Semantic Security on Wiretap Channels using Universal Hashing with Fading Applications
Eric Kubischta, Parker Pavlicek, Sanjay Karmakar
At the time of this writing, all authors were with the Department of Electrical and Computer Engineering, North Dakota State University, Fargo, ND, 58102 USA.
Abstract
We furnish a procedure based on universal hash families (UHFs) that can convert an error correcting coding scheme (ECC) of rate into a semantically secure wiretap coding scheme of rate where is a parameter derived from the eavesdropper’s point-to-point channel. This conversion is shown to be polynomial time efficient with block length and is applicable to any channel, i.e., both discrete and continuous channels. When an ECC is chosen, our procedure induces a wiretap coding scheme that is concrete and efficient as long as the ECC is also such. To prove this induced wiretap coding scheme is semantically secure, we have constructed bounds on the information leaked to the eavesdropper. Our construction is an upgrade of bounds from recent literature: the novelty here being that our leakage bounds hold for any message distribution. Indeed, our wiretap procedure using UHFs and our characterization of its semantic leakage is the first main contribution of this work.
The other main contribution of this work is as follows. We apply the aforementioned procedure to a variety of wiretap channels in order to show the procedure’s efficacy, and as a result of such applications, we mirror existing results from literature regarding achievable semantically secure rates. More notably, in some cases our results establish new achievable semantically secure rates. For DMC wiretap channels and No-CSIT (instantaneous channel state information at the transmitter) fast fading wiretap channels, we show how our wiretap scheme can achieve the secrecy capacity in certain cases, but more generally, can always achieve a non-negative rate of under semantic security where is the rate of the ECC on the main channel and is the capacity of the eavesdropper’s point-to-point channel. On partial CSIT fast fading wiretap channels, we show that our wiretap coding scheme can achieve the best known secure achievable rates from literature, even under semantic security. On full CSIT fast fading wiretap channels, we show that our wiretap coding scheme can achieve the secrecy capacity. On AWGN wiretap channels, using a recent ECC from literature, we provide an end-to-end wiretap coding scheme that is concrete, polynomial time efficient in block length, semantically secure, and has both its probability of error and semantic leakage exponentially diminishing with block length. In fact, we prove that the semantic leakage in each of the previous cases is exponentially decreasing with block length.
Index Terms:
Physical layer security, Universal Hashing, UHF, Semantic Security, Secrecy Capacity, Achievable rates, Fast Fading channels, Leakage bounds, Full CSIT, Partial CSIT, No-CSIT
I Introduction
Physical layer security exploits the inherent randomness in a communication environment to derive security; this form of security makes no assumptions on the eavesdropper’s capabilities. This is in direct contrast to computational based security which derives security based on the assumption that the eavesdropper has bounded computational resources.
Computational based security has been the de facto security for communication systems since its inception due especially to its ease of implementation; however, the main assumption of computational boundedness has been scrutinized in recent years more than ever. One of the primary reasons for this scrutiny is the potential advent of practical quantum computers in the near future. On the other hand, physical layer security is impervious to advances in computing, in particular quantum computing, because it makes no underlying assumptions on computational resources. Thus, regardless of the technology the eavesdropper possesses, physical layer security maintains its integrity. In this way, physical layer security is inherent security.
Despite this clear advantage, physical layer security is still underutilized in modern communication systems. This is primarily because most proposed schemes to implement physical layer security are too impractical. The schemes are most often only theorized to exist, with a tangible construction unknown, i.e., proofs are by existence and not by construction. Moreover, even when a construction is given, it is rarely efficient in block length.
Overcoming these hurdles has been one of the primary aims of the physical layer community for quite some time. But there is yet another reason physical layer security has not found common use in new communication systems; this reason is significantly more subtle. The measure of security provided by most physical layer security schemes is insufficient to be used in a practical setting.
There is no direct analog of this problem that arises from computational based security because in that case the underlying assumption that certain decision problems are computationally hard is unproven anyway. Here, in physical layer security where security is rigorously proven, the choice of how security is measured needs to be consistent with reality if the proof of security is to hold any merit.
If a physical layer scheme could be created that is tangible, efficient, utilizes the most realistic measure of security, and achieves an input/output rate near the theoretical maximum, then physical layer security could potentially rival computational based security as the de facto security of modern communication systems, or at the very least could be an indispensable component. Motivated by this, herein we develop a physical layer coding scheme that aims to satisfy all of these properties and in some cases even does.
I-A Background - Security Metrics
Physical layer security is often modeled by a wiretap channel, which was introduced in the 1970s by Wyner [1] and later generalized by Csiszár and Körner [2]. The metric used to measure security in these works is now colloquially referred to as the weak security metric. For years this was the primary metric used to measure security on wiretap channels; however, in the 1990s it was asserted in [3] that the weak metric provided an inadequate measure of security to be deemed practical. This led to the creation of the strong security metric, the unnormalized version of the weak metric.
This metric sufficed for a while, but in 2012 it was again shown to be an inadequate measure of security for realistic communication systems by Bellare, Tessaro, and Vardy [4]. In addition to showing this, they created three new security metrics provably stronger than the strong security metric and proved them asymptotically equivalent. For the purposes of this paper, due to their equivalence, we will refer to all three of these metrics collectively as the semantic security metric, the name given in [4]. This metric is now held to be the gold standard of security metrics for the wiretap channel. Moreover, it is argued that a stronger security metric than the semantic security metric does not exist. For these reasons, it is the only measure of security that should be utilized in practice. Admittedly, proving results with this metric tends to be more arduous, therefore many results in the literature still use the strong security metric and even the weak security metric, but in this work we will exclusively use the semantic metric to prove security.
I-B Background - Fading Channels
In addition to focusing on physical layer security schemes that are tangible, efficient, and utilize semantic security, we will be primarily concerned with the most realistic of wiretap channel models: the fading wiretap channel. Fading wiretap channels are commonly used to model the security of wireless communications. This model assumes the input signal is attenuated/amplified and then corrupted by some additive noise. The amount of attenuation/amplification is called the channel state. When the channel state changes frequently and independently, we are in the so-called fast fading regime. This is one of the most practical fading wiretap channel models and is the main focus of our applications.
Due to the nature of wireless systems, fading wiretap channels sometimes assume that the current channel state is fed back from the receiver to the transmitter (this is abbreviated by CSIT - instantaneous channel state information at the transmitter). However, since there are actually two point-to-point channels within a wiretap channel, the transmitter potentially receives both of these channel states: one corresponding to the intended receiver’s channel and one corresponding to the eavesdropper’s channel.
We denote the case when the transmitter knows neither of these channel states by No-CSIT, although we do assume the transmitter knows the statistics of the channel states as random variables. We denote the case when the transmitter knows the intended receiver’s current channel state but not the eavesdropper’s current channel state (only the statistics) by partial CSIT. Lastly, we denote the case when the transmitter knows both current channel states by full CSIT.
The level of CSIT drastically changes which secure rates are achievable. For this reason, we will treat No-CSIT, partial CSIT, and full CSIT as separate wiretap channels entirely.
I-C Related Work
In [4] and also in [5], a tangible (concrete) and efficient wiretap coding scheme was given that could achieve positive secrecy rates on discrete memoryless wiretap channels under semantic security. In certain cases, this wiretap scheme could also achieve the semantic secrecy capacity [6]. In [7], this scheme was extended for use on the AWGN wiretap channel and was shown to achieve the secrecy capacity, however, the wiretap scheme therein was only able to achieve positive secrecy rates under the strong security metric. In [8], however, this wiretap scheme was shown to achieve the strong secrecy capacity for both continuous and discrete wiretap channels. Their proof is a direct bound on the strong leakage and admits a nice characterization of the secure achievable rates. In [9], a wiretap scheme was shown to achieve the semantic secrecy capacity of AWGN wiretap channels, albeit in a completely different manner than the previously mentioned five papers. To date, there is currently no universal wiretap scheme that achieves the semantic secrecy capacity for both discrete memoryless and AWGN wiretap channels.
Physical layer security for fast fading wiretap channels was arguably started with Liang, Poor, and Shamai in [10], where they found the weak secrecy capacity of the fast fading wiretap channel with the assumption of full CSIT. This was later improved by Bloch and Laneman in [11], where they determined the secrecy capacity of this channel under the strong secrecy metric. In a different direction, Bloch and Laneman [12] considered the case of fast fading wiretap channels with partial CSIT; they gave a set of achievable secrecy rates under the strong secrecy metric for this channel. Their solution relies on an optimization problem that has no closed form solution, and thus it represents the best known secrecy rate on the fast fading channel with partial CSIT. In the case of fast fading channels with No-CSIT, it was only recently shown in [13], [14], [15] that positive rates are actually achievable; an upper bound for the secrecy capacity is also derived there. For a special class of fast fading No-CSIT channels, [14] actually finds the secrecy capacity of these channels under the weak secrecy constraint. In [16], a positive semantically secure achievable rate is obtained for fast fading channels with No-CSIT. To date, there are few results involving semantic security on fast fading wiretap channels. In particular, no one has constructed a wiretap scheme that achieves the best possible semantically secure rates for each case of CSIT. Moreover, hardly any wiretap schemes exist for fast fading channels that are tangible/efficient and come close to the best possible rates, even in the lesser weak and strong cases.
I-D Summary of Results
The main purpose of this paper is to amplify results of physical layer security into a more practical setting. We prove all of our results using the semantic security metric, the most demanding security metric in this field. The wiretap coding scheme we develop is modular in the sense that it can immediately be adapted to any existing channel to provide semantic security; furthermore, it is shown to be concrete and efficient (as will be made clear in Section III, we only prove the preprocessor is concrete and efficient; however, if the error correcting code is also such, then so is the entire wiretap coding scheme).
To prove our wiretap coding scheme is semantically secure, we bound the semantic leakage asymptotically (1). We do this by upgrading the strong leakage bounds found in [8]. In particular, we optimize over all message distributions. As in [7, 8], our wiretap scheme is a modular scheme consisting of a preprocessor based on UHFs. However, in order to guarantee that our scheme is semantically secure, we require the UHF to also have additional properties (we dub UHFs with these additional properties as semantically secure universal hash families - SS-UHFs). The additional properties are non-restrictive in general and we provide a particular implementation of an SS-UHF based on finite field arithmetic that is concrete and quadratic time efficient. In effect, our SS-UHF based preprocessor is a converter that takes in an off-the-shelf ECC and converts it to a semantically secure wiretap coding scheme (2).
In 1 below, we outline the necessary steps for using our wiretap scheme on an arbitrary wiretap channel. Use of this procedure attains semantic security for any wiretap channel contingent on certain conditions being satisfied which are derived from the wiretap channel. We show that these conditions are indeed satisfied for the DMC, AWGN, and fast fading wiretap channels where we examine the fading channels with various levels of instantaneous channel state information at the transmitter. In other words, we demonstrate this procedure, in effect, proving that our wiretap coding scheme can achieve semantically secure rates on these channels.
The following are our specific contributions on each of the aforementioned channels.
- DMC - In 3, we reestablish the result given by Tal and Vardy’s upgrade [6] of Bellare, Tessaro, and Vardy’s original result [4, 5]; that is, we show our wiretap coding scheme achieves the semantic secrecy capacity of any symmetric, degraded, discrete memoryless wiretap channel. However, we allow any ECC for the main point-to-point channel in our construction. This is in contrast to the previous results that impose certain restrictions on the ECC in order to achieve secrecy capacity.
- AWGN - In 4, we reestablish [9] by constructing a concrete, end-to-end efficient wiretap scheme and prove that it can achieve the secrecy capacity on the AWGN wiretap channel under semantic security. However, we prefer our wiretap scheme in the fact that it is modular: the same preprocessor used here can be used on any channel without modification.
- No-CSIT - In 5, we prove that our wiretap scheme achieves the semantic secrecy capacity here for the case when the eavesdropper’s channel is stochastically degraded (cf. [14]) with respect to the main channel. Furthermore, in other cases, we provide a set of semantically secure achievable rates.
- Partial CSIT - In 6, we prove that our wiretap scheme achieves the best known achievable secrecy rates to date (cf. [17]) with semantic security.
- Full CSIT - In 7, we prove that our scheme can actually achieve the strong secrecy capacity in this setting with semantic security, thereby proving that the semantic secrecy capacity is equivalent to the strong secrecy capacity and hence also to the weak secrecy capacity.
All of the achievable semantically secure rates on these channels can be attained concretely and efficiently (1 and 2) - since our preprocessor is already such, one only needs to concentrate on finding an error correcting code that is concrete and efficient. Once this is done, the entire wiretap coding scheme is concrete and efficient! In other words, we have converted the problem of finding good wiretap coding schemes into a problem of finding good error correcting coding schemes where good here means concrete and efficient.
To recap, we give in this paper a procedure for attaining semantically secure rates in a concrete and efficient way for arbitrary wiretap channels. We apply this procedure in particular to the five aforementioned channels. Therefore, if the reader desires to attain semantically secure rates on one of these channels, all that remains is to find an error correcting code. As a special case, we have pointed the reader to an ideal error correcting code for the AWGN wiretap channel, thereby completing the procedure in this case in full. If the reader wants to attain semantic security on a wiretap channel not listed above, then the reader must apply 1 in its entirety. Specifically, the reader must check that the hypothesis of 2 is satisfied for that channel.
I-E Outline
The remainder of the paper is organized as follows. Section II introduces notation and gives the preliminary mathematical background necessary to proceed through the rest of the paper. Section III presents our modular wiretap coding scheme and gives a concrete and efficient implementation of the preprocessor based on finite field arithmetic. Section IV analyzes both the security and achievable rates of our proposed wiretap scheme and gives a procedure for how to utilize our main results on an arbitrary (discrete or continuous) wiretap channel. In Section V, we apply this procedure to the DMC and AWGN wiretap channels as a first application and show how our wiretap scheme replicates the best results from literature. Section VI considers fast fading wiretap channels with various levels of CSIT (No-CSIT, partial CSIT, and full CSIT) and gives semantically secure achievable rates for each of these. Moreover, we show how our wiretap scheme in these cases exceeds the best results from literature.
In an attempt to give a more polished presentation, we have assigned nearly all of the proofs to the appendices.
II Preliminaries
II-A Notation and Conventions
We shall write to denote an -dimensional vector where denotes the -th component, i.e., . We use the usual notation to denote the Euclidean norm. We shall denote the indicator (or characteristic) function by or and will take all logarithms in this paper to be base unless we write , for which we mean the logarithm of base . We will write , and to denote the set of natural, real, and complex numbers respectively. With a slight abuse of notation, we will write to denote the set of non-negative reals. We will write to denote the cardinality of set .
We will denote random variables by capital letters and will denote the spaces for which a random variable is defined by a respective scripted letter, e.g., is a random variable with values in . As usual we write to denote that is a uniform random variable over some discrete set ; we write to denote that is a real Gaussian random variable with mean and standard deviation ; we write to denote that is a circularly symmetric complex Gaussian random variable with mean and standard deviation .
We shall use the notation of [2, 8] and let denote the usual mutual information between random variables and . We write when random variable is independent of . We write to denote the probability of event and to denote the expected value of random variable . When we want to be explicit about which random variable we are taking the probability (resp. expected value) with respect to, we shall denote the random variable by a subscript.
We denote all probability densities (when we have a probability mass function, we will sometimes instead use the notation with appropriate subscripts as necessary) by defined by the Radon-Nikodym derivative with respect to some implicit reference measure; we will almost always denote this reference measure by . We denote the conditional probability density in an analogous way as . As an example of our notation, if and are random variables on and respectively, then denotes the probability density of and denotes the conditional probability density of given .
When algorithms are completed in polynomial time (in the worst case), we adopt the standard convention and call such algorithms efficient.
II-B Channels
Let and be sets. We shall denote a stochastic map by . Given , a stochastic map assigns a likelihood that will map to a certain . For each , this induces the random variable . The support of this random variable, , is the set of elements in that can map to with non-zero likelihood.
Let be some stochastic map, a random variable on , some reference measure on , and . We will call the conditional density the transition density of the stochastic map and we will call the tuple a channel. We will often abuse language/notation and call itself a channel. The transition density probabilistically tells us how the channel is mapping to . Given that some symbol was sent across the channel, the probability that is in some subset is given by .
For the rest of this paper, we will be considering subnormalized channels: channels with transition densities such that . This is a technical condition that allows us to define the following. Given a channel and subset denote . This induces a restricted channel as follows. Given that was sent across the restricted channel, the probability that is in some subset is given by .
II-C Error Correcting Codes
We will always refer to the number of channel uses (note that we only consider discrete-time channels in this work) as the block length (of the code) and denote it by . As usual, we will mainly be considering the -letter extension of channel notated by .
Let be some finite message set. An -length encoder for is an injective function . The image is called the codebook and is denoted . Elements of the codebook are referred to as codewords. An -length decoder for is a function and an -length code is a tuple . The rate of the code is given by . Lastly, a family of codes is called a coding scheme with rate given by , where we assume this limit exists.
The maximum probability of error for code is given by . If is sufficiently small then is called an error correcting code (ECC). If every code in scheme is an ECC, we call an ECC scheme. If as then we say the scheme is reliable. In particular, if for some constants and for every , then we call the ECC scheme exceptionally reliable.
Remark.
It was noted in [4] that “good” error correcting coding schemes in practice should satisfy the reliability condition exponentially fast; they called such ECC schemes “strongly reliable.” Due to the plethora of definitions containing the wording “strong” in the literature, we have instead called such ECC schemes here “exceptionally reliable.”
For continuous channels (i.e. ) we shall always impose the average power constraint as usual. In more detail, for some fixed constant , we shall require the code to satisfy for every .
The supremum of reliable achievable rates over all ECC schemes is known as the (point-to-point) channel capacity. We shall denote the channel capacity of a channel by .
II-D Wiretap Codes
Let be a channel that models the communication between a transmitter Alice and intended receiver Bob. Let be a channel modeling the unintended communication between Alice and a passive eavesdropper Eve. We call the pair of channels the wiretap channel.
Note that we have chosen the letters , , and so as to denote the Transmission channel, Eavesdropper’s channel, and Wiretap channel. We also note that the -letter wiretap channel is given by .
The goal of physical layer security as modeled by a wiretap channel is for Alice to communicate information reliably to Bob while keeping that same information hidden from Eve. Let be the random variable representing the message Alice wants to impart to Bob yet keep secret from Eve. Let be the -letter random variable representing Eve’s output. To measure security, we recall the most common security metrics.
- Weak [1]:
[TABLE]
- Strong [18] (strong security is sometimes referred to as MIS-R, cf. [4]):
[TABLE]
- Semantic [4]:
[TABLE]
We refer to each of these quantities as leakage and we say that a coding scheme is secure under a given metric if its respective leakage goes to 0 as . In a similar fashion to exceptional reliability, we say that a coding scheme is exceptionally secure if the leakage is vanishing exponentially fast with .
Remark.
The expression for semantic security above is technically called mutual information security (MIS) as originally defined in [4]. Semantic security (in the wiretap context) is actually defined using guessing probabilities. However, therein it was shown for discrete channels (and in [19] for continuous channels) that MIS was equivalent to semantic security asymptotically. Thus, in the asymptotic regime there is no need to differentiate between the two metrics because each implies the other. Hence, our choice of name is technically justified.
However, one may still ask why we call the definition above “semantic security” when it is actually the definition of MIS; the reasoning is as follows. The definition of semantic security in [4] is named such to allude to the gold standard definition from computational based security [20]. However, the definition of semantic security is considerably less tractable than the definition of MIS. In order to get the best of both worlds, we have chosen our naming convention. We note that it is a convention already followed by other works.
Let be a coding scheme for channel (and inherently channel ) using message set . We say is a -wiretap coding scheme, where , if it satisfies each of the following.
- Reliability: is a reliable ECC scheme for .
- Security: is secure (relative to ) using the -metric.
If these two conditions are satisfied exceptionally, then we say that is an outstanding -wiretap coding scheme.
If is the rate of a wiretap coding scheme, then we say is an achievable secrecy rate. We call the supremum of all achievable secrecy rates the secrecy capacity, denoted by $C_{s}\bigr|_{\mathfrak{X}}$ or simply when the metric is clear from context.
Fact 1.
If all secure rates achievable under the weak secrecy metric are also achievable under the semantic secrecy metric, then:
[TABLE]
II-E Universal Hashing
Let be the set of binary strings of length , and be finite sets, and a uniform random variable on . Consider now a family of a finite number of functions indexed by :
[TABLE]
- (i) is called a universal hash family (UHF) if for every ,
[TABLE]
- (ii) is called uniform if for every and for every ,
[TABLE]
- (iii) is called -regular if for every and for every ,
[TABLE]
- (iv) is called invertible if for each there exists some stochastic mapping such that for all and , . If is a uniform random variable for every and , then we call evenly invertible.
- (v) Lastly, we call a semantically secure universal hash family (SS-UHF) if it is: (i) universal, (ii) uniform, (iii) -regular, and (iv) evenly invertible.
Many of the definitions here coincide with those found in the computer science literature. The conditions of being a universal hash family (as introduced in [21]) and uniform are found in most textbooks on hash families. The conditions of being -regular and invertible can be found in [5] and [8]. That being said, we have invented some terminology. We have dubbed hash families that are universal, uniform, -regular, and evenly invertible as semantically secure universal hash families to emphasize that hash families with these four properties are the proper ones for inducing semantic security (see Section IV).
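As an added illustration (not the paper's own Section III construction), the following Python checks the four SS-UHF properties exhaustively for a small hash family chosen here: seeds are pairs (s, t) with s a nonzero element of GF(2^4) and t any element, and h(x) is the top 2 bits of s·x + t computed in GF(2^4). The property definitions used are assumptions, since the page's own formulas are not reproduced above: universal means collision probability over the seed at most 1/|Y| for distinct inputs, uniform means each output is equally likely over the seed for every input, regular means every output has equally many preimages under every seed, and evenly invertible means a stochastic inverse that maps fresh uniform randomness bijectively onto the preimage set.

```python
"""Exhaustive checks of the four SS-UHF properties on a tiny GF(2^4) hash family."""
import itertools
from fractions import Fraction

N = 4            # field GF(2^N); hash inputs are N-bit strings
M = 2            # hash output length in bits, so |Y| = 2^M
POLY = 0b10011   # x^4 + x + 1, irreducible over GF(2) (chosen here for the toy field)
ORDER = 1 << N


def gf_mul(a, b):
    """Multiply two elements of GF(2^N); bits are polynomial coefficients."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:        # degree reached N: reduce modulo POLY
            a ^= POLY
    return r


def gf_inv(a):
    """Multiplicative inverse via a^(2^N - 2); valid for a != 0."""
    assert a != 0
    r, base, e = 1, a, ORDER - 2
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def seeds():
    """Seed set: (s, t) with s a nonzero field element and t any field element."""
    return [(s, t) for s in range(1, ORDER) for t in range(ORDER)]


def h(seed, x):
    """h_{s,t}(x) = top M bits of (s*x + t), arithmetic in GF(2^N)."""
    s, t = seed
    return (gf_mul(s, x) ^ t) >> (N - M)


def stochastic_inverse(seed, y, r):
    """Given y and (N-M) bits of randomness r, return an x with h(seed, x) == y."""
    s, t = seed
    z = (y << (N - M)) | r          # any full-width element whose top bits are y
    return gf_mul(gf_inv(s), z ^ t)  # undo the +t and the *s


def max_collision_probability():
    """Universal: max over x != x' of Pr_seed[h(x) == h(x')]; must be <= 2^-M."""
    S = seeds()
    worst = Fraction(0)
    for x, xp in itertools.combinations(range(ORDER), 2):
        coll = sum(1 for sd in S if h(sd, x) == h(sd, xp))
        worst = max(worst, Fraction(coll, len(S)))
    return worst


def is_uniform():
    """Uniform: for every input x and output y, Pr_seed[h(x) == y] == 2^-M."""
    S = seeds()
    for x in range(ORDER):
        for y in range(1 << M):
            hits = sum(1 for sd in S if h(sd, x) == y)
            if Fraction(hits, len(S)) != Fraction(1, 1 << M):
                return False
    return True


def is_regular():
    """Regular: under every seed, every output y has exactly 2^(N-M) preimages."""
    for sd in seeds():
        counts = [0] * (1 << M)
        for x in range(ORDER):
            counts[h(sd, x)] += 1
        if any(c != 1 << (N - M) for c in counts):
            return False
    return True


def is_evenly_invertible():
    """Evenly invertible: for each seed and y, the inverse maps the uniform
    randomness r one-to-one onto the preimage set of y, so its output is
    uniform on that set."""
    for sd in seeds():
        for y in range(1 << M):
            preimage = {x for x in range(ORDER) if h(sd, x) == y}
            sampled = [stochastic_inverse(sd, y, r) for r in range(1 << (N - M))]
            if len(set(sampled)) != len(sampled) or set(sampled) != preimage:
                return False
    return True


if __name__ == "__main__":
    print("max collision probability:", max_collision_probability(), "<=", Fraction(1, 1 << M))
    print("uniform:", is_uniform(), "regular:", is_regular(),
          "evenly invertible:", is_evenly_invertible())
```

Restricting s to nonzero elements is what makes every seed's map regular (a constant map would not be), while the uniform additive t is what makes the family uniform even at x = 0.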
II-F -smooth -Mutual Information
In order to measure the amount of information leaked to the eavesdropper using our wiretap scheme, we will need to employ a different measure of information, known as -mutual information. -mutual information is defined using Rényi entropy and is actually a generalization of the usual mutual information defined by Shannon.
For a discrete random variable over , the following generalizes Shannon’s entropy and is called Rényi entropy of order [22]: . This can be extended by continuity to the cases of and where is the usual Shannon entropy and is the usual min-entropy. In particular, when is uniform, for any we have , a fact we will use frequently.
In a similar way, one can define conditional Rényi entropy; however, there is no universal notion of such a definition in the literature, as different definitions can be employed based on the specific properties one desires (cf. [23, 24]). We will be using Arimoto’s definition [25, 26], given as follows.
Let be an arbitrary random variable over (with measure on ) and a discrete random variable over . Then conditional Rényi entropy of order is given by:
[TABLE]
Just as in the case of (unconditioned) Rényi entropy, this definition can be extended to the cases of and by continuity. For , one easily checks using L’Hospital’s rule that becomes , the conditional Shannon entropy. For , the definition becomes
[TABLE]
and is often referred to as conditional min-entropy. Another important case we would like to emphasize is when :
[TABLE]
which is often referred to as conditional collision entropy.
Now let us finally define -mutual information: the Rényi extension of Shannon’s mutual information. Again, there is no universal definition in the literature, but we will be using the definition put forth in [26] for the special case when is a uniform random variable.
Let and be random variables as before except now we require to be uniform over . For we define the -mutual information between and by
[TABLE]
Notice that is exactly Shannon’s mutual information so in this case we will drop the subscript. Moreover, for the case of , we will often call collision-information and for the case of , we will often call max-information.
Fact 2.
[26, 27] For any , is monotonically increasing in .
Note that this fact justifies the name max-information for , because it measures the largest amount of information among all of the -mutual informations.
The -mutual information also admits several other desirable properties of an “information measure” which can be found in [27]. Note however that this definition of -mutual information is not symmetric in its arguments and does not satisfy the chain rule in general. This of course is in contrast to Shannon’s mutual information.
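The following Python is an added numerical illustration, not code from the paper: it evaluates Rényi entropy, Arimoto's conditional Rényi entropy and the resulting -mutual information for a uniform bit sent over a binary symmetric channel (a constructed toy eavesdropper channel with crossover probability 0.1). The closed forms are the standard statements of the definitions cited above ([22], [25], [26]); the channel, the orders evaluated and the function names are choices made here. It shows the ordering of Fact 2 (Shannon information at order 1 below collision-information at order 2 below max-information) and the continuity of the definitions at the boundary orders.

```python
# Added example (not from the paper): Rényi entropy, Arimoto's conditional Rényi entropy
# and alpha-mutual information I_alpha(X;Y) = H_alpha(X) - H_alpha(X|Y) for uniform X,
# evaluated on a constructed binary symmetric channel.  Formulas are the standard
# statements of the cited definitions; channel and parameters are assumptions.
from math import log2, isinf


def renyi_entropy(p, alpha):
    """H_alpha(X) in bits for a probability vector p.
    alpha=1 is Shannon entropy and alpha=inf is min-entropy (both by continuity)."""
    if alpha == 1:
        return -sum(q * log2(q) for q in p if q > 0)
    if isinf(alpha):
        return -log2(max(p))
    return log2(sum(q ** alpha for q in p if q > 0)) / (1 - alpha)


def arimoto_conditional_entropy(joint, alpha):
    """Arimoto's H_alpha(X|Y) on a joint table joint[x][y]:
    alpha/(1-alpha) * log2 sum_y ( sum_x P(x,y)^alpha )^(1/alpha).
    alpha=1 gives conditional Shannon entropy, alpha=inf the conditional min-entropy
    -log2 sum_y max_x P(x,y), and alpha=2 the conditional collision entropy."""
    xs, ys = range(len(joint)), range(len(joint[0]))
    if alpha == 1:
        p_y = [sum(joint[x][y] for x in xs) for y in ys]
        return -sum(joint[x][y] * log2(joint[x][y] / p_y[y])
                    for x in xs for y in ys if joint[x][y] > 0)
    if isinf(alpha):
        return -log2(sum(max(joint[x][y] for x in xs) for y in ys))
    inner = sum(sum(joint[x][y] ** alpha for x in xs) ** (1 / alpha) for y in ys)
    return alpha / (1 - alpha) * log2(inner)


def alpha_mutual_information(joint, alpha):
    """I_alpha(X;Y) = H_alpha(X) - H_alpha(X|Y).  The definition used in the paper
    assumes X uniform, so the X-marginal of `joint` must be uniform (bsc_joint is)."""
    p_x = [sum(row) for row in joint]
    return renyi_entropy(p_x, alpha) - arimoto_conditional_entropy(joint, alpha)


def bsc_joint(p):
    """Constructed joint P(x,y) of a uniform bit X sent through a BSC with crossover p."""
    return [[0.5 * (1 - p) if x == y else 0.5 * p for y in range(2)] for x in range(2)]


def information_profile(p, alphas=(1, 2, 10, float("inf"))):
    """I_alpha(X;Z) for several orders.  Fact 2: the list is non-decreasing in alpha,
    alpha=1 being Shannon's I(X;Z) and alpha=inf the max-information."""
    joint = bsc_joint(p)
    return [alpha_mutual_information(joint, a) for a in alphas]


if __name__ == "__main__":
    for a, i in zip((1, 2, 10, "inf"), information_profile(0.1)):
        print(f"alpha={a}: I_alpha(X;Z) = {i:.4f} bits")
```

For crossover 0.1 the orders 1, 2 and infinity give roughly 0.531, 0.714 and 0.848 bits, so bounding leakage by max-information (as the paper does) is the conservative choice: it upper-bounds every other order.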
To facilitate our proofs later on we will also need a concept called -smooth -mutual information. Basically, we will define -mutual information on a portion of the entire space that probabilistically contains enough content up to some . To make this rigorous we first introduce the concept of a typical set.
For , we call a subset a -typical set if
[TABLE]
Furthermore, we will denote the set of all -typical sets by . Typical sets intuitively contain almost all that there is to know about our space up to some , hence the name typical.
For some typical set , we first define the conditional Rényi entropy of order restricted to . This is simply given by
[TABLE]
Given define -smooth -mutual information for uniform over by
[TABLE]
where -mutual information evaluated on is given by
[TABLE]
Given some threshold , we find the smallest value that -mutual information could possibly be when defined on the subnormalized channels corresponding to those sets that contain enough probability with respect to our threshold. Later, we will bound the leakage between the transmitter and eavesdropper as an increasing function of this metric; thus, defining -smooth -mutual information using the infimum provides the tightest bound we should expect when is our threshold.
Note that when , contains only sets equal to the entire space less a set of measure zero and hence .
Analogous to Fact 2, we have the following ordering for -smooth -mutual information, a result we will use in proving that our wiretap scheme is secure.
Lemma 1.
For any and , is monotonically increasing in .
Proof.
This follows easily from the proof given for [26, Proposition 1] replacing the densities by and noting that all inequalities still hold. ∎
III A Wiretap Coding Scheme
In this section we will furnish a wiretap coding scheme for an arbitrary wiretap channel (here "arbitrary" indeed means any discrete-time wiretap channel; however, a positive secrecy rate may not be attainable on some wiretap channels) which is based on a wiretap scheme put forth in [5], [7], and [8]. We will first define each step of this scheme and show that it is reliable (we will show security in the next section). Then we will give a particular implementation and show that this implementation is efficient with respect to the block length .
Over an arbitrary wiretap channel our wiretap coding scheme involves combining an SS-UHF with a reliable ECC already in use over the main point-to-point channel. This modular wiretap scheme is precisely the scheme put forth in [5, 7, 8] except there the UHF was only required to be -regular and evenly invertible. Here, we are also demanding that our UHF be uniform. The necessity of this extra property will be elucidated in the next section when we prove that our scheme is semantically secure.
Consider Figure 1; this describes our wiretap scheme overall. We will now describe in detail each layer.
III-A Preprocessing Layer
Consider the finite sets and with . We shall refer to as the actual message and as the pseudo-message because represents the information the transmitter actually wishes to impart to the intended receiver securely, whereas is some random variation of the actual message necessary for security. We will not assume which distribution the message takes.
Over a fixed arbitrary finite set , the transmitter will first draw a seed to be used for the remainder of transmission. We assume the seed is independent of the message and that the realized seed is publicly available to all parties. All communication must take place over the wiretap channel; however, we show in Appendix C that the transmitter can send the seed before the transmission of an actual message with no asymptotic loss in rate or security.
The transmitter now chooses an SS-UHF . Suppose each function in the SS-UHF has its invertible stochastic mapping given by . Choosing our message as and seed as , we will choose our pseudo-message to be . Since is evenly invertible and -regular, is a uniform random variable on elements of . In particular, .
III-B Coding Layer
The transmitter chooses some reliable ECC scheme (we always assume that the scheme satisfies the power constraint of the channel if there is one). We will assume (as is standard) that each party has full knowledge of . Thus, for a given blocklength , each party knows the codebook , and we have inherently induced new channels: and . We will henceforth consider these as the main transmission channel and the eavesdropper's channel, respectively, for the remainder of this work. At this point the transmitter encodes the pseudo-message using ; this will be a random variable over . Now the transmitter sends over the wiretap channel ; that is, the channel input is sent across but also, inherently, across .
III-C Intended Receiver’s Decoding Layer
The intended receiver will receive a noisy version of the channel input . The goal of the intended receiver is to correctly guess which realization of the random variable was sent given the realization of the random variable . This is accomplished using the estimate . Since we have assumed to be reliable, each is an ECC and thus the probability of error is small. In particular, for some finite this means there is a high probability that will equal ; this equality happens almost surely asymptotically with . In short, the intended receiver will be able to undo the coding layer entirely.
Next, the intended receiver shall post-process to an estimate of the actual message using the hash function corresponding to the public seed . That is, given that the intended receiver’s estimate is given as . Since we assumed our SS-UHF to be invertible, if is equal to then the UHF is guaranteed to map to (the original message); however, we showed that this happens almost surely asymptotically with . In this sense, the pre/post processing layers do not subtract anything from our reliability. In more detail, if is reliable to begin with then our entire wiretap scheme will also satisfy reliability. Furthermore, if is exceptionally reliable, then our wiretap scheme is exceptionally reliable as well.
III-D Eavesdropper’s Decoding Layer
Once the eavesdropper receives her channel output she will attempt to decode it in a similar fashion to that of the intended receiver; however, we will not assume how she decodes her output, since any such assumption could weaken our measure of security. As a side note, in contrast to computational security methods, we also place no bound on the eavesdropper's resources: the security shown here is information-theoretic and holds against an eavesdropper with unlimited computation.
III-E Discussion
As in [8], we call the preceding scheme modular since the pre/post processing layers are not intrusive to the main channel in any way in terms of either reliability or constructibility. That is, our preprocessing layer could be added to any already existing communication system without changing any core components of the original system.
III-F Explicit Construction
Does such a wiretap scheme exist? By extensions of Shannon's channel coding theorem we know that if then a reliable ECC scheme exists. Since our wiretap scheme is a concatenation of a pre/post processing layer with a reliable ECC, we now only need to be concerned with whether such a pre/post processing scheme exists; in particular, whether an SS-UHF exists.
In this subsection we give an explicit construction of an SS-UHF. Our construction is inspired by those given in [5, 7, 8]; however, the UHFs there can be shown not to satisfy uniformity, which is essential to our proof in the next section that our wiretap scheme is semantically secure.
Consider the following family of functions
[TABLE]
where and and as before. Here, all -length bit strings correspond to their respective elements in the finite field (where and denote addition and multiplication in the field respectively), selects the most significant bits, and denotes the all-zero bit string of length (which corresponds to the additive identity in ). As a remark, we note that here is equivalent to modulo-2/bitwise/XOR addition and where .
For some random variable and consider the inverses of given by
[TABLE]
Here is the inverse element of in (which always exists because is non-zero) and represents usual bit-string concatenation.
Proposition 1.
The family of functions is an SS-UHF.
Proof.
See Appendix A. ∎
With this we have constructed a concrete (algorithmic) implementation of an SS-UHF: this means that our wiretap coding scheme of the previous subsection always exists. Specifically, our pre/post processing layers are given concretely so that if the reliable ECC is also given concretely, then so is the entire wiretap scheme. Let us emphasize again that this is in contrast to much of the literature wherein wiretap schemes are implicitly defined through proofs by existence.
The fact that our wiretap scheme is explicitly given is necessary for realistic wiretap schemes but not quite enough in terms of practicality. We would also like our scheme to be efficient with block length . Fortunately, our pre/post processing scheme is efficient as proven in the next proposition. In other words, when the reliable ECC scheme is efficient, so is the entire wiretap scheme.
Proposition 2.
(1) Given , , and , the inverse can be computed in quadratic time with respect to .
(2) Given and , the function can be computed in quadratic time with respect to .
Proof.
See Appendix A. ∎
In conclusion of this section, we have constructed a concrete and efficient wiretap scheme that is polynomially time computable with block length . We note that the construction given here is by no means unique and one could use any concrete and efficient SS-UHF as the pre/post processing layers of our wiretap scheme .
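As an added example (code written for this page, not the paper's own implementation), the following Python puts the layers of Sections III-A to III-C and the finite-field construction of Section III-F together on a toy scale. The hash formula itself is not visible on this page; the form used here, f_s(x) = MSB_k(s ⊙ x) with stochastic inverse x = s^{-1} ⊙ (m || R) over GF(2^8) with the AES polynomial, is an assumption consistent with the description above (field multiplication, most-significant-bit selection, concatenation with uniform randomness). It checks the four SS-UHF properties exhaustively on the toy field and then sends a message through a 3-fold repetition ECC over a main channel whose error pattern is a constructed set of flip positions; the parameters, the repetition code and all names are choices made here.

```python
# Added example, not code from the paper: toy instance of the modular wiretap scheme
# (SS-UHF inverse -> ECC -> main channel -> ECC decode -> SS-UHF hash) plus exhaustive
# checks of the SS-UHF properties on GF(2^8).  The hash form f_s(x) = MSB_k(s * x) with
# inverse x = s^{-1} * (m || r) is an ASSUMPTION consistent with Section III-F.
N_BITS = 8                 # n: field size GF(2^n) = length of the pseudo-message
K_BITS = 3                 # k: message length (bits kept by MSB_k)
Q_BITS = N_BITS - K_BITS   # n - k: length of the randomness r appended to the message
MODULUS = 0x11B            # x^8 + x^4 + x^3 + x + 1, irreducible, defines GF(2^8)
FIELD = 1 << N_BITS
REP = 3                    # toy ECC: 3-fold repetition code with majority decoding


def gf_mul(a, b):
    """Carry-less multiplication in GF(2^n), reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD:          # bit n overflowed: reduce by the field polynomial
            a ^= MODULUS
    return r


MUL = [[gf_mul(a, b) for b in range(FIELD)] for a in range(FIELD)]   # lookup tables
INV = {a: next(b for b in range(1, FIELD) if MUL[a][b] == 1) for a in range(1, FIELD)}


def hash_f(seed, x):
    """f_s(x) = MSB_k(s * x) for a non-zero public seed s."""
    assert seed != 0
    return MUL[seed][x] >> Q_BITS


def invert_f(seed, m, r):
    """Stochastic inverse: pseudo-message x = s^{-1} * (m || r), r uniform on n-k bits."""
    return MUL[INV[seed]][(m << Q_BITS) | r]


def roundtrip_ok():
    """Invertible: f_s(f_s^{-1}(m)) = m for every seed, message and randomness."""
    return all(hash_f(s, invert_f(s, m, r)) == m
               for s in range(1, FIELD) for m in range(1 << K_BITS) for r in range(1 << Q_BITS))


def preimage_sizes(seed):
    """Regular: every k-bit output has the same number of preimages, 2^(n-k)."""
    counts = [0] * (1 << K_BITS)
    for x in range(FIELD):
        counts[hash_f(seed, x)] += 1
    return set(counts)


def evenly_invertible_ok(seed, m):
    """Evenly invertible: distinct r give distinct preimages of m, so uniform r selects
    one of the 2^(n-k) preimages uniformly (this is what makes X uniform on GF(2^n))."""
    xs = {invert_f(seed, m, r) for r in range(1 << Q_BITS)}
    return len(xs) == 1 << Q_BITS and all(hash_f(seed, x) == m for x in xs)


def max_collision_count():
    """Universal: max over x != x' of #{s : f_s(x) = f_s(x')}.  f_s is linear in x, so
    f_s(x) = f_s(x') iff MSB_k(s * (x xor x')) = 0; scanning every non-zero difference
    d (the pairs (0, d)) therefore covers every pair."""
    return max(sum(1 for s in range(1, FIELD) if hash_f(s, 0) == hash_f(s, d))
               for d in range(1, FIELD))


def collision_probability():
    """Collision probability over a uniform non-zero seed; a UHF needs this <= 2^-k."""
    return max_collision_count() / (FIELD - 1)


def ecc_encode(x):
    """Repetition code: each of the n pseudo-message bits (MSB first) is sent REP times."""
    return [(x >> i) & 1 for i in reversed(range(N_BITS)) for _ in range(REP)]


def ecc_decode(bits):
    """Majority decoding of each REP-block back to an n-bit pseudo-message estimate."""
    x = 0
    for i in range(N_BITS):
        block = bits[i * REP:(i + 1) * REP]
        x = (x << 1) | (1 if sum(block) > REP // 2 else 0)
    return x


def transmit(seed, m, r, flip_positions):
    """Alice -> Bob with the main channel's error pattern given by the constructed set
    flip_positions.  Returns (pseudo-message sent, Bob's estimate of it, Bob's message)."""
    x = invert_f(seed, m, r)                                            # pre-processing
    sent = ecc_encode(x)                                                # coding layer
    received = [b ^ (i in flip_positions) for i, b in enumerate(sent)]  # channel
    x_hat = ecc_decode(received)                                        # Bob's decoder
    return x, x_hat, hash_f(seed, x_hat)                                # post-processing


if __name__ == "__main__":
    seed, m, r = 0x53, 0b101, 0b10110       # public seed, 3-bit message, 5 random bits
    print("round trip:", roundtrip_ok(), "preimage sizes:", preimage_sizes(seed))
    print("collision prob %.4f < 2^-k = %.4f" % (collision_probability(), 2 ** -K_BITS))
    print("one flip per block:", transmit(seed, m, r, {0, 4, 8}))
    print("two flips in one block:", transmit(seed, m, r, {21, 22}))
```

The second transmit call shows why reliability is inherited from the ECC and not added by the hash: two flips in one repetition block defeat majority decoding, the recovered pseudo-message differs from the one sent, and the post-processor then outputs a wrong message. With the correctable pattern Bob recovers the pseudo-message exactly and the hash returns the original message, as Section III-C states.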
IV Achievable Semantically Secure Rates
We have already seen that the wiretap scheme we constructed in Section III satisfies the reliability property of a wiretap scheme as long as the ECC is reliable (and does so exceptionally when is chosen to be exceptionally reliable). Now we need to show that the scheme satisfies the security property of a wiretap scheme as well. In this section we will do just that by constructing leakage bounds for the semantic metric. It will turn out that under certain conditions our leakage bounds asymptotically go to 0 implying that our scheme is a semantically secure wiretap scheme. In particular, under further restrictions, our wiretap scheme is shown to be outstanding.
It is noted that leakage bounds for arbitrary wiretap channels using evenly invertible, -regular UHFs are already given in [8]; however, the leakage there assumes the secret message follows a uniform distribution and hence will only lead to strong security at best. As a reminder, strong security is not a sufficient measure of security in real-world applications because messages are often not uniformly distributed. We therefore need to generalize the leftover hash lemma (channel version) of [8] to overcome this obstacle. What becomes obvious upon proof is that considering UHFs that are only evenly invertible and -regular is not quite restrictive enough to lead to semantic security; this explains why in our wiretap coding scheme of Section III we chose our UHF to also be uniform.
For the remainder of this section, we will write to be the modular wiretap coding scheme described in Section III.
IV-A Semantic Leakage Bounds
Theorem 1.
Using on any wiretap channel , for we have
[TABLE]
Proof.
See Appendix B. ∎
Note the striking resemblance of our first inequality to [28, Theorem 3] for secret key agreement. There, they also used universal hashing to amplify privacy. Also note that our bounds generalize those provided in [8]. Therein, the message was assumed to be uniform, whereas here we make no a priori assumptions on . Admittedly, we require an SS-UHF for the pre/post processors, whereas they require an SS-UHF less the uniformity requirement. However, we have provided in Section III-F an efficient and concrete construction, thereby alleviating any doubts that such a hash family exists. Lastly, we note that an attempt to generalize the bounds of [8] to the ones given here has already been made in the literature but was redacted due to an error. Our approach is noticeably different, allowing our proof to overcome said error.
We will only be concerned with the second inequality of Theorem 1 for the remainder of this paper. It is considerably more tractable computationally and has already been studied in [8].
Recall that the wiretap scheme consists of a pre/post processor and an ECC scheme . Theorem 1 makes no a priori assumptions on what that ECC scheme is. Once we actually pick the ECC, however, we can characterize Theorem 1 more precisely. In particular, suppose we choose a reliable ECC with each having rate and with the overall rate of each given by . Now since the ECC has been chosen, there is a deterministic bijective mapping between and . Thus if is a random variable on then is a random variable on with the same distribution as . For convenience, define the random variable and note that it is defined only over , not . With these observations in mind, we can reformulate Theorem 1 as follows.
Corollary 1.
Using with reliable deterministic ECC on any wiretap channel , for we have
[TABLE]
IV-B Semantically Secure Rates
With the previous two bounds on the semantic leakage in mind, we would like to know under what conditions they asymptotically (with respect to ) approach 0. In this way, those conditions will tell us precisely when our wiretap coding scheme is semantically secure. It is fortunate that these conditions can be described in terms of (the asymptotic achievable secrecy rate), (the rate of the ECC scheme), and (-smooth max-information per channel symbol).
Let . The following theorem characterizes which secure rates are achievable under semantic security and we will be using its conclusions frequently throughout the rest of this paper.
Theorem 2.
Using with a reliable deterministic ECC on any wiretap channel , if is chosen such that as then we have the following.
(1)
[TABLE]
using semantic security.
(2) If then
[TABLE]
using semantic security.
(3) If is exponentially diminishing to 0 with , then for any secure rates as in (1) and (2), is exceptionally semantically secure. Moreover, if is exceptionally reliable, then is an outstanding semantically secure wiretap scheme.
Proof.
See Appendix B. ∎
Remark.
In Section VI, we will apply this theorem to channels with side information (extra information available to Alice that may help her obtain better security or reliability, of which fading channels are a special case). In that case, we will restate this theorem in a more suitable form (see Corollary 3).
Given any wiretap channel, Theorem 2(1) says all one needs to do is calculate , and then use of the wiretap scheme will guarantee that rates are achievable with semantic security. However, finding this limit is probably not feasible. For fixed , the -smooth max-information is essentially an -dimensional integral where each point of the integrand is a maximization over a set with roughly elements. This problem is exponentially hard unless one can exactly characterize the "regions" of the integrand that have the same maximum. Characterizing these regions is an interesting line of future work, but we do not explore it further here.
Luckily, we do not need to calculate exactly: Theorem 2(2) says an upper bound on this limit suffices. We will primarily use this result for the remainder of this paper due to its tractability. In the forthcoming sections we will see that it still yields surprisingly favorable results.
The leakage bound in Theorem 2(2) can be thought of as a parameter of the eavesdropper's channel. Moreover, it can be thought of as the loss we incur when converting an ECC into a semantically secure wiretap code by our procedure: given an ECC of rate , our procedure converts that ECC into a semantically secure wiretap code of rate .
Theorem 2(3) says that in order to control the speed at which the semantic leakage diminishes with , we only need to control the speed at which diminishes with , where we recall that is a parameter controlling how much of the total space (with respect to probability) we are considering. We note that when we are always considering the entire space for every , so the condition of Theorem 2(3) is trivially satisfied and we have exceptional semantic security. We will not pursue such an approach in this paper as the case is much more manageable. However, in all of our applications, will be exponentially diminishing with , so that we will get exceptional semantic security.
Recall that is the point-to-point channel capacity of Alice and Bob's channel and is the point-to-point channel capacity of Alice and Eve's channel. The following is a special case of Theorem 2(2).
Corollary 2.
If , as , and we pick a reliable deterministic ECC with rate arbitrarily close to then
[TABLE]
with semantic security.
This corollary is particularly satisfying considering that many channels have their weak secrecy capacity given by . Thus in those cases, if we can satisfy the conditions of Corollary 2, we can achieve the secrecy capacity using our wiretap scheme and, moreover, we have immediately proven that the semantic secrecy capacity equals the weak secrecy capacity by using 1, a result not known in general.
IV-C Summary of Wiretap Coding Scheme
Let us end this section by summarizing what we have shown for our wiretap scheme so far and explain how this can be applied in practice and in theory.
Our wiretap scheme outlined precisely in Section III is a combination of a pre/post processor based on an SS-UHF together with a reliable ECC scheme. We constructed a concrete and efficient SS-UHF in Section III and showed that it did not affect the reliability of the ECC scheme. Hence, since we always assume the ECC scheme is chosen to be reliable, our entire wiretap scheme is always reliable. Moreover, when the ECC is exceptionally reliable the entire scheme is also exceptionally reliable.
In this section, we showed that over a truly arbitrary wiretap channel, our wiretap scheme's semantic leakage can be bounded using Theorem 1 or Corollary 1. Moreover, if the threshold probability of our space (a parameter designed solely to aid the proof) is chosen so that as , then Theorem 2 gives us a precise characterization of when our wiretap coding scheme is semantically secure over any wiretap channel.
To this end, we find it beneficial to outline the steps one shall take in applying our wiretap scheme to a wiretap channel of their choice.
Procedure 1.
The following is the general procedure one should take when using our wiretap scheme over an arbitrary wiretap channel .
1. Find which achievable rates are supported on .
   - For each , construct a -typical set where as .
     - Preferably, construct so that is exponentially diminishing to 0, so that we induce exceptional semantic security.
   - Find an upper bound such that
     [TABLE]
     - Ideally, one should find the smallest possible so as to guarantee higher achievable rates.
     - One could also compute directly as mentioned previously, but currently this is seemingly intractable.
2. Choose operating point .
   - We can achieve all rates $R_s < (R_{\mathcal{C}} - \xi)^+$ with semantic security (Theorem 2(2)).
     - We must choose in order to have positive secrecy rates using our wiretap scheme over . If this is not possible, then either was chosen poorly or the channel does not allow a positive semantic secrecy rate with our wiretap scheme.
3. Build the wiretap coding scheme .
   - Find a reliable ECC scheme of rate for use over the main point-to-point channel.
     - Preferably, choose to be: concrete, so that the entire wiretap scheme is concrete; efficient, so that the entire wiretap scheme is efficient; and exceptionally reliable, so that the entire wiretap scheme is exceptionally reliable.
   - Use the finite-field SS-UHF of Proposition 1 as the pre/post processor of this wiretap scheme.
     - One could use any SS-UHF in practice, but it is preferable to use one like ours that is concrete and efficient.
Remark.
Note that if is exponentially diminishing to 0 and is chosen exceptionally reliable then is an outstanding wiretap scheme.
V Applications I
In this section, we show how to actually use Procedure 1. We apply it to both the discrete memoryless wiretap channel (DMWC) and the memoryless additive white Gaussian noise wiretap channel (AWGN). In particular, on the AWGN and on symmetric, degraded DMWCs, we achieve the semantic secrecy capacity. Lastly, we explain how our scheme can be applied in theory in the finite regime, i.e. we explain results for finite .
Before we begin, we will write max-information in a more convenient form. This is both so that we can use the supporting results of [8], but also because this alternative form will have a better interpretation here.
Lemma 2.
The -smooth max-information can alternatively be written as the infimum of
[TABLE]
over all -typical sets .
Proof.
See Appendix D. ∎
V-A Semantic security on a DMWC
For our first application of Theorem 2 and Procedure 1, we consider DMWCs. This is the case when both the intended receiver's channel and the eavesdropper's channel are given by distinct point-to-point discrete memoryless channels (DMC). We represent the input signal by the discrete random variable , Bob's output signal by the discrete random variable , and Eve's output signal by the discrete random variable .
Fact 3.
(cf. [29]) The point-to-point capacity of a DMC with input and output is given as
[TABLE]
In particular we denote and . As described in Procedure 1, in order to characterize a set of semantically secure rates, we need to asymptotically bound the max-information per channel symbol of Eve's channel. The following lemma provides this bound.
Lemma 3.
Using a reliable ECC scheme , the max-information per channel symbol of the DMC is asymptotically bounded as
[TABLE]
where is exponentially decreasing to 0 with .
Proof.
Using Lemma 2 (where is the counting measure) we can write
[TABLE]
for any -typical set .
Luckily, [8, Lemma 5] proved a bound on this right hand term for the same modular pre/post processing scheme less our uniform requirement. Thus, by their result we immediately have that there exists a constant such that for :
[TABLE]
where is a term diminishing to 0 as . This completes the claim asymptotically with . ∎
With this bound we can apply Theorem 2(2) immediately to describe the semantically secure rates our wiretap scheme can achieve. However, in certain cases we can achieve the secrecy capacity (with semantic security), i.e. the best possible semantically secure rate. In order to describe this, let us recall the following fact.
Fact 4.
[30] The secrecy capacity of a DMWC where the eavesdropper's channel is noisier than the main channel and both channels are weakly symmetric is given by
[TABLE]
With this fact, we can state our main result of this subsection, a characterization of semantically secure achievable rates for the DMWC. Note that this result was already proven in [5] and [6], but we restate this here to show the efficacy of our proposed wiretap coding scheme and the fact that our proof differs significantly.
Theorem 3.
(1) On any DMWC, our wiretap scheme can achieve all secure rates
[TABLE]
with exceptional semantic security (recall that exceptional here means that the semantic leakage diminishes to 0 exponentially fast with ).
(2) On a DMWC where both channels are weakly symmetric and the eavesdropper's channel is noisier than the main channel, we can achieve the secrecy capacity under exceptional semantic security when achieves the main channel capacity .
Proof.
This follows from Theorem 2(2) and Corollary 2 combined with Lemma 3 and Fact 4. ∎
The first part of this theorem emphasizes that our wiretap scheme acts as a converter. If we input an ECC scheme for the DMC of rate , then our procedure converts that ECC scheme into an exceptionally semantically secure wiretap code for a DMWC of rate .
The second part of this theorem says that on degraded symmetric DMWCs, our conversion respects the optimality of rates. Specifically, given an optimal ECC scheme, i.e. an ECC scheme achieving the point-to-point main channel capacity, our procedure converts this ECC scheme into an exceptionally semantically secure wiretap code of optimal rate, i.e. a wiretap scheme achieving the secrecy capacity.
With this, we again emphasize that our conversion is concrete and efficient. Thus, if the ECC scheme is such, so is the entire wiretap scheme. Moreover, if the ECC scheme is exceptionally reliable, the wiretap scheme is outstanding (recall the definition of an outstanding wiretap coding scheme from Section II-D).
V-B Semantic security for AWGN wiretap channels
We consider now the additive white Gaussian noise (AWGN) memoryless wiretap channel where both the intended receiver’s channel and eavesdropper’s channel are given by distinct AWGN memoryless channels. We represent the input signal by the real random variable (where we suppose it satisfies the average power constraint ) and the additive white Gaussian noise by the real random variable . The channels and can be described by their outputs given respectively as
[TABLE]
The random variables and are assumed mutually independent and sampled i.i.d. according to and respectively.
Fact 5.
(cf. [29]) The capacity of an AWGN channel with average input power constraint and additive noise variance is given by
[TABLE]
In particular, this means the capacity of the intended receiver’s point-to-point channel is given by and the capacity of the eavesdropper’s point-to-point channel is given by .
The goal of this subsection is to describe the semantically secure rates that our wiretap scheme can achieve. Using Procedure 1 we already have a prescription for how to do this: bound the max-information per channel symbol.
Lemma 4.
Using a reliable ECC scheme , the max-information per channel symbol of an AWGN eavesdropper channel is asymptotically bounded as
[TABLE]
where is exponentially decreasing to 0 with .
Proof.
Using Lemma 2 (where is the Lebesgue measure) we can write
[TABLE]
for any -typical set .
Again, [8, Lemma 6] proved a bound on this right hand term for the same modular pre/post processing scheme less our uniform requirement. Thus, by their result we immediately have the following bound for every small:
[TABLE]
Here and is a term diminishing to 0 as .
Since this holds for every this completes the claim asymptotically with . ∎
Remark.
A reworked proof of [8, Lemma 6] can be found in our Appendix D (Lemma D1). We feel it is worthwhile to see the proof of this statement for the AWGN wiretap channel, since later (specifically in 5 and 6), we prove a more complicated analogous result for the No-CSIT and partial CSIT wiretap channels.
Again, now that we have this bound in hand, we can apply Theorem 2(2) to describe the semantically secure rates our wiretap scheme can achieve. However, we notice that we can actually achieve the best possible rates after considering the following fact.
Fact 6.
[31] On an AWGN wiretap channel , the weak secrecy capacity is given as:
[TABLE]
Remark.
This fact can be upgraded to strong secrecy using the usual technique (cf. [17]). Only recently was this fact upgraded to semantic secrecy [9].
Using this fact, we have the following main result of this subsection.
Theorem 4.
(1) On an AWGN wiretap channel, our wiretap scheme can achieve all secure rates
[TABLE]
with exceptional semantic security as long as .
(2) In particular, when achieves the main channel capacity , our wiretap scheme achieves the secrecy capacity under exceptional semantic security.
Proof.
This follows from Theorem 2(2) and Corollary 2 combined with Lemma 4 and Fact 6. ∎
Remark.
Independently of [9], Theorem 4(2) shows that the semantic secrecy capacity is equivalent to the weak secrecy capacity for the AWGN wiretap channel using Procedure 1.
Note that is exceptionally semantically secure, so that if is also chosen to be exceptionally reliable, then our entire wiretap coding scheme is outstanding (again, recall the definition of an outstanding wiretap coding scheme from Section II-D).
Indeed, an ECC scheme is given in [32] that is concrete, reliable, and has quadratic time complexity with respect to block length in both encoding and decoding. Moreover, its probability of error decreases exponentially to 0, so it is exceptionally reliable. Thus using this particular ECC scheme with our SS-UHF implementation given in Proposition 1 gives an end-to-end wiretap coding scheme for the AWGN wiretap channel that is concrete, efficient, outstanding, semantically secure, and can achieve the secrecy capacity.
Note that the wiretap scheme used in [9] has every one of these properties as well. However, their wiretap coding scheme is based on polar lattices and is not modular. In contrast, our scheme is modular: the exact same pre/post processor used here (that is, the SS-UHF of Proposition 1) can be used on any channel (discrete or continuous); one just needs to find a reliable ECC scheme for the given point-to-point channel.
V-C Finite Analysis
Thus far we have focused exclusively on asymptotic analysis of our wiretap scheme. Despite this, Theorem 1 gives an extremely useful bound on security and rates in the finite regime, that is, for a fixed finite coding blocklength . We do not pursue this line any further here, but for an interesting look into finite block length analysis see the result of Yang, Schaefer, and Poor [33], which also uses a UHF-based scheme to derive upper and lower bounds on the achievable rates in the finite regime.
VI Applications II - Fading
In this section, we will consider further applications of Theorem 2 and Procedure 1, specifically to fading wiretap channels. Fading wiretap channels are the prototypical physical-layer security models of wireless communication.
It is standard to assume some feedback of channel state information to Alice that will help her deduce the current fade and increase her overall secure transmission rate. In this sense it is obvious that fading wiretap channels are only a particular instance of a much more general case of wiretap channels: wiretap channels with side information. Side information is any information in the form of a random variable available to Alice before transmission that may be advantageous. In this way, it may help her induce more reliability or security, which in turn may help her ascertain a higher secure achievable rate. Hence, by studying wiretap channels with side information, we are inherently considering fading wiretap channels by inclusion.
To study wiretap channels with side information we will first need to manipulate the language we have introduced thus far. Let represent the pieces of side information that may be advantageous to the transmitter. Because we always deal in the worst case for security, it is necessary to assume that the eavesdropper also knows , thus we will need to convert the previously defined security metrics in the obvious way to account for this. However, as is a common trick in fading, we can consider the entire tuple to be the eavesdropper’s output instead of only as before. Thus, for wiretap channels with side information, the semantic security metric has its leakage given by .
With this trick, we can also consider our main result, 2, redone for side information, however, we will only need part 2 and part 3 of that theorem.
Corollary 3 (2 redux).
Using with a reliable deterministic ECC on any wiretap channel , if is chosen such that as we have the following.
- If then (as a reminder, )
[TABLE]
using semantic security.
- If is exponentially diminishing to 0 with , then for any secure rates above, is exceptionally semantically secure. In particular, if is exceptionally reliable, then is an outstanding semantically secure wiretap scheme.
Remark.
- We call this a corollary due to the numerous references hereafter; however, it is in itself just 2 in the case where side information is present.
- Recall that is defined as the infimum of over all -typical sets . To be precise, we note that now .
It will be beneficial in the sequel to characterize in the following way.
Lemma 5.
Let be a random variable over and be some side information. If then
[TABLE]
Proof.
See Appendix F. ∎
Remark.
Indeed seems to be a restrictive assumption, however, it is not, as the forthcoming proofs will make clear.
Until this point, we have been general with respect to side information. We really do allow any extra information available to the transmitter that could be used to aide in a higher secure rate. However, we will now be focusing on fading wiretap channels, that is, when side information is a tuple of fading coefficients.
VI-A Fading Preliminaries
The general channel model used to model wireless communication environments is that of the fading channel, where the output signal is an attenuation of the input signal layered with additive white Gaussian noise. The attenuation, input, and noise are represented using the complex random variables , , and respectively. The output of this channel at time is then given as
[TABLE]
where , , and . Here, is a circularly-symmetric normal distribution with zero mean and variance . We shall refer to the random variable representing attenuation, , as the channel coefficient.
For the purposes of this paper, we will only be considering fast fading channels, that is, the fading coefficient is sampled i.i.d. for each use of the channel (cf. [34]). In particular, we will consider the case of fast fading wiretap channels, i.e., channels and are both taken to be fast fading channels. More specifically, during the -th symbol of the codeword, the output at Bob from channel and the output at Eve from channel are given respectively by
[TABLE]
where and are i.i.d. and additive noise respectively, is subject to the power constraint , and the coefficients are also i.i.d. and for all . For technical reasons we assume that the second order moment of exists, i.e., . We note that this is not a very limiting constraint since it can be interpreted as the channel having an attenuation with finite energy. Apart from this, we do not assume which distribution the channel coefficients follow so as to remain as general as possible. Note that this is in contrast to much of the fast fading literature that a priori assumes a distribution on both and .
Achievability results for fading channels depend on which parties have instantaneous access to the realizations of and , or rather, which parties have full channel state information. If a party only has access to the statistics of or we say that party has no channel state information.
Fact 7.
On a complex fast fading channel, if the receiver has full channel state information (CSIR) then the channel can be decomposed into two real parallel channels.
Proof.
See Appendix F for the usual proof. ∎
For the remainder of this paper, we will assume both the intended receiver and the eavesdropper have full channel state information (CSIR) about their respective channels. In particular, this means that we will only be considering the real fast fading channels given at time as and due to 7. Since carrying around the modulus on the channel coefficients is cumbersome, we shall simply write and for the remainder of the paper where it will be clear that both are non-negative real random variables instead of complex as previously mentioned. An illustration of our setup is given in Figure 2.
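The decomposition behind Fact 7, as an added Python example (not code from the paper): a receiver that knows the complex coefficient multiplies its output by the unit-modulus factor conj(h)/|h|, which turns the signal gain into the non-negative real number |h| while leaving the noise circularly symmetric with the same variance, so the real and imaginary parts of the rotated output are two real parallel channels with noise variance σ²/2 each. The noise variance, the sample coefficient and the Monte Carlo sample size below are constructed for the example.

```python
import math
import random


def complex_gaussian(rng, sigma2):
    """Circularly symmetric complex normal sample CN(0, sigma2): each real
    component is N(0, sigma2 / 2). Constructed noise for the example."""
    sd = math.sqrt(sigma2 / 2)
    return complex(rng.gauss(0, sd), rng.gauss(0, sd))


def fading_channel(h, x, w):
    """One use of the complex fast fading channel: y = h * x + w."""
    return h * x + w


def rotate_with_csir(h, v):
    """Receiver-side phase compensation: with CSIR the receiver knows h and
    multiplies by conj(h) / |h|, a pure rotation of the complex plane."""
    return v * (h.conjugate() / abs(h))


def real_parallel_channels(h, x, w):
    """Split one complex channel use into two real channel uses with gain |h|.
    Returns ((gain, x_re, w_re, y_re), (gain, x_im, w_im, y_im))."""
    y = rotate_with_csir(h, fading_channel(h, x, w))
    w_rot = rotate_with_csir(h, w)  # rotated noise; a rotation of CN(0, s2) is still CN(0, s2)
    g = abs(h)
    return ((g, x.real, w_rot.real, y.real), (g, x.imag, w_rot.imag, y.imag))


def channel_identity_error(h, x, w):
    """Largest deviation of y_c - (|h| * x_c + w_c) over the two real channels;
    it is zero up to floating point, which is exactly the decomposition."""
    return max(abs(yc - (g * xc + wc)) for (g, xc, wc, yc) in real_parallel_channels(h, x, w))


def rotated_noise_variances(n, sigma2, h, seed=7):
    """Monte Carlo check that the rotated noise keeps variance sigma2 / 2 in each
    real component (constructed sample; h is held fixed for clarity)."""
    rng = random.Random(seed)
    re, im = [], []
    for _ in range(n):
        w_rot = rotate_with_csir(h, complex_gaussian(rng, sigma2))
        re.append(w_rot.real)
        im.append(w_rot.imag)

    def var(xs):  # zero-mean variance estimate
        return sum(v * v for v in xs) / len(xs)

    return var(re), var(im)
```

The rotation is the only step that needs CSIR; without knowledge of h the receiver cannot undo the phase and the two real components would not separate cleanly.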
Thus far, we have made no assumptions as to what information the transmitter has about the channel coefficients and . We shall notate full channel state information at the transmitter by CSIT and will focus on three separate cases. The first case we will consider is No-CSIT where the transmitter has knowledge only of the main channel and eavesdropper channel statistics. Next we will consider partial CSIT, where the transmitter has instantaneous knowledge of the main channel’s realizations of at each time but no knowledge of the eavesdropper’s instantaneous channel coefficient - only its statistics. Finally, we will consider full CSIT, where the transmitter has instantaneous knowledge of both the main channel’s and eavesdropper channel’s realizations of and respectively.
For each of these scenarios, we wish to characterize a set of achievable secure rates. To do so, we utilize 3 with Lemma 5 where we take the side information to be .
VI-B Fading: No-CSIT
The case of No-CSIT, where the transmitter knows only the channel statistics of both the main and eavesdropper channels, is arguably the most realistic scenario of a modern wireless communication environment. It requires no special real-time feedback implementation for the main channel and assumes that the eavesdropper is purely a malicious party (although still passive). Under this assumption, in this subsection we give a set of semantically secure achievable rates for the fast fading wiretap channel. To the best of the authors’ knowledge, this is the first time semantic security has been characterized on the fast fading wiretap channel with No-CSIT in general. To do so, we find an asymptotic upper bound, , to the leakage max-information per channel symbol, i.e., , for any choice of code so as to use 3 and 1. In particular, we will be focused on , where denotes the point-to-point channel capacity of the eavesdropper’s channel.
We start by first simplifying the expression for max-information of Lemma 5 in the case of No-CSIT.
Lemma 6.
On the No-CSIT real fast fading channel, max-information can be simplified as
[TABLE]
where is a random variable over .
Proof.
See Appendix F. ∎
With codeword power constraint and noise variance , we note the following fact.
Fact 8 ([34]).
The point-to-point capacity of a real fast fading channel with No-CSIT is given by
[TABLE]
where is the random variable representing the channel coefficient.
To this end, our goal for the remainder of this section will be to show
[TABLE]
such that denotes the eavesdropper’s average signal to noise ratio . In particular, we need to show the above holds for some -typical set such that is exponentially decreasing to 0 as .
We begin by constructing such a set and showing that it is typical in an exponential fashion with respect to . The set is made up of three constituent sets; one each concerning the output power, noise power, and eavesdropper channel coefficient power.
We define the following sets for small (motivation for defining these typical sets is based on a sphere packing argument and can be found in Appendix E):
- as the set of tuples such that
[TABLE]
- as the set of that satisfy
[TABLE]
given a fixed and ,
- as the set of that satisfy
[TABLE]
Intuitively, corresponds to the set of eavesdropper output powers and channel coefficients most likely to occur in conjunction. corresponds to the least amount of noise added to during transmission. corresponds to the set of eavesdropper channel coefficients that we expect to occur and is needed for technical reasons. The following lemma proves that events from each of these sets occur with sufficiently high probability.
Lemma 7.
Consider the constant ( is a parameter of the channel defined in Appendix G, 12).
1. Let . For any ,
[TABLE]
2. Let . For any and ,
[TABLE]
3. Let . Then,
[TABLE]
Proof.
See Appendix G. ∎
We now use the sets constructed above to create our typical set. Define each of the following sets:
[TABLE]
We can think of each of these three sets as the expansion set that corresponds to each of the previous three sets , , and but lives in the space , the tuple of all codewords, eavesdropper channel coefficients, and eavesdropper outputs.
We now take the intersection of these sets to construct one final set
[TABLE]
The following lemma shows that the tuple of main channel coefficients and the previous set, , is typical for any . The main channel coefficients must be taken into account as well since we are on a fast fading wiretap channel but we will see shortly that in the case of No-CSIT, it plays little part.
Lemma 8.
Let then
[TABLE]
for any . That is, is a -typical set where is exponentially decreasing to 0 as .
Proof.
See Appendix G. ∎
With our typical set in hand, we are ready to prove the main result of this section and determine a characterization for semantically secure achievable rates for the fast fading wiretap channel with No-CSIT.
Theorem 5.
Consider the fast fading wiretap channel with No-CSIT and let and be defined as in Lemma 8. It follows that:
[TABLE]
Proof.
See Appendix G. ∎
The following corollary then tells us what semantically secure rates we can achieve given this bound.
Corollary 4.
The wiretap coding scheme of Section III can achieve an overall semantic secrecy rate of on the No-CSIT fast fading wiretap channel when and is chosen arbitrarily close to .
Proof.
We can combine the previous theorem with 3 and note that can be chosen in such a way that exponentially as . ∎
Note that to the best of the authors’ knowledge, this is the best semantically secure achievable rate on a No-CSIT fast fading wiretap channel to date. Going further, we actually have achieved the secrecy capacity for a specific class of wiretap channels.
Fact 9 ([14]).
The weak secrecy capacity of a stochastically degraded fast fading wiretap channel with No-CSIT is given by
[TABLE]
Immediately this fact with the previous corollary implies that we can achieve the secrecy capacity with our wiretap coding scheme of Section III on stochastically degraded fast fading channels with No-CSIT.
Corollary 5.
Using the wiretap coding scheme of Section III on any fast fading stochastically degraded wiretap channel with No-CSIT we have the following:
1. It is possible to achieve the semantic secrecy capacity.
2. $C_{s}\big|_{\text{weak}} = C_{s}\big|_{\text{semantic}}$.
VI-C Fading: Partial CSIT
We now turn to the case of partial CSIT, where the transmitter has access to full CSI about the main channel but knows only the statistics of Eve’s channel. Our goal in this subsection is the same as in the previous subsection - we wish to characterize a set of semantically secure rates for the wiretap channel at hand and we use 3 to do so.
Since the transmitter has access to CSI about the main channel, every party can demultiplex the fast fading wiretap channel into a set of parallel channels by partitioning the channel coefficients of the main channel into intervals as done in [17, 35]. Each parallel wiretap channel is then composed of a time-invariant, constant gain Gaussian main channel with a fast fading eavesdropper channel characterized by as depicted in Figure 3.
More specifically, we assume the fading gain of the main channel is bounded as usual and divide the possible realizations of into intervals with . Let
[TABLE]
Let be the random variable representing the number of times channel is actually used, i.e., the number of times belongs to the -th interval over all channel uses. Let be a real number, where is chosen sufficiently large so that is greater than with high probability and as . In short, represents the number of times we plan on the channel coefficients being realized in the -th interval, whereas the realization of is how many times the channel coefficients actually do occur in the -th interval. For every index , the transmitter and legitimate receiver will publicly agree on a transmit power where is chosen such that
[TABLE]
For , the transmitter and legitimate receiver also publicly agree upon an ECC (with codebook ) designed to operate on the Gaussian point-to-point channel with constant channel gain . We denote by the rate of and the overall rate over the main channel to be
[TABLE]
The full coding scheme is then outlined as follows: a message is chosen which passes through the preprocessing layer to produce an -length pseudo-message . These bits are then divided into sets of bits such that
[TABLE]
A codeword is then generated for each of these sets by their respective and the multiplexing strategy outlined in [17, 35] is then employed to transmit the th codeword when the channel state is in the th interval. In more detail, at each time instant the multiplexer will determine what the channel state is and send one symbol from the codeword associated with that channel gain.
The reliability of this scheme comes from the aggregate reliability of all the ECCs being employed on the parallel channels and the fact that we are choosing with high probability. Since we are assuming an ECC is chosen to be reliable over the th point-to-point main channel, we know that the probability of error will be negligible:
[TABLE]
In other words, the receiver will be able to recover each -length codeword with high probability. Thus the probability of error for the entire -length transmission is just probability of error for each individual -length codeword weighted by the probability that that code is used:
[TABLE]
since grows with . Now that this scheme has been shown to be reliable, we now address its security.
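The multiplexing procedure just described, as an added Python example that is not code from the paper or from [17, 35]: the main-channel gain range is cut into intervals, one codeword per interval is planned with a margin so that the planned length n_i exceeds the actual usage N_i with high probability, the transmitter (which knows the main-channel gain) sends the next symbol of the codeword tied to the current interval, and the receiver (CSIR) routes each received symbol back to its parallel channel. The interval edges, the uniform bounded gain model used in the Monte Carlo run, and the (1 + delta) rule for choosing n_i are assumptions made for the example; the per-subchannel rate uses Shannon's formula for a constant-gain real Gaussian channel.

```python
import math
import random


def interval_index(gain, edges):
    """Index i of the interval [edges[i], edges[i+1]) containing the main-channel
    gain; the top interval is closed so a gain equal to the bound maps into it."""
    for i in range(len(edges) - 2):
        if gain < edges[i + 1]:
            return i
    return len(edges) - 2


def plan_lengths(probs, n, delta):
    """Planned per-interval codeword lengths n_i. Assumption for the example:
    n_i = ceil((1 + delta) * n * p_i), so n_i / n -> (1 + delta) p_i and, by the
    law of large numbers, N_i <= n_i with high probability for any delta > 0."""
    return [math.ceil((1 + delta) * n * p) for p in probs]


def multiplex(gains, codewords, edges):
    """Transmitter with main-channel CSIT: at each time send the next unused symbol
    of the codeword tied to the current gain interval. Returns (stream, usage N_i);
    stream is None when a codeword is exhausted, i.e. N_i > n_i, the rare event
    the margin delta guards against."""
    used = [0] * len(codewords)
    stream = []
    for g in gains:
        i = interval_index(g, edges)
        if used[i] == len(codewords[i]):
            return None, used
        stream.append(codewords[i][used[i]])
        used[i] += 1
    return stream, used


def demultiplex(stream, gains, edges, num_intervals):
    """Receiver with CSIR: route each received symbol back to the parallel channel
    it belongs to, recovering the first N_i symbols of each codeword in order."""
    parts = [[] for _ in range(num_intervals)]
    for y, g in zip(stream, gains):
        parts[interval_index(g, edges)].append(y)
    return parts


def awgn_rate(gain, power, sigma2):
    """Capacity in bits per real symbol of the constant-gain Gaussian subchannel
    y = gain * x + noise with input power `power` (Shannon's formula)."""
    return 0.5 * math.log2(1 + gain * gain * power / sigma2)


def overall_rate(lengths, rates, n):
    """Overall main-channel rate: sum_i (n_i / n) * R_i."""
    return sum(n_i * r_i for n_i, r_i in zip(lengths, rates)) / n


def outage_probability(edges, probs, n, delta, trials, seed=1):
    """Monte Carlo estimate of Pr[some N_i > n_i]. Constructed fading model: the
    gain is uniform on [edges[0], edges[-1]), so p_i is proportional to interval
    width (the paper itself assumes no particular gain distribution)."""
    rng = random.Random(seed)
    lengths = plan_lengths(probs, n, delta)
    outages = 0
    for _ in range(trials):
        counts = [0] * len(probs)
        for _t in range(n):
            counts[interval_index(rng.uniform(edges[0], edges[-1]), edges)] += 1
        if any(c > l for c, l in zip(counts, lengths)):
            outages += 1
    return outages / trials
```

Because the receiver sees every coefficient, it never needs to know n_i in advance; the margin only matters on the transmit side, where an exhausted codeword is the error event that the choice of delta drives to negligible probability as n grows.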
We wish to asymptotically bound of this fast fading channel by considering the set of parallel wiretap channels outlined above and each of their individual associated max-information terms for which we already know the bound found in 5. This is due to the fact that 5 did not impose any restrictions on the main channel distribution, it only required Eve’s channel to be given arbitrarily as . Thus having a constant gain main channel and no CSIT of Eve’s channel is a special case of No-CSIT. The only way this differs from that of Section VI-B is that in the case of No-CSIT, we are not allowed to vary the power we are transmitting at due to our lack of knowledge of instantaneous CSIT, whereas in the case of partial CSIT, we can vary our power to align with what the current main channel gain is.
Similarly to the case of No-CSIT, we wish to create a typical set which will contain enough content about our space of inputs, outputs, and channel coefficients. We accomplish this by creating typical sets for each of the subchannels and taking the Cartesian product of these to generate the typical set for the entire wiretap channel.
Define the following sets:
[TABLE]
where is defined in Section VI-B.
Lemma 9.
as defined above is a typical set where is exponentially decreasing with .
Proof.
See Appendix H. ∎
With the typical set in hand, we now aim to find an asymptotic bound for the average max-information for the entire uses of the wiretap channel .
Theorem 6.
Consider a fast fading wiretap channel where the transmitter has partial CSIT with and as defined in Lemma 9. Using the multiplexing scheme above, it follows that:
[TABLE]
Proof.
See Appendix H. ∎
Now that we have found , 3 immediately tells us that by using the SS-UHF based preprocessing scheme we can achieve any positive rate, , with semantic security satisfying
[TABLE]
Let’s see how this compares to previous results.
Fact 10 ([12, 17]).
For the fast fading wiretap channel where the CSI of the main channel but not the CSI of the eavesdropper channel is known at the transmitter, all rates such that
[TABLE]
where obeys the constraint are achievable secrecy rates under the strong (and weak) secrecy metric.
To the extent of the authors’ knowledge, the secure achievable rates given in 10 have never been extended to semantic security. However, the next corollary remedies this.
Corollary 6.
The wiretap coding scheme of Section III can achieve all rates given in 10 with semantic security on the partial CSIT fast fading wiretap channel when the rate of the ECC, , is taken arbitrarily close to
[TABLE]
for any power allocation . Moreover, these rates are achieved with exceptional semantic security.
Proof.
The result follows immediately after combining 3 with 6 and noting that there does exist some ECC which can achieve this rate due to the fact that the above expression is less than or equal to the point-to-point capacity of the fast fading channel. ∎
VI-D Fading: Full CSIT
In this subsection, we shall assume full CSIT; that is, we assume the transmitter knows instantaneously the realizations at time instance of both the main and eavesdropper channel coefficients. The strategy used to find a set of semantically secure rates in this scenario is almost identical to that used in Section VI-C thus we omit most of the redundant explanations and proofs here. We now demultiplex the wiretap channel into parallel constant gain Gaussian wiretap channels determined by the channel coefficients of both channel and channel . Since each of the parallel wiretap channels are now Gaussian wiretap channels, we no longer use the bounds found in 5, but rather use the bounds from Lemma 4 to bound the max-information of each of the parallel wiretap channels.
As before, we define a typical set for this channel as the Cartesian product of simpler sets:
[TABLE]
Note that and are defined in Section VI-B. The following lemma, which is analogous to Lemma 9 from Section VI-C, shows that is a typical set.
Lemma 10.
as defined above is a typical set where is exponentially decreasing with .
Now in an analogous way to 5 and 6, we have the following theorem for the full CSIT scenario.
Theorem 7.
Consider the fast fading wiretap channel with full CSIT at the transmitter with and as defined in Lemma 10. Using the multiplexing scheme above, it follows that:
[TABLE]
Now that we have found the bound , 3 again tells us that by using the SS-UHF based preprocessing scheme we can achieve any positive rate, , with semantic security satisfying
[TABLE]
Once again, let’s see how this compares to previous results.
Fact 11.
With full CSI for both the main channel and the eavesdropper channels available at the transmitter, the strong secrecy capacity of the fast fading wiretap channel is:
[TABLE]
where obeys the power constraint .
This fact was originally given in [10] under the weak security metric but was upgraded to the strong security metric in [11]. However, to the extent of the authors’ knowledge, this result has never been upgraded to semantic security. We provide such a generalization in the next corollary.
Corollary 7.
The semantic secrecy capacity of the fast fading wiretap channel with full CSIT is given by:
[TABLE]
Furthermore, the transmission scheme of Section III can achieve the semantic secrecy capacity of the fast fading wiretap channel with full CSIT exceptionally fast.
Proof.
Let be the power allocation function that maximizes the expression in 11 as found in [10]. Let the rate of the ECC, , be taken arbitrarily close to
[TABLE]
We know by Shannon’s noisy channel coding theorem that some ECC will exist which satisfies this rate due to the above expression being less than or equal to the point-to-point capacity of the main fast fading channel. Since the bound found in 7 holds for any power allocation function , it holds for in particular. In 7 we found an upper bound to the right hand term of the difference in 11, thus invoking 3 we know we can achieve any rate arbitrarily close to the secrecy capacity given in 11. Therefore the semantic secrecy capacity is equal to the weak secrecy capacity by 1 in the case of full CSIT and the given wiretap coding scheme achieves it. ∎
VII Future Work
For wiretap channels that do not fall into the purview of the previously listed channels, one must apply 1 in its entirety. Hopefully however, the proof techniques employed here will help guide those pursuits.
As another interesting line of future work, one may try to find a tighter upper bound to the max-information per channel symbol on the fast fading wiretap channel with No-CSIT. Indeed, we proved the case when (the capacity of the eavesdropper’s point-to-point channel), but perhaps this can be improved by clever power allocation techniques.
VIII Conclusion
The main purpose of this paper has been to amplify the results of physical layer security into a more practical setting. In particular, we have developed a concrete and efficient converter that takes as input an error correcting code and outputs a semantically secure wiretap code. We have addressed five separate wiretap channels that are arguably the most popular in literature and have shown for each which semantically secure rates are achievable.
Acknowledgment
The authors would like to thank Himanshu Tyagi of the Indian Institute of Science and Alexander Vardy of UC San Diego upon whose work this paper is largely motivated.
Appendix A Our Construction is an efficient SS-UHF: Proof of 1 and 2
In this beginning appendix, we will prove that our UHF construction based on finite field arithmetic is an SS-UHF (1) and that it is efficient (2).
Proof of 1.
We will show is universal, uniform, -regular, and evenly invertible.
- Universality: Fix . We wish to count how many satisfy:
[TABLE]
Since is equivalent to bitwise addition, we can distribute and reduce the equation to:
[TABLE]
where is addition over . This reduces even further to , however, this is an equation that does not involve so that indeed, any choice of satisfies the original equation. This equation can be rewritten as
[TABLE]
where we have defined . Now since then . Moreover, by assumption so that for each choice of , the multiplication is a unique element in . Note that since there are elements in with the first bits set to 0, there are choices of that satisfy . In summary, we have choices for and choices for , thus we have choices for that satisfy . However, since so that (noting ) we have proved that is a universal hash family.
- Uniformity: Fix and . We wish to count how many satisfy:
[TABLE]
We can distribute and view this as the equation . For each choice of the first bits of are fixed and the last bits are free; thus there are choices for . Since there are no restrictions at all on , we can choose any of the -length bits strings (excluding ) for . In aggregate there are choices of that satisfy . Noting again that we have proven that our family is uniform.
- Regularity: Fix some , , and . We wish to count how many satisfy:
[TABLE]
As usual, break up this equation to . Since we are working in and , for each choice of the product will be a unique element in . But by the previous equation, the first bits of are fixed at while the last bits are completely free. Hence there will be choices of that satisfy the original equation.
Therefore, is -regular.
- Invertibility: Let , , and . Then,
[TABLE]
Hence, is invertible.
- Even Invertibility: Suppose we are given a , , and . Then is a unique element for every choice of . Since the pseudo-message will be uniform.
In summary, we have proven that is an SS-UHF, thus concluding the proof of 1. ∎
Proof of 2.
First recall that and are functions of the block length .
1. Concatenation has time complexity and thus is linear with : . Addition in operates as bitwise addition (or XOR) and thus the time complexity is also linear with : . Therefore, the operation has linear time complexity. Now inversion and multiplication in is known to be computed in at worst quadratic time in (cf. [36, Chapter 2]). Thus computing the entire inverse is .
2. Using the same arguments as above, the operation can be implemented in quadratic time and addition can be implemented in linear time. Clearly, can be implemented in : linear time with . Thus, the entire post-processing scheme also can be implemented in quadratic time in .
This concludes the proof of 2. ∎
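The counting arguments of the proof of 1 and the multiply-plus-XOR cost structure of the proof of 2, as an added Python example that is not code from the paper. Since the family's definition is not reproduced in this appendix, the example assumes the form the proof text implies: a seed (s, t) with s a nonzero element of GF(2^n) and t any element, h_{s,t}(x) = the first k bits of (s · x) ⊕ t, and the even inverse x = s^{-1} · ((y ‖ r) ⊕ t) for an (n - k)-bit randomizer r. The parameters n = 8, k = 3 and the irreducible polynomial are constructed so that the universality, uniformity, regularity and even-invertibility counts can be checked exhaustively over all (2^n - 1) · 2^n seeds.

```python
# Assumed family (reconstructed from the proof; not the paper's own definition):
#   seed (s, t): s in GF(2^n) \ {0}, t in GF(2^n)
#   h_{s,t}(x) = first k bits of (s * x) XOR t
#   even inverse: x = s^{-1} * ((y || r) XOR t), r an (n - k)-bit randomizer
N, K = 8, 3            # constructed small parameters so exhaustive checks are fast
IRRED = 0x11B          # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
FIELD = 1 << N
SEEDS = [(s, t) for s in range(1, FIELD) for t in range(FIELD)]  # (2^n - 1) * 2^n seeds


def gf_mul(a, b):
    """Carry-less multiplication in GF(2^n) reduced modulo IRRED (O(n) shift-and-add
    steps per call, the quadratic-in-n bit cost the efficiency proof refers to)."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD:
            a ^= IRRED
    return r


def gf_inv(a):
    """Multiplicative inverse a^(2^n - 2) by square-and-multiply; a must be nonzero."""
    result, e = 1, FIELD - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def first_k(v):
    """The first (most significant) k bits of an n-bit string."""
    return v >> (N - K)


def hash_st(s, t, x):
    """h_{s,t}(x): one field multiplication, one XOR, one truncation."""
    return first_k(gf_mul(s, x) ^ t)


def even_inverse(s, t, y, r):
    """Pseudo-message for message y and randomizer r; hash_st(s, t, .) maps it back to y."""
    return gf_mul(gf_inv(s), ((y << (N - K)) | r) ^ t)


def universality_count(x1, x2):
    """Number of seeds on which two distinct inputs collide. Expected value
    2^n * (2^(n-k) - 1): s * (x1 XOR x2) must land on a nonzero element whose first
    k bits are zero, and t plays no role because truncation is linear."""
    return sum(1 for s, t in SEEDS if hash_st(s, t, x1) == hash_st(s, t, x2))


def collision_probability(x1, x2):
    return universality_count(x1, x2) / len(SEEDS)


def uniformity_count(x, y):
    """Number of seeds mapping a fixed x to a fixed y. Expected (2^n - 1) * 2^(n-k):
    every s is allowed and the first k bits of t are then forced."""
    return sum(1 for s, t in SEEDS if hash_st(s, t, x) == y)


def preimage(s, t, y):
    """All x hashing to y under one seed; regularity says there are exactly 2^(n-k)."""
    return {x for x in range(FIELD) if hash_st(s, t, x) == y}


def inverse_image(s, t, y):
    """Pseudo-messages produced by the even inverse over all randomizers r; even
    invertibility says this is exactly the preimage, with one x per r."""
    return {even_inverse(s, t, y, r) for r in range(1 << (N - K))}
```

The exhaustive counts are only feasible because n is tiny; for the block lengths the paper has in mind the same identities hold by the algebra in the proof, and the forward map and its inverse each cost one field multiplication (plus one inversion of the seed, which can be precomputed once per seed) and one XOR.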
Appendix B Security and Rates: Proof of 1 and 2
In this appendix, we will prove the two main statements related to the security and achievable rates of our wiretap coding scheme of Section III. Before we begin, we will need the following lemma. Not only do we use it several times in the proofs of the aforementioned results, but also, this lemma justifies our definition of -mutual information as we required to be uniform there.
Lemma B1.
The pseudo-message is a uniform random variable over the set where , i.e., .
Proof.
We claim that is a uniform random variable over the set . We already argued in Section III that given and , is a uniform random variable over , hence, we simply need to show that . Consider the following string of equalities:
[TABLE]
Justification.
1. Marginal density properties.
2. by assumption.
3. as mentioned in Section III.
4. The term for any and by the uniform property of our SS-UHF. Moreover .
This concludes the proof of Lemma B1. ∎
Proof of 1.
This theorem is the primary tool of this paper. The proof is similar at times to the proof given in [8] (for the analogous result for strong security only) and is a very straightforward application of our SS-UHF to the definition of mutual information. Notwithstanding, the proof is rather long and as a point of convenience we note that the proof ends on page B.
We first need the following fact which follows immediately from the chain rule of mutual information:
[TABLE]
Thus, it is sufficient to bound .
We will split the proof into two parts, and , starting with the case. As mentioned previously, -typical sets are equal to the entire space less a set of measure 0, so that . To show our claim is valid, it is therefore sufficient in the case of to show:
[TABLE]
To begin, suppose has some arbitrary distribution. Since and are finite the definition of conditional mutual information is given by
[TABLE]
where is some measure on .
From the chain rule of mutual information, since by assumption, we have . It then follows that
[TABLE]
Let us now expand each conditional density of the numerator and denominator of the logarithm in Equation 1. Starting with the numerator we have:
[TABLE]
Equation 2 follows from the fact that we can take as an intermediate node and sum over all possible realizations of ; by assumption, since we are given and , then can only be found in where is the even-inverse of . Equation 3 follows from the fact that once given and , the density of is uniform on a set with elements which follows from the fact that our SS-UHF is -regular and evenly invertible.
The expansion of the conditional density in the denominator of the logarithm of Equation 1 is given by:
[TABLE]
Justification.
1. Marginal density property.
2. By assumption, .
3. When is fixed, is a well defined function. Thus, inside the sum over , can map to only a single . Therefore, the indicator is only for a single value of ; namely, when .
We now continue expanding the leakage (Equation 1) using these two conditional densities.
[TABLE]
Justification.
4. We will break with our convention slightly. Here we have written as shorthand for ; analogously for . We will stick with this new convention for the remainder of the proof; i.e. and will be shorthand for densities with respect to .
5. By assumption, .
6. By assumption, .
At this point we can expand the conditional density (from Equation 4) and continue:
[TABLE]
Justification.
7. The entire summand is 0 unless , so we can replace the in the indicator function of the log as such as long as we stick with the convention that as the limit suggests.
8. As in Equation 5, the indicator will filter all but a single ; namely, when .
9. We can break up the logarithm into a subtraction where we change indices of the summation so as not to become confused.
We will now consider each of expressions within the square brackets of Equation 7 separately, starting with the first. The first square bracket can be written (after multiplying by the unit ) as
[TABLE]
Our goal now will be to move the sum over inside of the logarithm via Jensen’s inequality. However, Jensen’s incurs a multiplicative penalty if the weights do not sum to 1. Fortunately, our weights do sum to 1 as shown next. Our preprocessor is an SS-UHF and hence it is uniform. Thus for any we have:
[TABLE]
Thus we can aptly apply Jensen’s inequality (without carrying around any extra factors) and move the preceding term inside of the logarithm at the expense of an inequality. This yields:
[TABLE]
If in Equation 9, it is clear that the indicator will always return 1 regardless of so that the argument of the logarithm becomes
[TABLE]
where we have again used the fact that our preprocessor is a SS-UHF and is hence uniform.
On the contrary, if in Equation 9, the indicator will only return 1 some of the time, and a nice simplification of the expression is not obvious at this time; we will address this in a bit.
Combining these cases together, the entire first square bracket of Equation 7 is less than or equal to:
[TABLE]
Let us now move onto the second square bracket of Equation 7 above. We can write this term as
[TABLE]
where the inequality follows from the log-sum inequality. Now again using the fact that our preprocessor is an SS-UHF and hence uniform we have the formula for any . Using this, the entire second square bracket of Equation 7 becomes less than or equal to
[TABLE]
We are now at a point where each square bracket of Equation 7 is properly simplified. Thus:
[TABLE]
We will now simplify the inside of the logarithm. Consider the first summand given by
[TABLE]
Conditional densities are defined as . By Lemma B1, for every so that . Then by the marginal property of densities, . Moreover, using Bayes theorem and Lemma B1 again we can write
[TABLE]
The term appears both in the numerator and denominator and thus cancels out. Hence the entire first summand of the logarithm in Equation 10 becomes
[TABLE]
Now the second summand of the logarithm of Equation 10 is given by
[TABLE]
Using the same argument as in the preceding paragraph we have and . Again, the term appears in both the numerator and denominator thus canceling each other out. Thus the second summand of the logarithm of Equation 10 simplifies immediately to:
[TABLE]
Now note that
[TABLE]
However,
[TABLE]
where Equation 14 follows immediately from the uniform property of our SS-UHF. From this we also have:
[TABLE]
Thus, combining Equation 13 and Equation 15 together with Equation 12 simplifies the entire second summand of the logarithm in Equation 10 to
[TABLE]
Then it follows, (continuing on from Equation 10):
[TABLE]
Justification.
10. Equation 11 and .
11. Jensen’s inequality on the sum over .
12. Use the bound for all .
13. By Lemma B1, is uniform so that for any and . Also recall .
14. By 2, for any . In particular, here proves the second part of our claim for the case.
With this, we have constructed an upper bound to for an arbitrary message distribution . However, since the bound did not depend on the specific choice of , the bound also holds for . Therefore, we have concluded the case.
Let us move onto the case. Fix some and consider some typical set .
Now consider Equation 6 in the previous string of inequalities written as:
[TABLE]
Inside of the square bracket of Equation 16, and can be considered fixed, and thus, each of the 3 sums over can be considered as a sum over two other sets:
[TABLE]
[TABLE]
where denotes the complement of in .
With this, we can then apply the log-sum inequality to Equation 16 to yield the following:
[TABLE]
Now define by
[TABLE]
so that Equation 16 yields:
[TABLE]
When considering just we can continue where we left off from Equation 6 of the previous proof ( case). In fact, it is not hard to see that almost nothing changes and we end up with
[TABLE]
for .
Now let’s focus on . It follows that:
[TABLE]
Justification.
15. In the numerator of the logarithm, we have used the trivial bound for all .
16. Log-sum inequality.
17. Our preprocessor is a SS-UHF and hence it is uniform.
18. We chose to be a typical set and there are pseudo-messages.
Again, just as in the case, we have provided an upper bound to for an arbitrary message distribution so that the upper bound also holds for . This concludes the case.
Combining both cases, we have for any , :
[TABLE]
Since this inequality was derived using an arbitrary -typical set , we may as well optimize our choice of while keeping fixed so as to obtain the tightest possible bound. With this we have proven the claim of 1. ∎
Proof of 2.
1. Consider 1: we need the right hand side of the inequality to approach [math] as to show our wiretap coding scheme is semantically secure. We have as that and . Since is finite then by the assumption that as . Now if then the first term in the sum on the right hand side of 1 will also go to 0. But this is equivalent to
[TABLE]
If the right hand side is non-positive however, we will instead choose since rates must be non-negative.
2. Consider 1 again. Since by assumption, we can bound the asymptotic leakage as
[TABLE]
At this point we can continue exactly as in part 1).
3. Clearly the first of the two summands on the right hand side of the conclusion of 1 is exponentially decreasing when satisfies the rates given in either (1) or (2) above. Thus, if is exponentially decreasing with , the semantic leakage is exponentially decreasing to 0; i.e. is exceptionally semantically secure. For to be exponentially decreasing, it suffices for to be exponentially decreasing.
This concludes the proof of 2. ∎
Appendix C Removing the assumption of a public seed
In this appendix we shall overview a method that removes the assumption of a public seed without rate/security/reliability loss. This method is called seed recycling and can be found in [5] and [8].
We have seen in 2 that our wiretap coding scheme can provide semantic security for certain achievable rates (provided that we prove a bound on the max-information rate), however, we have assumed hitherto that the seed was publicly available to all parties. This is in strict violation of assumptions on a wiretap channel; that is, all communication must take place over the wiretap channel. In this section, we remove this assumption and transmit the seed over the wiretap channel. We will show asymptotically that no rate, security, or reliability is lost.
As a first attempt to resolve this violation, suppose the seed is transmitted before beginning transmission of an actual message. This is a problem, however, because it leads to information rate loss as follows. Suppose the seed can be transmitted with a probability of error less than some to the intended receiver in channel uses for some constant . Then the transmitter sends message bits of information in another channel uses. Overall, bits of information were transferred in channel uses, thus our overall secure information rate in this case is given asymptotically by
[TABLE]
where is the previous secure achievable rate assuming the seed was public. In other words, the possible asymptotic rates now achievable when sending the seed before message transmission are strictly less than before. Therefore, in this case, the rates achieved using 2 are no longer possible.
As a better attempt to resolve this problem, suppose we use the same seed to send messages using independent instances of the wiretap channel. First we will pick a block-length and, on the first instance of the wiretap channel, we will send the seed over in channel uses, where is chosen so that the seed’s probability of error at the intended receiver is less than or equal to . Pessimistically (from the point of view of the transmitter), we will assume that the eavesdropper always receives a perfect copy of the seed. Now on each of the independent channel instances, we will send a corresponding message using the same scheme as outlined in section III, except using the same seed for each instance. Let be the vector consisting of the messages and let where is the -letter eavesdropper output corresponding to the -th message (also to the -th channel instance).
Consider first the rate of this new procedure. In each of the channel uses, we are sending bits of information. Moreover, we will end up using the channel times for the messages and times for the seed. Overall, the asymptotic secure rate of this new procedure is thus given by
[TABLE]
where is again the previous asymptotic secure achievable rate when the seed was public. Since is a constant, the only way to avoid information rate loss asymptotically is if as .
Consider next the reliability of this new procedure. If each message has probability of error at the intended receiver bounded by , then the probability that M is in error is given in the next lemma.
Lemma C1 (Reliability).
The probability that M is in error is upper bounded by
[TABLE]
Proof.
Let be the event corresponding to the -th message being in error. Then is the event corresponding to at least one of the messages being in error. Hence is the probability of error of M.
Then since each instance of the wiretap channel is independent, we have the following.
[TABLE]
This concludes the proof of Lemma C1. ∎
With this lemma, we see that in order to transmit reliably, we have another constraint on , that is, we must choose so that as .
Consider last the leakage of this new procedure.
Lemma C2 (Security).
For some the following holds:
[TABLE]
Proof.
Let M have an arbitrary distribution . By the chain rule of mutual information,
[TABLE]
Since for each , then . Then by the chain rule of mutual information again, we have,
[TABLE]
Now are mutually independent once we are given , thus by a standard mutual information inequality we have
[TABLE]
We want to maximize over all probability distributions . However, that is equivalent to maximizing over each choice of individually. The above becomes:
[TABLE]
Here represents an instance of the wiretap channel. Choose the channel instance that corresponds to the most leakage leaked to the eavesdropper. The above then becomes
[TABLE]
This concludes the proof of Lemma C2. ∎
This lemma intuitively says that the message leakage of all wiretap channel instances is no more than the number of channel instances multiplied by the leakage over the “worst case” wiretap channel (worst here is with respect to the transmitter). Combining this result with 1 and 1 gives the following proposition.
Proposition 3.
Let be the wiretap channel instance where the transmitter leaks the most information to the eavesdropper. Let be the rate of the ECC and the secure rate of transmission for that wiretap channel instance. It follows that
[TABLE]
With this, just as in 2, we see that if for each , then so long as grows with strictly slower than exponential, the first term will go to 0. Furthermore, must be chosen slow enough so that as .
In summary, with regards to how must grow with we need the following as :
- to guarantee negligible rate loss,
- to guarantee negligible reliability loss,
- must grow slower than exponential in and to guarantee negligible security loss.
It will depend on the specific choice of and in each case in order to properly determine , however, if for example is exponentially diminishing with and diminishes on the order of , then picking on the order of will be sufficient to satisfy all of the previous requirements. Indeed, there is significant flexibility in these three parameters and finding them to satisfy the previous requirements should not be too intrusive.
Intuitively, the previous has a nice interpretation. It says that as long as we keep on adding new independent messages when increasing the block length, we can still achieve the same rate, reliability, and security asymptotically as before when we assumed the seed to be public.
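As an added illustration (not the paper’s code) of the Appendix C accounting, the following Python evaluates the amortised secure rate, the Lemma C1 reliability bound and the Lemma C2 leakage bound for a growth rule m(n) of the number of recycled messages. The public-seed rate R, the seed cost k·n, the per-message error δ(n) and the worst-instance leakage decay are constructed assumptions.

```python
import math

# Added, constructed illustration of the Appendix C accounting; the growth rules and
# numbers below are assumptions, not values from the paper.

def recycled_rate(rate, k, m):
    """Secure rate when one seed costing k*n channel uses is reused for m messages of n
    channel uses each: m*n*R / (m*n + k*n) = m*R / (m + k); the block length cancels."""
    return m * rate / (m + k)

def one_seed_per_message_rate(rate, k):
    """The first attempt in the text: a fresh seed before every message costs R/(1 + k),
    which is strictly below R whenever k > 0."""
    return rate / (1 + k)

def error_probability_bound(delta, m):
    """Lemma C1: with m independent instances, each message in error with probability at
    most delta, the probability that at least one message fails is at most 1 - (1 - delta)^m,
    and the union bound loosens this to m*delta. Returns (exact_independent, union)."""
    exact = 1.0 - (1.0 - delta) ** m
    return exact, m * delta

def leakage_bound(m, worst_instance_leakage):
    """Lemma C2: leakage about all m messages is at most m times the leakage of the
    worst-case instance (the one the transmitter fears most)."""
    return m * worst_instance_leakage

def seed_recycling_schedule(n, rate, k, m_of_n, delta_of_n, leak_of_n):
    """Evaluate the three requirements of Appendix C at block length n for a growth rule m(n):
    rate loss (needs m -> infinity), reliability loss (needs m*delta -> 0) and security loss
    (needs m times the worst-instance leakage -> 0)."""
    m = m_of_n(n)
    _, union = error_probability_bound(delta_of_n(n), m)
    return {
        "m": m,
        "rate": recycled_rate(rate, k, m),
        "rate_loss": rate - recycled_rate(rate, k, m),
        "error_bound": union,
        "leakage_bound": leakage_bound(m, leak_of_n(n)),
    }

# Constructed parameters (assumptions): public-seed secure rate R, seed cost k*n channel uses,
# an ECC whose per-message error and the per-instance leakage bound both decay exponentially in n.
R_PUBLIC_SEED = 0.5
SEED_COST_K = 2.0

def m_linear(n):
    """m grows linearly with n: slower than exponential, yet unbounded."""
    return n

def m_exponential(n):
    """m grows exponentially with n: the growth the security requirement forbids."""
    return 2 ** (n // 10)

def delta_exponential(n):
    return 2.0 ** (-n / 20)

def leak_exponential(n):
    return 2.0 ** (-n / 20)

def compare_growth_rules(n):
    """Side by side: the admissible linear rule versus the exponential rule at block length n."""
    linear = seed_recycling_schedule(
        n, R_PUBLIC_SEED, SEED_COST_K, m_linear, delta_exponential, leak_exponential)
    exponential = seed_recycling_schedule(
        n, R_PUBLIC_SEED, SEED_COST_K, m_exponential, delta_exponential, leak_exponential)
    return linear, exponential

if __name__ == "__main__":
    for n in (100, 1000, 10000):
        lin, expo = compare_growth_rules(n)
        print(n, lin, "exponential m leaks up to", expo["leakage_bound"])
```

With m(n) = n all three losses vanish as n grows, while with exponential m(n) the leakage bound of Proposition 3 blows up even though the per-instance leakage decays exponentially.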
Appendix D Proofs from Section V
In this appendix we will prove two statements from the first applications section. We first prove Lemma 2, which simplifies the expression of max information. Then we provide a reworked proof of [8, Lemma 6] (Lemma D1) as an aid for our proof of 5 in Appendix G.
Proof of Lemma 2.
Recall that is a random variable over with the same distribution as . By Lemma B1, this means is uniform over . Since has elements then . Now consider the following string of equalities.
[TABLE]
This proves the validity of Lemma 2. ∎
Lemma D1 ([8, Lemma 6]).
Let small. Then for any typical set where , the asymptotic -smooth average max-information of an AWGN eavesdropper channel is bounded by the point-to-point capacity:
[TABLE]
Proof.
Define a set
[TABLE]
Also for each define a set
[TABLE]
Now let be sets defined as and . Then define a set .
It was shown in [8] that is a -typical set using the given . Note that exponentially fast with . With this we have the following.
[TABLE]
Justification.
1. On an AWGN channel, given that was sent, we know that each output is a normal random variable with mean and variance . Since we assume the channel is memoryless, we can split this density simply into a product.
2. We are working on in the integral and thus . Thus, .
3. The indicator function returns either 0 or 1 in the area of interest and 0 elsewhere. Thus, we can simply upper bound the indicator by 1 everywhere inside of .
4. Consider the following equalities:
[TABLE]
5. is clearly a ball in real space of radius . The volume of an ball of radius is given by
[TABLE]
where here is the gamma function (generalized factorial) from analysis.
Taking the logarithm of both sides of the preceding and dividing by yields:
[TABLE]
Fortunately, as . Moreover, our choice of is not restricted and can be made arbitrarily small. This completes the proof of Lemma D1. ∎
Appendix E Sphere Packing Argument for No-CSIT Channels
In this appendix we provide motivation for how we constructed the typical set in the No-CSIT scenario. We provide sphere packing bounds in this case that are analogous to their AWGN counterparts (cf. [29, 34]).
The capacity expression for an additive white Gaussian noise channel (AWGN) is motivated by an intuitive argument called sphere packing. The argument asserts that due to properties of Gaussian random variables, a received output vector should be contained in some small -dimensional ball around the transmitted codeword with high probability. In other words, the noise of the channel will only disturb the input vector by a certain amount (the radius of the small ball) with high probability. Furthermore, all received outputs should be contained in some larger ball with high probability since we are assuming that all the codewords are being transmitted while obeying the power constraint. If we use maximum likelihood decoding, given an output that resides in one of the small balls, the receiver assumes it came from the codeword that generated said ball. Therefore, the maximum number of small spheres we can pack into the larger ball roughly corresponds to how many codewords we can transmit reliably. This technique is called sphere packing since we are attempting to pack the larger ball with smaller spheres. Exact calculation is quite challenging; however, simply dividing the volume of the large ball by the volume of a small sphere gives an upper bound. What is perhaps surprising is that as the block length approaches infinity, this upper bound is actually achievable and is exactly the capacity of the AWGN channel.
We will provide a symmetric argument for the fast fading channel as justification for how and why we choose our typical sets the way we do in the No-CSIT case. Given an input and channel coefficient , we know the output will reside in some small ball about the point with high probability since we assume the noise follows a Gaussian distribution. In fact, such a ball will have radius for small.
In the case of the AWGN channel, the larger ball’s dimensions were derived using the fact that we expect our channel to obey the law of conservation of energy; that is, the maximum output energy should be equal to the summation of the maximum input energy and noise energy. We expect a similar phenomenon to hold on the fast fading channel; however, the input energy will also depend on the channel coefficient realization. During the th symbol transmission, suppose is the realized channel coefficient; then the effective maximum input power is given by so that the effective maximum average output power is given by . Therefore we expect the realization to be less than .
Since is a coordinate of the vector , we should then expect to be found in some volume where each component is bounded by . Because is changing for each use of the channel, each of these bounds will be different. Therefore, in contrast to the AWGN channel where each upper bound was constant with respect to each component, the volume in this case is actually an -dimensional ellipsoid with radii . Thus, if we try to pack as many spheres into this ellipsoid as possible as illustrated in the (2-dimensional) Figure 4, we should come up with the maximum number of codewords we can transmit reliably, i.e., an expression for capacity.
Using the same technique as [29], we simply divide the volume of the ellipsoid by the volume of the small balls. That is, since the volume of an ellipsoid with radii is given by where is the same constant factor used to calculate the volume of an -dimensional ball, it follows that an upper bound to the max number of codewords is given by:
[TABLE]
Since rate is usually defined as the logarithm of the number of codewords normalized by , an upper bound to the max achievable rate is given by:
[TABLE]
where the convergence follows from the law of large numbers.
Since the above characterizations correctly estimated the asymptotic upper bound for the fast fading channel using the same sphere packing argument as in the AWGN case, we are confident moving forward that these bounds will produce sets that are typical in the proper sense.
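As an added example, not the paper’s code, the following Python carries the fast-fading sphere-packing computation above through numerically: the ellipsoid-to-noise-ball volume ratio per dimension, its closed form (1/n)·Σ ½ log2(1 + h_i² P/σ²), the law-of-large-numbers limit, and the n-ball volume term whose per-dimension logarithm settles down as used in Lemma D1. The channel realization (i.i.d. N(0,1) coefficients), P and σ² are constructed assumptions.

```python
import math
import random

# Added, constructed illustration of the sphere-packing bound of Appendix E (and of the
# n-ball volume term of Lemma D1); symbol names below are assumptions, not the paper's.

LOG2 = math.log(2.0)

def log2_ball_volume(n, radius):
    """log2 of the volume of an n-dimensional Euclidean ball, pi^(n/2) r^n / Gamma(n/2 + 1),
    computed in log form via lgamma so that large n does not overflow."""
    return (n / 2) * math.log2(math.pi) - math.lgamma(n / 2 + 1) / LOG2 + n * math.log2(radius)

def log2_ellipsoid_volume(radii):
    """log2 volume of an n-dimensional ellipsoid: the n-ball constant times the product of the radii."""
    n = len(radii)
    return ((n / 2) * math.log2(math.pi) - math.lgamma(n / 2 + 1) / LOG2
            + sum(math.log2(r) for r in radii))

def sphere_packing_rate_bound(h, power, sigma2):
    """Fast-fading sphere packing: the output ellipsoid has radius sqrt(n (sigma2 + h_i^2 P)) along
    coordinate i and the noise ball has radius sqrt(n sigma2); the bound is (1/n) log2 of how many
    noise balls fit, i.e. (1/n) log2 (volume ratio), in bits per channel use."""
    n = len(h)
    radii = [math.sqrt(n * (sigma2 + hi * hi * power)) for hi in h]
    noise_radius = math.sqrt(n * sigma2)
    return (log2_ellipsoid_volume(radii) - log2_ball_volume(n, noise_radius)) / n

def closed_form_rate_bound(h, power, sigma2):
    """The same quantity after the common ball constant cancels:
    (1/n) * sum_i (1/2) log2(1 + h_i^2 P / sigma2)."""
    return sum(0.5 * math.log2(1.0 + hi * hi * power / sigma2) for hi in h) / len(h)

def ergodic_rate_bound(power, sigma2, steps=20000, span=8.0):
    """Law-of-large-numbers limit E[(1/2) log2(1 + H^2 P / sigma2)] for H ~ N(0, 1), evaluated by
    midpoint quadrature over [-span, span] (the Gaussian mass beyond 8 is negligible)."""
    dx = 2 * span / steps
    total = 0.0
    for k in range(steps):
        x = -span + (k + 0.5) * dx
        pdf = math.exp(-0.5 * x * x) / math.sqrt(2 * math.pi)
        total += 0.5 * math.log2(1.0 + x * x * power / sigma2) * pdf * dx
    return total

def gaussian_fading_coefficients(n, seed=1):
    """Constructed channel realization: i.i.d. real N(0, 1) coefficients, one per channel use."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def per_dimension_log2_noise_ball(n, sigma2):
    """(1/n) log2 of the volume of the noise ball of radius sqrt(n sigma2). As n grows this tends to
    (1/2) log2(2 pi e sigma2): the gamma-function term contributes nothing per dimension in the limit,
    which is the vanishing term at the end of the proof of Lemma D1."""
    return log2_ball_volume(n, math.sqrt(n * sigma2)) / n

def gaussian_volume_limit(sigma2):
    """The limit (1/2) log2(2 pi e sigma2) that per_dimension_log2_noise_ball approaches."""
    return 0.5 * math.log2(2 * math.pi * math.e * sigma2)

if __name__ == "__main__":
    h = gaussian_fading_coefficients(50000)
    print("volume ratio bound:", sphere_packing_rate_bound(h, 1.0, 1.0))
    print("closed form       :", closed_form_rate_bound(h, 1.0, 1.0))
    print("ergodic limit     :", ergodic_rate_bound(1.0, 1.0))
    print("noise ball per dim:", per_dimension_log2_noise_ball(10000, 1.0),
          "->", gaussian_volume_limit(1.0))
```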
Appendix F Fading: Proof of Lemma 5, 7, and Lemma 6
In this appendix we prove results related to fading. In particular we prove Lemma 5 (a simplification of max information on fast fading channels), 7 (the usual result converting complex fast fading channels into real parallel fading channels when CSIR is available), and Lemma 6 (further simplification of max-information in the No-CSIT case).
Proof of Lemma 5.
The proof follows directly.
[TABLE]
Justification.
1) First recall that . Next, has the same distribution as ; that is, by Lemma B1. Thus, we can move the inside of the maximization and then convert to . Moreover, we can move inside of the maximization since it does not depend on the maximizing variable . Lastly, note that each here is not equivalent to the others or to the measure from the previous line; it is denoted this way simply for notational convenience.
2) We can multiply by the unit inside of the maximization. Then we can pull out since it does not depend on the maximizing variable .
3) Here we are using the assumption that so that . Then we use the definition of a conditional probability density function.
This concludes the proof of Lemma 5. ∎
Proof of 7.
Without loss of generality, consider the intended receiver’s channel given above and drop the index for simplicity. Therefore, we are working with the complex fading channel . Since we can write and thus, the receiver will receive the random variable . However, since we are assuming channel state information is available at the receiver, the receiver actually knows the realization of and hence knows the value . The receiver thus adjusts his output accordingly: . Also, the additive white Gaussian noise is assumed to be circularly symmetric, so that is actually distributed the same way as was . Therefore, if we define as the new output and as the rotated noise, under the assumption of CSIR, the receiver can convert the original channel into the new channel: . Now we can break up this channel into its real and imaginary parts:
[TABLE]
Combining the real and imaginary parts respectively yields two parallel channels
[TABLE]
Here each output is identically given as
[TABLE]
where , , and . This concludes the proof of 7. ∎
Proof of Lemma 6.
From Lemma 5 and recalling that , we have:
[TABLE]
Justification.
1) Independence of and . Also, and is not a function of the channel coefficients since we have No-CSIT; therefore, is independent of .
This concludes the proof of Lemma 6. ∎
Appendix G No-CSIT: Proof of Lemma 7, Lemma 8, and 5
In this appendix we prove the main results related to the No-CSIT fast fading wiretap channel. In particular, we prove Lemma 7, Lemma 8 (proves that the sets we defined for No-CSIT are actually typical), and 5 (one of our main results that proves a bound on max-information in the No-CSIT scenario).
Proof of Lemma 7
To prove Lemma 7, we will first need a fact and a lemma. The fact is due to [37] where we have modified its form so as to be easily utilized in the following proofs. It can be considered a generalization of Hoeffding’s inequality [38] to the case of unbounded random variables.
Fact 12 ([37, Theorem 2.1]).
Let be a sequence of independent random variables. Suppose for all there exists a such that . Then for any sufficiently small ,
[TABLE]
where and .
The second item that will be needed for the proof of Lemma 7 is the following.
Lemma G1.
The following inequality holds:
[TABLE]
Proof.
[TABLE]
Justification.
1) Follows from independence of , .
2) is i.i.d. and .
3) Follows from the power constraint on all codewords.
This completes the proof of Lemma G1. ∎
With these tools in hand, we now give the proof of Lemma 7.
Proof of Lemma 7.1.
Let $\hat{\mu}=\mathbb{E}\left[\frac{1}{n}\sum_{i=1}^{n}\frac{Z_{i}^{2}}{\sigma_{E}^{2}+H_{E,i}^{2}P}\,\middle|\,X^{n}=x^{n}\right]$ (note that $\hat{\mu}$ is the mean here, i.e. it is a number, and is not related to the measure). Then,
[TABLE]
where the inequality follows from Lemma G1.
Since is a constant and and are each mutually independent, the term
[TABLE]
is an independent random variable. Let us show that it also satisfies the main condition of 12 (dropping the subscript on and to reduce clutter).
[TABLE]
Justification.
1) implies .
2) , 1) implies that is a non-central random variable.
3) Choosing appropriately ensures the moment generating function is finite.
Since a finite moment generating function implies every moment is finite, exists for all so that is well defined. Therefore, using 12, it follows immediately that
[TABLE]
thereby completing the proof of Lemma 8.1. ∎
Proof of Lemma 7.2.
[TABLE]
Justification.
1) Chi-squared tail bounds [39, Lemma 1].
∎
Proof of Lemma 7.3.
To prove this, we will use 12 reduced to the i.i.d. case. We have that is a sequence of i.i.d. random variables; to employ 12 it remains to prove that for some .
[TABLE]
Then 12 gives us:
[TABLE]
where
[TABLE]
∎
At this point we have finished the proof of Lemma 7.
Proof of Lemma 8.
[TABLE]
Justification.
1. Fréchet inequality for Cartesian products.
2. Fréchet inequality for intersections.
3. The second term of the sum is explained here:
[TABLE]
4. This line follows immediately from Lemma 7.
This completes the proof of Lemma 8. ∎
Proof of 5.
The proof of 5 follows directly and is analogous to our proof of Lemma D1 found in Appendix D.
[TABLE]
Justification.
1. is a typical set; however, it may not be the set corresponding to the “smallest” smooth max-information. Note that here we are labeling our typical set as just for ease and dropping the subscript on .
2. Lemma 6. Since we no longer have any dependencies on , we will henceforth write our typical set as just .
3. Each output, given and , is . This is simply a normal random variable that is shifted in mean by with variance . Thus, the density for each transmission is given as
[TABLE]
Since we assume the channel is memoryless, we can split this density simply into a product.
4. We are working on and thus ; thus, .
5. are defined in Section VI-B.
Let us gain some intuition of what is happening at this point. In Equation 18, suppose and let us understand the term
[TABLE]
If we temporarily fix and , then this maximization is simply asking if there exists some codeword that makes the sequence an element of the set . If there does exist such an then this function returns 1; otherwise, it returns 0. If we now relax and only fix , can be thought of as a typical set as well: it is the set of typical input-output pairs. Thus the above function takes some output and asks if there is possibly any codewords that could have generated such an output knowing the channel coefficient is . It follows then, that the integral
[TABLE]
roughly “counts” the number of valid input-output pairs given some .
To calculate such an integral, we need to know the shape of and it is clear that so that we can replace the with a in the above integral at the expense of an inequality. However, this has removed the maximization since has no dependence on codewords. Therefore the above integration is less than or equal to
[TABLE]
Given some , by definition this integral is equal to the Lebesgue measure of which is precisely the volume of . Since is actually an ellipsoid with radii, , then this integration is actually calculating the volume of said ellipsoid, which is calculated to be
[TABLE]
where is the usual gamma function of analysis.
Let us return to Equation 18; using the aforementioned reasoning above we have:
[TABLE]
Justification.
1. Due to the bounds of integration we know that every value of will satisfy the definition of , thus it satisfies:
[TABLE]
Continuing from the last string of inequalities and equalities, we take the logarithm of the beginning and end, and divide by :
[TABLE]
Let us see the asymptotic behavior of these first two terms.
A1. If we choose and as at rates sufficiently slow (so as to allow and resp.), then as .
A2. It can be shown that as so that as .
Since we can choose in such a way so that and as , it follows that as . Combining these previous steps yields our claim:
[TABLE]
Thus, we have completed the proof of 5. ∎
Appendix H Partial CSIT: Proof of Lemma 9 and 6
In this final appendix, we shall prove results related to partial CSIT. In particular, we will prove Lemma 9 (proves that the sets we defined for partial CSIT are actually typical) and 6 (another main result of our paper that proves an upper bound on max-information in the partial CSIT scenario).
Proof of Lemma 9.
We first see that is typical directly from Section VI-B. Then:
[TABLE]
Since is going to [math] with and we are free to choose , we see that is a typical set.
Justification.
1. Fréchet inequality for Cartesian products.
2. We know that is a typical set for all thus:
[TABLE]
and we sum over all .
This concludes the proof of Lemma 9. ∎
Proof of 6.
The proof follows in a similar fashion to both Lemma 2 and 5.
[TABLE]
Justification.
1. is a typical set; however, it may not be the set corresponding to the “smallest” smooth max-information.
2. We wish to integrate over all and to do so, we break up the integral into integrals over each .
(a) Suppose . In this case, we have transmitted a full length codeword over the th channel and choose to not send information over the channel during the remaining channel uses. Then:
[TABLE]
Thus, if then we obtain equality at this line.
(b) Suppose . In this case, the th channel did not appear often enough for the transmitter to send an entire length codeword. By not sending the full codeword, we are inherently limiting the amount of information sent across the channel and therefore the amount of information that can be leaked to the eavesdropper. Hence, sending the full length codeword allows more information (or an equal amount of information) to be leaked to the eavesdropper and therefore serves as an upper bound to the actual value. More clearly:
[TABLE]
3. Due to the partitioning of the channel coefficients, we know that for each , .
Continuing on we have:
[TABLE]
Taking the logarithm of each side and dividing by we have:
[TABLE]
as and .
Justification.
4. We can split up the conditional density as
[TABLE]
where the first equality follows from the fact that is independent of . Note that was indeed used to determine which codebook to use on this channel, but at this point that has been determined and we have restricted the integration of to take this into account, i.e. is independent of . Thus the multiplicand becomes:
[TABLE]
The equality follows from the fact that we know for each component of the length vector for every . Therefore integrating over the whole space where is guaranteed to be will yield for each of the integrals. We then rewrite the integral over in the form of an expected value.
5. Definition of and Lemma 6.
6. Upper bound as found in 5.
7. can be made arbitrarily large and thus the channel coefficient intervals can be made arbitrarily small, hence the convergence of the first term to the expected value. For the second term:
[TABLE]
Since is constant with respect to and . Also, (from Theorem 1) can be chosen in such a way that as .
This concludes the proof of 6. ∎
- [1] A. D. Wyner, “The wire-tap channel,” Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1387, 1975. [Online]. Available: http://dx.doi.org/10.1002/j.1538-7305.1975.tb02040.x
- [2] I. Csiszar and J. Korner, “Broadcast channels with confidential messages,” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 339–348, May 1978.
- [3] U. M. Maurer, The Strong Secret Key Rate of Discrete Random Triples. Boston, MA: Springer US, 1994, pp. 271–285. [Online]. Available: https://doi.org/10.1007/978-1-4615-2694-0_27
- [4] M. Bellare, S. Tessaro, and A. Vardy, “A cryptographic treatment of the wiretap channel,” CoRR, vol. abs/1201.2205, 2012. [Online]. Available: http://arxiv.org/abs/1201.2205
- [5] M. Bellare and S. Tessaro, “Polynomial-time, semantically-secure encryption achieving the secrecy capacity,” CoRR, vol. abs/1201.3160, 2012. [Online]. Available: http://arxiv.org/abs/1201.3160
- [6] I. Tal and A. Vardy, “Channel upgrading for semantically-secure encryption on wiretap channels,” in 2013 IEEE International Symposium on Information Theory, July 2013, pp. 1561–1565.
- [7] H. Tyagi and A. Vardy, “Explicit capacity-achieving coding scheme for the Gaussian wiretap channel,” in 2014 IEEE International Symposium on Information Theory, June 2014, pp. 956–960.
- [8] H. Tyagi and A. Vardy, “Universal hashing for information-theoretic security,” Proceedings of the IEEE, vol. 103, no. 10, pp. 1781–1795, Oct 2015.
