Wiretap channel capacity: Secrecy criteria, strong converse, and phase change
Eric Graves, Tan F. Wong

TL;DR
This paper analyzes the capacity of the discrete memoryless wiretap channel under four secrecy criteria using equal-image-size source partitioning, revealing differences in capacity and phase change phenomena depending on the criteria and tolerances.
Contribution
It introduces a unified approach to derive capacities under various secrecy criteria and uncovers phase change phenomena and conditions for the strong converse property.
Findings
Capacities differ under various secrecy criteria with non-zero error and secrecy tolerances.
Strong converse property holds only under tail probability-based criteria.
Phase change phenomenon occurs as secrecy tolerances vary.
Abstract
This paper employs equal-image-size source partitioning techniques to derive the capacities of the general discrete memoryless wiretap channel (DM-WTC) under four different secrecy criteria. These criteria respectively specify requirements on the expected values and tail probabilities of the differences, in absolute value and in exponent, between the joint probability of the secret message and the eavesdropper's observation and the corresponding probability if they were independent. Some of these criteria reduce back to the standard leakage and variation distance constraints that have been previously considered in the literature. The capacities under these secrecy criteria are found to be different when non-vanishing error and secrecy tolerances are allowed. Based on these new results, we are able to conclude that the strong converse property generally holds for the DM-WTC only under…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Wiretap channel capacity: Secrecy criteria, strong converse,
and phase change
Eric Graves and Tan F. Wong Eric Graves is with Army Research Lab, Adelphi, MD 20783, U.S.A. [email protected] F. Wong is with Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611, U.S.A. [email protected]. F. Wong was supported by the National Science Foundation under Grant CCF-1320086. Eric Graves was supported by a National Research Council Research Associateship Award at Army Research Lab.
Abstract
This paper employs equal-image-size source partitioning techniques to derive the capacities of the general discrete memoryless wiretap channel (DM-WTC) under four different secrecy criteria. These criteria respectively specify requirements on the expected values and tail probabilities of the differences, in absolute value and in exponent, between the joint probability of the secret message and the eavesdropper’s observation and the corresponding probability if they were independent. Some of these criteria reduce back to the standard leakage and variation distance constraints that have been previously considered in the literature. The capacities under these secrecy criteria are found to be different when non-vanishing error and secrecy tolerances are allowed. Based on these new results, we are able to conclude that the strong converse property generally holds for the DM-WTC only under the two secrecy criteria based on constraining the tail probabilities. Under the secrecy criteria based on the expected values, an interesting phase change phenomenon is observed as the tolerance values vary.
I Introduction
The discrete memoryless wiretap channel (DM-WTC) consists of a sender , a legitimate receiver , and an eavesdropper . A message is to be sent reliably from to and discreetly against eavesdropping by . Over uses of the DM-WTC, let and be the encoding and decoding functions respectively employed at and , where is the message set and is uniformly distributed over . The transmission reliability requirement is specified by
[TABLE]
where denotes the error tolerance. The secrecy requirement assesses how much one may learn about from . This requirement is often quantified by measuring the level of “independence” between and based on either the variation distance
[TABLE]
or the divergence between and . Another way of quantifying the secrecy requirement is to view the problem as a binary hypothesis testing of the alternate hypothesis of and being independent against the null hypothesis of and being correlated. This is an interesting case in which we would like the false positive probability given by the likelihood ratio test
[TABLE]
111Hereafter, convergence of any quantity indexed by means convergence as . For example, means converges to [math] as .
where the decision threshold serves as a measure of secrecy with being the most secret situation. Note that the log-likelihood may also be used in the hypothesis testing problem above.
For every , define
[TABLE]
where equals if and [math] otherwise, and
[TABLE]
All the secrecy requirements discussed above can be compactly specified in terms of the tail probabilities and expected values of and :
[TABLE]
where , , and denotes the expectation w.r.t. . Note that and are the variation distance and divergence (leakage) constraints, respectively, while and correspond to the secrecy requirements specified by the hypothesis testing problem using the likelihood and log-likelihood ratios, respectively.
Clearly these secrecy requirements are related to each other. For example, we have . Also, implies . By Markov’s inequality, implies if . Thus for vanishing tolerances (i.e., ), , , and are essentially equivalent. In addition, by Pinsker’s inequality, implies if .
Special cases of these secrecy requirements have been considered in the literature. For example, requiring in (1), is the equivocation constraint originally considered in [1]. Six secrecy requirements – are more recently considered222Note that in [2] seems problematic as it can always be trivially satisfied. in [2]. Setting , is for some , is for some , is for some , is for some , and is for some .
The majority of known secrecy capacity results under the above secrecy requirements are for cases with vanishing error tolerance, , and secrecy tolerance, , , or . These results are nicely summarized in [2], which shows that the secrecy capacities under – (see footnote 2) of the DM-WTC are all given by , where U\operatorname{\begin{picture}(1.0,1.0)\put(0.0,0.22){\line(1,0){1.0}} \put(0.5,0.22){\circle{0.3}} \end{picture}}X\operatorname{\begin{picture}(1.0,1.0)\put(0.0,0.22){\line(1,0){1.0}} \put(0.5,0.22){\circle{0.3}} \end{picture}}Y,Z. Here we are mainly interested in cases where both the error tolerance and secrecy tolerance , or are non-vanishing, on which only a few partial results exist. The oldest such result dates back to Wyner’s original paper [1], in which the secrecy capacity under , where denotes the leakage rate, of the degraded DM-WTC () is calculated for the case of . The -secrecy capacity under of the degraded DM-WTC is obtained in [3] for the case of . This case has also been extended to the general DM-WTC in [4] and [5]. The -secrecy capacity under of the degraded DM-WTC is found in [6].
In this paper, we determine the secrecy capacities for the general DM-WTC under the above four security requirements, –, with non-vanishing tolerances. The converses of all of these capacity results are new, and are straightforwardly obtained using our recently developed equal-image-size source partitioning techniques [4, 7]. Further, the -secrecy capacity for each of these four requirements is unique. Under and the strong converse property holds, while it does not under and in general. In addition, under and , the capacity can be broken into distinct phases depending on the error tolerance. For instance, under the capacity of the channel is either equal to the capacity of the channel with vanishing error, or the capacity of the channel with no secrecy requirement. We call this interesting phenomenon a phase change.
II Main results
For , we call a -code if the domain of (i.e., ) is of cardinality , and the pair satisfy both (1) and . Further we say the rate error secrecy (RES)-triple is -achievable if there exists a sequence of -codes such that if , and if . Then the -secrecy capacity under the appropriate is the maximum such that the RES-triple is -achievable.
Note that for and , the above definition corresponds to what is called “weak” secrecy in the literature [2]. If “strong” secrecy is desired, the definition could be modified to that the RES-triple is -achievable when there exists a sequence of -codes such that , for . We have instead chosen to present the “weak” versions of these criteria, simply because their proofs trivially recover their “strong” counterparts.
Write to denote the capacity of the wiretap channel subject to the weak leakage constraint . In specific,
[TABLE]
where and . Two values of distinction which will arise in our results are that of and for which
[TABLE]
Next, restrict and , and . Then the following theorems give our main results regarding the secrecy capacities:
Theorem 1**.**
The -secrecy capacity under of the DM-WTC is given by
[TABLE]
for all .
Theorem 2**.**
The -secrecy capacity under of the DM-WTC is given by
[TABLE]
Theorem 3**.**
The -secrecy capacity under of the DM-WTC is given by
[TABLE]
for all .
Theorem 4**.**
The -secrecy capacity under of the DM-WTC is given by
[TABLE]
As mentioned before, the main new contributions are the converses of the theorems. Theorem 2 extends the result in [6] from the degraded DM-WTC to the general DM-WTC. Theorems 3 and 4 extend the results in [2] and in [4, 5] to the case of , respectively.
Theorems 1 and 3 state that the -secrecy capacities of the DM-WTC under and are invariant to the value of for all valid values of and , respectively. In other words, the strong converse property holds under and . Although invariant of the error tolerance, the -secrecy capacity under is non-trivially dependent on the leakage rate . In specific, the -secrecy capacity under increases linearly as a function of from until it saturates at , the (non-secret) capacity of the discrete memoryless channel (DMC) .
For the secrecy requirements and , Theorems 2 and 4 respectively show that the strong converse property no longer holds for the DM-WTC as the -secrecy capacities generally depend on the value of . Under , the -secrecy capacity remains at as long as . However, for , the -secrecy capacity value experiences an abrupt phase change, increasing to as if there is no secrecy requirement. Restricting to within either of the two value ranges, the -secrecy capacity under is invariant to .
Under , the -secrecy capacity remains at when for all . Note that this also includes the cases of strong secrecy ( with ) and bounded leakage ( with ). Thus the strong converse property holds when as proven in [4] and [5]. For any fixed , the -secrecy capacity increases from to and then levels off as increases in the range . The DM-WTC exhibits a phase change from where the strong converse property holds to where it does not. When , the -secrecy capacity value remains at for all , and the DM-WTC exhibits another phase change after which the strong converse property holds again.
III Proofs of Theorems
We prove the converses in Theorems 1–4 by employing the following strong Fano’s inequality developed in [4] and information stabilization result developed in [7]:
Strong Fano’s inequality**.**
For any of rate that gives over the DM-WTC, there exist a random index (correlated with , , and ) that ranges over an index set whose cardinality is at most polynomial in , , and an index subset
[TABLE]
satisfying .
Information stabilization**.**
For the pair, random index , and index set above, there exist and an index subset satisfying :333For any non-negative , , and , means .
, where \mathcal{\hat{Z}}^{n}(q_{n})\triangleq\big{\{}z^{n}\in\mathcal{Z}^{n}:P_{Z^{n}|Q_{n}}(z^{n}|q_{n})\doteq_{\tiny{\xi_{n}}}2^{-H(Z^{n}|Q_{n}=q_{n})}\big{\}}, 2. 2.
there exists a satisfying , and for each , and 3. 3.
* where \mathcal{\tilde{Z}}^{n}(m,q_{n})\triangleq\big{\{}z^{n}\in\mathcal{Z}^{n}:P_{Z^{n}|M,Q_{n}}(z^{n}|m,q_{n})\doteq_{\tiny{\xi_{n}}}2^{-H(Z^{n}|M,Q_{n}=q_{n})}\big{\}},*
for each .
Obtained through the information stabilization result in the appendix, the following lemma will also be needed:
Lemma 5**.**
For any , there exist , , and satisfying such that by defining
[TABLE]
and
[TABLE]
then
[TABLE]
For proving achievability in Theorems 2 and 4, we will make use of the following lemma to simplify discussions:
Lemma 6**.**
For , if the RES-triple is -achievable, then the RES-triple is also -achievable for any .
III-A Proof of Theorem 1
**(Direct) **For any and , the RES-triple being -achievable follows directly from [8, Theorem 17.11], which in particular shows the RES-triple is -achievable. On the other hand, the RES-triple is -achievable since is the channel capacity for the DMC , and corresponds to no secrecy constraint.
(Converse) To prove that is an upper bound on the -secrecy capacity under , first apply Lemma 5 to obtain values , , and which converge to [math] as increases, such that , for sets and as defined in Lemma 5. We also have that for some , due to . Thus and Lemma 5 together imply that
[TABLE]
But then the strong Fano’s inequality and (2) together give the existence of a such that
[TABLE]
since for large enough and . Combining Equations (3) and (4) gives
[TABLE]
for all . On the other hand, when , the strong Fano’s inequality (i.e., (3)) gives
[TABLE]
for all , as in the standard strong converse argument for the DMC .
III-B Proof of Theorem 2
(Direct) The RES-triple is -achievable, once again, by [8, Theorem 17.11], for . For , the RES-triple is -achievable by Lemma 6, since the RES-triple is -achievable.
(Converse) On the other hand, to prove that is an upper bound on the -secrecy capacity under , observe that implies
[TABLE]
Thus combining Lemma 5 and (5) gives
[TABLE]
As a result, if , then there must exist a such that (3) and (4) are simultaneously satisfied since
[TABLE]
for all sufficiently large . And therefore,
[TABLE]
if . If though , then the strong Fano’s inequality (i.e., (3)) gives .
III-C Proof of Theorem 3
(Direct) The RES-triple is since by definition is achievable.
(Converse) On the other hand, to prove that is an upper bound on the -secrecy capacity under of the DM-WTC, we note that Lemma 5 and directly imply
[TABLE]
for some . Thus as before the strong Fano’s inequality and (6) together give the existence of a satisfying (3) and
[TABLE]
since . Now
[TABLE]
for all , follows directly as a result of Equations (3) and (7).
III-D Proof of Theorem 4
(Direct) First note the RES-triple is achievable due to [8, Theorem 17.13]. Hence the RES-triple is -achievable by Lemma 6.
(Converse) To prove upper-bounds the -secrecy capacity under of the DM-WTC, notice that implies
[TABLE]
where is the cardinality bound on . But from the strong Fano’s inequality, we have . This together with (8) implies that there must be a such that
[TABLE]
Again by the strong Fano’s inequality, for this we also have (3). Combining (3) and (8) gives
[TABLE]
IV Conclusions
Employing the recently developed techniques of equal-image-size partitioning, we obtained the -secrecy capacities under , , , and of the DM-WTC for non-vanishing , , and . The secrecy criteria considered include the standard leakage and variation distance secrecy constraints often employed in the literature. Our new results show that both the capacity value and the strong converse property of the DM-WTC are in fact dependent on the secrecy criterion adopted. We conjecture that the interesting phase change phenomenon observed in cases where the strong converse property does not hold is commonplace in many other multi-terminal DMCs.
-A Proof of Lemma 5
We need the following lemma to prove Lemma 5:
Lemma 7**.**
Let be a random index ranging over , whose cardinality is at most polynomial in , and be any discrete random variable distributed over . Then there exist and such that and
[TABLE]
Note that and both depend only on the polynomial cardinality bound on .
Proof:
Let be such that . First write and . Then
[TABLE]
where . Thus the lemma is verified by (10) if we can show that . In particular, we do so by bounding and , and setting .
To bound , note that for all ,
[TABLE]
since
[TABLE]
Then the upper bound on follows from (11) as below:
[TABLE]
The upper bound on follows similarly in that
[TABLE]
∎
Apply Lemma 7 three times with , , and , respectively. Writing
[TABLE]
where is obtained in Lemma 7, we have
[TABLE]
Next define
[TABLE]
with the corresponding , , , and as given in the information stabilization result summarized in Section III. Similar to before,
[TABLE]
[TABLE]
From here note that for any ,
[TABLE]
implies
[TABLE]
because . And then in turn, for all ,
[TABLE]
since . Thus Lemma 5 results from (16) by setting and , because we have from (14)
[TABLE]
-B Proof of Lemma 6
For , we can construct a -code , given that there exists a -code . Whence the lemma follows by the definition of the RES-triples. Letting be a random variable distributed identical, but independent, to . The new encoder, , is constructed by setting it equal to with probability and to with probability . While the new decoder .
Clearly, an error will likely occur if is set equal to . On the other hand, the probability of error will revert to that of if is set equal to . Thus the probability of error for is at most .
Letting be the joint distribution of for induced by , we can write the joint distribution of for as , while the marginals remain and . But then, for the variation distance,
[TABLE]
And for divergence
[TABLE]
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J. , vol. 54, pp. 1355–1387, Oct. 1975.
- 2[2] M. Bloch and J. Laneman, “Strong secrecy from channel resolvability,” IEEE Trans. Info. Theory , vol. 59, pp. 8077–8098, Dec. 2013.
- 3[3] V. Tan and M. Bloch, “Information spectrum approach to strong converse theorems for degraded wiretap channels,” in Proc. 52nd Annual Allerton Conf. Comm., Con., and Comp. , pp. 747–754, Sep. 2014.
- 4[4] E. Graves and T. F. Wong, “Equal-image-size source partitioning: Creating strong fano’s inequalities for multi-terminal discrete memoryless channels,” Ar Xiv e-prints , Dec. 2015. Available at https://arxiv.org/abs/1512.00824 .
- 5[5] Y.-P. Wei and S. Ulukus, “Partial Strong Converse for the Non-Degraded Wiretap Channel,” Ar Xiv e-prints , Oct. 2016. Available at https://arxiv.org/abs/1610.04215 .
- 6[6] M. Hayashi, H. Tyagi, and S. Watanabe, “Strong converse for a degraded wiretap channel via active hypothesis testing,” in Proc. 52nd Annual Allerton Conf. Comm., Con., and Comp. , pp. 148–151, Sep. 2014.
- 7[7] E. Graves and T. F. Wong, “Information stabilization of images over discrete memoryless channels,” in Proc. IEEE Int. Symp. Info. Theory , pp. 2619–2623, Jun. 2016.
- 8[8] I. Csiszár and J. Körner, Information Theory: Coding Theorems for Discrete Memoryless Systems . Cambridge University Press, 2nd ed., 2011.
