LDPC-BASED SECRET-SHARING SCHEMES FOR WIRETAP CHANNELS
By
CHAN WONG WONG
A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
UNIVERSITY OF FLORIDA
2011
© 2011 Chan Wong Wong
To my family
ACKNOWLEDGMENTS
First of all, I thank my advisers, Professor John Mark Shea and Professor Tan Foon
Wong.
In the past five years, I have acquired from Professor Shea a theoretical but also
practical approach towards research. I have also learned from Professor Shea how to
technically report and present my research findings. I still remember clearly that
when I was struggling with my research, Professor Shea showed enormous care and
patience to guide me through all the difficulties. I sincerely thank Professor Shea for his
support and guidance during my days at the University of Florida.
I am also indebted to Professor Wong who scrutinizes my research and makes
sure that there are no mistakes. I thank Professor Wong for spending numerous hours
meeting with me, teaching me not only to appreciate my research but also to think hard
and criticize my research to achieve better results. I am grateful to have the opportunity
to work with Professor Wong who is a role model for an enthusiastic, diligent and
independent researcher.
I thank Professor Yuguang Fang for his interest and valuable comments on my
research. I remember Professor Fang once told me in a class that we should all be
proud of who and where we are. I can say loud enough that I was, am and will always be
proud of being a Florida Gator.
I am grateful to have Professor Andrew Rosalsky from the Department of Statistics on my
committee. Professor Rosalsky taught one of the best courses, measure-theoretic
probability, I have ever had in my whole life. His course inspired me to explore a
relatively new area, statistics, for my future career, and I would like to thank him for
all the suggestions he has given me.
I also want to thank all WING members including Surendra Boppana, Dedeep
Chatterjee and Leenhapat Navararong for providing me not only a place to discuss
my research but also a place to relax and have fun. Special thanks should be given
to Byonghyok Choi who always acts like an elder brother to me and teaches me many
things which are invaluable to my life. I will never forget those wonderful afternoons we
walked together to Reitz Union to have Starbucks Coffee.
Looking back, meeting my wife, Hsuan Hsu, is the best thing that has happened
to me at the University of Florida. I can’t fully express how grateful I am to have her
in my life. For me, the best thing in the world is to experience all the up-and-down,
happiness-and-sadness in my life with her. I am also greatly appreciative of Shih-Fen
Yeh, my aunt-in-law, for her care and support over the last couple of years.
The list of thank-yous would not be complete without mentioning my life-long friends:
Chan-Ip Chan, Ivy Ip and Kaman Leong. I am lucky enough to meet them when I was
young. Although we are far away from each other, they are always the ones whom I can
trust and rely on.
In closing I want to thank my family for their love, care and support over the years.
My parents have never stopped me from pursuing my dream, even though it has often meant
that they needed to sacrifice themselves. Without them, none of the achievements in my life would
have ever materialized. I left my family to study abroad when I was 18. The only single
thing I have ever regretted is that I am not able to witness the growth and development
of my brother and sister. I thank them for taking over and shouldering my responsibilities
as the oldest son of the family so that I can concentrate on fulfilling my PhD degree.
I dedicate this dissertation to my family.
TABLE OF CONTENTS
page
ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
CHAPTER
1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2 FUNDAMENTALS OF SECRET SHARING . . . . . . . . . . . . . . . . . . . . 21
2.1 Notations . . . 21
2.2 Permissible Secret-Sharing Strategies and Relaxed Key Capacity . . . 21
2.3 Low-Density Parity-Check (LDPC) codes . . . 24
3 SECRET-SHARING LDPC CODES FOR BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL . . . 30
3.1 BPSK-constrained Gaussian Wiretap Channel . . . 30
3.2 Secret-Sharing Scheme Employing Regular LDPC Code Ensembles . . . 32
3.3 Secret-Sharing Scheme Employing Fixed Practical LDPC Codes . . . 39
3.3.1 Secret-Sharing Regular LDPC Codes . . . 41
3.3.2 Secret-Sharing Irregular LDPC Codes . . . 44
3.4 Summary . . . 48
4 AN LDPC-BASED SECRET-SHARING SCHEME OVER GAUSSIAN WIRETAP CHANNEL WITH PAM SYMBOLS . . . 51
4.1 Gaussian wiretap channel with PAM symbols . . . 51
4.2 LDPC-based Key-Agreement Scheme . . . 55
4.3 LDPC Codes Design and Performance . . . 62
4.4 Summary . . . 68
5 AN LDPC-BASED SECRET-SHARING SCHEME OVER FAST-FADING WIRETAP CHANNEL . . . 74
5.1 Fast-Fading Wiretap Channel . . . 74
5.2 LDPC-based Key-Agreement Scheme . . . 77
5.3 LDPC Codes Design and Performance . . . 80
5.4 Summary . . . 82
6 CONCLUSIONS . . . 85
APPENDIX
A PROOF OF THEOREM 2.1 . . . 88
A.1 Random Code Generation . . . 90
A.2 Secret Sharing Procedure . . . 91
A.3 Analysis of Probability of Error . . . 93
A.4 Secrecy Analysis . . . 101
B PROOF OF LEMMA 1 . . . 104
C PROOFS OF (3-2) AND (3-3) . . . 110
C.1 Proof of (3-2) . . . 110
C.2 Proof of (3-3) . . . 113
D LDPC CODE DESIGN FOR THE BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL . . . 115
D.1 BPSK-constrained Gaussian wiretap channel . . . 115
D.2 Secret LDPC coding scheme . . . 116
D.3 Codes design and performance . . . 119
D.4 Summary . . . 123
REFERENCES . . . 124
BIOGRAPHICAL SKETCH . . . 128
LIST OF TABLES
Table page
3-1 Degree distribution pairs of the rate-0.25 and rate-0.12 secret-sharing irregular LDPC codes. . . . 48
4-1 Degree distribution pairs of the rate-0.195 and rate-0.538 irregular LDPC codes. . . . 65
4-2 Degree distribution pairs of the rate-0.096 and rate-0.436 irregular LDPC codes. . . . 68
4-3 Degree distribution pairs of the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes. . . . 70
4-4 Degree distribution pairs of the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes. . . . 72
5-1 Degree distribution pairs of the rate-0.426, rate-0.362 and rate-0.276 irregular LDPC codes. . . . 80
D-1 Degree distribution pairs of the rate-0.541, rate-0.508 and rate-0.505 irregular LDPC codes. . . . 120
LIST OF FIGURES
Figure page
2-1 Examples of bipartite graphs of LDPC codes. . . . 26
2-2 The first and the second half iteration of the belief propagation algorithm. . . . 27
3-1 Comparison between the relaxed key capacities C_b and C_bq over the BPSK-constrained Gaussian wiretap channel. . . . 33
3-2 Plot of the (R_k, R_l)-trajectories achieved by the proposed secret-sharing scheme employing secret-sharing regular LDPC codes (C, W). . . . 42
3-3 Plot of the (R_k, R_l)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.25 secret-sharing irregular LDPC code. . . . 47
3-4 Plot of the (R_k, R_l)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.12 secret-sharing irregular LDPC code. . . . 49
4-1 Examples of M-ary Gray-mapped PAM constellation. . . . 52
4-2 Comparison between the R_l-relaxed (symmetric) key rate R_pq and the relaxed key capacity C_k of the Gaussian wiretap channel when α² = 0 dB and R_l = 0. . . . 55
4-3 Comparison between the R_l-relaxed (symmetric) key rates R_p and R_pq of the Gaussian wiretap channel when R_l = 0. . . . 56
4-4 Comparison between the R_l-relaxed key capacity C_pk and the R_l-relaxed (symmetric) key rate R_pq of the Gaussian wiretap channel when R_l = 0. . . . 57
4-5 Plot of the (R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.195 and rate-0.538 irregular LDPC codes. . . . 66
4-6 Plot of the (R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.096 and rate-0.436 irregular LDPC codes. . . . 69
4-7 Plot of the (R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes. . . . 71
4-8 Plot of the (R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes. . . . 73
5-1 The R_l-relaxed key capacity C_q of the fast Rayleigh fading wiretap channel for different values of α², where R_l = 0. . . . 76
5-2 Plot of the (2R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.426 irregular LDPC code. . . . 82
5-3 Plot of the (2R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.362 irregular LDPC code. . . . 83
5-4 Plot of the (2R_k, R_l) pair achieved by the modified key-agreement scheme employing the rate-0.276 irregular LDPC code. . . . 84
D-1 The secrecy capacity C_b of the BPSK-constrained Gaussian wiretap channel for different values of α². . . . 117
D-2 Plot of the (R_s, R_e) pairs achieved by the proposed coding scheme and by the coding scheme in [20] when P/σ² = 3.55 dB and α² = −4.4 dB. . . . 120
D-3 Plot of the (R_s, R_e) pair achieved by the proposed coding scheme when P/σ² = 1.0 dB and α² = −1.0 dB. . . . 122
Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
LDPC-BASED SECRET-SHARING SCHEMES FOR WIRETAP CHANNELS
By
Chan Wong Wong
December 2011
Chair: John M. Shea
Cochair: Tan F. Wong
Major: Electrical and Computer Engineering
This dissertation examines the practical design of secret-sharing schemes that
allow a source and a destination to share secret information over a wireless channel
so that the knowledge about that information at an eavesdropper or a wiretapper
is minimized. This model is the classical wiretap channel. When the objective of
secret sharing is for the source and destination to agree upon a secret key, it is
assumed that a public channel exists between the source and destination that they can
use to exchange information without any rate and power constraints; however, all public
communications are perfectly observed by the wiretapper. We propose a low-density
parity-check (LDPC)-based scheme to support secret-key agreement through a
combination of direct transmission from the source to destination over the wiretap
channel and information exchanges between them over the public channel. To rigorously
quantify the secrecy performance of the proposed key-agreement scheme, we introduce
the notion of relaxed key capacity, which is defined as the maximum achievable key rate
over the wiretap channel subject to the constraint that the leakage rate (about the key)
is bounded below a fixed value. We prove that the proposed key-agreement scheme,
which employs an ensemble of regular LDPC codes, can asymptotically achieve the
relaxed key capacity of the Gaussian wiretap channel with the constraints of binary
phase-shift-keyed (BPSK) source symbols and destination hard-decision quantization.
This asymptotic result provides a solid theoretical foundation that motivates us to
construct practically implementable key-agreement schemes using both fixed regular and
irregular LDPC codes. Moreover, the coding structure in the proposed key-agreement
scheme allows us to systematically and efficiently design good irregular LDPC codes
using a density-evolution based linear program. We demonstrate by simulation results
that the irregular LDPC codes obtained from the code search process outperform other
existing key-agreement schemes and provide secrecy performance close to the relaxed
key capacity of the Gaussian wiretap channel.
In this dissertation, we also suggest that the proposed key-agreement scheme
can be further improved by considering the use of punctured irregular LDPC codes.
Moreover, we extend the proposed key-agreement scheme to work in the Gaussian
wiretap channel with M-ary pulse-amplitude modulated (PAM) source symbols. We
show that the M-ary transmission can be transformed into M binary-input channels.
As a result, we can then assign the target key rate to the M binary-input channels
accordingly, and each of the M irregular LDPC codes will be designed individually for
the corresponding binary-input channel. The proposed key-agreement scheme can also
be applied to the fast Rayleigh fading wiretap channel in which the source is restricted
to transmit quadrature phase-shift-keyed (QPSK) symbols. We show that in such a
case, the in-phase (I) and quadrature-phase (Q-) components of the wiretap channel
can be separately considered. Thus we only need to design irregular LDPC codes for
the I-component, and the resulting codes will also work well for the Q-component. In
both cases, we present simulation results to show that the proposed key-agreement
scheme provides excellent secrecy performance by employing the irregular LDPC codes
obtained through the aforementioned code search process.
Finally, we demonstrate that the proposed secret-sharing scheme can be adopted
to the case when the objective of secret sharing is for the source to send a secret
message to the destination without the help of the public channel. An LDPC-based
coding scheme is proposed, and a density-evolution-based linear program is also developed to
find irregular LDPC codes that achieve good secrecy performance.
CHAPTER 1
INTRODUCTION
The growth of and demand for wireless technologies, devices and networks over
the last decade have fostered an increasing need for reliable and secure communication
schemes. Privacy and security issues are even more critical in wireless communications
than in wired networks because wireless communication is vulnerable to attacks like
channel jamming, unauthorized channel access and eavesdropping. Over the years,
solutions to these attacks have been engineered using a layered approach to simplify the
design of communication schemes. As examples of layered-specified security solutions,
spread spectrum modulation techniques are used with a spreading code to provide
features like low probability of detection, interception and localization to mitigate channel
jamming at the physical layer (PHY); admission control is handled at the medium access
control layer (MAC) to prevent unauthorized access; and cryptographic protocols like
RSA and AES are designed and implemented at the application layer to prevent
eavesdropping. The performance of cryptographic protocols is traditionally assessed
using the notion of computational security, which relies on the assumption that the
computing resources at the eavesdropper are limited. Essentially, computational security
ensures that the amount of computing time and/or memory required to recover some
information exceeds the value of that information.
Physical-layer security, on the other hand, is a new paradigm that focuses on
providing solutions to various issues of privacy and security using traditional physical
layer techniques. Physical-layer security aims at developing secure communication
schemes by exploiting channel characteristics such as channel fading and noise,
which have historically been viewed as impairments for data communication between
terminals. In addition, physical-layer security schemes are designed to provide
information-theoretic security or unconditional security, which offers a stricter sense
of security than conventional cryptography since no assumption on the computational
power of the eavesdropper (wiretapper) is required. In his seminal paper [1], Shannon
provided the first rigorous statistical and mathematical treatment of secrecy. He
considered a cryptographic system in which a source intends to send a message M
to a destination through an insecure channel. It is assumed that a wiretapper has perfect
access to the insecure channel, i.e., the wiretapper receives an identical copy of the
encoded message C received by the destination, where C is obtained as a function of
the message M. We note that M and C are usually referred to as plaintext and cipher-
text, respectively, in a cryptographic system. We also note that a secret key K is shared
between the source and destination. When the ciphertext C is statistically
independent of the message M, i.e., I(C; M) = 0, perfect secrecy is achieved [1].
Shannon proved that perfect secrecy can be achieved only when the secret key K
carries at least as much entropy as the message M, i.e., H(K) ≥ H(M). As a result, he stated that the
only encryption scheme satisfying the unconditional security criterion is the one-time
pad [1], in which the above entropy condition is met. Shannon's result presents a very big
challenge for achieving perfect secrecy because of the pessimistic assumption that the
wiretapper has access to precisely the same information as the destination. However,
this assumption is much more restrictive than has generally been realized. Wyner [2]
and later Csiszar and Korner [3] considered a more reasonable scenario in which the
wiretapper is assumed to receive the message through a channel that is noisier than
that of the destination. An even more general model in which the observations at the
destination and wiretapper are different but correlated is discussed in [4]. Moreover,
a weaker, but more convenient, notion of security was employed in [2–4], where the
objective of secure transmission is for the wiretapper's equivocation rate to be as
large as the information rate from the source to the destination.
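Shannon's condition can be checked by brute force for short messages. The following Python is an added illustration, not code from the dissertation or from [1]: it enumerates every (message, key) pair for XOR encryption, tabulates the joint distribution of (M, C) exactly, and evaluates I(C; M) = H(M) + H(C) − H(M, C). It goes slightly beyond the text in one respect: the last case shows that the requirement is on the key's entropy, not its length, since a message uniform over {00, 11} has H(M) = 1 bit and a single uniformly random key bit already gives I(C; M) = 0. The message distributions and bit lengths are chosen for the example.

```python
"""Exhaustive check of Shannon's perfect-secrecy condition I(C;M) = 0 for
XOR (one-time-pad style) encryption of short bit strings.  Added
illustration, not code from the dissertation: messages and keys are
enumerated over a few bits so the joint distribution of (M, C) can be
tabulated exactly and I(C;M) computed without sampling."""
import itertools
import math
from collections import Counter


def entropy(dist):
    """Shannon entropy in bits of a mapping value -> probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def xor_encrypt(message, key):
    """C = M xor K bitwise.  The key is cycled, so a key shorter than the
    message is reused, which is exactly what breaks perfect secrecy."""
    return tuple(m ^ key[i % len(key)] for i, m in enumerate(message))


def mutual_information(msg_len, key_len, msg_dist=None):
    """I(C;M) in bits when K is uniform over key_len bits and M is drawn
    from msg_dist (mapping bit-tuple -> probability; default: uniform
    over all msg_len-bit messages)."""
    messages = list(itertools.product((0, 1), repeat=msg_len))
    if msg_dist is None:
        msg_dist = {m: 1.0 / len(messages) for m in messages}
    keys = list(itertools.product((0, 1), repeat=key_len))
    joint = Counter()                       # Pr{M = m, C = c}
    for m, p_m in msg_dist.items():
        for k in keys:                      # K independent of M, uniform
            joint[(m, xor_encrypt(m, k))] += p_m / len(keys)
    marg_m, marg_c = Counter(), Counter()
    for (m, c), p in joint.items():
        marg_m[m] += p
        marg_c[c] += p
    # I(C;M) = H(M) + H(C) - H(M, C)
    return entropy(marg_m) + entropy(marg_c) - entropy(joint)


def is_perfectly_secret(msg_len, key_len, msg_dist=None, tol=1e-9):
    """True when the ciphertext is statistically independent of the message."""
    return abs(mutual_information(msg_len, key_len, msg_dist)) < tol


if __name__ == "__main__":
    # 2-bit uniform message: a 2-bit key gives I(C;M) = 0; a reused 1-bit
    # key leaks one full bit, because c1 xor c2 = m1 xor m2 is visible.
    print("2-bit message, 2-bit key:", mutual_information(2, 2))
    print("2-bit message, 1-bit key:", mutual_information(2, 1))
    # Constructed low-entropy source: M uniform over {00, 11}, so H(M) = 1
    # bit and one key bit is enough even though the message is 2 bits long.
    low_entropy = {(0, 0): 0.5, (1, 1): 0.5}
    print("H(M) = 1 bit, 1-bit key:", mutual_information(2, 1, low_entropy))
```

For a uniform 2-bit message the reused 1-bit key leaks exactly one bit (the parity of the two message bits is exposed in C), which is the quantitative content of H(K) ≥ H(M): the leakage is H(M) − H(K) whenever the key is shorter than the message's entropy.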
The wiretap channel, which was first introduced by Wyner [2] and later refined
by Csiszar and Korner [3], is probably the simplest and most well-known example
to illustrate the idea of physical-layer security. In the wiretap channel, a source
tries to send (secret) information to a destination in the presence of a wiretapper.
When the source-to-wiretapper channel¹ is a (physically) degraded version of the
source-to-destination channel, Wyner [2] showed that the source can transmit a
message at a positive (secrecy) rate to the destination by hiding the message under
the additional noise level seen by the wiretapper. Generalization of Wyner’s work to
the Gaussian wiretap channel was considered in [5]. The degradedness condition was
removed in [3], which showed that a positive secrecy rate is possible for the case where
the destination channel is “more capable” than the wiretapper channel.
In Wyner’s original paper, he described a code design based on group codes
for the wiretap channel. In [6], a code design based on coset codes was suggested
for the type II binary erasure wiretap channel, in which the destination channel is
error free. However, practical codes to achieve secrecy have only been found for a
very limited set of channels. The authors of [7] constructed low-density parity-check
(LDPC)-based wiretap codes for certain binary erasure channels (BECs) and binary
symmetric channels (BSCs). Reference [8] considered the design of secure nested codes
for type-II wiretap channels. Recently, references [9] and [10] concurrently established
the result that polar codes [11] can achieve the secrecy capacity of the degraded
binary-input symmetric-output (BISO) wiretap channels. Note that all these designs are
for codes with asymptotically large block lengths.
In some scenarios, it is sufficient for two nodes to agree upon a common secret
(a key), instead of having to send secret information from one to the other. Under
this relaxed criterion, it is shown in [12] that, with the use of a feedback channel, a
positive key rate is achievable when the destination and wiretapper channels are
two conditionally independent (given the source input symbols) memoryless binary
¹ The source-to-wiretapper and source-to-destination channels will hereafter be referred to as the wiretapper and destination channels, respectively.
channels, even if the destination channel is not more capable than the wiretapper
channel. This notion of secret sharing is formalized in [4] based on the concept of
common randomness between the source and destination, where two different system
models, namely the “source model with wiretapper” (SW) model and the “channel
model with wiretapper” (CW) model, are studied. The CW model is similar to the
(discrete memoryless) wiretap channel model that we have discussed above. The
SW model differs in that the random symbols observed at the source, destination, and
wiretapper are realizations of a discrete memoryless source with multiple components.
Assuming the availability of an interactive, authenticated public channel with unlimited
capacity between the source and destination, a three-phase process for achieving secret
sharing over the wiretap channel is suggested in [12]. The three phases are advantage
distillation, information reconciliation and privacy amplification, in that order. Advantage
distillation aims to provide the destination an advantage over the wiretapper. Information
reconciliation aims at generating an identical random sequence between the source
and destination by exploiting the public channel. Privacy amplification is the step that
extracts a secret key from the identical random sequence agreed upon by the source and
destination.
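The three phases run end to end on constructed data, as an added example (this is not code from the dissertation or from [12]): the wiretap channel is simulated as two binary symmetric channels with fixed error patterns, the destination's with at most one error per 7-bit block and the wiretapper's with more, which stands in for advantage distillation; information reconciliation publishes one Hamming(7,4) syndrome per block over the public channel, and both the destination and the wiretapper apply it to their own copies; privacy amplification hashes the reconciled string with a Toeplitz matrix drawn from a public seed. The key length is budgeted as n·h(p) minus the number of published syndrome bits, with the wiretapper's crossover probability p assumed to be 0.25 (14 of 56 bits). The Hamming code, the error patterns, the budget formula and the seed are all assumptions of the example; the dissertation's schemes use LDPC codes and size the key by the relaxed key capacity instead.

```python
"""Toy run of the three-phase secret-sharing process of [12]: advantage
distillation, information reconciliation over the public channel and
privacy amplification.  Added illustration, not code from the
dissertation.  The Hamming(7,4) reconciliation code, the fixed channel
error patterns and the Toeplitz hash are constructed for the example."""
import math
import random

# Parity-check matrix of the Hamming(7,4) code.  Column j (1-based) is the
# binary expansion of j with the least significant bit in the first row.
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
N = 7  # block length; each block publishes a 3-bit syndrome


def syndrome(block):
    """H * block^T over GF(2), as a tuple of 3 bits."""
    return tuple(sum(h & b for h, b in zip(row, block)) % 2 for row in H)


def correct_block(block, target):
    """Flip the single bit that moves syndrome(block) onto target.  The
    syndrome difference is the 1-based index of the differing bit, so one
    error per block is repaired and two or more are not."""
    d = [a ^ b for a, b in zip(syndrome(block), target)]
    pos = d[0] + 2 * d[1] + 4 * d[2]
    out = list(block)
    if pos:
        out[pos - 1] ^= 1
    return out


def bsc(bits, flips):
    """Binary symmetric channel with a constructed error pattern: `flips`
    is the set of bit positions the channel inverts."""
    return [b ^ (i in flips) for i, b in enumerate(bits)]


def publish_syndromes(source_bits):
    """Phase 2, source side: the message sent over the public channel."""
    return [syndrome(source_bits[i:i + N]) for i in range(0, len(source_bits), N)]


def apply_syndromes(received_bits, public):
    """Phase 2, receiver side.  Anyone holding a noisy copy (destination or
    wiretapper) corrects it block by block with the published syndromes."""
    out = []
    for k, s in enumerate(public):
        out += correct_block(received_bits[k * N:(k + 1) * N], s)
    return out


def binary_entropy(p):
    """h(p) in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def key_budget(n, public, p_wiretap):
    """Phase 3 sizing (assumption: the wiretapper channel is a BSC with
    crossover p_wiretap).  Before reconciliation the wiretapper lacks about
    n*h(p) bits of X; every published syndrome bit is seen by it too, so
    roughly n*h(p) - |public| key bits remain extractable."""
    leaked = sum(len(s) for s in public)
    return max(0, math.floor(n * binary_entropy(p_wiretap)) - leaked)


def toeplitz_hash(bits, out_len, seed):
    """Universal hashing with a Toeplitz matrix whose diagonals are drawn
    from `seed`; the seed itself may travel over the public channel."""
    n = len(bits)
    rng = random.Random(seed)
    diag = [rng.randrange(2) for _ in range(out_len + n - 1)]
    return tuple(sum(diag[i - j + n - 1] & bits[j] for j in range(n)) % 2
                 for i in range(out_len))


def run_protocol(p_wiretap=0.25, seed=7):
    """End-to-end run on constructed data; returns the parties' keys and
    bookkeeping about whether reconciliation succeeded."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(8 * N)]   # 56 bits over the wiretap channel
    # Phase 1 (advantage distillation) is modelled by the channel itself:
    # the destination sees at most one error per block, the wiretapper more.
    y = bsc(x, {2, 9, 20, 31, 45})
    z = bsc(x, {0, 1, 5, 9, 12, 15, 23, 24, 28, 33, 38, 40, 49, 52})
    public = publish_syndromes(x)                 # Phase 2: public channel
    y_hat = apply_syndromes(y, public)
    z_hat = apply_syndromes(z, public)            # wiretapper's best attempt
    k = key_budget(len(x), public, p_wiretap)     # Phase 3: privacy amplification
    return {"key_bits": k,
            "source": toeplitz_hash(x, k, seed),
            "dest": toeplitz_hash(y_hat, k, seed),
            "wiretapper": toeplitz_hash(z_hat, k, seed),
            "dest_reconciled": y_hat == x,
            "wiretapper_reconciled": z_hat == x}


if __name__ == "__main__":
    r = run_protocol()
    print(f"{r['key_bits']} key bits; destination agrees: {r['source'] == r['dest']}; "
          f"wiretapper recovered X: {r['wiretapper_reconciled']}")
```

The same public syndromes are handed to the wiretapper, whose copy has two or more errors in most blocks; single-error correction then leaves it with a string that still differs from X, and since the Toeplitz hash is linear its key differs from the shared one unless the residual error vector falls in the hash's null space, which happens with probability about 2⁻²¹ over the choice of seed. The budget n·h(p) − |syndromes| is the crude accounting behind the leakage-rate constraint that the dissertation formalizes as the relaxed key capacity.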
Information reconciliation is the most studied and most essential part of any
secret-sharing scheme. It falls into the category of secrecy extraction from correlated
sources and has close connections to the problem of source coding with side information.
Perhaps the most well-known practical application of reconciliation protocols is quantum
cryptography, where nonorthogonal states of a quantum system provide two terminals
with correlated observations of randomness which are at least partially secret from a
potential eavesdropper. Many works [13]–[19] have been devoted to the study of
information reconciliation for both discrete and continuous random variables in quantum
key distribution (QKD) schemes. For the case of discrete random variables, Cascade
is an iterative reconciliation protocol first proposed by Brassard and Salvail in [13].
Despite being highly interactive, Cascade is the most widely used reconciliation protocol
in practical QKD setups because of its simplicity and reasonable efficiency. Variations
around the principle of interactive reconciliation used in Cascade have since been
proposed to limit the interactivity. For example, LDPC codes have been employed in [19]
to reduce the interactivity and improve the efficiency of Cascade. On the other hand,
the work on slice error correction (SEC) [15], which converts continuous variables
into binary strings and makes use of interactive error-correcting codes, is the first
reconciliation protocol for continuous random variables. Modern coding techniques
like turbo codes [14] and LDPC codes [16–18] have been used extensively within
information reconciliation protocols for continuous random variables.
Another area of application of reconciliation protocols is (secret) key agreement
over wireless channels. Many LDPC-based works have been proposed to exploit
channel reciprocity for secrecy. An LDPC-based method for secrecy extraction
from jointly Gaussian random sources generated by a Rayleigh fading model has
been studied in [17]. In [18], multilevel coding/multistage decoding (MLC/MSD)-like
reconciliation using LDPC codes has been proposed for a quasi-static Rayleigh fading
wiretap channel.
In [20], a coding scheme based on punctured LDPC codes for Gaussian wiretap
channels was presented to reduce the security gap, which expresses the quality
difference between the destination channel and wiretapper channel required to achieve
a sufficient level of security. In this scheme, information to be kept secret is punctured
at the output of the channel encoder to make it more difficult for the wiretapper to
recover. To further reduce the security gap, non-systematic LDPC codes have also
been exploited to perform reconciliation in the Gaussian wiretap channel in [21], where the
information bits are scrambled before encoding. Unfortunately, the criterion of security
gap does not readily translate into the notion of information-theoretic secrecy employed
by Wyner [2].
In this dissertation, we consider the problem of secret sharing (secret key
agreement) over wiretap channels. Our main goal is to develop a coding structure
based on which practical “close-to-capacity” secret-sharing (key-agreement) codes can
be constructed. Finite block length and moderate encoder/decoder complexity are the
two main practical constraints that we consider when designing these codes. Moreover,
the ability to admit a systematic and efficient code design is another focus in developing
such a coding structure. In accordance with Wyner's notion of information-theoretic
secrecy, the performance of our designs will be measured by the rate of secret
information shared between the source and destination (which will be referred to as
the key rate) as well as the rate of information that is leaked to the wiretapper through
all its observations of the wiretap and public channels (which will be referred to as the
leakage rate).
The organization of this dissertation is as follows. To rigorously gauge the secrecy
performance of our code designs, Chapter 2 reviews the classes of permissible
secret-sharing strategies suggested in [4] and then introduces the notion of relaxed key
capacity, which is the maximum key rate that can be achieved over the wiretap channel
provided that the leakage rate is bounded below a fixed value. LDPC codes, which are
used extensively throughout this dissertation, are also summarized and discussed in
Chapter 2. Chapter 3 presents a secret-sharing scheme employing an ensemble of
regular LDPC codes for the Gaussian wiretap channel with binary phase-shift-keyed (BPSK)
source symbols and hard-decision destination quantization. We prove that the proposed
secret-sharing scheme achieves the relaxed key capacity with asymptotically large
block length. We note that a similar LDPC-based key-agreement scheme employing
observations of correlated discrete stationary sources at the source, destination, and
wiretapper was studied in [16]. A more detailed comparison between our scheme and
the one proposed in [16] will be provided in the sequel. The aforementioned asymptotic
result provides a reasonable theoretical justification for designing practical secret-sharing
schemes based on the proposed coding structure. We thus propose to replace
the regular LDPC code ensemble with fixed LDPC codes that are more amenable
to practical implementation. We also describe a code search process based on
density-evolution analysis to obtain good irregular LDPC codes for use in the proposed
secret-sharing scheme. In Chapter 4, the proposed secret-sharing scheme is extended
and improved to include the case in which the source transmits M-ary equiprobable
pulse-amplitude modulation (PAM) symbols. We show that the secret-sharing problem
can be translated into the design of M irregular LDPC codes, each of which is
designed to work over the corresponding equivalent binary-input wiretap channel. The
proposed code search process will then be modified to systematically design irregular
LDPC codes to achieve good secrecy performance. In Chapter 5, the fast-fading wiretap
channel is considered. We show that the in-phase and quadrature-phase components
of the fast-fading wiretap channel can be considered separately. Slight modifications are
also made to the proposed secret-sharing scheme and code search process to work
over the fast-fading wiretap channel. Finally, conclusions will be given in Chapter 6.
CHAPTER 2
FUNDAMENTALS OF SECRET SHARING
2.1 Notations
We start by introducing some notation used throughout this dissertation. Scalars
are denoted by normal letters x, random variables by capital letters X, and
matrices by boldface letters X. In the rest of the dissertation, we use x^n
and x interchangeably to represent the row vector constructed from the sequence {x_1, x_2, ..., x_n}.
We also use (·)^T, (·)^* and (·)^{−1} to denote the transpose, conjugate
transpose and inverse of a matrix, respectively. The (Shannon) entropy of a random
variable and the (Shannon) mutual information between two random variables are
denoted by H(·) and I(·; ·), respectively. We use Pr{A} to denote the probability of an
event A. The probability density function (pdf) of a (continuous) random variable X is
denoted by p_X(x), and the conditional density of X given another (continuous) random
variable Y is denoted by p_{X|Y}(x|y). Throughout this dissertation, we drop the subscripts
of pdfs whenever the random variables concerned are well specified by the arguments of
the pdfs.
2.2 Permissible Secret-Sharing Strategies and Relaxed Key Capacity
In [2], Wyner introduced the classical wiretap channel which consists of three
terminals, namely a source, a destination and an eavesdropper (wiretapper). The source
attempts to send a secret message to a destination in the presence of a wiretapper.
The wiretap channel is defined by a triple (X ,Y ,Z), where X is the symbol sent by the
source, and Y and Z denote the corresponding symbols observed by the destination
and wiretapper, respectively. In this dissertation, we consider the wiretap channel to
be memoryless and specified by the conditional pdf pY ,Z |X (y , z |x). In addition, we
restrict ourselves to cases in which Y and Z are conditionally independent given X ,
i.e., pY ,Z |X (y , z |x) = pY |X (y |x)pZ |X (z |x), which is a reasonable model for the nature of
broadcasting in wireless communication. In addition to the wiretap channel, there is an
interactive, authenticated, public channel with unlimited capacity between the source
and destination. Here, interactive means that the channel is two-way and can be used
multiple times, authenticated and public mean that the wiretapper can perfectly observe
all communications over the public channel but cannot tamper with the messages
transmitted, and unlimited capacity means that the channel is noiseless and has infinite
capacity. The objective of secret sharing is for the source and destination to share secret
information, that is obscure to the wiretapper, by exploiting common randomness [4]
available to them through the wiretap channel. The common randomness is to be
extracted by a proper combination of transmission from the source to the destination
through the wiretap channel (X ,Y ,Z) and information exchanges between them over
the public channel. To systematically tackle the problem of secret sharing, a class of
permissible secret-sharing strategies, which is described in detail below, is elegantly
suggested in [4]. Consider $t$ time instants labeled by $1, 2, \ldots, t$, respectively. The wiretap
channel is used $n$ times during these $t$ time instants at $i_1 < i_2 < \cdots < i_n$. Set $i_{n+1} = t$.
The public channel is used for the other $(t - n)$ time instants. Before the secret-sharing
process starts, the source and destination generate, respectively, independent random
variables $M_X$ and $M_Y$. Then a permissible strategy proceeds as follows:
• At time instant $0 < i < i_1$, the source sends message $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$ to the destination, and the destination sends message $\Psi_i = \Psi_i(M_Y, \Phi^{i-1})$ to the source. Both transmissions are carried over the public channel.
• At time instant $i = i_j$ for $j = 1, 2, \ldots, n$, the source sends the symbol $X_j = X_j(M_X, \Psi^{i_j - 1})$ to the wiretap channel. The destination and wiretapper observe the corresponding symbols $Y_j$ and $Z_j$. There is no message exchange via the public channel; i.e., $\Phi_i$ and $\Psi_i$ are both null.
• At time instant $i_j < i < i_{j+1}$ for $j = 1, 2, \ldots, n$, the source sends message $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$ to the destination, and the destination sends message $\Psi_i = \Psi_i(M_Y, Y^j, \Phi^{i-1})$ to the source. Both transmissions are carried over the public channel.
At the end of the $t$ time instants, the source generates its secret key $K = K(M_X, \Psi^t)$,
and the destination generates its secret key $L = L(M_Y, Y^n, \Phi^t)$, where $K$ and $L$ take
values from the same finite set $\mathcal{K}$.
Slightly extending the achievable key rate definition in [4], for Rl ≥ 0, we call (R,Rl)
an achievable key-leakage rate pair through the wiretap channel (X ,Y ,Z) if for every
ε > 0, there exists a permissible secret-sharing strategy of the form described above
such that
1. $\Pr\{K \ne L\} < \varepsilon$,
2. $\frac{1}{n} I(K; \Phi^t, \Psi^t) < \varepsilon$,
3. $\frac{1}{n} I(K; Z^n \mid \Phi^t, \Psi^t) < R_l + \varepsilon$,
4. $\frac{1}{n} H(K) > R - \varepsilon$, and
5. $\frac{1}{n} \log_2 |\mathcal{K}| < \frac{1}{n} H(K) + \varepsilon$
for sufficiently large $n$. Condition 1 means that the source and the destination have
indeed generated a common key with a small probability of error. Condition 2 restricts
that the public messages (the messages conveyed through the public channel) contain
a negligible rate of information about the key, while Condition 3 limits to $R_l$ the rate of key
information that the wiretapper can extract from its own channel observations given the
public messages. Note that Condition 3 is trivially satisfied if $R_l \ge \frac{1}{n}\log_2|\mathcal{K}|$. When
$R_l = 0$, we note that Conditions 2 and 3 combine to essentially give the original condition
$\frac{1}{n} I(K; Z^n, \Phi^t, \Psi^t) < \varepsilon$ of the achievable key rate definition in [4]¹. Condition 4 defines the
rate of the secret key achieved, and Condition 5 means that the distribution of the key is
nearly uniform. For the cases in which the alphabet of $X$ is not finite, we also impose the
following power constraint on the symbol sequence $X^n$ sent out by the source:

$$\frac{1}{n}\sum_{j=1}^{n} |X_j|^2 \le P \qquad (2–1)$$

with probability one (w.p.1) for sufficiently large $n$. We note that the idea of key-leakage
rate pair is similar to that of the secrecy-equivocation rate pair originally defined in [2].

¹ When $R_l > 0$, if the combined condition $\frac{1}{n} I(K; Z^n, \Phi^t, \Psi^t) < R_l + \varepsilon$ is employed
instead of Conditions 2 and 3, then it is easy to see that if $(R, R_l)$ is an achievable key-leakage rate pair, $(R + r, R_l + r)$ is also achievable, for any $r \ge 0$, by simply transmitting the additional key information (of rate $r$) through the public channel. Separating the two conditions as suggested avoids such an artificial consequence of the combined condition.
The Rl -relaxed key capacity is defined as the maximum value of R such that
(R,Rl) is an achievable key-leakage rate pair. The main reason for us to introduce the
notion of relaxed key capacity is to employ it as a gauge to measure the performance
of practical codes later presented in this dissertation. Since these codes have finite
block lengths and are to be decoded by the belief propagation (BP) algorithm, they do
not achieve zero leakage rate. Thus using the relaxed key capacity provides a more
suitable comparison than using the original “straight” key capacity in [4]. Also, since
these practical codes do not give zero leakage rate, their use could be considered as an
information-reconciliation step. The secrecy performance could be further improved by
additional privacy amplification.
In general, the (secret) key capacity for wiretap channels remains a challenging
open problem. On the other hand, for wiretap channels that satisfy the aforementioned
conditional independence requirement, we have the following result, whose proof is
given in Appendix A:
Theorem 2.1. The Rl -relaxed key capacity of the memoryless wiretap channel (X ,Y ,Z)
with conditional pdf p(y , z |x) = p(y |x)p(z |x) is given by
$$C_K(R_l) = \max_{X:\ E[|X|^2] \le P} \Big[\min\{I(X;Y) - I(Y;Z) + R_l,\ I(X;Y)\}\Big].$$
2.3 Low-Density Parity-Check (LDPC) codes
One of the major reasons for making secret-sharing schemes practically implementable
was the development of capacity-approaching codes with reasonable encoding/decoding
complexity. In this section, we provide a review of an important class of capacity
approaching codes, namely low-density parity-check (LDPC) codes [22, 23], which
will be used extensively throughout this dissertation. LDPC codes were proposed by
Gallager in 1962 [22, 24]. However, the full potential of these codes was not realized
until almost 35 years later when they were “rediscovered” by MacKay and Neal [23]. The
primary reason that these codes were forgotten by the coding community is that at the
time of their development by Gallager, these codes could not be used in any practical
communication scheme because of insufficient computational power.
LDPC codes are linear block codes characterized by the corresponding parity-
check matrix H, which is a non-systematic and sparse matrix. The set of codewords
of an LDPC code can be expressed as the null space of the corresponding $H$, i.e., $\mathbf{x}$
is a codeword if and only if $\mathbf{x} H^T = \mathbf{0}$. Gallager proposed a class of LDPC codes that
are now referred to as regular LDPC codes because they have an equal number of 1s
in each row and column of their parity-check matrices. An (n, l) (j , k)-regular LDPC
code has a parity-check matrix with n columns, n − l rows, j 1’s per column, and k 1’s
per row. A useful observation is that an LDPC code can be represented as a Tanner
graph [25], which is a bipartite graph, between a set of variable nodes and check nodes.
For example, Figure 2-1A shows the bipartite graph of the (12, 6) (3, 6)-regular LDPC
code with parity-check matrix
$$H = \begin{bmatrix}
1 & 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 1 \\
1 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 \\
0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 1 & 0
\end{bmatrix}. \qquad (2–2)$$
In Figure 2-1, the variable nodes correspond to the code symbols, and the check nodes
correspond to the parity-check constraints from the parity-check matrix. For regular
LDPC codes, each type of nodes has the same number of connections to the other
type of nodes. The number of connections is called the degree of the nodes. Since the
parity-check matrix has low density, the degree of each type of nodes is small.

Figure 2-1. Examples of bipartite graphs of LDPC codes. A: Bipartite graph of the (12, 6) (3, 6)-regular LDPC code. B: Bipartite graph of an irregular LDPC code.
Figure 2-2. The first and the second half iteration of the belief propagation algorithm. A: The first half iteration (messages from variable node $V_j$ to check node $C_i$). B: The second half iteration (messages from check node $C_i$ to variable node $V_j$).

The performance of LDPC codes was further improved by their generalization to
irregular LDPC codes that have varying numbers of 1's in the rows and columns of
their parity-check matrices. This is equivalent to allowing different nodes in the Tanner
graph to have different degrees. Irregular LDPC codes are specified by their variable-
and check-node degree distribution polynomials, namely $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ and
$\rho(x) = \sum_{i=2}^{d_c} \rho_i x^{i-1}$, where $\lambda_i$ ($\rho_i$) represents the fraction of edges emanating from
the variable (check) nodes of degree $i$. The code rate associated with the (irregular)
LDPC codes with degree distribution pair $(\lambda, \rho)$ is given by $1 - \frac{\int_0^1 \rho(x)\,dx}{\int_0^1 \lambda(x)\,dx}$. The bipartite
graph of an irregular LDPC code with degree distribution pair $\lambda(x) = 0.4x + 0.6x^2$ and
$\rho(x) = 0.6x^2 + 0.4x^3$ is shown in Figure 2-1B. The early work on irregular LDPC codes
was focused on the design of codes for the erasure channel that have good performance
and low encoding and decoding complexity [26–28]. Rather than finding specific codes,
however, the techniques in [26–28] give ways to find degree distributions for ensembles
of codes that offer good average performance. This approach was extended in [29, 30]
to many other channels, including the binary-input additive white Gaussian noise
(AWGN) channel. By optimizing the degree distribution, irregular LDPC codes can
achieve performance extremely close to the channel capacity. For example, irregular
LDPC codes have been designed that can achieve performance within 0.0045 dB of the
capacity of the binary-input AWGN channel [31].
LDPC codes can be decoded using belief propagation algorithms (BPAs), which
can be visualized as computing and exchanging soft-information iteratively among the
variable and check nodes in the Tanner graph. Let $\mathbf{d} = (d_1, \ldots, d_n)$ be the transmitted
codeword, and $\mathbf{y} = \mathbf{d} + \mathbf{n}$ be the received sequence. The BPAs estimate the a posteriori
LLRs for the coded bits,

$$L(d_i) = \log\left(\frac{\Pr\{d_i = +1 \mid \mathbf{y}\}}{\Pr\{d_i = -1 \mid \mathbf{y}\}}\right), \qquad (2–3)$$
for i = 1, ... , n. Note that unlike turbo codes [32], LDPC codes are typically non-systematic
codes, and the BPA estimates the values for the coded bits, not the message bits. The
message bits can be recovered from the estimated codeword through matrix operations.
In BPAs, computation is performed at each vertex of the graph, and messages are
exchanged along the edges. For the LDPC codes, the vertices are either check nodes
or variable nodes. Although many different message-passing schedules are possible,
it is convenient to discuss the BPA as an iterative process in which each iteration
consists of two steps. In the first step, the check nodes perform computations on
messages received from the variable nodes. In the second step, the variable nodes
perform computation on messages received from the check nodes. BPAs are usually
performed under the assumption that the messages involved in the algorithm are
independent. Although this is true for certain types of graphs, such as trees, it is not true
for most codes of interest, including the LDPC codes. Thus, the resulting algorithm is an
approximation to the MAP decoder, even if the computations performed at the variable
and check nodes are done according to the MAP rule.
The sum-product algorithm (SPA) (cf. [33]) is the most popular form of BPA to
decode LDPC codes because of its simple implementation. We now briefly overview
the SPA as follows. The variable nodes input messages consisting of the channel
LLRs $L(y_j)$ and extrinsic information from the check nodes. Let $l_k(d_j)$ be the extrinsic
information from the $k$th check node about coded bit $j$, and let $l^i(d_j)$ be the sum of the
channel LLR and extrinsic information about coded bit $j$ to the $i$th check node. Then by
applying the independence assumption, $l^i(d_j)$ is the sum of the LLRs received on all of
the edges into the variable node $j$, except for the LLR received on the edge from check
node $i$. That is,

$$l^i(d_j) = L(y_j) + \sum_{k \ne i} l_k(d_j).$$
This processing is illustrated in Figure 2-2A. Note that at the beginning of the first
iteration, the variable nodes have not received any messages yet, so the variable node
$j$ has only the LLR of the channel observation $L(y_j)$. Each variable node passes a
message equal to the channel LLR $L(y_j)$ along its edges to each of the check nodes to
which it is connected.
Each check node enforces a parity-check equation from the low-density parity-check
matrix of the LDPC code. Let $s_i \in \{+1, -1\}$ denote the associated parity of the
$i$-th parity-check equation². The check nodes use the messages from the variable
nodes to compute extrinsic information to pass back to the variable nodes. The extrinsic
information about bit $d_j$ from check node $i$, $l_i(d_j)$, is given by [34]

$$l_i(d_j) = 2\tanh^{-1}\left\{ s_i \prod_{\ell \ne j} \tanh\left(\frac{l^i(d_\ell)}{2}\right) \right\} \qquad (2–4)$$
and illustrated in Figure 2-2B. After some stopping criterion has been met, the decoder
computes the LLR and makes a decision on the bits $d_j$ according to

$$\hat{d}_j = \mathrm{sgn}\left\{ L(y_j) + \sum_i l_i(d_j) \right\},$$

where sgn is the signum function. We note that the above SPA is known as the
probability-domain SPA. Similar to the probability-domain Viterbi [35] and
Bahl-Cocke-Jelinek-Raviv (BCJR) [36] algorithms, the probability-domain SPA suffers
from numerical instability because it involves multiplications of probabilities. Thus, a
log-domain version of the SPA is usually preferred for practical implementation.

² In conventional LDPC codes, $s_i = +1$ for all $i$.
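As an added illustration of the material in this section (this code is not part of the dissertation), the following Python builds the Tanner graph of the (12, 6) (3, 6)-regular code with the parity-check matrix in (2–2), checks its regularity, and runs the sum-product decoder of (2–3) and (2–4) on a constructed BPSK-over-AWGN received vector; the bit-to-symbol map 0 → +1, the unit noise variance and the received values are assumptions made here, and the `parity` argument lets the check signs $s_i$ of footnote 2 be set explicitly.

```python
import math

# Parity-check matrix H of the (12, 6) (3, 6)-regular LDPC code in (2-2).
H = [
    [1, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0],
    [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1],
    [1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1],
    [0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0],
    [0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0],
]


def tanner_graph(H):
    """Edges of the bipartite graph: the variable nodes attached to each check
    node and the check nodes attached to each variable node."""
    checks = [[j for j, h in enumerate(row) if h] for row in H]
    variables = [[i for i, row in enumerate(H) if row[j]] for j in range(len(H[0]))]
    return checks, variables


def is_regular(H, j_ones, k_ones):
    """True if every column has j_ones 1's and every row has k_ones 1's."""
    checks, variables = tanner_graph(H)
    return all(len(c) == k_ones for c in checks) and all(len(v) == j_ones for v in variables)


def channel_llr(y, sigma2):
    """Channel LLRs L(y_j) = 2 y_j / sigma^2 for BPSK over AWGN with noise variance
    sigma2 (assumed map: bit 0 -> +1, bit 1 -> -1, so a positive LLR favours bit 0)."""
    return [2.0 * yj / sigma2 for yj in y]


def syndrome(H, bits):
    """Parity of each check equation for a hard-decision bit vector."""
    return [sum(h * b for h, b in zip(row, bits)) % 2 for row in H]


def spa_decode(H, llr, max_iter=50, parity=None):
    """Sum-product decoding. parity[i] is the sign s_i of check i in (2-4);
    conventional codes use s_i = +1 for all i, which is the default."""
    checks, variables = tanner_graph(H)
    m, n = len(H), len(llr)
    s = parity or [1] * m
    target = [0 if si == 1 else 1 for si in s]        # syndrome the decisions must reach
    v2c = {(i, j): llr[j] for i in range(m) for j in checks[i]}  # first messages: channel LLRs
    c2v = {(i, j): 0.0 for i in range(m) for j in checks[i]}
    total = list(llr)
    bits = [0 if v >= 0 else 1 for v in total]
    for it in range(1, max_iter + 1):
        # first half iteration: check node i -> variable node j, eq. (2-4)
        for i in range(m):
            for j in checks[i]:
                prod = s[i]
                for lv in checks[i]:
                    if lv != j:
                        prod *= math.tanh(v2c[(i, lv)] / 2.0)
                prod = max(min(prod, 1.0 - 1e-12), -1.0 + 1e-12)  # keep atanh finite
                c2v[(i, j)] = 2.0 * math.atanh(prod)
        # second half iteration: a posteriori LLR (2-3) and extrinsic messages to each check
        total = [llr[j] + sum(c2v[(i, j)] for i in variables[j]) for j in range(n)]
        for j in range(n):
            for i in variables[j]:
                v2c[(i, j)] = total[j] - c2v[(i, j)]
        bits = [0 if t >= 0 else 1 for t in total]
        if syndrome(H, bits) == target:               # stopping criterion: all checks satisfied
            return bits, total, it
    return bits, total, max_iter


def demo():
    """Constructed example: the all-zero codeword (all +1) is sent and two received
    samples land on the wrong side of zero; unit noise variance is assumed."""
    y = [1.0] * 12
    y[2], y[8] = -0.3, -0.3
    return spa_decode(H, channel_llr(y, 1.0))
```

The two weakly negative samples are outvoted by the three checks each bit participates in, so the decoder returns the all-zero codeword after a single iteration.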
CHAPTER 3 SECRET-SHARING LDPC CODES FOR BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL
Inspired by the achievability proof of Theorem 2.1 (cf. Appendix A), we will develop
a secret-sharing scheme employing the powerful LDPC codes in this chapter. Our main
goal is to develop a practical secret-sharing scheme such that a systematic and efficient
approach to code design can be constructed to find LDPC codes that give good secrecy
performance.
3.1 BPSK-constrained Gaussian Wiretap Channel
In this chapter, we focus on the Gaussian wiretap channel in which the destination
and wiretapper channels are both AWGN channels. We also restrict the source to
transmit only BPSK symbols. More specifically, let Xi ∈ {±1} be the i th transmit
symbol from the source, and let Yi and Zi be the corresponding received symbols at
the destination and wiretapper, respectively. The Gaussian wiretap channel can then be
modeled as
$$Y_i = \beta X_i + N_i, \qquad Z_i = \alpha\beta X_i + \tilde{N}_i, \qquad (3–1)$$

where $N_i$ and $\tilde{N}_i$ are i.i.d. zero-mean Gaussian random variables of variance $\sigma^2$. Note
that $\beta$ is the gain of the BPSK symbols transmitted by the source. By the source power
constraint (2–1), we have $\beta^2 \le P$. Also, $\alpha$ is a positive constant which models the
gain advantage of the wiretapper over the destination. Let the (noise-)normalized
gain be $\tilde{\beta} = \beta/\sigma$. Then the received signal-to-noise ratios (SNRs) at the destination
and wiretapper are $\beta^2/\sigma^2$ and $\alpha^2\beta^2/\sigma^2$, respectively. Clearly, the Gaussian wiretap
channel satisfies the memoryless and conditional independent properties required in
Theorem 2.1.
Specializing Theorem 2.1 to the BPSK-constrained Gaussian wiretap channel, it is
not hard to show¹ that the $R_l$-relaxed key capacity is given by

$$C_b(R_l) = \max_{0 \le \tilde\beta \le \sqrt{P/\sigma^2}} \left\{ \min\left\{ \frac{1}{2\pi}\int_0^\infty\!\!\int_0^\infty H_2\!\left(\frac{1 + e^{-2\tilde\beta y}\, e^{-2\alpha\tilde\beta z}}{[1 + e^{-2\tilde\beta y}]\,[1 + e^{-2\alpha\tilde\beta z}]}\right) [1 + e^{-2\tilde\beta y}]\,[1 + e^{-2\alpha\tilde\beta z}]\, \exp\!\left[-\frac{(y - \tilde\beta)^2}{2} - \frac{(z - \alpha\tilde\beta)^2}{2}\right] dy\,dz + R_l,\ 1 \right\} - \frac{1}{\sqrt{2\pi}}\int_0^\infty H_2\!\left(\frac{1}{1 + e^{-2\tilde\beta y}}\right)\left(1 + e^{-2\tilde\beta y}\right)\exp\!\left[-\frac{(y - \tilde\beta)^2}{2}\right] dy \right\}, \qquad (3–2)$$

where $H_2(p) = -p\log_2 p - (1-p)\log_2(1-p)$ is the binary entropy function. We note
that Cb(Rl) is achieved when X is equiprobable; however, it is not necessarily achieved
by transmitting at the maximum allowable power P.
The achievability proof of Theorem 2.1 (cf. Appendix A) employs random Wyner-Ziv
coding, in which the received symbols at the destination need to be quantized due to
the fact that the channel alphabet at the destination in the Gaussian wiretap channel
is continuously distributed. In this chapter, we consider a simple symbol-by-symbol
hard-decision quantization scheme in which the $i$th quantized destination symbol is
$\tilde{Y}_i = \mathrm{sgn}(Y_i)$. Note that this quantization is suboptimal and leads to a loss in key
capacity. We quantify this loss by applying Theorem 2.1 to the BPSK-constrained
Gaussian wiretap channel with hard-decision quantization at the destination to calculate
the $R_l$-relaxed key capacity $C_{bq}(R_l)$. Using the standard notation $Q(x) = \int_x^\infty \frac{e^{-u^2/2}}{\sqrt{2\pi}}\,du$, it
is not hard to establish¹ that

$$C_{bq}(R_l) = \max_{0 \le \tilde\beta \le \sqrt{P/\sigma^2}} \Big[\min\{C_s(\tilde\beta) - C_w(\tilde\beta) + R_l,\ C_s(\tilde\beta)\}\Big], \qquad (3–3)$$

where

$$C_s(\tilde\beta) = 1 - H_2(Q(\tilde\beta)) \qquad (3–4)$$

$$C_w(\tilde\beta) = 1 - \frac{1}{\sqrt{2\pi}}\int_0^\infty H_2\!\left(\frac{Q(\tilde\beta) + [1 - Q(\tilde\beta)]\,e^{-2\alpha\tilde\beta z}}{1 + e^{-2\alpha\tilde\beta z}}\right)[1 + e^{-2\alpha\tilde\beta z}]\, \exp\!\left[-\frac{(z - \alpha\tilde\beta)^2}{2}\right] dz \qquad (3–5)$$

are, respectively, the capacities of the quantized-destination-to-source and
quantized-destination-to-wiretapper channels at normalized gain $\tilde\beta$. Like before, $C_{bq}(R_l)$
is achieved when $X$ is equiprobable, but it is not necessarily achieved by transmitting at
the maximum allowable power $P$.

¹ For the proofs of (3–2) and (3–3), see Appendix C.
To visualize the loss in key capacity, Figure 3-1 illustrates Cb(Rl) and Cbq(Rl) versus
the maximum allowable SNR (P/σ2) for different values of Rl . We can see that the
loss in key capacity due to the hard-decision quantization is no more than 0.07 bits per
(wiretap) channel use (bpcu) for the cases shown.
3.2 Secret-Sharing Scheme Employing Regular LDPC Code Ensembles
As mentioned above, the achievability proof of Theorem 2.1 in Appendix A employs
a secret-sharing scheme with random Wyner-Ziv coding. For the BPSK-constrained
Gaussian wiretap channel with destination hard-decision quantization, we show in this
section that a secret-sharing scheme that employs a properly constructed ensemble of
regular LDPC codes can also asymptotically achieve the Rl -relaxed key capacity. We
design practical secret-sharing schemes for the BPSK-constrained Gaussian wiretap
channel in Section 3.3 based on the LDPC coding structure proposed here.
To start describing the proposed secret-sharing scheme, let us consider an
(n, l) binary linear block code C with 2l distinct codewords of length n and an (l −
k)-dimensional subspace W in C. The pair (C,W) defines what we call an (n, l , k)
secret-sharing binary linear block code. Given any such (C,W) pair, let K be the
quotient of $\mathcal{C}$ by $\mathcal{W}$. Then $\mathcal{K}$ is a linear space of $2^k$ distinct cosets of the form $x^n + \mathcal{W}$,
where $x^n \in \mathcal{C}$. We will use the coset index in $\mathcal{K}$ as the secret key. We will see later that
the ordering of the cosets in $\mathcal{K}$ is immaterial. The ratios $R_c = l/n$ and $R_k = k/n$ will be
referred to as the code rate and key rate of the $(n, l, k)$ secret-sharing binary linear block
code, respectively.

Figure 3-1. Comparison between the relaxed key capacities $C_b$ and $C_{bq}$ over the BPSK-constrained Gaussian wiretap channel: $C_b$ or $C_{bq}$ (bpcu) versus $P/\sigma^2$ (dB), for $R_l \in \{0, 0.1\}$ and $\alpha^2 \in \{0\ \mathrm{dB}, 5\ \mathrm{dB}\}$.
Next, we consider the following random ensemble of (n, l , k) secret-sharing binary
linear block codes:
• The $(n, l)$ linear block code $\mathcal{C}$ is chosen uniformly from the ensemble of $(d_v, d_c)$-regular LDPC codes considered in [29]. That is, we consider that $\mathcal{C}$ is chosen uniformly from the set of all bipartite graphs [25] with $n$ degree-$d_v$ variable nodes and $n - l$ degree-$d_c$ check nodes.
• The subspace $\mathcal{W}$ is chosen uniformly over the set of all possible $(l - k)$-dimensional subspaces in $\mathcal{C}$.

Note that a realization of the randomly chosen $\mathcal{C}$ may actually have $2^{l'}$ distinct codewords,
where $l' > l$. In such a case, $\mathcal{K}$ will be of dimension $k + l' - l$; so the actual key rate will be
larger than $R_k$. Hence, we can conservatively assume $\mathcal{C}$ is always an $(n, l)$ linear code
with $2^l$ distinct codewords to simplify the notation below.
Consider the following secret-sharing scheme:
1. Random source transmission and destination quantization: The source randomly generates a sequence $X^n$ of $n$ i.i.d. equally likely BPSK symbols and transmits them consecutively over the Gaussian wiretap channel $(X, Y, Z)$. The destination receives the sequence $Y^n$ and obtains the quantized sequence $\tilde{Y}^n$ by performing symbol-by-symbol hard-decision quantization on $Y^n$, i.e., $\tilde{Y}_j = \mathrm{sgn}(Y_j)$. This quantization effectively turns the source-to-destination channel into a BSC, whose cross-over probability depends on the SNR of the original source-to-destination channel. We note that the wiretapper also observes $Z^n$ through the source-to-wiretapper channel.
2. Syndrome generation through LDPC encoding at destination: The next step is for the destination to feed a compressed version of $\tilde{Y}^n$ back to the source through the public channel so that the source can resolve the differences between $X^n$ and $\tilde{Y}^n$. This is similar to the problem considered in [37] of compressing an equiprobable memoryless binary source with side information using LDPC codes. More precisely, the destination selects $(\mathcal{C}, \mathcal{W})$ randomly from the ensemble of secret-sharing $(d_v, d_c)$-regular LDPC codes described above. It then generates the syndrome sequence $S^{n-l} = \tilde{Y}^n H^T$, where $H$ is a parity-check matrix of $\mathcal{C}$. We note that each $S^{n-l}$ uniquely corresponds to a coset $E^n_S + \mathcal{C}$. Further, the destination determines to which coset in $\mathcal{K}$ the codeword $X^n_0 = \tilde{Y}^n + E^n_S \in \mathcal{C}$ belongs. Denote that coset by $X^n_0 + \mathcal{W}$. Finally, the destination sends $E^n_S$, $\mathcal{C}$, and $\mathcal{W}$ back to the source via the public channel.
3. Decoding at source: The source then tries to decode for $X^n_0$ from observing $X^n$ and $E^n_S$ according to $(\mathcal{C}, \mathcal{W})$. Treating $X^n + E^n_S$ as a noisy version of $X^n_0$, it performs maximum likelihood (ML) decoding to obtain a codeword in $\mathcal{C}$ and then determines to which coset in $\mathcal{K}$ the decoded codeword belongs. Denote that coset by $\hat{X}^n_0 + \mathcal{W}$.
4. Key generation at source and destination: The destination sets its key $L$ to be the index of $X^n_0 + \mathcal{W}$ in $\mathcal{K}$. Similarly, the source sets its key $K$ to be the index of $\hat{X}^n_0 + \mathcal{W}$ in $\mathcal{K}$.
It is clear that this secret-sharing scheme is permissible. Indeed, under the notation of
Section 2.2, for the proposed secret-sharing scheme, $t = n + 1$, $i_j = j$ for $j = 1, 2, \ldots, n$,
$M_X = X^n$, $M_Y = (\mathcal{C}, \mathcal{W})$, and $\Psi_{n+1} = (E^n_S, \mathcal{C}, \mathcal{W})$ is the only message sent via the public
channel. Hence, we can evaluate the secrecy performance of the scheme in the context
of its achievable key rate defined in Section 2.2 as follows.
First, based on the linearity of LDPC codes, the memoryless nature of the
Gaussian wiretap channel, the chosen distribution of $X^n$, and the symbol-by-symbol
hard decision performed to obtain $\tilde{Y}^n$ at the destination, it is easy to check that
$H(\tilde{Y}^n) = n$, $H(E^n_S \mid \mathcal{C}, \mathcal{W}) = n - l$, $H(L \mid \mathcal{C}, \mathcal{W}) = k$, and $I(L; E^n_S \mid \mathcal{C}, \mathcal{W}) = 0$. Then,
$0 \le I(L; E^n_S, \mathcal{C}, \mathcal{W}) = I(L; \mathcal{C}, \mathcal{W}) = H(L) - H(L \mid \mathcal{C}, \mathcal{W}) \le k - k = 0$. Hence,
$I(L; E^n_S, \mathcal{C}, \mathcal{W}) = 0$, $I(L; \mathcal{C}, \mathcal{W}) = 0$, and $H(L) = k$. If the decoding process at the source
achieves the ensemble average error probability $\epsilon_s$, then we have $\Pr\{K \ne L\} \le \epsilon_s$.
Thus, $H(K \mid L) \le 1 + k\epsilon_s$ and $H(L \mid K) \le 1 + k\epsilon_s$ by Fano's inequality [38]. That in turn
implies

$$\frac{1}{n} I(K; E^n_S, \mathcal{C}, \mathcal{W}) = \frac{1}{n}\Big[I(L; E^n_S, \mathcal{C}, \mathcal{W}) + I(K; E^n_S, \mathcal{C}, \mathcal{W} \mid L) - I(L; E^n_S, \mathcal{C}, \mathcal{W} \mid K)\Big] \le \frac{1}{n} I(K; E^n_S, \mathcal{C}, \mathcal{W} \mid L) \le \frac{1}{n} H(K \mid L) \le R_k \epsilon_s + \frac{1}{n}$$

and

$$\frac{1}{n} H(K) = \frac{1}{n}\Big[H(L) + H(K \mid L) - H(L \mid K)\Big] \ge R_k - R_k \epsilon_s - \frac{1}{n}. \qquad (3–6)$$
Hence, Conditions 2 and 5 in Section 2.2 are satisfied when n is sufficiently large if ϵs
can be made arbitrarily small. Similarly,
$$\begin{aligned}
I(K; Z^n, E^n_S, \mathcal{C}, \mathcal{W}) &= I(L; Z^n, E^n_S, \mathcal{C}, \mathcal{W}) + I(K; Z^n, E^n_S, \mathcal{C}, \mathcal{W} \mid L) - I(L; Z^n, E^n_S, \mathcal{C}, \mathcal{W} \mid K) \\
&\le I(L; Z^n, E^n_S, \mathcal{C}, \mathcal{W}) + I(K; Z^n, E^n_S, \mathcal{C}, \mathcal{W} \mid L) \\
&\le I(L; Z^n, E^n_S, \mathcal{C}, \mathcal{W}) + H(K \mid L) \\
&\le I(L; Z^n, E^n_S, \mathcal{C}, \mathcal{W}) + k\epsilon_s + 1 \\
&= I(L; Z^n, E^n_S \mid \mathcal{C}, \mathcal{W}) + k\epsilon_s + 1, \qquad (3–7)
\end{aligned}$$

where the last line is due to the fact that $I(L; \mathcal{C}, \mathcal{W}) = 0$. Here,

$$\begin{aligned}
I(L; Z^n, E^n_S \mid \mathcal{C}, \mathcal{W}) &= H(L \mid \mathcal{C}, \mathcal{W}) + H(E^n_S \mid Z^n, \mathcal{C}, \mathcal{W}) - H(L, E^n_S \mid Z^n, \mathcal{C}, \mathcal{W}) \\
&= H(L \mid \mathcal{C}, \mathcal{W}) + H(E^n_S \mid Z^n, \mathcal{C}, \mathcal{W}) + H(\tilde{Y}^n \mid Z^n, L, E^n_S, \mathcal{C}, \mathcal{W}) - H(L, E^n_S, \tilde{Y}^n \mid Z^n, \mathcal{C}, \mathcal{W}) \\
&\le H(L \mid \mathcal{C}, \mathcal{W}) + H(E^n_S \mid \mathcal{C}, \mathcal{W}) + H(\tilde{Y}^n \mid Z^n, L, E^n_S) - H(\tilde{Y}^n \mid Z^n, \mathcal{C}, \mathcal{W}) \\
&= H(L \mid \mathcal{C}, \mathcal{W}) + H(E^n_S \mid \mathcal{C}, \mathcal{W}) + H(\tilde{Y}^n \mid Z^n, L, E^n_S) - H(\tilde{Y}^n) + I(\tilde{Y}^n; Z^n), \qquad (3–8)
\end{aligned}$$
where the last equality follows from the fact that $(\tilde{Y}^n, Z^n)$ is independent of $(\mathcal{C}, \mathcal{W})$. Also
$I(\tilde{Y}^n; Z^n) = n I(\tilde{Y}; Z) = n C_w(\tilde\beta)$ because of the memoryless nature of the channel
from $\tilde{Y}^n$ to $Z^n$ and of the fact that $\Pr(\tilde{Y} = +1) = \Pr(\tilde{Y} = -1) = 0.5$ achieves the
capacity of this channel. Moreover, consider a fictitious receiver at the wiretapper trying
to decode for $\tilde{Y}^n$ from observing $Z^n$, $E^n_S$, and $X^n_0$ (or $L$ equivalently). Suppose that the
ensemble average error probability achieved by this receiver, employing ML decoding, is
$\epsilon_w$. Then we have $H(\tilde{Y}^n \mid Z^n, L, E^n_S) \le 1 + (l - k)\epsilon_w$ again by Fano's inequality. Putting all
these and (3–8) back into (3–7), we obtain

$$\frac{1}{n} I(K; Z^n \mid E^n_S, \mathcal{C}, \mathcal{W}) \le \frac{1}{n} I(K; Z^n, E^n_S, \mathcal{C}, \mathcal{W}) \le C_w(\tilde\beta) - (R_c - R_k) + R_k\epsilon_s + (R_c - R_k)\epsilon_w + \frac{2}{n}. \qquad (3–9)$$
The preceding secrecy analysis of the proposed secret-sharing scheme based on
the secret-sharing regular LDPC code ensembles allows us to arrive at the following
result:
Theorem 3.1. Fix $\tilde\beta > 0$. Suppose that $C_w(\tilde\beta) \le R_c \le C_s(\tilde\beta)$. For any $R_l \ge 0$, choose
$R_k = \min\{R_c - C_w(\tilde\beta) + R_l,\ R_c\}$. Then $(R_k, R_l)$ is an achievable key-leakage rate
pair through the BPSK-constrained Gaussian wiretap channel with symbol-by-symbol
hard-decision destination quantization. Moreover, this rate pair can be achieved by the
aforementioned secret-sharing scheme using the secret-sharing (dv , dc)-regular LDPC
code ensemble described before when n increases.
Proof. First, suppose that $R_c < C_s(\tilde\beta)$ and $R_l > 0$. Since $R_c \ge C_w(\tilde\beta)$, $R_k > 0$. Then
$R_c - R_k = \max\{C_w(\tilde\beta) - R_l, 0\} < C_w(\tilde\beta)$. Thus, by (3–9), if we can show that there is a
pair $(d_v, d_c)$ such that $R_c = 1 - d_v/d_c$, and both $\epsilon_s$ and $\epsilon_w$ in the preceding discussion vanish
as n increases, then Condition 3 in Section 2.2 will be satisfied when n is sufficiently
large. From the preceding discussion, Conditions 1, 2, and 5 will also be satisfied.
Comparing (3–6) and Condition 4, we see then that (Rk ,Rl) will be an achievable
key-leakage pair. The existence of such pair (dv , dc) results from the following lemma,
whose proof is an adaptation of the arguments in [39, Theorem 3] to the proposed
secret-sharing (dv , dc)-regular LDPC code ensemble. The details are presented in
Appendix B.
Lemma 1. Consider the ensemble average error probabilities ϵw and ϵs achieved by
the respective ML decoders at the source and wiretapper of the secret-sharing (dv , dc)-
regular LDPC code ensemble mentioned above. For any fixed $\tilde\beta > 0$, suppose that
$R_c < C_s(\tilde\beta)$ and $R_c - R_k < C_w(\tilde\beta)$. Then, there exists a choice of $(d_v, d_c)$ such that
1. $R_c = 1 - d_v/d_c$,
2. $\epsilon_w$ decreases exponentially (polynomially) with increasing $n$ for $R_k > 0$ (for $R_k = 0$), and
3. $\epsilon_s$ decreases polynomially with increasing $n$.
Finally, note that the before-imposed restrictions Rc < Cs(β) and Rl > 0 can be
removed since the key-leakage rate region is closed.
A comparison of Theorem 3.1 and (3–3) shows that the restriction to the secret
sharing regular LDPC code ensemble described in this section does not reduce
the relaxed key capacity of the BPSK-constrained Gaussian wiretap channel with
destination hard-decision quantization.
As mentioned in Chapter 1, a similar LDPC-based key-agreement scheme
employing observations of correlated discrete stationary sources at the source,
destination, and wiretapper was studied in [16]. After Step 1) of our proposed secret
sharing scheme, the observations X n, Y n, and Z n at the three terminals can be
viewed as generated from correlated sources; thus reducing our model to the one
considered in [16]², except that the wiretapper alphabet is continuous in our case. As
in our scheme, the scheme in [16] has the syndrome Sn−l of Y n sent to the source.
On the other hand, the key in [16] is obtained by calculating the syndrome of Y n with
respect to another independently selected LDPC code. The scheme in [16] is shown to
achieve key capacity via a similar approach as ours. First, the consideration of leakage
information is converted to that of the error probabilities achieved by decoders at the
source and wiretapper by an upper bound similar to (3–9) for a pair of fixed LDPC
codes (cf. Eqn. (3–10)). Then, the existence of a fixed code pair with vanishing error
probabilities is shown via a ML decoding error analysis of the code ensemble based
on the method of types [40]. Because of the continuous wiretapper alphabet, the ML
decoding error analysis in [16] does not directly apply to our case. Hence, we have
opted for the combined union and Shulman-Feder bounding technique in [39], which
does, however, require the BISO nature of the channel from the (quantized) destination
to the wiretapper. Obviously, Lemma 1 also implies the existence of a fixed (C,W)
from the secret-sharing regular LDPC ensemble with vanishing decoding errors in our
design, and hence the use of this fixed (C,W) is also sufficient to achieve the relaxed
key capacity in our case.
² Our destination and source correspond to the sender and receiver in [16], respectively. For convenience, we employ our terminology here when referring to the scheme in [16].
Expressed in our notation, elements in the LDPC code ensemble of [16] are also
of the form (C,W). For our ensemble, W is (conditionally) uniformly distributed over
the set of all subspaces of a given C. For the ensemble of [16], W is (conditionally)
uniformly distributed over the set of subspaces of C specified by the concatenation of
the parity matrices of C and another properly chosen regular LDPC code. While each
element in the ensemble of [16] is also an element of our ensemble, the two ensembles
are different since the respective (conditional) uniform distributions for W are defined
over two different sets of subspaces. In a sense, the ensemble of [16] is more restrictive
since W also needs to be an LDPC code. The discussion in this section shows that the
LDPC structure needs to be imposed only on C but not on W. This bears significance in
the design of practical codes because the design based on one LDPC structure derived
from our ensemble is much simpler, as will be illustrated in the following section.
3.3 Secret-Sharing Scheme Employing Fixed Practical LDPC Codes
In practice, it is not realistic to employ the secret-sharing regular LDPC code
ensemble and ML decoding at the source as suggested in Section 3.2, for even
moderate values of n. In this section, we investigate the secrecy performance of a
secret-sharing scheme similar to the one suggested in Section 3.2, but with fixed
choices of (C,W) from the secret-sharing regular LDPC code ensemble and more
practical BP decoding. In addition, from the proof of Lemma 1 in Appendix B, the values
of dv and dc need to be large in order for the ensemble average error probabilities ϵw
and ϵs to decrease with n, and hence to achieve the relaxed key capacity. As large
values of dv and dc increase the graph complexity of an LDPC code, and hence the
complexity of BP decoding, we have to limit ourselves to small values of dv and dc . To
alleviate the shortcoming of regular LDPC codes with small dv and dc , we also consider
the use of more-efficient irregular LDPC codes in the proposed secret-sharing scheme.
We consider the secret-sharing scheme described in Section 3.2, except that the secret-sharing code (C, W) is fixed and is known to the source and destination (and also the wiretapper) beforehand. Here, we consider the (fixed) code C chosen from ensembles of regular and irregular LDPC codes. The details will be discussed later. For convenience in the key generation step (and later in the search for good irregular LDPC codes), the subspace W is chosen as follows. Referring back to Step 2) of the scheme, choose a lower triangular version³ of H, for example by performing Gaussian elimination on the connection matrix of the bipartite graph of C as discussed in [41]. Hence, H = [A, B] where B is an (n − l) × (n − l) lower triangular matrix. Write Y^n = [d^l, e^{n−l}] where d^l and e^{n−l} are row vectors containing l and n − l elements, respectively. Then the syndrome, the codeword and the coset leader are

$$S^{n-l} = d^l A^T + e^{n-l} B^T, \qquad X_0^n = [d^l,\ d^l A^T (B^{-1})^T], \qquad E_S^n = [0^l,\ S^{n-l}(B^{-1})^T].$$

Note that d^l contains the systematic bits of the codeword X_0^n while d^l A^T (B^{-1})^T contains the parity bits, and that Y^n = X_0^n + E_S^n. The subspace W is chosen to be the set of codewords obtained by setting the first k bits⁴ in the vector d^l above to zero. The quotient space K is isomorphic to the set of codewords obtained by setting the last l − k bits in the vector d^l to zero. Hence we can use the first k bits in d^l as the key. Since (C, W) is known to the source beforehand, there is no need to feed it back to the source via the public channel in Step 2) of the secret-sharing scheme. Step 3) of the scheme is modified to replace ML decoding by the practical BP decoding.

³ We can, without loss of generality, assume H to be of full rank, as discussed before. Alternatively, an approximate lower triangular version of H as described in [41] can also be used if efficient encoding is needed.

⁴ It is easy to see that the secrecy performance is the same for any choice of k bits in d^l for the BP decoders described below.

First, it is unlikely that the above fixed choice of W results in an LDPC code. Hence, the fixed coding scheme suggested here is different from that of [16]. Second, the secrecy analysis of Section 3.2 can be easily modified to reflect the use of the fixed secret-sharing code (C, W) mentioned above. In particular, the upper bound on the leakage rate in (3–9) becomes

$$\frac{1}{n} I(K; Z^n \mid E_S^n) \le C_w(\beta) - (R_c - R_k) + R_k \epsilon_s + (R_c - R_k)\epsilon_w + \frac{2}{n}, \qquad (3–10)$$
where ϵs and ϵw are now the error probabilities achieved by the BP decoders at the
source and wiretapper, respectively. Since the bound above is derived from Fano’s
inequality, it applies for any decoder (ML, BP, etc.), and the value of the bound depends
on the choices of decoders only through ϵs and ϵw . Below, we perform computer
simulation to estimate ϵs and ϵw and then employ (3–10) to bound the leakage rates
achieved by (C,W) constructed from different choices of finite block length LDPC codes
as described above. More specifically, suppose that the key rate of a secret-sharing LDPC code (C, W) is R_k and the ϵ_s obtained from simulation is small. Setting R_l to the value of the bound (3–10) obtained in this way, we consider (R_k, R_l) a key-leakage rate pair achievable by (C, W).
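As an added worked example (not code from the dissertation), the following Python script carries out the destination-side computation described above on a constructed toy parity-check matrix H = [A, B] with n = 7, l = 4 and k = 2: it forms the syndrome S^{n−l} = Y^n H^T, the coset leader E_S^n = [0^l, S^{n−l}(B^{-1})^T] by forward substitution through the lower triangular B, the systematic codeword X_0^n = Y^n + E_S^n, and the key as the first k systematic bits. It also enumerates C and the subcode W by brute force (feasible only at toy sizes) and evaluates the right-hand side of (3–10) for sample values of C_w(β), R_c, R_k, ϵ_s, ϵ_w and n. The matrices, the vector Y^n and the sample rate values are constructed for illustration; they are not the n = 10^5 LDPC codes or the simulated error probabilities reported in this section. The Section 4.2 construction, which runs the same syndrome and coset-leader computation on [L^k, Ŷ^n] with a parity-check matrix of C′, is included as a thin wrapper.

```python
"""Worked example of the fixed (C, W) construction of Section 3.3 and of the
leakage bound (3-10). Everything here is constructed for illustration: the toy
parity-check matrix, the quantized vector y, and the sample rate values."""
from itertools import product

# Constructed toy parity-check matrix H = [A, B]: n = 7, l = 4, so n - l = 3 checks.
# B is lower triangular with a unit diagonal, hence invertible over GF(2).
A = [[1, 1, 0, 1],
     [1, 0, 1, 1],
     [0, 1, 1, 1]]
B = [[1, 0, 0],
     [1, 1, 0],
     [0, 1, 1]]
H = [ra + rb for ra, rb in zip(A, B)]     # H = [A, B], size (n-l) x n
N = len(H[0])                             # block length n
L = N - len(H)                            # dimension l of C (H has full rank)
K = 2                                     # key length k: first k systematic bits of d^l


def syndrome(h, y):
    """s = y H^T over GF(2), one bit per parity check."""
    return [sum(hi * yi for hi, yi in zip(row, y)) % 2 for row in h]


def solve_lower_triangular(b, s):
    """Solve B e^T = s^T over GF(2) by forward substitution (B lower triangular, unit diagonal)."""
    e = []
    for i, row in enumerate(b):
        acc = sum(row[j] * e[j] for j in range(i)) % 2
        e.append((s[i] + acc) % 2)
    return e


def coset_leader(a, b, s):
    """E_S = [0^l, s (B^-1)^T]: the coset representative with all-zero systematic part."""
    return [0] * len(a[0]) + solve_lower_triangular(b, s)


def reconcile(a, b, y, k):
    """Destination-side Step 2 for a quantized vector y = [d^l, e^{n-l}]:
    returns (syndrome S, coset leader E_S, codeword X_0 = y + E_S, key = first k bits of d^l)."""
    h = [ra + rb for ra, rb in zip(a, b)]
    s = syndrome(h, y)
    e = coset_leader(a, b, s)
    x0 = [(yi + ei) % 2 for yi, ei in zip(y, e)]
    return s, e, x0, x0[:k]


def reconcile_punctured(a, b, local_key, y):
    """Section 4.2 variant: the key bits are drawn locally and prepended, so the
    syndrome is [L, y] H'^T and the channel never carries the key bits themselves."""
    return reconcile(a, b, list(local_key) + list(y), len(local_key))


def codewords(h):
    """Brute-force listing of C (all length-n words with zero syndrome); toy sizes only."""
    n = len(h[0])
    return [list(v) for v in product((0, 1), repeat=n) if not any(syndrome(h, v))]


def subcode_w(h, k):
    """W: codewords whose first k systematic bits are zero; the quotient C/W carries the key."""
    return [c for c in codewords(h) if not any(c[:k])]


def leakage_bound(cw, rc, rk, eps_s, eps_w, n):
    """Right-hand side of (3-10): an upper bound on (1/n) I(K; Z^n | E_S^n)."""
    return cw - (rc - rk) + rk * eps_s + (rc - rk) * eps_w + 2.0 / n


if __name__ == "__main__":
    y = [1, 0, 1, 1, 0, 1, 0]             # constructed quantized destination vector
    s, e, x0, key = reconcile(A, B, y, K)
    print("syndrome", s, "coset leader", e, "codeword", x0, "key", key)
    print("|C| =", len(codewords(H)), "|W| =", len(subcode_w(H, K)))
    print("bound (3-10) at C_w=0.5, R_c=0.25, R_k=0.2, eps=0.01, n=1e5:",
          leakage_bound(0.5, 0.25, 0.2, 0.01, 0.01, 10**5))
```

The forward substitution is what makes the lower triangular form convenient: the coset leader costs O((n − l)·d_c) operations instead of a dense matrix inverse, and because E_S^n has an all-zero systematic part, adding it to Y^n leaves d^l (and hence the key bits) untouched.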
3.3.1 Secret-Sharing Regular LDPC Codes
We start by evaluating the secrecy performance of using regular LDPC codes with
small dv and dc in the secret-sharing scheme described above. First, we pick C from
the rate-0.25 (3, 4)-regular LDPC code ensemble by realizing the random bipartite
graph experiment described in [29] and then remove all length-4 loops in the realization.
The block length n of the LDPC code is set to 10^5. As mentioned above, we need to
estimate the values of ϵs and ϵw from computer simulation. To get ϵs , BP decoding is
implemented at the source. Similarly, a BP decoder is implemented for the fictitious
receiver at the wiretapper to obtain ϵw . In order to provide information about L to the
latter decoder, the intrinsic log-likelihood ratios (LLRs) of the first k elements in d l , which
are associated with L, are explicitly set to ±∞ according to the true bit values. While
this method may not be the optimal way to feed information of L to the BP decoder, we
choose to employ it because of its simplicity and the fact that this method also allows simple density evolution analysis, which will be used to search for good irregular LDPC codes in Section 3.3.2 below.

[Figure 3-2: R_k or C_bq (bpcu) on the vertical axis versus R_l (bpcu) on the horizontal axis. Curves: proposed scheme, rate-0.25 (3,4)-regular LDPC code; C_bq at P/σ² = −0.15 dB, α² = 0 dB; proposed scheme, rate-0.4 (3,5)-regular LDPC code; C_bq at P/σ² = 2 dB, α² = 0 dB; [16]: (3,5)/(1,3)-regular LDPC code.]
Figure 3-2. Plot of the (R_k, R_l)-trajectories achieved by the proposed secret-sharing scheme employing secret-sharing regular LDPC codes (C, W).
Figure 3-2 shows the trajectory of (R_k, R_l) achievable by the rate-0.25 secret-sharing (3, 4)-regular LDPC code (C, W) when the maximum allowable SNR P/σ² is limited to −0.15 dB and α² = 0 dB. Different values of R_k on the trajectory shown are obtained by varying the value of k (i.e., the dimension of W also changes). When obtaining each shown pair (R_k, R_l), we choose β², up to P/σ², such that ϵ_s ≤ 0.01, ϵ_w ≤ 0.01 and the bound in (3–10) is minimized. For any so-obtained pair (R_k, R_l) located to the right of the 45° line in Figure 3-2, the bound (3–10) becomes too loose, and the pair is not plotted.
From Figure 3-2, we observe that the pair (Rk ,Rl) = (0.2, 0.139) gives the smallest
(bound on) leakage rate that is achievable by the rate-0.25 secret-sharing (3, 4)-regular
LDPC code in the proposed scheme.
Next, we try to compare the secrecy performance of our secret-sharing scheme
to that of [16]. As discussed near the end of Section 3.2, the scheme of [16] requires
a pair of independently chosen regular LDPC codes. Since no practical code designs
or examples are provided in [16], we choose an LDPC code pair for the scheme of [16]
that is similar to the choice of our secret-sharing code above for comparison. For the
scheme of [16], the first LDPC code is set to be C above (i.e., the rate-0.25 (3, 4)-regular
LDPC code). The other code C ′ (from which the secret key is generated) is chosen
independently from another regular LDPC code ensemble such that the result achieves
a desired key rate Rk (cf. [7]). Note that only a few values of Rk are possible if dv and dc
are restricted to have small values. Again, as discussed near the end of Section 3.2, the
pair (C, C ′) can be expressed in our (C,W) notation. As such, the LDPC subcode W is
obtained from concatenating parity-check matrices of C and C ′. Note that W is in general
an irregular LDPC code. To clearly distinguish between our scheme and the one of [16]
in the discussion below, we will employ the notation (C, C ′) when referring to the latter.
The bound (3–10) is employed to determine the rate pairs (Rk ,Rl) that can be achieved
by (C, C ′), as described previously.
Under the parameter setting above (P/σ² = −0.15 dB, α² = 0 dB, and n = 10^5), we are not able to find a choice of C′ (with small d_v and d_c) that satisfies the requirement ϵ_w ≤ 0.01. In order to illustrate the comparison between the two schemes, we increase the value of P/σ² to 2.0 dB. For this case, we pick C to be a rate-0.4 (3, 5)-regular LDPC
code. The (Rk ,Rl)-trajectory achieved by our secret-sharing scheme with (C,W) is
overlaid in Figure 3-2. We see that the lowest leakage rate achieved by this choice
of (C,W) is at the pair (Rk ,Rl) = (0.22, 0.173). For the scheme of [16], picking C ′ to
be a (1, 3)-regular LDPC code, the pair (C, C′) achieves the key-leakage rate pair
(Rk ,Rl) = (0.333, 0.286) as shown by the square symbol in Figure 3-2. This value of Rl
is the lowest that we can obtain from picking many different C ′ with small dv and dc .
Summarizing the above results, our secret-sharing scheme outperforms the scheme
of [16] when the respective code employed in each scheme is restricted among the
choices of regular LDPC codes with small node degrees and finite block lengths.
However, we can observe that there is a significant gap between the (Rk ,Rl) pairs
achieved by the proposed scheme and the maximally achievable (Cbq,Rl) key-leakage
pair boundary. This illustrates that regular LDPC codes with small dv and dc and finite
block length do not provide good secret-sharing performance.
3.3.2 Secret-Sharing Irregular LDPC Codes
To improve secret-sharing performance, we search for “good” irregular LDPC
codes to be used as C in the proposed scheme. The structure of a secret-sharing code
(C,W) described in the beginning of this section facilitates the code search process
because only the LDPC structure of C needs to be optimized. Such optimization can
be performed by employing the density-evolution based linear programming technique
suggested in [31]. The search objective is to find an irregular LDPC secret-sharing
code (C,W) with maximum Rc , given a fixed Rk , such that both the decoding error
probabilities ϵs and ϵw in (3–10) are vanishing as the BP decoders iterate. By (3–10), this
results in minimization of the bound on Rl for the fixed Rk .
Recall from Section 2.3 that the variable- and check-node degree distribution polynomials of an irregular LDPC code ensemble are, respectively, $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ and $\rho(x) = \sum_{i=2}^{d_c} \rho_i x^{i-1}$. We are to design an irregular LDPC code C and its subcode W that work well for the channel from the (quantized) destination to the source and the channel from the (quantized) destination to the wiretapper, corresponding to the error probabilities ϵ_s and ϵ_w, respectively. Fix ρ(x), and let e_s(ℓ) and e_w(ℓ) denote the bit error probabilities obtained by the BP decoders at the source and wiretapper, respectively, at the ℓth density evolution iteration [29, 31] when an initial $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ is used. Now, let A_{ℓ,j} denote the bit error probability obtained at the source by running the density evolution for ℓ iterations, in which λ(x) is used as the variable-node degree distribution for the first ℓ − 1 iterations and the variable-node degree distribution with a singleton of unit mass at degree j is used for the final iteration. Let B_{ℓ,j} denote the similar quantity for the bit error probability obtained at the wiretapper. Then, we have $e_s(\ell) = \sum_{j=2}^{d_v} A_{\ell,j}\lambda_j$ and $e_w(\ell) = \sum_{j=2}^{d_v} B_{\ell,j}\lambda_j$. Note that the values of A_{ℓ,j} and B_{ℓ,j} are
obtained via (discretized) density evolution, which is discussed in detail in [31, Chapter
5]. To account for the availability of perfect information of the k bits corresponding to the
key at the wiretapper’s BP decoder, the intrinsic LLR distribution entered into the density
evolution analysis for the wiretapper’s decoder is set to be a mixture of the distribution
of the channel outputs at the wiretapper (with the quantized destination symbols as the
channel input) and an impulse at +∞. The weights of the two components in the mixture
are determined by the value of Rk .
Let ϵ > 0 be a small prescribed error tolerance. Suppose that λ(x) satisfies the property that e_s(M_s) ≤ ϵ and e_w(M_w) ≤ ϵ, for some integers M_s and M_w. Then, we can frame the R_c-maximizing code design problem as the following linear program:

$$\max_{\lambda(x)} \sum_{j=2}^{d_v} \frac{\lambda_j}{j}$$

subject to

$$\sum_{j=2}^{d_v} \lambda_j = 1, \qquad \lambda_i \ge 0 \ \text{ for } 2 \le i \le d_v,$$

$$\left|\sum_{j=2}^{d_v} A_{\ell,j}\lambda_j - e_s(\ell)\right| \le \max[0,\ \delta(e_s(\ell-1) - e_s(\ell))] \ \text{ and } \ \sum_{j=2}^{d_v} A_{\ell,j}\lambda_j \le e_s(\ell-1), \quad \text{for } 1 \le \ell \le M_s,$$

$$\left|\sum_{j=2}^{d_v} B_{\ell,j}\lambda_j - e_w(\ell)\right| \le \max[0,\ \delta(e_w(\ell-1) - e_w(\ell))] \ \text{ and } \ \sum_{j=2}^{d_v} B_{\ell,j}\lambda_j \le e_w(\ell-1), \quad \text{for } 1 \le \ell \le M_w,$$

where d_v here is the maximum allowable degree of λ(x) and δ is a small positive
number. The solution λ(x) of the above linear program is then employed as the initial
λ(x) for the next search round. The search process continues this way until es(Ms) or
ew(Mw) becomes larger than ϵ, or until λ(x) converges. We can also fix λ(x) and obtain
a similar linear programming problem for ρ(x). The iterative search can then alternate
between the linear programs for λ(x) and ρ(x), respectively.
The secret-sharing irregular LDPC codes presented below are obtained from the
code search procedure described above starting with BSC-optimized LDPC codes,
which are available from Urbanke’s website [42]. Figure 3-3 shows the (Rk ,Rl)-trajectory
achieved by a rate-0.25 secret-sharing irregular LDPC code obtained by performing the
above search with R_k set to 0.155 for the BPSK-constrained Gaussian wiretap channel when P/σ² = −1.5 dB and α² = 0 dB. The degree distribution pair of this secret-sharing irregular LDPC code is shown in Table 3-1. We obtain an instance of the irregular code by randomly generating a bipartite graph which satisfies the two given degree distribution constraints. Similar to the case of regular codes, the block length is n = 10^5,
and all length-4 loops are removed. Each shown (Rk ,Rl) pair is obtained in the same
manner as described in Section 3.3.1 by using (3–10). From Figure 3-3, we observe
that the pair (Rk ,Rl) = (0.155, 0.025) gives the lowest leakage rate achievable by this
secret-sharing irregular LDPC code. For comparison, we also plot in Figure 3-3 the
(Rk ,Rl)-trajectory achieved by the proposed secret-sharing scheme using a rate-0.25
BSC-optimized irregular LDPC code in place of the secret-sharing irregular LDPC code
obtained from the code search described above. Note that since the channel from the
(quantized) destination to the source is a BSC, the use of the BSC-optimized LDPC
code is essentially the same as the reconciliation method proposed in [19]. For the
BSC-optimized code, the pair (Rk ,Rl) = (0.2, 0.071) gives the lowest achievable leakage
rate.
[Figure 3-3: R_k or C_bq (bpcu) on the vertical axis versus R_l (bpcu) on the horizontal axis. Curves: proposed scheme, rate-0.25 irregular LDPC code; BSC optimized, rate-0.25 irregular LDPC code; C_bq at P/σ² = −1.5 dB, α² = 0 dB.]
Figure 3-3. Plot of the (R_k, R_l)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.25 secret-sharing irregular LDPC code.
Similarly, Figure 3-4 shows the secrecy performance of the proposed scheme when P/σ² = −4.9 dB and α² = 5 dB. A rate-0.12 secret-sharing irregular LDPC code is
obtained by fixing Rk to 0.06 in the code search. The degree distribution pair of this
secret-sharing irregular LDPC code is also shown in Table 3-1. We observe that the
lowest leakage rate achieved by this code is given by the pair (Rk ,Rl) = (0.062, 0.019).
Again, for comparison, the (Rk ,Rl)-trajectory achieved by replacing the secret-sharing
irregular LDPC code obtained from the code search with a rate-0.12 BSC-optimized
irregular LDPC code is also shown in Figure 3-4. For the BSC-optimized irregular LDPC
code, the pair (Rk ,Rl) = (0.095, 0.052) gives the lowest achievable leakage rate.
In conclusion, the secret-sharing irregular LDPC codes obtained from the proposed code search procedure significantly outperform, in terms of secrecy performance, secret-sharing regular LDPC codes with small node degrees as well as irregular LDPC codes that are optimized just for information reconciliation.

Table 3-1. Degree distribution pairs of the rate-0.25 and rate-0.12 secret-sharing irregular LDPC codes.

                rate-0.25    rate-0.12
    λ2          0.2807       0.3651
    λ3          0.1490       0.1610
    λ4          0.0725
    λ5          0.1081
    λ6                       0.0540
    λ7                       0.0599
    λ8                       0.1343
    λ11                      0.1123
    λ12                      0.0057
    λ21         0.0697
    λ22         0.0872
    λ28         0.0650
    λ29         0.0403
    λ70                      0.0006
    λ71                      0.0264
    λ72         0.1197
    λ87                      0.0806
    λ88         0.0079
    ρ4                       0.9705
    ρ5          0.4637       0.0295
    ρ6          0.5363
3.4 Summary
In this chapter, we developed schemes based on LDPC codes to allow a source and
a destination to share secret information over a BPSK-constrained Gaussian wiretap
channel. In the proposed secret-sharing schemes, the source first sends a random
BPSK symbol sequence to the destination through the Gaussian wiretap channel. Then,
the destination generates a syndrome of its quantized received sequence using an
LDPC code and sends this syndrome back to the source via the public channel. Finally,
the source performs decoding to recover the quantized destination sequence based on its transmitted sequence, as well as the syndrome that it receives from the destination.

[Figure 3-4: R_k or C_bq (bpcu) on the vertical axis versus R_l (bpcu) on the horizontal axis. Curves: proposed scheme, rate-0.12 irregular LDPC code; BSC optimized, rate-0.12 irregular LDPC code; C_bq at P/σ² = −4.9 dB, α² = 5 dB.]
Figure 3-4. Plot of the (R_k, R_l)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.12 secret-sharing irregular LDPC code.
The secret key is obtained as the index of a coset in a quotient space of the LDPC code.
To evaluate the performance of the proposed secret-sharing scheme, we employed
an upper bound on the leakage information rate that depends on the decoding error
probabilities of the decoder at the source and of a fictitious decoder at the wiretapper,
which observes the wiretapper received sequence, the syndrome in the public channel,
as well as the secret key. The design was then converted to making these error
probabilities small. For a suitably chosen ensemble of regular LDPC codes, we
showed that these error probabilities can indeed be made vanishing, as the block
length increases, by ML decoding. As a result, this established that the key capacity
of the BPSK-constrained Gaussian wiretap channel can be achieved by employing the
secret-sharing regular LDPC code ensemble in the proposed scheme.
Considering the practical constraints of finite block length and using BP decoding
instead of ML decoding, we employed a density-evolution based linear program to
search for good irregular LDPC codes that can be used in the secret-sharing scheme.
Simulation results showed that the secret-sharing irregular LDPC codes obtained from
our search can get relatively close to the relaxed key capacity of the BPSK-constrained
Gaussian wiretap channel, significantly outperforming regular LDPC codes as well as
irregular LDPC codes that are optimized just for information reconciliation.
CHAPTER 4
AN LDPC-BASED SECRET-SHARING SCHEME OVER GAUSSIAN WIRETAP CHANNEL WITH PAM SYMBOLS
To achieve higher key rate, high-order modulation could be employed at the source.
In this chapter, we extend the secret-sharing scheme proposed in Chapter 3 to the
case when the source is allowed to transmit equiprobable M-ary PAM symbols. First,
multilevel coding (MLC) and multistage decoding (MSD) are employed to transform the
M-ary transmission into M binary-input channels. Second, the modified secret-sharing
scheme for PAM source symbols employing irregular LDPC codes is presented, and it is
shown that the key-agreement problem can be translated into the problem of designing
M irregular LDPC codes such that each of them works well for the corresponding
binary-input wiretap channels. Moreover, puncturing is applied to the secret-sharing
scheme to improve its secrecy performance.
4.1 Gaussian wiretap channel with PAM symbols
The model considered in this chapter is the same as described in Section 3.1
except that the source is allowed to send equiprobable M-ary PAM symbols, i.e., X_i ∈ S = {s_1, s_2, …, s_M} where

$$s_m = \frac{2m-1-M}{\sqrt{A}} \quad\text{and}\quad A = \frac{1}{M}\sum_{m=1}^{M}(2m-1-M)^2.$$

The reason to consider only equiprobable signalling will be justified later in this section. Moreover, Gray mapping is employed at the source to map a binary vector b to a signal point in S¹. Figure 4-1 shows examples of Gray-mapped 4- and 8-PAM constellations.

¹ To simplify notation, we use X_i^j to denote the corresponding jth element of the Gray-mapped vector of X_i.
[Figure 4-1: (A) Gray-mapped 4-PAM constellation; (B) Gray-mapped 8-PAM constellation.]
Figure 4-1. Examples of M-ary Gray-mapped PAM constellations.
Specializing Theorem 2.1 to the Gaussian wiretap channel with equiprobable PAM source symbols, the corresponding R_l-relaxed (symmetric) key rate² R_p(R_l) is given by

$$
R_p(R_l) = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \frac{1}{M}\left[\min\left\{-\int_{-\infty}^{\infty}\!\int_{-\infty}^{\infty} \log_2\!\left(\frac{\sum_{m=1}^{M} f_m(z)\,q_m(y)}{\sum_{m=1}^{M} f_m(z)}\right)\left(\sum_{m=1}^{M} f_m(z)\,q_m(y)\right)dy\,dz + M R_l,\ -\int_{-\infty}^{\infty} \log_2\!\left(\frac{\sum_{m=1}^{M} q_m(y)}{M}\right)\left(\sum_{m=1}^{M} q_m(y)\right)dy\right\} + \int_{-\infty}^{\infty}\sum_{m=1}^{M}\log_2(q_m(y))\,q_m(y)\,dy\right], \qquad (4–1)
$$

where

$$
q_m(y) = \frac{1}{\sqrt{2\pi}}\exp\!\left[-\frac{(y-\beta s_m)^2}{2}\right] \quad\text{and}\quad f_m(z) = \frac{1}{\sqrt{2\pi}}\exp\!\left[-\frac{(z-\alpha\beta s_m)^2}{2}\right]
$$

denote the conditional densities p(y | X = s_m) and p(z | X = s_m) for m ∈ {1, 2, …, M} that specify the destination and wiretapper channels, respectively. (The first argument of the min is I(X; Y) − I(Y; Z) + R_l and the second is I(X; Y), both evaluated for equiprobable X.) As mentioned in Section 3.1, the received symbols need to be quantized such that the resulting quantized sequences are uniformly distributed. To achieve this, we adopt symbol-by-symbol multilevel quantization at the destination, in which the ith quantized destination symbol is Ŷ_i = Q(Y_i), where Q is a quantizer that generates output from the set S³ and is described by the set of decision levels T = {T_1, T_2, …, T_{M+1}}. More specifically, the index of the output of the quantizer Q is m if its input U lies inside the partition cell J_m = {T_m < U ≤ T_{m+1}} for m ∈ {1, 2, …, M}. The set T is chosen such that the outputs of the quantizer Q are equiprobable, and can be obtained using the following procedure (in step 2, Q(·) applied to a real argument is the Gaussian tail function Q(x) = P(N(0,1) > x), not the quantizer):

1. Set T_1 = −∞.

2. For n = 1, 2, …, M/2 − 1, find T_{n+1} such that $\sum_{m=1}^{M}\left[Q(T_n - \beta s_m) - Q(T_{n+1} - \beta s_m)\right] = 1$, i.e., such that the cell (T_n, T_{n+1}] has probability 1/M under equiprobable input.

3. Set T_{M/2+1} = 0 and T_{M+1−m} = −T_{m+1} for m = 0, 1, …, M/2 − 1.

Note that when M = 2, the quantizer Q degenerates to the signum function. Similar to Section 3.1, employing the quantizer Q results in a loss in the (symmetric) key rate. The loss can again be quantified by applying Theorem 2.1 to the Gaussian wiretap channel with PAM source symbols and multilevel quantization at the destination. The corresponding (symmetric) key rate R_pq(R_l) is then given by

$$R_{pq}(R_l) = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \Big[\min\{C_s(\beta) - C_w(\beta) + R_l,\ C_s(\beta)\}\Big] \qquad (4–2)$$

where

$$C_s(\beta) = \log_2 M + \frac{1}{M}\sum_{n=1}^{M}\sum_{m=1}^{M} q_{n,m}\log_2 q_{n,m}, \quad\text{and}$$

$$C_w(\beta) = \log_2 M + \frac{1}{M}\sum_{n=1}^{M}\int_{-\infty}^{\infty}\left(\sum_{m=1}^{M} f_m(z)\, q_{n,m}\right)\log_2\!\left(\frac{\sum_{m=1}^{M} f_m(z)\, q_{n,m}}{\sum_{m=1}^{M} f_m(z)}\right)dz$$

are, respectively, the (symmetric) capacities of the source-to-quantized-destination channel and of the quantized-destination-to-wiretapper channel at the normalized gain β, and q_{n,m} = Q(T_n − βs_m) − Q(T_{n+1} − βs_m) is the transition probability from s_m to s_n of the source-to-quantized-destination channel (so that, since the quantizer output is equiprobable, Σ_m f_m(z) q_{n,m} is the conditional density of Z given that the quantizer output is s_n). We note that when M = 2, which corresponds to BPSK signalling, Eqns. (4–1) and (4–2) degenerate to (3–2) and (3–3), respectively (cf. Section 3.1).

² The term “symmetric key rate” is used to reflect the assumption of equiprobable PAM signalling.

³ Throughout this chapter, we may use the value s_m, the index m or the corresponding Gray-mapped binary vector b to represent any signal point in S.
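The threshold procedure, the transition probabilities q_{n,m} and C_s(β) above, as an added Python example that is not part of the dissertation. It assumes the unit-variance noise normalization of the densities q_m(y), so that the destination observes βs_m plus N(0,1) noise, and solves step 2 by bisection (the left-hand side of the step 2 equation is increasing in T_{n+1}). It checks that the quantizer output is equiprobable, that for M = 2 the quantizer is the sign function and C_s(β) equals the BSC capacity 1 − h_b(Q(β)), consistent with the reduction of (4–2) to (3–3), and it also produces the binary-reflected Gray labels of the kind shown in Figure 4-1. The (M, β) pairs at the end are constructed inputs.

```python
"""Equiprobable multilevel quantizer for M-ary PAM (Section 4.1) and the symmetric
capacity C_s(beta) it induces. Added example; assumes Y = beta*s_m + N(0,1) at the
destination, i.e. the unit-variance normalization used in the densities q_m(y)."""
import math


def pam_constellation(M):
    """s_m = (2m-1-M)/sqrt(A) with A = (1/M) sum_m (2m-1-M)^2: unit average energy."""
    raw = [2 * m - 1 - M for m in range(1, M + 1)]
    a = sum(v * v for v in raw) / M
    return [v / math.sqrt(a) for v in raw]


def gaussian_q(x):
    """Gaussian tail function Q(x) = P(N(0,1) > x); Q(-inf) = 1 and Q(+inf) = 0."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def binary_entropy(p):
    """h_b(p) in bits; used to cross-check the M = 2 case against the BSC capacity."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def quantizer_thresholds(M, beta, iters=200):
    """Decision levels T_1, ..., T_{M+1} from the three-step procedure of Section 4.1.
    Step 2 is solved by bisection since its left-hand side is increasing in T_{n+1}."""
    s = pam_constellation(M)
    t = [-math.inf]                                   # step 1: T_1 = -inf
    for n in range(1, M // 2):                        # step 2: n = 1, ..., M/2 - 1
        tn = t[-1]

        def excess(tn1):
            return sum(gaussian_q(tn - beta * sm) - gaussian_q(tn1 - beta * sm) for sm in s) - 1.0

        lo, hi = -50.0, 0.0                           # root lies in (lo, 0) for n < M/2
        for _ in range(iters):
            mid = 0.5 * (lo + hi)
            if excess(mid) < 0.0:
                lo = mid
            else:
                hi = mid
        t.append(0.5 * (lo + hi))
    t.append(0.0)                                     # step 3: T_{M/2+1} = 0 ...
    t += [-t[i] for i in range(M // 2 - 1, -1, -1)]   # ... and T_{M+1-m} = -T_{m+1}
    return t


def quantize(thresholds, u):
    """Index m (1-based) of the cell T_m < u <= T_{m+1} into which the input u falls."""
    for m in range(len(thresholds) - 1):
        if thresholds[m] < u <= thresholds[m + 1]:
            return m + 1
    raise ValueError("input outside quantizer range")


def transition_matrix(M, beta):
    """q[n][m] = Q(T_n - beta*s_m) - Q(T_{n+1} - beta*s_m) = P(output index n | input s_m)."""
    s = pam_constellation(M)
    t = quantizer_thresholds(M, beta)
    return [[gaussian_q(t[n] - beta * sm) - gaussian_q(t[n + 1] - beta * sm) for sm in s]
            for n in range(M)]


def output_distribution(M, beta):
    """P(output index n) under equiprobable input; equals 1/M for every n by construction of T."""
    return [sum(row) / M for row in transition_matrix(M, beta)]


def symmetric_capacity(M, beta):
    """C_s(beta) = log2 M + (1/M) sum_{n,m} q_{n,m} log2 q_{n,m}: I(X; Y^) for equiprobable PAM."""
    q = transition_matrix(M, beta)
    return math.log2(M) + sum(v * math.log2(v) for row in q for v in row if v > 0.0) / M


def gray_labels(M):
    """Binary-reflected Gray labels (bit lists, MSB first) for the M points, as in Figure 4-1."""
    bits = M.bit_length() - 1
    return [[((i ^ (i >> 1)) >> (bits - 1 - j)) & 1 for j in range(bits)] for i in range(M)]


if __name__ == "__main__":
    for M, beta in ((2, 1.0), (4, 1.3), (8, 2.0)):      # constructed (M, beta) pairs
        print(M, [round(x, 4) for x in quantizer_thresholds(M, beta)],
              round(symmetric_capacity(M, beta), 4))
```

Because the thresholds are fixed by the input distribution alone, the quantizer output is uniform regardless of β, which is what makes the syndrome of the quantized sequence uniformly distributed and the entropy bookkeeping of Section 4.2 go through.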
To visualize the loss in key rate, Figure 4-3 shows the plot of R_p(R_l) and R_pq(R_l) versus the maximum allowable SNR P/σ² for different values of M and α². We can see that the loss in (symmetric) key rate due to the quantizer Q is no more than 0.07 bpcu for the cases shown. Moreover, letting C_pk(R_l) be the R_l-relaxed key capacity of the Gaussian wiretap channel with PAM symbols and multilevel quantization, it is not hard to see that
Cpk(Rl) is generally achieved when the input symbols are not equally likely because of
the non-symmetric properties of I (X ;Y ) and I (Y ;Z) involved in the capacity calculation.
Hence, the restriction of equiprobable PAM signalling results in an additional loss in key
rate, i.e., Rpq(Rl) ≤ Cpk(Rl). Fortunately, the difference between Cpk(Rl) and Rpq(Rl) is
usually negligible. For example, as shown in Figure 4-4, the difference is less than 0.003
bpcu for the two cases shown when M = 4. Finally, we compare the (symmetric) key
rate Rpq to the (unconstrained) relaxed key capacity Ck in Figure 4-2 for different values
of M when R_l = 0 and α² = 0 dB. Using Theorem 2.1, it is not hard to see that the (unconstrained) R_l-relaxed key capacity of the Gaussian wiretap channel is achieved when X is Gaussian distributed and is given by

$$C_k(R_l) = \min\left[\frac{1}{2}\log_2\!\left(1 + \frac{P/\sigma^2}{1 + \alpha^2 P/\sigma^2}\right) + R_l,\ \frac{1}{2}\log_2\!\left(1 + \frac{P}{\sigma^2}\right)\right].$$

From Figure 4-2, we can see that the (symmetric) key rate R_pq gets closer to the (unconstrained) relaxed key capacity C_k when M becomes bigger.
[Figure 4-2: C_k or R_pq (bpcu) on the vertical axis versus P/σ² (dB) on the horizontal axis. Curves: C_k; R_pq for M = 4, 8, 16, 32 and 128.]
Figure 4-2. Comparison between the R_l-relaxed (symmetric) key rate R_pq and the relaxed key capacity C_k of the Gaussian wiretap channel when α² = 0 dB and R_l = 0.
4.2 LDPC-based Key-Agreement Scheme
In this section, we modify our proposed key-agreement scheme for the Gaussian wiretap channel to the case when the source can transmit M-ary PAM symbols. The modified key-agreement scheme employs (punctured) irregular LDPC codes, and its secrecy performance will still be evaluated by measuring the rate of information about the secret key leaked to the wiretapper.

[Figure 4-3: C_p or C_pq (bpcu) on the vertical axis versus P/σ² (dB) on the horizontal axis, R_l = 0. Curves: C_pq, α² = 0 dB, M = 4; C_pq, α² = 5 dB, M = 4; C_p, α² = 0 dB, M = 4; C_p, α² = 5 dB, M = 4; C_pq, α² = 0 dB, M = 8; C_p, α² = 0 dB, M = 8; C_pq, α² = 3 dB, M = 8; C_p, α² = 3 dB, M = 8.]
Figure 4-3. Comparison between the R_l-relaxed (symmetric) key rates R_p and R_pq of the Gaussian wiretap channel when R_l = 0.
The modified key-agreement scheme employs the (n, l , k) secret-sharing binary
linear block code (C,W) described in Section 3.2. However, the pair (C,W) is chosen in
a slightly different way. This change is inspired by the observation that the key-agreement scheme proposed in Chapter 3 allows the wiretapper to have “direct” channel observations of the secret key used by the destination. We note that such a “direct transmission” is undesirable [20] and has a negative effect on the secrecy performance of the key-agreement scheme. Hence, we modify the proposed key-agreement scheme to use puncturing to avoid any “direct transmission”. More specifically, we first choose an (m, l) linear block code C′ from an ensemble of irregular LDPC codes, where m = n + k.
[Figure 4-4: C_pk or C_pq (bpcu) on the vertical axis versus P/σ² (dB) on the horizontal axis, R_l = 0, M = 4. Curves: C_pk, α² = 5 dB; C_pq, α² = 5 dB; C_pk, α² = 0 dB; C_pq, α² = 0 dB.]
Figure 4-4. Comparison between the R_l-relaxed key capacity C_pk and the R_l-relaxed (symmetric) key rate R_pq of the Gaussian wiretap channel when R_l = 0.
Similar to Section 3.2, let H be the parity-check matrix associated with C′ and assume H = [A, B] where B is an (m − l) × (m − l) lower triangular matrix. Let u^m = [c^k, d^n] denote a generic codeword of C′, where c^k and d^n are row vectors containing k and n bits, respectively. Then the (n, l) linear block code C is chosen to be the set of codewords obtained by removing c^k from u^m. That is, C is a punctured version of C′. The subspace W is chosen to be the subset of punctured codewords obtained by setting c^k to zero. The bit vector c^k serves as a component of the secret key in the key-agreement scheme described below:
1. Random source transmission and destination quantization: The source first randomly generates a sequence X^n of n i.i.d. equally likely M-ary PAM symbols and sends them consecutively through the Gaussian wiretap channel. The destination then obtains the quantized sequence Ŷ^n by performing symbol-by-symbol multilevel quantization using the quantizer Q on the received sequence Y^n. We note that the wiretapper observes Z^n.

2. Syndrome generation through LDPC encoding at destination: For j = 1, 2, …, M, the destination first randomly chooses a k_j-bit sequence L_j^{k_j} with i.i.d. equally likely bits. Note that all M sequences are chosen independently. It then generates the syndrome sequence S_j^{m_j − l_j} = [L_j^{k_j}, Ŷ_j^n] H_j^T, where H_j is the parity-check matrix of an LDPC code C′_j. Again, we note that each S_j^{m_j − l_j} uniquely corresponds to a coset E_j^{m_j} + C′_j, where E_j^{m_j} = [0^{l_j}, S_j^{m_j − l_j}(B_j^{−1})^T] is the coset leader. Finally, the destination sends {E_j^{m_j}}_{j=1}^{M} (see footnote 4) back to the source via the public channel. We note that the above description corresponds to the well-known coded modulation scheme, namely multilevel coding, which was proposed to achieve both power and bandwidth efficiency for communications over a Gaussian channel [43, 44].

3. Decoding at source: Multistage belief propagation (BP) decoding is performed at the source. More specifically, for j = 1, 2, …, M, the source tries to decode the codeword U_j^{m_j} = [L_j^{k_j}, Ŷ_j^n] + E_j^{m_j} (∈ C′_j) from observing X_j^n, E_j^{m_j} and {Û_i^{m_i}}_{i=1}^{j−1}, where Û_i^{m_i} denotes the decoded codeword for U_i^{m_i}.

4. Key generation at source and destination: The destination uses [L_1^{k_1}, L_2^{k_2}, …, L_M^{k_M}] as its key. The source sets its key to be [K_1^{k_1}, K_2^{k_2}, …, K_M^{k_M}], where K_j^{k_j} contains the respective first k_j bits of Û_j^{m_j} for j = 1, 2, …, M.

⁴ To simplify notation, we use {E_j^{m_j}}_{j=1}^{M} to represent the sequence of vectors {E_1^{m_1}, E_2^{m_2}, …, E_M^{m_M}}.

We note that the above scheme is permissible with t = n + 1, K = [K_1^{k_1}, K_2^{k_2}, …, K_M^{k_M}], L = [L_1^{k_1}, L_2^{k_2}, …, L_M^{k_M}], and Ψ_{n+1} = {E_j^{m_j}}_{j=1}^{M} is the only message sent via the public channel at the last time instant n + 1, as described in Section 2.2. Thus, we can evaluate the secrecy performance of the scheme in the context of achievable key-leakage rate pairs. In other words, we derive an upper bound on the amount of information about the secret key leaked to the wiretapper. First, based on the chosen distributions of {L_j^{k_j}}_{j=1}^{M} and X^n, the memoryless nature of the Gaussian wiretap channel, and the quantizer Q employed to obtain Ŷ^n at the destination, it is easy to check that H(L_j^{k_j}) = k_j, H(L_j^{k_j}, Ŷ_j^n) = m_j, and H(E_j^{m_j}) = m_j − l_j for j = 1, 2, …, M. Suppose that the multistage decoding process at the source achieves the error probability ϵ_s at each stage; then we have Pr{K ≠ L} ≤ Mϵ_s. Hence, Condition 1 in Section 2.2 is satisfied. Moreover, we also have H(K | L) ≤ M + (Σ_{j=1}^{M} k_j)ϵ_s and H(L | K) ≤ M + (Σ_{j=1}^{M} k_j)ϵ_s by Fano's inequality. That in turn implies (1/n)H(K) ≥ Σ_{j=1}^{M} R_{k_j} − Σ_{j=1}^{M} R_{k_j}ϵ_s − M/n. Further using the fact that I(L; {E_j^{m_j}}_{j=1}^{M}) = 0, we have (1/n) I(K; {E_j^{m_j}}_{j=1}^{M}) ≤ Σ_{j=1}^{M} R_{k_j}ϵ_s + M/n. Thus, Conditions 2, 4, and 5 in Section 2.2 are satisfied when n is sufficiently large and ϵ_s is small enough.
Next, consider

$$
\begin{aligned}
I(K; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) &\le I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) + I(K; Z^n, \{E_j^{m_j}\}_{j=1}^{M} \mid L) \\
&\le I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) + H(K \mid L) \\
&\le I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) + \Big(\sum_{j=1}^{M} k_j\Big)\epsilon_s + M. \qquad (4–3)
\end{aligned}
$$

Further,

$$
\begin{aligned}
I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) &= H(L) + H(\{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) - H(L, \{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) \\
&= H(L) + H(\{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) - H(L, \hat{Y}^n, \{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) + H(\hat{Y}^n \mid Z^n, L, \{E_j^{m_j}\}_{j=1}^{M}) \\
&= H(\{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) - H(\hat{Y}^n \mid Z^n) + H(\{\hat{Y}_j^n\}_{j=1}^{M} \mid Z^n, L, \{E_j^{m_j}\}_{j=1}^{M}) \\
&= H(\{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) - H(\hat{Y}^n \mid Z^n) + \sum_{j=1}^{M} H(\hat{Y}_j^n \mid Z^n, L, \{E_i^{m_i}\}_{i=1}^{M}, \{\hat{Y}_i^n\}_{i=1}^{j-1}) \\
&\le \sum_{j=1}^{M} H(E_j^{m_j}) - H(\hat{Y}^n) + I(\hat{Y}^n; Z^n) + \sum_{j=1}^{M} H(\hat{Y}_j^n \mid Z^n, L_j^{k_j}, E_j^{m_j}, \{\hat{Y}_i^n\}_{i=1}^{j-1}), \qquad (4–4)
\end{aligned}
$$

where the third equality holds because each E_j^{m_j} is a function of (L_j^{k_j}, Ŷ_j^n) and L is independent of (Ŷ^n, Z^n), so that H(L, Ŷ^n, {E_j^{m_j}}_{j=1}^{M} | Z^n) = H(L) + H(Ŷ^n | Z^n); the fourth equality is the chain rule for entropy; and the last step uses H({E_j^{m_j}}_{j=1}^{M} | Z^n) ≤ Σ_{j=1}^{M} H(E_j^{m_j}) together with the fact that conditioning reduces entropy. Now, because the channel from Ŷ^n to Z^n is memoryless, we have I(Ŷ^n; Z^n) ≤ nC_w(β). In addition, consider a multistage fictitious decoder at the wiretapper trying to decode Ŷ_j^n from observing (Z^n, E_j^{m_j}, L_j^{k_j}, {Ŷ_i^n}_{i=1}^{j−1}) for j = 1, 2, …, M. Suppose that the decoder achieves the error probability ϵ_w at each stage. Then we have H(Ŷ_j^n | Z^n, L_j^{k_j}, E_j^{m_j}, {Ŷ_i^n}_{i=1}^{j−1}) ≤ 1 + (l_j − k_j)ϵ_w for j = 1, 2, …, M by Fano's inequality, since given L_j^{k_j} and E_j^{m_j} the sequence Ŷ_j^n is determined by the remaining l_j − k_j systematic bits of U_j^{m_j}. Putting all these and (4–4) back into (4–3), we obtain

$$
\frac{1}{n} I(K; Z^n \mid \{E_j^{m_j}\}_{j=1}^{M}) \le \frac{1}{n} I(K; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) \le C_w(\beta) - \sum_{j=1}^{M}(R_{c_j} - R_{k_j}) + \sum_{j=1}^{M} R_{k_j}\epsilon_s + \sum_{j=1}^{M}(R_{c_j} - R_{k_j})\epsilon_w + \frac{2M}{n}. \qquad (4–5)
$$
Let R_l = C_w(β) − Σ_{j=1}^{M} (R_{c_j} − R_{k_j}). Condition 3 in Section 2.2 is then satisfied if ϵ_s and ϵ_w are small enough and n is large enough, showing that (Σ_{j=1}^{M} R_{k_j}, R_l) is an achievable key-leakage rate pair. Moreover, we note that the above upper bound applies for any decoder both at the source and at the fictitious receiver, since the value of the bound depends on the choice of decoder only through ϵ_s and ϵ_w.
In the next section, we perform computer simulation to estimate (upper bounds on) ϵ_s and ϵ_w. To get ϵ_s, the multistage BP decoder described above is implemented at the source. Note that for the jth level decoder, the estimates of {Ŷ_i^n}_{i=1}^{j−1} obtained from the previous level decoders are used in calculating the LLRs of the variable nodes. Similarly, to get ϵ_w, a multistage BP decoder is implemented for the fictitious receiver at the wiretapper. In order to provide information about the secret key L_j^{k_j} to the BP decoder for Ŷ_j^n, the intrinsic LLRs of the variable nodes corresponding to L_j^{k_j} are explicitly set to ±∞ according to the true bit values. Moreover, {Ŷ_i^n}_{i=1}^{j−1} are assumed available to the jth stage decoder for calculating the LLRs of the variable nodes.
We note that a similar MLC/MSD reconciliation method was proposed in [18] to reconcile and correct the differences between nonbinary random variables $X^n$ and random variables $Y^n$ by sending $X^n$ through a quasi-static Rayleigh fading channel. In [18], MLC and MSD are employed to transform the $M$-ary transmission into $M$ parallel binary-input channels so that binary LDPC codes can be used for reconciliation.
However, there are two fundamental differences between our proposed scheme and the reconciliation method discussed in [18]. First, as mentioned above, the proposed key-agreement scheme considers both the (quantized) channel from the destination to the source and the (quantized) channel from the destination to the wiretapper (given the key), while the method in [18] only focuses on the channel from the source to the destination.⁵ Reference [18] uses irregular LDPC codes optimized for antipodal signalling over the AWGN channel as component codes, while we propose to design LDPC codes which work well for both the quantized destination-to-source channel and the quantized destination-to-wiretapper channel given the secret key. As revealed in Section 3.3.2, codes designed solely for information reconciliation do not necessarily work well in the case of key agreement when the secrecy performance is evaluated by measuring the leakage rate. More seriously, reference [18] fails to consider the fact that the $M$ binary-input channels have totally different channel characteristics. Hence the design in [18] does not readily translate into our context of interest, and most likely those irregular LDPC codes will provide poor secrecy performance in terms of the achievable leakage-rate pair. Second, the method proposed in [18] also neglects the fact that the $M$ binary-input channels do not possess the symmetry properties required for employing density evolution to predict the actual decoder behavior. Instead, reference [18] uses Extrinsic Information Transfer (EXIT) charts to analyze the decoding process, despite the fact that the theoretical result underpinning EXIT charts does not exist for the Gaussian channel. On the other hand, as mentioned in the next section, we adopt an analytical tool, namely i.i.d. channel adapters, in the proposed key-agreement scheme to force the required symmetry properties of the $M$ binary-input channels for valid density-evolution analysis. To summarize, although MLC and MSD are employed in [18] to construct a reconciliation method for correlated random variables, no design rules are offered to find irregular LDPC codes which are suitable for use in the proposed key-agreement scheme.

⁵ In [18], the authors consider only forward reconciliation, thus the destination does not quantize its received symbols and the decoding is performed at the destination instead.
4.3 LDPC Codes Design and Perform­ance
In this section, we design irregular LDPC codes for use in the modified key-agreement scheme to achieve good secrecy performance. As revealed later in this section, our task is to design $M$ irregular LDPC codes such that the $j$th pair $(C_j, W_j)$, which is generated from the $j$th LDPC code $C'_j$, works well for the channel from $Y_j^n$ to $X_j^n$ and the channel from $Y_j^n$ to $Z^n$ given $L_j^{k_j}$ and $\{Y_i^n\}_{i=1}^{j-1}$.

Let
$$
R'_{c_j} = \frac{l_j}{m_j} = 1 - \frac{\int \rho_j(x)\,dx}{\int \lambda_j(x)\,dx}
$$
be the code rate of $C'_j$, where $\lambda_j(x)$ and $\rho_j(x)$ denote the variable- and check-node degree distribution polynomials of $C'_j$, respectively. In this dissertation, we consider applying uniform puncturing to $C'_j$ with $p_j$ denoting the corresponding fraction of punctured variable nodes, which correspond to $L_j^{k_j}$. Note that
$$
R_{k_j} = \frac{p_j}{1 - p_j} \quad\text{and}\quad R_{c_j} = \frac{R'_{c_j}}{1 - p_j}.
$$
From the mutual information chain rule [38], we know
$$
\begin{aligned}
I(X; Y) - I(Y; Z) &= I(X; Y_1, Y_2, \dots, Y_M) - I(Y_1, Y_2, \dots, Y_M; Z) \\
&= \sum_{j=1}^M I(X; Y_j \mid Y_1, Y_2, \dots, Y_{j-1}) - \sum_{j=1}^M I(Y_j; Z \mid Y_1, Y_2, \dots, Y_{j-1}) \\
&= \sum_{j=1}^M \bigl[ I(X; Y_j \mid Y_1, Y_2, \dots, Y_{j-1}) - I(Y_j; Z \mid Y_1, Y_2, \dots, Y_{j-1}) \bigr].
\end{aligned}
\tag{4–6}
$$
Comparing (4–6) with the expression for the $R_l$-relaxed key capacity in Theorem 2.1, we see that the wiretap channel can be separated into $M$ parallel binary-input wiretap channels, provided that $\{Y_i\}_{i=1}^{j-1}$ are known to the $j$th channel. Accordingly, for a fixed value of $R_k = \sum_{j=1}^M R_{k_j}$, we can use (4–6), which defines the optimal (key) rate assignment among the $M$ binary-input wiretap channels to be the corresponding mutual information difference, to distribute the target key rates $\{R_{k_j}\}_{j=1}^M$ among the $M$ irregular LDPC codes. For example, for $M = 2$, we assign the key rates $R_{k_1}$ and $R_{k_2}$ to the two irregular LDPC codes $C'_1$ and $C'_2$ using the ratio
$$
\frac{R_{k_1}}{R_{k_2}} = \frac{I(X; Y_1) - I(Y_1; Z)}{I(X; Y_2 \mid Y_1) - I(Y_2; Z \mid Y_1)}.
$$
After fixing each $R_{k_j}$ (which in turn fixes $p_j$), if we want to minimize the achievable leakage rate $R_l$, Eqn. (4–5) suggests that we should maximize $\sum_{j=1}^M R_{c_j}$, or equivalently $\sum_{j=1}^M R'_{c_j}$. In fact, the maximization of $\sum_{j=1}^M R'_{c_j}$ can be broken into maximizing each $R'_{c_j}$ individually, again by the implication of (4–6). More specifically, given $R_{k_j}$ for $j = 1, 2, \dots, M$, we are to find $(\lambda_j(x), \rho_j(x))$ such that $R'_{c_j}$ is maximized subject to the constraint that $\epsilon_{s_j}$ and $\epsilon_{w_j}$ vanish as the multistage BP decoders at the source and the wiretapper iterate, where $\epsilon_{s_j}$ and $\epsilon_{w_j}$ are the error probabilities of the $j$th stage decoder at the source and wiretapper, respectively. Trivially, the above conditions combine to guarantee the vanishing of $\epsilon_s$ and $\epsilon_w$ defined in Section 4.2.
To design good irregular LDPC codes, we employ the density-evolution based code search process proposed in Section 3.3.2 here, but two major changes are made. First, to account for the puncturing of $L_j^{k_j}$ at the source's $j$th stage BP decoder, the intrinsic LLR distribution entered into the density evolution analysis is set to be a mixture of the original LLR distribution and an impulse at 0 with weights determined by the value of $p_j$. Second, we note that using density evolution to predict the average decoder behavior implicitly requires the underlying channels to have appropriate symmetry properties [29]. However, the $M$ binary-input channels mentioned above are not necessarily symmetric. As a result, it is not sufficient to consider only the performance of the all-zeros codeword to predict the average decoder behavior, and the application of density evolution in such a scenario becomes very complicated. Fortunately, an analytical tool, the i.i.d. channel adapter, which was proposed in [45] to tackle the problem of LDPC code design for coded modulation schemes, can be easily adopted into the modified key-agreement scheme to force the symmetry of those binary-input channels. Consider the channel from $Y_j^n$ to $X_j^n$; the $j$th i.i.d. channel adapter works on the $j$th binary-input channel as follows. Each i.i.d. channel adapter has three modules. The first one is an i.i.d. source which generates binary symbols $W_{ji}$ for all $i$, according to an i.i.d. equiprobable distribution. The second one is a mod-2 adder at the destination such that $V_{ji} = W_{ji} \oplus Y_{ji}$. The third module is a mod-2 adjuster at the source which computes $U_{ji} = (1 - 2W_{ji})G_{ji}$, where $G_{ji}$ is the log a posteriori probability ratio (LAPPR) of $Y_{ji}$ (given $X_{ji}$). Then by [45, Theorem 1], the newly augmented channel from $V_{ji}$ to $U_{ji}$ is symmetric. Next, consider the channel from $Y_j^n$ to $Z^n$ and let $\tilde U_{ji} = (1 - 2W_{ji})J_{ji}$, where $J_{ji}$ is the LAPPR of $Y_{ji}$ (given $Z_i$). Again by [45, Theorem 1], the newly augmented channel from $V_{ji}$ to $\tilde U_{ji}$ also satisfies the symmetry condition. Thus, the analysis and design of the $M$ irregular LDPC codes are greatly simplified. Furthermore, by [45, Theorem 2], the capacity of the newly augmented binary-input channel is equal to the mutual information of the original binary-input channel with i.i.d. equiprobable input distribution. Hence, if we can design good irregular LDPC codes which work well for both the channel from $V_j^n$ to $U_j^n$ and the channel from $V_j^n$ to $\tilde U_j^n$, the irregular LDPC codes also work well for both the channel from $Y_j^n$ to $X_j^n$ and the channel from $Y_j^n$ to $Z^n$.
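As an added illustration that is not part of the dissertation, the following Python snippet applies the three adapter modules to a constructed, deliberately asymmetric three-output binary-input channel and checks the two properties of [45] numerically: the augmented channel from $V$ to $U$ is output-symmetric while the original one is not, and its mutual information under an equiprobable input equals that of the original channel. The transition matrix `P` is constructed for the example.

```python
"""i.i.d. channel adapter on a toy asymmetric binary-input channel (added example)."""
import math
from collections import defaultdict

# Constructed toy channel from the code bit Y (the destination's quantised bit) to the
# observation O at the source: P[y][o] = Pr(O = o | Y = y). Deliberately asymmetric,
# like the M binary-input channels produced by MLC/MSD.
P = [[0.80, 0.15, 0.05],
     [0.10, 0.30, 0.60]]


def lappr(o):
    """LAPPR of Y given the observation O = o, for equiprobable Y (the G of the text)."""
    return math.log(P[0][o] / P[1][o])


def law_of_llr(adapted):
    """Conditional law {input_bit: {llr: prob}} of the LLR handed to the decoder.

    adapted=False: original channel, input Y, output G = lappr(O).
    adapted=True : i.i.d. source W (equiprobable), mod-2 adder V = W xor Y at the
                   destination, mod-2 adjuster U = (1 - 2W) G at the source.
    """
    law = {0: defaultdict(float), 1: defaultdict(float)}
    for v in (0, 1):                          # input bit of the (augmented) channel
        for w in ((0, 1) if adapted else (0,)):
            y = v ^ w                         # bit actually crossing the channel
            p_w = 0.5 if adapted else 1.0     # Pr(W = w)
            for o, p_o in enumerate(P[y]):
                u = (1 - 2 * w) * lappr(o)    # adjuster: flips the sign when w = 1
                law[v][round(u, 12)] += p_w * p_o
    return {v: dict(d) for v, d in law.items()}


def is_symmetric(law, tol=1e-12):
    """Output symmetry: Pr(U = u | V = 0) = Pr(U = -u | V = 1) for every u."""
    support = set(law[0]) | {-u for u in law[1]}
    return all(abs(law[0].get(u, 0.0) - law[1].get(-u, 0.0)) <= tol for u in support)


def mutual_information(law):
    """I(input; LLR) in bits for an equiprobable input, computed from the law."""
    marginal = defaultdict(float)
    for v in (0, 1):
        for u, p in law[v].items():
            marginal[u] += 0.5 * p
    h_out = -sum(p * math.log2(p) for p in marginal.values() if p > 0)
    h_cond = -0.5 * sum(p * math.log2(p) for v in (0, 1) for p in law[v].values() if p > 0)
    return h_out - h_cond


if __name__ == "__main__":
    original, augmented = law_of_llr(adapted=False), law_of_llr(adapted=True)
    print("original channel symmetric:", is_symmetric(original))    # False
    print("augmented channel symmetric:", is_symmetric(augmented))  # True
    print("I(Y;G) = %.4f bits, I(V;U) = %.4f bits" %
          (mutual_information(original), mutual_information(augmented)))
```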
From now on, the description of the modified code search process focuses on the $j$th binary-input wiretap channel; the code search process on all other binary-input wiretap channels follows exactly the same procedure. Similar to Section 3.3.2, for a fixed $\rho_j(x)$ and a target value of $R_{k_j}$, the code search process can be formulated to optimize $\lambda_j(x)$ using density-evolution based linear programming. Again, let $\epsilon > 0$ be a small prescribed error tolerance and suppose that an initial $\lambda_j(x)$ (call it $\bar\lambda_j(x)$) satisfies the property that $e_s(M_s) \le \epsilon$ and $e_w(M_w) \le \epsilon$ for some integers $M_s$ and $M_w$, where $e_s(\ell)$ and $e_w(\ell)$ denote the bit error probabilities obtained by the BP decoders (with i.i.d. channel adapters) at the source and wiretapper, respectively, at the $\ell$th density evolution iteration. The code search proceeds to maximize the code rate $R'_{c_j}$ of the irregular LDPC code by updating $\lambda_j(x)$ while maintaining the following constraints using linear programming (refer to Section 3.3.2 for the mathematical description):
1. $\sum_{i=2}^{d_v} \lambda_{ji} = 1$ and $\lambda_{ji} \ge 0$ for $2 \le i \le d_v$;
2. $\lambda_j(x)$ is not significantly different from $\bar\lambda_j(x)$;
3. $\lambda_j(x)$ produces a smaller error probability than $\bar\lambda_j(x)$,
where $\lambda_{ji}$ represents the fraction of edges emanating from the variable nodes of degree $i$ and $d_v$ is the maximum allowable degree of $\lambda_j(x)$. The code search process continues until $e_s(M_s)$ or $e_w(M_w)$ becomes larger than $\epsilon$, or until $\lambda_j(x)$ converges. As mentioned in Section 3.3.2, we can also fix $\lambda_j(x)$ and obtain a similar linear programming problem for $\rho_j(x)$, and the iterative search can then alternate between the linear programs for $\lambda_j(x)$ and $\rho_j(x)$, respectively.

Table 4-1. Degree distribution pairs of the rate-0.195 and rate-0.538 irregular LDPC codes (columns in order: rate-0.195, rate-0.538).
λ2   0.3583  0.1910
λ3   0.1739  0.1373
λ4   0.0202  0.0334
λ5   0.1205
λ6   0.1226
λ7   0.0270
λ9   0.1573
λ10  0.0086
λ12  0.1229
λ13  0.0091
λ28  0.1242
λ29  0.1423  0.0394
λ30  0.0189
λ89  0.1491
λ90  0.0440
ρ4   0.6747
ρ5   0.3253
ρ11  0.7570
ρ12  0.2430
To illustrate the secrecy performance of the modified key-agreement scheme, we consider the code design for 4-PAM and 8-PAM modulation. For the case of 4-PAM modulation, we consider two different channel settings: (a) $P/\sigma^2 = 5$ dB and $\alpha^2 = 0$ dB, and (b) $P/\sigma^2 = 1.8$ dB and $\alpha^2 = 5$ dB, which correspond to situations where the wiretapper's SNR is moderate and strong, respectively, relative to the destination's SNR. We apply the aforementioned code search process to obtain the irregular LDPC codes shown below. For channel setting (a), Figure 4-5 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by setting $R_k = 0.29$ in the code search process. By (4–6), we have $R_{k_1} = 0.15$ and $R_{k_2} = 0.14$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-1, are $R'_{c_1} = 0.195$ and $R'_{c_2} = 0.538$, respectively. As usual, we obtain an instance of the irregular LDPC codes by randomly generating a bipartite graph which satisfies the corresponding degree distributions. The block length of the LDPC codes is $m = 10^6$, and all length-4 loops are removed. Computer simulation is performed to obtain an estimate of $\epsilon_s$ and $\epsilon_w$, which are then employed to calculate an achievable leakage rate as in (4–5), provided that $\epsilon_s \le 0.01$ and $\epsilon_w \le 0.01$. The resulting achievable key-leakage rate pair $(R_k, R_l)$ is plotted against the corresponding boundary of the $(R_{pq}, R_l)$ region, which is shown by the solid curve in the figure. From Figure 4-5, we can see that the pair $(R_k, R_l) = (0.29, 0.03)$ is achieved by using the rate-0.195 and rate-0.538 irregular LDPC codes.

Figure 4-5. Plot of the $(R_k, R_l)$ pair achieved by the modified key-agreement scheme employing the rate-0.195 and rate-0.538 irregular LDPC codes. [Figure; axes: $R_l$ (bpcu) versus $R_{pq}$ or $R_k$ (bpcu); curves: $R_{pq}$ for 4-PAM at $P/\sigma^2 = 5$ dB, $\alpha^2 = 0$ dB, and the achievable $(R_k, R_l)$ pair of the rate-0.195 and rate-0.538 irregular LDPC codes.]

Next, we consider the more challenging channel setting (b) in which the wiretapper's SNR is 5 dB higher than that of the destination. Figure 4-6 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by performing the code search process with $R_k = 0.12$. Using (4–6), we get $R_{k_1} = 0.05$ and $R_{k_2} = 0.07$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-2, are $R'_{c_1} = 0.096$ and $R'_{c_2} = 0.436$, respectively. From Figure 4-6, we can see that the pair $(R_k, R_l) = (0.12, 0.015)$ is achieved by using the rate-0.096 and rate-0.436 irregular LDPC codes.
For the case of 8-PAM modulation, we also consider two different channel settings: (c) $P/\sigma^2 = 9$ dB and $\alpha^2 = 0$ dB, and (d) $P/\sigma^2 = 8$ dB and $\alpha^2 = 3$ dB. For channel setting (c), Figure 4-7 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by setting $R_k = 0.365$ in the code search process. By (4–6), we have $R_{k_1} = 0.1$, $R_{k_2} = 0.176$ and $R_{k_3} = 0.689$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-3, are $R'_{c_1} = 0.108$, $R'_{c_2} = 0.432$ and $R'_{c_3} = 0.689$, respectively. From Figure 4-7, we can see that the pair $(R_k, R_l) = (0.365, 0.033)$ is achieved by using the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes. For channel setting (d), Figure 4-8 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by setting $R_k = 0.22$ in the code search process. By (4–6), we have $R_{k_1} = 0.057$, $R_{k_2} = 0.109$ and $R_{k_3} = 0.054$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-4, are $R'_{c_1} = 0.078$, $R'_{c_2} = 0.415$ and $R'_{c_3} = 0.687$, respectively. From Figure 4-8, we can see that the pair $(R_k, R_l) = (0.22, 0.026)$ is achieved by using the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes.

Table 4-2. Degree distribution pairs of the rate-0.096 and rate-0.436 irregular LDPC codes (columns in order: rate-0.096, rate-0.436).
λ2   0.3718  0.2702
λ3   0.1547  0.1570
λ4   0.0222  0.0705
λ5   0.0787  0.0638
λ6   0.0584
λ7   0.0120
λ8   0.0469
λ9   0.1628
λ11  0.0906
λ12  0.0267
λ26  0.0512
λ27  0.1776
λ29  0.0526
λ30  0.0518
λ89  0.0805
ρ3   0.0944
ρ4   0.9031
ρ5   0.0025
ρ7   0.9185
ρ8   0.0589
ρ9   0.0226
4.4 Summary
In this chapter, we extend and further improve our proposed key-agreement scheme to the case when the source is allowed to send $M$-ary equiprobable PAM symbols. The modified key-agreement scheme employs punctured irregular LDPC codes to avoid directly exposing the (secret) key to the wiretapper. By invoking the idea of MLC and MSD, we show that the design of LDPC codes over the original wiretap channel can be transformed into the design of LDPC codes for the $M$ binary-input wiretap channels. Hence, the proposed code search process can be adopted to design good irregular LDPC codes to give secrecy performance close to the (symmetric) relaxed key rate, as demonstrated by the simulation results.

Figure 4-6. Plot of the $(R_k, R_l)$ pair achieved by the modified key-agreement scheme employing the rate-0.096 and rate-0.436 irregular LDPC codes. [Figure; axes: $R_l$ (bpcu) versus $R_{pq}$ or $R_k$ (bpcu); curves: $R_{pq}$ for 4-PAM at $P/\sigma^2 = 1.8$ dB, $\alpha^2 = 5$ dB, and the achievable $(R_k, R_l)$ pair of the rate-0.096 and rate-0.436 irregular LDPC codes.]
Table 4-3. Degree distribution pairs of the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes (columns in order: rate-0.108, rate-0.432, rate-0.689).
λ2    0.3626  0.2852  0.2219
λ3    0.1599  0.1608  0.1211
λ4    0.0892  0.1338
λ5    0.1063
λ6    0.0436
λ7    0.1637
λ8    0.0587  0.1114
λ9    0.1398
λ10   0.1073
λ20   0.0492
λ21   0.1932
λ26   0.1176  0.0764
λ27   0.0019  0.19546
λ100  0.1008
ρ4    0.9881
ρ5    0.0119
ρ6    0.2382
ρ7    0.7589
ρ14   0.6828
ρ15   0.3172
ρ20   0.0029

Figure 4-7. Plot of the $(R_k, R_l)$ pair achieved by the modified key-agreement scheme employing the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes. [Figure; axes: $R_l$ (bpcu) versus $R_{pq}$ or $R_k$ (bpcu); curves: $R_{pq}$ for 8-PAM at $P/\sigma^2 = 9$ dB, $\alpha^2 = 0$ dB, and the achievable $(R_k, R_l)$ pair of the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes.]

Table 4-4. Degree distribution pairs of the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes (columns in order: rate-0.078, rate-0.415, rate-0.687).
λ2   0.4081  0.2644  0.2208
λ3   0.1677  0.1729  0.1254
λ4   0.1256
λ5   0.1342  0.1397
λ6   0.0181  0.0195
λ8   0.1542
λ9   0.0291  0.0943
λ10  0.0787  0.0888
λ11  0.1042
λ21  0.0695
λ22  0.0157
λ26  0.2541
λ27  0.0256
λ31  0.1374
λ32  0.0731
λ54  0.0293
λ55  0.0496
ρ3   0.3915
ρ4   0.6085
ρ6   0.0668
ρ7   0.9093
ρ8   0.0210
ρ9   0.0010
ρ14  0.7449
ρ15  0.2551
ρ20  0.0019

Figure 4-8. Plot of the $(R_k, R_l)$ pair achieved by the modified key-agreement scheme employing the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes. [Figure; axes: $R_l$ (bpcu) versus $R_{pq}$ or $R_k$ (bpcu); curves: $R_{pq}$ for 8-PAM at $P/\sigma^2 = 8$ dB, $\alpha^2 = 3$ dB, and the achievable $(R_k, R_l)$ pair of the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes.]
CHAPTER 5
AN LDPC-BASED SECRET-SHARING SCHEME OVER FAST-FADING WIRETAP CHANNEL
In this chapter, we further extend our secret-sharing design to develop a practical key-agreement scheme for the fast Rayleigh fading wiretap channel. We impose two constraints on the channel between the source and destination. First, the source is limited to transmitting quadrature phase-shift-keyed (QPSK) symbols. Second, symbol-by-symbol, component-by-component hard-decision quantization is applied to the received symbols at the destination. We show that the in-phase and quadrature-phase components of the fast-fading wiretap channel can be considered separately. The secrecy performance of the proposed scheme is again measured in terms of the rate of the secret key agreed between the source and destination against the rate of information about the secret key leaked to the wiretapper.
5.1 Fast-Fading Wiretap Channel
In this chapter, we consider the wiretap channel in which the destination and wiretapper channels are both fast Rayleigh fading channels. Here, $X_i$ denotes the $i$th complex-valued symbol transmitted by the source, i.e., $X_i = X_{Ii} + jX_{Qi}$, where $X_{Ii}$ and $X_{Qi}$ are the in-phase (I) and quadrature-phase (Q) components, respectively. The baseband-equivalent fast Rayleigh fading wiretap channel can then be modeled as
$$
\begin{aligned}
Y_i &= \beta G_i X_i + N_i \\
Z_i &= \alpha\beta \tilde G_i X_i + \tilde N_i,
\end{aligned}
\tag{5–1}
$$
where the channel noises are now modeled respectively by $N_i$ and $\tilde N_i$, which are i.i.d. zero-mean, complex-symmetric complex Gaussian-distributed (ZMCSCGD) random variables with variance $\sigma^2$, and the fading coefficients are represented by $G_i$ and $\tilde G_i$, which are i.i.d. ZMCSCGD random variables with unit variance. It is assumed that perfect CSI of the respective channels is available to the destination and wiretapper, i.e., the destination knows $G_i$ and the wiretapper knows $\tilde G_i$. We restrict the source to transmit only QPSK symbols, i.e., $X_{Ii}, X_{Qi} \in \{\pm\sqrt{1/2}\}$, with $\beta$ being the gain. Similarly, we also impose the source power constraint (2–1) such that $\beta^2 \le P$, where $P$ is the maximum power available to the source. The channel gain difference between the destination and wiretapper is again modeled by the positive constant $\alpha$. Similar to Chapter 3, it is assumed that there is an interactive, authenticated and public channel with unlimited capacity between the source and the destination.
As will be described in Section 5.2, we perform symbol-by-symbol, component-by-component hard-decision quantization at the destination, in which the $i$th quantized destination symbol $\hat Y_i = \hat Y_{Ii} + j\hat Y_{Qi}$ is given by $\hat Y_{Ii} = \operatorname{sgn}(\Re(Y_i G_i^*))$ and $\hat Y_{Qi} = \operatorname{sgn}(\Im(Y_i G_i^*))$. Since the received symbols at the destination and wiretapper are conditionally independent given the source symbols, it can be shown¹ that the $R_l$-relaxed key capacity is given by
$$
C_q(R_l) = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \Bigl[ \min\{ C_s(\beta) - C_w(\beta) + R_l,\; C_s(\beta) \} \Bigr],
\tag{5–2}
$$
where
$$
C_s(\beta) = 2 - \int_0^\infty H_2\bigl(Q(\beta h)\bigr) \cdot 4h\, e^{-h^2}\, dh
$$
and
$$
C_w(\beta) = 2 - \frac{1}{\sqrt{2\pi}} \int_0^\infty\!\!\int_0^\infty\!\!\int_0^\infty \bigl[1 + e^{-2\alpha\beta g z}\bigr]\, e^{-\frac{(z - \alpha\beta g)^2}{2}} \cdot H_2\!\left( \frac{Q(\beta h) + [1 - Q(\beta h)]\, e^{-2\alpha\beta g z}}{1 + e^{-2\alpha\beta g z}} \right) \cdot 8 h g\, e^{-(h^2 + g^2)}\, dg\, dh\, dz
$$
are, respectively, the capacities of the quantized destination-to-source and quantized destination-to-wiretapper channels at the normalized gain $\beta$. We again note that $C_q(R_l)$ is achieved when $X_i$ is equiprobable, but it is not necessarily achieved by transmitting at the maximum allowable power $P$. The equiprobable distribution and symmetry of the QPSK symbols imply that we can consider instead the transmission of BPSK symbols with equal rates separately over the I- and Q-components. For illustration, Figure 5-1 shows the plot of $C_q(R_l)$, in units of bpcu, versus the maximum allowable SNR $P/\sigma^2$ for $\alpha^2 = -5$, $0$, and $5$ dB, respectively. Note that for each value of $\alpha$, we should design the key-agreement system to operate near the "corner point" where the key capacity is just about to level off.

¹ The proof of (5–2) can be easily, though rather tediously, extended from the proof of (3–3) by checking the concavity and symmetry of $I(X; Y) - I(Y; Z)$ as a function of the QPSK source distribution.

Figure 5-1. The $R_l$-relaxed key capacity $C_q$ of the fast Rayleigh fading wiretap channel for different values of $\alpha^2$, where $R_l = 0$. [Figure; axes: $P/\sigma^2$ (dB) versus $C_q$ (bpcu); curves for $\alpha^2 = -5$ dB, $0$ dB and $5$ dB.]
5.2 LDPC-based Key-Agreement Scheme
The proposed key-agreement scheme is a modification of the one presented in Chapter 4. Under the notation developed in Section 4.2, we describe the proposed key-agreement scheme as follows.
1. Random source transmission and destination quantization: The source first randomly generates a sequence $X^n$ of $n$ i.i.d. equally likely QPSK symbols and sends them consecutively through the fast-fading wiretap channel. The destination then obtains the quantized sequence $\hat Y^n$ by performing symbol-by-symbol, component-by-component hard-decision quantization on the received sequence $Y^n$. We note that this quantization separates the received symbol $Y_i$ into the quantized I-component $\hat Y_{Ii} = \operatorname{sgn}(\Re(Y_i G_i^*))$ and Q-component $\hat Y_{Qi} = \operatorname{sgn}(\Im(Y_i G_i^*))$. We also note that the wiretapper observes $Z^n$ and $\tilde G^n$.
2. Syndrome generation through LDPC encoding at destination: The destination first randomly chooses the $k$-bit sequence $L_I^k$ with i.i.d. equally likely bits. It then generates the syndrome sequence $S_I^{m-l} = [L_I^k, \hat Y_I^n] H^T$. We note that each $S_I^{m-l}$ uniquely corresponds to a coset $E_I^m + C'$, where $E_I^m = [0^l, S_I^{m-l}(B^{-1})^T]$ is the coset leader. A similar encoding process is performed on $[L_Q^k, \hat Y_Q^n]$ to obtain $S_Q^{m-l}$ and $E_Q^m$, where $L_Q^k$ is another random sequence of i.i.d. equally likely bits, chosen independently of $L_I^k$. Finally, the destination sends $E_I^m$, $E_Q^m$, and $G^n$ back to the source via the public channel.
3. Decoding at source: The source performs belief propagation (BP) decoding to decode the codeword $U_I^m = [L_I^k, \hat Y_I^n] + E_I^m\ (\in C')$ from observing $X_I^n$, $E_I^m$ and $G^n$. Similarly, it also separately decodes the codeword $U_Q^m = [L_Q^k, \hat Y_Q^n] + E_Q^m$ from observing $X_Q^n$, $E_Q^m$ and $G^n$. Let $\hat U_I^m$ and $\hat U_Q^m$ denote the decoded codewords for $U_I^m$ and $U_Q^m$, respectively.
4. Key generation at source and destination: The destination uses $[L_I^k, L_Q^k]$ as its key. The source sets its key to be $[K_I^k, K_Q^k]$, where $K_I^k$ and $K_Q^k$ contain the respective first $k$ bits of $\hat U_I^m$ and $\hat U_Q^m$.
We note that the above scheme is permissible with $t = n + 1$, $K = [K_I^k, K_Q^k]$, $L = [L_I^k, L_Q^k]$, and $\Psi_{n+1} = (E_I^m, E_Q^m, G^n)$ is the only message sent via the public channel at the last time instant $n + 1$, as described in Section 2.2.
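As an added, runnable illustration that is not part of the dissertation, the following Python snippet carries steps 1 to 4 through for a single component on constructed inputs: the binary BCH(15,7) code (minimum distance 5) stands in for the irregular LDPC code $C'$, brute-force minimum-distance decoding stands in for BP, and the key, the quantised sequence and the source's noisy copy of it are chosen by hand ($m = 15$, $l = 7$, $k = 2$, $n = 13$). It also enumerates every $\hat Y^n$ for a fixed key to exhibit the property the secrecy analysis of this section relies on, namely that the coset leader $E^m$ is uniform and carries no information about $L^k$.

```python
"""One component (I or Q) of the Chapter 5 key-agreement steps, as an added toy run."""

# Constructed parameters: BCH(15,7) stands in for the LDPC code C' and brute-force
# minimum-distance decoding stands in for belief propagation.
M, L, K = 15, 7, 2            # code length m, dimension l, key bits k
N = M - K                     # quantised destination bits per component, n = m - k
G_POLY = 0b111010001          # g(x) = x^8 + x^7 + x^6 + x^4 + 1, minimum distance 5

def bits_to_int(bits):
    """Position 0 of the list is the most significant bit (coefficient of x^(M-1))."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def poly_mod(word, g=G_POLY):
    """Remainder of word(x) modulo g(x) over GF(2)."""
    deg_g = g.bit_length() - 1
    for shift in range(word.bit_length() - 1, deg_g - 1, -1):
        if (word >> shift) & 1:
            word ^= g << (shift - deg_g)
    return word

def gf2_mul(a, b):
    """Carry-less product of two GF(2) polynomials."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a, b = a << 1, b >> 1
    return out

# All 2^l codewords of C' = { u(x) g(x) : deg u < l }, as bit lists; index 0 is the zero word.
CODEBOOK = [int_to_bits(gf2_mul(u, G_POLY), M) for u in range(1 << L)]

def destination_encode(key_bits, yhat_bits):
    """Step 2: syndrome S = [L^k, Yhat^n] H^T, realised as the remainder modulo g(x), and
    coset leader E^m = [0^l, S (B^-1)^T]; with H in systematic form B = I, so E = [0^l, S]."""
    syn = int_to_bits(poly_mod(bits_to_int(key_bits + yhat_bits)), M - L)
    return [0] * L + syn

def source_decode(x_bits, e_bits):
    """Steps 3 and 4: pick the codeword U^m in C' closest to X^n + E^m on the n observed
    positions (the k key positions are punctured) and take its first k bits as K^k."""
    target = [x ^ e for x, e in zip(x_bits, e_bits[K:])]
    best = min(CODEBOOK, key=lambda c: sum(a != b for a, b in zip(c[K:], target)))
    return best[:K]          # K^k = U^m[:k] + E^m[:k], and E^m[:k] = 0 because k <= l

def run_component(key_bits, yhat_bits, x_bits):
    """End-to-end run; returns (key decoded at the source, whether U^m lies in C')."""
    e_bits = destination_encode(key_bits, yhat_bits)
    u_bits = [a ^ b for a, b in zip(key_bits + yhat_bits, e_bits)]   # destination's U^m
    return source_decode(x_bits, e_bits), poly_mod(bits_to_int(u_bits)) == 0

def punctured_min_distance():
    """Minimum weight of C' on the n observed positions; >= 3 guarantees one flip is fixed."""
    return min(sum(c[K:]) for c in CODEBOOK[1:])

def syndrome_histogram(key_bits):
    """Count every syndrome over all 2^n sequences Yhat^n for a fixed key: a flat
    histogram for every key is the statement that E^m reveals nothing about L^k."""
    counts = [0] * (1 << (M - L))
    head = bits_to_int(key_bits) << N
    for y in range(1 << N):
        counts[poly_mod(head | y)] += 1
    return counts

# Constructed sample input: a key, the destination's quantised bits, and the source's
# noisy copy of them with one disagreement (position 5).
KEY = [1, 0]
YHAT = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0]
X_SRC = YHAT[:5] + [1 - YHAT[5]] + YHAT[6:]

if __name__ == "__main__":
    print("decoded key, U in C':", run_component(KEY, YHAT, X_SRC))   # ([1, 0], True)
    print("punctured min distance:", punctured_min_distance())
    print("every syndrome seen 32 times:", set(syndrome_histogram(KEY)) == {32})
```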
Similar to Section 4.2, we evaluate the secrecy performance of the scheme in terms of the achievable key-leakage rate pair defined in Section 2.2. First, based on the chosen distributions of $L_I^k$, $L_Q^k$, and $X^n$, the memoryless nature of the fast-fading wiretap channel, and the symbol-by-symbol, component-by-component hard decision performed to obtain $\hat Y^n$ at the destination, it is easy to check that $H(L_I^k) = H(L_Q^k) = k$, $H(L_I^k, \hat Y_I^n \mid G^n) = H(L_Q^k, \hat Y_Q^n \mid G^n) = m$, and $I(L_I^k, L_Q^k; G^n) = 0$. Together with the linearity of LDPC codes, we can also conclude that $H(E_I^m \mid G^n) = H(E_Q^m \mid G^n) = m - l$ and
$$
I(L_I^k, L_Q^k; E_I^m, E_Q^m, G^n) = I(L_I^k, L_Q^k; G^n) + I(L_I^k, L_Q^k; E_I^m, E_Q^m \mid G^n) = 0,
$$
since $(E_I^m, E_Q^m)$ are conditionally uniformly distributed and independent of $(L_I^k, L_Q^k)$ given $G^n$.
Next, consider
$$
\begin{aligned}
&I(K_I^k, K_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m, G^n) \\
&\le I(L_I^k, L_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m, G^n) + I(K_I^k, K_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m, G^n \mid L_I^k, L_Q^k) \\
&\le I(L_I^k, L_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m, G^n) + H(K_I^k, K_Q^k \mid L_I^k, L_Q^k) \\
&\le I(L_I^k, L_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m \mid G^n) + 2k\epsilon_s + 2,
\end{aligned}
\tag{5–3}
$$
where the last line is due to Fano's inequality and the result that $I(L_I^k, L_Q^k; G^n) = 0$.
Further, define $Z_{Ii} = \Re\{Z_i \tilde G_i^*\}$ and $Z_{Qi} = \Im\{Z_i \tilde G_i^*\}$. Then, we have
$$
\begin{aligned}
&I(L_I^k, L_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m \mid G^n) \\
&= H(L_I^k, L_Q^k \mid G^n) + H(E_I^m, E_Q^m \mid Z^n, \tilde G^n, G^n) - H(L_I^k, L_Q^k, E_I^m, E_Q^m \mid Z^n, \tilde G^n, G^n) \\
&= H(L_I^k, L_Q^k) + H(E_I^m, E_Q^m \mid Z^n, \tilde G^n, G^n) + H(\hat Y_I^n, \hat Y_Q^n \mid Z^n, \tilde G^n, E_I^m, E_Q^m, G^n, L_I^k, L_Q^k) \\
&\quad - H(L_I^k, L_Q^k, E_I^m, E_Q^m, \hat Y_I^n, \hat Y_Q^n \mid Z^n, G^n, \tilde G^n) \\
&\le H(L_I^k, L_Q^k) + H(E_I^m, E_Q^m \mid G^n) + H(\hat Y_I^n, \hat Y_Q^n \mid Z^n, \tilde G^n, E_I^m, E_Q^m, G^n, L_I^k, L_Q^k) \\
&\quad - H(L_I^k, L_Q^k, \hat Y_I^n, \hat Y_Q^n \mid Z^n, G^n, \tilde G^n) \\
&\le H(L_I^k) + H(L_Q^k) + H(E_I^m \mid G^n) + H(E_Q^m \mid G^n) + H(\hat Y_I^n, \hat Y_Q^n \mid Z_I^n, Z_Q^n, L_I^k, L_Q^k, E_I^m, E_Q^m, G^n, \tilde G^n) \\
&\quad - H(L_I^k, \hat Y_I^n \mid G^n) - H(L_Q^k, \hat Y_Q^n \mid G^n) + I(\hat Y_I^n, \hat Y_Q^n; Z^n \mid G^n, \tilde G^n) \\
&\le I(\hat Y^n; Z^n \mid G^n, \tilde G^n) - 2(l - k) + H(\hat Y_I^n \mid Z_I^n, L_I^k, E_I^m, G^n, \tilde G^n) + H(\hat Y_Q^n \mid Z_Q^n, L_Q^k, E_Q^m, G^n, \tilde G^n),
\end{aligned}
\tag{5–4}
$$
where the second-to-last inequality is due to the facts that $(L_I^k, \hat Y_I^n)$ and $(L_Q^k, \hat Y_Q^n)$ are conditionally independent given $G^n$, and that $I(L_I^k, L_Q^k; Z^n \mid \hat Y_I^n, \hat Y_Q^n, G^n, \tilde G^n) = 0$ as $L_I^k$ and $L_Q^k$ are independent of all channel observations made by the destination and wiretapper.
Suppose that the decoding process at the source achieves the error probability $\epsilon_s$ for both the I- and Q-channels. Then we have $\Pr\{K_I^k \ne L_I^k\} \le \epsilon_s$ and $\Pr\{K_Q^k \ne L_Q^k\} \le \epsilon_s$, which implies $\Pr\{[K_I^k, K_Q^k] \ne [L_I^k, L_Q^k]\} \le 2\epsilon_s$. Hence, Condition 1 in Section 2.2 is satisfied. Moreover, we also have $H(K_I^k \mid L_I^k) \le 1 + k\epsilon_s$, $H(L_I^k \mid K_I^k) \le 1 + k\epsilon_s$, $H(K_Q^k \mid L_Q^k) \le 1 + k\epsilon_s$ and $H(L_Q^k \mid K_Q^k) \le 1 + k\epsilon_s$ by Fano's inequality. That in turn implies that $\frac{1}{n} H(K_I^k, K_Q^k) \ge 2R_k - 2R_k\epsilon_s - \frac{2}{n}$. Further using the above result that $I(L_I^k, L_Q^k; E_I^m, E_Q^m, G^n) = 0$, we get $\frac{1}{n} I(K_I^k, K_Q^k; E_I^m, E_Q^m, G^n) \le 2R_k\epsilon_s + \frac{2}{n}$. Thus, Conditions 2, 4, and 5 in Section 2.2 are satisfied when $n$ is sufficiently large and $\epsilon_s$ is small enough.
Now, because the channel from $\hat Y^n$ to $Z^n$ is memoryless, we have $I(\hat Y^n; Z^n \mid G^n, \tilde G^n) \le nC_w(\beta)$. In addition, let us consider a pair of fictitious decoders at the wiretapper trying to decode 1) $\hat Y_I^n$ from observing $(Z_I^n, E_I^m, L_I^k, G^n, \tilde G^n)$, and 2) $\hat Y_Q^n$ from observing $(Z_Q^n, E_Q^m, L_Q^k, G^n, \tilde G^n)$. Suppose that both decoders achieve the error probability $\epsilon_w$. Then we have $H(\hat Y_I^n \mid Z_I^n, L_I^k, E_I^m, G^n, \tilde G^n) \le 1 + (l - k)\epsilon_w$ and $H(\hat Y_Q^n \mid Z_Q^n, L_Q^k, E_Q^m, G^n, \tilde G^n) \le 1 + (l - k)\epsilon_w$ by Fano's inequality. Putting all these and (5–4) back into (5–3), we obtain
$$
\frac{1}{n} I(K_I^k, K_Q^k; Z^n, \tilde G^n \mid E_I^m, E_Q^m, G^n) \le \frac{1}{n} I(K_I^k, K_Q^k; Z^n, \tilde G^n, E_I^m, E_Q^m, G^n)
\le C_w(\beta) - 2(R_c - R_k) + 2R_k\epsilon_s + 2(R_c - R_k)\epsilon_w + \frac{4}{n}.
\tag{5–5}
$$
Letting $R_l = C_w(\beta) - 2(R_c - R_k)$, Condition 3 in Section 2.2 is then satisfied if $\epsilon_s$ and $\epsilon_w$ are small enough and $n$ is large enough, showing that $(2R_k, R_l)$ is an achievable key-leakage rate pair.
Table 5-1. Degree distribution pairs of the rate-0.426, rate-0.362 and rate-0.276 irregular LDPC codes (columns in order: rate-0.426, rate-0.362, rate-0.276).
λ2   0.2613  0.2427  0.2543
λ3   0.1803  0.1769  0.1534
λ4   0.0247
λ5   0.1342  0.0977
λ6   0.0355  0.1238  0.0484
λ7   0.0614
λ9   0.0401
λ10  0.0900
λ11  0.1144
λ12  0.0707
λ15  0.1066
λ16  0.0718
λ25  0.1031
λ26  0.0600
λ32  0.2036
λ48  0.0814
λ49  0.1107
λ89  0.1179
λ90  0.0351
ρ6   0.0009  0.2849  0.9143
ρ7   0.9704  0.6085  0.0857
ρ8   0.1066
ρ11  0.0287
5.3 LDPC Codes Design and Performance
In this section, we design irregular LDPC codes for use in the proposed key-agreement scheme to achieve good secrecy performance. As described in Section 5.2, we can design good LDPC codes for the I-component and the resulting codes will also work well for the Q-component. To that end, we apply the code search procedure described in Section 4.3. Again, our goal is to design an irregular LDPC code $C'$ so that the pair $(C, W)$ works well for the channel from $\hat Y_I^n$ to $X_I^n$ and the channel from $\hat Y_I^n$ to $Z_I^n$ given $L_I^k$. For a target $R_k$, in order to minimize the achievable leakage rate $R_l$, Eqn. (5–5) suggests that we should maximize $R_c$ subject to the constraint that both $\epsilon_s$ and $\epsilon_w$ vanish as the BP decoders at the source and wiretapper iterate.
To illustrate the secrecy performance of the proposed key-agreement scheme over the fast-fading wiretap channel, we consider three different channel scenarios: (a) $P/\sigma^2 = 5$ dB and $\alpha^2 = -5$ dB, (b) $P/\sigma^2 = 2.5$ dB and $\alpha^2 = 0$ dB, and (c) $P/\sigma^2 = 0$ dB and $\alpha^2 = 5$ dB. The three scenarios correspond to cases in which the wiretapper's average SNR is weak, moderate and strong relative to the destination's average SNR. We apply the code search process described above in these three scenarios to obtain the irregular LDPC codes presented below. For scenario (a), Figure 5-2 shows the key-leakage rate pair $(2R_k, R_l)$ achieved by an irregular LDPC code obtained by setting $R_k = 0.34$ in the code search process. The code rate $R'_c$ of this irregular LDPC code is 0.426 and the corresponding degree distribution pair is shown in Table 5-1. The block length of the LDPC code is $m = 10^6$, and all length-4 loops are removed. Similarly, computer simulation is performed to obtain an estimate of $\epsilon_s$ and $\epsilon_w$, which are then employed to calculate an achievable leakage rate as in (5–5), provided that $\epsilon_s \le 0.01$ and $\epsilon_w \le 0.01$. The resulting achievable key-leakage rate pair $(2R_k, R_l)$ is plotted against the corresponding boundary of the $(C_q, R_l)$ region, which is shown by the solid curve in the figure. From Figure 5-2, we see that the pair $(2R_k, R_l) = (0.68, 0.036)$ is achieved by using this rate-0.426 irregular LDPC code.

Next, we consider the more challenging scenario (b) in which the wiretapper's average SNR is as strong as that of the destination. Figure 5-3 shows the secrecy performance of a rate-0.362 irregular LDPC code obtained by performing the code search process with $R_k = 0.193$. The degree distribution pair of this irregular LDPC code can also be found in Table 5-1. From Figure 5-3, we observe that the pair $(2R_k, R_l) = (0.386, 0.03)$ is achievable by this code.

Finally, we consider the hardest scenario (c) in which the wiretapper's average SNR is much stronger than that of the destination. Figure 5-4 shows the achievable $(2R_k, R_l)$ pair of a rate-0.276 irregular LDPC code obtained by performing the code search process with $R_k = 0.095$. The degree distribution pair of this irregular LDPC code is again shown in Table 5-1. From Figure 5-4, we see that the pair $(2R_k, R_l) = (0.19, 0.024)$ is achieved using this code. In conclusion, we can design good irregular LDPC codes for use in the modified key-agreement scheme to achieve good secrecy performance by performing the code search process described above under different channel scenarios.

Figure 5-2. Plot of the $(2R_k, R_l)$ pair achieved by the modified key-agreement scheme employing the rate-0.426 irregular LDPC code. [Figure; axes: $R_l$ (bpcu) versus $C_q$ or $2R_k$ (bpcu); curves: $C_q(R_l)$ at $P/\sigma^2 = 5$ dB, $\alpha^2 = -5$ dB, and the achievable $(2R_k, R_l)$ pair of the rate-0.426 irregular LDPC code.]
5.4 Summary
In this chapter, we extend and modify the proposed LDPC-based key-agreement
scheme for Gaussian wiretap channel to work in the fast Rayleigh fading wiretapper
channel. The modified key-agreement scheme employs irregular punctured LDPC codes
separately for the I- and Q-components of the wiretap channel. A density-evolution
based linear program is also used to systematically design good irregular LDPC codes
82
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.80
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9C
q or
2Rk (
bpcu
)
Rl (bpcu)
Cq(R
l) at P/σ2 = 2.5 dB, α2 = 0 dB
Achievable (2Rk,R
l) pair of the rate−0.362 irregular LDPC code
Figure 5-3. Plot of the (2Rk ,Rl) pair achieved by the modified key-agreement schemeemploying the rate-0.362 irregular LDPC code.
for use in the proposed scheme. Simulation results demonstrate that the irregular LDPC
codes obtained from the code search process achieve secrecy performance close to the
relaxed key capacity of the fast Rayleigh fading wiretap channel under various channel
settings.
Figure 5-4. Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.276 irregular LDPC code. [Figure: Rl (bpcu) on the horizontal axis, Cq or 2Rk (bpcu) on the vertical axis; curves: Cq(Rl) at P/σ² = 0 dB, α² = 5 dB, and the achievable (2Rk, Rl) pair of the rate-0.276 irregular LDPC code.]
CHAPTER 6
CONCLUSIONS
In this dissertation research, we designed practical secret-sharing schemes to allow
a source and destination to share secret information (a key) over a noisy channel in the
presence of an eavesdropper, or wiretapper.
Chapter 2 of this dissertation introduced the concept of relaxed key capacity, which
was defined as the maximum achievable key rate when the leakage rate was bounded
below a fixed value. The relaxed key capacity was employed in this dissertation as a
better benchmark than the “straight” key capacity to evaluate the secrecy performance
of practical secret-sharing schemes since they admit non-zero leakage rate because of
various practical implementation constraints.
In Chapter 3, we presented the proposed key-agreement scheme for the BPSK
constrained Gaussian wiretap channel with hard-decision quantization at the destination.
The proposed scheme employs an ensemble of regular LDPC codes to support key
agreement. We proved that the proposed key-agreement scheme achieves the relaxed
key capacity with asymptotically large block length. This asymptotic result motivated
us to develop practical implementations of the proposed key-agreement scheme using
fixed irregular LDPC codes with finite block length and the more practical BP decoders.
Under these practical constraints, we obtained an upper bound on the amount of
information about the key leaked to the wiretapper to evaluate the secrecy performance
of the practical key-agreement schemes. We noticed that a similar LDPC-based
key-agreement scheme was proposed in [16], and a careful comparison to our proposed
scheme was also given in Chapter 3. We show that the scheme discussed in [16] is
more restrictive than our proposed key-agreement scheme. Simulation results confirmed
that the proposed scheme outperforms the scheme of [16] when restricting our attention
to fixed regular LDPC codes with small node degree and finite block length. However,
simulation results also show that fixed regular LDPC codes with small node degree and
finite block length do not provide good enough secrecy performance. To compensate,
we thus proposed the use of irregular LDPC codes in the proposed key-agreement
scheme to achieve better secrecy performance. Moreover, a density-evolution based
linear program was also proposed to systematically and efficiently design good irregular
LDPC codes to achieve a target key rate so that the amount of information leaked
to the wiretapper is minimized. Simulation results show that the secret-sharing irregular
LDPC codes obtained from our search perform relatively close to the relaxed key
capacity of the BPSK-constrained Gaussian wiretap channel and significantly outperform
regular LDPC codes as well as irregular LDPC codes that were optimized only for
information reconciliation.
In Chapter 4, the proposed key-agreement schemes were extended to the case
when the source transmits M-ary PAM symbols, as a means to achieve higher key
rate. Multilevel coding and multistage decoding were employed to transform the M-ary
transmission into M binary-input wiretap channels. We used the density-evolution
based linear program to design M irregular LDPC codes such that each of them worked
well for the corresponding binary-input wiretap channel. Moreover, punctured irregular
LDPC codes were adopted in the proposed key-agreement scheme to protect the
secret key from direct exposure to the wiretapper. Chapter 5 applied the proposed
key-agreement scheme to the fast-fading wiretap channel. We showed how the I-
and Q-components of the fast Rayleigh fading wiretap channel can be handled
separately in the key-agreement scheme. We also designed good LDPC codes for
use in the fast fading Rayleigh wiretap channel by using the density-evolution based
linear program. To summarize, we demonstrated in Chapter 4 and Chapter 5 that the
proposed key-agreement scheme and code search process were flexible enough to
take into account the cases when the source transmitted PAM symbols and when
the destination and wiretapper channels were both fast Rayleigh fading channels.
Simulation results show that the proposed key-agreement scheme achieves a leakage
rate of only 10% of the associated key rate in most of the channel settings considered,
even if the wiretapper channel was much stronger than the destination channel.
Finally, we point out that the arguments in the proof of Theorem 2.1 can be modified
to show the existence of an LDPC code (from the same regular LDPC code ensemble
considered in Section 3.2) that achieves the secrecy capacity [2, 5] of the Gaussian
wiretap channel with the BPSK source-symbol constraint. In Appendix D, we develop
a coding scheme for sending secret messages over the BPSK-constrained Gaussian
wiretap channel. Moreover, we demonstrate that the density-evolution based linear
program used extensively in this dissertation can be employed to find irregular LDPC
codes that give secrecy performance close to the boundary of the secrecy-equivocation
rate region of the BPSK-constrained Gaussian wiretap channel.
APPENDIX A
PROOF OF THEOREM 2.1
The case with discrete channel alphabets is established in [4, Corollary 2 of
Theorem 2]. The converse proof in [4] is directly applicable to continuous channel
alphabets, provided the average power constraint (2–1) can be incorporated into the
arguments in [4, pp. 1129–1130]. This latter requirement is simplified by the additive and
symmetric nature of the average power constraint [46, Section 3.6]. To avoid too much
repetition, we outline below only the steps of the proof that are not directly available in
[4, pp. 1129–1130]. For every permissible strategy with achievable key rate R, we have
$$
\begin{aligned}
\frac{1}{n} I(K;L) &= \frac{1}{n} H(K) - \frac{1}{n} H(K|L) \\
&\ge \frac{1}{n} H(K) - \frac{1}{n}\bigl[1 + \Pr\{K \ne L\} \cdot \log |\mathcal{K}|\bigr] \\
&> \frac{1}{n} H(K) - \frac{1}{n} - \varepsilon \Bigl[\frac{1}{n} H(K) + \varepsilon\Bigr] \\
&> (1-\varepsilon)(R-\varepsilon) - \frac{1}{n} - \varepsilon^2,
\end{aligned}
$$
where the second line follows from Fano’s inequality, the third line results from
Conditions 1 and 5 in the definition of achievable key-leakage rate pair, and the last
line is due to Condition 4. In other words, every permissible secret-sharing strategy that
achieves the key-leakage rate pair (R,Rl) must satisfy
$$
R < \frac{1}{1-\varepsilon}\Bigl[\frac{1}{n} I(K;L) + \frac{1}{n} + \varepsilon^2\Bigr] + \varepsilon. \tag{A–1}
$$
Thus it suffices to upper bound I (K ;L). From Conditions 2, 3 and the chain rule, we
have
$$
\begin{aligned}
\frac{1}{n} I(K;L) &\le \frac{1}{n} I(K;L|Z^n,\Phi^t,\Psi^t) + \frac{1}{n} I(K;Z^n|\Phi^t,\Psi^t) + \frac{1}{n} I(K;\Phi^t,\Psi^t) \\
&\le \frac{1}{n} I(K;L|Z^n,\Phi^t,\Psi^t) + R_l + 2\varepsilon \le \frac{1}{n}\sum_{j=1}^{n} I(X_j;Y_j|Z_j) + R_l + 2\varepsilon,
\end{aligned}
$$
where the last inequality is due to the bound $I(K;L|Z^n,\Phi^t,\Psi^t) \le \sum_{j=1}^{n} I(X_j;Y_j|Z_j)$, which
is shown in [4, pp. 1129–1130]. Similarly, using the chain rule and Condition 2, we also
have
$$
\begin{aligned}
\frac{1}{n} I(K;L) &\le \frac{1}{n} I(K;L|\Phi^t,\Psi^t) + \frac{1}{n} I(K;\Phi^t,\Psi^t) \\
&\le \frac{1}{n} I(K;L|\Phi^t,\Psi^t) + \varepsilon \le \frac{1}{n}\sum_{j=1}^{n} I(X_j;Y_j) + \varepsilon,
\end{aligned}
$$
where the last inequality is due to the bound $I(K;L|\Phi^t,\Psi^t) \le \sum_{j=1}^{n} I(X_j;Y_j)$, which again
can be shown by a simple modification to [4, pp. 1129–1130].
Now let Q be a uniform random variable that takes value from {1, 2, ... , n} and is
independent of all other random quantities. Define $(\bar X, \bar Y, \bar Z) = (X_j, Y_j, Z_j)$ if $Q = j$. Then $p_{\bar Y, \bar Z | \bar X}(y, z | x) = p_{Y, Z | X}(y, z | x)$. Combining the two upper bounds on $\frac{1}{n} I(K;L)$ above, we have
$$
\begin{aligned}
\frac{1}{n} I(K;L) &\le \min\bigl\{ I(\bar X;\bar Y|\bar Z, Q) + R_l,\; I(\bar X;\bar Y|Q) \bigr\} + 2\varepsilon \\
&\le \min\bigl\{ I(\bar X;\bar Y|\bar Z) + R_l,\; I(\bar X;\bar Y) \bigr\} + 2\varepsilon,
\end{aligned}
\tag{A–2}
$$
where the last inequality is due to the fact that $Q \to \bar X \to (\bar Y, \bar Z)$ forms a Markov chain.
The power constraint (2–1) implies that $E[|\bar X|^2] \le P$. Combining (A–1) and (A–2), we
obtain
$$
R < \frac{1}{1-\varepsilon}\Bigl[\min\bigl\{ I(\bar X;\bar Y|\bar Z) + R_l,\; I(\bar X;\bar Y) \bigr\} + 2\varepsilon + \frac{1}{n}\Bigr]. \tag{A–3}
$$
Since ε can be arbitrarily small, (A–3) implies the converse result, i.e.,
$$
\begin{aligned}
R &\le \min\bigl\{ I(\bar X;\bar Y|\bar Z) + R_l,\; I(\bar X;\bar Y) \bigr\} \le \max_{X:\,E[|X|^2]\le P} \min\bigl\{ I(X;Y|Z) + R_l,\; I(X;Y) \bigr\} \\
&= \max_{X:\,E[|X|^2]\le P} \min\bigl\{ I(X;Y) - I(Y;Z) + R_l,\; I(X;Y) \bigr\},
\end{aligned}
$$
where the last line is due to the fact that p(y , z |x) = p(y |x)p(z |x).
The achievability proof provided in [4] (also the ones in [47, 48]) for discrete channel
alphabets does not readily extend to continuous channel alphabets. Nevertheless,
the same single backward message strategy suggested in [4] is still applicable for
continuous alphabets. That strategy uses k = n + 1 time instants with ij = j for
j = 1, 2, ... , n. That is, the source first sends n symbols through the (X ,Y ,Z) channel;
after receiving these n symbols, the destination feeds back a single message at the last
time instant to the source over the public channel. We provide a carefully structured
Wyner-Ziv code to support this secret-sharing strategy. The main steps of the key
agreement procedure are the following:
1. The source sends a sequence of i.i.d. symbols $X^n$;
2. The destination "quantizes" its received sequence $Y^n$ into $\hat Y^n$ with a Wyner-Ziv compression scheme;
3. The destination uses a binning scheme with the quantized symbol sequences to determine the secret key and the information to feed back to the source over the public channel;
4. The source exploits the information sent by the destination to reconstruct the destination's quantized sequence $\hat Y^n$ and uses the same binning scheme to generate its secret key.
For the memoryless wiretap channel (X ,Y ,Z) specified by the joint pdf
$p(y|x)p(z|x)p(x)$, consider the quadruple $(X, Y, \hat Y, Z)$ defined by the joint pdf
$p(x, y, \hat y, z) = p(\hat y|y)p(y|x)p(z|x)p(x)$ with $p(\hat y|y)$ to be specified later. Given a
sequence of $n$ elements $x^n = (x_1, x_2, \ldots, x_n)$, $p(x^n) = \prod_{j=1}^{n} p(x_j)$ unless otherwise
specified. Similar notation and convention apply to all other sequences as well as their
corresponding pdfs and conditional pdfs considered hereafter.
A.1 Random Code Generation
Fix the source distribution p(x) to achieve the maximum in the Rl -relaxed key
capacity expression, choose $p(\hat y|y)$ such that $I(X;\hat Y) - I(\hat Y;Z) > 0$ and $I(\hat Y;Z) > 0$,
and let $p(\hat y)$ denote the corresponding marginal. Note that the existence of such $p(\hat y|y)$
can be assumed without loss of generality if $I(X;Y) - I(Y;Z) > 0$ and $I(Y;Z) > 0$. If
I (X ;Y )− I (Y ;Z) = 0, there is nothing to prove. Similarly, if I (Y ;Z) = 0, the construction
below can be trivially modified to show that I (X ;Y ) is an achievable key rate.
Fix a small $\varepsilon > 0$ (small enough so that the various rate definitions and bounds on
probabilities below make sense and are non-trivial). If $R_l < I(\hat Y;Z)$, let us define
$$
\begin{aligned}
R_1 &\triangleq I(Y;\hat Y) + 4\varepsilon \\
R_2 &\triangleq I(Y;\hat Y) - I(X;\hat Y) + 22\varepsilon \\
R_3 &\triangleq I(X;\hat Y) - I(\hat Y;Z) + R_l - \varepsilon \\
R_4 &\triangleq I(\hat Y;Z) - R_l - 17\varepsilon.
\end{aligned}
\tag{A–4}
$$
For each $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$, generate $2^{nR_4}$ codewords
$\hat Y^n(j,\ell,1), \hat Y^n(j,\ell,2), \ldots, \hat Y^n(j,\ell,2^{nR_4})$ according to $p(\hat y^n)$. The set of codewords
$\{\hat Y^n(j,\ell,k)\}$ with $k = 1, \ldots, 2^{nR_4}$ forms a subcode denoted by $\mathcal{C}(j,\ell)$. The union of all
subcodes $\mathcal{C}(j,\ell)$ for $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$ forms the code $\mathcal{C}$. For
convenience, we denote the $2^{nR_1}$ codewords in $\mathcal{C}$ as $\hat Y^n(1), \hat Y^n(2), \ldots, \hat Y^n(2^{nR_1})$, where
$$
\hat Y^n\bigl(j + (\ell-1)2^{nR_2} + (w-1)2^{n(R_2+R_3)}\bigr) = \hat Y^n(j,\ell,w)
$$
for $j = 1, 2, \ldots, 2^{nR_2}$, $\ell = 1, 2, \ldots, 2^{nR_3}$, and $w = 1, 2, \ldots, 2^{nR_4}$. The code $\mathcal{C}$ and its subcodes $\mathcal{C}(j,\ell)$ are revealed to the source,
destination, and wiretapper. In the following, we refer to a codeword or its index in $\mathcal{C}$
interchangeably. Under this convention, the subcode $\mathcal{C}(j,\ell)$ is also the set that contains
all the indices of its codewords. Denote $\mathcal{C}(j) = \bigcup_{\ell=1}^{2^{nR_3}} \mathcal{C}(j,\ell)$ and $\mathcal{C}(\ell) = \bigcup_{j=1}^{2^{nR_2}} \mathcal{C}(j,\ell)$.
A.2 Secret Sharing Procedure
For convenience, we define the joint typicality indicator function $T_\varepsilon(\cdot)$ that takes in
a number of sequences as its arguments. The value of $T_\varepsilon(\cdot)$ is 1 if the sequences are
$\varepsilon$-jointly typical, and 0 otherwise. Further define the indicator function for the
sequence pair $(y^n, \hat y^n)$:
$$
S_\varepsilon(y^n, \hat y^n) =
\begin{cases}
1 & \text{if } \Pr\{T_\varepsilon(X^n, y^n, \hat y^n, Z^n) = 1\} \ge 1 - \varepsilon \\
0 & \text{otherwise,}
\end{cases}
$$
where $(X^n, Z^n)$ is distributed according to $p(x^n, z^n | y^n, \hat y^n)$ in the definition above.
The source generates a random sequence X n distributed according to p(xn). If X n
satisfies the average power constraint (2–1), the source sends X n through the (X ,Y ,Z)
channel. Otherwise, it ends the secret-sharing process. Since p(x) satisfies E [|X |2] ≤ P,
the law of large numbers implies that the probability of the latter event can be made
arbitrarily small by increasing n. Hence we can assume below, with no loss of generality,
that X n satisfies (2–1) and is sent by the source. This assumption helps to make the
probability calculations in later sections less tedious.
Upon reception of the sequence $Y^n$, the destination tries to quantize the received
sequence. Let $M$ be the output of its quantizer. Specifically, if there is a unique
sequence $\hat Y^n(m) \in \mathcal{C}$ for some $m \in \{1, 2, \ldots, 2^{nR_1}\}$ such that $S_\varepsilon(Y^n, \hat Y^n(m)) = 1$,
then it sets the output of the quantizer to $M = m$. If there is more than one such
sequence, $M$ is set to be the smallest such index $m$. If there is no such sequence,
it sets $M = 0$. Let $L$ and $J$ be the unique indices such that $\hat Y^n(M) \in \mathcal{C}(J, L)$. The index
$L$ will be used as the key while the index $J$ is fed back to the source over the public
channel, i.e. $\Psi_k = J$. If $M = 0$, set $J = 0$ and choose $L$ uniformly at random over $\{1, 2, \ldots, 2^{nR_3}\}$.
After receiving the feedback information $J$ via the public channel, the source
attempts to find a unique $\hat Y^n(m) \in \mathcal{C}$ such that $T_\varepsilon(X^n, \hat Y^n(m)) = 1$ and $m \in \mathcal{C}(J)$. If there
is such a unique $\hat Y^n(m)$, the source decodes $\hat M = m$. If there is no such sequence or
more than one such sequence, the source sets $\hat M = 0$. If $J = 0$, it sets $\hat M = 0$. Finally,
if $\hat M > 0$, the source generates its key $K = k$ such that $\hat M \in \mathcal{C}(J, k)$. If $\hat M = 0$, it sets
$K = 0$.
We also consider a fictitious receiver who observes the sequence $Z^n$ and obtains
both indices $J$ and $L$ via the public channel. This receiver sets $\tilde M = 0$ if $J = 0$.
Otherwise, it attempts to find a unique $\hat Y^n(m) \in \mathcal{C}$ such that $T_\varepsilon(\hat Y^n(m), Z^n) = 1$ and
$m \in \mathcal{C}(J, L)$. If there is such a unique $\hat Y^n(m)$, it decodes $\tilde M = m$. If there is no
such sequence or more than one such sequence, it sets $\tilde M = 0$.
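The nested binning of Section A.1 and the index-level steps of Section A.2 (destination output (J, L), source search within C(J), fictitious receiver search within C(J, L)), as an added Python illustration that is not part of the dissertation: the exponential sizes 2^{nR2}, 2^{nR3}, 2^{nR4} are replaced by small hypothetical integers n_j, n_l, n_w, and the typicality tests T_ε by caller-supplied predicates on codeword indices, so only the bookkeeping of the construction is modelled.

```python
"""Index bookkeeping for the nested binning code of Appendix A.1 and the
index-level steps of Appendix A.2.  Added illustration: n_j, n_l, n_w are
small hypothetical stand-ins for 2^{nR2}, 2^{nR3}, 2^{nR4}, and the typicality
tests T_eps are replaced by caller-supplied predicates on codeword indices."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class BinningCode:
    """The code C: codewords indexed 1..n_j*n_l*n_w (the role of 2^{nR1})."""
    n_j: int  # number of public-feedback values J   (2^{nR2})
    n_l: int  # number of key values L               (2^{nR3})
    n_w: int  # codewords per subcode C(j, l)         (2^{nR4})

    @property
    def size(self) -> int:
        return self.n_j * self.n_l * self.n_w

    def index_of(self, j: int, l: int, w: int) -> int:
        """m = j + (l-1) 2^{nR2} + (w-1) 2^{n(R2+R3)}, as in Appendix A.1."""
        if not (1 <= j <= self.n_j and 1 <= l <= self.n_l and 1 <= w <= self.n_w):
            raise ValueError("subcode index out of range")
        return j + (l - 1) * self.n_j + (w - 1) * self.n_j * self.n_l

    def triple_of(self, m: int) -> Tuple[int, int, int]:
        """Inverse of index_of: the unique (j, l, w) with codeword m in C(j, l)."""
        if not 1 <= m <= self.size:
            raise ValueError("codeword index out of range")
        w0, rem = divmod(m - 1, self.n_j * self.n_l)
        l0, j0 = divmod(rem, self.n_j)
        return j0 + 1, l0 + 1, w0 + 1

    def subcode(self, j: int, l: int) -> Set[int]:
        """C(j, l): the candidates of the fictitious receiver, which knows J and L."""
        return {self.index_of(j, l, w) for w in range(1, self.n_w + 1)}

    def bin_j(self, j: int) -> Set[int]:
        """C(j) = union over l of C(j, l): the candidates of the source, which knows J."""
        return set().union(*(self.subcode(j, l) for l in range(1, self.n_l + 1)))

    def bin_l(self, l: int) -> Set[int]:
        """C(l) = union over j of C(j, l)."""
        return set().union(*(self.subcode(j, l) for j in range(1, self.n_j + 1)))


def destination_output(code: BinningCode, m: int,
                       rng: Optional[random.Random] = None) -> Tuple[int, int]:
    """Destination step: quantizer output M -> (J, L).  J goes over the public
    channel, L is the key.  M = 0 gives J = 0 and a uniformly random L."""
    if m == 0:
        rng = rng or random.Random(0)  # seeded only to make the toy reproducible
        return 0, rng.randint(1, code.n_l)
    j, l, _ = code.triple_of(m)
    return j, l


def unique_hit(candidates: Set[int], is_typical: Callable[[int], bool]) -> int:
    """Decoding rule of both the source and the fictitious receiver: the unique
    candidate passing the typicality test, or 0 if there is none or several."""
    hits = [m for m in candidates if is_typical(m)]
    return hits[0] if len(hits) == 1 else 0


def run_round(code: BinningCode, m_true: int,
              source_typical: Callable[[int], bool],
              wiretap_typical: Callable[[int], bool],
              rng: Optional[random.Random] = None) -> Dict[str, int]:
    """One round at the index level.  source_typical(m) stands for the test
    T_eps(X^n, Y^n(m)) = 1 and wiretap_typical(m) for T_eps(Y^n(m), Z^n) = 1."""
    j, l = destination_output(code, m_true, rng)
    if j == 0:                         # quantizer failed: nothing to decode
        return {"J": 0, "L": l, "M_hat": 0, "K": 0, "M_tilde": 0}
    m_hat = unique_hit(code.bin_j(j), source_typical)          # |C(J)| = n_l * n_w
    k = code.triple_of(m_hat)[1] if m_hat > 0 else 0           # K = l with M_hat in C(J, l)
    m_tilde = unique_hit(code.subcode(j, l), wiretap_typical)  # |C(J, L)| = n_w
    return {"J": j, "L": l, "M_hat": m_hat, "K": k, "M_tilde": m_tilde}
```

The size ratio between `bin_j` and `subcode` is the point of the construction: the source, knowing only J, resolves among n_l·n_w candidates, while a receiver that also learns L is left with only the n_w codewords of C(J, L).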
A.3 Analysis of Probability of Error
We use a random coding argument to establish the existence of a code with rates
given by (A–4) such that $\Pr\{K \ne L\}$ and $\Pr\{\tilde M \ne M\}$ vanish in the limit of large block
length n. Without further clarification, we note that the probabilities of the events below,
except otherwise stated, are over the joint distribution of the codebook C, codewords,
and all other random quantities involved.
Before we proceed, we introduce the following lemma regarding the indicator
function Sε.
Lemma 2.
1. If $(Y^n, \hat Y^n)$ is distributed according to $p(y^n, \hat y^n)$, then $\Pr\{S_\varepsilon(Y^n, \hat Y^n) = 1\} > 1 - \varepsilon$ for sufficiently large $n$.
2. If $\hat Y^n$ is distributed according to $p(\hat y^n)$, then $\Pr\{S_\varepsilon(y^n, \hat Y^n) = 1\} \le \frac{2^{-n(R_1 - 7\varepsilon)}}{1-\varepsilon}$ for all $y^n$.
3. If $Y^n$ is distributed according to $p(y^n)$, then $\Pr\{S_\varepsilon(Y^n, \hat y^n) = 1\} \le \frac{2^{-n(R_1 - 7\varepsilon)}}{1-\varepsilon}$ for all $\hat y^n$.
4. If $(Y^n, \hat Y^n)$ is distributed according to $p(y^n)p(\hat y^n)$, then $\Pr\{S_\varepsilon(Y^n, \hat Y^n) = 1\} > (1-\varepsilon) \cdot 2^{-n(R_1 - \varepsilon)}$ for sufficiently large $n$.
Proof. 1. This claim is actually shown in [49]. We briefly sketch the proof here using our notation for completeness and easy reference. By the reverse Markov inequality [49],
$$
\Pr\{S_\varepsilon(Y^n, \hat Y^n) = 1\} \ge 1 - \frac{1 - \Pr\{T_\varepsilon(X^n, Y^n, \hat Y^n, Z^n) = 1\}}{1 - (1-\varepsilon)} > 1 - \varepsilon,
$$
where the second inequality is due to the fact that $\Pr\{T_\varepsilon(X^n, Y^n, \hat Y^n, Z^n) = 1\} > 1 - \varepsilon^2$ for sufficiently large $n$.
2. First, we only need to consider typical $y^n$ since the bound is trivial when $y^n$ is not typical. Notice that for any such $y^n$,
$$
\begin{aligned}
1 &\ge \int T_\varepsilon(x^n, y^n, \hat y^n, z^n)\, p(x^n, \hat y^n, z^n | y^n)\, dx^n\, dz^n\, d\hat y^n \\
&= \int \Pr\{T_\varepsilon(X^n, y^n, \hat y^n, Z^n) = 1\} \cdot \frac{p(y^n, \hat y^n)}{p(y^n)}\, d\hat y^n \\
&\ge \int \Pr\{T_\varepsilon(X^n, y^n, \hat y^n, Z^n) = 1\} \cdot \frac{2^{-n(h(Y,\hat Y)+\varepsilon)}}{2^{-n(h(Y)-\varepsilon)}}\, d\hat y^n \\
&= 2^{-n(h(\hat Y|Y)+2\varepsilon)} \int \Pr\{T_\varepsilon(X^n, y^n, \hat y^n, Z^n) = 1\}\, d\hat y^n.
\end{aligned}
$$
Hence
$$
\begin{aligned}
2^{n(h(\hat Y|Y)+2\varepsilon)} &\ge \int \Pr\{T_\varepsilon(X^n, y^n, \hat y^n, Z^n) = 1\}\, d\hat y^n \\
&\ge \int S_\varepsilon(y^n, \hat y^n) \cdot \Pr\{T_\varepsilon(X^n, y^n, \hat y^n, Z^n) = 1\}\, d\hat y^n \\
&\ge (1-\varepsilon) \int S_\varepsilon(y^n, \hat y^n)\, d\hat y^n.
\end{aligned}
\tag{A–5}
$$
Now
$$
\begin{aligned}
\Pr\{S_\varepsilon(y^n, \hat Y^n) = 1\} &= \int S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n)\, d\hat y^n \\
&\le \int S_\varepsilon(y^n, \hat y^n)\, 2^{-n(h(\hat Y)-\varepsilon)}\, d\hat y^n \\
&\le \frac{2^{-n(I(Y;\hat Y)-3\varepsilon)}}{1-\varepsilon},
\end{aligned}
$$
where the last inequality is due to (A–5).
3. Same as Part 2), interchanging the roles of $y^n$ and $\hat y^n$.
4. From Part 1), we get
$$
\begin{aligned}
1 - \varepsilon &< \int S_\varepsilon(y^n, \hat y^n)\, p(y^n, \hat y^n)\, dy^n\, d\hat y^n \\
&= \int S_\varepsilon(y^n, \hat y^n)\, \frac{p(y^n, \hat y^n)}{p(y^n)p(\hat y^n)}\, p(y^n)p(\hat y^n)\, dy^n\, d\hat y^n \\
&\le \int S_\varepsilon(y^n, \hat y^n) \cdot \frac{2^{-n(h(Y,\hat Y)-\varepsilon)}}{2^{-n(h(Y)+\varepsilon)} \cdot 2^{-n(h(\hat Y)+\varepsilon)}} \cdot p(y^n)p(\hat y^n)\, dy^n\, d\hat y^n \\
&= 2^{n(I(Y;\hat Y)+3\varepsilon)} \Pr\{S_\varepsilon(Y^n, \hat Y^n) = 1\}.
\end{aligned}
$$
Moreover we need to bound the probabilities of the following events pertaining to M.
Lemma 3.
1. $\Pr\{M = 0\} < 2\varepsilon$ for sufficiently large $n$.
2. For $m = 1, 2, \ldots, 2^{nR_1}$, $\Pr\{M = m\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}$.
3. When $n$ is sufficiently large, $\Pr\{M = m\} \ge \Bigl[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\Bigr]^{m-1} \cdot (1-\varepsilon)\, 2^{-n(R_1-\varepsilon)}$ uniformly for all $m = 1, 2, \ldots, 2^{nR_1}$.
4. When $n$ is sufficiently large, $\Pr\{J = j, L = \ell\} > (1-\varepsilon)^4 \cdot 2^{-n(R_1 - R_4 + 6\varepsilon)}$ uniformly for all $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$.
Proof. 1. We will use an argument similar to the one in the achievability proof of the rate distortion function in [38, Section 10.5] to bound $\Pr\{M = 0\}$. First note that $\{M = 0\}$ is the event that $S_\varepsilon(Y^n, \hat Y^n(m)) = 0$ for all $m \in \{1, 2, \ldots, 2^{nR_1}\}$, and hence
$$
\Pr\{M = 0\} = \Pr\Bigl\{\bigcap_{m=1}^{2^{nR_1}} \{S_\varepsilon(Y^n, \hat Y^n(m)) = 0\}\Bigr\} = \int \bigl[\Pr\{S_\varepsilon(y^n, \hat Y^n(1)) = 0\}\bigr]^{2^{nR_1}} p(y^n)\, dy^n, \tag{A–6}
$$
where the second equality is due to the fact that $\hat Y^n(1), \ldots, \hat Y^n(2^{nR_1})$ are i.i.d. given each fixed $y^n$. But
$$
\begin{aligned}
\bigl[\Pr\{S_\varepsilon(y^n, \hat Y^n(1)) = 0\}\bigr]^{2^{nR_1}} &= \Bigl[1 - \int S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n)\, d\hat y^n\Bigr]^{2^{nR_1}} \\
&= \Bigl[1 - \int S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n | y^n)\, \frac{p(y^n)p(\hat y^n)}{p(y^n, \hat y^n)}\, d\hat y^n\Bigr]^{2^{nR_1}} \\
&\le \Bigl[1 - \int S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n | y^n)\, \frac{2^{-n(h(Y)+\varepsilon) - n(h(\hat Y)+\varepsilon)}}{2^{-n(h(Y,\hat Y)-\varepsilon)}}\, d\hat y^n\Bigr]^{2^{nR_1}} \\
&= \Bigl[1 - 2^{-n(I(Y;\hat Y)+3\varepsilon)} \int S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n | y^n)\, d\hat y^n\Bigr]^{2^{nR_1}} \\
&\le 1 - \int S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n | y^n)\, d\hat y^n + \exp\bigl(-2^{n\varepsilon}\bigr),
\end{aligned}
\tag{A–7}
$$
where the inequality on the third line is due to the fact that $S_\varepsilon(y^n, \hat y^n) = 1$ implies $T_\varepsilon(y^n, \hat y^n) = 1$, and the last line results from the inequality $(1 - xy)^k \le 1 - x + e^{-ky}$ for all $0 \le x, y \le 1$ and positive integer $k$ [38, Lemma 10.5.3]. Substituting (A–7) back into (A–6) and using Lemma 2 Part 1), we get
$$
\Pr\{M = 0\} \le 1 - \Pr\{S_\varepsilon(Y^n, \hat Y^n) = 1\} + \exp\bigl(-2^{n\varepsilon}\bigr) < \varepsilon + \varepsilon = 2\varepsilon
$$
for sufficiently large $n$.
2. Notice that for $m = 1, 2, \ldots, 2^{nR_1}$,
$$
\begin{aligned}
\Pr\{M = m\} &= \Pr\{S_\varepsilon(Y^n, \hat Y^n(m)) = 1, S_\varepsilon(Y^n, \hat Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, \hat Y^n(1)) = 0\} \\
&= \int \Pr\{S_\varepsilon(y^n, \hat Y^n(1)) = 1\} \bigl[\Pr\{S_\varepsilon(y^n, \hat Y^n(1)) = 0\}\bigr]^{m-1} p(y^n)\, dy^n,
\end{aligned}
\tag{A–8}
$$
where the second equality results from the i.i.d. nature of $\hat Y^n(1), \ldots, \hat Y^n(m)$. Thus we have
$$
\Pr\{M = m\} \le \Pr\{S_\varepsilon(Y^n, \hat Y^n(1)) = 1\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon},
$$
where the last inequality is due to Part 2) of Lemma 2 since $Y^n$ and $\hat Y^n(1)$ are independent.
3. From (A–8), we have the lower bound
$$
\begin{aligned}
\Pr\{M = m\} &\ge \Bigl[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\Bigr]^{m-1} \Pr\{S_\varepsilon(Y^n, \hat Y^n(1)) = 1\} \\
&\ge \Bigl[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\Bigr]^{m-1} \cdot (1-\varepsilon)\, 2^{-n(R_1-\varepsilon)},
\end{aligned}
$$
where the first inequality is due to Part 2) of Lemma 2, and the second inequality is from Part 4) of Lemma 2 when $n$ is sufficiently large. Note that the same sufficiently large $n$ is enough to guarantee the validity of the lower bound above for all $m = 1, 2, \ldots, 2^{nR_1}$.
4. First note that, for $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$,
$$
\Pr\{J = j, L = \ell\} = \sum_{m \in \mathcal{C}(j,\ell)} \Pr\{M = m\} = \sum_{w=1}^{2^{nR_4}} \Pr\bigl\{M = j + (\ell-1)2^{nR_2} + (w-1)2^{n(R_2+R_3)}\bigr\}.
$$
Thus applying Part 3) of the lemma, we get
$$
\begin{aligned}
&\Pr\{J = j, L = \ell\} \\
&\ge (1-\varepsilon)\, 2^{-n(R_1-\varepsilon)} \cdot \sum_{w=1}^{2^{nR_4}} \Bigl[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\Bigr]^{j-1+(\ell-1)2^{nR_2}+(w-1)2^{n(R_2+R_3)}} \\
&\ge (1-\varepsilon)\, 2^{-n(R_1-\varepsilon)} \Bigl[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\Bigr]^{2^{n(R_2+R_3)}} \cdot \frac{1 - \bigl[1 - 2^{-n(R_1-7\varepsilon)}/(1-\varepsilon)\bigr]^{2^{nR_1}}}{1 - \bigl[1 - 2^{-n(R_1-7\varepsilon)}/(1-\varepsilon)\bigr]^{2^{n(R_2+R_3)}}} \\
&\ge (1-\varepsilon)\, 2^{-n(R_1-\varepsilon)} \Bigl[1 - \frac{2^{-n(R_4-7\varepsilon)}}{1-\varepsilon}\Bigr] \cdot \frac{1 - \bigl[1 - 2^{-n(R_1-7\varepsilon)}/(1-\varepsilon)\bigr]^{2^{nR_1}}}{1 - \bigl[1 - 2^{-n(R_4-7\varepsilon)}/(1-\varepsilon)\bigr]} \\
&\ge (1-\varepsilon)^2 \cdot 2^{-n(R_1-R_4+6\varepsilon)} \Bigl[1 - \frac{2^{-n(R_4-7\varepsilon)}}{1-\varepsilon}\Bigr] \Bigl[1 - \exp\Bigl(-\frac{2^{7n\varepsilon}}{1-\varepsilon}\Bigr)\Bigr] \\
&> (1-\varepsilon)^4 \cdot 2^{-n(R_1-R_4+6\varepsilon)}
\end{aligned}
\tag{A–9}
$$
uniformly for all $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$, when $n$ is sufficiently large. The lower bound on the fourth line of (A–9) above is obtained from the inequality $(1-x)^k \ge 1 - kx$ for any $0 \le x \le 1$ and positive integer $k$. The lower bound on the fifth line is in turn based on the inequality $(1-x)^k \le e^{-kx}$ for $0 \le x \le 1$ and positive integer $k$.
We first consider the error event $\{K \ne L\}$. Note that
$$
\begin{aligned}
\Pr\{K \ne L\} &= \Pr\{M = 0\} + \Pr\{M > 0, K \ne L\} \\
&= \Pr\{M = 0\} + \sum_{m=1}^{2^{nR_1}} \Pr\{E_m \cup \tilde E_m, M = m\} \\
&\le \Pr\{M = 0\} + \sum_{m=1}^{2^{nR_1}} \Pr\{E_m, M = m\} + \sum_{m=1}^{2^{nR_1}} \Pr\{\tilde E_m, M = m\},
\end{aligned}
\tag{A–10}
$$
where $E_m$ is the event $\{T_\varepsilon(X^n, \hat Y^n(m)) = 0\}$, and $\tilde E_m$ is the event that there is an
$m' \in \mathcal{C}(j)$ such that $m \in \mathcal{C}(j)$, $m' \ne m$, and $T_\varepsilon(X^n, \hat Y^n(m')) = 1$. From (A–8), we have
$$
\begin{aligned}
\Pr\{E_m, M = m\} &= \Pr\bigl\{T_\varepsilon(X^n, \hat Y^n(m)) = 0, S_\varepsilon(Y^n, \hat Y^n(m)) = 1, S_\varepsilon(Y^n, \hat Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, \hat Y^n(1)) = 0\bigr\} \\
&\le \Pr\bigl\{T_\varepsilon(X^n, Y^n, \hat Y^n(m), Z^n) = 0, S_\varepsilon(Y^n, \hat Y^n(m)) = 1, S_\varepsilon(Y^n, \hat Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, \hat Y^n(1)) = 0\bigr\} \\
&= \int \Bigl[\int \Pr\bigl\{T_\varepsilon(x^n, y^n, \hat Y^n(m), z^n) = 0, S_\varepsilon(y^n, \hat Y^n(m)) = 1\bigr\}\, p(x^n, z^n | y^n)\, dx^n\, dz^n\Bigr] \cdot \prod_{m'=1}^{m-1} \Pr\{S_\varepsilon(y^n, \hat Y^n(m')) = 0\}\, p(y^n)\, dy^n \\
&= \int \Bigl(\int \Bigl\{\int \bigl[1 - T_\varepsilon(x^n, y^n, \hat y^n, z^n)\bigr]\, p(x^n, z^n | y^n, \hat y^n)\, dx^n\, dz^n\Bigr\} \cdot S_\varepsilon(y^n, \hat y^n)\, p(\hat y^n)\, d\hat y^n\Bigr) \cdot \prod_{m'=1}^{m-1} \Pr\{S_\varepsilon(y^n, \hat Y^n(m')) = 0\}\, p(y^n)\, dy^n \\
&\le \varepsilon \cdot \Pr\bigl\{S_\varepsilon(Y^n, \hat Y^n(m)) = 1, S_\varepsilon(Y^n, \hat Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, \hat Y^n(1)) = 0\bigr\} \\
&= \varepsilon \cdot \Pr\{M = m\},
\end{aligned}
\tag{A–11}
$$
where the equality on the third line is due to the i.i.d. nature of $\hat Y^n(1), \ldots, \hat Y^n(2^{nR_1})$, the
equality on the fourth line results from the fact that $p(x^n, z^n | y^n) = p(x^n, z^n | y^n, \hat y^n)$ (since
$(X, Z) \to Y \to \hat Y$), and the inequality on the second last line is from the definition of the
indicator function $S_\varepsilon$.
Similarly, assuming $m \in \mathcal{C}(j)$, we have from (A–8)
$$
\begin{aligned}
\Pr\{\tilde E_m, M = m\} &\le \sum_{\substack{m' \in \mathcal{C}(j) \\ m' \ne m}} \Pr\bigl\{T_\varepsilon(X^n, \hat Y^n(m')) = 1, S_\varepsilon(Y^n, \hat Y^n(m)) = 1\bigr\} \\
&= \sum_{\substack{m' \in \mathcal{C}(j) \\ m' \ne m}} \int \Pr\{T_\varepsilon(x^n, \hat Y^n(m')) = 1\} \cdot \Pr\{S_\varepsilon(y^n, \hat Y^n(m)) = 1\}\, p(x^n, y^n)\, dx^n\, dy^n \\
&\le 2^{n(R_1-R_2)} \cdot 2^{-n(I(X;\hat Y)-3\varepsilon)} \cdot \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon} = \frac{2^{-n(R_1+8\varepsilon)}}{1-\varepsilon},
\end{aligned}
\tag{A–12}
$$
where the equality on the second line is due to the independence between $\hat Y^n(m')$
and $\hat Y^n(m)$, and the last inequality results from Part 2) of Lemma 2 and the bound
$\Pr\{T_\varepsilon(x^n, \hat Y^n(m')) = 1\} \le 2^{-n(I(X;\hat Y)-3\varepsilon)}$, which is a direct result of [38, Theorem 15.2.2].
Hence, substituting the bounds in (A–11) and (A–12) back into (A–10) and using Part 1)
of Lemma 3, we obtain
$$
\Pr\{K \ne L\} \le 2\varepsilon + \varepsilon \cdot \sum_{m=1}^{2^{nR_1}} \Pr\{M = m\} + \sum_{m=1}^{2^{nR_1}} \frac{2^{-n(R_1+8\varepsilon)}}{1-\varepsilon} \le 2\varepsilon + \varepsilon + \frac{2^{-8n\varepsilon}}{1-\varepsilon} < 4\varepsilon \tag{A–13}
$$
for $n$ sufficiently large.
Next we consider the event $\{\tilde M \ne M\}$. Define $F_m$ as the event $\{T_\varepsilon(\hat Y^n(m), Z^n) = 0\}$
and $\tilde F_m$ as the event that there is an $m' \in \mathcal{C}(j,\ell)$ such that $m \in \mathcal{C}(j,\ell)$, $m' \ne m$,
and $T_\varepsilon(\hat Y^n(m'), Z^n) = 1$. Then we have, when $n$ is sufficiently large, uniformly for all
$j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$,
$$
\begin{aligned}
&\Pr\{\tilde M \ne M \,|\, J = j, L = \ell\} \\
&\le \sum_{m \in \mathcal{C}(j,\ell)} \Pr\{F_m, M = m \,|\, J = j, L = \ell\} + \sum_{m \in \mathcal{C}(j,\ell)} \Pr\{\tilde F_m, M = m \,|\, J = j, L = \ell\} \\
&\le \sum_{m \in \mathcal{C}(j,\ell)} \varepsilon \cdot \Pr\{M = m \,|\, J = j, L = \ell\} + \sum_{m \in \mathcal{C}(j,\ell)} \frac{2^{-n(R_1+7\varepsilon)}}{1-\varepsilon} \cdot \frac{1}{\Pr\{J = j, L = \ell\}} \\
&\le \varepsilon + \frac{2^{-n(R_1+7\varepsilon)}}{1-\varepsilon} \cdot \frac{2^{nR_4}}{(1-\varepsilon)^4 \cdot 2^{-n(R_1-R_4+6\varepsilon)}} \\
&= \varepsilon + \frac{2^{-n\varepsilon}}{(1-\varepsilon)^5} < 2\varepsilon.
\end{aligned}
\tag{A–14}
$$
Note that the inequality on the third line of (A–14) results from upper bounds on
$\Pr\{F_m, M = m\}$ and $\Pr\{\tilde F_m, M = m\}$, which can be obtained in ways almost identical to
the derivations in (A–11) and (A–12) respectively. The inequality on the fourth line is, on
the other hand, due to Part 4) of Lemma 3.
By expurgating the random code ensemble, we obtain the following lemma.
Lemma 4. For any $\varepsilon > 0$ and $n$ sufficiently large, there exists a code $\mathcal{C}_n$ with the rates $R_1$,
$R_2$, $R_3$, and $R_4$ given by (A–4) such that
1. $\Pr\{K \ne L \,|\, \mathcal{C} = \mathcal{C}_n\} < 8\varepsilon$,
2. $\Pr\{\tilde M \ne M \,|\, \mathcal{C} = \mathcal{C}_n\} < 8\varepsilon$,
3. $\Pr\{M = m \,|\, \mathcal{C} = \mathcal{C}_n\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}$ for all $m = 1, 2, \ldots, 2^{nR_1}$, and
4. $\Pr\{L = \ell \,|\, \mathcal{C} = \mathcal{C}_n\} < 2^{-n(R_3-8\varepsilon)}$ for all $\ell = 1, 2, \ldots, 2^{nR_3}$.
Proof. Combining Part 1) of Lemma 3, (A–13), and (A–14), we have
$$
\Pr\{M = 0\} + \Pr\{K \ne L\} + \Pr\{\tilde M \ne M\} < 8\varepsilon
$$
for sufficiently large $n$. This implies that there must exist a $\mathcal{C}_n$ satisfying $\Pr\{K \ne L \,|\, \mathcal{C} = \mathcal{C}_n\} < 8\varepsilon$, $\Pr\{\tilde M \ne M \,|\, \mathcal{C} = \mathcal{C}_n\} < 8\varepsilon$, and $\Pr\{M = 0 \,|\, \mathcal{C} = \mathcal{C}_n\} < 8\varepsilon$. Thus, Parts 1) and 2)
are proved.
Now, fix this $\mathcal{C}_n$. For $m = 1, 2, \ldots, 2^{nR_1}$, let $\hat y^n(m)$ be the $m$th codeword of $\mathcal{C}_n$. Then,
by Part 3) of Lemma 2,
$$
\Pr\{M = m \,|\, \mathcal{C} = \mathcal{C}_n\} \le \Pr\{S_\varepsilon(Y^n, \hat y^n(m)) = 1\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon};
$$
hence, Part 3) results.
Note that, for $\ell = 1, 2, \ldots, 2^{nR_3}$,
$$
\Pr\{L = \ell \,|\, \mathcal{C} = \mathcal{C}_n\} = \Pr\{L = \ell \,|\, M = 0, \mathcal{C} = \mathcal{C}_n\} \Pr\{M = 0 \,|\, \mathcal{C} = \mathcal{C}_n\} + \Pr\{L = \ell, M > 0 \,|\, \mathcal{C} = \mathcal{C}_n\}. \tag{A–15}
$$
We know from the discussion above that $\Pr\{L = \ell \,|\, M = 0, \mathcal{C} = \mathcal{C}_n\} \Pr\{M = 0 \,|\, \mathcal{C} = \mathcal{C}_n\} < 2^{-nR_3} \cdot 8\varepsilon$. Also from Part 3) of the lemma,
$$
\Pr\{L = \ell, M > 0 \,|\, \mathcal{C} = \mathcal{C}_n\} = \sum_{m \in \mathcal{C}_n(\ell)} \Pr\{M = m \,|\, \mathcal{C} = \mathcal{C}_n\} \le 2^{n(R_1-R_3)} \cdot \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon} = \frac{2^{-n(R_3-7\varepsilon)}}{1-\varepsilon}.
$$
Putting these back into (A–15), we get
$$
\Pr\{L = \ell \,|\, \mathcal{C} = \mathcal{C}_n\} < 2^{-n(R_3-7\varepsilon)}\Bigl[8\varepsilon \cdot 2^{-7n\varepsilon} + \frac{1}{1-\varepsilon}\Bigr] < 2^{-n(R_3-8\varepsilon)}
$$
for sufficiently large $n$. Thus, Part 4) is proved.
In the remainder of this appendix, we use the fixed code $\mathcal{C}_n$ identified by Lemma 4. For
convenience, we drop the conditioning on $\mathcal{C}_n$.
A.4 Secrecy Analysis
First we proceed to bound $H(K)$. Note that
$$
H(K) = H(L) + H(K|L) - H(L|K) \ge H(L) - H(L|K). \tag{A–16}
$$
Using Part 1) of Lemma 4 together with Fano's inequality gives $H(L|K) \le 1 + 8n\varepsilon R_3$.
Moreover Part 4) of Lemma 4 implies that $H(L) > n(R_3 - 8\varepsilon)$. Putting these bounds back
into (A–16), we have
$$
R_3 - (8R_3 + 8)\varepsilon - \frac{1}{n} < \frac{1}{n} H(K) \le R_3. \tag{A–17}
$$
Next we bound $I(K; Z^n, J)$. Note that
$$
\begin{aligned}
I(K; Z^n, J) &= I(L; Z^n, J) + I(K; Z^n, J \,|\, L) - I(L; Z^n, J \,|\, K) \\
&\le I(L; Z^n, J) + I(K; Z^n, J \,|\, L) \\
&\le I(L; Z^n, J) + H(K \,|\, L) \\
&\le I(L; Z^n, J) + 8n\varepsilon R_3 + 1,
\end{aligned}
\tag{A–18}
$$
where the last inequality is obtained from Part 1) of Lemma 4 and Fano's inequality as
before. In addition, it holds that
$$
\begin{aligned}
I(L; Z^n, J) &= H(L) - H(L \,|\, Z^n, J) \\
&= H(L) - H(L, J \,|\, Z^n) + H(J \,|\, Z^n) \\
&= H(L) + H(J \,|\, Z^n) - H(L, J, M \,|\, Z^n) + H(M \,|\, Z^n, L, J) \\
&\le H(L) + H(J) - H(M \,|\, Z^n) - H(L, J \,|\, M, Z^n) + H(M \,|\, Z^n, L, J) \\
&\le H(L) + H(J) + I(M; Z^n) - H(M) + 8nR_1\varepsilon + 1,
\end{aligned}
$$
where the second last inequality follows from $H(J \,|\, Z^n) \le H(J)$, and the last inequality
follows from $H(L, J \,|\, M, Z^n) = 0$ (by definition of $J$ and $L$) and $H(M \,|\, Z^n, L, J) \le 1 + 8nR_1\varepsilon$
(by Fano's inequality applied to the fictitious receiver). By construction of the code $\mathcal{C}_n$,
it holds that $H(L) \le nR_3$ and $H(J) \le nR_2$. In addition, Part 3) of Lemma 4 implies
$H(M) \ge n(R_1 - 8\varepsilon)$. Finally, note that $I(M; Z^n) \le I(\hat Y^n; Z^n) \le I(Y^n; Z^n) = nI(Y;Z)$ by the
data-processing inequality applied to the Markov chain $\hat Y^n \to Y^n \to Z^n$ and the
memoryless property of the channel between $Y^n$ and $Z^n$. Combining these observations
and substituting the values of $R_1$, $R_2$, and $R_3$ given by (A–4) back into (A–18), we obtain
$$
\begin{aligned}
\frac{1}{n} I(K; Z^n, J) &\le R_2 + R_3 - R_1 + I(Y;Z) + (8R_1 + 8R_3 + 8)\varepsilon + \frac{2}{n} \\
&\le R_l + I(Y;Z) - I(\hat Y;Z) + (8R_1 + 8R_3 + 9)\varepsilon,
\end{aligned}
$$
when $n$ is sufficiently large. Without any rate limitation on the public channel, we can
choose the transition probability $p(\hat y|y)$ such that $I(Y;Z) - I(\hat Y;Z) \le \varepsilon$; therefore,
$$
\frac{1}{n} I(K; Z^n, J) \le R_l + (8R_1 + 8R_3 + 9)\varepsilon. \tag{A–19}
$$
Next we consider the asymptotic negligibility of $\frac{1}{n} I(K; J)$ conditioned on the code $\mathcal{C}_n$.
Similar to (A–18) we have
$$
I(K; J) \le I(L; J) + 8n\varepsilon R_3 + 1. \tag{A–20}
$$
Then for $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$, we have
$$
\Pr\{J = j, L = \ell\} = \sum_{w=1}^{2^{nR_4}} \Pr\bigl\{M = j + (\ell-1)2^{nR_2} + (w-1)2^{n(R_2+R_3)}\bigr\} \le \frac{2^{-n(R_2+R_3-7\varepsilon)}}{1-\varepsilon} < 2^{-n(R_2+R_3-8\varepsilon)}
$$
for sufficiently large $n$, where the first inequality is from Part 3) of Lemma 4. In other
words, $H(J, L) > n(R_2 + R_3 - 8\varepsilon)$ for sufficiently large $n$. Hence, together with the facts
$H(L) < nR_3$ and $H(J) < nR_2$, we have
$$
I(L; J) = H(L) + H(J) - H(J, L) \le nR_3 + nR_2 - n(R_2 + R_3 - 8\varepsilon) = 8n\varepsilon. \tag{A–21}
$$
Putting this bound back into (A–20), we obtain $\frac{1}{n} I(K; J) \le 8\varepsilon(R_3 + 1) + \frac{1}{n}$. Since $\varepsilon$ can
be chosen arbitrarily small, Part 1) of Lemma 4, (A–17), (A–19), and (A–21) together establish
the achievability of the relaxed key capacity. On the other hand, if $R_l \ge I(\hat Y; Z)$, the
code construction described above can be trivially modified to achieve the relaxed key
capacity. That is, set $R_4 = 0$ and $R_3$ arbitrarily close to $I(X; \hat Y)$.
APPENDIX B
PROOF OF LEMMA 1
As mentioned in the proof of Theorem 3.1, we adapt the proof of [39, Theorem 3]
to prove this lemma. The main argument is to establish that there is a secret-sharing
(dv , dc)-regular LDPC code ensemble (C,W) for which the ensemble average error
probabilities ϵs and ϵw simultaneously vanish as n increases under the assumptions
stated in the lemma.
To that end, we first examine the average weight spectra of the code C and
subspace W in the LDPC code ensemble:
Lemma 5. Consider the ensemble of $(n, l, k)$ secret-sharing codes $(\mathcal{C}, \mathcal{W})$ described in
Section 3.2. For $0 < m \le n$, let $S_m$ and $T_m$ be the average numbers of codewords of
Hamming weight $m$ in $\mathcal{C}$ and $\mathcal{W}$, respectively. Then, we have
$$
S_m = \binom{n}{m} \Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m), \tag{B–1}
$$
$$
T_m = \frac{2^{l-k} - 1}{2^l - 1} \cdot S_m \le 2^{-k} S_m, \tag{B–2}
$$
where $w(x^n)$ is the Hamming weight of $x^n$.
Proof. Eqn. (B–1), given in [39], is obvious. It is also clear from the description of the
code ensemble in Section 3.2 that
$$
\begin{aligned}
T_m &= \binom{n}{m} \Pr(x^n \in \mathcal{W} \,|\, x^n \in \mathcal{C}, w(x^n) = m) \Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m) \\
&= S_m \cdot \Pr(x^n \in \mathcal{W} \,|\, x^n \in \mathcal{C}, w(x^n) = m).
\end{aligned}
\tag{B–3}
$$
For any $x^n_0 \ne 0^n$ in $\mathcal{C}$, $\Pr(x^n_0 \in \mathcal{W} \,|\, x^n_0 \in \mathcal{C})$ equals the ratio of the number of $(l-k)$-dimensional subspaces in $\mathcal{C}$ that contain $x^n_0$ to the number of $(l-k)$-dimensional
subspaces in $\mathcal{C}$. The number of $(l-k)$-dimensional subspaces in $\mathcal{C}$ is
$$
\prod_{u=1}^{l-k} \frac{2^{l-u+1} - 1}{2^{l-k-u+1} - 1}
$$
(see [50, Theorem 7.1]). Further, let $X_0 = \{0^n, x^n_0\}$, and let $\mathcal{C}' = \mathcal{C}/X_0$ be the quotient of
$\mathcal{C}$ by $X_0$. Then $\mathcal{C}'$ is an $(l-1)$-dimensional linear space. If $\mathcal{W}$ is an $(l-k)$-dimensional
subspace in $\mathcal{C}$ that contains $x^n_0$, then $\mathcal{W}' = \mathcal{W}/X_0$ is an $(l-k-1)$-dimensional subspace
in $\mathcal{C}'$. On the other hand, suppose that $\mathcal{W}'$ is an $(l-k-1)$-dimensional subspace in $\mathcal{C}'$.
Then $\mathcal{W} = \bigcup_{w^n + X_0 \in \mathcal{W}'} (w^n + X_0)$ is an $(l-k)$-dimensional subspace in $\mathcal{C}$ that contains $x^n_0$. It
is also easy to see that the correspondence between $\mathcal{W}'$ and $\mathcal{W}$ above is one-to-one. As
a result, the number of $(l-k)$-dimensional subspaces in $\mathcal{C}$ that contain $x^n_0$ must be the
same as the number of $(l-k-1)$-dimensional subspaces in $\mathcal{C}'$, i.e.,
$$
\prod_{u=1}^{l-k-1} \frac{2^{l-u} - 1}{2^{l-k-u} - 1}.
$$
So we have
$$
\Pr(x^n_0 \in \mathcal{W} \,|\, x^n_0 \in \mathcal{C}) = \frac{2^{l-k} - 1}{2^l - 1}
$$
for all $x^n_0 \ne 0^n$ in $\mathcal{C}$. This implies
$$
\Pr(x^n \in \mathcal{W} \,|\, x^n \in \mathcal{C}, w(x^n) = m) = \frac{2^{l-k} - 1}{2^l - 1} \le 2^{-k}
$$
for $0 < m \le n$. Putting this back into (B–3), we obtain (B–2).
For $\mathcal{C}$ chosen uniformly from the $(d_v, d_c)$-regular LDPC code ensemble as described
in Section 3.2, an upper bound on $\Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m)$ is also available in [39, Lemma
2]:
• If $md_v$ is odd, $\Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m) = 0$.
• If $md_v$ is even,
$$
\Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m) \le
\begin{cases}
\dbinom{n-l}{md_v/2} \Bigl[\dfrac{md_v}{2(n-l)}\Bigr]^{md_v} & \text{for } md_v \le 2(n-l) \\[1.5ex]
\bigl[(n-l)d_c + 1\bigr] \Bigl[\dfrac{1 + (1 - \frac{2m}{n})^{d_c}}{2}\Bigr]^{n-l} & \text{otherwise.}
\end{cases}
$$
In addition, $\Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m) = \Pr(x^n \in \mathcal{C} \,|\, w(x^n) = n - m)$ (and hence $S_{n-m} = S_m$) if
$d_c$ is even.
Next, we employ Lemma 5 and the combined union and Shulman-Feder bound
in [39, Theorem 1] to bound ϵs and ϵw . To bound ϵw , consider the channel with Y n as
input and Z n as output. First, note that Y n contains i.i.d. equally likely binary elements.
Hence, this channel is a memoryless BISO channel, and is specified by the conditional
pdf $p_{Z|Y}(z|y) = p_{Z|X}(z|1)\, p_{X|Y}(1|y) + p_{Z|X}(z|{-1})\, p_{X|Y}(-1|y)$. Since $E^n_S + X^n_0 + \mathcal{W}$ is
a coset and the channel is memoryless BISO, it suffices to assume $Y^n = X^n_0 \in \mathcal{W}$. In
addition, note that all possible $X^n_0$ sequences are equally likely. Now, let $K = \frac{6 d_v \ln d_v}{1 - R_c}$
and $\beta = 2(1 - R_c)\, d_v\, e^{-1}\, 2^{-K}$. For any $\beta < \gamma < \frac{1}{2}$, applying the bound in [39, Theorem 1] to the
subcode $\mathcal{W}$, the ensemble average decoding error probability of the ML decoder at the
wiretapper can be upper-bounded as
$$
\epsilon_w \le
\begin{cases}
\tau_1 + \tau_2 + 2^{-nE^w_r(R_c - R_k + \frac{1}{n}\log_2 \alpha_w)} & \text{for odd } d_c \\[1ex]
\sum_{i=1}^{5} \tau_i + 2^{-nE^w_r(R_c - R_k + \frac{1}{n}\log_2 \alpha_w)} & \text{for even } d_c,
\end{cases}
\tag{B–4}
$$
where $\tau_1 = \sum_{m=1}^{\beta n} T_m D_w^m$, $\tau_2 = \sum_{m=\beta n+1}^{\gamma n} T_m D_w^m$, $\tau_3 = \sum_{m=n-\gamma n}^{n-\beta n-1} T_m D_w^m$, $\tau_4 = \sum_{m=n-\beta n}^{n-1} T_m D_w^m$, $\tau_5 = T_n D_w^n$, $D_w = \int \sqrt{p_{Z|Y}(z|1) \cdot p_{Z|Y}(z|{-1})}\, dz$,
$$
\alpha_w =
\begin{cases}
\max_{m \in \{\gamma n+1, \ldots, n\}} \dfrac{T_m}{2^{l-k} - 1} \cdot \dfrac{2^n}{\binom{n}{m}} & \text{for odd } d_c \\[1.5ex]
\max_{m \in \{\gamma n+1, \ldots, n-\gamma n-1\}} \dfrac{T_m}{2^{l-k} - 1} \cdot \dfrac{2^n}{\binom{n}{m}} & \text{for even } d_c,
\end{cases}
$$
and $E^w_r(R) = \max_q \max_{0 \le \rho \le 1} \{E^w_0(\rho, q) - \rho R\}$ is the random coding error exponent with
$$
E^w_0(\rho, q) = -\log_2 \int \Bigl[q(1)\, p_{Z|Y}(z|1)^{1/(1+\rho)} + q(-1)\, p_{Z|Y}(z|{-1})^{1/(1+\rho)}\Bigr]^{1+\rho} dz,
$$
and q is the probability mass function (pmf) of the channel input Y . It is known that the
optimal q is q(1) = q(−1) = 0.5.
Employing Lemma 5 and the bound on $\Pr(x^n \in \mathcal{C} \,|\, w(x^n) = m)$ that follows it (see also
[39, Lemma 2]), it is not hard to further bound the various terms in (B–4):
$$
\tau_1 \le
\begin{cases}
2^{-nR_k}\, n^{1-d_v/2}\, (1-R_c)^{-d_v/2}\, \dfrac{D_w}{1-D_w}\, \dfrac{(d_v/2)^{d_v}}{(d_v/2)!} & \text{for even } d_v \\[1.5ex]
2^{-nR_k}\, n^{2-d_v}\, (1-R_c)^{-d_v}\, \dfrac{D_w^2}{2(1-D_w^2)}\, \dfrac{d_v^{2d_v}}{d_v!} & \text{for odd } d_v,
\end{cases}
$$
$$
\frac{\log_2 \tau_2}{n} \le \frac{1}{n}\bigl\{\log_2 n + \log_2[(n-l)d_c + 1]\bigr\} - R_k + \max_{\beta \le x \le \gamma}\Bigl\{x \log_2 D_w + H_2(x) + (1-R_c)\bigl(\log_2[1 + (1-2x)^{d_c}] - 1\bigr)\Bigr\},
$$
and for even $d_c$,
$$
\tau_4 = \sum_{m=1}^{\beta n} T_m D_w^m D_w^{n-2m} \le \tau_1 D_w^{n(1-2\beta)}, \qquad
\frac{\log_2 \tau_3}{n} \le \frac{\log_2 \tau_2}{n} + (1-2\gamma)\log_2 D_w,
$$
and
$$
\tau_5 \le 2^{-nR_k} D_w^n = 2^{-n(R_k - \log_2 D_w)}.
$$
Also,
$$
\begin{aligned}
\frac{\log_2 \alpha_w}{n} &\le
\begin{cases}
(1-R_c) \max_{\gamma \le x \le 1} \log_2[1 + (1-2x)^{d_c}] + \frac{1}{n}\bigl\{1 + \log_2[(n-l)d_c + 1]\bigr\} & \text{for odd } d_c \\[1ex]
(1-R_c) \max_{\gamma \le x \le 1-\gamma} \log_2[1 + (1-2x)^{d_c}] + \frac{1}{n}\bigl\{1 + \log_2[(n-l)d_c + 1]\bigr\} & \text{for even } d_c
\end{cases} \\
&\le (1-R_c) \log_2[1 + (1-2\gamma)^{d_c}] + \frac{1}{n}\bigl\{1 + \log_2[(n-l)d_c + 1]\bigr\}.
\end{aligned}
$$
For bounding $\epsilon_s$, note that the channel with $Y^n$ as input and $X^n$ as output is a memoryless BSC and is specified by the conditional pmf $p_{X|Y}(x \mid y) = p_{Y|X}(y \mid x)$. Again, since $E_S^n + \mathcal{C}$ is a coset and the channel is memoryless BISO, it suffices to assume $Y^n = X_0^n \in \mathcal{C}$. With this identification, the resulting bound on $\epsilon_s$ follows the same line of arguments as above, and is essentially given in [39]. We summarize the bound below for later reference:
$$
\epsilon_s \le
\begin{cases}
\sigma_1 + \sigma_2 + 2^{-n E_r^s\left(R_c + \frac{1}{n}\log_2 \alpha_s\right)} & \text{for odd } d_c, \\[1ex]
\sigma_1 + \sigma_2 + \sigma_3 + \sigma_4 + \sigma_5 + 2^{-n E_r^s\left(R_c + \frac{1}{n}\log_2 \alpha_s\right)} & \text{for even } d_c,
\end{cases}
\tag{B–5}
$$
where
$$
\sigma_1 \le
\begin{cases}
n^{1-d_v/2}\,(1 - R_c)^{-d_v/2}\,\dfrac{D_s}{1 - D_s}\,\dfrac{(d_v/2)^{d_v}}{(d_v/2)!} & \text{for even } d_v, \\[2ex]
n^{2-d_v}\,(1 - R_c)^{-d_v}\,\dfrac{D_s^2}{2(1 - D_s^2)}\,\dfrac{d_v^{\,2d_v}}{d_v!} & \text{for odd } d_v,
\end{cases}
$$
$$
\frac{\log_2 \sigma_2}{n} \le \frac{1}{n}\left\{\log_2 n + \log_2\left[(n-l)d_c + 1\right]\right\}
+ \max_{\beta \le x \le \gamma}\left\{x \log_2 D_s + H_2(x) + (1 - R_c)\left(\log_2\left[1 + (1-2x)^{d_c}\right] - 1\right)\right\},
$$
and for even $d_c$,
$$
\sigma_4 = \sum_{m=1}^{\beta n} T_m D_s^m D_s^{\,n-2m} \le \sigma_1 D_s^{\,n(1-2\beta)},
\qquad
\frac{\log_2 \sigma_3}{n} \le \frac{\log_2 \sigma_2}{n} + (1 - 2\gamma)\log_2 D_s,
\qquad
\sigma_5 \le D_s^n = 2^{n \log_2 D_s},
$$
and
$$
\frac{\log_2 \alpha_s}{n} \le \frac{1}{n}\left\{1 + \log_2\left[(n-l)d_c + 1\right]\right\} + (1 - R_c)\log_2\left[1 + (1-2\gamma)^{d_c}\right],
$$
with $D_s = 2\sqrt{p_{X|Y}(1 \mid 1)\, p_{X|Y}(1 \mid -1)}$, and $E_r^s(R) = \max_q \max_{0 \le \rho \le 1}\{E_0^s(\rho, q) - \rho R\}$ is the random coding error exponent of the channel of interest based on
$$
E_0^s(\rho, q) = -\log_2\Big\{\left[q(1)\, p_{X|Y}(1 \mid 1)^{1/(1+\rho)} + q(-1)\, p_{X|Y}(1 \mid -1)^{1/(1+\rho)}\right]^{1+\rho}
+ \left[q(1)\, p_{X|Y}(-1 \mid 1)^{1/(1+\rho)} + q(-1)\, p_{X|Y}(-1 \mid -1)^{1/(1+\rho)}\right]^{1+\rho}\Big\}.
$$
Recall that $R_c < C_s(\beta)$ and $R_c - R_k < C_w(\beta)$ (here, as in Section 3.2, the argument of $C_s(\cdot)$ and $C_w(\cdot)$ is the BPSK amplitude, not the weight threshold $\beta$ defined above). Choose $\varepsilon > 0$ small enough such that $R_c + 2\varepsilon < C_s(\beta)$ and $R_c - R_k + 2\varepsilon < C_w(\beta)$. For any $0 < \gamma < 0.5$, there exist large enough $d_v$ and $d_c$ such that

1. $d_v / d_c = 1 - R_c$,
2. $0 < \beta < \gamma$,
3. $K < \varepsilon$, and
4. $\log_2\left[1 + (1 - 2\gamma)^{d_c}\right] < \varepsilon$.

With this choice of $(d_v, d_c)$, we have
$$
\begin{aligned}
\max_{\beta \le x \le \gamma}\left\{H_2(x) + (1 - R_c)\left(\log_2\left[1 + (1-2x)^{d_c}\right] - 1\right)\right\}
&\le H_2(\gamma) + (1 - R_c)\left\{\log_2\left[1 + (1-2\beta)^{d_c}\right] - 1\right\} \\
&\le H_2(\gamma) + (1 - R_c)\left[\log_2\left(1 + e^{-2 d_c \beta}\right) - 1\right] \\
&\le H_2(\gamma) + (1 - R_c)\left[\log_2\left(1 + e^{-4 e^{-1} 2^{-\varepsilon}}\right) - 1\right]
\end{aligned}
$$
for any $0 < \gamma < 0.5$, where the second inequality follows from the inequality $1 - 2x < e^{-2x}$ and the last inequality follows from the definition of $\beta$ together with $d_c(1 - R_c) = d_v$ and $K < \varepsilon$. Hence, we can make
$$
\max_{\beta \le x \le \gamma}\left\{H_2(x) + (1 - R_c)\left(\log_2\left[1 + (1-2x)^{d_c}\right] - 1\right)\right\} < 0
$$
by choosing $\gamma$ small enough: $R_c < C_s(\beta) \le 1$ guarantees $1 - R_c > 0$, the bracketed term is strictly negative, and $H_2(\gamma) \to 0$ as $\gamma \to 0$. Thus for sufficiently large $n$, we get the following results:

1. $\frac{1}{n}\log_2 \tau_2 < 0$ and $\frac{1}{n}\log_2 \tau_3 < 0$,
2. $\frac{1}{n}\log_2 \sigma_2 < 0$ and $\frac{1}{n}\log_2 \sigma_3 < 0$,
3. $R_c - R_k + \frac{1}{n}\log_2 \alpha_w \le R_c - R_k + (1 - R_c)\varepsilon + \varepsilon < C_w(\beta)$, and
4. $R_c + \frac{1}{n}\log_2 \alpha_s \le R_c + (1 - R_c)\varepsilon + \varepsilon < C_s(\beta)$.

Further, by employing the well known fact that the random coding exponent is positive if its rate argument is below channel capacity, we obtain the stated asymptotic behaviors of $\epsilon_s$ and $\epsilon_w$.
APPENDIX C
PROOFS OF (3-2) AND (3-3)

The proofs of (3–2) and (3–3) are established by checking the concavity and symmetry of $I(X;Y) - I(Y;Z)$ as a function of the binary source distribution in the respective cases.

C.1 Proof of (3-2)

The channel model described in (3–1) restricts all BPSK source symbols to have the fixed power $\beta^2$. However, $\beta$ can be chosen to be any value as long as it is less than $\sqrt{P}$. This means that the source distribution is characterized by $s = \Pr\{X = -1\}$ and $\beta$. For convenience, write $\bar{s} = 1 - s$. Let us further define the conditional densities $p(y \mid X = 1)$ and $p(y \mid X = -1)$ that specify the destination channel, respectively, as
$$
q_+(y) = \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left[-\frac{(y - \beta)^2}{2\sigma^2}\right],
\qquad
q_-(y) = \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left[-\frac{(y + \beta)^2}{2\sigma^2}\right].
$$
Then we have
$$
I(X;Y) = H(Y) - H(Y \mid X)
= \int_{-\infty}^{\infty} -\log_2\left(\bar{s}\, q_+(y) + s\, q_-(y)\right)\cdot\left[\bar{s}\, q_+(y) + s\, q_-(y)\right] dy - \frac{1}{2}\log_2 2\pi e\sigma^2.
$$
For a fixed value of $\beta$, let
$$
g(s) = -\int_{-\infty}^{\infty}\log_2\left[\bar{s}\, q_+(y) + s\, q_-(y)\right]\left[\bar{s}\, q_+(y) + s\, q_-(y)\right] dy
$$
be a function of $s$. It is easy to check that $g(s)$ is symmetric in the sense that $g(s) = g(\bar{s})$. Moreover, the second derivative of the integrand with respect to (w.r.t.) $s$ is non-positive over $[0, 1]$ for any $y$, so the second derivative of $g(s)$ is non-positive as well. This implies that $g(s)$ is concave over $[0, 1]$. Hence, $g(s)$ is Schur-concave [51] and is maximized by choosing $s = \bar{s} = 0.5$. As a result, we have
$$
\begin{aligned}
\max_{0 \le s \le 1} I(X;Y)
&= g(0.5) - \frac{1}{2}\log_2 2\pi e\sigma^2 \\
&= \left[H(X) - H(X \mid Y)\right]_{s=0.5} \\
&= 1 - \int_{-\infty}^{\infty} H_2\!\left(\frac{q_+(y)}{q_+(y) + q_-(y)}\right)\cdot\left[\frac{q_+(y) + q_-(y)}{2}\right] dy \\
&= 1 - \frac{1}{\sqrt{2\pi}}\int_{0}^{\infty} H_2\!\left(\frac{1}{1 + e^{-2\bar{\beta} y}}\right)\left(1 + e^{-2\bar{\beta} y}\right)\exp\left[-\frac{(y - \bar{\beta})^2}{2}\right] dy,
\end{aligned}
$$
where $\bar{\beta} = \beta/\sigma$; the last equality substitutes $y \to \sigma y$ and folds the integral onto $[0, \infty)$ using the symmetry of the integrand about $y = 0$. Similarly,
$$
\begin{aligned}
I(X;Y) - I(Y;Z) &= H(Y \mid Z) - H(Y \mid X) \\
&= \int_{-\infty}^{\infty}\int_{-\infty}^{\infty} -\log_2\left(\frac{\bar{s}\, q_+(y)\, p_+(z) + s\, q_-(y)\, p_-(z)}{\bar{s}\, p_+(z) + s\, p_-(z)}\right)\cdot\left[\bar{s}\, q_+(y)\, p_+(z) + s\, q_-(y)\, p_-(z)\right] dy\, dz - \frac{1}{2}\log_2 2\pi e\sigma^2,
\end{aligned}
$$
where $p_+(z)$ and $p_-(z)$ are the conditional densities of the wiretapper channel defined in Section C.2. For a fixed value of $\beta$, let
$$
f(s) = \int_{-\infty}^{\infty}\int_{-\infty}^{\infty} -\log_2\left(\frac{\bar{s}\, q_+(y)\, p_+(z) + s\, q_-(y)\, p_-(z)}{\bar{s}\, p_+(z) + s\, p_-(z)}\right)\cdot\left[\bar{s}\, q_+(y)\, p_+(z) + s\, q_-(y)\, p_-(z)\right] dy\, dz.
$$
By a similar argument as above, we conclude that $f(s)$ is Schur-concave and maximized by choosing $s = \bar{s} = 0.5$, and we have
$$
\begin{aligned}
\max_{0 \le s \le 1}\left[I(X;Y) - I(Y;Z)\right]
&= f(0.5) - \frac{1}{2}\log_2 2\pi e\sigma^2 \\
&= \int_{-\infty}^{\infty}\int_{-\infty}^{\infty} -\log_2\left(\frac{q_+(y)\, p_+(z) + q_-(y)\, p_-(z)}{[q_+(y) + q_-(y)][p_+(z) + p_-(z)]}\right)\cdot\left[\frac{q_+(y)\, p_+(z) + q_-(y)\, p_-(z)}{2}\right] dy\, dz
 + g(0.5) - \frac{1}{2}\log_2 2\pi e\sigma^2 - 1 \\
&= \int_{0}^{\infty}\int_{0}^{\infty} H_2\!\left(\frac{q_+(y)\, p_+(z) + q_-(y)\, p_-(z)}{[q_+(y) + q_-(y)][p_+(z) + p_-(z)]}\right)\left[q_+(y) + q_-(y)\right]\left[p_+(z) + p_-(z)\right] dy\, dz \\
&\qquad - \frac{1}{\sqrt{2\pi}}\int_{0}^{\infty} H_2\!\left(\frac{1}{1 + e^{-2\bar{\beta} y}}\right)\left(1 + e^{-2\bar{\beta} y}\right)\exp\left[-\frac{(y - \bar{\beta})^2}{2}\right] dy \\
&= \frac{1}{2\pi}\int_{0}^{\infty}\int_{0}^{\infty} H_2\!\left(\frac{1 + e^{-2\bar{\beta} y}\, e^{-2\alpha\bar{\beta} z}}{[1 + e^{-2\bar{\beta} y}][1 + e^{-2\alpha\bar{\beta} z}]}\right)\exp\left[-\frac{(y - \bar{\beta})^2}{2} - \frac{(z - \alpha\bar{\beta})^2}{2}\right]\left[1 + e^{-2\bar{\beta} y}\right]\left[1 + e^{-2\alpha\bar{\beta} z}\right] dy\, dz \\
&\qquad - \frac{1}{\sqrt{2\pi}}\int_{0}^{\infty} H_2\!\left(\frac{1}{1 + e^{-2\bar{\beta} y}}\right)\left(1 + e^{-2\bar{\beta} y}\right)\exp\left[-\frac{(y - \bar{\beta})^2}{2}\right] dy.
\end{aligned}
$$
Here the second equality splits $\log_2[q_+(y) + q_-(y)]$ off the logarithm and integrates it out over $z$, which produces the $g(0.5) - 1$ terms, and the third folds both integrals onto the positive quadrant using the sign symmetries of $q_\pm$ and $p_\pm$. Putting all these back into Theorem 2.1, the $R_l$-relaxed key capacity of the BPSK-constrained wiretap channel is thus given by
$$
\begin{aligned}
C_b(R_l) &= \max_{0 \le \beta \le \sqrt{P}}\ \max_{0 \le s \le 1}\ \min\left\{I(X;Y) - I(Y;Z) + R_l,\ I(X;Y)\right\} \\
&= \max_{0 \le \bar{\beta} \le \sqrt{P/\sigma^2}}\Big[\min\Big\{\frac{1}{2\pi}\int_{0}^{\infty}\int_{0}^{\infty} H_2\!\left(\frac{1 + e^{-2\bar{\beta} y}\, e^{-2\alpha\bar{\beta} z}}{[1 + e^{-2\bar{\beta} y}][1 + e^{-2\alpha\bar{\beta} z}]}\right)\left[1 + e^{-2\bar{\beta} y}\right]\left[1 + e^{-2\alpha\bar{\beta} z}\right] \\
&\qquad\qquad \cdot \exp\left[-\frac{(y - \bar{\beta})^2}{2} - \frac{(z - \alpha\bar{\beta})^2}{2}\right] dy\, dz + R_l,\ 1\Big\}
- \frac{1}{\sqrt{2\pi}}\int_{0}^{\infty} H_2\!\left(\frac{1}{1 + e^{-2\bar{\beta} y}}\right)\left(1 + e^{-2\bar{\beta} y}\right)\exp\left[-\frac{(y - \bar{\beta})^2}{2}\right] dy\Big],
\end{aligned}
$$
where the second equality is due to the fact that $s = \bar{s} = 0.5$ simultaneously maximizes both terms inside the min operator. Note that the maximum above may occur at an interior point of the interval $[0, \sqrt{P/\sigma^2}]$. That means the key capacity may be achieved by not transmitting at the maximum allowable source power.
C.2 Proof of (3-3)

To find the $R_l$-relaxed key capacity of the BPSK-constrained Gaussian wiretap channel with destination hard-decision quantization, first note that the destination channel (from $X$ to the hard-decision output $\hat{Y}$) is a BSC with cross-over probability $q = Q(\beta/\sigma)$. Similarly, write $\bar{q} = 1 - q$ and define the conditional densities $p(z \mid X = 1)$ and $p(z \mid X = -1)$ that specify the wiretapper channel, respectively, as
$$
p_+(z) = \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left[-\frac{(z - \alpha\beta)^2}{2\sigma^2}\right],
\qquad
p_-(z) = \frac{1}{\sqrt{2\pi}\,\sigma}\exp\left[-\frac{(z + \alpha\beta)^2}{2\sigma^2}\right].
$$
Then we have
$$
I(X;\hat{Y}) - I(\hat{Y};Z) = H(\hat{Y} \mid Z) - H(\hat{Y} \mid X)
= \int_{-\infty}^{\infty} H_2\!\left(\frac{\bar{s}\,\bar{q}\, p_+(z) + s\, q\, p_-(z)}{\bar{s}\, p_+(z) + s\, p_-(z)}\right)\cdot\left[\bar{s}\, p_+(z) + s\, p_-(z)\right] dz - H_2(q).
$$
Again, let
$$
f(s) = \int_{-\infty}^{\infty} H_2\!\left(\frac{\bar{s}\,\bar{q}\, p_+(z) + s\, q\, p_-(z)}{\bar{s}\, p_+(z) + s\, p_-(z)}\right)\left[\bar{s}\, p_+(z) + s\, p_-(z)\right] dz
$$
be a function of $s$. Note that $f(s)$ is again Schur-concave and is maximized by choosing $s = \bar{s} = 0.5$. Hence,
$$
\max_{0 \le s \le 1}\left[I(X;\hat{Y}) - I(\hat{Y};Z)\right] = f(0.5) - H_2(q).
$$
Moreover, it is well known that
$$
I(X;\hat{Y}) = H_2(\bar{s}\,\bar{q} + s\, q) - H_2(q),
$$
which achieves its maximum $1 - H_2(q)$, for any fixed value of $\beta$, by choosing $s = \bar{s} = 0.5$. Finally, putting the above into Theorem 2.1, the $R_l$-relaxed key capacity of the BPSK-constrained wiretap channel with hard-decision quantization at the destination is thus given by
$$
\begin{aligned}
C_{bq}(R_l) &= \max_{0 \le \beta \le \sqrt{P}}\ \max_{0 \le s \le 1}\ \min\left\{I(X;\hat{Y}) - I(\hat{Y};Z) + R_l,\ I(X;\hat{Y})\right\} \\
&= \max_{0 \le \beta \le \sqrt{P}}\ \min\left\{f(0.5) - H_2(q) + R_l,\ 1 - H_2(q)\right\} \\
&= \max_{0 \le \beta \le \sqrt{P}}\left[\min\left\{\int_{-\infty}^{\infty} H_2\!\left(\frac{\bar{q}\, p_+(z) + q\, p_-(z)}{p_+(z) + p_-(z)}\right)\cdot\left(\frac{p_+(z) + p_-(z)}{2}\right) dz + R_l,\ 1\right\} - H_2(q)\right] \\
&= \max_{0 \le \bar{\beta} \le \sqrt{P/\sigma^2}}\left[\min\left\{\frac{1}{\sqrt{2\pi}}\int_{0}^{\infty} H_2\!\left(\frac{Q(\bar{\beta}) + \left[1 - Q(\bar{\beta})\right] e^{-2\alpha\bar{\beta} z}}{1 + e^{-2\alpha\bar{\beta} z}}\right)\left(1 + e^{-2\alpha\bar{\beta} z}\right)\exp\left[-\frac{(z - \alpha\bar{\beta})^2}{2}\right] dz + R_l,\ 1\right\} - H_2\big(Q(\bar{\beta})\big)\right],
\end{aligned}
$$
where the second equality is due to the fact that $s = \bar{s} = 0.5$ simultaneously maximizes both terms inside the min operator, and $\bar{\beta} = \beta/\sigma$ as before. Note that again the maximum above may occur at an interior point of the interval $[0, \sqrt{P/\sigma^2}]$, and the key capacity may be achieved by not transmitting at the maximum allowable source power.
APPENDIX D
LDPC CODE DESIGN FOR THE BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL
In this appendix, we design LDPC codes for sending secret messages over the
Gaussian wiretap channel with BPSK source symbols. As mentioned in Section ??,
Theorem 2.1 can be modified to show the existence of regular LDPC code ensembles
with increasing block lengths that achieve the secrecy capacity [2, 5] of the BPSK
constrained Gaussian wiretap channel. Based on this observation, we propose
a coding scheme which employs irregular LDPC codes with finite block lengths to
support practical secret transmission over the Gaussian wiretap channel. The proposed
coding structure allows efficient design of irregular LDPC codes that give good secrecy
performance as measured in terms of equivocation about the secret message at the
wiretapper.
D.1 BPSK-constrained Gaussian wiretap channel
The model of BPSK-constrained Gaussian wiretap channel used here is the same
as that of Section 3.1 except that there is no feedback channel between the source and
destination. Moreover, the objective of secret sharing considered here is for the source
to send secret information to the destination.
Assuming a uniform message distribution, the rate of the secret message is $R_s = k/n$. Let $\hat{M}$ denote the estimate of the message at the destination. The level of knowledge the wiretapper possesses about the secret message can be quantified by the equivocation rate $\frac{1}{n}H(M \mid Z^n)$. A rate-equivocation pair $(R_s, R_e)$ is achievable if for all $\epsilon > 0$, there exists a rate-$R_s$ code sequence such that

1. $\Pr\{\hat{M} \neq M\} < \epsilon$, and
2. $R_e < \frac{1}{n}H(M \mid Z^n) + \epsilon$

for sufficiently large $n$. When the equivocation rate at the wiretapper is as large as the secret message rate, i.e. $R_s = R_e$, we say that the rate-equivocation pair is achievable with perfect secrecy [2]. The capacity-equivocation region of a wiretap channel contains all achievable rate-equivocation pairs $(R_s, R_e)$. When $\alpha \le 1$, specializing the result in [3] to the BPSK-constrained Gaussian wiretap channel shows that the corresponding capacity-equivocation region is given by
$$
0 \le R_e \le C_b, \qquad R_e \le R_s \le C\!\left(\sqrt{P/\sigma^2}\right), \tag{D–1}
$$
where
$$
C_b = \max_{0 \le \beta \le \sqrt{P/\sigma^2}}\left\{C(\beta) - C(\alpha\beta)\right\}, \tag{D–2}
$$
and
$$
C(t) = 1 - \frac{1}{\sqrt{2\pi}}\int_{-\infty}^{\infty} e^{-\frac{(y - t)^2}{2}}\log_2\left(1 + e^{-2yt}\right) dy
$$
is the channel capacity of the AWGN channel with BPSK input of amplitude $t$ and unit noise variance (in this appendix $\beta$ therefore denotes the normalized amplitude). The secrecy capacity of the wiretap channel is defined as the maximum secret message rate such that the condition of perfect secrecy is satisfied. For the BPSK-constrained Gaussian wiretap channel, the secrecy capacity is given by $C_b$ if $\alpha \le 1$.

We note that $C_b$ is achieved when $X_i$ is equiprobable; but it is not necessarily achieved by transmitting at the maximum allowable power $P$. Figure D-1 shows the plot of $C_b$, in units of bits per (wiretap) channel use (bpcu), versus the maximum allowable SNR $P/\sigma^2$ for $\alpha^2 = -1.0$, $-2.5$ and $-4.4$ dB, respectively.
[Figure D-1: $C_b$ (bpcu) versus $P/\sigma^2$ (dB) from $-6$ to $6$ dB; the legend lists $\alpha^2 = -1.0$ dB, $-2.5$ dB and $-4.7$ dB.]
Figure D-1. The secrecy capacity $C_b$ of the BPSK-constrained Gaussian wiretap channel for different values of $\alpha^2$.

D.2 Secret LDPC coding scheme

In this section, we describe the proposed coding scheme for the BPSK-constrained Gaussian wiretap channel. The proposed coding scheme employs the pair $(\mathcal{C}, \mathcal{W})$, which is chosen as described in Section 4.2, and its secrecy performance will be evaluated by measuring the equivocation rate of the secret message at the wiretapper. The proposed coding scheme is described as follows.

1. Encoding: The source sets $c^k$ to be the $k$-bit secret message $M$ and chooses $d^{l-k}$ randomly according to a uniform distribution. Let $H = [A\ B]$ be the associated parity-check matrix of the LDPC code $\mathcal{C}'$ ($m$ columns and $m - l$ rows, with the square block $B$ invertible). Then it calculates
$$
e^{m-l} = [c^k, d^{l-k}]\, A^T (B^{-1})^T
$$
and sends $X^n = [d^{l-k}, e^{m-l}]$ to the destination through the Gaussian wiretap channel; that is, $n = m - k$ and the $k$ secret bits are punctured.

2. Decoding: The destination performs belief propagation (BP) decoding to decode $X^m$ using its channel observation $Y^n$. The first $k$ bits of the decoded codeword give the estimate $\hat{M}$ of the secret message.
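The encoding step above, as an added example that is not part of the dissertation: a GF(2) implementation of $e = [c, d]\,A^T (B^{-1})^T$ followed by the parity check $H x^T = 0$, puncturing of the secret bits, and the rate bookkeeping $R_s = k/n$, $R_c = l/n$, $R'_c = l/m$. The parity-check matrix `H_TOY` is my own 4-by-8 toy construction (its $B$ block is lower bidiagonal so that it is invertible); real codes are long irregular LDPC matrices, and BP decoding at the destination and at the wiretapper's fictitious receiver is not reproduced here.

```python
# Added example (not from the dissertation): GF(2) encoder for the secret LDPC
# coding scheme of Section D.2.  H = [A | B] is a constructed toy parity-check
# matrix; B need only be invertible, a triangular B just keeps the toy readable.
from typing import List, Tuple

Matrix = List[List[int]]
Vector = List[int]


def gf2_inverse(b: Matrix) -> Matrix:
    """Invert a square GF(2) matrix by Gauss-Jordan elimination (XOR row operations)."""
    r = len(b)
    aug = [row[:] + [int(i == j) for j in range(r)] for i, row in enumerate(b)]
    for col in range(r):
        pivot = next((i for i in range(col, r) if aug[i][col]), None)
        if pivot is None:
            raise ValueError("B is singular over GF(2); choose another column split")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for i in range(r):
            if i != col and aug[i][col]:
                aug[i] = [x ^ y for x, y in zip(aug[i], aug[col])]
    return [row[r:] for row in aug]


def gf2_matvec(m: Matrix, v: Vector) -> Vector:
    """Matrix-vector product over GF(2): each output bit is the parity of a dot product."""
    return [sum(a & x for a, x in zip(row, v)) & 1 for row in m]


def encode(h: Matrix, c: Vector, d: Vector) -> Tuple[Vector, Vector]:
    """Secret LDPC encoding of Section D.2.

    c: the k secret bits, d: the l-k uniformly random bits.  Returns the full
    codeword x^m = [c, d, e] with H x^T = 0 and the transmitted word
    X^n = [d, e] (n = m - k): the secret bits are punctured, never sent.
    """
    l = len(c) + len(d)
    if len(h) != len(h[0]) - l:
        raise ValueError("need m - l parity checks so that B is square")
    a = [row[:l] for row in h]          # columns acting on [c, d]
    b = [row[l:] for row in h]          # columns acting on e
    # H x^T = A [c,d]^T + B e^T = 0  =>  e^T = B^{-1} A [c,d]^T,
    # i.e. e = [c, d] A^T (B^{-1})^T as a row vector.
    e = gf2_matvec(gf2_inverse(b), gf2_matvec(a, c + d))
    return c + d + e, d + e


def is_codeword(h: Matrix, x: Vector) -> bool:
    """True iff every parity check is satisfied (H x^T = 0)."""
    return not any(gf2_matvec(h, x))


def rates(k: int, l: int, m: int) -> Tuple[float, float, float]:
    """(R_s, R_c, R'_c) = (k/n, l/n, l/m) with n = m - k, the rates used in (D-4) and Section D.3."""
    n = m - k
    return k / n, l / n, l / m


# Constructed toy parity-check matrix: m = 8 columns ordered [c0 c1 | d0 d1 | e0 e1 e2 e3],
# m - l = 4 checks; B (last four columns) is lower bidiagonal, hence invertible.
H_TOY: Matrix = [
    [1, 0, 1, 0, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [1, 1, 0, 1, 0, 1, 1, 0],
    [0, 1, 1, 0, 0, 0, 1, 1],
]

if __name__ == "__main__":
    secret = [1, 0]              # M, k = 2 bits
    rand = [1, 1]                # d^{l-k}; in practice drawn uniformly at random
    x, tx = encode(H_TOY, secret, rand)
    print("codeword", x, "valid:", is_codeword(H_TOY, x))
    print("transmitted [d, e]:", tx, "rates (R_s, R_c, R'_c):", rates(2, 4, 8))
```

With the toy matrix, secret `[1, 0]` and randomness `[1, 1]` give the codeword `[1, 0, 1, 1, 0, 0, 0, 1]`, of which only the last six bits are sent; the same secret with different randomness is sent as a different word, which is what makes the random bits $d^{l-k}$ do the hiding.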
We evaluate the secrecy performance of the proposed coding scheme in the context of the achievable rate-equivocation pair defined in Section D.1. First, if the BP decoder at the destination achieves block error probability $\epsilon_d$, then we have $\Pr\{\hat{M} \neq M\} \le \epsilon_d$. Hence, Condition 1 in Section D.1 is satisfied if $\epsilon_d$ is small enough. Second, the uncertainty about the message $M$ at the wiretapper given his received sequence $Z^n$ is
$$
\begin{aligned}
H(M \mid Z^n) &= H(X^n \mid Z^n) + H(M \mid Z^n, X^n) - H(X^n \mid M, Z^n) \\
&= H(X^n) - I(X^n; Z^n) + H(M \mid Z^n, X^n) - H(X^n \mid M, Z^n).
\end{aligned}
\tag{D–3}
$$
Based on the memoryless nature of the source-to-wiretapper channel and the encoding process, we have $I(X^n; Z^n) \le nC(\alpha\beta)$, $H(X^n) = l$¹ and $H(M \mid Z^n, X^n) \le H(M \mid X^n) = 0$, respectively. Moreover, consider a fictitious receiver at the wiretapper trying to decode $X^n$ from observing $Z^n$ and $M$. Suppose that the block error probability achieved by this receiver is $\epsilon_w$. Then we have $H(X^n \mid M, Z^n) \le 1 + (l - k)\epsilon_w$ by Fano's inequality. Putting all these back into (D–3) and dividing by $n$, with $R_c = l/n$, we obtain
$$
\frac{1}{n}H(M \mid Z^n) \ge R_c - C(\alpha\beta) - (R_c - R_s)\,\epsilon_w - \frac{1}{n}. \tag{D–4}
$$
Let $R_e = R_c - C(\alpha\beta)$. Then Condition 2 in Section D.1 is satisfied if $\epsilon_w$ is small enough and $n$ is large enough. Hence, $(R_s, R_e)$ is an achievable rate-equivocation pair through the BPSK-constrained Gaussian wiretap channel. Moreover, we note that the above lower bound is derived from Fano's inequality; thus it applies to any decoder at the fictitious receiver. In fact, the value of the bound depends on the choice of decoder only through $\epsilon_w$. In the next section, we perform computer simulation to estimate $\epsilon_w$ and then employ (D–4) to bound the equivocation rate achieved by the proposed coding scheme as described above. To get $\epsilon_w$, a BP decoder is implemented for the fictitious receiver at the wiretapper. In order to provide information about the secret message $M$ to the BP decoder, the intrinsic LLRs of $c^k$ are explicitly set to $\pm\infty$ according to the true bit values.

¹ This is valid when $\mathcal{C}$ contains $2^l$ distinct codewords, which is in turn the case with very high probability if $\mathcal{C}'$ is chosen randomly in the usual manner described in [30].
D.3 Codes design and performance
In [20], the authors use a systematic irregular LDPC code to encode the secret
message M (along with some random bits) and then puncture the secret message bits
in the codeword prior to transmission in order to “hide” the secret message from the
wiretapper. The puncturing pattern is designed to minimize the security gap. Such a
coding scheme can be viewed as an unoptimized special case of our scheme proposed
in Section D.2. We show in this section that the generalization in Section D.2 allows
us to systematically optimize the irregular LDPC code for good secrecy performance.
To that end, let us apply the code search process proposed in Section 4.3 to the present case. Again, our objective is to design the irregular LDPC code $\mathcal{C}'$ so that the secret LDPC code $(\mathcal{C}, \mathcal{W})$ works well for both the channel from the source to the destination and the channel from the source to the wiretapper (given the secret message). Similarly, we consider uniform puncturing of the systematic bits of $\mathcal{C}'$, with $p$ denoting the corresponding fraction of punctured variable nodes. Note that the secret rate is $R_s = p/(1-p)$. Also, write the rate of $\mathcal{C}'$ as $R'_c = l/m$. Then $R'_c = R_c/(1 + R_s)$. For any fixed $R_s$, the discussion just below (D–4) at the end of the previous section suggests that we should maximize $R_c$, or equivalently $R'_c$, in order to maximize the achievable equivocation rate.
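The quantities of Sections D.1 to D.3, evaluated numerically as an added example (my own code, not the dissertation's): the BPSK-input AWGN capacity $C(t)$ by composite Simpson quadrature, the secrecy capacity $C_b$ of (D–2) by a grid search over $\beta \in [0, \sqrt{P/\sigma^2}]$, the conversion of a code rate $R'_c$ and puncturing fraction $p$ into $(R_s, R_c)$, and the lower bound (D–4) on the equivocation rate. The integration window, step count and grid size are my choices; the figures printed by the main block use channel setting (i) and the rate-0.541 code of this section, but $\epsilon_w$ is not simulated here, so the section's acceptance threshold $0.01$ is plugged in for it.

```python
# Added example (not from the dissertation): numerical evaluation of the
# BPSK-input AWGN capacity C(t), the secrecy capacity C_b of (D-2), and the
# equivocation-rate bound (D-4).  Pure Python; quadrature settings are my own.
import math


def bpsk_capacity(t: float, half_width: float = 10.0, steps: int = 2000) -> float:
    """C(t) = 1 - (1/sqrt(2 pi)) * integral exp(-(y-t)^2/2) log2(1 + exp(-2 y t)) dy.

    Capacity of y = +-t + N(0, 1), i.e. BPSK at SNR t^2.  Composite Simpson's
    rule on y = t + u for u in [-half_width, half_width]; the Gaussian weight
    is negligible outside that window.
    """
    steps += steps % 2                      # Simpson needs an even number of intervals
    h = 2.0 * half_width / steps

    def integrand(u: float) -> float:
        a = -2.0 * (t + u) * t               # exponent of e^{-2 y t}
        # log(1 + e^a) evaluated without overflow for large positive a
        log_term = a + math.log1p(math.exp(-a)) if a > 0 else math.log1p(math.exp(a))
        return math.exp(-0.5 * u * u) * log_term / math.log(2.0)

    acc = integrand(-half_width) + integrand(half_width)
    for i in range(1, steps):
        acc += (4.0 if i % 2 else 2.0) * integrand(-half_width + i * h)
    return 1.0 - acc * h / 3.0 / math.sqrt(2.0 * math.pi)


def secrecy_capacity(snr_max_db: float, alpha2_db: float, grid: int = 100):
    """C_b = max over 0 <= beta <= sqrt(P/sigma^2) of C(beta) - C(alpha beta), eq. (D-2).

    alpha2_db = 10 log10(alpha^2) <= 0 (wiretapper no stronger than destination).
    Returns (C_b, beta_star); beta_star below sqrt(P/sigma^2) means the secrecy
    capacity is reached without transmitting at the maximum allowed power.
    """
    beta_max = math.sqrt(10.0 ** (snr_max_db / 10.0))
    alpha = math.sqrt(10.0 ** (alpha2_db / 10.0))
    best_val, best_beta = 0.0, 0.0
    for i in range(grid + 1):
        beta = beta_max * i / grid
        val = bpsk_capacity(beta) - bpsk_capacity(alpha * beta)
        if val > best_val:
            best_val, best_beta = val, beta
    return best_val, best_beta


def design_rates(code_rate: float, p: float):
    """From R'_c = l/m of C' and the punctured fraction p = k/m (Section D.3):
    R_s = p/(1-p) and R_c = R'_c (1 + R_s)."""
    r_s = p / (1.0 - p)
    return r_s, code_rate * (1.0 + r_s)


def equivocation_bound(r_c: float, r_s: float, c_wiretap: float, eps_w: float, n: int) -> float:
    """Right-hand side of (D-4): (1/n) H(M|Z^n) >= R_c - C(alpha beta) - (R_c - R_s) eps_w - 1/n."""
    return r_c - c_wiretap - (r_c - r_s) * eps_w - 1.0 / n


if __name__ == "__main__":
    # Channel setting (i) of Section D.3: P/sigma^2 = 3.55 dB, alpha^2 = -4.4 dB.
    snr_db, alpha2_db = 3.55, -4.4
    c_b, beta_star = secrecy_capacity(snr_db, alpha2_db)
    beta_max = math.sqrt(10 ** (snr_db / 10))
    print(f"C_b = {c_b:.3f} bpcu at beta = {beta_star:.3f} (beta_max = {beta_max:.3f})")
    # Rate-0.541 code with R_s = 0.33, i.e. p = R_s / (1 + R_s); eps_w = 0.01 is the
    # section's acceptance threshold, not a simulated value.
    r_s, r_c = design_rates(0.541, 0.33 / 1.33)
    c_wt = bpsk_capacity(math.sqrt(10 ** (alpha2_db / 10)) * beta_max)
    lo = equivocation_bound(r_c, r_s, c_wt, eps_w=0.01, n=10 ** 6)
    print(f"R_s = {r_s:.3f}, R_c = {r_c:.3f}, equivocation rate >= {lo:.3f}, fractional >= {lo / r_s:.2f}")
```

`bpsk_capacity(1.0)` lands just under 0.5, matching the known BPSK soft-decision threshold (capacity 0.5 at noise standard deviation about 0.979 for unit-amplitude inputs), which is a cheap sanity check on the quadrature before trusting the $C_b$ and (D–4) numbers built on it.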
For illustration, we apply the above code search procedure to two different wiretap
channel settings: (i) P/σ2 = 3.55 dB and α2 = −4.4 dB, and (ii) P/σ2 = 1.0 dB and
α2 = −1.0 dB. In both cases, the code search process starts with the AWGN-optimized
LDPC codes reported in [30]. Figure D-2 shows the secrecy performance of a rate-0.541
irregular LDPC code obtained by performing the code search process with Rs = 0.33
under the first channel setting. The degree distribution pair of this irregular LDPC code
is shown in Table D-1. We obtain an instance of the irregular LDPC code by randomly generating a bipartite graph that satisfies the two given degree distributions. The block length of the LDPC code is $m = 10^6$, and all length-4 loops are removed. Computer simulation is performed on this code to estimate $\epsilon_d$ and $\epsilon_w$ as described before. The estimated value of $\epsilon_w$ is employed to calculate an achievable equivocation rate as in (D–4), provided that $\epsilon_d \le 0.01$ and $\epsilon_w \le 0.01$. The resulting achievable pair $(R_s, \tilde{R}_e)$ (where $\tilde{R}_e = R_e/R_s$ is the fractional equivocation) is plotted against the capacity-(fractional) equivocation region, whose boundary is shown by the solid curve in the figure. From Figure D-2, we see that the pair $(R_s, \tilde{R}_e) = (0.33, 0.89)$ (shown by the square marker) is achieved by this rate-0.541 LDPC code.

Table D-1. Degree distribution pairs of the rate-0.541, rate-0.508 and rate-0.505 irregular LDPC codes (blank entries are zero; each column of $\lambda$ and of $\rho$ sums to 1).

                rate-0.541   rate-0.508   rate-0.505
    λ2          0.3013       0.2762       0.2599
    λ3          0.1846       0.2804       0.2837
    λ4          0.1510                    0.0281
    λ9          0.0614
    λ10         0.3017       0.4434       0.4283
    ρ7          0.3892       0.6086       0.6315
    ρ8          0.6054       0.3914       0.3532
    ρ10         0.0054                    0.0153

[Figure D-2: fractional equivocation $\tilde{R}_e = R_e/R_s$ versus $R_s$ (bpcu) for $P/\sigma^2 = 3.55$ dB and $\alpha^2 = -4.4$ dB; markers for the proposed rate-0.541 and rate-0.508 irregular LDPC codes and for the coding scheme in [20] with $p = 0.3$, against the region boundary.]
Figure D-2. Plot of $(R_s, \tilde{R}_e)$ pairs achieved by the proposed coding scheme and by the coding scheme in [20] when $P/\sigma^2 = 3.55$ dB and $\alpha^2 = -4.4$ dB.
Next, we consider the more challenging case under the second channel setting, in which the wiretapper's SNR is not much weaker than that of the destination. Figure D-3 shows the secrecy performance of a rate-0.505 irregular LDPC code obtained by performing the code search process described above with $R_s = 0.076$. The degree distribution pair of this irregular LDPC code can be found in Table D-1. We observe that the pair $(R_s, \tilde{R}_e) = (0.076, 0.76)$ (denoted by the square marker) is achieved by this code. In conclusion, the code search process described above gives irregular LDPC codes with relatively good secrecy performance for different values of $\alpha^2$. We note that a similar code search process can also be formulated to include optimization of the puncturing pattern. However, we have not been able to obtain significantly better codes with the modified search. One possible reason for this result is that the optimization of degree distributions already implicitly takes the uniform puncturing pattern into account, which limits the gain from adding the puncturing pattern to the linear program.
As mentioned before, the codes suggested in [20] are “unoptimized” special cases
of the coding scheme described here. In particular, a rate-0.5 irregular LDPC code with
p = 0.3 is employed in [20], resulting in secret rate Rs = 0.43. The secrecy performance
of the coding scheme in [20] is evaluated by the security gap. In our notation, that is
to find the values β and α such that the decoding (bit) error probability of the secret
message at the destination is smaller than a prescribed value, and the decoding (bit)
error probability of the secret message at the wiretapper is close to 0.5. The security
[Figure D-3: fractional equivocation $\tilde{R}_e = R_e/R_s$ versus $R_s$ (bpcu) for $P/\sigma^2 = 1.0$ dB and $\alpha^2 = -1.0$ dB; marker for the proposed rate-0.505 irregular LDPC code against the region boundary.]
Figure D-3. Plot of the $(R_s, \tilde{R}_e)$ pair achieved by the proposed coding scheme when $P/\sigma^2 = 1.0$ dB and $\alpha^2 = -1.0$ dB.
gap is then defined as the ratio of the SNR of the destination to that of the wiretapper, i.e. $1/\alpha^2$. As reported in [20], the security gap with uniform puncturing over all variable nodes of different degrees for $p = 0.3$ is about 4.4 dB.
To compare with our optimized codes, Figure D-2 shows the secrecy performance of the rate-0.5 code in [20] with $p = 0.3$ evaluated by using (D–4) as before under channel setting (i). The pair $(R_s, \tilde{R}_e) = (0.43, 0.68)$ (denoted by the circle marker) is achieved by this code. We also perform a code search under this channel setting with $R_s = 0.43$ for comparison. The pair $(R_s, \tilde{R}_e) = (0.43, 0.70)$ (denoted by the diamond marker) is achieved using the resulting rate-0.508 irregular LDPC code. We see that the irregular LDPC code obtained from the proposed code search process also slightly outperforms the "unoptimized" one used in [20] in terms of equivocation rate.
Consulting back to Figure D-1, we see that for $\alpha^2 = -4.4$ dB, the secrecy capacity of the BPSK-constrained Gaussian wiretap channel never exceeds 0.34 bpcu. Hence, the fractional equivocation $\tilde{R}_e$ is strictly below 1 at $R_s = 0.43$. In fact, the highest achievable $\tilde{R}_e$ at $R_s = 0.43$ under this channel setting is only 0.78 (cf. Figure D-2). That means that we should not operate at this rate if the target is to achieve perfect secrecy. In summary, the proposed coding scheme and code search process provide a much more systematic and flexible means of designing irregular LDPC codes for the BPSK-constrained wiretap channel than the approach in [20].
D.4 Summary
In this appendix, we developed a coding scheme for sending secret messages
over the BPSK-constrained Gaussian wiretap channel. The proposed coding scheme
employs punctured systematic irregular LDPC codes in which secret message bits are
punctured. To systematically address the secret code design problem, we presented a
density-evolution based linear program to search for good irregular LDPC codes to be
used in the proposed coding scheme. Simulation results showed that the irregular LDPC
codes obtained from our search can achieve secrecy performance relatively close to the
boundary of the capacity-equivocation region of the BPSK-constrained Gaussian wiretap
channel.
REFERENCES

[1] C. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., vol. 28, pp. 656–715, 1949.
[2] A. Wyner, "The wire-tap channel," Bell Syst. Tech. J., vol. 54, pp. 1355–1387, Oct. 1975.
[3] I. Csiszár and J. Körner, "Broadcast channels with confidential messages," IEEE Trans. Inform. Theory, vol. 24, no. 3, pp. 339–348, May 1978.
[4] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography. I. Secret sharing," IEEE Trans. Inform. Theory, vol. 39, no. 4, pp. 1121–1132, July 1993.
[5] S. K. Leung-Yan-Cheong and M. E. Hellman, "The Gaussian wire-tap channel," IEEE Trans. Inform. Theory, vol. 24, no. 4, pp. 451–456, July 1978.
[6] L. Ozarow and A. D. Wyner, "Wire-tap channel II," Bell Syst. Tech. J., vol. 63, no. 10, pp. 2135–2157, Dec. 1984.
[7] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. McLaughlin, and J. M. Merolla, "Applications of LDPC codes to the wiretap channel," IEEE Trans. Inform. Theory, vol. 53, no. 8, pp. 2933–2945, Aug. 2007.
[8] R. Liu, Y. Liang, H. Poor, and P. Spasojevic, "Secure nested codes for type II wiretap channels," Proc. IEEE 2007 Inform. Theory Workshop, pp. 337–342, Sept. 2007.
[9] H. Mahdavifar and A. Vardy, "Achieving the secrecy capacity of wiretap channels using polar codes," Proc. IEEE Int. Symp. Inform. Theory (ISIT 2010), pp. 913–917, June 2010.
[10] O. O. Koyluoglu and H. El Gamal, "Polar coding for secure transmission and key agreement," Proc. IEEE Int. Symp. Personal, Indoor and Mobile Radio Commun., pp. 2698–2703, Sept. 2010.
[11] E. Arikan, "Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels," IEEE Trans. Inform. Theory, vol. 55, pp. 3051–3073, July 2009.
[12] U. M. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inform. Theory, vol. 39, no. 3, pp. 733–742, May 1993.
[13] G. Brassard and L. Salvail, "Secret-key reconciliation by public discussion," Advances in Cryptology – EUROCRYPT '93, pp. 410–423, 1994.
[14] K. C. Nguyen, G. Van Assche, and N. J. Cerf, "Side-information coding with turbo codes and its application to quantum key distribution," in Proc. 2004 IEEE Int. Symp. Inform. Theory and Applicat., Parma, Italy, Oct. 2004.
[15] G. Van Assche, J. Cardinal, and N. J. Cerf, "Reconciliation of a quantum-distributed Gaussian key," IEEE Trans. Inform. Theory, vol. 50, no. 2, pp. 394–400, Feb. 2004.
[16] J. Muramatsu, "Secret key agreement from correlated source outputs using low density parity check matrices," IEICE Trans. Fundamentals of Electronics, Communications and Computer Sciences, vol. E89-A, pp. 2036–2046, July 2006.
[17] C. Ye, A. Reznik, and Y. Shah, "Extracting secrecy from jointly Gaussian random variables," in Proc. IEEE Int. Symp. Inform. Theory (ISIT 2006), July 2006, pp. 2593–2597.
[18] M. Bloch, J. Barros, M. Rodrigues, and S. McLaughlin, "Wireless information-theoretic security," IEEE Trans. Inform. Theory, vol. 54, no. 6, pp. 2515–2534, June 2008.
[19] D. Elkouss, A. Leverrier, R. Alleaume, and J. Boutros, "Efficient reconciliation protocol for discrete-variable quantum key distribution," Proc. IEEE Int. Symp. Inform. Theory (ISIT 2009), pp. 1879–1883, July 2009.
[20] D. Klinc, J. Ha, S. W. McLaughlin, J. Barros, and B. J. Kwak, "LDPC codes for the Gaussian wiretap channel," Proc. IEEE 2009 Inform. Theory Workshop, pp. 95–99, Oct. 2009.
[21] M. Baldi, M. Bianchi, and F. Chiaraluce, "Non-systematic codes for physical layer security," Proc. IEEE 2010 Inform. Theory Workshop, pp. 1–5, Sept. 2010.
[22] R. Gallager, "Low-density parity-check codes," IRE Trans. Inform. Theory, vol. 8, no. 1, pp. 21–28, Jan. 1962.
[23] D. MacKay and R. Neal, "Near Shannon limit performance of low density parity check codes," IEE Electron. Lett., vol. 33, no. 6, pp. 457–458, Mar. 1997.
[24] R. G. Gallager, Low-Density Parity-Check Codes. Cambridge, MA: MIT Press, 1963.
[25] R. Tanner, "A recursive approach to low complexity codes," IEEE Trans. Inform. Theory, vol. 27, no. 5, pp. 533–547, Sept. 1981.
[26] M. G. Luby, M. Mitzenmacher, M. A. Shokrollahi, D. A. Spielman, and V. Stemann, "Practical loss-resilient codes," in Proc. ACM Symp. Theory Computing, El Paso, TX, May 1997, pp. 150–159.
[27] M. G. Luby, M. Mitzenmacher, M. A. Shokrollahi, and D. A. Spielman, "Analysis of low density codes and improved designs using irregular graphs," in Proc. ACM Symp. Theory Computing, Dallas, TX, May 1998, pp. 249–258.
[28] ——, "Efficient erasure correcting codes," IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 569–584, Feb. 2001.
[29] T. Richardson and R. Urbanke, "The capacity of low-density parity-check codes under message-passing decoding," IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 599–618, Feb. 2001.
[30] T. Richardson, M. Shokrollahi, and R. Urbanke, "Design of capacity-approaching irregular low-density parity-check codes," IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 619–637, Feb. 2001.
[31] S.-Y. Chung, G. D. Forney, Jr., T. J. Richardson, and R. Urbanke, "On the design of low-density parity-check codes within 0.0045 dB of the Shannon limit," IEEE Commun. Lett., vol. 5, no. 2, pp. 58–60, Feb. 2001.
[32] C. Berrou, A. Glavieux, and P. Thitimajshima, "Near Shannon limit error-correcting coding and decoding," in Proc. IEEE Int. Conf. Commun., vol. 2, Geneva, Switzerland, May 1993, pp. 1064–1070.
[33] F. R. Kschischang, B. J. Frey, and H.-A. Loeliger, "Factor graphs and the sum-product algorithm," IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 498–519, Feb. 2001.
[34] J. Hagenauer, E. Offer, and L. Papke, "Iterative decoding of binary block and convolutional codes," IEEE Trans. Inform. Theory, vol. 42, no. 2, pp. 429–445, Mar. 1996.
[35] A. J. Viterbi, "Error bounds for convolutional codes and an asymptotically optimum decoding algorithm," IEEE Trans. Inform. Theory, vol. 13, no. 2, pp. 260–269, Apr. 1967.
[36] L. R. Bahl, J. Cocke, F. Jelinek, and J. Raviv, "Optimal decoding of linear codes for minimizing symbol error rates," IEEE Trans. Inform. Theory, vol. 20, no. 2, pp. 284–287, Mar. 1974.
[37] A. Liveris, Z. Xiong, and C. Georghiades, "Compression of binary sources with side information at the decoder using LDPC codes," IEEE Commun. Lett., vol. 6, no. 10, pp. 440–442, Oct. 2002.
[38] T. Cover and J. Thomas, Elements of Information Theory, 2nd ed. New York: Wiley-Interscience, 2006.
[39] G. Miller and D. Burshtein, "Bounds on the maximum-likelihood decoding error probability of low-density parity-check codes," IEEE Trans. Inform. Theory, vol. 47, no. 7, pp. 2696–2710, Nov. 2001.
[40] A. Bennatan and D. Burshtein, "On the application of LDPC codes to arbitrary discrete-memoryless channels," IEEE Trans. Inform. Theory, vol. 50, no. 3, pp. 417–438, Mar. 2004.
[41] T. Richardson and R. Urbanke, "Efficient encoding of low-density parity-check codes," IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 638–656, Feb. 2001.
[42] R. Urbanke, "Degree distribution optimizer for LDPC code ensembles," 2001. [Online]. Available: http://ipgdemos.epfl.ch/ldpcopt/
[43] H. Imai and S. Hirakawa, "A new multilevel coding method using error correcting codes," IEEE Trans. Inform. Theory, vol. 23, pp. 371–377, May 1977.
[44] U. Wachsmann, R. F. H. Fischer, and J. B. Huber, "Multilevel codes: Theoretical concepts and practical design rules," IEEE Trans. Inform. Theory, vol. 45, pp. 1361–1391, July 1999.
[45] J. Hou, P. H. Siegel, L. B. Milstein, and H. D. Pfister, "Capacity-approaching bandwidth-efficient coded modulation schemes based on low-density parity-check codes," IEEE Trans. Inform. Theory, vol. 49, no. 9, pp. 2141–2155, Sept. 2003.
[46] T. S. Han, Information-Spectrum Methods in Information Theory. Berlin: Springer-Verlag, 2003.
[47] I. Csiszár and P. Narayan, "Secrecy capacities for multiple terminals," IEEE Trans. Inform. Theory, vol. 50, no. 12, pp. 3047–3061, Dec. 2004.
[48] ——, "Secrecy capacities for multiterminal channel models," IEEE Trans. Inform. Theory, vol. 54, no. 6, pp. 2437–2452, June 2008.
[49] Y. Oohama, "Gaussian multiterminal source coding," IEEE Trans. Inform. Theory, vol. 43, no. 6, pp. 1912–1923, Nov. 1997.
[50] V. Kac and P. Cheung, Quantum Calculus. New York: Springer-Verlag, 2002.
[51] A. Marshall and I. Olkin, Inequalities: Theory of Majorization and Its Applications. New York: Academic Press, 1979.
BIOGRAPHICAL SKETCH
Chan Wong Wong received the B.S. and M.S. degrees in electrical engineering from National Taiwan University (NTU), Taipei, Taiwan, in 2002 and 2004, respectively. From 2002 to 2004, he was a teaching and research assistant at the Graduate Institute of Communications Engineering (GICE), NTU. From 2003 to 2006 he was with Afa Technologies, Inc., Taipei, Taiwan, as a DSP system engineer developing demodulators for various digital video broadcasting standards. He has been a teaching and graduate assistant at the University of Florida, Gainesville, FL, since 2007. His research interests lie in the area of communication theory applied to equalization, coding and security for wireless communication.

Chan Wong is a member of the Phi Tau Phi Scholastic Honor Society of the Republic of China.