x}\circ f^{-1}\}_{x\in{\cal X}} satisfies Condition (W2), where Wxf1({y0}):=Wx(f1{y0})W_{x}\circ f^{-1}(\{y_{0}\}):=W_{x}(f^{-1}\{y_{0}\}) for y0𝒴0y_{0}\in{\cal Y}_{0}. Applying the result of Step 3 to the channel 𝑾f1\bm{W}\circ f^{-1}, we obtain functions {ξx,0}x𝒳\{\xi_{x,0}\}_{x\in{\cal X}} defined on 𝒴0{\cal Y}_{0}. Then, for x𝒳x\in{\cal X}, we choose a function ξx\xi_{x} on 𝒴{\cal Y} as ξx(y):=ξx,0(f(y))\xi_{x}(y):=\xi_{x,0}(f(y)). The functions {ξx}x𝒳\{\xi_{x}\}_{x\in{\cal X}} satisfy the conditions (92), (93), and (94).

X-B Preparation

To show Theorem 3, we prepare notations and information quantities. For P𝒫(𝒳)P\in{\cal P}({\cal X}) and t>0t>0, we define

GP|x(t)\displaystyle G_{P|x}(t) :=log(2tP(x)+1P(x))\displaystyle:=\log(2^{t}P(x)+1-P(x)) (179)
GP,P(t)\displaystyle G_{P,P^{\prime}}(t) :=x𝒳P(x)log(2tP(x)+1P(x)).\displaystyle:=\sum_{x\in{\cal X}}P^{\prime}(x)\log(2^{t}P(x)+1-P(x)). (180)

Then, we define the Legendre transform

L[GP,P](r):=mint>0GP,P(t)tr.\displaystyle L[G_{P,P^{\prime}}](r):=\min_{t>0}G_{P,P^{\prime}}(t)-tr. (181)

Using the ϵ\epsilon-neighborhood Uϵ,PU_{\epsilon,P} of PP with respect to the variational distance, we define

LPϵ(r):=maxPUϵ,PL[GP,P](r).\displaystyle L^{\epsilon}_{P}(r):=\max_{P^{\prime}\in U_{\epsilon,P}}L[G_{P,P^{\prime}}](r). (182)

Then, we have the following lemma, which is shown in Appendix D.

Lemma 9
limδ+0L[GP,P](1δ)=H(P).\displaystyle\lim_{\delta\to+0}L[G_{P,P}](1-\delta)=-H(P). (183)
limϵ+0LPϵ(r)=L[GP,P](r).\displaystyle\lim_{\epsilon\to+0}L^{\epsilon}_{P}(r)=L[G_{P,P}](r). (184)

\square
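Lemma 9 can be illustrated numerically for a concrete P. The sketch below (binary P and a t-grid of our own choosing) evaluates L[G_{P,P}](1-\delta) of (181) and compares it with -H(P) as \delta decreases; the convergence in (183) is slow but visible.

```python
# Numerical illustration (sketch) of (183) in Lemma 9 for a binary P.
import numpy as np

P = np.array([0.3, 0.7])
H = float(-np.sum(P * np.log2(P)))          # H(P) in bits

def L(r):
    """L[G_{P,P}](r) of (181), with the minimum taken over a t-grid."""
    t = np.linspace(1e-3, 60.0, 60000)[:, None]
    G = np.sum(P * np.log2(2.0 ** t * P + 1.0 - P), axis=1)   # G_{P,P}(t)
    return float(np.min(G - t[:, 0] * r))

for delta in (0.3, 0.1, 0.03, 0.01):
    print(f"delta = {delta}: L[G](1-delta) = {L(1 - delta):+.4f}, "
          f"-H(P) = {-H:+.4f}")
```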

For α>1\alpha>1, we choose R1R_{1}, R2R_{2}, and R3R_{3} to satisfy the conditions (81), (82), and (83). For our decoder construction, we choose three real numbers ϵ1,ϵ2>0\epsilon_{1},\epsilon_{2}>0 and R4R_{4}. The real number R4R_{4} is chosen as

I(X;Y)P>R4>R1R2.\displaystyle I(X;Y)_{P}>R_{4}>R_{1}-R_{2}. (185)

Using Lemma 9, we choose ϵ2\epsilon_{2} such that

L[GP,P](1ϵ2)>R1.\displaystyle-L[G_{P,P}](1-\epsilon_{2})>R_{1}. (186)

Then, we choose ϵ1\epsilon_{1} to satisfy

ζ1ϵ22ϵ1>0.\displaystyle\zeta_{1}\frac{\epsilon_{2}}{2}-\epsilon_{1}>0. (187)

Next, we fix the message size \mathsf{M}_{n}:=2^{nR_{1}}, the list size \mathsf{L}_{n}:=2^{nR_{2}}, and a number \mathsf{M}_{n}^{\prime}:=2^{nR_{4}}, which is smaller than the message size \mathsf{M}_{n}. For x^{n}=(x^{n}_{1},\ldots,x_{n}^{n})\in{\cal X}^{n}, we define w_{x^{n}}(y^{n}):=w_{x^{n}_{1}}(y_{1}^{n})\cdots w_{x^{n}_{n}}(y_{n}^{n}) for y^{n}=(y^{n}_{1},\ldots,y_{n}^{n}). We prepare the decoder used in this proof as follows.

Definition 1 (Decoder DϕnD_{\phi_{n}})

Given a distribution PP on 𝒳{\cal X}, we define the decoder DϕnD_{\phi_{n}} for a given encoder ϕn\phi_{n} (a map from {1,,𝖬n}\{1,\ldots,\mathsf{M}_{n}\} to 𝒳n{\cal X}^{n}) in the following way. Using the condition (96), we define the subset 𝒟xn:={yn|wxn(yn)𝖬nwPnn(yn),ξxn(yn)nϵ1}{\cal D}_{x^{n}}:=\{y^{n}|w_{x^{n}}(y^{n})\geq\mathsf{M}_{n}^{\prime}w_{P^{n}}^{n}(y^{n}),\xi_{x^{n}}(y^{n})\geq-n\epsilon_{1}\}. Then, for yn𝒴ny^{n}\in{\cal Y}^{n}, we choose up to 𝖫n\mathsf{L}_{n} elements i1,,i𝖫ni_{1},\ldots,i_{\mathsf{L}_{n}^{\prime}} (𝖫n𝖫n)(\mathsf{L}_{n}^{\prime}\leq\mathsf{L}_{n}) as the decoded messages such that yn𝒟ϕn(ij)y^{n}\in{\cal D}_{\phi_{n}(i_{j})} for j=1,,𝖫nj=1,\ldots,\mathsf{L}_{n}^{\prime}. \square
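A direct transcription of this decoder may help fix ideas. The sketch below is for finite alphabets; the data layout (w[x][y] for the channel, xi[x][y] for the score functions of (92)-(94)) and all names are our own illustrative choices, with Mprime = \mathsf{M}_{n}^{\prime} and eps1 = \epsilon_{1}.

```python
# Sketch of the decoder D_{phi_n} of Definition 1 for finite alphabets.
import numpy as np

def in_D(xn, yn, w, P, xi, Mprime, eps1):
    """Test y^n in D_{x^n}: the likelihood-ratio condition
    w_{x^n}(y^n) >= M'_n w_P^n(y^n) and the score condition (96)."""
    n = len(xn)
    log_w  = sum(np.log2(w[x][y]) for x, y in zip(xn, yn))
    log_wP = sum(np.log2(sum(P[x] * w[x][y] for x in range(len(P))))
                 for y in yn)
    score  = sum(xi[x][y] for x, y in zip(xn, yn))   # xi_{x^n}(y^n) of (95)
    return log_w - log_wP >= np.log2(Mprime) and score >= -eps1 * n

def decode_list(yn, phi, w, P, xi, Mprime, eps1, Ln):
    """Return up to L_n messages m with y^n in D_{phi(m)}."""
    hits = [m for m, xn in enumerate(phi)
            if in_D(xn, yn, w, P, xi, Mprime, eps1)]
    return hits[:Ln]
```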

Remember that, for x^{n}=(x^{n}_{1},\ldots,x^{n}_{n}),{x^{n}}^{\prime}=({x^{n}_{1}}^{\prime},\ldots,{x^{n}_{n}}^{\prime})\in{\cal X}^{n}, the Hamming distance d_{H}(x^{n},{x^{n}}^{\prime}) is defined in Subsection VI-B as the number of indices k such that x_{k}^{n}\neq{x_{k}^{n}}^{\prime}. In the proof of Theorem 3, we need to extract an encoder \phi_{n} and elements m\in{\cal M}_{n} that satisfy the following condition;

dH(ϕn(m),ϕn(j))>nϵ2 for jm.\displaystyle d_{H}(\phi_{n}(m),\phi_{n}(j))>n\epsilon_{2}\hbox{ for }\forall j\neq m. (188)

For this aim, given a code ϕn\phi_{n} and a real number ϵ2>0\epsilon_{2}>0, we define the function ηϕn,ϵ2C\eta_{\phi_{n},\epsilon_{2}}^{C} from n{\cal M}_{n} to {0,1}\{0,1\} as

ηϕn,ϵ2C(m)\displaystyle\eta_{\phi_{n},\epsilon_{2}}^{C}(m) :={0 when (188) holds1 otherwise. \displaystyle:=\left\{\begin{array}[]{ll}0&\hbox{ when \eqref{CC2} holds}\\ 1&\hbox{ otherwise. }\end{array}\right. (191)

As shown in Section X-D, we have the following lemma.

Lemma 10

When a code \tilde{\phi}_{n} defined on a subset \tilde{{\cal M}}_{n}\subset{\cal M}_{n} satisfies

dH(ϕ~n(m),ϕ~n(m))>nϵ2\displaystyle d_{H}(\tilde{\phi}_{n}(m),\tilde{\phi}_{n}(m^{\prime}))>n\epsilon_{2} (192)

for two distinct elements mm~nm\neq m^{\prime}\in\tilde{{\cal M}}_{n}, the decoder Dϕ~nD_{\tilde{\phi}_{n}} defined in Definition 1 satisfies

δD(Dϕ~n)ζ2n[ζ1ϵ22ϵ1]+2.\displaystyle\delta_{D}(D_{\tilde{\phi}_{n}})\leq\frac{\zeta_{2}}{{n}[\zeta_{1}\frac{\epsilon_{2}}{2}-\epsilon_{1}]_{+}^{2}}. (193)

\square

X-C Proof of Theorem 3

Step 1: Lemmas related to random coding.

To show Theorem 3, we assume that the variables \Phi_{n}(m) for m\in{\cal M}_{n} are independently subject to the distribution P^{n}. Then, we have the following three lemmas, which are shown later. In this proof, we treat the code \Phi_{n} as a random variable. Hence, the expectation and the probability for this variable are denoted by {\rm E}_{\Phi_{n}} and {\rm Pr}_{\Phi_{n}}, respectively.

Lemma 11

When

I(X;Y)P>R4>R1R2,\displaystyle I(X;Y)_{P}>R_{4}>R_{1}-R_{2}, (194)

we have the average version of Verifiable condition (A), i.e.,

limnEΦnm=1𝖬n1𝖬nϵA,m(Φn,DΦn)=0.\displaystyle\lim_{n\to\infty}{\rm E}_{\Phi_{n}}\sum_{m=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}\epsilon_{A,m}(\Phi_{n},D_{\Phi_{n}})=0. (195)

\square

Lemma 12

For ϵ2>0\epsilon_{2}>0, we have

limnEΦnm=1𝖬n1𝖬nηΦn,ϵ2C(m)=0.\displaystyle\lim_{n\to\infty}{\rm E}_{\Phi_{n}}\sum_{m=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}\eta_{\Phi_{n},\epsilon_{2}}^{C}(m)=0. (196)

\square

Lemma 13

We choose QP,α𝒫(𝒴)Q_{P,\alpha}\in{\cal P}({\cal Y}) as

QP,α:=argminQ𝒫(𝒴)Dα(𝑾×PQ×P).\displaystyle Q_{P,\alpha}:=\mathop{\rm argmin}_{Q\in{\cal P}({\cal Y})}D_{\alpha}(\bm{W}\times P\|Q\times P). (197)

We have

EΦni=1𝖬n1𝖬n2(α1)Dα(WΦn(i)QP,αn)=2n(α1)Iα(X;Y)P.\displaystyle{\rm E}_{\Phi_{n}}\sum_{i=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}2^{(\alpha-1)D_{\alpha}(W_{\Phi_{n}(i)}\|Q_{P,\alpha}^{n})}=2^{n(\alpha-1)I_{\alpha}(X;Y)_{P}}. (198)

\square

Step 2: Extraction of an encoder ϕn\phi_{n} and messages mm with a small decoding error probability that satisfies the condition (188).

We define ϵ3,n\epsilon_{3,n} as

\displaystyle\epsilon_{3,n}:=9{\rm E}_{\Phi_{n}}\sum_{m=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}\Big{(}\epsilon_{A,m}(\Phi_{n},D_{\Phi_{n}})+\eta_{\Phi_{n},\epsilon_{2}}^{C}(m)\Big{)}. (199)

Lemmas 11 and 12 guarantee that \epsilon_{3,n}\to 0. Then, there exists a sequence of codes \phi_{n} such that

m=1𝖬n1𝖬n(ϵA,m(ϕn,Dϕn)+ηϕn,ϵ2C(m))ϵ3,n3,\displaystyle\sum_{m=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}\Big{(}\epsilon_{A,m}(\phi_{n},D_{\phi_{n}})+\eta_{\phi_{n},\epsilon_{2}}^{C}(m)\Big{)}\leq\frac{\epsilon_{3,n}}{3}, (200)
m=1𝖬n1𝖬n2(α1)Dα(Wϕn(m)QP,αn)32n(α1)Iα(X;Y|P).\displaystyle\sum_{m=1}^{\mathsf{M}_{n}}\frac{1}{\mathsf{M}_{n}}2^{(\alpha-1)D_{\alpha}(W_{\phi_{n}(m)}\|Q_{P,\alpha}^{n})}\leq 3\cdot 2^{n(\alpha-1)I_{\alpha}(X;Y|P)}. (201)

Due to Eq. (200), the Markov inequality guarantees that there exist 2\mathsf{M}_{n}/3 elements \tilde{{\cal M}}_{n}:=\{m_{1},\ldots,m_{2\mathsf{M}_{n}/3}\} such that every element m\in\tilde{{\cal M}}_{n} satisfies

ϵA,m(ϕn,Dϕn)+ηϕn,ϵ2C(m)ϵ3,n,\displaystyle\epsilon_{A,m}(\phi_{n},D_{\phi_{n}})+\eta_{\phi_{n},\epsilon_{2}}^{C}(m)\leq\epsilon_{3,n}, (202)

which implies that

ϵA,m(ϕn,Dϕn)\displaystyle\epsilon_{A,m}(\phi_{n},D_{\phi_{n}}) ϵ3,n\displaystyle\leq\epsilon_{3,n} (203)
ηϕn,ϵ2C(m)\displaystyle\eta_{\phi_{n},\epsilon_{2}}^{C}(m) =0\displaystyle=0 (204)

because ηϕn,ϵ2C\eta_{\phi_{n},\epsilon_{2}}^{C} takes value 0 or 1. Then, we define a code ϕ~n\tilde{\phi}_{n} on ~n\tilde{{\cal M}}_{n} as ϕ~n(m):=ϕn(m)\tilde{\phi}_{n}(m):={\phi}_{n}(m) for m~nm\in\tilde{{\cal M}}_{n}. Eq. (203) guarantees Condition (A). Eq. (201) guarantees that

m~n1|~n|2(α1)Dα(Wϕ~n(m)QP,αn)\displaystyle\sum_{m\in\tilde{\cal M}_{n}}\frac{1}{|\tilde{\cal M}_{n}|}2^{(\alpha-1)D_{\alpha}(W_{\tilde{\phi}_{n}(m)}\|Q_{P,\alpha}^{n})}
=\displaystyle= m~n32𝖬n2(α1)Dα(Wϕn(m)QP,αn)\displaystyle\sum_{m\in\tilde{\cal M}_{n}}\frac{3}{2\mathsf{M}_{n}}2^{(\alpha-1)D_{\alpha}(W_{\phi_{n}(m)}\|Q_{P,\alpha}^{n})}
\displaystyle\leq 922n(α1)Iα(X;Y|P).\displaystyle\frac{9}{2}\cdot 2^{n(\alpha-1)I_{\alpha}(X;Y|P)}. (205)

Step 3: Proof of the binding condition for dishonest Alice (D).

The relation (204) guarantees the condition

dH(ϕ~n(m),ϕ~n(m))>nϵ2\displaystyle d_{H}(\tilde{\phi}_{n}(m),\tilde{\phi}_{n}(m^{\prime}))>n\epsilon_{2} (206)

for mm~nm\neq m^{\prime}\in\tilde{{\cal M}}_{n}. Therefore, Lemma 10 guarantees the binding condition for dishonest Alice (D), i.e.,

δD(Dϕ~n)ζ2n[ζ1ϵ22ϵ1]+2.\displaystyle\delta_{D}(D_{\tilde{\phi}_{n}})\leq\frac{\zeta_{2}}{{n}[\zeta_{1}\frac{\epsilon_{2}}{2}-\epsilon_{1}]_{+}^{2}}. (207)

Step 4: Proof of the equivocation version of concealing condition (B).

Eq. (205) guarantees that

minQn𝒫(𝒴n)m~n1|~n|2(α1)Dα(Wϕ~n(m)Qn)\displaystyle\min_{Q_{n}\in{\cal P}({\cal Y}^{n})}\sum_{m\in\tilde{\cal M}_{n}}\frac{1}{|\tilde{{\cal M}}_{n}|}2^{(\alpha-1)D_{\alpha}(W_{\tilde{\phi}_{n}(m)}\|Q_{n})}
\displaystyle\leq m~n1|~n|2(α1)Dα(Wϕ~n(m)QP,αn)\displaystyle\sum_{m\in\tilde{\cal M}_{n}}\frac{1}{|\tilde{{\cal M}}_{n}|}2^{(\alpha-1)D_{\alpha}(W_{\tilde{\phi}_{n}(m)}\|Q_{P,\alpha}^{n})}
\displaystyle\leq 922n(α1)Iα(X;Y)P.\displaystyle\frac{9}{2}\cdot 2^{n(\alpha-1)I_{\alpha}(X;Y)_{P}}. (208)

Hence,

limn1nEα(ϕ~n)R1Iα(X;Y)PR3.\displaystyle\lim_{n\to\infty}\frac{1}{n}E_{\alpha}(\tilde{\phi}_{n})\geq R_{1}-I_{\alpha}(X;Y)_{P}\geq R_{3}. (209)

 

X-D Proof of Lemma 10

Step 1: Evaluation of W^{n}_{{x^{n}}^{\prime}}({\cal D}_{x^{n}}).

The conditions (92) and (93) imply that

𝔼xn[ξxn]\displaystyle\mathbb{E}_{{x^{n}}^{\prime}}[\xi_{x^{n}}] ζ1d(xn,xn).\displaystyle\leq-\zeta_{1}d(x^{n},{x^{n}}^{\prime}). (210)

The condition (94) implies that

𝕍xn[ξxn]\displaystyle\mathbb{V}_{{x^{n}}^{\prime}}[\xi_{x^{n}}] nζ2.\displaystyle\leq n\zeta_{2}. (211)

Hence, applying Chebyshev inequality to the variable ξxn(Yn)\xi_{x^{n}}(Y^{n}), we have

Wxnn(𝒟xn)\displaystyle W^{n}_{{x^{n}}^{\prime}}({\cal D}_{{x^{n}}})\leq Wxnn({yn|ξxn(yn)nϵ1})\displaystyle W^{n}_{{x^{n}}^{\prime}}(\{y^{n}|\xi_{x^{n}}(y^{n})\geq-n\epsilon_{1}\})
\displaystyle\leq nζ2[ζ1d(xn,xn)nϵ1]+2.\displaystyle\frac{n\zeta_{2}}{[\zeta_{1}d(x^{n},{x^{n}}^{\prime})-n\epsilon_{1}]_{+}^{2}}. (212)

Step 2: Evaluation of the smaller of W^{n}_{x^{n}}({\cal D}_{\tilde{\phi}_{n}(m)}) and W^{n}_{x^{n}}({\cal D}_{\tilde{\phi}_{n}(m^{\prime})}). Since Eq. (192) implies

nϵ2<d(ϕ~n(m),ϕ~n(m))\displaystyle n\epsilon_{2}<d(\tilde{\phi}_{n}(m),\tilde{\phi}_{n}(m^{\prime}))
\displaystyle\leq dH(xn,ϕ~n(m))+dH(xn,ϕ~n(m)),\displaystyle d_{H}(x^{n},\tilde{\phi}_{n}(m))+d_{H}(x^{n},\tilde{\phi}_{n}(m^{\prime})), (213)

we have

\max([\zeta_1 d_H(x^n,\tilde{\phi}_n(m))-n\epsilon_1]_+,\,[\zeta_1 d_H(x^n,\tilde{\phi}_n(m'))-n\epsilon_1]_+) \geq [n(\zeta_1\tfrac{\epsilon_2}{2}-\epsilon_1)]_+. \qquad (214)

Hence, (212) guarantees that

\begin{aligned}
\min(W^n_{x^n}({\cal D}_{\tilde{\phi}_n(m)}),W^n_{x^n}({\cal D}_{\tilde{\phi}_n(m')}))
&\leq \frac{n\zeta_2}{\max([\zeta_1 d(x^n,\tilde{\phi}_n(m))-n\epsilon_1]_+^2,\,[\zeta_1 d(x^n,\tilde{\phi}_n(m'))-n\epsilon_1]_+^2)} \\
&\leq \frac{n\zeta_2}{[n(\zeta_1\frac{\epsilon_2}{2}-\epsilon_1)]_+^2}=\frac{\zeta_2}{n[\zeta_1\frac{\epsilon_2}{2}-\epsilon_1]_+^2},
\end{aligned} \qquad (215)

which implies the desired statement.   

X-E Proof of Lemma 11

We show Lemma 11 by employing an idea similar to [23, 24]. First, we show the following lemma.

Lemma 14

We have the following inequality:

\epsilon_A(\Phi_n,D_{\Phi_n}) \leq \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\Big(W_{\Phi_n(i)}({\cal D}_{\Phi_n(i)}^c)+\sum_{j\neq i}\frac{1}{\mathsf{L}_n}W_{\Phi_n(i)}({\cal D}_{\Phi_n(j)})\Big). \qquad (216)

\square

Proof: When $i$ is sent, there are two cases for incorrect decoding. The first case is that the received element $y$ does not belong to ${\cal D}_{\Phi_n(i)}$. The second case is that more than $\mathsf{L}_n$ elements $i'$ satisfy $y\in{\cal D}_{\Phi_n(i')}$. In fact, the second case does not always lead to incorrect decoding. However, the sum of the probabilities of the two cases upper bounds the decoding error probability $\epsilon_A(\Phi_n,D_{\Phi_n})$. Hence, it is sufficient to evaluate these two probabilities. The probability of the first case is the first term of Eq. (216). For the second case, if it occurs, at least $\mathsf{L}_n$ indices $j\neq i$ satisfy $y\in{\cal D}_{\Phi_n(j)}$, so its indicator function is upper bounded by $\frac{1}{\mathsf{L}_n}\sum_{j\neq i}1[y\in{\cal D}_{\Phi_n(j)}]$; taking the expectation under $W_{\Phi_n(i)}$ gives the second term of Eq. (216).   

Taking the average in (216) of Lemma 14 with respect to the variable $\Phi_n$, we obtain the following lemma. The following discussion employs the notations ${\rm E}_{\Phi_n}$ and ${\rm E}_{X^n}$, which are defined in the middle of Section V.

Lemma 15

We have the following inequality:

{\rm E}_{\Phi_n}\epsilon_A(\Phi_n,D_{\Phi_n}) \leq \sum_{x^n\in{\cal X}^n}P^n(x^n)\Big(W_{x^n}({\cal D}_{x^n}^c)+\frac{\mathsf{M}_n-1}{\mathsf{L}_n}W_{P^n}({\cal D}_{x^n})\Big). \qquad (217)

\square

Applying Lemma 15, we have

\begin{aligned}
{\rm E}_{\Phi_n}\epsilon_A(\Phi_n,D_{\Phi_n})
\leq{}& {\rm E}_{X^n}W_{X^n}\big(\big\{y^n\big|2^{-nR_4}w_{X^n}(y^n)<w_{P^n}(y^n)\big\}\big) \\
&+{\rm E}_{X^n}W_{X^n}\big(\big\{y^n\big|\xi_{X^n}(y^n)<-n\epsilon_1\big\}\big) \\
&+{\rm E}_{X^n}2^{n(R_1-R_2)}W_{P^n}\big(\big\{y^n\big|2^{-nR_4}w_{X^n}(y^n)\geq w_{P^n}(y^n)\big\}\big) \\
\stackrel{(a)}{\leq}{}& {\rm E}_{X^n}W_{X^n}\big(\big\{y^n\big|\log w_{X^n}(y^n)-\log w_{P^n}(y^n)<nR_4\big\}\big) \\
&+{\rm E}_{X^n}W_{X^n}\big(\big\{y^n\big|\xi_{X^n}(y^n)<-n\epsilon_1\big\}\big) \\
&+{\rm E}_{X^n}2^{n(R_1-R_2)}2^{-nR_4}W_{X^n}\big(\big\{y^n\big|2^{-nR_4}w_{X^n}(y^n)\geq w_{P^n}(y^n)\big\}\big) \\
\leq{}& {\rm E}_{X^n}W_{X^n}\Big(\Big\{y^n\Big|\tfrac{1}{n}\big(\log w_{X^n}(y^n)-\log w_{P^n}(y^n)\big)<R_4\Big\}\Big) \\
&+{\rm E}_{X^n}W_{X^n}\Big(\Big\{y^n\Big|\tfrac{1}{n}\xi_{X^n}(y^n)<-\epsilon_1\Big\}\Big)+2^{n(R_1-R_2-R_4)},
\end{aligned} \qquad (218)

where $(a)$ follows from the relation

W_{P^n}\big(\big\{y^n\big|2^{-nR_4}w_{X^n}(y^n)\geq w_{P^n}(y^n)\big\}\big) \leq 2^{-nR_4}W_{X^n}\big(\big\{y^n\big|2^{-nR_4}w_{X^n}(y^n)\geq w_{P^n}(y^n)\big\}\big).

The variable $\frac{1}{n}(\log w_{X^n}(y^n)-\log w_{P^n}(y^n))$ is the mean of $n$ independent variables distributed identically to the variable $\log w_X(Y)-\log w_P(Y)$, whose average is $I(X;Y)_P>R_4$. The variable $\frac{1}{n}\xi_{X^n}(y^n)$ is the mean of $n$ independent variables distributed identically to the variable $\xi_X(Y)$, whose average is $0$. Thus, the law of large numbers guarantees that the first and second terms in (218) approach zero as $n$ goes to infinity. The third term in (218) also approaches zero due to the assumption (185). Therefore, we obtain Eq. (195).   
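This concentration behavior can be illustrated numerically. The following is a minimal sketch, assuming a toy binary symmetric channel with crossover probability $p$ and uniform input (an assumption made only for this illustration, not part of the proof); it shows the normalized information density concentrating around $I(X;Y)_P=1-h(p)$, as the law of large numbers asserts.

import numpy as np

# Minimal numerical sketch (toy setting): for a binary symmetric channel with
# crossover probability p and uniform input P, the normalized information
# density (1/n)(log w_{X^n}(Y^n) - log w_{P^n}(Y^n)) concentrates around
# I(X;Y)_P = 1 - h(p).
rng = np.random.default_rng(0)
p, n, trials = 0.1, 2000, 200

def h(q):  # binary entropy in bits
    return -q * np.log2(q) - (1 - q) * np.log2(1 - q)

densities = []
for _ in range(trials):
    x = rng.integers(0, 2, n)                              # uniform input X^n
    y = np.where(rng.random(n) < p, 1 - x, x)              # BSC output Y^n
    log_w_x = np.where(x == y, np.log2(1 - p), np.log2(p)) # log w_{X^n}(Y^n)
    log_w_p = np.full(n, np.log2(0.5))                     # output marginal is uniform
    densities.append((log_w_x - log_w_p).sum() / n)

print("empirical mean:", np.mean(densities))               # close to 1 - h(p)
print("I(X;Y)_P      :", 1 - h(p))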

X-F Proof of Lemma 13

Eq. (198) can be shown as follows.

\begin{aligned}
{\rm E}_{\Phi}\sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}2^{(\alpha-1)D_\alpha(W_{\Phi_n(i)}\|Q_{P,\alpha}^n)}
&= {\rm E}_{\Phi}\sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\prod_{j=1}^{n}\mathbb{E}_{\Phi_n(i)_j}\Big[\Big(\frac{w_{\Phi_n(i)_j}(Y)}{q_{P,\alpha}(Y)}\Big)^{\alpha-1}\Big] \\
&= \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\prod_{j=1}^{n}{\rm E}_{\Phi}\mathbb{E}_{\Phi_n(i)_j}\Big[\Big(\frac{w_{\Phi_n(i)_j}(Y)}{q_{P,\alpha}(Y)}\Big)^{\alpha-1}\Big] \\
&= \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\prod_{j=1}^{n}\sum_{x\in{\cal X}}P(x)\mathbb{E}_x\Big[\Big(\frac{w_x(Y)}{q_{P,\alpha}(Y)}\Big)^{\alpha-1}\Big] \\
&= \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\prod_{j=1}^{n}2^{(\alpha-1)D_\alpha(\bm{W}\times P\|Q_{P,\alpha}\times P)} \\
&\stackrel{(a)}{=} \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\prod_{j=1}^{n}2^{(\alpha-1)I_\alpha(X;Y)_P} \\
&= \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}2^{n(\alpha-1)I_\alpha(X;Y)_P}=2^{n(\alpha-1)I_\alpha(X;Y)_P},
\end{aligned} \qquad (219)

where $(a)$ follows from (30) and (197).   
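Step $(a)$ can be checked numerically on a toy channel. The sketch below assumes, for illustration only, that $Q_{P,\alpha}$ is the Sibson-type optimizer $q_{P,\alpha}(y)\propto(\sum_x P(x)w_x(y)^\alpha)^{1/\alpha}$ with normalizing constant $c$, so that $I_\alpha(X;Y)_P=\frac{\alpha}{\alpha-1}\log c$; this form is standard for Rényi mutual information [18], but its agreement with (197) is an assumption here, since (197) appears in the main text.

import numpy as np

# Toy check of step (a): sum_x P(x) E_x[(w_x(Y)/q(Y))^(alpha-1)]
#                        = 2^((alpha-1) I_alpha(X;Y)_P),
# assuming q = q_{P,alpha} is the Sibson-type optimizer described above.
alpha = 2.0
P = np.array([0.6, 0.4])                       # input distribution
W = np.array([[0.8, 0.2],                      # w_x(y): rows x, columns y
              [0.3, 0.7]])

unnorm = (P[:, None] * W**alpha).sum(axis=0) ** (1 / alpha)
c = unnorm.sum()                               # normalizing constant
q = unnorm / c                                 # assumed optimizer q_{P,alpha}
I_alpha = alpha / (alpha - 1) * np.log2(c)     # Sibson Renyi mutual information

lhs = (P[:, None] * W * (W / q) ** (alpha - 1)).sum()
print(lhs, 2.0 ** ((alpha - 1) * I_alpha))     # the two values coincide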

X-G Proof of Lemma 12

The outline of the proof of Lemma 12 is as follows. To evaluate the value ${\rm E}_{\Phi_n}\sum_{m=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\eta_{\Phi_n,\epsilon_2}^{C}(m)$, we convert it to the sum of certain probabilities. We evaluate these probabilities by excluding a certain exceptional case. That is, we show that the probability of the exceptional case is small and that these probabilities under the condition excluding the exceptional case are also small. The latter will be shown by evaluating a certain conditional probability. For this aim, we choose $\epsilon_4,\epsilon_5>0$ such that $\epsilon_4:=-L[G_{P,P}](1-\epsilon_2)-R_1$ and $-L_P^{\epsilon_5}(1-\epsilon_2)>R_1+\frac{\epsilon_4}{2}$.

Step 1: Evaluation of a certain conditional probability.

We denote the empirical distribution of $x^n$ by $P[x^n]$. That is, $nP[x^n](x)$ is the number of indices $i=1,\ldots,n$ satisfying $x^n_i=x$. Hence, when $X^n=(X_1^n,\ldots,X_n^n)$ are independently subject to $P$,

{\rm E}_{X^n}[2^{t(n-d(X^n,x^n))}]=2^{G_{P|x_1^n}(t)+\cdots+G_{P|x_n^n}(t)}=2^{nG_{P,P[x^n]}(t)}. \qquad (220)
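The identity (220) can be verified numerically: since $n-d(X^n,x^n)=\sum_j 1[X_j=x^n_j]$ with the $X_j$ independently subject to $P$, the expectation factorizes into $\prod_j(2^tP(x^n_j)+1-P(x^n_j))$, which depends on $x^n$ only through its empirical distribution. The following sketch uses a toy alphabet (assumed for illustration) together with the explicit form of $G_{P,P'}$ from Appendix D.

import numpy as np

# Numerical check of Eq. (220): E_{X^n}[2^{t(n - d(X^n, x^n))}]
#                               = 2^{n G_{P, P[x^n]}(t)},
# with G_{P,P'}(t) = sum_x P'(x) log2(2^t P(x) + 1 - P(x)) as in Appendix D.
rng = np.random.default_rng(1)
P = np.array([0.5, 0.3, 0.2])        # input distribution on {0, 1, 2}
xn = rng.integers(0, 3, 50)          # an arbitrary fixed sequence x^n
t, n = 0.7, len(xn)

# Left-hand side via the exact product form over positions j:
lhs = np.prod(2.0**t * P[xn] + 1 - P[xn])

# Right-hand side via the empirical distribution P[x^n]:
emp = np.bincount(xn, minlength=3) / n
G = np.sum(emp * np.log2(2.0**t * P + 1 - P))
rhs = 2.0 ** (n * G)

print(lhs, rhs)                      # the two values coincide (up to rounding)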

We define two conditions $A_{n,i}$ and $B_{n,i}$ for the encoder $\Phi_n$ as

$A_{n,i}$: $P[\Phi_n(i)]\in U_{\epsilon_5,P}$.

$B_{n,i}$: $\exists j\neq i,\ d(\Phi_n(i),\Phi_n(j))\leq n\epsilon_2$.

The aim of this step is the evaluation of the conditional probability ${\rm Pr}_{\Phi_n}(B_{n,i}|A_{n,i})$, i.e., the probability that the condition $B_{n,i}$ holds under the condition $A_{n,i}$.

We choose $j\neq i$. The Markov inequality implies that

\begin{aligned}
{\rm Pr}_{\Phi_n(j)|\Phi_n(i)}\Big(d(\Phi_n(i),\Phi_n(j))\leq n\epsilon_2\Big)
&= {\rm Pr}_{\Phi_n(j)|\Phi_n(i)}\Big(n-d(\Phi_n(i),\Phi_n(j))\geq n(1-\epsilon_2)\Big) \\
&\leq {\rm E}_{\Phi_n(j)|\Phi_n(i)}[2^{t(n-d(\Phi_n(i),\Phi_n(j)))}]\,2^{-tn(1-\epsilon_2)} \\
&= 2^{nG_{P,P[\Phi_n(i)]}(t)-tn(1-\epsilon_2)},
\end{aligned} \qquad (221)

where ${\rm Pr}_{\Phi_n(j)|\Phi_n(i)}$ and ${\rm E}_{\Phi_n(j)|\Phi_n(i)}$ are the conditional probability and the conditional expectation for the random variable $\Phi_n(j)$ with the fixed variable $\Phi_n(i)$. The final equation follows from (220). When the fixed variable $\Phi_n(i)$ satisfies the condition $A_{n,i}$, taking the infimum with respect to $t$, we have

{\rm Pr}_{\Phi_n(j)|\Phi_n(i)}\Big(d(\Phi_n(i),\Phi_n(j))\leq n\epsilon_2\Big) \leq 2^{nL[G_{P,P[\Phi_n(i)]}](1-\epsilon_2)}\leq 2^{nL_P^{\epsilon_5}(1-\epsilon_2)}. \qquad (222)

Hence,

\begin{aligned}
{\rm Pr}_{\Phi_{n,i,c}|\Phi_n(i)}(B_{n,i})
&\leq \sum_{j(\neq i)\in{\cal M}_n}{\rm Pr}_{\Phi_n(j)|\Phi_n(i)}\Big(d(\Phi_n(i),\Phi_n(j))\leq n\epsilon_2\Big) \\
&\leq \sum_{j(\neq i)\in{\cal M}_n}2^{nL_P^{\epsilon_5}(1-\epsilon_2)}\leq 2^{n(L_P^{\epsilon_5}(1-\epsilon_2)+R_1)}\leq 2^{-n\epsilon_4/2},
\end{aligned} \qquad (223)

where $\Phi_{n,i,c}$ expresses the random variables $\{\Phi_n(j)\}_{j\neq i}$. Then, we have

{\rm Pr}_{\Phi_n}(B_{n,i}|A_{n,i})\leq 2^{-n\epsilon_4/2}. \qquad (224)

Step 2: Evaluation of ${\rm E}_{\Phi_n}\sum_{m=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\eta_{\Phi_n,\epsilon_2}^{C}(m)$.

The quantity ${\rm E}_{\Phi_n}\sum_{m=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\eta_{\Phi_n,\epsilon_2}^{C}(m)$ can be evaluated as

\begin{aligned}
{\rm E}_{\Phi_n}\sum_{m=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\eta_{\Phi_n,\epsilon_2}^{C}(m)
&= \frac{1}{\mathsf{M}_n}{\rm E}_{\Phi_n}|\{i\,|\,B_{n,i}\hbox{ holds}\}|=\sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}{\rm Pr}_{\Phi_n}(B_{n,i}) \\
&\leq \sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}\Big({\rm Pr}_{\Phi_n}(A_{n,i}){\rm Pr}_{\Phi_n}(B_{n,i}|A_{n,i})+(1-{\rm Pr}_{\Phi_n}(A_{n,i}))\Big) \\
&\stackrel{(a)}{\leq} 2^{-n\epsilon_4/2}+\sum_{i=1}^{\mathsf{M}_n}\frac{1}{\mathsf{M}_n}(1-{\rm Pr}_{\Phi_n}(A_{n,i})),
\end{aligned} \qquad (225)

where $(a)$ follows from Eq. (224).

Since $P[\Phi_n(i)]$ converges to $P$ in probability, we have

{\rm Pr}_{\Phi_n}(A_{n,i})\to 1. \qquad (226)

Hence, the combination of Eqs. (225) and (226) implies the desired statement.   

XI Proof of Theorem 4

XI-A Main part of proof of Theorem 4

Hamming distance $d_H$ plays a central role in our proof of Theorem 3. However, since elements of $\tilde{\cal X}\setminus{\cal X}$ can be sent by dishonest Alice, Hamming distance $d_H$ does not work in our proof of Theorem 4. Hence, we introduce an alternative distance on $\tilde{\cal X}^n$. We modify the distance $d$ on $\tilde{\cal X}$ as

\bar{d}(x,x'):=\frac{1}{\zeta_3}\min(d(x,x'),\zeta_3), \qquad (227)

where

\zeta_3:=\min_{x\neq x'\in{\cal X}}d(x,x'). \qquad (228)

Then, we define

\bar{d}_H(x^n,{x^n}'):=\sum_{i=1}^{n}\bar{d}(x_i^n,{x_i^n}'), \qquad (229)

which coincides with the Hamming distance $d_H$ on ${\cal X}^n$.
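A minimal sketch of this truncated distance may clarify how inputs outside ${\cal X}$ are handled; it assumes, for illustration only, a one-dimensional input space $\tilde{\cal X}\subset\mathbb{R}$ with base distance $d(a,b)=|a-b|$ and honest alphabet ${\cal X}=\{0,1\}$. The function name and the toy inputs are ours, not the paper's.

# Illustrative sketch of Eqs. (227)-(229), under the assumptions stated above.
# The truncation caps each per-symbol contribution at the minimum distance
# zeta3 between distinct honest symbols, and rescales so that dbar_H equals
# the Hamming distance d_H on X^n.
def dbar_H(xn, xn_prime, alphabet):
    d = lambda a, b: abs(a - b)                                       # base distance on X~
    zeta3 = min(d(a, b) for a in alphabet for b in alphabet if a != b)  # Eq. (228)
    return sum(min(d(a, b), zeta3) / zeta3                            # Eqs. (227), (229)
               for a, b in zip(xn, xn_prime))

X = [0.0, 1.0]
print(dbar_H([0, 1, 0], [0, 1, 1], X))    # 1.0: equals the Hamming distance on X^n
print(dbar_H([0, 1, 0], [0.5, 1, 0], X))  # 0.5: a dishonest off-grid symbol still counts

Instead of Lemma 10, we have the following lemma.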

Lemma 16

When a code $\tilde{\phi}_n$ defined on a subset $\tilde{\cal M}_n\subset{\cal M}_n$ satisfies

d_H(\tilde{\phi}_n(m),\tilde{\phi}_n(m'))>n\epsilon_2 \qquad (230)

for two distinct elements $m\neq m'\in\tilde{\cal M}_n$, the decoder $D_{\tilde{\phi}_n}$ defined in Definition 1 satisfies

\delta_{D'}(D_{\tilde{\phi}_n})\leq 2^{tn(2\epsilon_1-\frac{\epsilon_2}{4}\bar{\zeta}_{1,t}(\zeta_3\frac{\epsilon_2}{4}))}+\frac{n\bar{\zeta}_2}{[n\epsilon_1]_+^2}. \qquad (231)

\square

In our proof of Theorem 4, we choose the real numbers $R_4,\epsilon_2,\epsilon_1$. We fix $t\in(0,1/2)$. While we choose $R_4,\epsilon_2>0$ in the same way as in our proof of Theorem 3, we choose $\epsilon_1>0$ to satisfy

\frac{\epsilon_2}{4}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{\epsilon_2}{4}\Big)>2\epsilon_1. \qquad (232)

With this choice, the RHS of (231) goes to zero. Since the conditions (230) and (231) play the same role as the conditions of Lemma 10, the proof of Theorem 3 yields a proof of Theorem 4 once Lemma 10 is replaced by Lemma 16.

XI-B Proof of Lemma 16

Step 1: Evaluation of $W^n_{x^n}({\cal D}_{{x^n}'})$.

As shown in Step 3, when $\bar{d}_H(x^n,{x^n}')=k$, for $t\in(0,\frac{1}{2})$, we have

\frac{-1}{t}\log\mathbb{E}_{x'}[2^{t(\xi_x(Y)-\xi_{x'}(Y))}]\geq\frac{k}{2}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{k}{2n}\Big). \qquad (233)

Applying the Markov inequality to the variable $2^{t(\xi_x(Y)-\xi_{x'}(Y))}$, we have

\begin{aligned}
W^n_{{x^n}'}(\{y^n|\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)\geq-2n\epsilon_1\})
&= W^n_{{x^n}'}(\{y^n|2^{t(\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n))}\geq 2^{-2tn\epsilon_1}\}) \\
&\leq \mathbb{E}_{x'}[2^{t(\xi_x(Y)-\xi_{x'}(Y))}]\,2^{2tn\epsilon_1}\leq 2^{t(2n\epsilon_1-\frac{k}{2}\bar{\zeta}_{1,t}(\zeta_3\frac{k}{2n}))}.
\end{aligned} \qquad (234)

The condition (92) implies that

\mathbb{E}_{{x^n}'}[\xi_{{x^n}'}]=0. \qquad (235)

The condition (101) implies that

\mathbb{V}_{{x^n}'}[\xi_{{x^n}'}]\leq n\bar{\zeta}_2. \qquad (236)

Hence, applying the Chebyshev inequality to the variable $\xi_{{x^n}'}(Y^n)$, we have

W^n_{{x^n}'}(\{y^n|\xi_{{x^n}'}(y^n)\leq-n\epsilon_1\})\leq\frac{n\bar{\zeta}_2}{[n\epsilon_1]_+^2}. \qquad (237)

Hence, we have

\begin{aligned}
W^n_{{x^n}'}({\cal D}_{x^n})
\leq{}& W^n_{{x^n}'}(\{y^n|-n\epsilon_1\leq\xi_{x^n}(y^n)\}) \\
={}& W^n_{{x^n}'}(\{y^n|-n\epsilon_1\leq\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)+\xi_{{x^n}'}(y^n)\}) \\
\leq{}& W^n_{{x^n}'}(\{y^n|-2n\epsilon_1\leq\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)\}) \\
&+W^n_{{x^n}'}\big(\big\{y^n\,\big|\,-n\epsilon_1\leq\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)+\xi_{{x^n}'}(y^n),\ -2n\epsilon_1>\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)\big\}\big) \qquad (241) \\
\stackrel{(a)}{\leq}{}& W^n_{{x^n}'}(\{y^n|-2n\epsilon_1\leq\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)\})+W^n_{{x^n}'}(\{y^n|\xi_{{x^n}'}(y^n)>n\epsilon_1\}) \\
\stackrel{(b)}{\leq}{}& 2^{t(2n\epsilon_1-\frac{k}{2}\bar{\zeta}_{1,t}(\zeta_3\frac{k}{2n}))}+\frac{n\bar{\zeta}_2}{[n\epsilon_1]_+^2}, \qquad (242)
\end{aligned}

where $(a)$ follows from the fact that the conditions $-n\epsilon_1\leq\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)+\xi_{{x^n}'}(y^n)$ and $-2n\epsilon_1>\xi_{x^n}(y^n)-\xi_{{x^n}'}(y^n)$ imply the condition $\xi_{{x^n}'}(y^n)>n\epsilon_1$, and $(b)$ follows from (234) and (237).

Step 2: Evaluation of the smaller of $W^n_{x^n}({\cal D}_{\tilde{\phi}_n(m)})$ and $W^n_{x^n}({\cal D}_{\tilde{\phi}_n(m')})$. We abbreviate $\bar{d}_H(x^n,\tilde{\phi}_n(m))$ and $\bar{d}_H(x^n,\tilde{\phi}_n(m'))$ as $k_1$ and $k_2$. Since Eq. (230) implies

n\epsilon_2<d_H(\tilde{\phi}_n(m),\tilde{\phi}_n(m'))=\bar{d}_H(\tilde{\phi}_n(m),\tilde{\phi}_n(m'))\leq k_1+k_2, \qquad (243)

we have

\frac{n\epsilon_2}{2}\leq k_3:=\max(k_1,k_2). \qquad (244)

Since $\bar{\zeta}_{1,t}(r)$ is monotonically increasing in $r$, (244) yields

\begin{aligned}
\min\Big[t\Big(2n\epsilon_1-\frac{k_1}{2}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{k_1}{2n}\Big)\Big),\ t\Big(2n\epsilon_1-\frac{k_2}{2}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{k_2}{2n}\Big)\Big)\Big]
&\leq t\Big(2n\epsilon_1-\max\Big[\frac{k_1}{2}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{k_1}{2n}\Big),\frac{k_2}{2}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{k_2}{2n}\Big)\Big]\Big) \\
&= t\Big(2n\epsilon_1-\frac{k_3}{2}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{k_3}{2n}\Big)\Big) \\
&\leq t\Big(2n\epsilon_1-\frac{n\epsilon_2}{4}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{n\epsilon_2}{4n}\Big)\Big)=tn\Big(2\epsilon_1-\frac{\epsilon_2}{4}\bar{\zeta}_{1,t}\Big(\zeta_3\frac{\epsilon_2}{4}\Big)\Big). \qquad (245)
\end{aligned}

Thus,

\begin{aligned}
\min[W^n_{x^n}({\cal D}_{\tilde{\phi}_n(m)}),W^n_{x^n}({\cal D}_{\tilde{\phi}_n(m')})]
&\stackrel{(a)}{\leq} \min\big[2^{t(2n\epsilon_1-\frac{k_1}{2}\bar{\zeta}_{1,t}(\zeta_3\frac{k_1}{2n}))},\,2^{t(2n\epsilon_1-\frac{k_2}{2}\bar{\zeta}_{1,t}(\zeta_3\frac{k_2}{2n}))}\big]+\frac{n\bar{\zeta}_2}{[n\epsilon_1]_+^2} \\
&= 2^{\min\big[t(2n\epsilon_1-\frac{k_1}{2}\bar{\zeta}_{1,t}(\zeta_3\frac{k_1}{2n})),\,t(2n\epsilon_1-\frac{k_2}{2}\bar{\zeta}_{1,t}(\zeta_3\frac{k_2}{2n}))\big]}+\frac{n\bar{\zeta}_2}{[n\epsilon_1]_+^2} \\
&\stackrel{(b)}{\leq} 2^{tn(2\epsilon_1-\frac{\epsilon_2}{4}\bar{\zeta}_{1,t}(\zeta_3\frac{\epsilon_2}{4}))}+\frac{n\bar{\zeta}_2}{[n\epsilon_1]_+^2}, \qquad (246)
\end{aligned}

where $(a)$ follows from (242), and $(b)$ follows from (245). Eq. (246) implies (231), i.e., the desired statement of Lemma 16.

Step 3: Proof of (233). To show (233), we consider the random variable $J$ subject to the uniform distribution $P_{{\rm uni},n}$ on $\{1,\ldots,n\}$. The quantity $1-\bar{d}(x_J^n,{x_J^n}')$ can be considered as a non-negative random variable whose expectation is $1-\frac{k}{n}$. We apply the Markov inequality to the variable $1-\bar{d}(x_J^n,{x_J^n}')$. Then, we have

\begin{aligned}
\Big|\Big\{j\in\{1,\ldots,n\}\Big|\bar{d}(x_j^n,{x_j^n}')<\frac{k}{2n}\Big\}\Big|
&= \Big|\Big\{j\in\{1,\ldots,n\}\Big|1-\bar{d}(x_j^n,{x_j^n}')>1-\frac{k}{2n}\Big\}\Big| \\
&\leq n\cdot\frac{1-\frac{k}{n}}{1-\frac{k}{2n}}\leq n\cdot\Big(1-\frac{k}{2n}\Big)=n-\frac{k}{2}, \qquad (247)
\end{aligned}

where the final inequality follows from the arithmetic-geometric mean inequality, which gives $(1-\frac{k}{n})\cdot 1\leq(1-\frac{k}{2n})^2$. Hence, we have

\Big|\Big\{j\in\{1,\ldots,n\}\Big|\bar{d}(x_j^n,{x_j^n}')\geq\frac{k}{2n}\Big\}\Big|\geq\frac{k}{2}. \qquad (248)

Since $\bar{d}(x_j^n,{x_j^n}')\geq\frac{k}{2n}$ implies $d(x_j^n,{x_j^n}')\geq\zeta_3\frac{k}{2n}$, (248) implies (233).

 

XII Conclusion

We have proposed a new concept, secure list decoding, which imposes additional requirements on conventional list decoding so that it works as a relaxation of bit-string commitment. This scheme has three requirements: the verifiable condition (A), the equivocation version of the concealing condition (B), and the binding condition. The verifiable condition (A) means that the message sent by Alice (sender) is contained in the list output by Bob (receiver). The equivocation version of the concealing condition (B) is a relaxation of the concealing condition of bit-string commitment; it expresses Bob's uncertainty about Alice's message. The binding condition has two versions: the condition (C) for honest Alice and the condition (D) for dishonest Alice. Since dishonest Alice may use a different code, we need to guarantee the impossibility of cheating even for such a dishonest Alice. In this paper, we have shown the existence of a code satisfying these three conditions. Also, we have defined the capacity region as the set of achievable triples of the rates of the message and list sizes and the equivocation rate, and have derived the capacity region when the encoder is given as a deterministic map. Under this condition, we have shown that the conditions (C) and (D) yield the same capacity region. However, we have not derived the capacity region when a stochastic encoder is allowed. Therefore, the characterization of the capacity region in this case is an interesting open problem.

As the second contribution, we have formulated secure list decoding with a general input system. In this formulation, we have assumed that honest Alice accesses only a fixed subset of the general input system while dishonest Alice can access any element of the general input system. Then, we have shown that the capacity region of this setting is the same as the capacity region of the above setting when the encoder is limited to a deterministic map.

As the third contribution, we have proposed a method to convert a code for secure list decoding into a protocol for bit-string commitment. Then, we have shown that this protocol achieves a message rate equal to the equivocation rate of the original code for secure list decoding. This method works even when the input system is a general probability space and dishonest Alice can access any element of the input system. Since many realistic noisy channels have continuous input and output systems, this result extends the applicability of our method for bit-string commitment.

Since the code constructed in this paper is based on random coding, practical code constructions for secure list decoding are still needed. Fortunately, the existing study [3] systematically constructed several types of codes for list decoding together with their algorithms. While their code constructions are practical, in order to use their codes for secure list decoding and bit-string commitment, we need to clarify their security parameters, i.e., the equivocation rate and the binding parameter $\delta_D$ for dishonest Alice, in addition to the decoding error probability $\epsilon_A$. Calculating these security parameters of their codes is a practical open problem.

Acknowledgments

The author is grateful to Dr. Vincent Tan, Dr. Anurag Anshu, Dr. Seunghoan Song, and Dr. Naqueeb Warsi for helpful discussions and comments. In particular, Dr. Naqueeb Warsi informed me of the application of Theorem 11.6.1 of [26]. The work reported here was supported in part by Guangdong Provincial Key Laboratory (Grant No. 2019B121203002), the Fund for the Promotion of Joint International Research (Fostering Joint International Research) Grant No. 15KK0007, the JSPS Grant-in-Aid for Scientific Research (A) No. 17H01280 and (B) No. 16KT0017, and the Kayamori Foundation of Informational Science Advancement K27-XX-46.

Appendix A Proof of Lemma 1

Step 1: Preparation.

We define the functions

\bar{\gamma}_1(R_1) := \min_{P\in{\cal P}({\cal U}\times{\cal X})}\{I(X;Y|U)_P\,|\,H(X|U)_P=R_1\} \qquad (249)
\bar{\gamma}_{1,o}(R_1) := \min_{P\in{\cal P}({\cal X})}\{I(X;Y)_P\,|\,H(X)_P=R_1\} \qquad (250)
\bar{\gamma}_\alpha(R_1) := \min_{P\in{\cal P}({\cal U}\times{\cal X})}\{I_\alpha(X;Y|U)_P\,|\,H(X|U)_P=R_1\} \qquad (251)
\kappa_1(R_1) := \max\{R_3\,|\,(R_1,R_3)\in\overline{{\cal C}^{1,3}}\} \qquad (252)
\kappa_1^s(R_1) := \max\{R_3\,|\,(R_1,R_3)\in\overline{{\cal C}^{s,1,3}}\} \qquad (253)
\kappa_\alpha(R_1) := \max\{R_3\,|\,(R_1,R_3)\in\overline{{\cal C}_\alpha^{1,3}}\}. \qquad (254)

Then, it is sufficient to show the following relations:

\kappa_1(R_1) = R_1-\bar{\gamma}_1(R_1)=\gamma_1(R_1) \qquad (255)
\kappa_1^s(R_1) = \max_{R\leq R_1}\gamma_1(R) \qquad (256)
\kappa_\alpha(R_1) = R_1-\bar{\gamma}_\alpha(R_1)=\gamma_\alpha(R_1). \qquad (257)

Since the second equations in (255) and (257) follow from the definitions, it is sufficient to show the first equations in (255) and (257). From the definitions, we have

\overline{{\cal C}^{1,3}} = \bigcup_{P\in{\cal P}({\cal U}\times{\cal X})}\{(R_1,R_3)\,|\,0\leq R_3\leq R_1-I(X;Y|U)_P,\ 0\leq R_1\leq H(X|U)_P\} \qquad (260)
\overline{{\cal C}^{s,1,3}} = \bigcup_{P\in{\cal P}({\cal U}\times{\cal X})}\{(R_1,R_3)\,|\,0\leq R_3\leq H(X|YU)_P,\ 0\leq R_1\leq H(X|U)_P\} \qquad (263)
\overline{{\cal C}_\alpha^{1,3}} = \bigcup_{P\in{\cal P}({\cal U}\times{\cal X})}\{(R_1,R_3)\,|\,0\leq R_3\leq R_1-I_\alpha(X;Y|U)_P,\ 0\leq R_1\leq H(X|U)_P\}. \qquad (266)

Hence, (263) implies (256). To show (255) and (257), we derive the following relations from (260) and (266).

\kappa_1(R_1) = \max_{R\geq R_1}R_1-\bar{\gamma}_1(R) \qquad (267)
\kappa_\alpha(R_1) = \max_{R\geq R_1}R_1-\bar{\gamma}_\alpha(R). \qquad (268)

Step 2: Proof of (255).

Given $R>0$, we choose $P(R):=\mathop{\rm argmin}_{P\in{\cal P}({\cal X})}\{I(X;Y)_P\,|\,H(X)_P=R\}$. We have $I(X;Y)_{P(R)}=D(\bm{W}\times P(R)\|W_{P(R)}\times P(R))=\sum_{x\in{\cal X}}P(R)(x)D(W_x\|W_{P(R)})$. As shown later, when $P(R)(x')>P(R)(x)$, we have

D(W_{x'}\|W_{P(R)})\leq D(W_x\|W_{P(R)}). \qquad (269)

We choose $x_1$ and $x_d$ such that $D(W_{x_1}\|W_{P(R)})\leq D(W_x\|W_{P(R)})\leq D(W_{x_d}\|W_{P(R)})$ for all $x\in{\cal X}$. Given $\epsilon>0$, we define the distribution $P(R)_\epsilon$ as

P(R)_\epsilon(x_1) := P(R)(x_1)+\epsilon, \qquad (270)
P(R)_\epsilon(x_d) := P(R)(x_d)-\epsilon,\quad P(R)_\epsilon(x):=P(R)(x) \qquad (271)

for $x\in{\cal X}\setminus\{x_1,x_d\}$. We have $H(P(R)_\epsilon)<H(P(R))=R$. In particular, when $R_o<R$ is sufficiently close to $R$, there exists $\epsilon>0$ such that $H(P(R)_\epsilon)=R_o$. Then,

\begin{aligned}
\bar{\gamma}_{1,o}(R_o)=\bar{\gamma}_{1,o}(H(P(R)_\epsilon))\leq I(X;Y)_{P(R)_\epsilon}
&= \min_Q D(\bm{W}\times P(R)_\epsilon\|Q\times P(R)_\epsilon) \\
&\leq D(\bm{W}\times P(R)_\epsilon\|W_{P(R)}\times P(R)_\epsilon) \\
&\leq D(\bm{W}\times P(R)\|W_{P(R)}\times P(R)) \\
&= I(X;Y)_{P(R)}=\bar{\gamma}_{1,o}(R). \qquad (272)
\end{aligned}

Then, we find that $\bar{\gamma}_{1,o}(R)$ is monotonically increasing in $R$.

Also, we have

\bar{\gamma}_1(R) = \min_{\lambda\in[0,1],R_1,R_2\in[0,\log d]}\{\lambda\bar{\gamma}_{1,o}(R_1)+(1-\lambda)\bar{\gamma}_{1,o}(R_2)\,|\,(*)\}, \qquad (273)

where the condition $(*)$ is given as $\lambda R_1+(1-\lambda)R_2=R$. Since $\bar{\gamma}_{1,o}(R)$ is monotonically increasing in $R$, (273) guarantees that $\bar{\gamma}_1(R)$ is also monotonically increasing in $R$. Hence, (267) yields (255).

Step 3: Proof of (269).

Assume that there exist $x\neq x'\in{\cal X}$ such that $P(R)(x')>P(R)(x)$ and the condition (269) does not hold. We define the distribution $\bar{P}(R)$ as follows.

\bar{P}(R)(x) := P(R)(x'),\quad \bar{P}(R)(x'):=P(R)(x), \qquad (274)
\bar{P}(R)(x_o) := P(R)(x_o) \qquad (275)

for $x_o\in{\cal X}\setminus\{x,x'\}$. Then,

\begin{aligned}
I(X;Y)_{\bar{P}(R)}=\min_Q D(\bm{W}\times\bar{P}(R)\|Q\times\bar{P}(R))
&\leq D(\bm{W}\times\bar{P}(R)\|W_{P(R)}\times\bar{P}(R)) \\
&\leq D(\bm{W}\times P(R)\|W_{P(R)}\times P(R))=I(X;Y)_{P(R)},
\end{aligned}

which gives $I(X;Y)_{\bar{P}(R)}\leq I(X;Y)_{P(R)}$ while $H(X)_{\bar{P}(R)}=H(X)_{P(R)}=R$; in fact, the failure of (269) makes the middle inequality strict, which contradicts the choice of $P(R)$ as the minimizer. Hence, (269) holds.

Step 4: Proof of (257).

Instead of $\bar{\gamma}_\alpha(R_1)$ and $\bar{\gamma}_{\alpha,o}(R_1)$, we define

\bar{\gamma}^p_\alpha(R_1) := \min_{P\in{\cal P}({\cal U}\times{\cal X})}\{2^{(\alpha-1)I_\alpha(X;Y|U)_P}\,|\,H(X|U)_P=R_1\} \qquad (276)
\bar{\gamma}^p_{\alpha,o}(R_1) := \min_{P\in{\cal P}({\cal X})}\{2^{(\alpha-1)I_\alpha(X;Y)_P}\,|\,H(X)_P=R_1\}. \qquad (277)

Given $R>0$, we choose $P_\alpha(R):=\mathop{\rm argmin}_{P\in{\cal P}({\cal X})}\{I_\alpha(X;Y)_P\,|\,H(X)_P=R\}$. We choose $Q_\alpha(R):=\mathop{\rm argmin}_{Q\in{\cal P}({\cal Y})}D_\alpha(\bm{W}\times P_\alpha(R)\|Q\times P_\alpha(R))$. We have

2^{(\alpha-1)I_\alpha(X;Y)_{P_\alpha(R)}}=\sum_{x\in{\cal X}}P_\alpha(R)(x)2^{(\alpha-1)D_\alpha(W_x\|Q_\alpha(R))}. \qquad (278)

In the same way as (269), when $P_\alpha(R)(x')>P_\alpha(R)(x)$, we have

D_\alpha(W_{x'}\|Q_\alpha(R))\leq D_\alpha(W_x\|Q_\alpha(R)). \qquad (279)

In the same way as the case with $\bar{\gamma}_{1,o}$, we can show that $\bar{\gamma}^p_{\alpha,o}(R)$ is monotonically increasing in $R$. Hence, in the same way as the case with $\bar{\gamma}_1$, we can show that $\bar{\gamma}^p_\alpha(R)$ is monotonically increasing in $R$. Therefore, $\bar{\gamma}_\alpha(R)$ is monotonically increasing in $R$. Hence, (268) yields (257).

Appendix B Proof of Lemma 2

The first statement follows from (59). The second statement can be shown as follows. Assume that $\gamma_{\alpha,o}$ is a concave function. We choose

P=\mathop{\rm argmax}_{P\in{\cal P}({\cal U}\times{\cal X})}\{R_1-I_\alpha(X;Y|U)_P\,|\,H(X|U)_P=R_1\}. \qquad (280)

Then, we have

\begin{aligned}
\gamma_\alpha(R_1)
&= R_1-I_\alpha(X;Y|U)_P\stackrel{(a)}{\leq}R_1-\sum_{u\in{\cal U}}P_U(u)I_\alpha(X;Y)_{P_{X|U=u}} \\
&= \sum_{u\in{\cal U}}P_U(u)(H(X)_{P_{X|U=u}}-I_\alpha(X;Y)_{P_{X|U=u}}) \\
&\stackrel{(b)}{\leq} \sum_{u\in{\cal U}}P_U(u)\gamma_{\alpha,o}(H(X)_{P_{X|U=u}})\stackrel{(c)}{\leq}\gamma_{\alpha,o}(R_1),
\end{aligned}

where $(a)$ follows from the concavity of $x\mapsto-\log x$ and the relation

2^{(\alpha-1)I_\alpha(X;Y|U)_P}=\sum_{u\in{\cal U}}P_U(u)2^{(\alpha-1)I_\alpha(X;Y)_{P_{X|U=u}}},

$(b)$ follows from the definition of $\gamma_{\alpha,o}$, and $(c)$ follows from the assumption that $\gamma_{\alpha,o}$ is a concave function. Hence, we have $\gamma_\alpha(R_1)=\gamma_{\alpha,o}(R_1)$.

Appendix C Proof of Lemma 7

Since we have the Markov chain $Y^{j-1}-(X^{j-1},X_{j+1},\ldots,X_n)-X_j-Y_j$, the relation

I(X^n;Y_j|Y^{j-1})=I(X_j;Y_j|Y^{j-1}) \qquad (281)

holds. Hence,

I(X^n;Y^n)=\sum_{j=1}^{n}I(X^n;Y_j|Y^{j-1})=\sum_{j=1}^{n}I(X_j;Y_j|Y^{j-1}), \qquad (282)

which implies (142). Since we have the Markov chain $X_j-X^{j-1}-Y^{j-1}$, we have

\begin{aligned}
H(X_j|Y^{j-1})-H(X_j|X^{j-1})
&= H(X_j|Y^{j-1})-H(X_j|X^{j-1}Y^{j-1}) \\
&= I(X_j;X^{j-1}|Y^{j-1})\geq 0. \qquad (283)
\end{aligned}

Thus,

H(X^n)=\sum_{j=1}^{n}H(X_j|X^{j-1})\leq\sum_{j=1}^{n}H(X_j|Y^{j-1}), \qquad (284)

which implies (143).
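As a sanity check of the chain-rule identity (282), the following minimal sketch computes both sides for $n=2$; it assumes, for this illustration only, a toy correlated input pair sent through a binary symmetric channel.

import numpy as np
from itertools import product

# Numerical check of Eq. (282) for n = 2:
#   I(X^2;Y^2) = I(X1;Y1) + I(X2;Y2|Y1)
# for a memoryless channel, computed from the explicit joint distribution.
p = 0.1                                                       # BSC crossover
PX = {(0, 0): 0.4, (0, 1): 0.1, (1, 0): 0.1, (1, 1): 0.4}     # correlated X^2

def w(y, x):                                                  # channel w(y|x)
    return (1 - p) if y == x else p

PJ = {(x1, x2, y1, y2): PX[(x1, x2)] * w(y1, x1) * w(y2, x2)
      for x1, x2, y1, y2 in product([0, 1], repeat=4)}        # joint law

def H(margin):                                                # marginal entropy
    dist = {}
    for k, v in PJ.items():
        key = tuple(k[i] for i in margin)
        dist[key] = dist.get(key, 0.0) + v
    return -sum(v * np.log2(v) for v in dist.values() if v > 0)

# indices: 0 = X1, 1 = X2, 2 = Y1, 3 = Y2
I_total = H([0, 1]) + H([2, 3]) - H([0, 1, 2, 3])             # I(X^2;Y^2)
I_1 = H([0]) + H([2]) - H([0, 2])                             # I(X1;Y1)
I_2 = H([1, 2]) + H([2, 3]) - H([1, 2, 3]) - H([2])           # I(X2;Y2|Y1)
print(I_total, I_1 + I_2)                                     # the two coincide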

Appendix D Proof of Lemma 9

When $s$ is sufficiently large and $\delta>0$ is small, we have

\begin{aligned}
G_{P,P}(s)-s(1-\delta)
&= \bigg(\sum_{x\in{\cal X}}P(x)\log(2^sP(x)+1-P(x))\bigg)-s(1-\delta) \\
&= \bigg(\sum_{x\in{\cal X}}P(x)\Big(s+\log P(x)+\log\Big(1+\frac{1-P(x)}{2^sP(x)}\Big)\Big)\bigg)-s(1-\delta) \\
&= \bigg(\sum_{x\in{\cal X}}P(x)\Big(s+\log P(x)+\log_e(2)^{-1}\log_e\Big(1+\frac{1-P(x)}{2^sP(x)}\Big)\Big)\bigg)-s(1-\delta) \\
&\cong \bigg(\sum_{x\in{\cal X}}P(x)\Big(s+\log P(x)+\frac{1-P(x)}{\log_e(2)2^sP(x)}\Big)\bigg)-s(1-\delta) \\
&= s-H(P)+\bigg(\sum_{x\in{\cal X}}\frac{1-P(x)}{2^s\log_e(2)}\bigg)-s(1-\delta) \\
&= -H(P)+\frac{|{\cal X}|-1}{2^s\log_e(2)}+s\delta. \qquad (285)
\end{aligned}

Under the above approximation, the minimum with respect to $s$ is realized when $2^s=\frac{|{\cal X}|-1}{\delta}$. Hence, the minimum is approximated by $-H(P)+\delta\log(\frac{e(|{\cal X}|-1)}{\delta})$. This value goes to $-H(P)$ as $\delta$ goes to $+0$. Hence, we have (183).
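This approximation admits a quick numerical check. The sketch below uses a toy distribution $P$ (assumed only for illustration) and the explicit form of $G_{P,P}$ from (285); it minimizes $G_{P,P}(s)-s(1-\delta)$ over a grid of $s$ and compares the result with the predicted value and minimizer.

import numpy as np

# Numerical sketch for the approximation after Eq. (285): for small delta,
# min_s G_{P,P}(s) - s(1 - delta) is close to
#   -H(P) + delta * log2(e (|X| - 1) / delta),
# attained near 2^s = (|X| - 1) / delta.
P = np.array([0.5, 0.25, 0.25])
delta = 1e-3
H = -np.sum(P * np.log2(P))

s_grid = np.linspace(0.1, 40, 20000)
vals = np.array([np.sum(P * np.log2(2.0**si * P + 1 - P)) - si * (1 - delta)
                 for si in s_grid])
i = vals.argmin()
approx = -H + delta * np.log2(np.e * (len(P) - 1) / delta)
print("minimum over grid:", vals[i], "at 2^s =", 2.0**s_grid[i])
print("predicted value:  ", approx, "at 2^s =", (len(P) - 1) / delta)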

Also, we have

\begin{aligned}
G_{P,P'}(s)-sr
&= \bigg(\sum_{x\in{\cal X}}P'(x)\log(2^sP(x)+1-P(x))\bigg)-sr \\
&= \bigg(\sum_{x\in{\cal X}}P'(x)\Big(s+\log P(x)+\log\Big(1+\frac{1-P(x)}{2^sP(x)}\Big)\Big)\bigg)-sr \\
&= \bigg(\sum_{x\in{\cal X}}P'(x)\Big(s+\log P(x)+\log_e(2)^{-1}\log_e\Big(1+\frac{1-P(x)}{2^sP(x)}\Big)\Big)\bigg)-sr. \qquad (286)
\end{aligned}

For each $x$, the term $\log P(x)+\log_e(2)^{-1}\log_e(1+\frac{1-P(x)}{2^sP(x)})$ is bounded uniformly in $s>0$; since $\sum_x P'(x)s=s$ does not depend on $P'$, this gives $|G_{P,P'}(s)-G_{P,P}(s)|\leq C\|P'-P\|_1$ for a constant $C$ independent of $s$. Hence, we have

\lim_{P'\to P}\max_{s>0}(G_{P,P'}(s)-sr)=\max_{s>0}(G_{P,P}(s)-sr), \qquad (287)

which implies (184).   

References

  • [1] P. Elias, “List decoding for noisy channels,” in WESCON Conv. Rec., 1957, pp. 94–104.
  • [2] J. M. Wozencraft, “List decoding,” Quart. Progr. Rep., Res. Lab. Electron., MIT, Cambridge, MA, vol. 48, 1958.
  • [3] V. Guruswami, “Algorithmic results in list decoding,” Foundations and Trends in Theoretical Computer Science, vol. 2, no. 2, pp. 107–195, 2007.
  • [4] S. Nishimura, “The strong converse theorem in the decoding scheme of list size $L$,” Kōdai Math. Sem. Rep., vol. 21, pp. 418–425, 1969.
  • [5] R. Ahlswede, “Channel capacities for list codes,” J. Appl. Probab., vol. 10, pp. 824–836, 1973.
  • [6] M. Hayashi, “Channel capacities of classical and quantum list decoding,” arXiv:quant-ph/0603031.
  • [7] C. Crépeau, “Efficient cryptographic protocols based on noisy channels,” in Advances in Cryptology: Proc. EUROCRYPT 1997, Springer, 1997, pp. 306–317.
  • [8] A. Winter, A. C. A. Nascimento, and H. Imai, “Commitment capacity of discrete memoryless channels,” in Proc. 9th IMA International Conference on Cryptography and Coding (Cirencester, 16–18 December 2003), 2003, pp. 35–51.
  • [9] H. Imai, K. Morozov, A. C. A. Nascimento, and A. Winter, “Efficient protocols achieving the commitment capacity of noisy correlations,” in Proc. IEEE ISIT 2006, July 6–14, 2006, pp. 1432–1436.
  • [10] H. Yamamoto and D. Isami, “Multiplex coding of bit commitment based on a discrete memoryless channel,” in Proc. IEEE ISIT 2007, June 24–29, 2007, pp. 721–725.
  • [11] V. Y. F. Tan and M. Hayashi, “Analysis of remaining uncertainties and exponents under various conditional Rényi entropies,” IEEE Trans. Inform. Theory, vol. 64, no. 5, pp. 3734–3755, 2018.
  • [12] L. Yu and V. Y. F. Tan, “Rényi resolvability and its applications to the wiretap channel,” IEEE Trans. Inform. Theory, vol. 65, no. 3, pp. 1862–1897, 2019.
  • [13] M. Hayashi, “Secure list decoding,” in Proc. IEEE International Symposium on Information Theory (ISIT 2019), Paris, France, July 7–12, 2019, pp. 1727–1731; https://arxiv.org/abs/1901.02590.
  • [14] S. Arimoto, “Information measures and capacity of order $\alpha$ for discrete memoryless channels,” Colloquia Mathematica Societatis János Bolyai, 16. Topics in Information Theory, pp. 41–52, 1975.
  • [15] M. Iwamoto and J. Shikata, “Information theoretic security for encryption based on conditional Rényi entropies,” in Information Theoretic Security (Lecture Notes in Computer Science), vol. 8317, Berlin, Germany: Springer, 2014, pp. 103–121.
  • [16] M. Hayashi, “Security analysis of ε-almost dual universal2 hash functions: smoothing of min entropy vs. smoothing of Rényi entropy of order 2,” IEEE Trans. Inform. Theory, vol. 62, no. 6, pp. 3451–3476, 2016.
  • [17] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Inform. Theory, vol. 24, no. 3, pp. 339–348, 1978.
  • [18] R. Sibson, “Information radius,” Z. Wahrscheinlichkeitstheorie und Verw. Geb., vol. 14, pp. 149–161, 1969.
  • [19] L. Carter and M. Wegman, “Universal classes of hash functions,” J. Comput. System Sci., vol. 18, no. 2, pp. 143–154, 1979.
  • [20] M. N. Wegman and J. L. Carter, “New hash functions and their use in authentication and set equality,” J. Comput. System Sci., vol. 22, pp. 265–279, 1981.
  • [21] M. Hayashi, “Tight exponential analysis of universally composable privacy amplification and its applications,” IEEE Trans. Inform. Theory, vol. 59, no. 11, pp. 7728–7746, 2013.
  • [22] M. Hayashi and S. Watanabe, “Uniform random number generation from Markov chains: non-asymptotic and asymptotic analyses,” IEEE Trans. Inform. Theory, vol. 62, no. 4, pp. 1795–1822, 2016.
  • [23] S. Verdú and T. S. Han, “A general formula for channel capacity,” IEEE Trans. Inform. Theory, vol. 40, no. 6, pp. 1147–1157, 1994.
  • [24] M. Hayashi and H. Nagaoka, “General formulas for capacity of classical-quantum channels,” IEEE Trans. Inform. Theory, vol. 49, no. 7, pp. 1753–1768, 2003.
  • [25] A. C. A. Nascimento, J. Barros, S. Skludarek, and H. Imai, “The commitment capacity of the Gaussian channel is infinite,” IEEE Trans. Inform. Theory, vol. 54, no. 6, pp. 2785–2789, 2008.
  • [26] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed., New York: Wiley-Interscience, 2006.
Masahito Hayashi (Fellow, IEEE) was born in Japan in 1971. He received the B.S. degree from the Faculty of Sciences, Kyoto University, Japan, in 1994, and the M.S. and Ph.D. degrees in mathematics from Kyoto University, Japan, in 1996 and 1999, respectively. He worked at Kyoto University as a Research Fellow of the Japan Society for the Promotion of Science (JSPS) from 1998 to 2000, at the Laboratory for Mathematical Neuroscience, Brain Science Institute, RIKEN from 2000 to 2003, and at the ERATO Quantum Computation and Information Project, Japan Science and Technology Agency (JST) as Research Head from 2000 to 2006. He worked at the Graduate School of Information Sciences, Tohoku University as Associate Professor from 2007 to 2012. In 2012, he joined the Graduate School of Mathematics, Nagoya University as Professor. In 2020, he joined the Shenzhen Institute for Quantum Science and Engineering, Southern University of Science and Technology, Shenzhen, China as Chief Research Scientist. In 2011, he received the Information Theory Society Paper Award for “Information-Spectrum Approach to Second-Order Coding Rate in Channel Coding”. In 2016, he received the Japan Academy Medal from the Japan Academy and the JSPS Prize from the Japan Society for the Promotion of Science. In 2006, he published the book “Quantum Information: An Introduction” with Springer, whose revised version was published as “Quantum Information Theory: Mathematical Foundation” in Graduate Texts in Physics, Springer, in 2016. In 2016, he also published two other books, “Group Representation for Quantum Theory” and “A Group Theoretic Approach to Quantum Information”, with Springer. He is on the Editorial Board of the International Journal of Quantum Information and the International Journal on Advances in Security. His research interests include classical and quantum information theory and classical and quantum statistical inference.