
\section{Error Probability Bound}\label{appendix:APPENDIX A}
In this section, we give a direct proof for \Cref{direct lemma1}. Specifically, we bound the error probability of the maximum likelihood decoder, and show that under the condition on $T$ in the lemma, the error probability is indeed approaching $0$ as $N \to \infty$.

Under the assumption that all items are equality likely to be defective, we consider the error probability given that the first $K$ items are defective, that is, \revisedSr{$S_{w=1}$} is the defective set. Denote this probability by $P_{e|1}$. We have
\begin{equation*}
P_{e|1} \leq \sum_{i=1}^{K}P(E_i),
\end{equation*}
where $E_i$ is the event of a decoding error in which the decoder declares a defective set which differs from the true one ($S_1$) in exactly $i$ items.
\revisedSr{Note that the discussion below will apply to any defective set $S_w$ of size $K$, hence the probability of error computed decays exponentially for any ``message $W$".}

In general, we follow the derivation in \cite{atia2012boolean}. However, there is a key difference. In the code construction suggested in \Cref{LowerBound}, for each item there are $M$ possible codewords (a ``bin" of size $M$). Only one of these codewords is selected by the mixer to decide in which pool tests the item will participate. Thus, when viewing this problem as a channel coding problem, if an item is defective, one and only one codeword out of its bin is actually transmitted (and summed with the codewords of the other $K-1$ defective items). Since the decoder does not know which codewords were selected in each bin (the randomness is known only to the mixer), there are multiple error events to consider. E.g., events where the decoder choose the wrong codeword for some items, yet identified parts of the bins correctly, and, of course, events where the codeword selected was from a wrong bin. This complicates the error analysis significantly. Moreover, we wish to employ the correction suggested in \cite{atia2015correction}, which results in a simpler yet stricter bound.

Consider the event $E_i$. Clearly, $E_i$ can be broken down into two disjoint events. The first is $E_i$ \emph{and} the event that the codewords selected for the correct $K-i$ items are the true transmitted ones, and the second is the event of both $E_i$ and the event that \emph{at least one of the codewords selected} for the correct items is wrong. Denote the first event as $E'_i$. Now, consider the case where we have $E_i$, that is, a correct decision on $K-i$ items, yet, out of these $K-i$ items, the decoder identified only $j$ codewords right, $0 \leq j < K-i$, and for the rest, it identified a wrong codeword in the right bin. We claim that the probability for this event is exactly $P(E'_{K-j})$, as the decoder has to mistake $\bf{X'}$ for $\bf{X}_{S_1}$, where both are collections of $K$ codewords, and $\bf{X'}$ shares exactly $j$ codewords with $\bf{X}_{S_1}$. Thus, we have:
\begin{eqnarray}\label{E and E'}
P_{e|1} &\leq& \sum_{i=1}^{K}P(E_i) \nonumber\\
&=& \sum_{i=1}^{K}\Big( P(E'_i) + \sum_{j=0}^{K-i-1} {K-i-1 \choose j}P(E'_{K-j}) \Big) \nonumber\\
&\leq&\revisedr{2^K} \sum_{i=1}^{K}P(E'_i).
\end{eqnarray}
The last inequality in \eqref{E and E'} is loose, yet it suffices for the proof in the regime where $K=O(1)$. A more delicate bounding technique might be required if $K$ might grow with $N$.

We now bound $P(E'_i)$. Particularly, we will establish the following lemma.
\begin{lemma}\label{error lemma2 with E'}
The error probability $P(E'_{i})$ is bounded by
\begin{equation*}
P(E'_{i}) \leq 2^{-T\left(E_{o}(\rho)-\rho\frac{\log\binom{N-K}{i}M^i}{T}-\frac{\log\binom{K}{i}}{T}\right)},
\end{equation*}
where the error exponent $E_{o}(\rho)$ is given by
\ifdouble
\begin{multline}
E_{o}(\rho)= -\log \sum_{Y\in \{0,1\}}\sum_{X_{\mathcal{S}^2}\in \{0,1\}}\Bigg[\sum_{X_{\mathcal{S}^1}\in \{0,1\}}P(X_{\mathcal{S}^1})\\
p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})^{\frac{1}{1+\rho}}\Bigg]^{1+\rho},\text{ } 0 \leq\rho \leq1.\nonumber
\end{multline}
\else
\begin{equation*}
 E_{o}(\rho)= -\log \sum_{Y\in \{0,1\}}\sum_{X_{\mathcal{S}^2}\in \{0,1\}}\Bigg[\sum_{X_{\mathcal{S}^1}\in \{0,1\}}P(X_{\mathcal{S}^1}) p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})^{\frac{1}{1+\rho}}\Bigg]^{1+\rho},\text{ } 0 \leq\rho \leq1.
\end{equation*}
\fi
\end{lemma}
\begin{proof}
Denote by
\begin{equation*}\label{weaker_error1}
\mathcal{A} = \{w \in \revisedSr{\mathcal{W}} : |S_{1^{c},w}|=i,|S_{w}|=K\}
\end{equation*}
the set of indices corresponding to sets of $K$ items that differ from the true defective set $S_{1}$ in exactly $i$ items. $S_{1^{c},w}$ for $w \in \revisedSr{\mathcal{W}}$ denotes the set of items which are in $S_w$ but not in $S_1$.

We have
\ifdouble
\begin{eqnarray}\label{weaker_error2}
&& \Pr[E'_i|w_0=1, \textbf{X}_{\mathcal{S}_1},Y^T]\nonumber\\
& \leq & \sum_{w \in \mathcal{A}} \sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}}) \frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\\
& \leq & \sum_{\mathcal{S}_{1,w}} \sum_{\mathcal{S}_{1^{c},w}}\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle \textbf{X}_{\mathcal{S}_{1^{c},w}}})\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\nonumber,
\end{eqnarray}
\else
\begin{eqnarray}\label{weaker_error2}
\Pr[E'_i|w_0=1, \textbf{X}_{\mathcal{S}_1},Y^T] & \leq & \sum_{w \in \mathcal{A}} \sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}}) \frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\\
& \leq & \sum_{\mathcal{S}_{1,w}} \sum_{\mathcal{S}_{1^{c},w}}\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle \textbf{X}_{\mathcal{S}_{1^{c},w}}})\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\nonumber,
\end{eqnarray}
\fi
where \eqref{weaker_error2} is exactly \cite[eq. (25)]{atia2012boolean}, as when considering $E'_i$ we assume the decoder not only got $K-i$ items right, but also the correct codeword in each such bin. Hence
\ifdouble
\begin{eqnarray}
&&\hspace{-0.5cm} \Pr[E_i|w_0=1, \textbf{X}_{\mathcal{S}_1},Y^T]\nonumber\\
&\hspace{-0.5cm} \stackrel{(a)}{\leq} &\hspace{-0.4cm} \Big(\sum_{\mathcal{S}_{1,w}} \sum_{\mathcal{S}_{1^{c},w}}\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}}) \frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\Big)^{\rho}\nonumber\\
&\hspace{-0.5cm} \stackrel{(b)}{\leq} &\hspace{-0.4cm} \Big(\sum_{\mathcal{S}_{1,w}} {\scriptstyle\binom{N-K}{i}M^{i}}\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}})\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\Big)^{\rho}\nonumber\\
&\hspace{-0.5cm} \stackrel{(c)}{\leq} &\hspace{-0.4cm} {\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}}\sum_{\mathcal{S}_{1,w}}\Big(\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}})\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\Big)^{\rho}\nonumber
\end{eqnarray}
\else
\begin{eqnarray}
\Pr[E_i|w_0=1, \textbf{X}_{\mathcal{S}_1},Y^T]&\stackrel{(a)}{\leq} & \Big(\sum_{\mathcal{S}_{1,w}} \sum_{\mathcal{S}_{1^{c},w}}\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}}) \frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\Big)^{\rho}\nonumber\\
& \stackrel{(b)}{\leq} & \Big(\sum_{\mathcal{S}_{1,w}} {\scriptstyle\binom{N-K}{i}M^{i}}\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}})\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\Big)^{\rho}\nonumber\\
&\stackrel{(c)}{\leq} & {\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}}\sum_{\mathcal{S}_{1,w}}\Big(\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}
Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}})\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\Big)^{\rho}\nonumber
\end{eqnarray}
\fi
for all $s>0$ and $0\leq\rho\leq1$. Note that (a) is since the probability is less than $1$ and can be raised to the power of $\rho$. (b) is critical. It follows from the symmetry of codebook construction, namely, the inner summation depends only on the codewords in $\textbf{X}_{\mathcal{S}_{1^{c},w}}$ but not the ones in $\mathcal{S}_{1^{c},w}$.
Due to the code's construction, i.e., its binning structure, there are exactly $\binom{N-K}{i}M^{i}$ possible sets of codewords to consider for $\mathcal{S}_{1^{c},w}$. (c) follows as the sum of positive numbers raised to the $\rho$-th power is smaller than the sum of the $\rho$-th powers.

We now continue similar to \cite{atia2012boolean}, substituting the conditional error probability just derived in a summation over all codewords and output vectors. We have
\ifdouble
\begin{eqnarray}
 P(E'_i) & = & \sum_{\textbf{X}_{\mathcal{S}_{1}}}\sum_{Y^T}p_1(\textbf{X}_{\mathcal{S}^1},Y^T)\Pr[E'_i|w_0=1, \textbf{X}_{\mathcal{S}_1},Y^T]\nonumber\\
& \leq & {\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}}\sum_{\mathcal{S}_{1,w}}\sum_{Y^T}\sum_{\textbf{X}_{\mathcal{S}_{1}}}p_1({\scriptstyle \textbf{X}_{\mathcal{S}^1},Y^T})\nonumber\\
&& \left(\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}})
\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}}})^s} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}}})^s}\right)^{\rho}\nonumber.
\end{eqnarray}
\else
\begin{eqnarray}
 P(E'_i) & = & \sum_{\textbf{X}_{\mathcal{S}_{1}}}\sum_{Y^T}p_1(\textbf{X}_{\mathcal{S}^1},Y^T)\Pr[E'_i|w_0=1, \textbf{X}_{\mathcal{S}_1},Y^T]\nonumber\\
& \leq & {\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}}\sum_{\mathcal{S}_{1,w}}\sum_{Y^T}\sum_{\textbf{X}_{\mathcal{S}_{1}}}p_1({\scriptstyle \textbf{X}_{\mathcal{S}^1},Y^T}) \left(\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}Q({\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}})
\frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}}})^s} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}}})^s}\right)^{\rho}\nonumber.
\end{eqnarray}
\fi
There are $\binom{K}{K-i}$ sets $\mathcal{S}_{1,w}$, and the summation does not depend on which set is it, hence, we get
\ifdouble
\begin{multline*}
P(E'_i) \leq {\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}\binom{K}{i}}\sum_{Y^T}\sum_{\textbf{X}_{\mathcal{S}_{1}}}p_1({\scriptstyle\textbf{X}_{\mathcal{S}^1},Y^T})
\\ \left(\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}Q({\scriptstyle{\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}}}) \frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\right)^{\rho}
\end{multline*}
\else
\begin{equation*}
P(E'_i) \leq {\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}\binom{K}{i}}\sum_{Y^T}\sum_{\textbf{X}_{\mathcal{S}_{1}}}p_1({\scriptstyle\textbf{X}_{\mathcal{S}^1},Y^T})
\left(\sum_{\textbf{X}_{\mathcal{S}_{1^{c},w}}}Q({\scriptstyle{\scriptstyle\textbf{X}_{\mathcal{S}_{1^{c},w}}}}) \frac{{\scriptstyle p_{w}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1^{c},w}})^s}} {{\scriptstyle p_{1}(Y^T,\textbf{X}_{\mathcal{S}_{1,w}}|\textbf{X}_{\mathcal{S}_{1,w^{c}}})^s}}\right)^{\rho}
\end{equation*}
\fi
which continue similar to \cite{atia2012boolean}, results in
\ifdouble
\begin{multline*}
P(E'_i) \leq
{\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}\binom{K}{i}}\Bigg[\sum_{Y}\sum_{X_{\mathcal{S}_{1,w}}}
\\
\Big(\sum_{X_{\mathcal{S}_{1,w^{c}}}}Q({\scriptstyle X_{\mathcal{S}_{1^{c},w}}}) p_1^{1/(1+\rho)}({\scriptstyle X_{\mathcal{S}_{1,w}},Y|X_{\mathcal{S}_{1,w^{c}}}})\Big)^{1+\rho}\Bigg]^T.
\end{multline*}
\else
\begin{equation*}
P(E'_i) \leq
{\scriptstyle\binom{N-K}{i}^\rho M^{i\rho}\binom{K}{i}}\Bigg[\sum_{Y}\sum_{X_{\mathcal{S}_{1,w}}}
\Big(\sum_{X_{\mathcal{S}_{1,w^{c}}}}Q({\scriptstyle X_{\mathcal{S}_{1^{c},w}}}) p_1^{1/(1+\rho)}({\scriptstyle X_{\mathcal{S}_{1,w}},Y|X_{\mathcal{S}_{1,w^{c}}}})\Big)^{1+\rho}\Bigg]^T.
\end{equation*}
\fi
Thus, we have
\begin{equation*}
P(E'_i) \leq 2^{-T\left(E_0(\rho) -\rho\left(\frac{\log{N-K \choose i}}{T}+\frac{i\log M}{T} \right) -\frac{\log{K \choose i}}{T}\right)}.
\end{equation*}
\end{proof}

\section{Problem Formulation}\label{formulation}
In \emph{SGT}, a legitimate user desires to identify a small unknown subset $\mathcal{K}$ of defective items from a larger set $\mathcal{N}$, while \revised{minimizing} the number of measurements $T$ and keeping the eavesdropper, which is able to observe a subset of the tests results, ignorant regarding the status of the $\mathcal{N}$ items.
\revised{Let} $N=|\mathcal{N}|$, $K=|\mathcal{K}|$ denote the total number of items, and the number of defective items, respectively.
\revised{As formally defined below, the legitimate user should (with high probability) be able to correctly estimate the set $\mathcal{K}$; on the other hand, from the eavesdropper’s perspective, this set should be ``almost" uniformly distributed over all possible ${N}\choose{K}$ sets. We assume that the number $K$ of defective items in $\mathcal{K}$ is known {\it a priori} to all parties - this is a common assumption in the GT literature \cite{macula1999probabilistic}.}\footnote{\revised{If this is not the case, \cite{damaschke2010competitive,damaschke2010bounds} give methods/bounds on how to ``probably approximately" correctly learn the value of $K$ in a single stage with $O(\log N)$ tests.}}
\off{The status of the items, defective or not, should be kept secure from the eavesdropper, but detectable to the legitimate user. We assume that the number $K$ of defective items in $\mathcal{K}$ is known a priori. This is a common assumption in the GT literature \cite{macula1999probabilistic}.}

Throughout the paper, we use boldface to denote matrices, capital letters to denote random variables, lower case letters to denote their realizations, and calligraphic letters to denote the alphabet. Logarithms are in base $2$ and $h_b(\cdot)$ denotes the binary entropy function.

\Cref{figure:secure-group-testing} gives a graphical representation of the model.
In general, and regardless of security constraints, \revised{non-adaptive} GT is defined by a testing matrix
\begin{equation*}
\textbf{X}=[X_{1}^{T};X_{2}^{T};\ldots; X_{N}^{T}] \in \{0,1\}^{N\times T},
\end{equation*}
where each row corresponds to a separate item $j\in\{1,\ldots,N\}$, and each column corresponds to a separate pool test $t\in\{1,\ldots,T\}$.
For the $j$-th item,
\begin{equation*}
X_{j}^{T}=\{X_{j}(1),\ldots, X_{j}(T)\}
\end{equation*}
is a binary row vector, with the $t$-th entry $X_{j}(t)=1$ if and only if item $j$ participates in the $t$-th test.
\ifdouble
\begin{figure*}
  \centering
  \includegraphics[trim=0cm 0cm 0cm 0cm,clip,scale=0.8]{secure-group-testing4.png}
  \caption{Noiseless non-adaptive secure group-testing setup.}
  \label{figure:secure-group-testing}
\end{figure*}
\else
\begin{figure*}
  \centering
  \includegraphics[trim=0cm 0cm 0cm 0cm,clip,scale=0.78]{secure-group-testing4.png}
  \caption{Noiseless non-adaptive secure group-testing setup.}
  \label{figure:secure-group-testing}
\end{figure*}
\fi
If $A_j\in \{0,1\}$ \revised{denotes} an indicator function for the $j$-th item, determining whether it belongs to the defective set, i.e., $A_j=1$ if $j \in \mathcal{K}$ and $A_j = 0$ otherwise, \revised{the (binary) outcome of the $t \in \{1,\ldots,T\}$ pool test $Y(t)$ equals}
\begin{equation*}
\revised{Y(t)=\bigvee_{j=1}^{N}X_{j}(t)A_j=\bigvee_{d\in \mathcal{K}}X_{d}(t)},
\end{equation*}
where $\bigvee$ is used to denote the boolean OR operation. \off{\revised{The second equality follows since only defective items influence whether or not test outcome is positive.}}

\off{\revised{In our SGT model, as in the Wyer wiretap-$II$ model, the eavesdropper is allowed to  observe {\it any} $\delta T$ test outcomes of its choice.
The adversary’s observations are denoted by $Z^{T}=\{Z(1),\ldots, Z(T)\}$, of which $(1-\delta)T$ are {\it erasures}. Specifically, $Z(t) = Y(t)$ if the $t$-th test is not erased, and $Z(t) = ?$ if it is erased.}}
In SGT, we assume an eavesdropper \revisedSr{who} observes a noisy vector $Z^{T}=\{Z(1),\ldots, Z(T)\}$, generated from the outcome vector $Y^{T}$. In the erasure case considered in the work, the probability of erasure is $1-\delta$, i.i.d.\ for each test.
That is, on average, $T\delta$ outcomes are not erased and are accessible to the eavesdropper via $Z^{T}$. Therefore, in the erasure case, if $B_t\in \{1,?\}$ is an erasure indicator function for the $t$-th pool test, i.e., $B_t=1$ with probability $\delta$, and $B_t=?$ with probability $1-\delta$, the eavesdropper observes
\begin{equation*}
Z(t)=Y(t)B_t= \revised{\left(\bigvee_{j=1}^{N}X_{j}(t)A_j\right)B_t},\text{ }\text{ } t=1,\ldots,T.
\end{equation*}

Denote by \revisedSr{$W \in \mathcal{W} \triangleq \{1,\ldots, {N \choose K}\}$} the index of the \emph{subset of defective items}. We assume $W$ is uniformly distributed, that is, there is no \emph{a priori} bias \revised{towards} any specific subset.\footnote{\revised{This is a common probabilistic model for the set of defectives in group-testing. Another model, called {\it Probabilistic Group Testing}, assumes that items are defective with probability $K/N$. Yet another model assumes that any set of size at most K (rather than exactly $K$) instantiates with equal probability. In many group-testing scenarios results for one probabilistic model for the set of defectives can be translated over to other scenarios, so we focus on the model presented above, where {\it exactly} $K$ items are defective.}}
Further, denote by $\hat{W}(Y^T)$ the index recovered by the legitimate decoder, after observing $Y^T$. In this work, we assume that the mixer may use a \emph{randomized} testing matrix. In this case, the random bits used are know only to the mixer, and are not assumed to be shared with the decoder. In other words, the ``codebook" which consists of all possible testing matrices is known to all parties, Alice, Bob and Eve. \revisedSr{However, if the mixer choose a specific} $\textbf{X}$, the random value is not shared with Bob or Eve. We refer to the codebook consisting of all possible matrices, together with the decoder at Bob's side as SGT algorithm. \off{We refer to the testing matrix, together with the decoder as a \emph{SGT algorithm}.
\revised{Note that all parties (Alice, Bob, and Eve) know the testing matrix {\it a priori}.}}

As we are interested in the asymptotic behavior, \revised{i.e., in ``capacity style" results, with a focus on the number of tests $T$ (as a function of $N$ and $K$) required to guarantee high probability of recovery as the number of items $N$ grows without bound. For simplicity, in the first part of this work, we focus primarily on the regime where $K$ is a constant independent of $N$.} In \Cref{efficient_algorithms}, we give an algorithm which applies to any $K$.\footnote{\revised{Following the lead of~\cite{aldridge2017capacity}, in principle, many of our results in this section as well can be extended to the regime where $K = o(N^{1/3})$, but for ease of presentation we do not do so here).}} The following definition lays out the goals of SGT algorithms.
\begin{definition}
A sequence of SGT algorithms with parameters $N,K$ and $T$ is asymptotically \revised{(in N)} \emph{reliable} and \emph{weakly} or \emph{strongly} secure if,

\hspace{-0.3cm}(1) \emph{Reliable}: \revised{The probability (over the index $W$) of incorrect reconstruction of $W$ at the legitimate receiver converges to zero. That is,}
\begin{equation*}
\lim_{N \to \infty} P(\hat{W}(Y^T) \ne W) = 0.
\end{equation*}
(2) \emph{Weakly secure}: \revised{One potential security goal is so-called {\it weak information-theoretic security} against eavesdropping. Specifically, if the eavesdropper observes $Z^T$, a scheme is said to be weakly secure if}
\begin{equation*}
\lim_{T \to \infty} \frac{1}{T}I(W;Z^T) = 0.
\end{equation*}
(3) \emph{Strongly secure}: \revised{A stronger notion of security is so-called {\it strong information-theoretic security} against eavesdropping. Specifically, if the eavesdropper observes $Z^T$, a scheme is said to be strongly secure if}
\begin{equation*}
\lim_{T \to \infty}I(W;Z^T) = 0.
\end{equation*}
\end{definition}
\revised{
\begin{remark}
  Note that strong security implies that in the limit the distribution over $Z^T$ is essentially statistically independent of the distribution over $W$. Specifically, the {\it KL divergence} between $p_{Z^T,W}$ and $p_{Z^T}p_{W}$ converges to $0$.
\end{remark}
\begin{remark}
  While weak security is a much weaker notation of security against eavesdropping than strong security, and indeed is implied by strong security, nonetheless we consider it in this work for the following reason. Our impossibility result will show that even guaranteeing weak security requires at least a certain number of tests, and our achievability results will show that essentially the same number of tests suffices to guarantee strong security. Hence both our impossibility and achievability results are with regard to the corresponding ``harder to prove" notion of security.
\end{remark}
To conclude, the goal in this work is to design (for parameters $N$ and $K$) an $N \times T$ measurement matrix (which is possibly randomized) and a decoding algorithm $Wˆ(Y^T)$, such that on observing $Y^T$, the legitimate decoder can (with high probability over $W$) identify the subset of defective items, and yet, on observing $Z^T$, the eavesdropper learns essentially nothing about the set of defective items.
}
\off{
To conclude, The goal is to design (for parameters $N$ and $K$) an $N\times T$ measurement matrix and a decoding algorithm $\hat{W}(Y^T)$, such that observing $Y^{T}$, the legitimate user will identify the subset of defective items (with high probability), yet, observing $Z^{T}$, the eavesdropper cannot (asymptotically) identify the status of the items, defective or not.
} 
\section{Conclusions}\label{conc}
In this paper, we proposed a novel non-adaptive SGT algorithm, which with parameters $N,K$ and $T$ is asymptotically \emph{reliable} and \emph{secure}. Specifically, when the fraction of tests observed by Eve is $0 \leq \delta <1$, we prove that the number of tests required for both correct reconstruction at the legitimate user (with high probability) and negligible mutual information at Eve's side is $\frac{1}{1-\delta}$ times the number of tests required with no secrecy constraint.
We further provide sufficiency and necessity bounds on the number of tests required in the SGT model to obtains both, \emph{reliability} and \emph{secrecy} constraints.
Moreover, we analyze in the proposed secure model, computationally efficient algorithms at the legitimate decoder, previously considered for the non-secure GT in the literature which identify the definitely non-defective items.

\section{Efficient Algorithms}\label{efficient_algorithms}
The achievability result given in \Cref{direct theorem1} uses a random codebook and ML decoding at the legitimate party. The complexity burden in ML, however, prohibits the use of this result for large $N$. In this section, we derive and analyze an efficient decoding algorithm, which maintains the reliability result using a much simpler decoding rule, at the price of only slightly more tests. The secrecy constraint, as will be clear, is maintained by construction, as the codebook and mixing process do not change compared to the achievability result given before. Moreover, the result in this section will hold for any $K$, including even the case were $K$ grows linearly with $N$.

Specifically, we assume the same codebook generation and the testing procedure given in \Cref{LowerBound}, and analyze the \emph{Definite Non-Defective} (DND) algorithm, previously considered for the non-secure GT in the literature \cite{chan2014non,aldridge2014group}.
The decoding algorithm at the legitimate user is as follows. Bob attempts to match the rows of \textbf{X} with the outcome vector $Y^T$. If a particular row $j$ of \textbf{X} has the property that all locations $t$ where it has $1$, also corresponds to a $1$ in $Y(t)$, then that row \emph{can correspond to a defective item}. If, however, the row has $1$ at a location $t$ where the output has $0$, then it is not possible that the row corresponds to a defective item. The problem, however, when considering the code construction in this paper for SGT, is that the decoder does not know which row from each bin was selected for any given item. Thus, it takes a conservative approach, and declares an item as defective if at least one of the rows in its bin signals it may be so. An item is not defective only if \emph{all the rows in its bin prevent it from being so}.

It is clear that this decoding procedure has no false negatives, as a defective item will always be detected. It may have, though, false positives. A false positive may occur if all locations with ones in a row corresponding to a non-defective item are hidden by the ones of other rows corresponding to defective items and selected by the mixer. To calculate the error probability, fix a row of $\textbf{X}$ corresponding to a non-defective item (a row in its bin). Let $j_1;\ldots;j_k$ index the rows of $\textbf{X}$ corresponding to the $K$ defective items, and selected by the mixer for these items (that is, the rows which were actually added by the Boolean channel).
An error event associated with the fixed row occurs if at any test where that row has a $1$, at least one of the entries $X_{j_1}(t), \ldots, X_{j_k}(t)$ also has a $1$. The probability for this to happen, per column, is $p(1-(1-p)^K)$. Hence, the probability that a test result in a fixed row is hidden from the decoder, in the sense that it cannot be declared as non defective due to a specific column, is
\[
p(1-(1-p)^K)+(1-p) = 1-p(1-p)^K.
\]
Since this should happen for all $T$ columns, the error probability for a fixed row is $\left(1-p(1-p)^K\right)^T$. Now, to compute the error probability for the entire procedure we take a union bound over all $M(N-K)$ rows corresponding to non-defective items. As a result, we have
\ifdouble
\begin{eqnarray}\label{eq:PeComp}
  P_e &\leq& M(N-K)\left(1-p(1-p)^{K}\right)^T
\nonumber\\
& \stackrel{(a)}{\leq}& MN\left(1-\frac{y}{K}\left(1-\frac{y}{K}\right)^{K}\right)^{\beta K\log N}
\nonumber\\
&=& MN\left(1-\frac{y}{K}\left(1-\frac{y}{K}\right)^{K-1}\left(1-\frac{y}{K}\right)\right)^{\beta K\log N}
\nonumber\\
& \stackrel{(b)}{\leq}& MN\left(\left(1-\frac{y\left(1-\frac{y}{K}\right)}{Ke^{y}}\right)^{K}\right)^{\beta\log N}
\nonumber\\
& \stackrel{(c)}{\leq}& MNe^{-y\left(1-\frac{y}{K}\right)e^{-y}\beta\log N}\nonumber\\
&\leq& MN^{1-y\left(1-\frac{y}{K}\right)e^{-y}\beta\frac{1}{\ln 2}}
\nonumber\\
& \stackrel{(d)}{=}& MN^{1-\frac{1}{2}\beta (1-\frac{\ln2}{K})}
\nonumber\\
&\stackrel{(e)}{=}& 2^{\beta (\delta-\epsilon) \log N}N^{1-\frac{1}{2}\beta (1-\frac{\ln2}{K})}
\nonumber\\
&=& N^{\beta (\delta-\epsilon)}N^{1-\frac{1}{2}\beta (1-\frac{\ln2}{K})}
\nonumber\\
&\leq& N^{1-\beta\left(\frac{1}{2}(1-\frac{\ln 2}{K})-\delta \right)}.
\end{eqnarray}
\else
\begin{eqnarray}\label{eq:PeComp}
  P_e &\leq& M(N-K)\left(1-p(1-p)^{K}\right)^T
\nonumber\\
& \stackrel{(a)}{\leq}& MN\left(1-\frac{y}{K}\left(1-\frac{y}{K}\right)^{K}\right)^{\beta K\log N}
\nonumber\\
&=& MN\left(1-\frac{y}{K}\left(1-\frac{y}{K}\right)^{K-1}\left(1-\frac{y}{K}\right)\right)^{\beta K\log N}
\nonumber\\
& \stackrel{(b)}{\leq}& MN\left(\left(1-\frac{y\left(1-\frac{y}{K}\right)}{Ke^{y}}\right)^{K}\right)^{\beta\log N}
\nonumber\\
& \stackrel{(c)}{\leq}& MNe^{-y\left(1-\frac{y}{K}\right)e^{-y}\beta\log N}\nonumber\\
&\leq& MN^{1-y\left(1-\frac{y}{K}\right)e^{-y}\beta\frac{1}{\ln 2}}
\nonumber\\
& \stackrel{(d)}{=}& MN^{1-\frac{1}{2}\beta (1-\frac{\ln2}{K})}
\nonumber
\end{eqnarray}
\begin{eqnarray}
&\hspace{-3.4cm} \stackrel{(e)}{=}& 2^{\beta (\delta-\epsilon) \log N}N^{1-\frac{1}{2}\beta (1-\frac{\ln2}{K})}
\nonumber\\
&\hspace{-3.4cm}=&N^{\beta (\delta-\epsilon)}N^{1-\frac{1}{2}\beta (1-\frac{\ln2}{K})}
\nonumber\\
&\hspace{-3.4cm}\leq&N^{1-\beta\left(\frac{1}{2}(1-\frac{\ln 2}{K})-\delta \right)}.
\end{eqnarray}
\fi
In the above, (a) follows by taking $p=y/K$ and setting $T$ as $\beta K\log N$, for some positive $y$ and $\beta$, to be defined. (b) follows since $e^{-y} \leq (1-y/n)^{n-1}$ for small $y>0$ and any integer $n >0$. In the sequence below, we will use it with $y=\ln 2$, for which it is true. (c) follows since $e^{-x} \ge (1-x/n)^{n}$ for $x>0$ and any integer $n >0$. (d) follows by choosing $y=\ln 2$. (e) is by setting $M=2^{T\frac{\delta-\epsilon}{K}}$ and substituting the value for $T$.

The result in \eqref{eq:PeComp} can be interpreted as follows. As long as $\delta$, the leakage probability at the eavesdropper, is smaller than $\frac{1}{2}(1-\frac{\ln 2}{K})$, choosing $T=\beta K \log N$ with a large enough $\beta$ results in an exponentially small error probability. For example, for large enough $K$ and $\delta=0.25$, one needs $\beta > 4$, that is, about $4K\log N$ tests to have an exponentially small (with $N$) error probability while using an efficient decoding algorithm. To see the dependence of the error probability on the number of tests, denote
\[
\epsilon = \beta\left(\frac{1}{2}\left(1-\frac{\ln 2}{K}\right)-\delta\right) - 1.
\]
Then, if the number of tests satisfies
\[
T \ge \frac{1+\epsilon}{\frac{1}{2}(1-\frac{\ln 2}{K})-\delta} K \log N
\]
one has
\[
P_e \leq N^{-\epsilon}.
\]
Thus, while the results under ML decoding (\Cref{direct theorem1}) show that any value of $\delta <1$ is possible (with a $\frac{1}{1-\delta}$ toll on $T$ compared to non-secure GT), the analysis herein suggests that using the efficient algorithm, one can have a small error probability only for $\delta < 1/2$, and the toll on $T$ is greater than $\frac{1}{\frac{1}{2}-\delta}$. This is consistent with the fact that this algorithm is known to achieve only half of the capacity for non-secure GT \cite{aldridge2014group}. However, both these results may be due to coarse analysis, and not necessarily due to an inherent deficiency in the algorithm.
\begin{remark}[Complexity]
It is easy to see that the algorithm runs over all rows in the codebook, and compares each one to the vector of tests' results. The length of each row is $T$. There are $N$ items, each having about $2^{\frac{\delta}{K}T}$ rows in its bin. Since $T=O(K \log N)$, we have $O(N^2)$ rows in total. Thus, the number of operations is $O(N^2T)=O(KN^2 \log N)$. This should be compared to $O(KN\log N)$ without any secrecy constraint.
\end{remark}

\Cref{fig:DND_simulation} includes simulation results of the secure DND GT algorithm proposed, compared with ML decoding and the upper and lower bounds on the performance of ML.
\ifdouble
\begin{figure}
  \centering
  \includegraphics[trim= 1.6cm 0.0cm 0cm 0.5cm,clip,scale=0.228]{Success_Prob_of_all_the_DND_ML_items_N_500_K_3_Delta_01_NumIterations_8000_date_2017_3_11_6_54_v3-eps-converted-to.pdf}
  \caption{\emph{Definite Non-Defective} and ML simulation results.}
  \label{fig:DND_simulation}
\end{figure}
\else
\begin{figure}
  \centering
  \includegraphics[trim= 0cm 0.0cm 0cm 0.5cm,clip,scale=0.4]{Success_Prob_of_all_the_DND_ML_items_N_500_K_3_Delta_01_NumIterations_8000_date_2017_3_11_6_54_v3.eps}
  \caption{\emph{Definite Non-Defective} and ML simulation results.}
  \label{fig:DND_simulation}
\end{figure}
\fi


\section{Introduction}\label{intro}
The classical version of Group Testing (GT) was suggested during World War II in order to identify syphilis\revised{-}infected draftees while dramatically reducing the number of required tests \cite{dorfman1943detection}. Specifically, when the number of infected draftees, $K$, is much smaller than the population size, $N$, instead of examining each blood sample individually, one can conduct a small number of of \emph{pooled samples}. Each pool outcome is negative if it contains no infected sample, and positive if it contains at least one infected sample. The problem is thus to identify the infected draftees via as few pooled tests as possible. \Cref{basic_testing} (a)-(c) depicts a small example.

Since its exploitation in WWII, GT \revised{has been} utilized in numerous fields, including biology and chemistry \cite{du1999combinatorial,macula1999probabilistic}, communications \cite{varanasi1995group,cheraghchi2012graph,wu2015partition,wu2014achievable}, sensor networks \cite{bajwa2007joint}, pattern matching \cite{clifford2007k} and web services \cite{tsai2004testing}. GT \revised{has} also found applications in the emerging field of Cyber Security, e.g., detection of significant changes in network traffic \cite{cormode2005s}, Denial of Service attacks \cite{xuan2010detecting} and indexing information for data forensics \cite{goodrich2005indexing}.

Many \revised{scenarios} which utilize GT \revised{involve} sensitive information which should not be revealed if some of the tests leak \revised{(for instance, if one of the several labs to which tests have been distributed for parallel processing is compromised). However, in GT, leakage of even a single pool-test outcome may reveal significant information about the tested items. If the test outcome is negative it indicates that none of the items in the pool is defective;} if it is positive, at least one of the items in the pool is defective (see \Cref{basic_testing} (d) for a short example). Accordingly, \revised{it is critical to} \revisedSr{ensure} that a leakage of a fraction of the pool-tests \revised{outcomes} to undesirable or malicious eavesdroppers does not give them any useful information on the status of the items.
It is very important to note that \emph{protecting GT is different from protecting the communication between the parties}.
\revisedSr{To protect GT, one should make sure that information about the status of individual items is not revealed if a fraction of the test outcomes leaks.}
\off{To protect the communication, one should merely protect the bits transmitted, and can do so by encoding them before the transmission.} However, in GT, we do not want to assume one entity has access to all pool-tests, and can apply some encoding function before they are exposed. We also do not want to assume a mixer can add a certain substance that will prevent a third party from testing the sample. To protect GT, one should make sure that without altering mixed samples, if a fraction of them leaks, either already tested or not, information is not revealed.

While the current literature includes several works on the privacy in GT algorithms for digital objects \cite{atallah2008private,goodrich2005indexing,freedman2004efficient,rachlin2008secrecy}, these works are based on cryptographic schemes, assume the testing matrix is not known to all parties, \revisedSr{impose} a high computational burden, and, last but not least, assume the computational power of the eavesdropper is limited \cite{tagkey2004391,C13}. \emph{Information theoretic security} \revised{considered for secure communication} \cite{C2,C13}, on the other hand, if applied appropriately to GT, can offer privacy at the price of \emph{additional tests}, without keys, obfuscation or assumptions on limited power. \revised{Due to the analogy between channel coding and group-testing regardless of security constraints, \cite{atia2012boolean,baldassini2013capacity}, in \Cref{BooleanCompressed} we present an extensive survey of the literature on secure communication as well.}
\subsection*{Main Contribution}
In this work, we formally define Secure Group Testing (SGT), suggest SGT algorithms based on information\revised{-}theoretic principles and analyse their performance. In the considered model, there is an eavesdropper \revised{Eve who might} observe part of the \revised{vector of pool-tests outcomes}. The goal of the test designer is to design the tests \revised{in a manner} such that a legitimate decoder can decode the status of the items (\revised{whether the items are} defective or not) with an arbitrarily small error probability. \revised{It should {\it also} be the case that as} long as \revised{Eve} the eavesdropper gains only part of the output vector (a fraction $\delta$ \revised{- a bound on the value of $\delta$ is known {\it a priori} to the test designer, but which specific items are observed is not), Eve} cannot (asymptotically, \revised{as the number of items being tested grows without bound}) gain any significant information on the status of \revised{any of} the items.

We propose a SGT code and \revised{corresponding decoding} algorithms which \revised{ensure high of reliability (with high probability over the test design, the legitimate decoder should be able to estimate the status of each item correctly)}, as well as \revised{\emph{strong secrecy}} conditions \revised{(as formally defined in \Cref{formulation}) - which ensures that essentially no information about the status of individual items’ leaks to Eve.}

\revised{Our first SGT code and corresponding decoding algorithm (based on Maximum Likelihood (ML) decoding) requires a number of tests that is essentially information-theoretically optimal in N, K and  $\delta$ (as demonstrated in \Cref{converse} by corresponding information-theoretic converse that we also show for the problem).}

\revised{The second code and corresponding decoding algorithm, while requiring a constant factor larger number of tests than is information-theoretically necessary (by a factor that is a function of $\delta$), is computationally efficient. It maintains the reliability and secrecy guarantees, yet requires only O($N^2T$) decoding time, where $T$ is the number of tests.}
\ifdouble
\begin{figure}
\centering
\begin{subfigure}[b]{0.24\textwidth}
\includegraphics[scale=0.7]{LabPoolTesting2.png}
\caption{}
\end{subfigure}
\begin{subfigure}[b]{0.24\textwidth}
\includegraphics[scale=0.7]{LabPoolTesting3.png}
\caption{}
\end{subfigure}
\begin{subfigure}[b]{0.24\textwidth}
\includegraphics[scale=0.7]{LabPoolTesting4.png}
\caption{}
\end{subfigure}
\begin{subfigure}[b]{0.24\textwidth}
\includegraphics[scale=0.7]{SLabPoolTesting21.png}
\caption{}
\end{subfigure}
\else
\begin{figure}
\begin{flushleft}
\begin{subfigure}[b]{0.232\textwidth}
\includegraphics[scale=0.7]{LabPoolTesting2.pdf}
\caption{}
\end{subfigure}
\begin{subfigure}[b]{0.232\textwidth}
\includegraphics[scale=0.7]{LabPoolTesting3.pdf}
\caption{}
\end{subfigure}
\begin{subfigure}[b]{0.232\textwidth}
\includegraphics[scale=0.7]{LabPoolTesting4.pdf}
\caption{}
\end{subfigure}
\begin{subfigure}[b]{0.232\textwidth}
\includegraphics[scale=0.7]{SLabPoolTesting21.pdf}
\caption{}
\end{subfigure}
\end{flushleft}
\fi
\caption[]{Classical group testing: \textit{An example of test results, a simple decoding procedure at the legitimate decoder and the risk of leakage. The example includes 7 items, out of which at most one defective (the second one in this case; unknown to the decoder). Three pooled tests are conducted. Each row dictates in which pooled tests the corresponding item participates. (a) Since the first result is negative, items 1 and 6 are not defective. (b) The second result is positive, hence at least one of items 2 and 4 is defective. (c) Based on the last result, as item 4 cannot be defective, it is clear that 2 is defective. Note that decoding in this case is simple: any algorithm which will simply rule out each item whose row in the matrix is not compatible with the result will rule out all but the second item, due to the first and last test results being negative, thus identifying the defective item easily. (d) An eavesdropper who has access to part of the results (the first two) can still infer useful information. Our goal is construct a testing matrix such that such an eavesdropper remains ignorant.}}
\label{basic_testing}
\end{figure}

\off{
We further provide sufficiency and necessity bounds on the number of tests required, and show that the code construction, together with Maximum Likelihood (ML) decoding is order-optimal (in $N$, $K$ and $\delta$). The second algorithm, while missing the exact behaviour with respect to $\delta$, is highly efficient, maintains the reliability and secrecy guarantees, yet requires only $O(N^2T)$ operations, where $T$ is the number of tests.}

We do so by proposing a model, which is, in a sense, analogous to a \revised{{\it wiretap channel model}}, as depicted in \Cref{figure:group_testing_model}.
\revised{In this analogy the subset of defective items (unknown {\it a priori} to all parties) takes the place of a confidential message. The testing matrix (representing the design of the pools - each row corresponds to the tests participated in by an item, and each column corresponds to a potential test) is a succinct representation of the \revisedSr{encoder's} codebook. Rows or disjunctive unions of rows of this testing matrix can be considered as codewords.} The decoding algorithm is analogous to a channel decoding process, and the eavesdropped signal is the output of \textit{an erasure channel}, namely, having only any part of the transmitted signal from the legitimate source to the legitimate receiver.

\revised{In classical non-adaptive group-testing, each row of the testing matrix comprises of a length-$T$ binary vector which determines which pool-tests the item is tested in.
In the SGT code constructions proposed in this work, each item instead corresponds to a vector chosen uniformly at random from a pre-specified set of random and independent vectors.}
Namely, we use \emph{stochastic encoding}, and each vector \revised{corresponds to different sets of} pool-tests \revised{an item may participate in}. For each item the lab picks one of the vectors in its set \revised{(we term the set associated with item $j$ as \revisedSr{``Bin j"})} \revised{uniformly} at random, and the item participates in the pool-tests according to this randomly chosen vector.
\revised{The set \revised{(\revisedSr{``}Bin")} is known {\it a priori} to all parties, but the specific vector chosen by the encoder/mixer is only known to the encoder/mixer, and hence is {\it not a shared key/common randomness} in any sense.} A schematic description of our procedure is depicted in \Cref{fig:WiretapCoding}. \off{It is important to note, though, that the randomness is required only at the lab (the ``mixer"), and it is \emph{not a shared key} in any sense.}
\ifdouble
\begin{figure}
  \centering
  \includegraphics[trim=9cm 9.2cm 1cm 9.05cm,clip,scale=0.85]{SecureGroupTestModelE.pdf}
 
  \caption{\revised{An analogy between a wiretap erasure channel and the corresponding SGT model.}}
  \label{figure:group_testing_model}
\end{figure}
\else
\begin{figure}
  \centering
  \includegraphics[trim=6cm 9.2cm 0cm 9.05cm,clip,scale=1]{SecureGroupTestModelE.pdf}
 
  \caption{\revised{An analogy between a wiretap erasure channel and the corresponding SGT model.}}
  \label{figure:group_testing_model}
\end{figure}
\fi

Accordingly, by obtaining a pool-test result, without knowing the specific vectors chosen by the lab for each item, the eavesdropper may gain only negligible information regarding the items themselves. Specifically, we show that \revised{by careful design of the testing procedure,} even though the pool-tests in which each item participated \revised{are} chosen randomly and even though the legitimate user does not know \emph{a-priori} in which pool-tests each item has participated, the legitimate user \revised{will, with high probability over the testing procedure, be able to correctly identify the set of defective items,} while the eavesdropper, observing only a subset of the pool-test results, will have no significant information regarding the status of the items.

The structure of this work is as follows. In \Cref{BooleanCompressed}, we present an extensive survey and summarize the related work. In \Cref{formulation}, a SGT model is formally described. \Cref{main results} includes our main results, with the direct proved in \Cref{LowerBound} and converse proved in \Cref{converse}. \Cref{efficient_algorithms} describes \revised{a computationally} efficient algorithm, and proves an upper bound on its error probability. \Cref{conc} concludes the paper.




\section{Code Construction and a Proof for \Cref{direct theorem1}} \label{LowerBound}
In order to keep the eavesdropper, which obtains only a fraction $\delta$ of the outcomes, ignorant regarding the status of the items, we \emph{randomly} map the items to the tests. Specifically, as depicted in \Cref{fig:WiretapCoding}, for each item we generate a bin, containing several rows. The number of such rows \emph{corresponds} to the number of tests that the eavesdropper can obtain, yet, unlike wiretap channels, \emph{it is not identical} to Eve's capacity, and should be normalized by the number of defective items.
Then, for the $j$-th item, we randomly select a row from the $j$-th bin. This row will determine in which tests the item will participate.

In order to rigorously describe the construction of the matrices and bins, determine the exact values of the parameters (e.g., bin size), and analyze the reliability and secrecy, we first briefly review the representation of the GT problem as a channel coding problem \cite{atia2012boolean}, together with the components required for SGT.

A SGT code consists of an index set \revisedSr{$\mathcal{W} =\{1,2,\ldots \binom{N}{K}\}$}, its $w$-th item corresponding to the $w$-th subset $\mathcal{K}\subset \{1,\ldots,N\}$; A discrete memoryless source of randomness $(\mathcal{R},p_R)$, with known alphabet $\mathcal{R}$ and known statistics $p_R$; An encoder,
\begin{equation*}
f : \revisedSr{\mathcal{W}} \times \mathcal{R} \rightarrow \mathcal{X}_{S_w}\in\{0,1\}^{K\times T}
\end{equation*}
which maps the index $W$ of the defective items to a matrix $\textbf{X}^{T}_{S_{w}}$ of codewords, each of its rows corresponding to a different item in the index set $S_w$\revisedSr{, $w\in \mathcal{W}$, $|S_w|=K$}.
The need for a \emph{stochastic encoder} is similar to most encoders ensuring information theoretic security, as randomness is required to confuse the eavesdropper about the actual information \cite{C13}. Hence, we define by $R_K$ the random variable encompassing the randomness required \emph{for the $K$ defective items}, and by $M$ the number of rows in each bin. Clearly, $M^K=H(R_K)$.

At this point, \revisedSr{an} important clarification is in order. The lab, of course, does not know which items are defective. Thus, operationally, it needs to select a row for each item. However, in \emph{the analysis}, since only the defective items affect the output (that is, only their rows are \revisedSr{ORed together} to give $Y^T$), we refer to the ``message" as the index of the defective set $w$ and refer only to the random variable $R_K$ required to choose the rows in their bins.
In other words, unlike the analogous communication problem, in GT, \emph{nature} performs the actual mapping from $W$ to $\textbf{X}^{T}_{S_{w}}$. The mixer only mixes the blood samples according to the (random in this case) testing matrix it has.  

A decoder at the legitimate user is a map
\begin{equation*}
\hat{W} : \revisedSr{\mathcal{Y}}^{T} \rightarrow \revisedSr{\mathcal{W}}.
\end{equation*}
The probability of error is $P(\hat{W}(Y^{T})\neq W)$. The probability that an outcome test leaks to the eavesdropper is $\delta$. We assume a memoryless model, i.e., each outcome $Y(t)$ depends only on the corresponding input $X_{S_w}(t)$, and the eavesdropper observes $Z(t)$, generated from $Y(t)$ according to
\begin{equation*}
p(Y^T,Z^T|X_{S_w})=\prod_{t=1}^{T}p(Y(t)|X_{S_w}(t))p(Z(t)|Y(t)).
\end{equation*}
We may now turn to the detailed construction and analysis.
\ifdouble
\begin{figure}
  \centering
  \includegraphics[trim= 9.3cm 8cm 2cm 7.6cm,clip,scale=0.9]{Wiretap_coding5_one_col.pdf}
  \caption{Binning and encoding process for a SGT code.}
  \label{fig:WiretapCoding}
\end{figure}
\else
\begin{figure}
  \centering
  \includegraphics[trim= 6.3cm 8cm 2cm 7.6cm,clip,scale=1]{Wiretap_coding5_one_col.pdf}
  \caption{Binning and encoding process for a SGT code.}
  \label{fig:WiretapCoding}
\end{figure}
\fi
\subsubsection{Codebook Generation}
\revisedSr{Choose M such that $$\log_2(M) = T(\delta-\epsilon^{\prime})/(K)$$}\off{Set $M = 2^{T\frac{\delta-\revised{\epsilon^{\prime}}}{K}}$.}\revisedSr{for some $\epsilon^{\prime}>0$. $\epsilon^{\prime}$ will affect the equivocation.}
Using a distribution $P(X^{T})=\prod^{T}_{i=1}P(x_i)$, for each item generate $M$ independent and identically distributed codewords $x^{T}(m)$, $1 \leq m \leq M$\off{, where $\epsilon$ can be chosen arbitrarily small}.
The codebook is depicted in the left hand side of \Cref{fig:WiretapCoding}.
Reveal the codebook to Alice and Bob. We assume Eve may have the codebook as well.
\subsubsection{Testing}
For each item $j$, the mixer/lab selects uniformly at random one codeword $x^{T}(m)$ from the $j$-th bin.
Therefore, the SGT matrix contains $N$ randomly selected codewords of length $T$, one for each item, defective or not. Amongst is an unknown subset $X^{T}_{S_{w}}$, with the index $w$ representing the true \revisedSr{defective items}. An entry of the $j$-th random codeword is $1$ if the $j$-item is a member of the designated pool test and $0$ otherwise.
\subsubsection{Decoding at the Legitimate Receiver}
The decoder looks for a collection of $K$ codewords $X_{S_{\hat{w}}}^{T}$, \textit{one from each bin}, for which $Y^T$ is most likely. Namely,
\begin{equation*}
P(Y^{T}|X_{S_{\hat{w}}}^{T})>P(Y^{T}|X_{S_{w}}^{T}), \forall w \neq \hat{w}.
\end{equation*}
Then, the legitimate user (Bob) declares $\hat{W}(Y^T)$ as the set of bins in which the rows $\hat{w}$ reside.
\subsection{Reliability}
Let $(\mathcal{S}^{1},\mathcal{S}^{2})$ denote a partition of the defective set $S$ into disjoint sets $\mathcal{S}^{1}$ and $\mathcal{S}^{2}$, with cardinalities $i$ and $K-i$, respectively.\footnote{\revisedSr{This partition helps decompose the error events into classes,  where in class $i$ one already knows $K-i$ defective items, and the dominant error event corresponds to missing the other $i$. Thus, it is easier to present the error event as one ``codeword" against another. See Appendix~\ref{appendix:APPENDIX A} for the details.}}
Let $I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)$ denote the mutual information between $X_{\mathcal{S}^1}$ and $X_{\mathcal{S}^2},Y$, under the i.i.d.\ distribution with which the codebook was generated and remembering that $Y$ is the output of a Boolean channel.
The following lemma is a key step in proving the reliability of the decoding algorithm.
\begin{lemma}\label{direct lemma1}
If the number of tests satisfies
\begin{eqnarray*}
T  \geq (1+\varepsilon)\cdot\max_{i=1,\ldots ,K} \frac{\log\binom{N-K}{i}M^i}{I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)},
\end{eqnarray*}
then, under the codebook above, as $N\rightarrow \infty$ the average error probability approaches zero.
\end{lemma}
Next, we \revisedn{prove} \Cref{direct lemma1}, which extends the results in \cite{atia2012boolean} to the codebook required for SGT. Specifically, to obtain a bound on the required number of tests as given in \Cref{direct lemma1}, we first state Lemma 2, which bounds the error probability of the ML decoder using a Gallager-type bound \cite{gallager1968information}.
\revisedn{
\begin{definition}
The probability of error event $E_{i}$ in the ML decoder defined, as the event of mistaking the true set for a set which differs from it in exactly $i$ items.
\end{definition}
\begin{lemma}\label{error lemma2}
The error probability $P(E_{i})$ is bounded by
\begin{equation*}
P(E_{i}) \leq 2^{-T\left(E_{o}(\rho)-\rho\frac{\log\binom{N-K}{i}M^i}{T}-\frac{\log\binom{K}{i}}{T}\revisedr{-\frac{K}{T}}\right)},
\end{equation*}
where the error exponent $E_{o}(\rho)$ is given by
\ifdouble
\begin{multline}
E_{o}(\rho)= -\log \sum_{Y\in \{0,1\}}\sum_{X_{\mathcal{S}^2}\in \{0,1\}}\Bigg[\sum_{X_{\mathcal{S}^1}\in \{0,1\}}P(X_{\mathcal{S}^1})\\
p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})^{\frac{1}{1+\rho}}\Bigg]^{1+\rho},\text{ } 0 \leq\rho \leq1.\nonumber
\end{multline}
\else
\begin{equation*}
E_{o}(\rho)= -\log \sum_{Y\in \{0,1\}}\sum_{X_{\mathcal{S}^2}\in \{0,1\}}\Bigg[\sum_{X_{\mathcal{S}^1}\in \{0,1\}}P(X_{\mathcal{S}^1})
p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})^{\frac{1}{1+\rho}}\Bigg]^{1+\rho},\text{ } 0 \leq\rho \leq1.
\end{equation*}
\fi
\end{lemma}
In Appendix \ref{appendix:APPENDIX A} we analyze the bound provided in \Cref{error lemma2}.
Note that there are two main differences compared to non-secured GT. First, the decoder has $\binom{N}{K}M^K$ possible subsets of codewords to choose from, $\binom{N}{K}$ for the number of possible bins and $M^K$ for the number of possible rows to take in each bin. Thus, when fixing the error event, there are $\binom{N-K}{i}M^i$ subsets to confuse the decoder.
Moreover, due to the bin structure of the code, there are also many ``wrong" codewords which are not the one transmitted on the channel, hence create a decoding error codeword-wise, yet the actual bin decoded may still be the right one.}
\begin{proof}[Proof of \Cref{direct lemma1}]
\revisedn{
For this lemma, we follow the derivation in \cite{atia2012boolean}. However, due the different code construction, the details are different.
Specially, for each item there is a \emph{bin} of codewords, from which the decoder has to choose. Define
\begin{equation*}
\emph{f}(\rho) = E_{o}(\rho)-\rho\frac{\log\binom{N-K}{i}M^i}{T}-\frac{\log\binom{K}{i}}{T}\revisedr{-\frac{K}{T}}.
\end{equation*}
We wish to show that  $T\emph{f}(\rho)\rightarrow \infty$ as $N \rightarrow \infty$.
Note that $\log\binom{K}{i}$ is a constant for the fixed $K$ regime. Thus for large $T$ we have $\lim_{T \rightarrow \infty} \emph{f}(0) = 0$.}
Since the function $\emph{f}(\rho)$ is differentiable and has a power series expansion, for a sufficiently small $\alpha$, by Taylor series expansion in the neighborhood of $\rho \in [0,\alpha]$ \revisedn{we have}
\begin{equation*}
\emph{f}(\rho) = \emph{f}(0) + \rho \frac{d\emph{f}}{d\rho} \mid_{\rho = 0} + \Theta(\rho^2).
\end{equation*}
\revisedn{Now,}
\ifdouble
\begin{eqnarray}
&& \hspace{-0.85cm} \frac{\partial E_{o}}{\partial\rho} |_{\rho = 0}\nonumber\\
&\hspace{-0.7cm}  = &\hspace{-0.5cm} \sum_Y \sum_{X_{\mathcal{S}^2}}[\sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})\log p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})\nonumber\\
&\hspace{-0.7cm}  - &\hspace{-0.5cm} \sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1}) \sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})]\nonumber\\
&\hspace{-0.7cm}  = &\hspace{-0.5cm} \sum_Y \sum_{X_{\mathcal{S}^2}}\sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})\nonumber\\
&& \hspace{-0.85cm} \log\frac{p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})}{\sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})
= I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y).\nonumber
\end{eqnarray}
\else
\begin{eqnarray}
&& \hspace{-0.85cm} \frac{\partial E_{o}}{\partial\rho} |_{\rho = 0}\nonumber\\
&\hspace{-0.7cm}  = &\hspace{-0.5cm} \sum_Y \sum_{X_{\mathcal{S}^2}}[\sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})\log p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})\nonumber\\
&\hspace{-0.7cm}  - &\hspace{-0.5cm} \sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1}) \sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})]\nonumber\\
&\hspace{-0.7cm}  = &\hspace{-0.5cm} \sum_Y \sum_{X_{\mathcal{S}^2}}\sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1}) \log\frac{p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})}{\sum_{X_{\mathcal{S}^1}}P(X_{\mathcal{S}^1})p(Y,X_{\mathcal{S}^2}|X_{\mathcal{S}^1})
= I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y).\nonumber
\end{eqnarray}
\fi
\revisedn{
Hence, if
\begin{equation*}
(1+\varepsilon)\frac{\log\binom{N-K}{i}M^i}{T}<I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)
\end{equation*}
for some constant $\varepsilon > 0$, the exponent is positive for large enough $T$ and we have $P(E_{i})\rightarrow 0$ as $T\rightarrow \infty$ for $\rho > 0$.
Using a union bound one can show that taking the maximum over $i$ will ensure a small error probability in total.}
\end{proof}
\revisedn{The expression $I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)$ in \Cref{direct lemma1} is critical to understand how many tests are required, yet it is not a function of the problem parameters in any straight forward mannar. We now bound it to get a better handle on $T$.}
\begin{claim}\label{InformationClaim}
For large $K$, and under a fixed input distribution for the testing matrix $(\frac{\ln(2)}{K},1-\frac{\ln(2)}{K})$, the mutual information between $X_{\mathcal{S}^1}$ and $(X_{\mathcal{S}^2},Y)$ is lower bounded by
\begin{equation*}
I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)\geq \frac{i}{K}.
\end{equation*}
\end{claim}
\begin{proof}[Proof of \Cref{InformationClaim}]\revisedn{First, note that}
\begin{eqnarray*}\label{eq:MutualInfB}
I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)
&&\hspace{-0.6cm} \stackrel{(a)}{=} I(X_{\mathcal{S}^1};X_{\mathcal{S}^2})+I(X_{\mathcal{S}^1};Y|X_{\mathcal{S}^2})\nonumber\\
&&\hspace{-0.6cm} = H(Y|X_{\mathcal{S}^2})-H(Y|X_{\mathcal{S}})\nonumber\\
&&\hspace{-0.6cm} \stackrel{(b)}{=} q^{K-i}H(q^{i})\nonumber\\
&&\hspace{-0.6cm} = q^{K-i}\left[q^{i}\log\frac{1}{q^{i}}
+  \left( 1 - q^{i}\right)\log\frac{1}{\left(1- q^{i}\right)}\right],
\end{eqnarray*}
\revisedn{where equality (a) follows since the rows of the testing matrix are independent, and (b) follows since $H(Y|X_{\mathcal{S}})$ is the uncertainty of the legitimate receiver given $X_{\mathcal{S}}$, thus when observing the noiseless outcomes of all pool tests, this uncertainty is zero. Also, note that the testing matrix is random and i.i.d.\ with distribution $(1-q,q)$, hence the probability for $i$ zeros is $q^i$.}

\revisedn{Then, under a fixed input distribution for the testing matrix $(p=\frac{\ln(2)}{K},q=1-\frac{\ln(2)}{K})$ and large $K$ it is easy to verify that the bounds meet at the two endpoint of $i=1$ and $i=K$, yet the mutual information is concave in $i$ thus the bound is obtained. This is demonstrated graphically in \Cref{figure:Mutual_Information_Bound}.}
\end{proof}
\ifdouble
\begin{figure}
  \centering
  \includegraphics[trim=2.2cm 14.4cm 1.5cm 7.2cm,clip,scale=0.52]{MATLAB.pdf}
  \caption{Mutual Information Bound}
  \label{figure:Mutual_Information_Bound}
\end{figure}
\else
\begin{figure}
  \centering
  \includegraphics[trim=2.2cm 14.4cm 1.5cm 7.2cm,clip,scale=0.8]{MATLAB.pdf}
  \caption{Mutual Information Bound}
  \label{figure:Mutual_Information_Bound}
\end{figure}
\fi
Applying \Cref{InformationClaim} to the expression in \Cref{direct lemma1}, we have
\begin{equation*}
\frac{\log\binom{N-K}{i}M^i}{I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)} \leq \frac{\log\binom{N-K}{i}M^i}{\frac{i}{K}}.
\end{equation*}
Hence, substituting $M=2^{T\frac{\delta-\revised{\epsilon_K}}{K}}$, a sufficient condition for reliability is
\begin{eqnarray*}
T &\ge& \max_{1 \leq i \leq K}\frac{1+\varepsilon}{\frac{i}{K}}\left[ \log\binom{N-K}{i} + \frac{i}{K}T(\delta-\revised{\epsilon_K}) \right]
\end{eqnarray*}
Rearranging terms results in
\begin{eqnarray}\label{eq:reduce_h}
T & \ge & \max_{1 \leq i \leq K} \frac{1}{1-\revised{\delta +\epsilon_K-\varepsilon\delta+\varepsilon\epsilon_K}}\frac{1+\varepsilon}{i/K}\log\binom{N-K}{i},\nonumber
\end{eqnarray}
\revised{where by reducing $\epsilon_K$ and $\varepsilon\epsilon_K$ we increase the bound on $T$, and with some constant $\varepsilon > 0$.}
Noting that this is for large $K$ and $N$, and that $\varepsilon$ is independent of them, achieves the bound on $T$ provided in \Cref{direct theorem1} and reliability is established.
\off{
\subsection{Scaling Regime Of $K=o(N)$} \label{K=o(N)}
Now, we point out that the result in \Cref{direct lemma1} can be extended to the more general case where both $N$ and $K$ are allowed to scale simultaneously such that $K=o(N)$.
From the Lagrange form of the Taylor Series expansion, we can write $E_{o}(\rho)$ in terms of its first derivative evaluated at zero and a remainder term which depends on the second derivative.
We have already shown that $E_{o}(0)=0$ and $E_{o}^{\prime}(0)=I(X_{\mathcal{S}^1};Y|X_{\mathcal{S}^2})>0$.
Consequently, we need to lower bound $E_{o}(\rho)$ by taking the worst-case second derivative.
Establishing this result requires a more careful analysis, and hence, we present it in Appendix \ref{appendix:APPENDIX D}.
It is shown that the same sufficient condition on the number of tests in \Cref{direct lemma1} holds up to an extra $polylog(K)$ factor for an arbitrarily small average error probability, thus,
\begin{equation*}
\lim_{\substack{N \rightarrow \infty\\K=o(N)}}P_e\rightarrow 0.
\end{equation*}
Namely,
\begin{lemma}\label{direct lemma3}
If the number of tests satisfies
\begin{eqnarray*}
T & \geq & \max_{1 \leq i \leq K} \frac{\log\binom{N-K}{i}+(\log\binom{K}{i}K\revisedn{+ K})\log^2(K/i)}{(1/2-\delta)i/K},
\end{eqnarray*}
then, under the codebook above, as $N\rightarrow \infty$ and $K=o(N)$ the average error probability approaches zero.
\end{lemma}
\begin{proof}
From the expression of $P(E_i)$ we have that
\begin{multline*}
\hspace{-0.4cm} \sum_{i}P(E_i) \leq K \max_{i} P(E_i)\leq\max_{i}K \revisedn{\exp K}\\
\exp\left(-T\left(E_{o}(\rho)-\rho\frac{\log\binom{N-K}{i}M^{i}}{T}-\frac{\log\binom{K}{i}}{T}\right)\right).
\end{multline*}
Consequently, we need to ensure that
\begin{equation*}
TE_{o}(\rho) \geq \rho\log\binom{N-K}{i}M^{i}+\log\binom{K}{i}+\log K \revisedn{+ K}.
\end{equation*}
Now using the lower bound for $E_{o}(\rho)$ , we have
\begin{eqnarray*}
E_{o}(\rho) &\geq& \rho I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)-\frac{\rho^2}{2}|(E_{o}(0))^{\prime\prime}|\\
& \geq & \rho I(X_{\mathcal{S}^1};X_{\mathcal{S}^2},Y)-\frac{\rho^2}{2}\frac{i}{K}\log^2\frac{K}{i}\\
& \geq & \rho \frac{i}{K}-\frac{\rho^2}{2}\frac{i}{K}\log^2\frac{K}{i}
\end{eqnarray*}
where the last inequality follows from the lower bound for the mutual information in the noiseless case provided in \Cref{InformationClaim}.
Substituting this lower bound, we obtain
\begin{eqnarray*}
T\rho\frac{i}{K}&&\hspace{-0.7cm} \left( 1 -\frac{\rho}{2}\log^2\frac{K}{i} \right)\\
&& \geq  \rho\log\binom{N-K}{i}M^{i}+\log\binom{K}{i}+\log K \revisedn{+ K}.
\end{eqnarray*}
Hence, with $M=2^{T\frac{\delta}{K}}$, since $\epsilon$ can be chosen arbitrarily small, we have
\begin{eqnarray*}
T\rho\frac{i}{K}&&\hspace{-0.7cm} \left( 1-\frac{\rho}{2}\log^2\frac{K}{i} \right)\\
&& \geq  \rho\log\binom{N-K}{i}2^{T\frac{i\delta}{K}}+\log\binom{K}{i}+\log K  \revisedn{+ K}.
\end{eqnarray*}
By choosing $\rho=\frac{1}{\log^2(K/i)}$ and
\begin{eqnarray*}
T & \geq & \max_{1 \leq i \leq K} \frac{\log\binom{N-K}{i}+(\log\binom{K}{i}K\revisedn{+ K})\log^2(K/i)}{(1-1/2-\delta)i/K},
\end{eqnarray*}
the inequality is satisfied.
Noting that this is for $K = o(N)$, achieves the bound on $T$ provided in \Cref{direct lemma3} and the reliability is established.
\end{proof}
}
\subsection{Information Leakage at the Eavesdropper}\label{LowerBoundLeakage}
We now prove the security constraint is met. Hence, we wish to show that $I(W;Z^{T})/T\rightarrow 0$, as $T\rightarrow \infty$.
Denote by $\mathcal{C}_T$ the random codebook and by $X_{\mathcal{S}}^T$ the set of codewords corresponding to the true defective items. We have,
\begin{eqnarray}
&& \hspace{-0.8cm}\textstyle\textstyle \frac{1}{T}I(W;Z^T|\mathcal{C}_{T}) = \frac{1}{T}\left(I(W,R_K;Z^T|\mathcal{C}_{T})-I(R_K;Z^T|W,\mathcal{C}_{T})\right)\nonumber\\
&\hspace{-0.6cm}  \stackrel{(a)}{=} &\hspace{-0.5cm}\textstyle \frac{1}{T}\left(I(X_{\mathcal{S}}^T;Z^T|\mathcal{C}_{T})-I(R_K;Z^T|W,\mathcal{C}_{T})\right)\nonumber\\
&\hspace{-0.6cm} = &\hspace{-0.5cm}\textstyle \frac{1}{T}(I(X_{\mathcal{S}}^T;Z^T|\mathcal{C}_{T})-H(R_K|W,\mathcal{C}_{T})+H(R_K|Z^T,W,\mathcal{C}_{T}))\nonumber\\
&\hspace{-0.6cm} \stackrel{(b)}{=} & \hspace{-0.5cm}\textstyle \frac{1}{T}\left(I(X_{\mathcal{S}}^T;Z^T|\mathcal{C}_{T})-H(R_K)+H(R_K|Z^T,W,\mathcal{C}_{T})\right)\nonumber\\
&\hspace{-0.6cm} \stackrel{(c)}{=}&\hspace{-0.5cm} I(X_{\mathcal{S}};Z|\mathcal{C}_{T}) - \frac{1}{T}K\log M + \frac{1}{T}H(R_K|Z^T,W,\mathcal{C}_{T})\nonumber\\
&\hspace{-0.6cm} \stackrel{(d)}{\leq}&\hspace{-0.5cm} \delta - \frac{1}{T}K\left(T \frac{\delta-\epsilon^{\prime}}{K}\right) + \frac{1}{T}H(R_K|Z^T,W,\mathcal{C}_{T})\stackrel{(e)}{\leq} \epsilon_T + \revisedSr{\epsilon^{\prime}},\nonumber
\end{eqnarray}
where $\epsilon_T \to 0$ as $T \to \infty$\off{and \revised{$\epsilon_K \to 0$ as $K \to \infty$}}. (a) is since there is a $1:1$ correspondence between $(W,R_K)$ and $X_{\mathcal{S}}^T$; (b) is since $R_K$ is independent of $W$ and $\mathcal{C}_T$; (c) is since in this \emph{direct result} the codebook is defined by the construction and is memoryless, as well as the channel; (d) is since by choosing an i.i.d.\ distribution for the codebook one easily observes that $I(X_{\mathcal{S}};Z| \mathcal{C}_T) \leq \delta$. Finally, (e) is for the following reason: Given $W$ and the codebook, Eve has a perfect knowledge regarding the \emph{bins from which the codewords were selected}. It requires to see whether she can indeed estimate $R_K$. Note that the channel Eve sees in this case is the following \emph{multiple access channel}: each of the defective items can be considered as a ``user" with $M$ messages to transmit. Eve's goal is to decode the messages from all users. This is possible if the rates at which the users transmit are within the capacity region of this MAC. Indeed, this is a (binary) Boolean MAC channel, followed by a simple erasure channel. The sum capacity cannot be larger than $\delta$, and this sum capacity is easily achieved by letting one user transmit at a time, or, in our case, \revised{where the codebook is randomly i.i.d.\ distributed, under a fixed input distribution $p=1-2^{\frac{1}{K}}$. Since actually, we use input distribution for the testing matrix of $(\frac{\ln(2)}{K},1-\frac{\ln(2)}{K})$, and $\lim_{K \to \infty} 1-2^{\frac{1}{K}}/\frac{\ln(2)}{K}=1$, for large $K$, each user obtain the same capacity; namely, each user sees a capacity of $\delta/K$.\off{ Hence Eve may decode if $\frac{1}{T}\log M$ is smaller than that value.}}
\off{
\revised{since the codebook is randomly i.i.d.\ distributed, under a fixed input distribution for the testing matrix $(\frac{\ln(2)}{K},1-\frac{\ln(2)}{K})$ and for large $K$, each user obtain the same capacity, namely, each user sees a capacity of $\delta/K$.} Hence Eve may decode if $\frac{1}{T}\log M$ is smaller than that value.}
\begin{remark}
Under non-secure GT, it is clear that simply adding tests to a given GT code (increasing $T$) can only improve the performance of the code (in terms of reliability). A legitimate decoder can always disregard the added tests. For SGT, however, the situation is different. Simply adding tests to a given code, \emph{while fixing the bin sizes}, might make the vector of results vulnerable to eavesdropping. In order to increase reliability, one should, of course, increase $T$, but also increase the bin sizes proportionally, so the secrecy result above will still hold. This will be true for the efficient algorithm suggested in \Cref{efficient_algorithms} as well.
\end{remark}
\begin{remark}
\revised{To establish the weak secrecy \revisedSr{constraint} we set $M$ to be $2^{T\frac{\delta-\revisedSr{\epsilon^{\prime}}}{K}}$, where the readability is archived without any \revisedSr{constraint} on $\revisedSr{\epsilon^{\prime}}$. However, in Appendix~\ref{strong_secrecy} to establish the strong secrecy \revisedSr{constraint} we require $M$ to be $2^{T\frac{\delta+\revisedSr{\epsilon^{\prime}}}{K}}$.}
\end{remark}

\begin{remark}
\revisedSr{Note that since
\begin{eqnarray*}
  \frac{1}{T}H(R_K|Z^T,W,\mathcal{C}_{T}) \hspace{-0.2cm} &=\hspace{-0.2cm}& \frac{1}{T}H(R_K)-\frac{1}{T}I(R_K;Z^T,W,\mathcal{C}_{T}) \\
   \hspace{-0.2cm}&=\hspace{-0.2cm}& \frac{1}{T}\log M - \frac{1}{T}I(R_K;Z^T,W,\mathcal{C}_{T}),
\end{eqnarray*}
any finite-length approximation for $I(R_K;Z^T,W,\mathcal{C}_{T})$ will give a finite length approximation for the leakage at the eavesdropper.
For example, one can use the results in \cite{polyanskiy2010channel}, to show that the leakage can be approximated as $\frac{1}{\sqrt{T}}+\epsilon^{\prime}$}.
\end{remark}

\section{Main Results}\label{main results}
Under the model definition given in \Cref{formulation}, our main results are the following sufficiency (direct) and necessity (converse) conditions, characterizing the maximal number of tests required to guarantee both reliability and security. The proofs are deferred to \Cref{LowerBound} and \Cref{converse}.
\subsection{Direct (Sufficiency)}
The sufficiency part is given by the following theorem.
\begin{theorem}\label{direct theorem1}
Assume a SGT model with $N$ items, out of which $K=O(1)$ are defective. For any $0 \leq \delta < 1$, if
\begin{equation}\label{main_result_eq}
 T  \geq  \max_{i=1,\ldots ,K} \frac{1+\varepsilon}{1-\delta} \frac{K}{i}\log\binom{N-K}{i},
\end{equation}
for some $\varepsilon \revisedSr{>} 0$ independent of $N$ and $K$, then there exists a sequence of SGT algorithms which are reliable and secure. That is, as $N\rightarrow \infty$, both the average error probability approaches zero \revisedSr{exponentially} and an eavesdropper with leakage probability $\delta$ is kept ignorant.
\end{theorem}
The construction of the SGT algorithm, together with the proofs of reliability and secrecy are deferred to Section \ref{LowerBound}.
\revisedSr{In fact, in \Cref{LowerBound} we actually prove that the maximal error probability decays to $0$.} However, a few important remarks are in order now.

First, rearranging terms in \cref{main_result_eq}, we have
\begin{equation*}\label{main_result}
 T  \geq   \frac{1}{1-\delta} \max_{i=1,\ldots ,K}\frac{(1+\varepsilon)K}{i}\log\binom{N-K}{i}.
\end{equation*}
That is, compared to only a reliability constraint, the number of tests required for \emph{both reliability and secrecy} is increased by the multiplicative factor $\frac{1}{1-\delta}$, where, again, $\delta$ is the leakage probability at the eavesdropper.

\revisedSr{The result given in \Cref{direct theorem1} uses an ML decoding at the legitimate receiver. The complexity burden in ML, however, prohibits the use of this result for large N. In \Cref{direct theorem5}, we suggest an efficient decoding algorithm, which maintains the reliability and the secrecy results using a much simpler decoding rule, at the price of only slightly more tests.}

\revisedSr{Using an upper bound on $\log\binom{N-K}{i}$, the maximization in \Cref{direct theorem1} can be solved easily, leading to simple bound on $T$ with tight scaling and only a moderate constant.
\begin{corollary}\label{corollary}
For SGT with parameters $K << N$ and $T$, reliability and secrecy can be maintained if
\begin{equation*}
 T \geq  \frac{1+\varepsilon}{1-\delta} K \log (N-K)e.
\end{equation*}
\end{corollary}
\begin{proof}
Substituting $\log\binom{N-K}{i} \leq i\log \frac{(N-K)e}{i}$, the maximum over $i$ is easily solved. 
\end{proof}
Note that together with the converse below, this suggests $T= \Theta \left(\frac{K\log N}{1-\delta}\right)$, and, a $\Theta \left(K\log N\right)$ result for $\delta$ bounded away from $1$.
\off{Finally, we note that while the results in \Cref{direct theorem1} are only for the constant $K$ regime, in principle, using the techniques in \cite{aldridge2017capacity}, can be extended to a larger regime, but for ease of presentation, we focus on the constant regime in this paper.}}
\subsection{Converse (Necessity)}
The necessity part is given by the following theorem.
\begin{theorem}\label{converse theorem}
Let $T$ be the minimum number of tests necessary to identify a defective set of cardinality $K$ among population of size $N$ while keeping an eavesdropper, with a leakage probability $\delta < 1$, ignorant regarding the status of the items. Then, \off{for large enough $N$ one must have}\revisedSr{if $\frac{1}{T} I(W;Z^T)<\epsilon$, one must have:}
\begin{eqnarray*}
T \ge \frac{1-\epsilon_T}{1-\delta}\log\binom{N}{K},
\end{eqnarray*}
\revisedSr{where $\epsilon_T = \epsilon +\tilde{\epsilon}_T$, with $\tilde{\epsilon}_T\rightarrow 0$ as $T\rightarrow \infty$.}
\end{theorem}
\revisedn{The lower bound is derived using Fano's inequality to address reliability, assuming a negligible mutual information at the eavesdropper, thus keeping an eavesdropper with leakage probability $\delta$ ignorant, and information inequalities bounding the rate of the message on the one hand, and the data Eve \emph{does not see} on the other. Compared with the lower bound without security constraints, it is increased by the multiplicative factor $\frac{1}{1-\delta}$.}
\subsection{Secrecy capacity in SGT}
Returning to the analogy in \cite{baldassini2013capacity} between channel capacity and group testing, one might define by $C_s$ the (asymptotic) minimal threshold value for $\log\binom{N}{K}/T$, above which no reliable and secure scheme is possible. Under this definition, the result in this paper show that $C_s = (1-\delta)C $, where $C$ is the capacity without the security constraint. Clearly, this can be written as
\begin{equation*}
C_s = C - \delta C,
\end{equation*}
raising the usual interpretation as the \emph{difference} between the capacity to the legitimate decoder and that to the eavesdropper \cite{C13}. Note that as the effective number of tests Eve sees is $T_e = \delta T$, her GT capacity is $\delta C$.
\subsection{Efficient Algorithms}
Under the SGT model definition given in \Cref{formulation}, we further consider a computationally efficient algorithm at the legitimate decoder. Specifically, we analyze the \emph{Definite Non-Defective} (DND) algorithm (originally called \emph{Combinatorial Orthogonal Matching Pursuit} (COMP)), considered for the non-secure GT model in the literature \cite{chan2014non,aldridge2014group}. The theorem below states that indeed efficient decoding (with arbitrarily small error probability) and secrecy are possible, at the price of a higher $T$. Interestingly, the theorem applies to any $K$, and not necessarily only to $K = O(1)$. This is, on top of the reduced complexity, an important benefit of the suggested algorithm.
\begin{theorem}\label{direct theorem5}
Assume a SGT model with $N$ items, out of which $K$ are defective. Then, for any $\delta < \frac{1}{2}\left(1-\frac{\ln 2}{K}\right)$, there exists an efficient decoding algorithm, requiring $O(N^2T)$ operations, such that if the number of tests satisfies
\[
T \ge \frac{1+\epsilon}{\frac{1}{2}(1-\frac{\ln 2}{K})-\delta} K \log N
\]
its error probability is upper bounded by
\[
P_e \leq N^{-\epsilon}.
\]
\end{theorem}
The construction of the DND GT algorithm, together with the proofs of reliability and secrecy are deferred to \Cref{efficient_algorithms}.
\off{\revisedSr{The efficiency of the result given in \Cref{direct theorem5} gain/larger range of $K$ comes at a cost of an increased number of tests/smaller parameter range of $\delta$ where the results are valid.}}
Clearly, the benefits of the algorithm above come at the price of additional tests and a smaller range of $\delta$ it can handle.
\off{
We will note that in the same way that we analyze the DND algorithm in \Cref{efficient_algorithms}, where the decoder consider each of the $MN$ codewords separably, as in the non-secure case for the $N$ codewords, without to take into account the binning structure of the code, we suppose that it is possible to analyze the \emph{Definite Defective} (DD) algorithm proposed in \cite{aldridge2014group} for the case where there is eavesdropper which we want to kept ignorant.

\subsubsection{Secure Definite defective algorithm}
The construction of the Secure-DD GT algorithm, together with the proofs of reliability and secrecy are deferred to Section \ref{DD}.
}

\section{Background and Related Work}\label{BooleanCompressed}
\subsection{Group-testing}
\revised{Group-testing comes in various flavours, and the literature on these is vast. At the risk of leaving out much, we reference here just some of the models that have been considered in the literature, and specify our focus in this work.}
\subsubsection{Performance Bounds}
GT can be \emph{non-adaptive}, where the testing matrix is designed beforehand, \revisedSr{{\it adaptive}}, where each new test can be designed while taking into account previous test \emph{results}, or a combination of the two, where testing is adaptive, yet with batches of non-adaptive tests. It is also important to distinguish between \emph{exact recovery} and a \emph{vanishing probability of error}.
\off{\revisedSid{Adaptive versus non-adaptive, exact recovery versus approximate recovery, zero-error reconstruction versus vanishing error reconstruction, noiseless versus noisy test outcomes, binary versus non-binary test outcomes.}
\revisedSid{2. Adaptive versus non-adaptive group-testing: The items to be tested in a pool may be chosen as a function of previous test outcomes (this model corresponds to {\it adaptive group-testing}), or chosen independently of prior test outcomes (this model corresponds to {\it adaptive group-testing}). Various computationally efficient algorithms for adaptive group-testing algorithms (see for example \cite{aldridge2014group, damaschke2010competitive})}}

To date, the best known lower bound on the number of tests required (non-adaptive, exact recovery) is $\Omega(\frac{K^2}{\log K}\log N)$ \cite{furedi1996onr}. The best known explicit constructions were given in \cite{porat2011explicit}, resulting in $O(K^2 \log N)$. However, focusing on exact recovery requires more tests, and forces a combinatorial nature on the problem. Settling for high probability reconstructions allows one to reduce the number of tests to the order of $K\log N$.\footnote{A simple information theoretic argument explains a lower bound. There are $K$ defectives out of $N$ items, hence $N \choose K$ possibilities to cover: $\log {N \choose K}$ bits of information. Since each test carries at most one bit, this is the amount of tests required. Stirling's approximation easily shows that for $K \ll N$, the leading factor of that is \revisedSr{$K\log(N/K)$}.} For example, see the channel-coding analogy given in \cite{atia2012boolean}. A similar analogy to wiretap channels will be at the basis of this work as well. In fact, probabilistic methods with an error probability guarantee appeared in \cite{sebHo1985two}, without explicitly mentioning GT, yet showed the $O(K \log N)$ bound. Additional probabilistic methods can be found in \cite{scarlett2015limits} for \emph{support recovery}, or in \cite{scarlett2016phase}, when an interesting \emph{phase transition} phenomenon was observed, yielding tight results on the threshold (in terms of the number of tests) between the error probability approaching one or vanishing. \off{Finally, note that the significant difference between exact reconstruction and negligible error probability is also apparent in adaptive GT, e.g., \cite{aldridge2012adaptive}.}
\subsubsection{A Channel Coding Interpretation}
As mentioned, the analogy to channel coding \revisedSr{has} proved useful \cite{atia2012boolean}. \cite{baldassini2013capacity} defined the notion of \emph{group testing capacity}, that is, the value of $\lim_{N \to \infty} \frac{\log{{N}\choose{K}}}{T}$ under which reliable algorithms exist, yet, over which, no reliable reconstruction is possible. A converse result for the Bernoulli, non-adaptive case was given in \cite{aldridge2017capacity}. Strong converse results were given in \cite{tan2014strong,johnson2015strong}, again, building on the channel coding analogy, as well as converses for noisy GT \cite{scarlett2016converse}. In \cite{aldridge2012adaptive}, adaptive GT was analyzed as a channel coding \emph{with feedback} problem.
\subsubsection{Efficient Algorithms}
A wide variety of techniques were used to design efficient GT decoders. Results and surveys for early non-adaptive decoding algorithms were given in \cite{chen2008survey,de2005optimal,indyk2010efficiently}. Moreover, although most of the works described above mainly targeted fundamental limits, some give efficient algorithms as well. In the context of this work, it is important to mention the recent COMP \cite{chan2014non}, DD and SCOMP \cite{aldridge2014group} algorithms, concepts from which we will use herein.
\off{
\subsubsection*{Noisy Group Testing\off{ and Graph Models}}
Since GT has numerous applications, several different models were suggested, with diverse tools being applied to tackle them. Perhaps the most studied extension is that of \emph{noisy} GT. Noisy models can include cases of \emph{false positives}, where with some probability a negative pool is still marked as positive, or \emph{false negatives} if defective items get \emph{diluted}. \cite{atia2012boolean} includes several results in this context. Additional converse results for noisy GT are also in \cite{scarlett2016converse}.
Noise level can also depend on the number of items tested in each pool \cite{Goparaju2016polar}. Analysis of noisy GT from a Signal to Noise ratio perspective is given in \cite{malloy2014near}.}
\off{
In \emph{threshold group testing} \cite{chen2009nonadaptive,cheraghchi2010improved,chan2013near}, the test results are sensitive to the number of defective items within a test, hence, are not necessarily a Boolean sum. A recent work also allowed the presence of \emph{inhibitors}, which can mask test results \cite{de2005optimal,ganesan2015non}.
The capacity of Semi-quantitative group testing was discussed in \cite{6283599}, where the tests' output is not necessarily binary (positive or negative). In a similar context, \cite{sparseGT} considered the case where the testing matrix has to be sparse (either because an item cannot be tested too many times, or because a test cannot include too many items). \cite{damaschke2010competitive} considered the case where the number of defectives, $K$, is unknown in advance. \cite{colbourn1999group} considered the case where the items are ordered, and the defective set is a consecutive subset of the items.

Finally, since at the heart of GT stands a binary testing matrix, dictating in which test each item participates, GT also has a clean bipartite graph representation, when the Left set of vertices may stand for the items, and the Right for the tests. Indeed, such a representation gives a very elegant combinatorial result regarding the number of errors a certain testing matrix can withstand \cite{5707017}. Results on \emph{cover-free families} yield lower bounds for GT as well \cite{stinson2000some}. These definitions also lead to a natural definition for \emph{list GT} \cite{cheraghchi2009noise}, where the goal is to output a list containing all defective items, and perhaps additional ones up to the size of the list. Bipartite graphs for GT and noisy GT where also used in \cite{cai2013grotesque,lee2015saffron}. \cite{wadayama2013analysis} considered a more structured graph model, i.e., when the bipartite graph is regular, with items having degree $l$ and tests having degree $r$.}
\revised{\subsection{Secure communication}
\revised{It is very important to note that {\it making GT secure is different from making communication secure, as \revisedSr{remarked} in \Cref{intro}}. Now, we briefly survey the literature in secure communication, since many of the ideas/models/primitives in secure communication will have analogues in secure group-testing.}
\subsubsection{Information-theoretic secrecy}
In a secure communication setting, transmitter Alice wishes to send a message $m$ to receiver Bob. To do so, she is allowed to encode $m$ into a (potentially random) function $x = f(m)$, and transmit $x$ over a medium. It is desired that the eavesdropper Eve should glean no information about $m$ from its (potentially noisy) observation $z$. This information leakage is typically measured via the mutual information between $m$ and $z$.\off{(we defer a more detailed discussion on secrecy metrics to Section II).} The receiver Bob should be able to reconstruct $m$ based on its (also potentially noisy) observation of $x$ (and, potentially, a shared secret that both Bob and Alice know, but Eve is ignorant of).}

\revised{There are a variety of schemes in the literature for information-theoretically secure communications.}\footnote{\revised{Security in general has many connotations — for instance, in the information-theory literature it can also mean a scheme that is resilient to an {\it active adversary}, for instance a communication scheme that is resilient to jamming against a malicious jammer. In this work we focus our attention on {\it passive eavesdropping adversaries}, and aim to ensure secrecy of communications vis-a-vis such adversaries. We shall thus henceforth use the terms security and secrecy interchangeably.}}
\revised{Such schemes typically make one of several assumptions (or combinations of these):}

\begin{itemize}
\item \revised{{\it Shared secrets/Common randomness/Symmetric-key encryption:} The first scheme guaranteed to provide information-theoretic secrecy was by \cite{C1}, who analyzed the secrecy of one-time pad schemes and showed that they ensure perfect secrecy (no leakage of transmitted message). He also provided lower bounds on the size of this shared key. The primary disadvantage of such schemes is that they require a shared key that is essentially as large as the amount of information to be conveyed, and it be continually refreshed for each new communication. These requirements typically make such schemes untenable in practice.}
\item \revised{{\it Wiretap secrecy/Physical-layer secrecy:} Wyner \emph{et al.} \cite{C2,ozarow1984wire} first considered certain communication models in which the communication channel from Alice to Eve is a degraded (noisier) version of the channel from Alice to Bob, and derived the information-theoretic capacity for communication in such settings. These results have been generalized in a variety of directions. See \cite{csiszar2004secrecy,csiszar2008secrecy,C13} for (relatively) recent results. The primary disadvantage of such schemes is that they require that it be possible to instantiate communication channels from Alice to Bob that are better than the communication channel from Alice to Eve. Further, they require that the channel parameters of both channels be relatively well known to Alice and Bob, since the choice of communication rate depends on these parameters. These assumptions make such schemes also untenable in practice, since on one hand Eve may deliberately situate herself to have a relatively clear view of Alice's transmission than Bob, and on the other hand there are often no clear physically-motivated reasons for Alice and Bob to know the channel parameters of the channel to Eve.}
\item \revised{{\it Public discussion/Public feedback:} A very nice result by Maurer (~\cite{maurer1993secret} and subsequent work - see \cite{C13} for details) significantly alleviated at least one of the charges level against physical-layer security systems, that they required the channel to Bob to be \revisedSr{``}better" than the channel to Eve. Maurer demonstrated that feedback (even public feedback that is noiselessly observable by Eve) and multi-round communication schemes can allow for information-theoretically secure communication from Alice to Bob even if the channel from Alice to Bob is worse than the channel from Alice to Eve. Nonetheless, such public discussion schemes {\it still} require some level of knowledge of the channel parameters of the channel to Eve.}
\end{itemize}
\revised{\subsubsection{Cryptographic security}
Due to the shortcomings highlighted above, modern communication systems usually back off from demanding information-theoretic security, and instead attempt to instantiate {\it computational security}. In these settings, instead of demanding small information leakage to arbitrary eavesdroppers, one instead assumes bounds on the computational power of the eavesdropper (for instance, that it cannot computationally efficiently invert \revisedSr{``}one-way functions"). Under such assumptions one is then often able to provide conditional security, for instance with a public-key infrastructure ~\cite{kocher1996timing,stinson2005cryptography}.}
\revised{Such schemes have their own challenges to instantiate. For one, the computational assumptions they rely on are sometimes unfounded and hence sometimes turn out to be prone to attack \cite{tagkey2004391,C13,dent2006fundamental}. For another, the computational burden of implementing cryptographic primitives with strong guarantees can be somewhat high for Alice and Bob~\cite{bernstein2008attacking}.}
\revised{\subsection{Secure Group-Testing}
On the face of it, the connection between secure communication and secure group-testing is perhaps not obvious. We highlight below scenarios that make these connections explicit.
Paralleling the classification of secure communication schemes above, one can also conceive of a corresponding classification of secure GT schemes.}
\subsubsection{\revised{Information-theoretic schemes}}
\begin{itemize}
\item \revised{{\it Shared secrets/Common randomness/Symmetric-key encryption:} A possible scheme to achieve secure group testing, is to utilize a shared key between Alice and Bob. For example, consider a scenario in which Alice the nurse has a large number of blood samples that need to be tested for the presence of a disease. She sends them to a lab named Eve to be tested. To minimize the number of tests done via the lab, she pools blood samples appropriately. However, while the lab itself will perform the tests honestly, it can't be trusted to keep medical records secure, and so Alice keeps secret the identity of the people tested in each pool.
\footnote{Even in this setting, it can be seen that the {\it number} of diseased individuals can still be inferred by Eve. However, this is assumed to be a publicly known/estimable parameter.}}

\revised{Given the test outcomes, doctor Bob now desires to identify the set of diseased people. To be able to reconstruct this mapping, a relatively large amount of information (the mapping between individuals' identities and pools tested) needs to be securely communicated from Alice to Bob. As in the one-time pad secure communication setting, this need for a large amount of common randomness makes such schemes unattractive in practice. Nonetheless, the question is theoretically interesting, \revisedSr{and} some interesting results have been recently reported in this direction by \cite{atallah2008private,goodrich2005indexing,freedman2004efficient,rachlin2008secrecy}.}

\item \revised{{\it Wiretap secrecy/Physical-layer secrecy:} This is the setting of this paper. Alice does not desire to communicate a large shared key to Bob, and still wishes to maintain secrecy of the identities of the diseased people from \revisedSr{``}honest but curious" Eve. Alice therefore does the following two things: (i) For some $\delta \in (0,1)$, she chooses a $1/\delta$ number of independent labs, and divides the T pools to be tested into $1/\delta$ {\it pool sets} of $T\delta$ pools each, and sends each set to a distinct lab. (ii) For each blood pool, she {\it publicly} reveals to {\it all} parties (Bob, Eve, and anyone else who's interested) a set ${\cal S}(t)$ of {\it possible} combinations of individuals whose blood could constitute that specific pool $t$. As to which specific combination from ${\cal S}(t)$ of individuals the pool actually comprises of, only Alice knows {\it a priori} - Alice generates this private randomness by herself, and does not leak it to anyone (perhaps by destroying all trace of it from her records).}
    \revised{The twin-fold goal is now for Alice to choose pool-sets and set of ${\cal S}(t)$ for each $t \in [T]$ to ensure that as long as no more than one lab leaks information, there is sufficient randomness in the set of ${\cal S}(t)$ so that essentially no information about the diseased individuals identities leaks, but Bob (who has access to the test reports from all the $1/\delta$ labs) can still accurately estimate (using the publicly available information on ${\cal S}(t)$ for each test $t$) the disease status of each individual.
    \revisedSr{This scenario closely parallels the scenario in Wyner's Wiretap channel\off{ \revisedSr{II}}.
    Specifically, this corresponds to Alice communicating a sequence of $T$ test outcomes to Bob, whereas Eve can see only a $\delta$ fraction of test outcomes. To ensure secrecy, Alice injects private randomness (corresponding to which set from ${\cal S}(t)$ corresponds to the combination of individuals that was tested in test $t$) into each test - this is the analogue of the \off{coset-}coding schemes often used for Wyner's wiretap channels.}}
\revised{
\begin{remark}
It is a natural theoretical question to consider corresponding generalizations of this scenario with other types of broadcast channels from Alice to Bob/Eve (not just degraded erasure channels), especially since such problems are well-understood in a wiretap security context. However, the physical motivation of such generalizations is not as clear as in the scenario outlined above. So, even though in principle the schemes we present in \Cref{formulation} can be generalized to other broadcast channels, to keep the presentation in this paper clean we do not pursue these generalizations here.
\end{remark}
\begin{remark}
Note that there are other mechanisms via which Alice could use her private randomness. For instance, she could {\it deliberately} contaminate some fraction of the tests she sends to each lab with blood from diseased individuals. Doing so might reduce the amount of private randomness required to instantiate secrecy. While this is an intriguing direction for future work, we do not pursue such ideas here.
\end{remark}
}
\item \revised{{\it Public discussion/Public feedback:} The analogue of a public discussion communication scheme in the secure group-testing context is perhaps a setting in which Alice sends blood pools to labs in {\it multiple rounds}, also known as {\it adaptive group testing} in the GT literature. Bob, on observing the set of test outcomes in round $i$, then publicly broadcasts (to Alice, Eve, and any other interested parties) some (possibly randomized) function of his observations thus far. This has several potential advantages. Firstly, adaptive group-testing schemes (e.g.\cite{aldridge2014group}) significantly outperform the best-known non-adaptive group-testing schemes (in terms of smaller number of tests required to identify diseased individuals) in regimes where $K=\omega(N^{1/3})$}. \revised{One can hope for similar gains here. Secondly, as in secure communication with public discussion, one can hope that multi-round GT schemes would enable information-theoretic secrecy even in situations where Eve may potentially have access to {\it more} test outcomes than Bob. Finally, such schemes may offer storage/computational complexity advantages over non-adaptive GT schemes. Hence this is an ongoing area of research, but outside the scope of this paper.}
\end{itemize}
\revised{\subsubsection{Cryptographic secrecy}
As in the context of secure communication, the use of cryptographic primitives to keep information about the items being tested secure has also been explored in sparse recovery problems - see, for instance \cite{atallah2008private,goodrich2005indexing,freedman2004efficient,rachlin2008secrecy}. Schemes based on cryptographic primitives have similar weaknesses in the secure GT context as they do in the communication context, and we do not explore them here.}


\section{Information Leakage at the Eavesdropper\\ (Strong Secrecy)}\label{strong_secrecy}
We wish to show that $I(W;Z^{T})\rightarrow 0$.
Denote by $\mathcal{C}_T$ the random codebook and by $\textbf{X}_{\mathcal{S}_w}^T$ the set of codewords corresponding to the true defective items.

We assumed $W \in \{1,\ldots, {N \choose K}\}$ is uniformly distributed, that is, there is no \emph{a-priori} bias to any specific subset.
Further, the codebook includes independent and identically distributed codewords. The eavesdropper, observing $Z^T$, wish to decode the true $K$ independent and identically distributed codewords, which correspond to the defective items, one of ${N \choose K}$ subsets.

To analyze the information leakage at the eavesdropper, we note that the channel Eve sees in this case is the following \emph{multiple access channel}. Each of the items can be considered as a \revisedSr{``}user" with $M$ specific codewords.
Eve's goal is to identify the active users.
Note the Eve's channel can be viewed as (binary) Boolean MAC, followed by a BEC$(1-\delta)$.
 \off{by decode all the transmitted codewords.
This is possible if the rates at which the users transmit are within the capacity region of this MAC. Indeed, this is a (binary) Boolean MAC channel, followed by a simple erasure channel.}
The sum capacity to Eve cannot be larger than $\delta$.
\revised{In fact, since the codebook is randomly i.i.d.\ distributed, under a fixed input distribution for the testing matrix $(\frac{\ln(2)}{K},1-\frac{\ln(2)}{K})$, Eve can obtain from each active user a rate of at most $\delta/K$}.
Consequently, Eve may obtain a sub-matrix $\tilde{\textbf{Z}}$ of possibly transmitted codewords, where from each codeword Eve sees at most a capacity of $\delta/K$.

However, in this analysis, we help Eve even further to get the true sub-matrix $\tilde{\textbf{Z}}$, with the maximum rate $\delta/K$.
That is, we assume Eve gets the full rate, identifies the codewords of the users except for the erasures. We give Eve the power not to be confused from the existence of other, $N-K$ users which did not transmit eventually.
\off{that she can obtain in the Boolean MAC channel followed by erasure channel with erasure probability of $1-\delta$.}
Providing this information to Eve only makes her stronger and thus a coding scheme that succeeds to keep Eve ignorant, will also succeed against the original Eve.

Now, once Eve obtains the true sub-matrix $\tilde{\textbf{Z}}$, since the codebook and the subsets of the items was generated independently and identically, we will analyze the information that leaks at the eavesdropper from each possibly transmitted codeword in $\tilde{\textbf{Z}}$ separately.
Namely, per original codeword $X_j^T$, on average, $\frac{\delta}{K}T $ from the $T$ outcomes are not erased and are accessible to the eavesdropper via $\tilde{Z}_{\tilde{j}}^{T}$.
Thus, out of the $M$ independent and identically distributed codewords, there is an exponential number of codewords, that from eavesdropper perspective, may have participated in $\textbf{X}_{\mathcal{S}_w}^T$ and could have resulted in the same $\tilde{Z}_{\tilde{j}}^{T}$.
These consistent codewords are exactly those that lie in a ball around $\tilde{Z}_{\tilde{j}}^{T}$ of radius $d \approx (1-\frac{\delta}{K}) T$ as depicted in \Cref{figure:StrongSecrecy}.
\ifdouble
\begin{figure}
  \centering
  \includegraphics[trim=0cm 0cm 0cm 0cm,clip,scale=1]{StrongSecrecy3.png}
  \caption{Codewords exactly lie in a ball around $\tilde{Z}_{\tilde{j}}^{T}$ of radius $d \approx (1-\frac{\delta}{K})T$), where $j$ is the codeword index and $1\leq i \leq N$ is the bin index.}
  \label{figure:StrongSecrecy}
\end{figure}
\else
\begin{figure}
  \centering
  \includegraphics[trim=0cm 0cm 0cm 0cm,clip,scale=1.5]{StrongSecrecy3.png}
  \caption{Codewords exactly lie in a ball around $\tilde{Z}_{\tilde{j}}^{T}$ of radius $d \approx (1-\frac{\delta}{K})T$), where $j$ is the codeword index and $1\leq i \leq N$ is the bin index.}
  \label{figure:StrongSecrecy}
\end{figure}
\fi

The eavesdropper does not know what is the codeword $X^T_j$ in $\textbf{X}_{\mathcal{S}_w}^T$, which was selected by the mixer and she even does not know what $d_H = \|X^T_j - \tilde{Z}_{\tilde{j}}^{T}\|$ is exactly (where $\|\cdot\|$ is the hamming distance), other than the fact that $d_H \approx (1-\frac{\delta}{K})T$.
However, we help Eve by providing $d$ and by choosing a small yet exponential set of codewords (of size $2^{T\frac{\epsilon}{K}}$, for an appropriately small $\epsilon$) from the codebook $\mathcal{C}$, chosen from the set of all codewords at distance $d$ from $\tilde{Z}_{\tilde{j}}^{T}$, with the additional guarantee that it also contains the true $X^T_j$.
We refer to this set as the oracle-given set $\textbf{X}_{\mathcal{O}racel}^T$.
Again, providing this information to Eve only makes her stronger and thus a coding scheme that succeeds to keep Eve ignorant, will also succeed against the original Eve.

Conditioned on Eve’s view $\tilde{Z}_{\tilde{j}}^{T}$ and $\textbf{X}_{\mathcal{O}racel}^T$, each of the codewords in $\textbf{X}_{\mathcal{O}racel}^T$ is equally likely to have been participated in the pool tests.
Nonetheless, Eve still has a reasonable amount of uncertainty about which of the $2^{T\frac{\epsilon}{K}}$ codewords was actually participated indeed, this is the uncertainty that we leverage in our analysis.
We define, for any $\tilde{Z}_{\tilde{j}}^{T}$ and $d$,  a ball and a shell as
\begin{equation*}
  \mathcal{V}ol(\tilde{Z}_{\tilde{j}}^{T},d)=\{X^T_j:d_H(X^T_j,\tilde{Z}_{\tilde{j}}^{T})\leq d\},
\end{equation*}
\begin{equation*}
  \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)=\{X^T_j:d_H(X^T_j,\tilde{Z}_{\tilde{j}}^{T})= d\}.
\end{equation*}
Hence, we define the probability for a codeword to fall in shell as
\ifdouble
\begin{multline*}
Pr(X^T_j \in\mathcal{C} \cap X^T_j\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d))\\
 =  \frac{\mathcal{V}ol(\mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d))}{2^T} = \frac{2^{\left(1-\frac{\delta}{K}\right)T}}{2^{T}}.
\end{multline*}
\else
\begin{equation*}
Pr(X^T_j \in\mathcal{C} \cap X^T_j\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d))
 =  \frac{\mathcal{V}ol(\mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d))}{2^T} = \frac{2^{\left(1-\frac{\delta}{K}\right)T}}{2^{T}}.
\end{equation*}
\fi
For each item we have $M =2^{\left(\frac{\delta+\revised{\revisedSr{\epsilon^{\prime}}}}{K}\right)T}$ codewords. Thus, \emph{on average}, the  number of codewords Eve sees on a shell, per defective item is
\ifdouble
\begin{multline*}
|\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}|\\
 = \frac{2^{\left(\frac{\delta+\revised{\revisedSr{\epsilon^{\prime}}}}{K}\right) T}\cdot 2^{\left(1-\frac{\delta}{K}\right)T}}{2^T} = 2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}.
\end{multline*}
\else
\begin{equation*}
|\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}|
 = \frac{2^{\left(\frac{\delta+\revised{\revisedSr{\epsilon^{\prime}}}}{K}\right) T}*2^{\left(1-\frac{\delta}{K}\right)T}}{2^T} = 2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}.
\end{equation*}
\fi
Hence, we can conclude that, on average, for every item, Eve has quite a few options in a particular shell.

Now that we established that the average number of codewords per item $|\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}|$ is $2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}$, we wish to calculate the probability that the \emph{actual number of options} deviates from the average by more than $\varepsilon$.\off{ is
\begin{equation*}
  (1-\varepsilon)2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}\leq |\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}| \leq (1+\varepsilon)2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}},
\end{equation*}
which is the probability that the number of the codewords per item is not in the range.}
We define
\ifdouble
\begin{multline*}
 \mathcal{E}_{C_1}(\tilde{Z}_{\tilde{j}}^{T},d):= Pr\{ (1-\varepsilon)2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}\leq \\
 |\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}| \leq (1+\varepsilon)2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}\}
\end{multline*}
\else
\begin{equation*}
 \mathcal{E}_{C_1}(\tilde{Z}_{\tilde{j}}^{T},d):= Pr\{ (1-\varepsilon)2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}\leq
 |\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}| \leq (1+\varepsilon)2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}\}.
\end{equation*}
\fi
Let us fix a pair $\tilde{Z}_{\tilde{j}}^{T}$ and $d$ for large enough $T$. By the Chernoff bound, and taking union bound over $\tilde{Z}_{\tilde{j}}^{T}$ and $d$, we have
\begin{equation*}
  Pr(\mathcal{E}_{C_1}(\tilde{Z}_{\tilde{j}}^{T},d)) \geq 1- 2^{-\varepsilon^{\prime}2^{T\frac{\revised{\revisedSr{\epsilon^{\prime}}}}{K}}}.
\end{equation*}
Due to the super exponential decay in $T$, even when we take a union bound over all the codewords and all shells, we get that the probability that a codeword will have $|\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}|$ options significantly different than $2^{T\frac{\revised{\epsilon^{\prime}}}{K}}$ is very small.
Actually, with high probability, Eve has almost the same number of options per item. Hence, for Eve\off{, per item $|\{w:X^T_j(w)\in \mathcal{S}h(\tilde{Z}_{\tilde{j}}^{T},d)\}|$,} all the codewords are almost equiprobable.\off{ To conclude, for all the defective items, by the chain rule for entropies, since all the codewords in the codebook are independent:
$H(\textbf{X}_{\mathcal{S}_w}^{T}) = \sum_{j \in\mathcal{K}} H(X^T_j(w))$
and $I(W;Z^{T})\rightarrow 0$.}
In other words, Eve distribution on the items converges super-exponentially fast to a uniform one, hence $H(W|Z^T)\rightarrow H(W)$ and we have $I(W;Z^{T})\rightarrow 0$. 
\section{Converse (Necessity)}\label{converse}
In this section, we derive the necessity bound on the required number of tests.
Let $\bar{Z}$ denote the random variable corresponding to the tests which are not available to the eavesdropper. Hence, $Y = (Z,\bar{Z})$.
By Fano's inequality, if $P_e\rightarrow 0$, we have
\begin{equation*}
H(W|Y) \leq  T\epsilon'_T,
\end{equation*}
where $\epsilon'_T \rightarrow 0$ as $T\rightarrow\infty$. Moreover, the secrecy constraint implies
\begin{equation}\label{eq:Necessity19}
I(W;Z)\leq T\epsilon''_T,
\end{equation}
where $\epsilon''_T\rightarrow 0$  as $T\rightarrow \infty$. Consequently,
\begin{eqnarray}\label{eq:R_s}
\log \binom{N}{K} &=& H(W)                                                               \nonumber\\
&=& I(W;Y) + H(W|Y)                                                                      \nonumber\\
&\stackrel{(a)}{\leq}& I(W;Z,\bar{Z}) + T\epsilon'_T                                      \nonumber\\
&=& I(W;Z) + I(W;\bar{Z}|Z) + T\epsilon'_T                                                \nonumber\\
&\stackrel{(b)}{\leq} & I(W;\bar{Z}|Z) + T\epsilon'_T + T\epsilon''_T                      \nonumber\\
	&\stackrel{(c)}{\leq} & I(\textbf{X}_{\mathcal{S}_w};\bar{Z}|Z) + T(\epsilon'_T + \epsilon''_T)              \nonumber\\
	&=& H(\bar{Z}|Z) - H(\bar{Z}|\textbf{X}_{\mathcal{S}_w},Z) + T(\epsilon'_T + \epsilon''_T)                  \nonumber\\
	&\stackrel{(d)}{\leq} & H(\bar{Z}) + T(\epsilon'_T + \epsilon''_T)     
	\nonumber
\end{eqnarray}
where (a) follows from Fano's inequality and since $Y = (Z,\bar{Z})$, (b) follows from \eqref{eq:Necessity19}, (c) follows from the Markov chain $W\rightarrow X_{\mathcal{S}_w}^{T} \rightarrow Y \rightarrow Z$ and (d) is since conditioning reduces entropy.

We now evaluate $H(\bar{Z})$. Denote by $\mathcal{\bar{E}}$ the set of tests which are not available to Eve and by $\bar{E}_\gamma$ the event $\{|\mathcal{\bar{E}}| \leq T(1-\delta)(1+\gamma)\}$ for some $\gamma >0$. We have
\begin{eqnarray*}
	H(\bar{Z}) &=& P(\bar{E}_\gamma)H(\bar{Z}| \bar{E}_\gamma) + P(\bar{E}^c_\gamma)H(\bar{Z}| \bar{E}^c_\gamma)
\\
	&\leq& T(1-\delta)(1+\gamma) + TP(\bar{E}^c_\gamma)
	\\
	& \leq& T(1-\delta)(1+\gamma) + T2^{-T(1-\delta)f(\gamma)},
\end{eqnarray*}
where the last inequality follows from the Chernoff bound for i.i.d.\ Bernoulli random variables with parameter $(1-\delta)$ and is true for some $f(\gamma)$ such that $f(\gamma)>0$ for any $\gamma > 0$.

Thus, we have
\[
	\log \binom{N}{K} \leq  T(1-\delta)(1+\gamma) + T2^{-T(1-\delta)f(\gamma)} +
T(\epsilon'_T + \epsilon''_T).
	\]
That is,
\[
	T \ge \frac{1-\epsilon_T}{1-\delta}\log \binom{N}{K},
	\] 
for some $\epsilon_T$ such that $\epsilon_T \to 0$ as $T \to \infty$. This completes the converse proof.
\off{(e) is assuming $L$ denotes the set of test which leak to Eve, (f) is since each test has a binary output and (g) is by taking a ...  where we denote $q_e=1-\delta$, as the erasure probability at the eavesdropper per outcome. Furthermore, we define the event
\begin{eqnarray*}
&&\hspace{-0.75cm} \mathcal{E}_{\bar{Z}(t)} := \Bigg\{\left(q_e-\epsilon^{\prime}_{T}\right)T \leq \sum_{t=0}^{T} H(\bar{Z}(t)) \leq \left(q_e+\epsilon^{\prime}_{T}\right)T \Bigg\},
\end{eqnarray*}
as the probability that the actual erasure probability per outcome deviates from the average by more than $\epsilon^{\prime}$.
Thus, by Chernoff bound and taking the union bound over $\sum_{t=0}^{T} H(\bar{Z}(t))$ for large enough $T$, we have,
$P_r(\mathcal{E}_{\bar{Z}(t)})\geq 1-2^{-T\epsilon^{\prime}_{T}}$.
Due to the exponential decay in $T$, even where we take a union bound over all the outcomes the provability of deviates from the average is very small. 
Namely, is necessity
\begin{equation*}\label{eq:Necessity8a}
T \ge \frac{1}{(1-\delta)}\log\binom{N}{K},
\end{equation*}
where $\epsilon^{\prime}_{T}\rightarrow 0$, $\varsigma_T\rightarrow 0$  and $\epsilon_T \rightarrow 0$ as $T\rightarrow \infty$.
Noting that this achieves the secrecy and the necessity bound on the number of pool tests provided in \Cref{converse theorem}.} 
