Linear Key Construction in Finite Fields

• Linear key construction is a method where secret keys are generated as linear functions of common random vectors observed by multiple parties over finite fields.
• It employs non-interactive protocols featuring private linear processing and discussion-optimal public communications to ensure perfect recoverability and secrecy.
• The framework precisely characterizes communication complexity and key capacity, aligning one-shot finite models with classical asymptotic secrecy results.

Linear key construction refers to the methodology by which a secret key is generated as a linear function of the collective observations of multiple users, each of whom has access to a distinct linear function of a common underlying random vector. The discussion and operations are performed over a finite field, and all protocols enforce linearity in the transformations and communications used to achieve perfect secret key agreement. In the one-shot finite linear source model, as investigated in (Chan et al., 2019), both the structure of the linear observations and the linearity constraints on public discussion allow for a precise characterization of the communication complexity required for achieving maximum-length secret key agreement, as well as the explicit construction of such keys.

1. Finite Linear Source Model

Let $V = \{1, \ldots, m\}$ denote the set of users, and fix a finite field $\Bbb F_q$. The common randomness is captured by a base random vector:

$$X = (X_1, \ldots, X_\ell) \sim \text{Uniform}(\Bbb F_q^\ell),$$

with entropy $H(X) = \ell$. Each user $i \in V$ observes

$Z_i = X M_i \in \Bbb F_q^{t_i},$

where $M_i$ is a fixed $\ell \times t_i$ matrix over $\Bbb F_q$. The full system of observations is summarized as

$Z_V = (Z_1, \ldots, Z_m) = X M,$

where $M$ is the concatenation of the individual $M_i$. Redundant rows in $M$ are discarded so that $\text{row rank}(M) = \ell$. All public communications are constrained to be linear: each user $i$ sends

$F_i = Z_i A_i \in \Bbb F_q^{r_i},$

with $A_i$ of size $t_i \times r_i$. Collectively, $F_V = (F_1, \ldots, F_m)$ aggregates the public discussion, and $r_i = \dim F_i$. It is established, via Theorem 1 in (Chan et al., 2019), that no private randomness is needed for achieving the optimal key length.

2. Capacity and Communication Complexity

The unconstrained secret-key length, denoted $K^*$, is defined as the maximum $\log |K|$ for which a linear secret key agreement protocol exists:

$$K^* := \Big\lfloor \min_{\Pi \in \Pi'(V)} \frac{\sum_{C \in \Pi} H(Z_C) - H(Z_V)}{|\Pi| - 1} \Big\rfloor,$$

where $\Pi'(V)$ is the set of all nontrivial partitions of $V$. The communication-for-omniscience cost, $R_{\rm CO}$, is characterized as

$$R_{\rm CO} := \min \left\{ \sum_{i=1}^m r_i\, \bigg|\, r(B) \geq H(Z_B|Z_{V \setminus B}) \ \forall B \subsetneq V \right\},$$

which, by Theorem 2, satisfies

$R_{\rm CO} = H(Z_V) - K^*.$

The exact communication complexity $D^*$—that is, the minimal total linear public discussion required to achieve $K^*$—matches this value:

$D^* = R_{\rm CO}.$

3. Non-Interactive Protocol Structure

The construction achieves secret-key agreement by means of a non-interactive two-step protocol:

a) Private Linear Processing:

Each user applies invertible linear transformations to their observation vectors to obtain a reduced form $Z'_i = Z_i M'_i$. Successive deletions of unrecoverable coordinates and invertible transformations reduce $H(Z_V)$ while preserving $K^*$, as specified in Theorem 4. This process continues until further reduction would decrease $K^*$, resulting in a minimal formulation.

b) Discussion-Optimal Communication-for-Omniscience:

Public communication rates $(r^*_1, \ldots, r^*_m)$ are determined via the solution to the following integer linear program:

• Minimize $\sum_i r_i$
• Subject to:

$$\sum_{i \in B} r_i \geq H(Z'_B | Z'_{V \setminus B}) \quad \forall B \subsetneq V, \quad r_i \in \Bbb Z_{\geq 0}$$

For each $i$, a full-rank matrix $A_i$ of size $t'_i \times r^*_i$ is selected so that the stacked $F_V = (Z'_1 A_1, \ldots, Z'_m A_m)$ enables all users to reconstruct $Z'_V$. Explicitly, the matrices are chosen so that for every $B$,

$$\operatorname{rowspan}\left([M'_i A_i]_{i\in B}\right) \supseteq \operatorname{rowspan}\left([M'_j]_{j\notin B}\right),$$

ensuring each user's omniscience given their private view and the public discussion.

4. Linear Key Extraction

Once omniscience of $Z'_V$ is achieved, the secret key $K$ is defined as the maximal common linear function of all $Z'_i$. This is operationalized by selecting a matrix $G$ whose column space complements the row space of the entire public discussion mapping:

$$[M'_1A_1\;\cdots\;M'_mA_m]\,G = 0, \quad \text{rank}(G) = K^*.$$

The secret key is thus extracted as

$K = Z'_V\,G = X\,(M' G) \in \Bbb F_q^{K^*}.$

This construction guarantees both perfect recoverability—every user can deterministically reconstruct $K$ from their private observation and the public discussion—and perfect secrecy—$K$ is statistically independent from $F_V$.

5. Secrecy and Recoverability Criteria

Correctness and security of the linear key are ensured by the following criteria:

• Perfect Recoverability: For all $i \in V$, $H(K \mid Z_i, F_V) = 0$.
• Perfect Secrecy: $I(K; F_V) = 0$, equivalently $H(K \mid F_V) = H(K) = K^*$. No private randomness is necessary, as formally demonstrated in [(Chan et al., 2019), Thm 1]. The resulting key can always be chosen as a linear function of the base source variables.

6. Relation to Classical Asymptotic Models

In classical (asymptotic, many-sample) models as in Csiszár–Narayan, secret-key rates and public-discussion rates are defined per sample. The asymptotic secrecy capacity for the finite-linear-source model is given by:

$$\min_{\Pi \in \Pi'(V)} \frac{\sum_{C \in \Pi} H(Z_C) - H(Z_V)}{|\Pi| - 1},$$

with requisite public discussion rate $H(Z_V)$ minus the capacity. The one-shot formulas for $K^*$ and $D^*$ agree with these, aside from integer rounding—using the floor for $K^*$ and ceiling for $D^*$. Thus, the linear key construction in the one-shot regime exactly realizes what classical protocols achieve asymptotically across multiple samples. Notably, this linear framework encompasses previously studied models such as hypergraphical and PIN models, which are special cases under this general template (Chan et al., 2019).