Papers
Topics
Authors
Recent
Search
2000 character limit reached

Distributed Source Encryption

Updated 6 July 2026
  • Distributed Source Encryption is a framework that secures data at the source while ensuring compatibility with distributed coding, storage, and computation.
  • It employs post‐encryption compression using linear and affine mappings to achieve uniform ciphertexts and minimal leakage over public channels.
  • The method balances Slepian–Wolf constraints with key entropy limits, ensuring reliable decoding and robust information-theoretic security.

Searching arXiv for recent and foundational papers on distributed source encryption and closely related formulations. Distributed source encryption denotes a class of multi-terminal security mechanisms in which information observed at separated sources is protected at the source side while remaining compatible with distributed coding, distributed storage, or distributed computation. In the information-theoretic formulation introduced for two correlated sources and correlated keys, it is posed as distributed secure source coding based on the common key cryptosystem, with ciphertexts sent over public channels and keys sent over private channels (Oohama et al., 2021). In broader systems literature, the term also covers source-side protection for shared storage, policy-bound encryption of distributed objects, and threshold partitioning of source data across multiple nodes (Shah et al., 2015, Alston, 2017, Parakh et al., 2010). Across these formulations, a recurrent theme is that security is enforced near the data source rather than delegated to a centralized trusted storage or computation layer.

1. Formal information-theoretic model

The core information-theoretic model considers two discrete memoryless sources (X1,t,X2,t)X1×X2(X_{1,t},X_{2,t})\in\mathcal{X}_1\times\mathcal{X}_2, i.i.d. over time with joint pmf pX1X2p_{X_1X_2}, and two key sources (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_2, i.i.d. with joint pmf pK1K2p_{K_1K_2} (Oohama et al., 2021). For blocklength nn, the source blocks are X1n,X2nX_1^n,X_2^n, the key blocks are K1n,K2nK_1^n,K_2^n, the source pair is independent of the key pair, and X1,X2\mathcal{X}_1,\mathcal{X}_2 are finite fields with operations \oplus and \ominus (Oohama et al., 2021).

Without encryption, the baseline is distributed lossless source coding of Slepian–Wolf type. Encoders

pX1X2p_{X_1X_2}0

map source blocks to compressed representations, and a joint decoder

pX1X2p_{X_1X_2}1

attempts exact reconstruction (Oohama et al., 2021). The correct-decoding set pX1X2p_{X_1X_2}2 contains source pairs that decode exactly, and its cardinality satisfies

pX1X2p_{X_1X_2}3

(Oohama et al., 2021).

With encryption, each node pX1X2p_{X_1X_2}4 applies

pX1X2p_{X_1X_2}5

the ciphertexts pX1X2p_{X_1X_2}6 traverse public channels, and the keys pX1X2p_{X_1X_2}7 are delivered to the joint sink over private channels (Oohama et al., 2021). Decryption is performed by

pX1X2p_{X_1X_2}8

A defining structural condition is compatibility with an underlying distributed source code: for every distributed encryption system pX1X2p_{X_1X_2}9, there must exist (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_20 such that for all source and key sequences,

(K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_21

Hence (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_22 for every key pair (Oohama et al., 2021). This ties distributed source encryption directly to distributed source coding rather than treating encryption as an unrelated overlay.

A related older formulation, "Generalized Secure Distributed Source Coding with Side Information" (Salimi et al., 2010), replaces common-key encryption by stochastic encoders and equivocation constraints. There, Alice and Charlie send compressed descriptions of (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_23 and (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_24 to Bob while Eve observes one channel at a time and has side information (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_25. That model does not use explicit cryptographic keys, but it captures distributed source encryption in a broader information-theoretic sense: secrecy arises from coding structure, source correlation, and receiver side information rather than from a separate secret key (Salimi et al., 2010).

2. Post-encryption compression and affine constructions

The concrete construction emphasized in the framework of Oohama and Santoso uses post-encryption compression (PEC) with linear and affine mappings (Oohama et al., 2021). One first chooses linear maps

(K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_26

and then affine maps

(K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_27

where (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_28 (Oohama et al., 2021). Encryption is applied to the one-time-pad ciphertext: (K1,t,K2,t)X1×X2(K_{1,t},K_{2,t})\in\mathcal{X}_1\times\mathcal{X}_29 By linearity,

pK1K2p_{K_1K_2}0

with pK1K2p_{K_1K_2}1 and pK1K2p_{K_1K_2}2 (Oohama et al., 2021).

At the sink, one computes pK1K2p_{K_1K_2}3, subtracts it from the public ciphertext,

pK1K2p_{K_1K_2}4

and finally applies the Slepian–Wolf decoder pK1K2p_{K_1K_2}5 (Oohama et al., 2021). The same construction is described in the earlier secrecy-amplification paper as a way to overlay a compression layer on top of a distributed one-time-pad system with correlated keys (Santoso et al., 2018).

The central significance of PEC is that it serves two purposes simultaneously. First, it acts as distributed lossless compression of the sources. Second, it acts as secrecy amplification because it “flattens” the distribution of pK1K2p_{K_1K_2}6, making pK1K2p_{K_1K_2}7 close to uniform even when the original keys are correlated (Oohama et al., 2021). In the 2018 formulation, this is expressed as the application of affine encoders constructed from certain linear encoders to encode the ciphertexts before sending them to public communication channels, yielding negligible leakage and negligible decoding error when the rates lie in the appropriate region (Santoso et al., 2018).

The Slepian–Wolf decoder in this scheme is a minimum-entropy decoder: among all source pairs mapping to the observed compressed outputs, it chooses one having minimum empirical entropy pK1K2p_{K_1K_2}8 (Oohama et al., 2021). This choice is standard in universal Slepian–Wolf coding and is used to establish exponential error decay.

3. Security criteria and their interpretation

A major development in distributed source encryption is the replacement of the conventional leakage measure by a stricter source-distribution-independent criterion. The conventional metric is

pK1K2p_{K_1K_2}9

with perfect secrecy defined by nn0 or asymptotic secrecy by nn1 (Oohama et al., 2021). This criterion depends on the actual source distribution nn2.

The 2021 framework introduces a source-distribution-independent maximum mutual information criterion. Let nn3 be any random pair with support equal to the correct-decoding set nn4, and let nn5 be the resulting ciphertexts. Then

nn6

(Oohama et al., 2021). A looser variant maximizes over all source distributions on nn7. The basic inequalities are

nn8

This criterion is described as generally more strict than the commonly used mutual-information criterion because it depends only on the cryptosystem and key distribution, not on the actual source law (Oohama et al., 2021). The paper proves that if the actual source support contains all correctly decodable pairs and

nn9

then necessarily X1n,X2nX_1^n,X_2^n0 (Oohama et al., 2021). It also establishes the lower bound

X1n,X2nX_1^n,X_2^n1

which forces leakage to be large whenever the compressed ciphertext lengths exceed the available key entropy (Oohama et al., 2021).

The 2025 paper returns to the standard mutual information criterion and shows that essentially the same entropic rate boundaries can be derived under this standard criterion, with strong converse results obtained through the information spectrum method and a variant of the Birkhoff–von Neumann theorem (Oohama et al., 17 Jul 2025). It defines leakage as

X1n,X2nX_1^n,X_2^n2

and studies X1n,X2nX_1^n,X_2^n3-reliable and secure rates under fixed non-vanishing error and leakage thresholds (Oohama et al., 17 Jul 2025). This suggests that the earlier non-standard metric and the standard MI criterion are aligned at the level of the fundamental rate region, even though they express secrecy in different ways.

A common misconception is that small mutual information alone captures the whole structure of secure distributed encryption. The 2021 framework explicitly links perfect independence to ciphertext uniformity, and its commentary explains that X1n,X2nX_1^n,X_2^n4 can be viewed as a sum of mutual information and divergence of the ciphertext distribution from uniformity (Oohama et al., 2021). A plausible implication is that secrecy proofs that ignore ciphertext non-uniformity can miss an essential operational constraint in multi-terminal common-key systems.

4. Achievable rate regions and converse theorems

The fundamental rate pair is

X1n,X2nX_1^n,X_2^n5

(Oohama et al., 2021). Reliability is measured by the decoding error probability

X1n,X2nX_1^n,X_2^n6

Two regions determine feasibility. The source side contributes the Slepian–Wolf region

X1n,X2nX_1^n,X_2^n7

(Oohama et al., 2021). The key side contributes the key region

X1n,X2nX_1^n,X_2^n8

(Oohama et al., 2021).

The main 2021 theorem states that for each X1n,X2nX_1^n,X_2^n9,

K1n,K2nK_1^n,K_2^n0

so the reliable and secure rate region under the new security criterion is exactly the intersection of Slepian–Wolf constraints and key-entropy constraints (Oohama et al., 2021). The result is a strong converse: outside that region, either the decoding error tends to K1n,K2nK_1^n,K_2^n1 or the leakage exceeds any fixed K1n,K2nK_1^n,K_2^n2 (Oohama et al., 2021).

The 2025 reformulation under standard mutual information obtains a matching inner bound and several strong converse statements. It defines

K1n,K2nK_1^n,K_2^n3

and

K1n,K2nK_1^n,K_2^n4

again, then proves exact characterization in the key-rich regime K1n,K2nK_1^n,K_2^n5, K1n,K2nK_1^n,K_2^n6, and exact characterization on the Slepian–Wolf sum-rate boundary in the general case (Oohama et al., 17 Jul 2025).

The following table summarizes the entropic structure that recurs across the 2021 and 2025 frameworks.

Component Constraint set Interpretation
Source coding K1n,K2nK_1^n,K_2^n7 Rates required for distributed lossless recovery
Key resources K1n,K2nK_1^n,K_2^n8 Rates supportable by individual and joint key entropy
Secure region K1n,K2nK_1^n,K_2^n9 Simultaneously reliable and secure operation

This characterization makes clear that distributed source encryption is not merely Slepian–Wolf coding followed by a cryptographic wrapper. It is a joint source–key resource allocation problem in which source correlation lowers communication cost while key correlation constrains secure throughput.

5. Structural lemmas, uniformity, and secrecy amplification

A technical hallmark of the theory is the structural lemma derived from an extension of the Birkhoff–von Neumann theorem. For each key pair and ciphertext pair, one defines a stochastic matrix X1,X2\mathcal{X}_1,\mathcal{X}_20 from plaintext pairs to ciphertext pairs. Lemma 1 in the 2021 paper states that for each ciphertext pair,

X1,X2\mathcal{X}_1,\mathcal{X}_21

(Oohama et al., 2021). The 2025 paper gives a related inequality,

X1,X2\mathcal{X}_1,\mathcal{X}_22

and interprets it as a Birkhoff–von Neumann-type restriction induced by decodability (Oohama et al., 17 Jul 2025).

This structure yields an especially important special case. If X1,X2\mathcal{X}_1,\mathcal{X}_23 is uniformly distributed over X1,X2\mathcal{X}_1,\mathcal{X}_24, then the ciphertext pair is exactly uniform over X1,X2\mathcal{X}_1,\mathcal{X}_25 (Oohama et al., 2021). The 2021 paper uses this to show that perfect independence between plaintext and ciphertext forces ciphertext uniformity under the stricter metric. The 2025 paper uses related entropy lower bounds, together with information-spectrum methods, to derive strong converse outer bounds under the standard MI criterion (Oohama et al., 17 Jul 2025).

For affine PEC schemes, the upper bound on leakage is expressed through divergence of compressed keys from uniform: X1,X2\mathcal{X}_1,\mathcal{X}_26 (Oohama et al., 2021). Since Santoso–Oohama had shown that this divergence decays exponentially in the interior of the intersection region, the new criterion also vanishes there (Oohama et al., 2021). The 2018 paper phrases the same phenomenon as secrecy amplification for distributed encrypted sources with correlated keys using affine encoders (Santoso et al., 2018).

This suggests a useful way to view the construction: the affine maps are simultaneously privacy amplifiers and distributed compressors. They reduce the effective correlation of the keys while preserving enough structure for legitimate Slepian–Wolf decoding.

6. Broader variants across storage, access control, and secret sharing

The phrase distributed source encryption also appears in several systems-oriented forms. These do not share a single formal model, but they exhibit a common pattern: source-side protection is made compatible with a distributed backend.

In Lamassu, encryption is performed on the same physical hardware as the primary application, but the ciphertext is intentionally structured to preserve storage-based deduplication (Shah et al., 2015). Each block X1,X2\mathcal{X}_1,\mathcal{X}_27 is hashed, a convergent key is derived using an inner secret key X1,X2\mathcal{X}_1,\mathcal{X}_28,

X1,X2\mathcal{X}_1,\mathcal{X}_29

and the block is encrypted with AES-256 in CBC mode with a fixed IV: \oplus0 (Shah et al., 2015). Metadata are protected separately under an outer key \oplus1 with AES-GCM (Shah et al., 2015). This is a distributed source encryption design in the systems sense: encryption is pushed to hosts, VMs, or gateways, while backend storage still performs content-based deduplication.

In distributed storage systems using ciphertext-policy attribute-based encryption, each file or object is encrypted at the source under its own access policy, and service nodes enforce access through cryptography rather than centralized ACLs (Alston, 2017). The CP-ABE interface is abstracted by \oplus2, \oplus3, \oplus4, and \oplus5, with decryption condition \oplus6 for an attribute set \oplus7 and policy \oplus8 (Alston, 2017). The protocol adds authorization nodes, service nodes, and Master Session Tokens, so that source-side encryption is policy-centric and stateless at the service layer (Alston, 2017).

Another lineage omits conventional encryption keys altogether. In the sensor-network storage scheme of Parakh and Kak, data \oplus9 is embedded as the constant term of

\ominus0

with roots \ominus1 satisfying

\ominus2

(Parakh et al., 2010). Knowledge of any \ominus3 roots does not provide information about \ominus4 with probability greater than \ominus5, and a linear-algebra redundancy layer yields an \ominus6-like threshold scheme (Parakh et al., 2010). This is distributed source encryption in a threshold-partition sense: confidentiality arises from algebraic splitting rather than from a separate key.

A related secret-sharing-based operational design is the Serial Interpolation Filter, which stores each set element via Shamir secret sharing across repositories and supports membership tests without reconstructing the set at any single host (Zage et al., 2015). The data are protected in an information-theoretic sense against fewer than \ominus7 repositories, while a computational extension using discrete logarithms protects against colluding repositories during online queries (Zage et al., 2015).

These variants illustrate an important boundary of the term. In the narrow information-theoretic coding sense, distributed source encryption is a Slepian–Wolf/common-key problem with entropic rate regions (Oohama et al., 2021, Oohama et al., 17 Jul 2025). In systems usage, it can denote source-side encryption compatible with deduplication, policy-based storage, or distributed query processing (Shah et al., 2015, Alston, 2017, Zage et al., 2015). The commonality lies in the location of protection—at the source—and the necessity of preserving some distributed functionality after protection is applied.

7. Relation to adjacent research areas

Distributed source encryption sits at an intersection of distributed source coding, Shannon-style secrecy, secret sharing, and systems cryptography.

Relative to classical Slepian–Wolf coding, the secure version adds key-entropy constraints on top of the usual lossless compression constraints (Oohama et al., 2021). Relative to Shannon’s cipher system, it generalizes the requirement “key length at least message length” into

\ominus8

for two terminals with correlated keys (Oohama et al., 2021). Relative to secure distributed source coding with side information, it clarifies when security can be obtained without explicit keys, by exploiting asymmetry between Bob’s and Eve’s side information (Salimi et al., 2010).

A plausible implication of the 2025 strong-converse results is that the entropic boundary is robust to the choice between the stricter source-distribution-independent metric and the standard mutual-information criterion, at least in the cases fully proved there (Oohama et al., 17 Jul 2025). This narrows the gap between operational information-theoretic security and more conventional MI-based secrecy analyses.

At the systems level, the topic also touches message-locked encryption, attribute-based encryption, and computational secret sharing under key exposure. The key-exposure-resistant sharing model in "Revisiting Shared Data Protection Against Key Exposure" defines SAKE security, requiring indistinguishability both with all shares but no key and with the key plus all but one share (Kapusta et al., 2019). That work proposes encryption-then-sharing schemes, including SSAKE and a sponge-based alternative, for distributed storage settings in which confidentiality must survive key exposure as long as one share remains unavailable (Kapusta et al., 2019). Although its formalism is different from the common-key Slepian–Wolf setting, it belongs to the same broader family of source-side protection mechanisms designed for distributed environments.

More recent learning-oriented work extends the theme to encrypted optimization and federated learning. In "Distributed Additive Encryption and Quantization for Privacy Preserving Federated Deep Learning," key pairs are collaboratively generated without a trusted third party, and a threshold-based secret sharing technique ensures that no one can hold the global private key for decryption while aggregated ciphertexts can be successfully decrypted by a threshold number of clients even if some clients are offline (Zhu et al., 2020). This suggests a convergence between distributed source encryption and secure aggregation: the protected source is now a gradient or model update rather than a source sequence.

Across these domains, a recurring misconception is that distributed source encryption is synonymous either with ordinary end-to-end encryption or with generic distributed storage security. The literature instead shows several distinct technical meanings: common-key secure source coding with correlated sources and keys (Oohama et al., 2021, Oohama et al., 17 Jul 2025), source-side cryptographic enforcement of distributed policies (Alston, 2017), host-side encryption compatible with backend storage functions (Shah et al., 2015), and threshold partitioning of data into algebraically protected shares (Parakh et al., 2010, Zage et al., 2015). The term is therefore best understood as an umbrella concept whose most rigorous rate-theoretic form has been developed in the Oohama–Santoso line of work, while adjacent systems papers instantiate related source-side protection principles in storage and distributed computation.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Distributed Source Encryption.