Semantically Secure Lattice Codes for Compound MIMO Channels
Antonio Campello, Cong Ling, Jean-Claude Belfiore

TL;DR
This paper introduces lattice codes that achieve near-optimal secrecy capacity for compound MIMO wiretap channels with minimal channel information, ensuring semantic security and reduced complexity through algebraic constructions.
Contribution
It proposes a universal lattice coding scheme for compound MIMO channels that attains secrecy capacity up to a constant gap and simplifies code design via algebraic structures.
Findings
Achieves secrecy capacity within a constant gap, measured in nats, equal to the number of transmit antennas.
Provides a universal lattice coding scheme for compound MIMO wiretap channels.
Reduces code and decoding complexity using algebraic number theory.
Figure 1 and Figure 2 (images not reproduced in this extraction; see their descriptions in Sections III-B and IV-A).
Semantically Secure Lattice Codes
for Compound MIMO Channels
Antonio Campello, Cong Ling and Jean-Claude Belfiore
This work was presented in part at the International Zurich Seminar on Communications (IZS) 2018 and in part at the International Symposium on Turbo Codes and Iterative Information Processing (ISTC) 2016. A. Campello is with the Department of Electrical and Electronic Engineering, Imperial College London, London SW7 2AZ, U.K. (e-mail: [email protected]). C. Ling is with the Department of Electrical and Electronic Engineering, Imperial College London, London SW7 2AZ, U.K. (e-mail: [email protected]). J.-C. Belfiore is with the Mathematical and Algorithmic Sciences Lab, France Research Center, Huawei Technologies (e-mail: [email protected]).
Abstract
We consider compound multi-input multi-output (MIMO) wiretap channels where minimal channel state information at the transmitter (CSIT) is assumed. Code construction is given for the special case of isotropic mutual information, which serves as a conservative strategy for general cases. Using the flatness factor for MIMO channels, we propose lattice codes universally achieving the secrecy capacity of compound MIMO wiretap channels up to a constant gap (measured in nats) that is equal to the number of transmit antennas. The proposed approach improves upon existing works on secrecy coding for MIMO wiretap channels from an error probability perspective, and establishes information theoretic security (in fact semantic security). We also give an algebraic construction to reduce the code design complexity, as well as the decoding complexity of the legitimate receiver. Thanks to the algebraic structures of number fields and division algebras, our code construction for compound MIMO wiretap channels can be reduced to that for Gaussian wiretap channels, up to some additional gap to secrecy capacity.
I Introduction
Due to the open nature of the wireless medium, wireless communications are inherently vulnerable to eavesdropping attacks. Information theoretic security offers additional protection for wireless data, since it only relies on the physical properties of wireless channels, thus representing a competitive/complementary approach to security compared to traditional cryptography.
The fundamental wiretap channel model was first introduced by Wyner [1]. In this seminal paper, Wyner defined the secrecy capacity and presented the idea of coset coding to encode both data and random bits to mitigate eavesdropping. In recent years, the quest for the secrecy capacity of many classes of channels has been one of the central topics in wireless communications [2, 3, 4, 5, 6, 7, 8].
In the information theory community, a commonly used secrecy notion is strong secrecy: the mutual information between the confidential message and the channel output should vanish when the code length . Strong secrecy is usually stated for uniformly distributed messages; this assumption was relaxed in [9], which considered the concept of semantic security: for any message distribution, the advantage obtained by an eavesdropper from its received signal vanishes for large block lengths. This notion is motivated by the fact that the plaintext can be fixed and arbitrary.
For the Gaussian wiretap channel, [10] introduced the secrecy gain of lattice codes while [11] proposed semantically secure lattice codes based on the lattice Gaussian distribution. To obtain semantic security, the flatness factor of a lattice was introduced in [11] as a fundamental criterion which implies that conditional outputs are indistinguishable for different input messages. Using a random coding argument, it was shown that there exist families of lattice codes which are good for secrecy, meaning that their flatness factor vanishes. Such families achieve semantic security for rates up to nat from the secrecy capacity.
Compared to the Gaussian wiretap channel, the cases of fading and multi-input multi-output (MIMO) wiretap channels are more technically challenging. The fundamental limits of fading wireless channels with secrecy constraints have been investigated in [12, 13, 2], where the achievable rates and the secrecy outage probability were given. The secrecy capacity of the MIMO wiretap channel was derived in [14, 15, 16, 17], assuming full channel state information at the transmitter (CSIT). A code design in this setting was given in [18] by reducing to scalar Gaussian codes. Although CSIT is sometimes available for the legitimate channel, it is hardly possible that it would be available for the eavesdropping channel. An achievability result was given in [19] for varying MIMO wiretap channels with no CSI about the wiretapper, under the condition that the wiretapper has fewer antennas than the legitimate receiver. Schaefer and Loyka [20] studied the secrecy capacity of the compound MIMO wiretap channel, where the transmitter has no knowledge of the realization of the eavesdropping channel, except that it remains fixed during the transmission block and belongs to a given set (the compound set). The compound model is a well-accepted approach to information theoretic security, since it assumes only minimal CSIT about the eavesdropping channel [21, 22, 23]. It can also model a multicast channel with several eavesdroppers, where the transmitter sends information to all legitimate receivers while keeping it secret from all eavesdroppers [21].
When it comes to code design for fading and MIMO wiretap channels, an error probability criterion was used in several prior works [24, 25, 26], while information theoretic security was only addressed recently with the help of flatness factors [27, 28]. In particular, [28] established strong secrecy over MIMO wiretap channels for secrecy rates that are within a constant gap from the secrecy capacity.
I-A Main Contributions
In this paper, we propose universal codes for compound Gaussian MIMO wiretap channels that complement the recent work reported in [28]. The key method is discrete Gaussian shaping and a “direct” proof of the universal flatness of the eavesdropper’s lattice. This method is similar to that used in [29] to approach the capacity of compound MIMO channels so that the present paper can be considered a companion paper of [29] for wiretap channels. Note that [28] used an “indirect” proof, which was based on an upper bound on the smoothing parameter in terms of the minimum distance of the dual lattice. Besides considering different channel models ([28] is focused on ergodic stationary channels although it also briefly addresses compound channels), the code constructions of this paper and [28] are also different: the construction of [28] is based on a particular sequence of algebraic number fields with increasing degrees, while the algebraic construction of this work combines algebraic number fields of fixed degree and random error correcting codes of increasing lengths. The proposed construction enjoys a significantly smaller gap to secrecy capacity, as well as lower decoding complexity, than [28], over compound MIMO wiretap channels.
We focus on a compound channel formed by the set of all matrices with the same white-input capacity (see (3) for the precise model). Our lattice coding scheme universally achieves rates (in nats) up to , where is the capacity of the legitimate channel, is the capacity of the eavesdropper channel, is the number of transmit antennas and . We believe the -nat gap is an artifact of our proof technique based on the flatness factor, which may be removed by improving the flatness-factor method. This is left as an open problem for future research.
For this special compound model, we also show how to extend the analysis in order to accommodate number-of-antenna mismatch, i.e., security is valid regardless of the number of antennas at the eavesdropper (footnote 1: previous works [24, 28] required the number of the eavesdropper’s antennas to be greater than or equal to ). This is a very appealing property, since the number of receive antennas of an eavesdropper may be unknown to the transmitter.
We present two techniques to prove universality of the proposed lattice codes. The first technique is based on Construction A (see Sect. V-A for the definition) and the usual argument for compound channels [30, 31], which combines fine quantization of the channel space with mismatch encoding for quantized states. This method is a generic proof of the existence of good codes which potentially incurs large blocklengths and performance loss. The second technique is based on algebraic lattices and assumes that the codes admit an “algebraic reduction” and can absorb the channel state. In fact, any code which is good for the Gaussian wiretap channel can be coupled with this second technique, as long as it also possesses an additional algebraic structure (for precise terms see Definition 6). It is inspired by previous works on algebraic reduction for fading and MIMO channels [32], [33], which are revisited here in terms of secrecy.
I-B Relation to Previous Works
An idea of approaching the secrecy capacity of fading wiretap channels using nested lattice codes was outlined in [34]. Code construction for compound wiretap channels has been further developed in [35], which leads to the current work where proof details are given.
The technique for establishing universality of the codes in [20] over the compound MIMO channel with (uncountably) infinite uncertainty sets consists of quantizing the channel space and designing a (random Gaussian) codebook for the quantized channels. This method is similar to the proof of Theorem 1 in the present paper.
Compound MIMO channels without secrecy constraints have been considered earlier in [30, 31, 36] for random codebooks. Lattice codes were shown to achieve the optimal diversity-multiplexing tradeoff for MIMO channels in [37]. More recently it was proven that precoded integer forcing [38] achieves the compound capacity up to a gap, while algebraic lattice codes [29] achieve the compound capacity with ML decoding and a gap to the compound capacity of MIMO channels with reduced decoding complexity. As mentioned above, some techniques (generalized Construction A and channel quantization) of this paper are similar to those used in [29].
I-C Organization
The technical content of this paper is organized as follows. In Section II we discuss the main problem and notions of security. In Section III, we introduce the main notation on lattices and discrete Gaussians, stating generalized versions of known results for correlated Gaussian distributions. In Section IV we give an overview of the main coding scheme and analyze the information leakage and reliability. The proof of universality, however, is postponed until Section V, where we show that lattice codes can achieve vanishing information leakage under semantic security through the two aforementioned techniques. Section VI concludes the paper with a discussion of other compound models and future work.
I-D Notation
Matrices and column vectors are denoted by upper and lowercase boldface letters, respectively. For a matrix , its Hermitian transpose, inverse, determinant and trace are denoted by , , and , respectively. We denote the Frobenius norm of a matrix by and the spectral norm (i.e., -norm) by , where is the largest eigenvalue of . denotes the identity matrix. We write for a symmetric matrix if it is positive semi-definite. Similarly, we write if . We use the standard asymptotic notation when , when , when , and when . Finally, in this paper, the logarithm is taken with respect to base (where is the Neper number) and information is measured in nats.
II Problem Statement
Consider the following wiretap model. A transmitter (Alice) sends information through a MIMO channel to a legitimate receiver (Bob) and is eavesdropped by an illegitimate user (Eve). The channel equations for Bob and Eve read:
[TABLE]
where is the number of transmit antennas, (, resp.) is the number of receive antennas for Bob (Eve, resp.), is the coherence time, and (, resp.) has circularly symmetric complex Gaussian i.i.d. entries with variance (, resp.) per complex dimension. We can vectorize (1) in a natural way:
[TABLE]
where and are the block diagonal matrices
[TABLE]
[TABLE]
For convenience, we denote the transmit signal-to-noise ratio (SNR) in Bob and Eve’s channels by
[TABLE]
respectively, where is the power constraint, i.e., the transmitted signal satisfies .
We assume that the channel realizations are unknown to Alice but belong to a compound set . From the security perspective, we further make the conservative assumption that Eve knows both and . Under this general scenario the (strong) secrecy capacity is bounded by [20]:
[TABLE]
where the minimum is over all realizations in and the maximum over the matrices such that . Suppose that and are the set of channels with the same isotropic mutual information, i.e.,
[TABLE]
for fixed . In this case, the bound gives . The worst case is achieved by taking a specific “isotropic” realization , , where and are such that and belong to and , respectively. From this we conclude that . The goal of this paper is to construct universal lattice codes that approach the secrecy capacity with semantic security. As a corollary, the semantic security capacity and the strong secrecy capacity of the compound set coincide.
A practical motivation to consider the compound model (3) is the following. First, notice that the secrecy capacity is the same if we replace the equality in the definition of and with upper/lower bounds; more precisely the secrecy capacity of the channel with compound set , where
[TABLE]
is the same as for . Note that the sets , and are compact whereas is not. In other words, universal codes are robust, in the sense that only a lower bound on the legitimate channel capacity and an upper bound on the eavesdropper channel are needed. From the security perspective, this is a safe strategy in the scenario where the capacities are not known precisely. Even if Bob and Eve’s channels are random, an acceptable secrecy-outage probability can be guaranteed by setting and properly. Then, the problem still boils down to the design of universal codes for the compound model (3).
II-A Notions of Security
A secrecy code for the compound MIMO channel can be formally defined as follows.
Definition 1.
An -secrecy code for a compound MIMO channel with set consists of
- (i)
A set of messages (the secret message rate is measured in nats and is assumed to be an integer for convenience).
- (ii)
An auxiliary (not necessarily uniform) source taking values in with entropy .
- (iii)
A stochastic encoding function satisfying the power constraint
[TABLE]
for any .
- (iv)
A decoding function with output .
A pair is referred to as a channel state (or channel realization). To ensure reliability for all channel states we require a sequence of codes whose error probability for message vanishes uniformly:
[TABLE]
Let be a message distribution over . For strong secrecy, is usually assumed to be uniform; however, this assumption is not sufficient from the viewpoint of semantic security, which is the standard notion of security in modern cryptography. Let be the output of the channel to the eavesdropper, who is omniscient. The following security notions are adapted from [9, 11] and should hold in the limit :
- •
Mutual Information Security (MIS): Unnormalized mutual information
[TABLE]
for any message distribution and .
- •
Semantic Security (SemanticS): Adversary’s advantage
[TABLE]
for any function from to finite sequences of bits in , and all .
- •
Distinguishing Security (DistS): The maximum variational distance
[TABLE]
We stress that all three notions require a sequence of codes to be universally secure for all channel states. Treating these notions as classes, we have the inclusions , i.e., the sequences of codes satisfying DistS are the same as the ones satisfying SemanticS and also include those satisfying MIS [11, Prop. 1]. Moreover, if in the above notions we require that the convergence rate is , the three sets coincide. We thus define universally secure codes as follows.
Definition 2.
A sequence of codes of rate is universally secure for the MIMO wiretap channel if for all , it satisfies the reliability condition (6) and mutual information security (7) uniformly.
Then, semantic security follows as a corollary, which is a direct consequence of established relations between MIS and SemanticS [9]:
Corollary 1.
The sequence of codes given in Definition 2 is semantically secure for the compound MIMO wiretap channel.
In what follows we proceed to construct universally secure codes for the MIMO wiretap channel using lattice coset codes.
III Correlated Discrete Gaussian Distributions
In this section, we present the essential results and concepts needed to define and analyze our lattice coding scheme.
III-A Preliminary Lattice Definitions
A (complex) lattice with generator matrix is a discrete additive subgroup of given by
[TABLE]
A complex lattice has an equivalent real lattice generated by the matrix obtained by stacking real and imaginary parts of matrix :
[TABLE]
A fundamental region for is any interior-disjoint region that tiles through translates by vectors of . For any we say that iff . By convention, we fix a fundamental region and denote by the unique representative such that . The volume of is defined as the volume of a fundamental region for the equivalent real lattice, given by
Throughout this text, for convenience, we also use the matrix-notation of lattice points. If is a full-rank lattice, the matrix form representation of is
[TABLE]
The dual of a complex lattice is defined as
[TABLE]
III-B The Flatness Factor
The flatness factor has been introduced in [11], and will be used here to bound the information leakage of information transmission of our coding scheme.
The p.d.f. of the complex Gaussian centered at is defined as
[TABLE]
We write for the sum of over . The flatness factor of a lattice quantifies the distance between and the uniform distribution over and, as we will see, bounds the amount of leaked information in a lattice coding scheme.
Definition 3 (Flatness factor for spherical Gaussian distributions).
For a lattice and a parameter , the flatness factor is defined by:
[TABLE]
where is a fundamental region of .
For a complex lattice , let be the volume-to-noise ratio (VNR). We recall the formulas of the flatness factor and smoothing parameter, adapted to complex lattices. The flatness factor can be written as [11, Prop. 2]:
[TABLE]
where is the theta series of the lattice .
Definition 4 (Smoothing parameter [39]).
For a lattice and , the smoothing parameter is defined by the function , for the smallest such that .
When we have a correlated Gaussian distribution with covariance matrix
[TABLE]
the flatness factor is similarly defined.
Definition 5 (Flatness factor for correlated Gaussian distributions).
[TABLE]
where is a fundamental region of .
The usual smoothing parameter in Definition 4 is a scalar. To extend its definition to matrices, we say if . This induces a partial order because if .
When we ignore the index and write . For a covariance matrix we define the generalized-volume-to-noise ratio as
[TABLE]
Clearly, the effect of correlation on the flatness factor may be absorbed if we use a new lattice , i.e., . From this, and from the expression of the flatness factor, we have
[TABLE]
In our applications, the matrix will be determined by the channel realization (1). Figure 1 shows the effect of fading on the lattice Gaussian function. A function (10) which is flat over the Gaussian channel (corresponding to ) need not be flat for a channel in deep fading (corresponding to an ill-conditioned ), in which case an eavesdropper could clearly distinguish one dimension of the signal.
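The following is an added worked example, written for this page and not code from the paper: it evaluates the flatness factor of a real lattice H·Z² numerically and reproduces the Figure 1 effect in numbers. It uses real lattices with noise variance σ² per dimension (the paper works with complex lattices), computes ε through the dual-lattice sum Σ_{λ*≠0} exp(−2π²σ²‖λ*‖²), which is the Poisson-summation form of the theta-series expression, and checks it against the direct definition at x = 0. The channel matrices, the equal-determinant stand-in for the compound set, and the σ values are illustrative choices made here.

```python
import itertools
import math

# Added example (not from the paper): flatness factor of a real lattice H*Lambda,
# evaluated through the dual lattice, to illustrate Definitions 3 and 5 and the
# Figure 1 remark that an ill-conditioned channel matrix H destroys flatness.
# Real lattices with noise variance sigma^2 per dimension replace the paper's
# complex setting; the matrices and sigma values are illustrative.

def inverse_and_det(a):
    """Gauss-Jordan elimination with partial pivoting on a small square matrix
    (list of rows).  Returns (inverse, determinant)."""
    n = len(a)
    m = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(a)]
    det = 1.0
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            raise ValueError("singular matrix")
        if p != c:
            m[c], m[p] = m[p], m[c]
            det = -det
        piv = m[c][c]
        det *= piv
        m[c] = [v / piv for v in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return [row[n:] for row in m], det

def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def transpose(a):
    return [list(col) for col in zip(*a)]

def lattice_point(basis, coeffs):
    """The point sum_j coeffs[j] * (column j of basis)."""
    return [sum(row[j] * coeffs[j] for j in range(len(coeffs))) for row in basis]

def flatness_factor(basis, sigma, radius=8):
    """eps_Lambda(sigma) = sum over nonzero dual points v* of exp(-2 pi^2 sigma^2 |v*|^2).
    This is the Poisson-summation (dual theta series) form of the flatness factor of
    the lattice whose basis vectors are the columns of `basis`; the dual basis is B^{-T}.
    The sum is truncated to coefficient vectors in [-radius, radius]^n (assumed to
    cover the tail for the lattices used here)."""
    inv, _ = inverse_and_det(basis)
    dual = transpose(inv)
    n = len(basis)
    total = 0.0
    for c in itertools.product(range(-radius, radius + 1), repeat=n):
        if any(c):
            v = lattice_point(dual, c)
            total += math.exp(-2.0 * math.pi ** 2 * sigma ** 2 * sum(x * x for x in v))
    return total

def primal_excess(basis, sigma, x, radius=30):
    """Direct form of Definition 3 at the point x: V(Lambda) * sum_lambda f_sigma(x - lambda) - 1.
    Its maximum over x is attained at x = 0, where it equals the dual sum above."""
    _, det = inverse_and_det(basis)
    n = len(basis)
    norm = (2.0 * math.pi * sigma ** 2) ** (n / 2.0)
    total = 0.0
    for c in itertools.product(range(-radius, radius + 1), repeat=n):
        lam = lattice_point(basis, c)
        total += math.exp(-sum((xi - li) ** 2 for xi, li in zip(x, lam)) / (2.0 * sigma ** 2))
    return abs(det) * total / norm - 1.0

# Illustrative eavesdropper channel realizations acting on the base lattice Z^2.
# Equal determinant is used as a simple stand-in for the paper's compound set of
# equal isotropic mutual information (a simplification made here, not the paper's model).
H_ISO = [[1.0, 0.0], [0.0, 1.0]]
H_FADE = [[3.0, 0.0], [0.0, 1.0 / 3.0]]          # one strong and one deeply faded direction
TH = math.radians(30.0)
H_ROT = mat_mul([[math.cos(TH), -math.sin(TH)], [math.sin(TH), math.cos(TH)]], H_FADE)

if __name__ == "__main__":
    for name, h in [("isotropic", H_ISO), ("faded", H_FADE), ("faded+rotated", H_ROT)]:
        print(f"{name:14s} flatness factor at sigma=1: {flatness_factor(h, 1.0):.3e}")
    print("direct form at x=0 for the faded channel:", primal_excess(H_FADE, 1.0, [0.0, 0.0]))
```

At σ = 1 the isotropic realization leaves Z² essentially flat (ε of order 1e-8), whereas the equal-determinant faded realization stretches the lattice by 3 in one direction and its flatness factor jumps to about 0.22: the lattice Gaussian is no longer close to uniform along that axis, which is exactly the dimension an eavesdropper can distinguish. The rotated version gives the same value, so flatness depends only on the singular values of H, not on its orientation.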
III-C The Discrete Gaussian Distribution
In order to define our coding scheme, we need a last element, which is the distribution of the sent signals. To this end, we define the discrete Gaussian distribution as the distribution assuming values on , such that the probability of each point is given by
[TABLE]
Its relation to the continuous Gaussian distribution can be shown via the smoothing parameter or the flatness factor. For instance, a vanishing flatness factor guarantees that the power per dimension of is approximately [11, Lemma 6].
The next proposition says that the sum of a continuous Gaussian and a discrete Gaussian is approximately a continuous Gaussian, provided that the flatness factor is small. The proof can be found in [28, Appendix I-A]:
Lemma 1.
Given sampled from the discrete Gaussian distribution and sampled from the continuous Gaussian distribution . Let and let . If for , then the distribution of is close to :
[TABLE]
IV Coding Scheme and Analysis
IV-A Overview
Given a pair of nested lattices such that
[TABLE]
the transmitter maps a message to a coset of in the quotient , then samples a point from that coset. Concretely, one can use a one-to-one map such that , where is a representative of the coset, and then sample the signal , broadcasting it to the channels. A block diagram for the transmission up to the front ends of the receivers Bob and Eve is depicted in Figure 2a.
In order to find pairs of sequences of nested lattices and we employ constructions of lattices from error-correcting codes. The analysis and full construction are explained in Section V. Essentially, the lattice controls reliability and has to be chosen in such a way that it is universally good for the legitimate compound channel. The lattice controls the information leakage to the eavesdropper, and has to be chosen in such a way that the flatness factor vanishes universally for any eavesdropper realization (universally good for secrecy). The main result of this section is the following theorem, stating the existence of schemes with vanishing probability of error and vanishing information leakage for all pairs of realizations in the compound set .
Theorem 1.
There exists a sequence of pairs of nested lattices , such that as , the lattice coding scheme universally achieves any secrecy rate
[TABLE]
Moreover, we show that both the probability of error and the information leakage in Theorem 1 vanish uniformly over all realizations in the compound set.
IV-B The Eavesdropper Channel: Security
For a fixed realization , the key element for bounding the information leakage is the following lemma [11, Lem 2]:
Lemma 2.
Suppose that there exists a probability density function taking values in such that for all . Then, for all message distributions, the information leakage is bounded as:
[TABLE]
We will show that if the distribution is sufficiently flat, then is statistically close to a multivariate Gaussian for any . Let us assume for now that is an invertible square matrix (we next show how to reduce the other cases to this one). In this case, given a message , we have
[TABLE]
According to Lemma 1, the distribution of is within variational distance from the normal distribution , where and
[TABLE]
We thus have the following bound for the information leakage ((11) with replaced by ):
[TABLE]
Therefore, if , the leakage vanishes as increases for the specific realization . To achieve strong secrecy universally, we must, however, ensure the existence of a lattice with vanishing flatness factor for all possible . We postpone the universality discussion to Section V where it is proven that a vanishing flatness factor is possible simultaneously for all and . This condition implies that semantic security is possible for any VNR,
[TABLE]
[TABLE]
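The coset coding scheme of Section IV-A and the leakage argument of Section IV-B, in an added one-dimensional toy (this is example code written for this page, not the paper's own): Bob's lattice is Z, Eve's lattice is qZ, the q cosets are the messages, Alice samples the transmitted point from the discrete Gaussian over the chosen coset, Bob lattice-decodes and reads off the coset, and Eve's conditional output densities p(y|m) are integrated numerically so that their L1 distance can be compared with the flatness factor of her effective lattice h_e·qZ at the Lemma 1 parameter. Real-valued Gaussians replace the paper's complex ones, the Lemma 1 bound is used in its real-lattice form (distance to a Gaussian at most 4ε when ε < 1/2), and all numeric values (q = 4, σ_s = 4, the gains h_e and noise levels σ_e) are illustrative choices made here.

```python
import math
import random

# Added example (not from the paper): a one-dimensional instance of the coset
# coding scheme of Section IV-A with discrete Gaussian shaping, plus a numerical
# check of the Section IV-B leakage argument (Lemma 1) on Eve's channel.
# Bob's lattice is Z, Eve's lattice is q*Z, so the q cosets of qZ in Z are the
# messages.  All parameter values are illustrative.

TRUNC = 60  # lattice sums run over |k| <= TRUNC (assumed to capture the tails)

def coset_pmf(m, q, sigma_s, trunc=TRUNC):
    """Discrete Gaussian D_{m+qZ, sigma_s}: returns [(x, P(x))] for x = m + q*k,
    dropping points of negligible probability."""
    pts = [m + q * k for k in range(-trunc, trunc + 1)]
    w = [math.exp(-x * x / (2.0 * sigma_s ** 2)) for x in pts]
    z = sum(w)
    return [(x, wi / z) for x, wi in zip(pts, w) if wi / z > 1e-15]

def encode(m, q, sigma_s, rng):
    """Alice: choose the coset m + qZ and sample one of its points from the discrete Gaussian."""
    pmf = coset_pmf(m, q, sigma_s)
    u, acc = rng.random(), 0.0
    for x, p in pmf:
        acc += p
        if u <= acc:
            return x
    return pmf[-1][0]  # guards against rounding when u is essentially 1

def bob_decode(y, h_b, q):
    """Bob: equalize the gain, lattice-decode to Z by rounding, then read the coset mod q."""
    return round(y / h_b) % q

def gaussian_pdf(y, mean, sigma):
    return math.exp(-(y - mean) ** 2 / (2.0 * sigma ** 2)) / (sigma * math.sqrt(2.0 * math.pi))

def eve_density(pmf, y, h_e, sigma_e):
    """p(y | m) for y = h_e * x + w with x ~ D_{m+qZ,sigma_s} (given by pmf) and w ~ N(0, sigma_e^2)."""
    return sum(p * gaussian_pdf(y, h_e * x, sigma_e) for x, p in pmf)

def l1_distance(m0, m1, q, sigma_s, h_e, sigma_e):
    """Midpoint-rule integral of |p(y|m0) - p(y|m1)| over a grid covering both densities."""
    pmf0, pmf1 = coset_pmf(m0, q, sigma_s), coset_pmf(m1, q, sigma_s)
    std = math.sqrt((h_e * sigma_s) ** 2 + sigma_e ** 2)
    lim, step = 8.0 * std, sigma_e / 100.0
    n = int(2.0 * lim / step)
    return sum(abs(eve_density(pmf0, -lim + (i + 0.5) * step, h_e, sigma_e)
                   - eve_density(pmf1, -lim + (i + 0.5) * step, h_e, sigma_e)) * step
               for i in range(n))

def flatness_1d(spacing, sigma, trunc=TRUNC):
    """Flatness factor of the lattice spacing*Z at parameter sigma, via its dual (1/spacing)Z."""
    return sum(2.0 * math.exp(-2.0 * math.pi ** 2 * sigma ** 2 * (k / spacing) ** 2)
               for k in range(1, trunc + 1))

def lemma1_flatness(q, sigma_s, h_e, sigma_e):
    """Flatness factor of Eve's effective lattice h_e*qZ at the Lemma 1 parameter
    sigma_tilde = (h_e sigma_s) sigma_e / sqrt((h_e sigma_s)^2 + sigma_e^2).
    In its real-lattice form Lemma 1 bounds the distance of p(y|m) to a Gaussian by 4*eps when eps < 1/2."""
    hs = h_e * sigma_s
    sigma_tilde = hs * sigma_e / math.sqrt(hs ** 2 + sigma_e ** 2)
    return flatness_1d(h_e * q, sigma_tilde)

def roundtrip_all_messages(q=4, sigma_s=4.0, h_b=2.0, seed=7):
    """Encode every message, pass it through Bob's (almost noise-free) channel, decode; True if all agree."""
    rng = random.Random(seed)
    ok = True
    for m in range(q):
        x = encode(m, q, sigma_s, rng)
        ok = ok and (x % q == m) and (bob_decode(h_b * x + 0.01, h_b, q) == m)
    return ok

def leakage_summary(q=4, sigma_s=4.0, cases=((1.0, 4.0), (8.0, 4.0))):
    """For each (h_e, sigma_e): (Lemma 1 flatness of Eve's lattice, L1 distance between p(y|0) and p(y|1))."""
    return {case: (lemma1_flatness(q, sigma_s, *case), l1_distance(0, 1, q, sigma_s, *case))
            for case in cases}

if __name__ == "__main__":
    print("Bob decodes every message:", roundtrip_all_messages())
    for (h_e, sigma_e), (eps, d) in leakage_summary().items():
        print(f"h_e={h_e}, sigma_e={sigma_e}: flatness={eps:.2e}, L1 distance p(y|0) vs p(y|1) = {d:.3f}")
```

Raising Eve's gain from 1 to 8 at the same noise level turns ε from about 1e-4 into more than 2, and the two message densities become clearly distinguishable (L1 distance above 1). This is the flatness-factor view of an eavesdropper whose channel is too good: secrecy requires the coarse lattice, as seen through Eve's channel, to be flat at her noise level, and the compound design must guarantee this for every realization in the set.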
Number-of-Antenna Mismatch. The above analysis assumed that , i.e., the number of eavesdropper receive antennas is equal to the number of transmit antennas. Although analytically simpler, this assumption is not reasonable in practice, since we expect a compound scheme to perform well for any number of eavesdropper antennas. We show next how to reduce the other cases to the square case.
(i) : Recall that the signal received by the eavesdropper is given in matrix form by
[TABLE]
Let be a completion of such that
[TABLE]
is a full-rank square matrix and is some small number. Let be a matrix corresponding to circularly symmetric Gaussian noise. Consider the following surrogate MIMO channel:
[TABLE]
where is scaled so that the capacity of the new channel is arbitrarily close to the original one. Indeed for any full rank completion , from the matrix determinant lemma, we have
[TABLE]
Therefore, by letting , the left-hand side tends to . For any signal , the information leakage of the surrogate channel is at least that of the original one: the eavesdropper’s original channel is stochastically degraded with respect to the augmented one, so by data processing the leakage over the original channel is bounded by the leakage over the surrogate channel. A universally secure code for the MIMO compound channel will have vanishing information leakage for the surrogate channel (for any completion) and therefore will also be secure for the original channel.
(ii) : Performing a rectangular factorization of we have:
[TABLE]
where and are square matrices. Therefore the eavesdropper’s received signal is equivalent to
[TABLE]
where the components of the noise matrices are i.i.d. Gaussian. The leakage is therefore the same as for the square channel and a universal code will also achieve vanishing leakage for the non-square channel.
IV-C The Legitimate Channel: Reliability
It was shown in [29] that if , then the maximum-a-posteriori (MAP) decoder for the signal is equivalent to lattice decoding of , where is the MMSE-GDFE matrix to be defined in the sequel. We cannot claim directly that , since the message distribution in need not be uniform. Nonetheless, we show that reliability is still possible for all individual messages.
The full decoding process is depicted in Figure 2b. Bob first applies a filtering matrix so that
[TABLE]
where and , and the effective noise is
[TABLE]
The next step is to decode in , in order to obtain which is then remapped into the element of the coset through the operation . We can then invert the linear transformation associated to (notice that has full rank) in order to obtain the coset in and re-map it to the message space through .
In the first step, from Lemma 1, the effective noise is statistically close to a Gaussian noise with covariance:
[TABLE]
provided that is small, where
[TABLE]
The probability of error given any message is thus bounded by
[TABLE]
where each entry of is i.i.d. normal with variance . Therefore, if we guarantee that is bounded and if we choose a universally good lattice, the probability vanishes for all possible . This is possible [29] provided that
[TABLE]
namely,
[TABLE]
However, the evaluation of is cumbersome and implies an extra condition for the flatness of . Next we show, instead, how to circumvent this problem by using the fact that the effective noise is “asymptotically” sub-Gaussian with covariance matrix . We say that a centred random vector is sub-Gaussian with (proxy) parameter if
[TABLE]
for all and all unit norm vectors .
Lemma 3 ([28]).
Let be a random vector with distribution , and let For any matrix and any vector , we have:
[TABLE]
Notice that the average power per dimension of a sub-Gaussian random variable is always less than or equal to its parameter . Moreover, the sum of two sub-Gaussians is also a sub-Gaussian (for more properties, the reader is referred to [28]). The above lemma, along with (IV-C), allows us to establish that is almost sub-Gaussian with parameter . Therefore, as long as the probability of error tends to zero if we choose to be universally AWGN-good.
IV-D Proof of Theorem 1: Achievable Secrecy Rates
From the previous subsections, semantic security is achievable if and satisfy:
1. Reliability (22): 
2. Secrecy (14): 
3. Sub-Gaussianity of the equivalent noise and the power constraint: .
From and (23), the first two conditions can be satisfied for rates up to
[TABLE]
nats per channel use, but the last conditions may, a priori, limit these rates to certain SNR regimes. Fortunately, if condition is satisfied, we automatically satisfy the condition for , since
[TABLE]
Therefore, if is a sequence of nested lattices, where
1. is universally good for the compound channel with set ,
2. is universally secure for the compound channel with set ,
then nested lattice Gaussian coding achieves any secrecy rate up to
[TABLE]
The existence of such nested pairs is proved subsequently in Section V and Appendix B, which concludes the proof of Theorem 1.
In fact using a method in [40] we can further reduce the gap to approximately . We conjecture that this gap can be completely removed with tighter bounds for the variational distance between the discrete and continuous Gaussians. This is left as an open question.
Remark 1.
Theorem 1 is also a slight improvement on the main result of [11, Theorem 5] in the sense that one of the conditions on the SNR of Bob () is no longer needed. Indeed, for the Gaussian channel, and the SNR condition for non-zero secrecy rates is , which is equivalent to
[TABLE]
V Universally Flat Gaussians
The results in the previous section require the existence of sequences of lattices which are universally good for the wiretap channel. More specifically, we need a sequence which is universally AWGN-good and a sequence whose leakage vanishes for all channel realizations of the eavesdropper. The first condition was studied in [29], where it was shown, through a compactness argument, that random lattices are universal. In this section we deal with the second condition and prove the existence of lattices which are universally good for secrecy of the MIMO channel.
Two methods are provided to establish the main result. The first method relies solely on random lattice coding arguments and achieves secrecy capacity up to a gap of nats per channel use. The second method is based on algebraic reductions and exhibits a larger gap (by a factor of ) to capacity, but has the appealing property of reducing the problem to the one of constructing secrecy-good lattices for the AWGN channel, making it potentially more useful in practice.
V-A Construction A
Construction A (or “mod-”) lattices are certainly the simplest choice for constructing pairs of nested lattices, however generalizations based on algebraic lattices may offer greater flexibility in the code design, which could be leveraged to obtain better decoding complexity, diversity, or other parameters. Moreover, the coding scheme in Section V-C entails an extra condition on the ensemble, which can be satisfied by assuming an algebraic structure. A general “flexible” construction can be defined via “generalized reductions”. Let be a surjective homomorphism from a base lattice of complex dimension to the vector space (also referred to as a reduction). Define the lattice as the pre-image of a linear code ,
[TABLE]
If has length and dimension , the volume of equals . For instance, if , the mapping is the reduction modulo :
[TABLE]
we recover an analogue of Loeliger’s (mod-) Construction A [41]. In this case we obtain a nested lattice between and . More refined “direct” constructions can be obtained by using number theory and prime ideals of . For instance, if is the embedding of the ring of integers of a number field and is the reduction modulo a prime ideal, we recover the constructions in [29]. Notice that, for this construction, if , we obtain two nested lattices .
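The following is an added worked example (not code from the paper) of the classical mod-p instance of the reduction described above: the base lattice is Z^n, the reduction is coordinate-wise reduction modulo a prime p, and the lattice is the pre-image of a linear code C. The code, the prime p = 3 and the generator matrix are constructed for illustration. It checks the three facts stated in the text for this instance: the volume is p^(n-k) (once by counting cosets of pZ^n, once as the determinant of an explicit generator matrix), pZ^n is contained in the lattice, and nested codes C_1 ⊆ C_2 give nested lattices.

```python
"""Construction A lattice Lambda = {x in Z^n : x mod p in C} (added example, not the paper's code)."""
from fractions import Fraction
from itertools import product

def codewords(G, p):
    """Enumerate the linear code C over F_p generated by the rows of G (brute force; small codes only)."""
    k, n = len(G), len(G[0])
    return {tuple(sum(c * G[i][j] for i, c in enumerate(coeffs)) % p for j in range(n))
            for coeffs in product(range(p), repeat=k)}

def in_lattice(x, code, p):
    """Membership test: x in Z^n lies in Lambda iff its reduction modulo p is a codeword."""
    return tuple(v % p for v in x) in code

def lattice_volume_by_counting(code, p, n):
    """vol(Lambda) = [Z^n : Lambda]. Every coset of pZ^n has exactly one representative in
    [0,p)^n, so Lambda consists of |C| of the p^n cosets: index p^n / |C| = p^(n-k)."""
    hits = sum(1 for x in product(range(p), repeat=n) if in_lattice(x, code, p))
    return p ** n // hits

def generator_matrix(G, p):
    """For systematic G = [I_k | A], the rows of [[I_k | A], [0 | p I_(n-k)]] generate Lambda."""
    k, n = len(G), len(G[0])
    rows = [list(r) for r in G]
    rows += [[p if t == j else 0 for t in range(n)] for j in range(k, n)]
    return rows

def determinant(M):
    """Exact |det M| via Gaussian elimination over the rationals (this is the lattice volume)."""
    A = [[Fraction(v) for v in row] for row in M]
    n, d = len(A), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [A[r][t] - f * A[c][t] for t in range(n)]
    return int(abs(d))

def is_sublattice(rows_sub, code_sup, p):
    """Lambda_1 is contained in Lambda_2 iff every generator of Lambda_1 reduces to a codeword of C_2."""
    return all(in_lattice(r, code_sup, p) for r in rows_sub)

# Constructed sample parameters: p = 3, n = 4, k = 2, systematic generator matrix over F_3.
P = 3
G2 = [[1, 0, 1, 1],
      [0, 1, 1, 2]]
G1 = [G2[0]]          # one-dimensional subcode C_1 of C_2

def demo():
    """Return (volume by counting, volume by determinant, pZ^n in Lambda_2,
    Lambda_1 in Lambda_2, Lambda_2 in Lambda_1) for the constructed example."""
    C2, C1 = codewords(G2, P), codewords(G1, P)
    n = len(G2[0])
    vol_count = lattice_volume_by_counting(C2, P, n)
    vol_det = determinant(generator_matrix(G2, P))
    p_zn_in_l2 = is_sublattice([[P if t == j else 0 for t in range(n)] for j in range(n)], C2, P)
    l1_in_l2 = is_sublattice(generator_matrix(G1, P), C2, P)
    l2_in_l1 = is_sublattice(generator_matrix(G2, P), C1, P)
    return vol_count, vol_det, p_zn_in_l2, l1_in_l2, l2_in_l1

if __name__ == "__main__":
    print(demo())   # (9, 9, True, True, False)
```

Both volume computations return p^(n-k) = 3^2 = 9, and the last entry is False because C_2 is strictly larger than C_1, so the nesting runs only one way.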
It was shown in [42] that if is an infinite sequence of mappings, then under mild conditions (more specifically, it is required that the sequence of lattices corresponding to the kernels of has a non-vanishing Hermite parameter) the ensemble of lattices averaged over all linear codes of the same dimension satisfies the Minkowski-Hlawka theorem, namely:
[TABLE]
where is a constant so that all lattices have volume . The result holds for any integrable function which decays sufficiently fast (in particular any function upper bounded by a constant times for some ). Clearly the Gaussian probability density function satisfies this restriction.
V-B Lattices Which Are Good for Secrecy
In what follows we will apply the generalized version of Construction A to construct a sequence of lattices which is good for secrecy, i.e., which has vanishing flatness factor for all eavesdropper channel realizations. As usual, will denote the blocklength (cf. Equation (1)), will be set to (the complex dimension of the coding lattice) and is any positive integer.
Using the above Minkowski-Hlawka theorem, there exists an ensemble of lattices of volume such that
[TABLE]
for any . Equation (25) implies that
[TABLE]
therefore
[TABLE]
Hence as long as is bounded and is bounded by a constant less than , the flatness factor tends to zero exponentially in the proposed lattice coding scheme. The condition for can be achieved, for instance, by choosing sufficiently large in Construction A.
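To make the decay of the flatness factor concrete, here is an added numerical illustration (not code from the paper) for the scaled cubic lattice a·Z^n. It assumes the real-lattice normalisation of the flatness factor from the authors' earlier work on the Gaussian wiretap channel, ε_Λ(σ) = V(Λ)/(√(2π)σ)^n Σ_{λ∈Λ} exp(−‖λ‖²/2σ²) − 1, which by Poisson summation equals Σ_{λ*∈Λ*\{0}} exp(−2π²σ²‖λ*‖²); the paper's own expression (9) for the MIMO case is not reproduced on this page. The example computes both sides of that identity, shows that the dual-lattice sum is dominated by the 2n shortest dual vectors (so ε decays like exp(−2π²σ²/a²), i.e. exponentially in the volume-to-noise ratio), and checks the scaling ε_{aZ^n}(σ) = ε_{Z^n}(σ/a).

```python
"""Flatness factor of a*Z^n, primal and dual (Poisson) forms. Added illustration, not the paper's code."""
import math

def flatness_primal(n, a, sigma):
    """eps = V(Lambda)/(sqrt(2 pi) sigma)^n * sum_{lambda in a Z^n} exp(-|lambda|^2 / (2 sigma^2)) - 1.
    For a*Z^n the sum factorises over coordinates, so one 1-D sum raised to the n-th power suffices."""
    K = int(12 * sigma / a) + 2            # terms beyond K are below exp(-72)
    s = sum(math.exp(-(a * k) ** 2 / (2 * sigma ** 2)) for k in range(-K, K + 1))
    per_dim = a * s / (math.sqrt(2 * math.pi) * sigma)   # V(aZ) = a
    return per_dim ** n - 1

def flatness_dual(n, a, sigma):
    """Poisson summation form: eps = sum over nonzero dual points of exp(-2 pi^2 sigma^2 |lambda*|^2).
    The dual of a*Z^n is (1/a)*Z^n, so again a 1-D sum is enough."""
    K = int(3 * a / sigma) + 2             # terms beyond K are below exp(-2 pi^2 * 9)
    s = sum(math.exp(-2 * math.pi ** 2 * sigma ** 2 * (k / a) ** 2) for k in range(-K, K + 1))
    return s ** n - 1

def leading_term(n, a, sigma):
    """Contribution of the 2n shortest nonzero dual vectors (+/- e_i / a): the exponential rate of decay."""
    return 2 * n * math.exp(-2 * math.pi ** 2 * sigma ** 2 / a ** 2)

def decay_table(n, a, sigmas):
    """(sigma, eps, leading term) rows; eps falls exponentially in sigma^2 / a^2."""
    return [(s, flatness_dual(n, a, s), leading_term(n, a, s)) for s in sigmas]

if __name__ == "__main__":
    for sigma, eps, lead in decay_table(2, 1.0, [0.3, 0.4, 0.5, 0.7, 1.0]):
        print(f"sigma={sigma:.2f}  eps={eps:.3e}  leading={lead:.3e}")
```

The primal form is what the definition states, while the dual form is the one the text uses to bound the flatness factor via the theta series; for Z^2 and σ = 0.5 both evaluate to about 0.029, and at σ = 1 the factor is already below 10^-7, matching the exponential rate given by the shortest dual vectors.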
Lemma 4 (Universally Flat Lattice Gaussians).
Let and as in Equation (12). For any , there exists a sequence of lattices with and universally vanishing flatness factor, i.e.,
[TABLE]
Moreover, the convergence rate is exponential, i.e., for all , .
Proof.
The proof is analogous to the quantization argument for the probability of error in [29], which, in turn, follows [36].
(i) Fixed . If is a Minkowski-Hlawka ensemble with volume , then
[TABLE]
which guarantees a sequence (at this point, possibly depending on ) with vanishing flatness factor as long as .
(ii) Finite set. Let be a finite subset of with cardinality . We have
[TABLE]
which guarantees a sequence with exponentially vanishing flatness factor for any .
(iii) Quantization step. By quantizing the channel space, we can extend step (ii) into a universal code for any channel in . This analysis is described in Appendix A. Here we provide a sketch of the argument. Suppose is a -covering for , i.e., for all , there exists such that . From the compactness of , such a covering exists for any arbitrarily small , and the size of the covering depends only on , which is fixed for the whole transmission. Furthermore, the theta series is a continuous function of , which implies that the flatness factors in different channel realizations are also close. From this, we can choose independently of that guarantees that the total exponent is negative. Therefore, the flatness factor tends to zero uniformly as . ∎
The above proof does not rely on a specific realization but rather on the knowledge of the compact compound set . It is reminiscent of a widely used technique in coding for compound channels (e.g., [36]). Essentially, an encoder develops a code for channels, where is the cardinality of a good quantizer of the channel space. However, the quantization may increase the effective blocklength for a target information leakage. Moreover, the proof does not give us insights on how to effectively quantize , making algebraic approaches appealing in practice.
Lemma 4 shows the existence of universally flat Gaussians or, in other words, the existence of a sequence of lattices which are good for secrecy. Recall that in the construction of Section IV-A, we required to be nested with , where is a sequence of lattices which are good for the legitimate compound channel. The existence of was proven in [29]. In Appendix B we argue that both conditions can be achieved by a nested pair , which is the last missing part of the proof of Theorem 1.
V-C Algebraic Approach
Following [33], we now define a lattice admitting algebraic reduction.
Definition 6 (EU Decomposition).
We say that admits algebraic reduction if for any unit determinant matrix there exists a matrix decomposition of the form , where and are also unit-determinant satisfying the following properties:
1. ,
2. for some absolute constant that does not depend on .
The Golden Code is one example of a lattice that admits algebraic reduction [33]. Lattices built from generalized versions of Construction A based on number fields and division algebras also admit a similar reduction (if necessary, we may relax requirement 1 to include equivalence instead of equality). This property was used in [29] to achieve the capacity of the infinite compound MIMO channel. Note that grows with . See [29, Theorem 3] for an upper bound on in the case of number fields, and [33] in the case of division algebras. Next, we show that an ensemble of lattices satisfying Definition 6 achieves the secrecy capacity of the compound MIMO channel up to a constant gap.
Recall the following relation between the spectral norm and the Frobenius norm:
[TABLE]
for the identity matrix of any dimension.
Lemma 5.
Suppose that is such that its dual lattice admits algebraic reduction. Then for ,
[TABLE]
Proof.
From the Poisson summation formula and the expression for the flatness factor (9):
[TABLE]
Upon decomposing as in Definition 6, the last equation becomes
[TABLE]
where is due to the bound and the fact that , is due to the inequality between the -norm and the Frobenius norm, and follows from Definition 6. ∎
Since
[TABLE]
where and is block-diagonal, we can apply the above lemma. Therefore, if we construct an ensemble of lattices such that their duals admit algebraic reduction for some constant , then there exist lattices with vanishing flatness factor provided that
[TABLE]
This can be achieved if:
[TABLE]
Notice that the right-hand side of (29) depends only on the determinant of , or equivalently on the capacity of the eavesdropper channel, not on any individual realization. For this condition to hold, we only need a sequence of secrecy-good lattices for a surrogate eavesdropper channel with smaller noise variance (by a factor ). Therefore, by combining (23) and (29), we arrive at the following result:
Theorem 2.
Let be a sequence of nested lattices where: (i) is universally good for the compound MIMO channel and (ii) satisfies Definition 6 and is secrecy good for the AWGN channel (Condition (28)). Then nested lattice Gaussian coding achieves any secrecy rate up to
[TABLE]
Notice that the gap has a different nature than the one in the previous subsection. It consists of two parts: due to the same restriction on the flatness factor in Theorem 1, and due to algebraic reduction. Although we have conjectured that the gap in Theorem 1 can be essentially removed, this is not the case for in Theorem 2. Indeed, since cannot be smaller than [29, Theorem 3], this gap is always larger than . However, the code construction can be reduced to the problem of finding good lattices for the Gaussian wiretap channel (with some additional algebraic structure), making the design potentially more practical.
Notice also that this strategy is closely related to the “decoupled design” for compound MIMO channels [29, Sect. VI]. Both strategies can indeed be combined, i.e., Bob’s code can also benefit from algebraic reduction. In this case both the original channel decoder and the code design can be greatly simplified, at the cost of an extra gap (i.e., an extra factor ) to the compound capacity.
VI Discussion
In this paper, we have presented a construction of nested lattice codes to achieve the secrecy capacity of compound MIMO wiretap channels, up to a gap equal to the number of transmit antennas. Compared to [28], the construction in this work is not only more practical, but also enjoys a smaller gap. With algebraic reduction, further simplification has been made, at the cost of an extra gap to the secrecy capacity. Interestingly, the algebraic approach reaffirms the important role of the dual lattice of in wiretap channels, first discovered in [28].
Encoding and decoding
Encoding and decoding are not much different from those of lattice codes for compound MIMO channels in [29]. The generalized Construction A employed in this paper may be viewed as a concatenated code, where the inner code is a lattice with some desired properties, while the outer code is an error correction code. Therefore, decoding can be run successively, which greatly reduces the decoding complexity. As for encoding, the discrete Gaussian shaping can be facilitated by choosing a nice base lattice, e.g., a rotated lattice whose Gaussian shaping is easy. There are highly efficient algorithms for Gaussian shaping over specific lattices [43], but more research is needed for Gaussian shaping over generalized Construction A. Practical implementation of the proposed codes is left as future work.
Comparison to other compound models
When the channel is known and the eavesdropper channel has bounded norm, [20] has shown that the eavesdropper’s worst channel is also isotropic. In this case the capacity can be achieved by decomposing the channels into different independent substreams with appropriate power, and applying independent coding for the Gaussian channel. This is also the case when has a linear uncertainty. In these cases, a combination of correct power allocation and a similar argument to Lemma 4 shows that semantic secrecy is also achievable by random lattice codes. On the other hand, the algebraic approach (Theorem 2) heavily relies on the fact that the channels in have the same white-input mutual information.
Finite-length performance
The results of this work are based on asymptotic analysis as . The practical performance of the proposed universal codes at finite block lengths warrants an investigation. In particular, how large is required to approach the promised gap in practice? For given , how far do practical codes perform from secrecy capacity? It may be a challenging problem to design good, practical universal codes.
As a further perspective, one may consider an “outage” analysis of the MIMO wiretap channel in a finite blocklength regime, where the channel matrices and may be random. In other words, one may analyze the probability that the code rate exceeds the secrecy capacity. In such scenarios, we believe that lattices with the non-vanishing determinant property will be able to provide universal bounds for the outage probability. We leave it as an open problem.
Appendix A Quantization of Channel Space
In this appendix we show bounds on the flatness factor in the quantized channel space, formalizing part (iii) in the proof of Lemma 4. Instead of performing the quantization directly in the eavesdropper space , we will consider the corresponding covariance matrices. Following the notation of Lemma 4, we have:
[TABLE]
where and . Let be the space of covariance matrices of the form , where can be any matrix in the space of eavesdropper matrices :
[TABLE]
By using the definition of the flatness factor, we can show the following:
Lemma 6.
Let be two matrices satisfying . If is sufficiently small, then is positive-definite and
[TABLE]
Proof.
For any we have Therefore
[TABLE]
∎
Suppose now that is a -quantizer for with cardinality , i.e., for all there exists such that . For any we have:
[TABLE]
where
[TABLE]
The last upper bound is universal, in the sense that it does not depend on the specific realization . Note that if the VNR condition is satisfied, namely , then the term decays exponentially in with exponent given by
[TABLE]
From this, we obtain the bound
[TABLE]
which holds for any . We can therefore choose a small (independently of ) such that the total exponent is negative. Since does not depend on , and can be made arbitrarily small, we obtain an exponential decay of the flatness factor.
Appendix B Simultaneous Goodness
From Section V, the construction of universally secure codes boils down to finding a sequence of pairs of nested lattices such that
- has vanishing probability of error: as ;
- has vanishing flatness factor: as ,
where we recall that is the effective noise, sub-Gaussian with covariance matrix , , and
[TABLE]
First suppose that and are fixed. Let be obtained by choosing uniformly in the set of all codes with parameters . Let be obtained by expurgating columns from . With this process, will also be chosen uniformly from all codes. We have:
[TABLE]
Convergence of both terms in the last equation is guaranteed to be exponentially fast. Indeed:
- The term tends to zero exponentially provided that , due to AWGN-goodness of .
- The term tends to zero exponentially provided that , due to Appendix A, Equation (30).
Furthermore, by considering the quantized channel spaces, similarly to Appendix A, we conclude that the convergence is universal. Therefore, there exists a pair of lattices where is universally AWGN-good and is universally secrecy-good, and Theorem 1 follows.
Remark 2.
Although the above argument only demonstrates the existence of a pair of good lattices, it is possible to show a concentration result on the performance of the ensemble of nested lattices. Suppose some exponential bound on (31) for some . Then, using Markov’s inequality, we have that for the ensemble of nested lattices considered,
[TABLE]
That is, with probability higher than over the choice of , (31) stays below . In other words, most of these nested lattices have a performance concentrating around .
Acknowledgment
The authors would like to thank Laura Luzzi and Roope Vehkalahti for helpful discussions.
[1] A. D. Wyner, “The wire-tap channel,” Bell System Technical Journal, vol. 54, pp. 1355–1387, Oct. 1975.
[2] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, “Wireless information-theoretic security,” IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2515–2534, June 2008.
[3] M. Bloch and J. Barros, Physical Layer Security: From Information Theory to Security Engineering. Cambridge University Press, 2011.
[4] Y. Liang, H. Poor, and S. Shamai, Information Theoretic Security. Foundations and Trends in Communications and Information Theory, Now Publishers, 2009.
[5] H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6428–6443, Oct. 2011.
[6] T. C. Gulcu and A. Barg, “Achieving secrecy capacity of the wiretap channel and broadcast channel with a confidential component,” IEEE Trans. Inf. Theory, vol. 63, no. 2, pp. 1311–1324, Feb. 2017.
[7] Y.-P. Wei and S. Ulukus, “Polar coding for the general wiretap channel,” in Proc. 2015 IEEE Inf. Theory Workshop, Jerusalem, Israel, April 2015, pp. 1–5.
[8] H. Tyagi and A. Vardy, “Universal hashing for information-theoretic security,” Proc. IEEE, vol. 103, no. 10, pp. 1781–1795, Oct. 2015.
