Information Theoretical Cryptogenography

We consider problems where $n$ people are communicating and a random subset of them is trying to leak information, without making it clear who are leaking the information. We introduce a measure of suspicion, and show that the amount of leaked information will always be bounded by the expected increase in suspicion, and that this bound is tight. We ask the question: Suppose a large number of people have some information they want to leak, but they want to ensure that after the communication, an observer will assign probability at most $c$ to the events that each of them is trying to leak the information. How much information can they reliably leak, per person who is leaking? We show that the answer is $- \frac{\log(1-c)}{c} -\log(e)$ bits.


Introduction
The year is 2084 and the world is controlled by a supercomputer called Eve.It makes the laws, carries them out, has surveillance cameras everywhere, can hear everything you say, and can break any kind of cryptography.It was designed to make a world that maximises the total amount of happiness, while still being fair.However, Eve started to make some unfortunate decisions.For example, it thought that to maximise the utility it has been designed to maximise, it must ensure that it survives, so it decided to execute everyone it knew beyond reasonable doubt was trying to plot against Eve (it was designed so it could not punish anyone as long as there is reasonable doubt, and reasonable doubt had been defined to be a 5% chance of being innocent).Everyone agrees that Eve should be shut down.The only person who can shut down Eve is Frank who is sitting in a special control room.Eve cannot hurt him, he has access to everything Eve can see, but he needs a password to shut down Eve.A small number of people, say 100 Londoners, know the password.Eve or Frank have no clue who they are, only that they exist.If one of them simply says the password, Eve will execute the person.So how can they reveal the password, without any of them getting killed?
Suppose it is known that the password is the name of a museum in London.Frank then announces a date and time, and if you have the password, you show up at the correct museum that day and time, and if you do not have the information, you do as you would otherwise have done.If the museum is not too big, Frank will notice that there is one museum with more visitors than usual, so he gets the password.At the same time, if the museum is not too small, a large fraction of the visitors will just be there by chance, so Eve cannot punish any of them.
If the password is not necessarily the name of a museum, Frank can simply define a one-to-one correspondence between possible passwords and museums (or, if there are many possible passwords, take one letter at a time, with different people leaking each letter).We do not actually need museums to use this idea, the important part is that many people sends some messages, that will follow a fixed distribution if they do not think about it, and that if they want to, they can choose a specific message.For example, we could use parity of the minutes in the time we post messages on a blog.The purpose of this paper is to show how much information can be leaked this way.

Previous Work and Our Results
If we assume standard cryptographic assumptions, or if each pair of people had a private channel, we could use multi-party computation to let one person reveal information to a group of n people, in such a way that if more than half of them follow the protocol, a computationally bounded observer will only have a negligible advantage when trying to guess which of the collaborating parties who originally had the information [4,6].If we allow Frank to communicate, we could also use steganography [5] to reveal the information to Frank, again only assuming standard cryptographic assumptions and that the observers have bounded computational power.
However, we assume that the observers have unbounded computational power, and that the observers see all messages sent.In that case, we could let every person sent random messages.People who knows the secret, X, could make their message correlated with X.For example the messages could be "I think X belongs to the set S".However, every time you make a correct hint about what the secret X is, it will increase the observers suspicion that you know X.The more precise the hint is or the more unlikely it is that you would give the hint without knowing X, the more useful the statement is to Frank.But at the same time, such statements would also be the statements that increases Eve suspicion towards you the most (at least if we assume she knows X).Our main contribution is to introduce a measure of suspicion that captures this, and to show that if you want to leak some amount of information about X in the information theoretical sense, then your suspicion will, in expectation, have to increase by exactly the same amount.
The measure of suspicion turns out the be extremely useful for showing upper bounds on how much information you can leak, without making it clear that you are leaking.We show that if n people are known to each know X with probability b independently of each other, and no one wants an observer to assign probability more than c to the event that they were leaking information, they can each leak at most −b log(1−c)+c log (1−b)  Here the authors considered a game where one person among n was randomly chosen and given the result of a coin flip.The goal for the n players is to communicate in such a way that an observer, Frank, would guess the correct result of the coin flip, but another observer, Eve, who has the same information would guess wrong, when asked who of the n originally knew the result of the coin flip.The main method in [2] is a concavity characterisation, and is very different from the information theory methods we use.We generalise the problem to h bits of information and more players l who have the information, and show that if h = o(l) the winning probability tends to 1 and if l = o(h) the winning probability tends to 0.
Finally we show that in general to do cryptogenography, you do not need the non-leakers to collaborate.Instead we can use the fact that people send out random messages anyway, and use this in a similar way to steganography (see [5]).All we need is that people are communicating in a way that involve sufficiently randomness and that they do not change this communication, when we build a protocol on top of that.We can for example assume that they are not aware of the protocol, or they do not care about the leakage.

Paper Outline
We define notation and recall some concepts and theorems from information theory and introduce a communication model in Section 2. In Section 3 we introduce a measure of suspicion and use this to show upper bounds on how much information the players can leak if they want Eve to have reasonable doubt that they are leaking.In Section 4 we turn to reliable leakage, and define and determine the capacity for some cryptogenography problems.In Section 5 we show how our results can be used to analyse a generalisation of the original cryptogenography problem.Finally, in Section 6 we show that we can do equally well, even if the non-leakers are not collaborating in leaking, but are just communicating innocently.

Preliminaries
Unless stated otherwise, all random variables in this paper are assumed to be discrete.Random variables are denoted by capital letters and their support are denoted by the calligraphic version of the same letter (e.g.X is the support of X).If X and Y are random variables and Pr(Y = y) > 0, we let X| Y =y denote the random variable X conditioned on Y = y.That is Pr(X| Y =y = x) = Pr(X = x, Y = y) Pr(Y = y) .
For a tuple or infinite sequence a, we let a i denote the i'th element of a, and let a i = (a 1 , . . ., a i ) be the tuple of the i first elements from a. Similarly if A is a tuple or sequence of random variables.For a tuple a of n elements we let a • a ′ denote the tuple (a 1 , . . ., a n , a ′ ).For a random variable X and a value x ∈ X with Pr(X = x) > 0 the surprisal or the code-length 1 of x is given by where log, as in the rest of this paper, is the base-2 logarithm.The entropy of X, H(X), is the expected code-length of where we define 0 log(0) = 0.If p, q : X → [0, 1] are two probability distributions on X we have the inequality with equality if and only if p = q [3].The interpretation is, if X's distribution is given by p, and you encode values of X using a code optimised to the distribution q, you get the shortest average code-length if and only if p = q.
The entropy of a random variable X can be thought of as the uncertainty about X, or as the amount of information in X.For a tuple of random variables (X 1 , . . .X k ) the entropy H(X 1 , . . .X k ) is simply the entropy of the random variable (X 1 , . . ., X k ).The entropy of X given Y , H(X|Y ) is A simple computation shows that The mutual information I(X; Y ) of two random variables X, Y is given by This is known to be non-negative.The mutual information I(X; Y |Z = z) of X and Y given Z = z is given by where the joint distribution of (X| A simple computation shows that ) is an integer for all x ∈ X , and we want to find an optimal prefix-free binary code for X, the length of the code for x should be − log(Pr(X = x)), thus the name code-length.If they are not integers, we can instead use ⌈− log(Pr(X = x))⌉ and waste at most one bit.
We will need the chain rule for mutual information, Let X and Y be random variables, and f : Y → X a function.We think of f (Y ) as a guess about what X is.The probability of error, P e is now Pr(f (Y ) = X).We will need (a weak version of) Fano's inequality, A discrete memoryless channel (or channel for short) q consist of a finite input set Y, a finite output set Z and for each element y ∈ Y of the input set a probability distribution q(z|y) on the output set.If Alice have some information X that she wants Bob to know, she can use a channel.To do that, Alice and Bob will have to both know a code.An error correcting code, or simply a code, C : X → Y n is a function that for each x ∈ X specifies what Alice should give as input to the channel.Here n is the length of the code.Now the probability that Bob receive When Bob knows q, C and the distribution of X he can compute Pr(X = x|Z C = z).Let X denote the most likely value of X given Z C .A rate R is achievable if for all ǫ > 0 there is a n > 0 such that for X uniformly distributed on {1, . . ., 2 ⌈Rn⌉ } there is a code C of length n for q giving Pr( X = x|X = x) > 1−ǫ for all x ∈ X .For a distribution p on the input set Y we get a joint distribution of (Y, Z) given by Pr(Y = y, Z = z) = p(y)q(z|y).Now define the capacity C of q to be where max is over all distributions p of Y and the joint distribution of (Y, Z) is as above.Shannon's Noisy Coding Theorem says that any rate below C is achievable, and no rate above C is achievable [8].For an introduction to these information theoretical concepts and for proofs, see [3].

Model
In this paper we consider problems where one or more players might be trying to leak information about the outcome of a random variable X.The number of players is denoted n and the players are called plr 1 , . . ., plr n .Sometimes we will call plr 1 Alice and plr 2 Bob.We let L i be the random variable that is 1 if player i knows the information and 0 otherwise.If there is only one player we write L instead of L 1 .The joint distribution of (X, L 1 , . . ., L n ) is known to everyone.
All messages are broadcasted to all players and to two observers, Eve and Frank.The two observers will have exactly the same information, but we will think of them as two people rather than one.We want to reveal information about X to Frank, while at the same time make sure that for all i, Eve does not get too sure that L i = 1.The random variable that is the transcript of a protocol will be denoted T , and specific transcripts t.This is a tuple of messages, so we can use the notation T k , T k , t k , t k as define in the beginning of this section.For example, T k denotes the tuple of the first k messages.
In this section we define the collaborating model.In Section 6 we will define a model, were we do not need the non-leakers to collaborate.The model in Section 6 will be more useful in practice, however when constructing protocols, it is easier first to construct them in the collaboration model.In the collaborating model we can tell all the players including the non-leaking players to follow some communication protocol, called a collaborating cryptogenography protocol.The messages send by leaking player may depend on the value of X, but the messages of non-leaking players have to be independent of X given the previous transcript.Formally, a collaborating cryptogenography protocol π specifies for any possible value t k of the current transcript T k : • Should the communication stop or continue, and if it should continue, • Who is next to send a message, say plr i , and • A distribution p ? and a set of distributions, {p x } x∈X (the distributions p ? and {p x } x∈X depend on π and t k ).Now plr i should choose a message using p ? , if L i = 0 and choose a message using p x if L = 1 and X = x.
Furthermore, for any protocol π, there should a number length(π) such that the protocol will always terminate after at most length(π) messages.We assume that both Frank and Eve know the protocol.They also know the prior distribution of (X, L 1 , . . ., L n ), and we assume that they have computational power to compute (X, L 1 , . . ., L n )| T =t for any transcript t.Notice that this assumption rules out the use of cryptography.One way that everyone can know the protocol, is if one person, e.g.Frank, announces the protocol that they will use, and we assume that everyone follows that protocol.Another possibility is that the players and Frank and Eve (or their ancestors) have played a game about leaking information many times and slowly developed (or evolved) a protocol for leaking information and learned (or evolved) to play the game optimally.In this paper we will not consider the question of if and how the protocol could be developed or evolved.
While we think of different players as different people, two or more different players could be controlled by the same person.For example, if they are communicating in a chatroom with perfect anonymity, except that a profile's identity will be revealed if the profile can be shown to be guilty in leaking with probability > 95%.Here each player would correspond to a profile, but the same person could have more profiles.However, we will use "player" and "person" as synonyms in the paper.
3 Bounds on I(X; T )

Suspicion
First we will look at the problem where only one player is communicating and she may or may not be trying to leak information.We will later use these results when we analyse the many-player problem.
In the one player case, Alice sends one message A. If she is not trying to leak information, she will choose this message in A randomly using a distribution p ? .If she is trying to leak information, and X = x, she will use a distribution p x .For a random variable Y and a value y ∈ Y with Pr(Y = y) > 0 we let c Y =y = Pr(L = 1|Y = y).We usually suppress the random variable, and write c y instead.Here Y could be a tuple of random variables, and y a tuple of values.If y = (y 1 , y 2 ) is a tuple, we write c y1y2 instead of c (y1,y2) .
We want to see how much information Alice can leak to Frank (by choosing the p's), without being too suspicious to Eve.The following measure of suspicion turns out to be useful.We see that susp(Y = y) depends on y and the joint distribution of L and Y , but to keep notation simple, we suppress the dependence on L. The suspicion of Alice measures how suspicious Alice is to someone who knows that Y = y and knows nothing more.For example Y could be the tuple that consists of the secret information X and the current transcript.
We can think of the suspicion as the surprisal of the event, "Alice did not have the information".Next we define the suspicion given a random variable Y , without setting it equal to something.
In each of these, Y can consist of more than one random variable, e.g.Y = (X, A).Finally we can also combine these two definitions, giving susp(X, Where X and A can themselves be tuples of random variables. The definitions imply that susp(X, A) which can be thought of as (4) given X.
When Alice sends a message A this might reveal some information about X, but at the same time, she will also reveal some information about whether she is trying to leak X.We would like to bound I(A; X) by the information A reveals about L. This is not possible.If, for example, we set A = X whenever L = 1 and A = a ∈ X when L = 0, then I(A; X) = Pr(L = 1)H(A) which can be large, but I(A; L) ≤ H(L) ≤ 1.The theorem below shows that instead, I(A; X) can be bounded by the expected increase in suspicion given X, and that this bound is tight.Theorem 1.If Alice sends a message A, we have That is, the amount of information she sends about X is at most her expected increase in suspicion given X.There is equality if and only if the distribution of A is the same as A| L=0 .
Proof.With no information revealed, Alice's suspicion given X is susp We want to compute Alice's suspicion given X and her message A.
Next we want to see how much information A gives about X, that is I(A; X) = H(A) − H(A|X).We claim that this is bounded by the cost in suspicion, or equivalently, H(A) ≤ susp(X, A) − susp(X) + H(A|X).First we compute H(A|X) using (2): We have Here, the last equation follows from the assumption that A does not depend on X when L = 0. From this we conclude susp(X, A) − susp(X) + H(A|X) Here the first equality follows from ( 5) and ( 6), the second follows from (7) and the inequality follows from inequality (1).There is equality if and only if Pr(A = a) = Pr(A = a|L = 0) for all a.
We will now turn to the problem where many people are communicating.We assume that they sent messages one at a time, so we can break the protocol into time periods were only one person is communicating, and see the entire protocol as a sequence of one player protocols.The following Corollary show that a statement similar to Theorem 1 holds for each single message in a protocol with many players.Corollary 2. Let (L, T k−1 , X) have some joint distribution, where T k−1 denotes previous transcript.Let T k be the next message sent by Alice.Then Proof.For a particular value t k−1 of T k−1 we use Theorem 1 with (X, By multiplying each side by Pr(T k−1 = t k−1 ) and summing over all possible T k−1 we get the desired inequality.
A protocol consists of a sequence of messages that each leaks some information and increases the suspicion of the sender.We can add up increases in suspicion, and using the chain rule for mutual information we can also add up the amount of revealed information.However, we have to be aware that Bob's message not only affect his own suspicion, but it might also affect Alice's suspicion.To show an upper bound on the amount of information a group of people can leak, we need to show that one persons message will, in expectation, never make another persons suspicion decrease.We get this from the following proposition by setting Y = (X, T k−1 ) and B = T k .Multiplying each side by Pr(Y = y) and summing over all y ∈ Y gives us the desired inequality.
In the proof of the next theorem we will assume that the protocol runs for a fixed number of messages, and the player to talk in round k only depends on k, not on which previous messages was send.Any protocol π can be turned into such a protocol π ′ by adding dummy messages: In round k of π ′ we let plr k mod n talk.They follow protocol π in the sense that if it is not plr k mod n turn to talk according to π she send some fixed message 1, and if it is her turn, she chooses her message as in π.
Let susp i denote the suspicion of plr i .2 Theorem 4. If T is the transcript of the entire protocol we have Proof.From the chain rule for mutual information, we know that ) for all other i ′ .Summing over all rounds in the protocol, we get the theorem.

Keeping reasonable doubt
Until now we have bounded the amount of information the players can leak by the expected increase in some strange measure, suspicion, that we defined for the purpose.But there is no reason to think that someone who is leaking information cares about the expected suspicion towards her afterwards.A more likely scenario, is that each person leaking wants to ensure that after the leakage, an observer will assign probability at most c to the event that she was leaking information.If this is the case after all possible transcripts t, we see that susp i (X, T ) ≤ − log(1 − c).If we assume that each player before the protocol had probability b < c of leaking independently of X, that is Pr( To reach this bound, we would need to have Pr(L i = 1|X = x, T = t) = c for all x, t, i.But the probability Pr(L i = 1|X = x) = b can also be computed as The following theorem improves the upper bound from (9) by taking this into account.
Theorem 5. Let π be a collaborating cryptogenography protocol, and T be its transcript.If for all players plr i and all x ∈ X and all transcripts t we have This follows from the fact that we have equality when Pr(L i = 1|X = x, T = t) is 0 or c, and the left hand side is convex in Pr(L i = 1|X = x, T = t) while the right hand side is linear.
Let π and T be as in the assumptions.Now we get It is clear that the upper bound from Theorem 5 cannot be achieved for all distributions of (X, c n, that is, the players do not have enough information to send to reach the upper bound.Even if H(X) is high, we may not be able to reach the upper bound.If it is known that the suspicion of the players will not depend on the player, only on the messages sent.So this problem will be equivalent to the case where only one person is sending messages.
We will now give an example where the upper bound from Theorem 5 is achievable.We will refer back to this example when we prove that reliable leakage is possible.
Example 1. Assume that X, L 1 , . . ., L n are all independent, and Pr(L i = 1) = b for all i.Furthermore, assume that 0 We will assume that X is uniformly distributed on {1, . . ., d} n .
Each player plr i now sends one message, independently of which messages the other players send.If L i = 0, plr i chooses a message in {1, . . ., d} uniformly at random.If L i = 1 and X i = x i , then plr i chooses a message in {1 + (x i − 1)a, 2 + (x i − 1)a . . ., x i a} mod d uniformly at random. 3e see that over random choice of X, the message, A i , that plr i sends, is uniformly distributed on {1, . . ., d}, so H(A i ) = log(d).We want to compute H(A i |X).Given X, each of the d − a elements not in {1 + (x i − 1)a, 2 + (x i − 1)a . . ., x i a} mod d can only be send if L = 0, so they will be send with probability 1−b d .Each of the a elements in the set {1 + (x i − 1)a, 2 + (x i − 1)a . . ., x i a} mod d are sent with probability b a + 1−b d .Thus The last equality follows from three uses of The tuples (X i , A i , L i ) where i ranges over {1, . . .n} are independent from each other, so we have c n as wanted.Next we want to compute Pr(L i = 1|T = t, X = x).This is 0 if plr i send a message not in {1 + (x i − 1)a, 2 + (x i − 1)a . . ., x i a} mod d.Otherwise we use independence and then Bayes' Theorem to get As we wanted.

Reliable leakage
In the previous example, Frank would receive some information about X in the sense of information theory: Before he sees the transcript, any value of X would be as likely as any other value, and when he knows the transcript, he has a much better idea about what X is.However, his best guess about what X is, is still very unlikely to be correct.Next we want to show that we can have reliable leakage.That is, no matter what value X is taking, we want Frank to be able to guess the correct value with high probability.We will see that this is possible, even when X have entropy close to −b log(1−c)+c log(1−b) c n. Frank's guess would have to be a function D of the transcript t. Saying that Frank will guess X correct with high probability when X = x is that same as saying that Pr(D(T ) = x|X = x) is close to one.Definition 3. Let L = (L 1 , . . ., L n ) be a tuple of random variables, where the L i takes values in {0, 1}.
A risky (n, h, L, c, ǫ)-protocol is a collaborating cryptogenography protocol together with a function D from the set of possible transcripts to X = {1, . . ., 2 ⌈h⌉ } such that when X and L are distributed independently and X is uniformly distributed on X , then for any x ∈ X , there is probability 1 − ǫ that a random transcript t distributed as T | X=x satisfies That is, no matter the value of X, with high probability Frank can guess the value of X, and with high probability no player will be estimated to have leaked the information with probability > c by Eve.However, there might be a small risk that someone will be estimated to have leaked the information with probability > c.This is the reason we call it a risky protocol.A safe protocol is a protocol where this never happens.Definition 4. A safe (n, h, L, c, ǫ)-protocol is a risky (n, h, L, c, ǫ)-protocol where Pr(L i = 1|T = t, X = x) ≤ c for all i, t, x with Pr(T = t, X = x) > 0.
First we will consider the case where L 1 , . . ., L n are independent, and the L i 's all have the same distribution.Definition 5. Let Indep b (n) be the random variable (L 1 , . . ., L n ) where L 1 , . . ., L n are independent, and each L i is distributed on {0, 1} and Pr(L A rate R is safely/riskily c-achievable for Indep b if for all ǫ > 0 and all n 0 , there exists a safe/risky (n, nR, Indep b (n), c, ǫ)-protocol with n ≥ n 0 .
The safe/risky c-capacity for Indep b is the supremum of all safely/riskily c-achievable rates for Indep b .
It turns out that the safe and the risky c-capacities for Indep b are the same, but at the moment we will only consider the safe capacity.
is safely c-achievable for Indep b , and let π be a safe (n, Rn, . We know from Theorem 5 that By Fano's inequality (3) we get that the probability of error for Frank's guess is P e ≥ δn − 1 nR .
Thus for sufficiently large n 0 and sufficiently small ǫ we cannot have P e ≤ ǫ.
When P e > ǫ there must exist an x ∈ X such that Pr(D(T ) = x|X = x) > ǫ, so R is not safely c-achievable.
Next we want to show that all rates R < −b log(1−c)+c log(1−b) c are safely cachievable for Indep b .To do this, we can consider each person to be a usage of a channel, and use Shannon's Noisy-Channel Theorem.
. Now use b and c ′ to define a and d as in Example 1.We consider the channel that on input j with probability b returns a random uniformly distributed element in {1+(j −1)a, 2+(j −1)a . . ., ja} mod d, and with probability 1 − b it returns a random and uniformly distributed element in {1, . . ., d}.We see that each person sending a message, exactly corresponds to using this channel.The computation (11) from Example 1 shows that when input of this channel is uniformly distributed, the mutual information between input and output is . Thus the capacity of the channel is at least this value (in fact, it is this value).We now use Shannon's Noisy-Channel Coding Theorem [8,3] to get an error correcting code C : X → {1, . . ., d} n for this channel, that achieves rate R and for each x fails with probability < ǫ.Now when X = x any player that is not leaking will send a message chosen uniformly at random from {1, . . ., d} and any player plr i with L i = 1 chooses a message uniformly at random from {1 + (j − 1)a, 2 + (j − 2)a, . . ., ja} mod d, where j = C(x) i is the i'th letter in the codeword for x.This ensures that Frank will be able to guess x with probability 1 − ǫ.We see that given X the random variable For a specific code C, the message A i send by plr i may not be uniform, as some letters might occur more often than others as the i'th letter in C(X).On the other hand, given L i = 0, we know that A i is uniformly distributed, and Theorem 1 then implies that the expected increases in suspicion will be strictly greater than the leaked information.The computation (12) shows that the expected increases in suspicion is the same no matter the distribution of C i , but of course the amount of leaked information is greatest when C i is uniformly distributed.
Proof.Follows from Proposition 6 and Theorem 7.
Corollary 8 shows that if you want information about something that some proportion b of the population knows, but no one wants other people to think that they know it with probability > c, you can still get information about the subject, and at a rate of −b log(1−c)+c log(1−b) c bits per person you ask.What if only l persons in the world have the information?They are allowed to blend into a group of any size n, and observers will think that any person in the larger group is as likely as anyone else to have the information.Only the number of persons with the information is known to everyone.
If they are part of a group of n → ∞ people, then each person in the larger group would have the information with probability b = l n .If we forget that exactly l persons know the information, and instead assumed that all the L i s were independent with Pr(L i = 1) = b they would be able to leak bits of information, where e is the base of the natural logarithm.We will see that even in the case where the number of leakers is known and constant, we can still get this rate.First we define the distribution of (L 1 , . . ., L n ) that we get in this case.
Definition 6.Let Fixed(l, n) be the random variable (L 1 , . . ., L n ) that is distributed such that the set of leakers {plr i |L i = 1} is uniformly distributed over all subsets of {plr 1 , . . ., plr n } of size l.
A rate R is safely/riskily c-achievable for Fixed if for all ǫ > 0 and all l 0 , there exists a safe/risky (n, lR, Fixed(l, n), c, ǫ)-protocol for some l ≥ l 0 and some n.
The safe/risky c-capacity for Fixed is the supremum of all safely/riskily cachievable rates for Fixed.
Notice that in this definition, the rate is measured in bits per leaker rather than bits per person communicating.That is because in this setup we assume that the number of people with the information is the bounded resource, and that they can find an arbitrarily large group of person to hide in.
Again, it turns out that the safe and the risky c-capacity for Fixed are actually the same, but for the proofs it will be convenient to have both definitions.
, where e is the base of the natural logarithm is safely c-achievable for Fixed.
Proof.This proof is very similar to the proof of Proposition 6.
Assume for contradiction that R > − log(1−c) c − log(e) is safely c-achievable.Consider a safe (n, lR, Fixed(l, n), c, ǫ)-protocol π.We know from Theorem 5 that Here the second inequality follows from ln(1+x) ≤ x or equivalently log(1+x) By Fano's inequality we get that the probability of error, P e = Pr(D(t) = x) averages over all possible values of x is Thus if we chose l 0 sufficiently large and ǫ sufficiently small we cannot have l ≥ l 0 and P e ≤ ǫ, so that there must be some value x where the probability of error Pr(D(T ) = x|X = x) is greater than ǫ.
One way, and in the author's opinion the most illuminating way, to prove this is similar to the proof of Theorem 7. Again we would consider each player to be a use of a channel.However, in this case the different usages of the channel would not be independent as we know exactly how many people who are leaking.Intuitively, this should not be a problem, it should only make the channel more reliable.However to show that this work, we would have to go through the proof of Shannon Noisy-Channel Coding Theorem, and show that it still works.Instead we will give a shorter but less natural proof.
The idea is to use the same protocol as when we showed the lower bound in Theorem 7.However, for each particular rate R and number of player n, there is a small probability that Frank fail to guess X.The probability that exactly bn players are leaking, when all the L i 's are independent tends to 0 as n tends to infinity, so we could be unlucky that Frank often fais in this case.Instead of using the protocol from Theorem 7 on all the players, we divide the player onto two groups and use Theorem 7 on each group.
− log(e), then we can find rational b > 0 and rational , and let n 0 , ǫ > 0 be given.By Theorem 7 for any ǫ ′ > 0 and any n ′ 0 there exists a safe (n, nR, Indep b (n), c ′ , ǫ ′ )protocol where n > n ′ 0 .Take such a protocol, where ǫ ′ > 0 is sufficiently small and n ′ 0 is sufficiently large.We can also assume that bn is an integer.Now we will use this to make a risky (2n, 2⌈nR⌉, Fixed(2nb), c, ǫ)-protocol.For such a protocol, X should be uniformly distributed on {1, . . ., 2 2⌈nR⌉ }, but instead we can also think of X as a tuple (X 1 , X 2 ) where the X i are independent and each X i is uniformly distributed on {1, . . ., 2 ⌈nR⌉ }.Now we split the 2n persons into two groups of n, and let the first group use the protocol from the proof of Theorem 7 to leak X 1 , and the second group use the same protocol to leak X 2 .We let Franks guess of the value of X 1 be a function D 1 depending only of the transcript of the communication of the first group, and his guess of X 2 be a function D 2 depending only on the transcript of the second group.These functions are the same as D in the proof of Theorem 7. The total number of leakers is 2nb, but the number of leakers in each half varies.Let S Indep denote random variable that gives the number of leakers among n people, when each is leaking with probability b, independently of each other.So S Indep is binomially distributed, S Indep ∼ B(n, b).Let S Fixed,1 denote the number of leakers in the first group as chosen above.Now we have.
Lemma 11.For each k, Proof.We have which is > 1 for k ≥ l and < 1 for k < l.Thus for fixed n and l the ratio we get Given that S Indep = k = S Fixed,1 , the distribution on (L 1 , . . ., L n ) and transcript is the same in the protocol for Indep b as it is for the first group in the above protocol.As Franks guessing function is the same in the two cases, the probability of error given S Indep = k = S Fixed,1 is the same in the two protocols.Let E k denote the probability of error in the protocol for Indep b given S Indep = k, and let E Fixed,1 denote the probability that Franks guess of X 1 is wrong.
By the same argument, the probability that Frank guess X 2 wrong is at most 2ǫ ′ , so the probability that he guess X = (X 1 , X 2 ) is at most 4ǫ ′ .By choosing a sufficiently low ǫ ′ this is less than ǫ/2 To compute the posterior probability Pr(L i = 1|T = t) that plr i was leaking, we have to take the entire transcript from both groups into account.Given T and X, let K denote the set of players who sent a message consistent with knowing X, and let |K| denote the cardinality of K. Let S be the set of the 2l leaking players, and let s be a set of 2l players.Now This is 0 if s contains players who send a message not consistent with having the information, and is constant for all other s.Thus any two players who send a message consistent with having the information, are equally likely to have known X given T and X, so they will have Pr(L i = 1|T = t, X = x) = 2l |K| .So to ensure that Pr(L i = 1|T = t, X = x) ≤ c with high probability (for each x and random t) we only need to ensure that with high probability, |K| ≥ 2l c .We see that We also see that the variance is (2n − 2l)b(1 − b), so for sufficiently high n (and thus l) Chebyshev's inequality, shows that |K| ≥ 2l c with probability 1 − ǫ/2.Thus for sufficiently large n ′ 0 and sufficiently low ǫ ′ , the resulting protocol is a risky (2n, 2⌈nR⌉, Fixed(2nb), c, ǫ)-protocol.

General L-structures
We have shown that the safe c-capacity for Fixed is ≤ − log(1−c) c − log(e) ≤ the risky c-capacity Fixed.To finish the proof that they are both − log(1−c) c − log(e), we only need to show that the safe capacity is not smaller than the risky.Notice that the corresponding claim is not true if we are only interested in the mutual information between X and transcript T .Here we could construct a collaborating cryptography protocol where with very high probability, Pr(L i = 1|T = t) < 10 −100 , and yet I(X; T ) ≥ 10 100 .To do this we need to take X to have extremely high entropy, and with a very low probability a leaking player will send X in a message, and otherwise just send some fixed message.The point of this section is to show that you cannot do something similar for reliable leakage.We will prove this in a setting that generalise Indep b and Fixed.Remember that the difference between Indep b and Fixed capacity is not only in the distributions on (L 1 , . . .L n ), but also in what we are trying to minimize the use of.In Indep b we want to have as few people communicating as possible, while in Fixed we only care about the number of people who are leaking.Our general definition have to capture this difference as well.
Definition 7.An L-structure (L, C) is a set L of joint distributions of (L 1 , . . ., L n ) (where n do not need to be the same for each element), where each L i is distributed on {0, 1}, together with a cost function Indep b is the L-structure (L Indep b , C # ), where L Indep b is the set of distributions on (L 1 , . . ., L n ) (over n ∈ N) where for all i, Pr(L i = 1) = b and the L i are independent, and C # is the function that sends a distribution on (L 1 , . . ., L n ) to n.
Fixed is the L-structure (L Fixed , C Fixed ) of distributions on (L 1 , . . ., L n ) such that for some number l the set {plr i |L i = 1} is uniformly distributed over all subsets of {plr 1 , . . ., plr n } of size l, and C Fixed sends a distribution on (L 1 , . . ., L n ) to this number l.
For an L-structure (L, C) a rate R is safely/riskily c-achievable for (L, C) if for all ǫ > 0 and all h 0 ≥ 0 there exists a safe/riskily (n, h, L, c, ǫ)-protocol with h ≥ h 0 , h ≥ C(L)R and L ∈ L.
The safe/risky c-capacity for (L, C) is the supremum of all safely/riskily c-achievable rates for (L, C).
We see that Definition 7 agrees with Definition 5 and Definition 6, and is much more general.
Proposition 12. Let (L, C) be an L-structure.The safe c-capacity for (L, C) and the risky c-capacity for (L, C) are non-decreasing functions of c.
Proposition 13.Let (L, C) be an L-structure.The safe c-capacity for (L, C) is at most the risky c-capacity for (L, C).
The opposite inequality almost holds.Before we show that, we need a lemma.Lemma 14.For any risky (n, h, L, c, ǫ)-protocol π, there is a risky (n, h, L, c, ǫ)protocol π ′ where each message is either 0 or 1, and given previous transcript and given that the person sending the message is not leaking, there is at least probability 1/3 of the message being 0 and at least 1/3 of it being 1.
Proof.To restrict to {0, 1} we simply send one bit at a time, so now we only have to ensure that the probability of a message sent by a non-leaker being 0 is always in [ 1 3 , 2  3 ].If the next message is 0 with probability p < 1/3, given that the sender is not leaking we modify the protocol (the case where p > 2/3 is similar).First, the player plr i sending the message decides if she would have send 0 or 1 in the old protocol π.Call this message a.If a = 0 she chooses a number in the interval (0, p) uniformly at random, if a = 1 she chooses a number in (p, 1) uniformly at random.She then sends the bits of the number one bit at a time until • She says 1, or • Given transcript until now, there is probability ≥ 1  3 that a = 0 In the first case we then know that a = 1, and we can go to the next round of π.Each time plr i says 0, she doubles the probability that a = 0, so if we are in the second case (and was not before the last message), Pr(a = 0|T ) < 2 3 .In this case she will simply reveal a in the next message.
Instead of choosing a real number uniformly from (0, p) or (p, 1), which would require access to randomness with infinite entropy, plr i can just in each step compute the probabilities of sending 0 or 1 given that she had chosen such a number.Thus if for every probability p ′ every player has access to a coin that ends head up with probability p ′ , they only need a finite number of coin flips to follow the above protocol.
The following lemma almost says that the safe c-capacity for (L, C) is the same as the risky c-capacity for (L, C).Proof.To show this, it is enough to show that if R is a riskily c-achievable rate for (L, C), then R is safely c ′ -achievable for (L, C).Let R be a riskily cachievable rate for (L, C), and let ǫ ′ > 0 and h ′ 0 be given.We want to show that there exists a safe (n ′ , h ′ , L, c ′ , ǫ ′ )-protocol with h ′ ≥ h ′ 0 , L ∈ L and h ′ ≥ C(L)R.As R is riskily c-achievable for (L, C), there exists a risky (n, h, L, c, ǫ)protocol for any ǫ > 0 and some L ∈ L, h ≥ h ′ 0 , h ≥ C(L)R and n.Let π be such a protocol, where ǫ is a small number to be specified later.
We want to modify π to make it a safe protocol π ′ .First, by Lemma 14 we can assume that all messages send in π are in {0, 1} and given that the sender is not leaking, it has probability at least 1/3 of being 0 and at least probability 1/3 of being 1.
To ensure that for no transcript t and player plr i we have Pr(L i = 1|X = x, T = t) > c ′ , we modify the protocol, such that everyone starts to pretends ignorance if the next message could result in Pr(L i = 1|X = x, T k+1 = t k+1 ) > c ′ .Formally, we define a protocol π ′ that starts of as π but if at some point the transcript is t k and for some i and b ∈ {0, 1} we have Pr(L i = 1|T k+1 = t k • b, X = x) > c ′ all the players pretends ignorance, that is for the rest of the protocol they send messages as if they did not have the information and were following π.Notice that only the players who knows the information x can decide if they should pretend ignorance, but this is not a problem as the players who do not have the information, is already sending messages as if they did not have the information.
First we want to show that π ′ is c ′ -safe.As long as they do not pretend ignorance we know that Pr(L i = 1|T k = t k , X = x) ≤ c ′ for the partial transcript t k and all i.If at some point they starts to pretend ignorance, we have Pr(L i = 1|T k = t k , X = x) ≤ c ′ before they start, and all messages will be chosen as if no one had the information.Eve, who knows X, can compute Pr(L i = 1|T k+1 = t k • b, X = x) > c ′ for each i and b, so she knows if everyone is pretending ignorance.Thus, Eve does not learn anything about L from listening to the rest of the communication, so we will still have Pr( Fix x ∈ X .We want to compute the probability that they pretends ignorance given X = x.Let E par,>c ′ denote the event that for transcript T from the execution of π, we can find some k and some i such that we have Pr( That is, at some point in the execution of π, an observer would say that plr i was leaking with probability > c ′ .Let E tot,>c be that event that for the total transcript there is some i such that Pr(L i = 1|T = t, X = x) > c.For each transcript t where Pr(L i = 1|T k = t k , X = x) > c ′ for some k, i, we consider that smallest k such that Pr(L i = 1|T k = t k , X = x) > c ′ happens for some i.For this fixed t k let T −k denote the random variable that is distributed as the rest of the transcript given that the transcript starts with t k and X = x.Let S t k denote the random variable That is, S t k is a function of T −k .We see that S t k takes values in [0, 1] and for all ǫ 1 > 0. Thus, given that E par,>c ′ happens, E tot,>c will happen with probability where the last inequality follows from the assumption about π.
Let E ig be the event that in the evaluation of π ′ the players pretends ignorance.The players only pretends ignorance if they are one message away from making E par,>c ′ happen.We assumed that in π each possible message get sent with probability at least 1/3 if the sender is not leaking.As there is probability at least 1 − c ′ that he is not leaking, each possible message gets sent with probability at least Let T ′ denote the random variable you get from running π ′ and T the random variable you get from running π, with a joint distribution in such a way that (X, L, T ) = (X, L, T ′ ) unless the players pretends ignorance.We need to show that there is a decoding function D ′ from the set of complete transcripts to possible values of X such that for each x, From the assumptions about π we know that there is a function D from the set of possible transcripts to the support of X such that for each x, Pr(D(T ) = x|X = x) ≥ 1 − ǫ.We know that in π ′ and for fixed x, the players only pretends ignorance with probability . For sufficiently small ǫ (depending only on c and c ′ ) this is less than ǫ ′ and we are done.
If we add a continuity assumption, we get that the safe and the risky c capacity are the same.Proof.By Proposition 12, the safe c-capacity for (L, C) is a monotone function, so it is continuous in all but countably many points.Now 16 implies that it is the same as the risky c-capacity for (L, C) in all but countably many points.
As promised, we can now show that for Indep b the safe and the risky ccapacities are the same.Proof.We know from Proposition 9 that the safe c-capacity for Fixed is at most − log(e), we know from Theorem 10 that the risky c ′ fixed capacity is at least − log(1−c) c − log(e), and from Corollary 17 that they are the same except on at most countably many values.Thus they must both be − log(1−c) c − log(e) on all but countably many values.We know from 12 that both are monotone, so they must both be − log(1−c) c − log(e) without exceptions.

The original cryptogenography problem
In [2] the authors studied the following cryptogenographic problem.We flip a coin, and tell the result to one out of n people.The n − 1 other people do not know who got the information.Formally that means we take L = (L 1 , . . ., L n ) to be the random variable that is uniformly distributed over all {0, 1}-vectors (l 1 , . . ., l n ) containing exactly one 1 and take X to be uniformly distributed over {0, 1} independently from L. We let the group of n people use any collaborating cryptogenography protocol, and afterwards we let Frank guess the result of the coin flip (his guess depends only on the transcript) and then let Eve guess who was leaking (her guess can depend on both transcript and Franks guess).Eve wins if she guess the leaker or if Frank does not guess the result of the coin flip.Otherwise Frank and the n people communicating wins.We assume that both Frank and Eve make there guess to maximise the probability that they win, rather than maximise the probability of being correct. 4n [2] it was shown that the probability that the group wins is below 3/4 and for sufficiently high n it is at least 0.5644.In this section we will generalise the problem to a situation were more people are leaking and X contains more information.It is obvious how to generalise X to more information, we simply take X to be uniformly distributed on {1, . . ., 2 ⌈h⌉ }.It is less obvious to generalise to more leakers.When more people are leaking, it would be unreasonable to require Eve to guess all the leakers.If this was the rule, one of the leaking players could just reveal himself as a leaker and say what X is, while the rest of the leakers behave exactly as the non-leakers.Instead we let Eve guess at one person and if that person is leaking, she wins.Definition 8.For fixed values of h, number of leakers l and number of communicating players n > l and a collaborating cryptogenography protocol π, we let Succ(h, l, n, π) denote the probability that after the players communicate using protocol π, Frank will guess the correct value of X but Eve's guess will not be a leaker, assuming the Frank and Eve each guess using the strategy that maximise their own chance of winning.We define where the supremum is over all collaborating cryptogenography protocols π.
In this section we will investigate the asymptotic behaviour of Succ(h, l) when at least one of l and h tends to infinity.First some propositions.
Proposition 20.The probability that the communicating players wins the game does not change if Eve is told the value of X before they starts to communicate.
Proof.If Frank guesses the correct value of X, Eve was going to assume that that was the correct value anyway (as she wants to maximise the probability that she is correct given that Frank was correct), and if Frank guesses wrong, she would win anyway.
In the rest of this section, we will assume that Eve knows the value of X.
Proposition 21.Succ(h, l, n) and Succ(h, l) are non-increasing in h.
Proof.Let h > h ′ and let π be a protocol for parameters h, l, n and let the secret be denoted X.We construct a protocol π ′ with parameters h ′ , l, n and secret denoted by X ′ .In the first round of π ′ , plr 1 announce h − h ′ independent and uniformly chosen bits Y , and from then on, everyone follows protocol π for Proof.We use the strategy used in [2].Let n ′ > n and let π be a protocol for parameters h, l, n.We now construct a sequence of protocols π ′ k for parameters h, l, n ′ .In the protocol π ′ k each non-leaking player thinks of a uniformly chosen number in {1, . . ., k}.First everyone who thought of the number 1 announce that and they are out, then everyone who thought of the number 2 and so on, until only n players a left.If two or more player thought of the same number, we migth end up with less then n players left.In that case the leakers just announce themselves.If we are left with exactly n players, we know that the l leakers are still among them, and we have no further information about who they are.They then use protocol π, and win with probability Succ(h, l, n).As k → ∞, the probability that two players thought of the same number tends to 0, so Succ(h, l, n ′ , π ′ k ) → Succ(h, l, n, π).
Theorem 23.For all p ∈ (0, 1), Proof.We know from Corollary 19 that the safe c-capacity for Fixed is − log(1−c) c − log(e).If we let ǫ > 0, and use this Corollary for c = 1 − p + ǫ/2 we get that for sufficiently high l, n and h = − log(p) 1−p − log(e) l there is a protocol π that will make Frank's probability of guessing wrong at most ǫ/2, and seen from Eve's prespective, no one is leaking with probability > 1 − p + ǫ/2.By the union bound, the probability that Frank is wrong or Eve is correct5 is at most ǫ/2 + 1 − p + ǫ/2, thus the communicating players win with probability at least p − ǫ.

In particular we have
Corollary 24.Let l → ∞ and h = h(l) be a function of l with h = o(l).Then Succ(h, l) → 1.

Proof. Follows from Theorem 23 and Proposition 21
Definition 9. Let the distribution of (X, L 1 , . . ., L n ) be given and let π be a protocol with transcript T and π ′ a protocol with transcript π ′ .For a transcript t of π let µ t denote the distribution (X, L 1 , . . ., L n )| T =t , and similar for transcripts t ′ of π ′ .We say that π and π ′ are equivalent for (X, L 1 , . . ., L n ) (or just equivalent when it is clear what the distribution of (X, L 1 , . . ., L n ) is) if the distribution of µ T is the same as the distribution of µ T ′ .
That is, the probability that the posterior distribution of (X, L 1 , . . ., L n ) is µ has to be the same for both π and π ′ .Notice that for two different distributions of (X, L 1 , . . ., L n ) with the same support, π and π ′ are equivalent for one of them if and only if they are equivalent for the other distribution.Thus, when the support of (X, L 1 , . . ., L n ) is clear, we can simply say equivalent.
The next lemma show that we can ensure that before any player crosses probability c of having the bit, seen from Eve's perspective, that player lands on this probability.
Lemma 26.Let π be any collaborating cryptogenography protocol, let (X, L 1 , . . ., L n ) have any distribution and let c ∈ (0, 1).Then there exists an equivalent collaborating cryptogenography protocol π ′ such that when we use it on (X, L 1 , . . .L n ) and let T ′ denote its transcript, it satisfies: For all x ∈ X , all plr i and all non-empty partial transcripts t ′k , if then there is a k ′ < k such that Proof.Let π, (X, L 1 , . . ., L n ) and c be given, and assume that (x, i) = (x 0 , i 0 ) is a counterexample to the requirement from the lemma.We will then construct a protocol π ′ such that (x 0 , i 0 ) is not a counterexample for π ′ , and any (x, i) that satisfied the requirement for π also satisfy it for π ′ .By induction, this is enough to prove the lemma.
We can assume that the messages in π are send one bit at a time.We say a partial transcript t k is problematic if for some bit value m.Without loss of generality, assume that m = 1.Let p = Pr(T k+1 = 1|T k = t ′k ).We will use the c-notation from from Section 3, so for example Now we modify π.First, the player plr j , who is going to send to k + 1'th message in π, decides if she would have send 0 or 1 in π.If she would have send 1 she sends the bits 11.If she would have send 0 she send 10 with probability p(1−q) q(1−p) ∈ (0, 1), and otherwise she sends 00.In all cases she sends the bits one at a time.They then continue the protocol π as if only the last of the two bits had been send.If we let T ′ denote the transcript of the protocol with this modification, we get So if plr j sends 11 or 10 in the modified protocol, we land on probability c.Let π ′ be the protocol we get from π by doing this modification for each problematic partial transcript t k in π.It is clear that π and π ′ are equivalent, and that any (x, i) that satisfied the requirement before also do afterwards.
Lemma 27.For any c ∈ (0, 1) and any h, l, n, π, we have Succ(h, l, n, π) ≤ 1 − ch+l log(1−c)+lc log(e)−c h .Proof.As Succ(h, l, n) is non-decreasing in n, we can assume that n > l c , so that Pr(L i = 1) < c at the beginning.By Lemma 26 and Proposition 25 we can assume that π satisfy the requirement for π ′ in 26.
Let π ′ be the protocol that starts of as π, but where the players starts to pretend ignorance (as in the proof of Lemma 15) if Pr(L i = 1|T k = t k , X = x) = c for some i, current transcript t k and the true value x of X.This ensures that Pr(L i = 1|T ′ = t, X = x) for all i and t.Let T ′ be the transcript of π ′ .From Theorem 5 we get We let Frank guess as he would if we used protocol π.By Fano's inequality, (3), Frank's probability of being wrong when he only see the transcript of π ′ is In the cases where Frank are wrong in π ′ there are two possibilities: Either the players did not pretend ignorance, in which case Frank would also be wrong if they used protocol π, or they did pretend ignorance so Pr(L i = 1|T k = t k , X = x) = c for some i and some smallest k.When this first happens Eve can just ignore all further messages in π and guess that plr i is leaking.This way she is wins with probability at least c.Thus, all the situations in π ′ where Frank guesses wrong, corresponds to situations in π where Eve would win with probability at least c.So Eve's probability of winning when the players are using protocol π is at least In particular we have Corollary 29.Let h → ∞ and let l = l(h) be a function of h with l(h) = o(h).
Proof.Follows from Theorem 28 and Proposition 21.

Hiding among innocents
Until now we have assumed, that even the players who are not trying to leak information will collaborate.In this section we will show that we do not need the non-leakers to collaborate.As long as some people are communicating innocently, and that communication is sufficiently non-deterministic, we can use these people as if they were collaborating.Formally, we model the innocent communication by an innocent communication protocol.While protocols usually are designed to compute some function, innocent communication protocols is a way of describing what is already going on.An innocent communication protocol ι is a protocol that for each possible partial transcript s k and each player i gives a finite set A i,s k of possible messages that that person can send in the next round, and a probability distribution on that set.In innocent communication protocols every person sends a message in each round.This assumption is not a restriction: if we have a protocol where only one players sends messages at a time, we can turn it into an innocent communication protocol, by requiring that all the other players sends the message "no message" with probability 1.We will only be interested in innocent communication protocols that continues for infinitely many rounds.This assumption is of course unrealistic but in practice we only need it to be long.
Let S denote the random variable that is the infinite transcript we get from running ι, and let S k denote the partial transcript of the first k rounds.For a player plr j and a partial transcript s k of the first k rounds of ι we define where A j,s k is the message sent by plr j in round k + 1.We say that ι is informative if for a random transcript S and for each player k∈N p max,j (S k ) = 0 with probability 1.In other words, if at each round in the protocol you try to guess what message plr j will send in the next round, then with probability 1 you will eventually fail.Notice that the model for innocent communication here is equivalent to what is used in [5], and the definition of informative is almost the same as the definition of always informative in [5] when one player is communicating. 6e say that a collaborating cryptogenography protocol π is revealing if there is a partial transcript t k and a player plr j that is to send the next message A when the transcript is t k and a message a such that plr j will send message a with positive probability if L j = 1 but not if L j = 0.If this is not the case, we say that π is non-revealing. 7The point in cryptogenography is to hide who is sending the information, so we are only interested in non-revealing protocols.
The main theorem of this section is Theorem 30.Let π be a non-revealing collaborating cryptogenography protocol, and let ι be an informative communication protocol.Then there exists a protocol ι π that is equivalent to π, but where the non-leakers follow the protocol ι.
Proof.We construct the protocol ι π and a the same time an interpretation function i that sends transcripts s of ι π to transcripts t of π.We want them to satisfy.
1.For each partial transcript s k of ι π and each player plr j , ι π gives a probability distribution, depending only on X, L j , s k and j that plr j will use to choose his next message.
2. If L j = 0 then plr j choose her messages in ι π using the same distributions as in ι.
3. The interpretation function i sends (infinite) transcripts s of ι π to either transcripts t of π or to "error".The probability of error is 0.
4. If T denote the transcript of π and S denotes the transcript of ι π , then given that i(S) is not error, (X, L 1 , . . ., L n , i(S)) is distributed as (X, L 1 , . . ., L n , T ).

5.
For each transcript t of π, the random variable (X, L 1 , . . ., L n ) is independent from S given i(S) = t.
Here the second requirement ensures that non-leakers can follow the protocol without knowing X or π.In fact, unlike in the collaborating communication protocol, they might be thinking that everyone is just having an innocent conversation.Thus in ι π we refer to the non-leakers as innocents.Notice the important assumption that first the innocent communication protocol ι is defined and then we create a protocol ι π for leaking information on top of that.This corresponds to assuming that the non-leaking players either do not care about the leak, or that they are oblivious to the protocol.If ι was allowed to depend what the leakers does, the non-leaking players could try to prevent the leak, and it would be a very different problem.
The fourth of the above requirements tells us that ι π reveals at least as much about (X, L 1 , . . ., L n ) as π and the last requirement say that we do not learn anything more.This ensures that Frank and Eve, who both know ι π , learns exactly as much from the transcript of ι π as they would from the transcript of π.
Proposition 31.If ι π satisfy the above requirements, then ι π and π are equivalent.
Proof.i gives error with probability 0, so we can ignore all those cases.By requirement 4, i(S) has the same distribution as T , and by requirement 4 and 5 the distribution µ s of (X, L 1 , . . ., L n ) given S = s equals the distribution µ i(s) .
Before we construct the protocol ι π we will define a function i ′ that sends partial transcripts s k ′ of ι π to tuples (t k , [y, z)) where t k is a partial transcript of π, and [y, z) ⊂ [0, 1) is a half-open interval.When i ′ (s k ′ ) = (t k , [y, z)), we refer to t k as the interpretation of s k ′ .Loosely speaking, the point of the interval is that not all message in ι are sufficiently unlikely that they can correspond to a message in π, so instead of interpreting them to a message in π, we store the information by remembering an interval.For an infinite transcript s, the function i ′ will satisfy Thus every time we reveal one more round from the transcript s, we will either learn one message in π from the interpretation of s, or the interval gets smaller or stays the same.If the interpretation of s k ′ is t k , we let j(s k ′ ) denote the index of the player to send the next message in π when the current transcript is )) we say that at time k ′ plr j(s k ′ ) finished sending the message m in π and at time k ′ + 1 plr j(s k ′ +1 ) start sending a new message in π.
Let A t k denote the set of messages that plr j could send in π after transcript t k , and choose some ordering on this set.We now define a function f : By definition of innocent communication protocol, each message in ι is chosen from a finite set, but to explain the point of the function f , imagine for now that ι said that in the next round plr j should send a random real uniformly from in [0, 1).We could now interpret that as the message f (x) ∈ A t k in π.Then ι π would say that if plr j was innocent he should send a number uniformly from [0, 1) and if he was leaking, he should first choose a ∈ A t k using the distribution specified by π, and then send a number chosen uniformly at random from f −1 (a).More generally, if ι said that plr j should choose his next message M from some continuous distribution on R, we could take the quantile function given L j = 0 of the message m → Pr(M < m|L j = 0) to turn it into a message that is uniform on [0, 1) given L j = 0. Unfortunately, there is only finitely many possible message for plr j to sent in each round, so instead of getting a number out of the quantile function, we define a similar function to get an interval.Let i ′ (s k ′ ) = (t k , [y, z)) and let M j,s k ′ denote the set of possible message that plr j can send in round k ′ + 1 when transcript is s k ′ and choose some ordering on the set.Define g : [y, z) → M j,s k ′ by g −1 (m) = {y + t(z − y)|t ∈ [Pr(M < m|L j = 0), Pr(M ≤ m|L j = 0))}.
Thus instead of getting a number in [0, 1) out of m ∈ M j,s k ′ , we get an interval g −1 (m), whose length is proportional to the probability that an innocent player would send that message.If g −1 (m) ⊂ f −1 (a) for some a ∈ A t k we say that plr j send a in π and define i ′ (s k ′ +1 ) = (t k • a, [0, 1)).Otherwise, plr j is not done sending his message and we define i ′ (s k ′ +1 ) = (t k , g −1 (m)).Now if for some k ′ we have i ′ (s k ′ ) = (t, [0, 1)) where t is a complete transcript of π we define i ′ (s k ′′ ) = (t, [0, 1)) for all k ′′ > k ′ and i(s) = t.If for some s no such k ′ exists, we define i(s) to give "error".
Next we define the protocol ι π .Any non-leaking player chooses his messages as given by ι and when the current transcript is s k ′ all players except plr j(s k ′ ) also choose their messages as in ι.When a leaking player, plr j(s k ′ ) , starts sending a message in π, he first chose the message a ∈ A t k using the distribution given by π (this distribution depends on X = x).Next he chooses a number α randomly and uniform in f −1 (a).Until he has send his message in π he will now send messages m such that α ∈ g −1 (m).This uniquely specifies which messages m to send (notice that g will depend on current transcript in ι π , so m is not necessarily the same for every round).When we get to a transcript s k ′ that is interpreted as a complete transcript t of π all the players will just follow ι.In this figure we see an example of how construct a part of ι π .In π, the next player to send a message is plr j .The message A 1 should come from A = {a 1 , a 2 }.We have Pr(A 1 = a 1 |L j = 0) = 0.4, so f : [0, 1) → A sends x ∈ [0, 0.4) to a 1 , and x ∈ [0.4, 1) to a 2 .Now L j = 1, so plr j first chooses a message from A to send, this happens to be a 1 , and then a number α chosen randomly and uniformly from f −1 (a 1 ).In ι, the next message M 1 that plr j sends should be from M 1 = {m 1  1 , m 2 1 }.If plr j was innocent and was following the protocol ι, we would have Pr(M 1 = m 1 1 ) = 0.6, so g 1 : [0, 1) → M 1 sends x ∈ [0, 0.6) to m 1 1 and the rest to m 2 1 .As α ∈ [0, 0.6), plr j now sends the message m 1  1 .We see that g −1 1 (m 1 1 ) overlaps with both f −1 (a 1 ) and f −1 (a 2 ), so and observer cannot yet determine which message in π plr i was sending, so plr j has not send his message yet.His next message M 2 should be send from M 2 = {m 1 2 , m 2 2 }, and again it happens that if he was following ι then Pr(M 2 = m 1 2 ) = 0.6, so g 2 : [0, 0.6) → M 2 sends x ∈ [0, 0.36) to m 1 2 and the rest to m 2 2 .As α ∈ [0, 0.36), plr j sends the message m 1  2 , and now g −1 2 (m 1 2 ) ⊂ f −1 (a 1 ), so now an observer can see that plr j was sending the message a 1 in π, and plr j is done sending his message in π.
We see that if in π a leaking player's distribution of a is exactly the same as a non-leaking players, then the distribution of the number α chosen by the leaking player in uniform on [0, 1).By the definition of g, the probability that a leaking player sends a particular message m in ι π is exactly the probability given by ι, and thus the same as a non-leaking player.Using this reasoning in the opposite direction, this tells us that we can assume that even the innocents, when starting sending a message in π, chooses a uniformly distributed α ∈ [0, 1) and sends the message m such that α ∈ g(m), until they have send the message in π.They may not do that, but the probability of any transcript is the same as if they did.
Finally we need to check that ι π satisfy the 5 requirements.The first two follows from the construction.To show the third, we need to show that with for a random transcript s of ι π there will with probability 1 exists a k ′ such that i ′ (s k ′ ) = (t, [0, 1)) where t is a complete transcript for π.As π only have finitely many rounds, it is enough to show that for each message of π we start sending in ι π , there is probability 1 that we will finish sending it.Assume that i ′ (s k ′ ) = (t k , [0, 1)) for some k ′ , where t k is an incomplete transcript of π, but for all k ′′ > k ′ the interpretation of s k ′′ is still t k .If plr j(s k ′ ) is innocent, everyone will be following ι, so by the assumption that ι is informative, the set of transcripts where the length of the interval does not go to 0 has probability 0. As stated earlier we can assume that when sending a message in π, even the innocents starts by choosing a random number α uniformly from [0, 1).As f only jumps in finitely many points, there is probability 0 that plr j(s k ′ ) chooses one of these points.If he does not, and the length of the interval goes to 0, he will eventually sent his message in π.Thus there is probability 0 that a nonleaker does not send his message.A leaker chooses his random α ∈ [0, 1) using a different distribution, but we can divide [0, 1) into a finite set of intervals (given by f −1 (a)) such that it is uniform on each of these intervals.This tells us that given s k ′ there is a constant K such that, as long as plr j(s k ′ ) is still sending the same message in π, any continuation of the transcript is at most K times more likely when plr j(s k ′ ) is leaking as when he is not leaking.Thus there is still probability K • 0 = 0 that he will not finish his message in π.
For the fourth requirement, we observe that any leaking player is actually choosing messages in π following the distribution given by π, and then making sure that the message send in ι π will be interpreted as the message he wanted to send in π.The innocent players are not doing this, but we have seen that the distribution on the message they send in ι π are the same as if they did.Thus requirement 4 holds.Finally we see that given i(S) = t a player not sending a message in π always follows ι and a player sending a message in π can be thought of as haven chosen an α uniformly from f −1 (a) where a is the next message in transcript t.This is independent from (X, L 1 , . . ., L n ) and thus the last requirement follows.
To implement the protocol ι π the leaking players do not have to chose all the infinitely many digits in a random number α.Instead they can just for each message compute the probability that they would send each message, given that they had chosen an α.We also see that if i(S) does not give an error, then there is some k such that S k determines i(S).Thus for any particular ι π and any ǫ > 0 there is a length k such that, i(S k ) gives a total transcript for π with probability > 1 − ǫ.
In order to find the protocol ι π you need have a description of the protocol ι.This is a strong assumption: even if you are able to communicate innocently, it does not mean that you are aware of the distribution you use to pick your random messages.In steganography, the weaker assumption that you have a random oracle that takes history and player index as input and gives a message following the innocent distribution as output, is sometimes enough [5].However, it is not clear if this weaker assumption is enough for the propose of cryptogenography.While it may not be possible to find ι for all kinds of innocent communications, there are situations where we can approximate ι very well.For example, if a person post blog posts, we can consider the message to be only parity of the minutes in the sending time.This value will probably, for most people, be close to uniformly distributed on {0, 1}.

Open problems
In this paper we only considered how much information l players can leak in an asymptotic sense, where l tends to infinity, and the proof of the achievability results is not constructive.We have not tried to find any explicit protocols that work well for fixed specific values of l and tolerance of errors ǫ, but that would be an interesting possibility for further research.We assumed that both Eve and Frank knew the true distribution q of (X, L 1 , . . ., L n ).It might be interesting to consider the problem where their beliefs, q E and q F are different from q and from each other.
We have only found the c-capacity for Fixed and for Indep b .It would be interesting to find a way to compute the capacity of more general L-structures.
In the setup we considered here, there are two types of players.Some know the information that we want to leak and some do not.We could also imagine that some people know who knows the information, without knowing the information itself, and some could know who knows who knows the information and so on.We could also have people who would only know X if it belongs to some set S, and otherwise only know that X / ∈ S. It is known from the game theory literature that all of this can be described by having a joint distribution (X, P 1 , . . ., P n ) where X is the information we want to leak and P i is the random variable that player i has as information [1].
A different generalisation would be to have players that tries to prevent the leakage by sending misleading information.Such players would also not want to be discovered.If Frank notice that someone is sending misleading information, he could just ignore all the messages send by that person.

Lemma 15 .
Let c ′ > c.The safe c ′ -capacity for (L, C) is at least the same as the risky c-capacity for (L, C).

Corollary 16 .
Let (L, C) be a L-structure.If the safe c-capacity for (L, C) as a function of c is right-continuous at c 0 , or if the risky c-capacity for (L, C) as a function of c is left-continuous at c 0 then the safe c 0 -capacity for (L, C) and the risky c 0 -capacity for (L, C) are the same.Proof.Assume that the safe c-capacity for (L, C) as a function of c a rightcontinuous at c 0 .Then Lemma 15 shows that the risky c-capacity for (L, C) is at most the safe c ′ -capacity for (L, C) for all c ′ > c.By continuity assumption, this gives us that the risky c-capacity for (L, C) is at most the safe c-capacity for (L, C).Proposition 13 shows the opposite inequality.The proof of the second part of the corollary is similar.Corollary 17.Let (L, C) be a L-structure.The safe c-capacity for (L, C) and the risky c-capacity for (L, C) are the same for all but at most countably many values c ∈ (0, 1).

Corollary 18 .
The safe c-capacity for Indep b and the risky c-capacity for Indep b are the same for all c ∈ (0, 1).Proof.We know from Corollary 8 that the safe c-capacity for Indep b is a continous function of c.Now Corollary 16 implies that it is the same as the risky c-capacity for Indep b .Corollary 19.Let c ∈ (0, 1).The safe c-capacity for Fixed and the risky c-capacity for Fixed are both − log(1−c) c − log(e).

Figure 1 :
Figure 1: Example of how to construct a part of ι π .In this figure we see an example of how construct a part of ι π .In π, the next player to send a message is plr j .The message A 1 should come from A = {a 1 , a 2 }.We have Pr(A 1 = a 1 |L j = 0) = 0.4, so f : [0, 1) → A sends x ∈ [0, 0.4) to a 1 , and x ∈ [0.4, 1) to a 2 .Now L j = 1, so plr j first chooses a message from A to send, this happens to be a 1 , and then a number α chosen randomly and uniformly from f −1 (a 1 ).In ι, the next message M 1 that plr j sends should be from M 1 = {m1  1 , m 2 1 }.If plr j was innocent and was following the protocol ι, we would have Pr(M 1 = m 1 1 ) = 0.6, so g 1 : [0, 1) → M 1 sends x ∈ [0, 0.6) to m 1 1 and the rest to m 2 1 .As α ∈ [0, 0.6), plr j now sends the message m1  1 .We see that g −1 1 (m 1 1 ) overlaps with both f −1 (a 1 ) and f −1 (a 2 ), so and observer cannot yet determine which message in π plr i was sending, so plr j has not send his message yet.His next message M 2 should be send from M 2 = {m 1 2 , m 2 2 }, and again it happens that if he was following ι then Pr(M 2 = m 1 2 ) = 0.6, so g 2 : [0, 0.6) → M 2 sends x ∈ [0, 0.36) to m 1 2 and the rest to m 2 2 .As α ∈ [0, 0.36), plr j sends the message m1  2 , and now g −1 2 (m 1 2 ) ⊂ f −1 (a 1 ), so now an observer can see that plr j was sending the message a 1 in π, and plr j is done sending his message in π.