
LDPC-BASED SECRET-SHARING SCHEMES FOR WIRETAP CHANNELS

By

CHAN WONG WONG

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL

OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT

OF THE REQUIREMENTS FOR THE DEGREE OF

DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2011


© 2011 Chan Wong Wong


To my family


ACKNOWLEDGMENTS

First of all, I thank my advisers, Professor John Mark Shea and Professor Tan Foon

Wong.

In the past five years, I have acquired from Professor Shea a theoretical but also

practical approach towards research. I have also learned from Professor Shea how to

technically report and present my research findings. Until now, I still remember clearly

when I was struggling with my research, Professor Shea showed enormous care and

patience to guide me through all the difficulties. I sincerely thank Professor Shea for his

support and guidance during my days at the University of Florida.

I am also indebted to Professor Wong who scrutinizes my research and makes

sure that there are no mistakes. I thank Professor Wong for spending numerous hours

meeting with me, teaching me not only to appreciate my research but also to think hard

and criticize my research to achieve better results. I am grateful to have the opportunity

to work with Professor Wong who is a role model for an enthusiastic, diligent and

independent researcher.

I thank Professor Yuguang Fang for his interest and valuable comments on my

research. I remember Professor Fang once told me in a class that we should all be

proud of who and where we are. I can say loud enough that I was, am and will always be

proud of being a Florida Gator.

I am grateful to have Professor Andrew Rosalsky from the Department of Statistics on my

committee. Professor Rosalsky taught one of the best courses, measure theoretic

probability, I have ever had in my whole life. His course inspires me to explore a

relatively new area, statistics, for my future career and I would like to thank him for

all the suggestions he has given me.

I also want to thank all WING members including Surendra Boppana, Dedeep

Chatterjee and Leenhapat Navararong for providing me not only a place to discuss

my research but also a place to relax and have fun. Special thanks should be given


to Byonghyok Choi who always acts like an elder brother to me and teaches me many

things which are invaluable to my life. I will never forget those wonderful afternoons we

walked together to Reitz Union to have Starbucks Coffee.

Looking back, meeting my wife, Hsuan Hsu, is the best thing that has happened

to me at the University of Florida. I can’t fully express how grateful I am to have her

in my life. For me, the best thing in the world is to experience all the up-and-down,

happiness-and-sadness in my life with her. I am also greatly appreciative to Shih-Fen

Yeh, my aunt-in-law, for her care and support over the last couple of years.

The list of thank-you won’t be complete without mentioning my life-long friends:

Chan-Ip Chan, Ivy Ip and Kaman Leong. I am lucky enough to meet them when I was

young. Although we are far away from each other, they are always the ones whom I can

trust and rely on.

In closing I want to thank my family for their love, care and support over the years.

My parents never stop me from pursuing my dream, even if it is often the case that they

need to sacrifice themselves. Without them, none of the achievements in my life would

have ever materialized. I left my family to study abroad when I was 18. The only single

thing I have ever regretted is that I am not able to witness the growth and development

of my brother and sister. I thank them for taking over and shouldering my responsibilities

as the oldest son for the family so that I can concentrate on fulfilling my PhD degree.

I dedicate this dissertation to my family.


TABLE OF CONTENTS

ACKNOWLEDGMENTS

LIST OF TABLES

LIST OF FIGURES

ABSTRACT

CHAPTER

1 INTRODUCTION

2 FUNDAMENTALS OF SECRET SHARING
   2.1 Notations
   2.2 Permissible Secret-Sharing Strategies and Relaxed Key Capacity
   2.3 Low-Density Parity-Check (LDPC) codes

3 SECRET-SHARING LDPC CODES FOR BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL
   3.1 BPSK-constrained Gaussian Wiretap Channel
   3.2 Secret-Sharing Scheme Employing Regular LDPC Code Ensembles
   3.3 Secret-Sharing Scheme Employing Fixed Practical LDPC Codes
      3.3.1 Secret-Sharing Regular LDPC Codes
      3.3.2 Secret-Sharing Irregular LDPC Codes
   3.4 Summary

4 AN LDPC-BASED SECRET-SHARING SCHEME OVER GAUSSIAN WIRETAP CHANNEL WITH PAM SYMBOLS
   4.1 Gaussian wiretap channel with PAM symbols
   4.2 LDPC-based Key-Agreement Scheme
   4.3 LDPC Codes Design and Performance
   4.4 Summary

5 AN LDPC-BASED SECRET-SHARING SCHEME OVER FAST-FADING WIRETAP CHANNEL
   5.1 Fast-Fading Wiretap Channel
   5.2 LDPC-based Key-Agreement Scheme
   5.3 LDPC Codes Design and Performance
   5.4 Summary

6 CONCLUSIONS

APPENDIX

A PROOF OF THEOREM 2.1
   A.1 Random Code Generation
   A.2 Secret Sharing Procedure
   A.3 Analysis of Probability of Error
   A.4 Secrecy Analysis

B PROOF OF LEMMA 1

C PROOFS OF (3-2) AND (3-3)
   C.1 Proof of (3-2)
   C.2 Proof of (3-3)

D LDPC CODE DESIGN FOR THE BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL
   D.1 BPSK-constrained Gaussian wiretap channel
   D.2 Secret LDPC coding scheme
   D.3 Codes design and performance
   D.4 Summary

REFERENCES

BIOGRAPHICAL SKETCH


LIST OF TABLES

3-1 Degree distribution pairs of the rate-0.25 and rate-0.12 secret-sharing irregular LDPC codes.

4-1 Degree distribution pairs of the rate-0.195 and rate-0.538 irregular LDPC codes.

4-2 Degree distribution pairs of the rate-0.096 and rate-0.436 irregular LDPC codes.

4-3 Degree distribution pairs of the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes.

4-4 Degree distribution pairs of the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes.

5-1 Degree distribution pairs of the rate-0.426, rate-0.362, rate-0.276 irregular LDPC codes.

D-1 Degree distribution pairs of the rate-0.541, rate-0.508, rate-0.505 irregular LDPC codes.


LIST OF FIGURES

2-1 Examples of bipartite graphs of LDPC codes.

2-2 The first and the second half iteration of belief propagation algorithm.

3-1 Comparison between the relaxed key capacities Cb and Cbq over the BPSK-constrained Gaussian wiretap channel.

3-2 Plot of the (Rk, Rl)-trajectories achieved by the proposed secret-sharing scheme employing secret-sharing regular LDPC codes (C, W).

3-3 Plot of the (Rk, Rl)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.25 secret-sharing irregular LDPC code.

3-4 Plot of the (Rk, Rl)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.12 secret-sharing irregular LDPC code.

4-1 Examples of M-ary Gray-mapped PAM constellation.

4-2 Comparison between the Rl-relaxed (symmetric) key rate Rpq and the relaxed key capacity Ck of the Gaussian wiretap channel when α² = 0 dB and Rl = 0.

4-3 Comparison between the Rl-relaxed (symmetric) key rate Rp and Rpq of the Gaussian wiretap channel when Rl = 0.

4-4 Comparison between the Rl-relaxed key capacity Cpk and Rl-relaxed (symmetric) key rate Rpq of the Gaussian wiretap channel when Rl = 0.

4-5 Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.195 and rate-0.538 irregular LDPC codes.

4-6 Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.096 and rate-0.436 irregular LDPC codes.

4-7 Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes.

4-8 Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes.

5-1 The Rl-relaxed key capacity Cq of the fast Rayleigh fading wiretap channel for different value of α², where Rl = 0.

5-2 Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.426 irregular LDPC code.

5-3 Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.362 irregular LDPC code.

5-4 Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.276 irregular LDPC code.

D-1 The secrecy capacity Cb of the BPSK-constrained Gaussian wiretap channel for different value of α².

D-2 Plot of (Rs, Re) pairs achieved by the proposed coding scheme and by the coding scheme in [20] when P/σ² = 3.55 dB and α² = −4.4 dB.

D-3 Plot of the (Rs, Re) pair achieved by the proposed coding scheme when P/σ² = 1.0 dB and α² = −1.0 dB.


Abstract of Dissertation Presented to the Graduate School

of the University of Florida in Partial Fulfillment of the

Requirements for the Degree of Doctor of Philosophy

LDPC-BASED SECRET-SHARING SCHEMES FOR WIRETAP CHANNELS

By

Chan Wong Wong

December 2011

Chair: John M. Shea

Cochair: Tan F. Wong

Major: Electrical and Computer Engineering

This dissertation examines the practical design of secret-sharing schemes that

allow a source and a destination to share secret information over a wireless channel

so that the knowledge about that information at an eavesdropper or a wiretapper

is minimized. This model is the classical wiretap channel. When the objective of

secret-sharing is for the source and destination to agree upon a secret key, it is

assumed that a public channel exists between the source and destination that they can

use to exchange information without any rate and power constraints; however, all public

communications are perfectly observed by the wiretapper. We propose a low-density

parity-check (LDPC)-based scheme to support secret-key agreement through a

combination of direct transmission from the source to destination over the wiretap

channel and information exchanges between them over the public channel. To rigorously

quantify the secrecy performance of the proposed key-agreement scheme, we introduce

the notion of relaxed key capacity, which is defined as the maximum achievable key rate

over the wiretap channel subject to the constraint that the leakage rate (about the key)

is bounded below a fixed value. We prove that the proposed key-agreement scheme,

which employs an ensemble of regular LDPC codes, can asymptotically achieve the

relaxed key capacity of the Gaussian wiretap channel with the constraints of binary

phase-shift-keyed (BPSK) source symbols and destination hard-decision quantization.

This asymptotic result provides us a solid theoretical foundation that motivates us to


construct practically implementable key-agreement schemes using both fixed regular and

irregular LDPC codes. Moreover, the coding structure in the proposed key-agreement

scheme allows us to systematically and efficiently design good irregular LDPC codes

using a density-evolution based linear program. We demonstrate by simulation results

that the irregular LDPC codes obtained from the code search process outperform other

existing key-agreement schemes and provide secrecy performance close to the relaxed

key capacity of the Gaussian wiretap channel.

In this dissertation, we also suggest that the proposed key-agreement scheme

can be further improved by considering the use of punctured irregular LDPC codes.

Moreover, we extend the proposed key-agreement scheme to work in the Gaussian

wiretap channel with M-ary pulse-amplitude modulated (PAM) source symbols. We

show that the M-ary transmission can be transformed into M binary-input channels.

As a result, we can then assign the target key rate to the M binary-input channels

accordingly, and each of the M irregular LDPC codes will be designed individually for

the corresponding binary-input channel. The proposed key-agreement scheme can also

be applied to the fast Rayleigh fading wiretap channel in which the source is restricted

to transmit quadrature phase-shift-keyed (QPSK) symbols. We show that in such a

case, the in-phase (I-) and quadrature-phase (Q-) components of the wiretap channel

can be separately considered. Thus we only need to design irregular LDPC codes for

the I-component, and the resulting codes will also work well for the Q-component. In

both cases, we present simulation results to show that the proposed key-agreement

scheme provides excellent secrecy performance by employing the irregular LDPC codes

obtained through the aforementioned code search process.

Finally, we demonstrate that the proposed secret-sharing scheme can be adapted

to the case when the objective of secret sharing is for the source to send a secret

message to the destination without the help of the public channel. An LDPC-based


coding scheme is proposed and a density-based linear program is also developed to

find irregular LDPC codes to achieve good secrecy performance.


CHAPTER 1

INTRODUCTION

The growth of and demand for wireless technologies, devices and networks over

the last decade have fostered an increasing need for reliable and secure communication

schemes. Privacy and security issues are even more critical in wireless communications

than in wired networks because wireless communication is vulnerable to attacks like

channel jamming, unauthorized channel access and eavesdropping. Over the years,

solutions to these attacks have been engineered using a layered approach to simplify the

design of communication schemes. As examples of layer-specific security solutions,

spread spectrum modulation techniques are used with a spreading code to provide

features like low probability of detection, interception and localization to mitigate channel

jamming at the physical layer (PHY); admission control is handled at the medium access

control layer (MAC) to prevent unauthorized access; and cryptographic protocols like

RSA and AES are designed and implemented at the application layer (API) to prevent

eavesdropping. The performance of cryptographic protocols is traditionally assessed

using the notion of computational security, which relies on the assumption that the

computing resources at the eavesdropper are limited. Essentially, computational security

ensures that the amount of computing time and/or memory required to recover some

information exceeds the value of that information.

Physical-layer security, on the other hand, is a new paradigm that focuses on

providing solutions to various issues of privacy and security using traditional physical

layer techniques. Physical-layer security aims at developing secure communication

schemes by exploiting channel characteristics such as channel fading and noises,

which have historically been viewed as impairments for data communication between

terminals. In addition, physical-layer security schemes are designed to provide

information-theoretic security or unconditional security, which offers a stricter sense

of security than conventional cryptography since no assumption on the computational


power of the eavesdropper (wiretapper) is required. In his seminal paper [1], Shannon

provided the first rigorous statistical and mathematical treatment of secrecy. He

considered a cryptographic system in which a source intends to send a message M

to a destination through an insecure channel. It is assumed that a wiretapper has perfect

access to the insecure channel, i.e., the wiretapper receives an identical copy of the

encoded message C received by the destination, where C is obtained as a function of

the message M. We note that M and C are usually referred to as plaintext and ciphertext,

respectively, in a cryptographic system. We also note that a secret key K is shared

between the source and destination. When the encoded message C is statistically

independent of the message M, i.e., I(C; M) = 0, perfect secrecy is achieved [1].

Shannon proved that perfect secrecy can be achieved only when the secret key K is

at least as long as the message M, i.e., H(K) ≥ H(M). As a result, he stated that the

only encryption scheme satisfying the unconditional security criterion is the one-time

pad [1] in which the above entropy condition is met. Shannon’s result presents a very big

challenge for achieving perfect secrecy because of the pessimistic assumption that the

wiretapper has access to precisely the same information as the destination. However,

this assumption is much more restrictive than has generally been realized. Wyner [2]

and later Csiszár and Körner [3] considered a more reasonable scenario in which the

wiretapper is assumed to receive the message through a channel that is noisier than

that of the destination. An even more general model in which the observations at the

destination and wiretapper are different but correlated is discussed in [4]. Moreover,

a weaker, but more convenient, notion of security was employed in [2–4], where the

objective of secure transmission is to have the wiretapper’s equivocation rate to be as

large as the information rate from the source to destination.
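
Shannon's perfect-secrecy criterion described above, zero mutual information between message and ciphertext together with the key-entropy condition, can be checked numerically on a small case. The Python sketch below is an added example and not part of the dissertation; the XOR cipher on 2-bit messages, the three key distributions and all function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from itertools import product
from math import log2


def uniform_bits(n):
    """Uniform distribution over all n-bit tuples (entropy n bits)."""
    return {bits: 1.0 / 2 ** n for bits in product((0, 1), repeat=n)}


def repeated_bit_key(n):
    """One uniform key bit reused in every position, so H(K) = 1 bit."""
    return {(b,) * n: 0.5 for b in (0, 1)}


def biased_bits(n, p_one):
    """n independent bits, each equal to 1 with probability p_one."""
    dist = {}
    for bits in product((0, 1), repeat=n):
        prob = 1.0
        for b in bits:
            prob *= p_one if b else 1.0 - p_one
        dist[bits] = prob
    return dist


def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def joint_message_ciphertext(message_dist, key_dist):
    """Joint distribution of (M, C) for C = M XOR K, with M and K independent."""
    joint = defaultdict(float)
    for (m, pm), (k, pk) in product(message_dist.items(), key_dist.items()):
        c = tuple(mb ^ kb for mb, kb in zip(m, k))
        joint[(m, c)] += pm * pk
    return dict(joint)


def mutual_information(joint):
    """I(C; M) in bits, computed from the joint distribution of (M, C)."""
    p_m, p_c = defaultdict(float), defaultdict(float)
    for (m, c), p in joint.items():
        p_m[m] += p
        p_c[c] += p
    return sum(p * log2(p / (p_m[m] * p_c[c]))
               for (m, c), p in joint.items() if p > 0)


def leakage_bits(message_dist, key_dist):
    """What an eavesdropper who sees C exactly learns about M, in bits."""
    return mutual_information(joint_message_ciphertext(message_dist, key_dist))


if __name__ == "__main__":
    n = 2  # constructed toy size: 2-bit messages
    message = uniform_bits(n)
    keys = {
        "one-time pad (uniform 2-bit key)": uniform_bits(n),
        "one key bit reused twice": repeated_bit_key(n),
        "independent key bits, P(1) = 0.25": biased_bits(n, 0.25),
    }
    print(f"H(M) = {entropy(message):.4f} bits")
    for name, key in keys.items():
        print(f"{name}: H(K) = {entropy(key):.4f}, "
              f"I(C; M) = {leakage_bits(message, key):.4f}")
```

Only the uniform full-length key drives I(C; M) to zero; for a uniform message, each bit by which the key entropy falls short of the message entropy is a bit learned by an observer of the ciphertext.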

The wiretap channel, which was first introduced by Wyner [2] and later refined

by Csiszár and Körner [3], is probably the simplest and most well-known example

to illustrate the idea of physical-layer security. In the wiretap channel, a source


tries to send (secret) information to a destination in the presence of a wiretapper.

When the source-to-wiretapper channel¹ is a (physically) degraded version of the

source-to-destination channel, Wyner [2] showed that the source can transmit a

message at a positive (secrecy) rate to the destination by hiding the message under

the additional noise level seen by the wiretapper. Generalization of Wyner’s work to

the Gaussian wiretap channel was considered in [5]. The degradedness condition was

removed in [3], which showed that a positive secrecy rate is possible for the case where

the destination channel is “more capable” than the wiretapper channel.

In Wyner’s original paper, he described a code design based on group codes

for the wiretap channel. In [6], a code design based on coset codes was suggested

for the type II binary erasure wiretap channel, in which the destination channel is

error free. However, practical codes to achieve secrecy have only been found for a

very limited set of channels. The authors of [7] constructed low-density parity-check

(LDPC)-based wiretap codes for certain binary erasure channel (BEC) and binary

symmetric channel (BSC). Reference [8] considered the design of secure nested codes

for type-II wiretap channels. Recently, references [9] and [10] concurrently established

the result that polar codes [11] can achieve the secrecy capacity of the degraded

binary-input symmetric-output (BISO) wiretap channels. Note that all these designs are

for codes with asymptotically large block lengths.

In some scenarios, it is sufficient for two nodes to agree upon a common secret

(a key), instead of having to send secret information from one to the other. Under

this relaxed criterion, it is shown in [12] that, with the use of a feedback channel, a

positive key rate is achievable when the destination and wiretapper channels are

two conditionally independent (given the source input symbols) memoryless binary

¹ The source-to-wiretapper and source-to-destination channels will hereafter be referred to as wiretapper and destination channels, respectively.


channels, even if the destination channel is not more capable than the wiretapper

channel. This notion of secret sharing is formalized in [4] based on the concept of

common randomness between the source and destination, where two different system

models, namely the “source model with wiretapper” (SW) model and the “channel

model with wiretapper” (CW) model, are studied. The CW model is similar to the

(discrete memoryless) wiretap channel model that we have discussed above. The

SW model differs in that the random symbols observed at the source, destination, and

wiretapper are realizations of a discrete memoryless source with multiple components.

Assuming the availability of an interactive, authenticated public channel with unlimited

capacity between the source and destination, a three-phase process of achieving secret

sharing over the wiretap channel is suggested in [12]. The three phases are advantage

distillation, information reconciliation and privacy amplification, in that order. Advantage

distillation aims to provide the destination an advantage over the wiretapper. Information

reconciliation aims at generating an identical random sequence between the source

and destination by exploiting the public channel. Privacy amplification is the step that

extracts a secret key from the identical random sequence agreed by the source and

destination.

Information reconciliation is the most studied and most essential part of any

secret-sharing scheme. It falls into the category of secrecy extraction from correlated

sources and has close connections to the problem of source coding with side information.

Perhaps the most well-known practical application of reconciliation protocols is quantum

cryptography, where nonorthogonal states of a quantum system provide two terminals

correlated observations of randomness which are at least partially secret from a

potential eavesdropper. Many works [13]–[19] have been devoted to the study of

information reconciliation for both discrete and continuous random variables in quantum

key distribution (QKD) schemes. For the case of discrete random variables, Cascade

is an iterative reconciliation protocol first proposed by Brassard and Salvail in [13].


Despite being highly interactive, Cascade is the most widely used reconciliation protocol

in practical QKD setups because of its simplicity and reasonable efficiency. Variations

around the principle of interactive reconciliation used in Cascade have since been

proposed to limit the interactivity. For example, LDPC codes have been employed in [19]

to reduce the interactivity and improve the efficiency of Cascade. On the other hand,

the work on slice error correction (SEC) [15], which converts continuous variables

into binary strings and makes use of interactive error correcting codes is the first

reconciliation protocol for continuous random variables. Modern coding techniques

like turbo codes [14], and LDPC codes [16–18] have been used extensively within

information reconciliation protocols for continuous random variables.

Another area of application of reconciliation protocols is (secret) key agreement

over wireless channels. Many LDPC-based works have been proposed to exploit

channel reciprocity for secrecy. An LDPC-based method for extracting secrecy

from jointly Gaussian random sources generated by a Rayleigh fading model has

been studied in [17]. In [18], multilevel coding/multistage decoding (MLC/MSD)-like

reconciliation using LDPC codes has been proposed for a quasi-static Rayleigh fading

wiretap channel.

In [20], a coding scheme based on punctured LDPC codes for Gaussian wiretap

channels was presented to reduce the security gap, which expresses the quality

difference between the destination channel and wiretapper channel required to achieve

a sufficient level of security. In this scheme, information to be kept secret is punctured

at the output of the channel encoder to make it more difficult for the wiretapper to

recover. To further reduce the security gap, non-systematic LDPC codes have also

been exploited to perform reconciliation in Gaussian wiretap channel in [21], where the

information bits are scrambled before encoding. Unfortunately, the criterion of security

gap does not readily translate into the notion of information-theoretic secrecy employed

by Wyner [2].


In this dissertation, we consider the problem of secret sharing (secret key

agreement) over wiretap channels. Our main goal is to develop a coding structure

based on which practical “close-to-capacity” secret-sharing (key-agreement) codes can

be constructed. Finite block length and moderate encoder/decoder complexity are the

two main practical constraints that we consider when designing these codes. Moreover,

the ability to admit a systematic and efficient code design is another focus in developing

such a coding structure. In accordance with Wyner’s notion of information-theoretic

secrecy, the performance of our designs will be measured by the rate of secret

information shared between the source and destination (which will be referred to as

the key rate) as well as the rate of information that is leaked to the wiretapper through

all its observations of the wiretap and public channels (which will be referred to as the

leakage rate).

The organization of this dissertation is as follows. To rigorously gauge the secrecy

performance of our code designs, Chapter 2 reviews the classes of permissible

secret-sharing strategies suggested in [4] and then introduces the notion of relaxed key

capacity, which is the maximum key rate that can be achieved over the wiretap channel

provided that the leakage rate is bounded below a fixed value. LDPC codes, which are

used extensively throughout this dissertation, are also summarized and discussed in

Chapter 2. Chapter 3 presents a secret-sharing scheme employing an ensemble of

regular LDPC codes for the Gaussian wiretap channel with binary phase-shift-keyed (BPSK)

source symbols and hard-decision destination quantization. We prove that the proposed

secret-sharing scheme achieves the relaxed key capacity with asymptotically large

block length. We note that a similar LDPC-based key-agreement scheme employing

observations of correlated discrete stationary sources at the source, destination, and

wiretapper was studied in [16]. A more detailed comparison between our scheme and

the one proposed in [16] will be provided in the sequel. The aforementioned asymptotic

result provides us with a reasonable theoretical justification to design practical secret-sharing


schemes based on the proposed coding structure. We thus propose to replace

the regular LDPC code ensemble with fixed LDPC codes that are more amenable

to practical implementation. We also describe a code search process based on

density-evolution analysis to obtain good irregular LDPC codes for use in the proposed

secret-sharing scheme. In Chapter 4, the proposed secret-sharing scheme is extended

and improved to include the case in which the source transmits M-ary equiprobable

pulse-amplitude modulation (PAM) symbols. We show that the secret-sharing problem

can be translated into the design of M irregular LDPC codes and each of them is

designed to work over the corresponding equivalent binary-input wiretap channels. The

proposed code search process will then be modified to systematically design irregular

LDPC codes to achieve good secrecy performance. In Chapter 5, the fast-fading wiretap

channel is considered. We show that the in-phase and quadrature-phase components

of the fast-fading wiretap channel can be considered separately. Slight modifications are

also made to the proposed secret-sharing scheme and code search process to work

over the fast-fading wiretap channel. Finally, conclusions will be given in Chapter 6.


CHAPTER 2
FUNDAMENTALS OF SECRET SHARING

2.1 Notations

We start by introducing some commonly used notations in this dissertation. Scalars

are denoted by normal letters $x$, random variables are denoted by capital letters $X$,

matrices are denoted by boldface letters $\mathbf{X}$. In the rest of the dissertation, we use $x^n$

and $\mathbf{x}$ to represent the row vector constructed from the sequence $\{x_1, x_2, \ldots, x_n\}$

interchangeably. We also use $(\cdot)^T$, $(\cdot)^*$ and $(\cdot)^{-1}$ to denote the transpose, conjugate

transpose and inverse of any matrix, respectively. The (Shannon) entropy of a random

variable and the (Shannon) mutual information between two random variables are

denoted by $H(\cdot)$ and $I(\cdot\,;\cdot)$, respectively. We use $\Pr\{A\}$ to denote the probability of an

event $A$. The probability density function (pdf) of a (continuous) random variable $X$ is

denoted by $p_X(x)$ and the conditional density of $X$ given another (continuous) random

variable $Y$ is denoted by $p_{X|Y}(x|y)$. Throughout this dissertation, we drop the subscripts

in pdfs whenever the concerned random variables are well specified by the arguments of

the pdfs.

2.2 Permissible Secret-Sharing Strategies and Relaxed Key Capacity

In [2], Wyner introduced the classical wiretap channel which consists of three

terminals, namely a source, a destination and an eavesdropper (wiretapper). The source

attempts to send a secret message to a destination in the presence of a wiretapper.

The wiretap channel is defined by a triple (X ,Y ,Z), where X is the symbol sent by the

source, and Y and Z denote the corresponding symbols observed by the destination

and wiretapper, respectively. In this dissertation, we consider the wiretap channel to

be memoryless and specified by the conditional pdf $p_{Y,Z|X}(y, z|x)$. In addition, we

restrict ourselves to cases in which $Y$ and $Z$ are conditionally independent given $X$,

i.e., $p_{Y,Z|X}(y, z|x) = p_{Y|X}(y|x)\,p_{Z|X}(z|x)$, which is a reasonable model for the nature of

broadcasting in wireless communication. In addition to the wiretap channel, there is an


interactive, authenticated, public channel with unlimited capacity between the source

and destination. Here, interactive means that the channel is two-way and can be used

multiple times, authenticated and public mean that the wiretapper can perfectly observe

all communications over the public channel but cannot tamper with the messages

transmitted, and unlimited capacity means that the channel is noiseless and has infinite

capacity. The objective of secret sharing is for the source and destination to share secret

information, that is obscure to the wiretapper, by exploiting common randomness [4]

available to them through the wiretap channel. The common randomness is to be

extracted by a proper combination of transmission from the source to the destination

through the wiretap channel (X ,Y ,Z) and information exchanges between them over

the public channel. To systematically tackle the problem of secret sharing, a class of

permissible secret-sharing strategies, which is described in detail below, is elegantly

suggested in [4]. Consider $t$ time instants labeled by $1, 2, \ldots, t$, respectively. The wiretap channel is used $n$ times during these $t$ time instants at $i_1 < i_2 < \cdots < i_n$. Set $i_{n+1} = t$. The public channel is used for the other $(t - n)$ time instants. Before the secret-sharing process starts, the source and destination generate, respectively, independent random variables $M_X$ and $M_Y$. Then a permissible strategy proceeds as follows:

• At time instant $0 < i < i_1$, the source sends message $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$ to the destination, and the destination sends message $\Psi_i = \Psi_i(M_Y, \Phi^{i-1})$ to the source. Both transmissions are carried over the public channel.

• At time instant $i = i_j$ for $j = 1, 2, \ldots, n$, the source sends the symbol $X_j = X_j(M_X, \Psi^{i_j - 1})$ to the wiretap channel. The destination and wiretapper observe the corresponding symbols $Y_j$ and $Z_j$. There is no message exchange via the public channel; i.e., $\Phi_i$ and $\Psi_i$ are both null.

• At time instant $i_j < i < i_{j+1}$ for $j = 1, 2, \ldots, n$, the source sends message $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$ to the destination, and the destination sends message $\Psi_i = \Psi_i(M_Y, Y^j, \Phi^{i-1})$ to the source. Both transmissions are carried over the public channel.


At the end of the $t$ time instants, the source generates its secret key $K = K(M_X, \Psi^t)$, and the destination generates its secret key $L = L(M_Y, Y^n, \Phi^t)$, where $K$ and $L$ take values from the same finite set $\mathcal{K}$.

Slightly extending the achievable key rate definition in [4], for $R_l \ge 0$, we call $(R, R_l)$ an achievable key-leakage rate pair through the wiretap channel $(X, Y, Z)$ if for every $\varepsilon > 0$, there exists a permissible secret-sharing strategy of the form described above such that

1. $\Pr\{K \ne L\} < \varepsilon$,

2. $\frac{1}{n} I(K; \Phi^t, \Psi^t) < \varepsilon$,

3. $\frac{1}{n} I(K; Z^n \mid \Phi^t, \Psi^t) < R_l + \varepsilon$,

4. $\frac{1}{n} H(K) > R - \varepsilon$, and

5. $\frac{1}{n} \log_2 |\mathcal{K}| < \frac{1}{n} H(K) + \varepsilon$

for sufficiently large $n$. Condition 1 means that the source and the destination have indeed generated a common key with a small probability of error. Condition 2 restricts the public messages (the messages conveyed through the public channel) to contain a negligible rate of information about the key, while Condition 3 limits to $R_l$ the rate of key information that the wiretapper can extract from its own channel observations given the public messages. Note that Condition 3 is trivially satisfied if $R_l \ge \frac{1}{n} \log_2 |\mathcal{K}|$. When $R_l = 0$, we note that Conditions 2 and 3 combine to essentially give the original condition $\frac{1}{n} I(K; Z^n, \Phi^t, \Psi^t) < \varepsilon$ of the achievable key rate definition in [4]¹. Condition 4 defines the rate of the secret key achieved, and Condition 5 means that the distribution of the key is nearly uniform. For the cases in which the alphabet of $X$ is not finite, we also impose the following power constraint to the symbol sequence $X^n$ sent out by the source:

$$\frac{1}{n} \sum_{j=1}^{n} |X_j|^2 \le P \tag{2–1}$$

with probability one (w.p.1) for sufficiently large $n$. We note that the idea of key-leakage rate pair is similar to that of the secrecy-equivocation rate pair originally defined in [2].

¹ When $R_l > 0$, if the combined condition $\frac{1}{n} I(K; Z^n, \Phi^t, \Psi^t) < R_l + \varepsilon$ is employed instead of Conditions 2 and 3, then it is easy to see that if $(R, R_l)$ is an achievable key-leakage rate pair, $(R + r, R_l + r)$ is also achievable, for any $r \ge 0$, by simply transmitting the additional key information (of rate $r$) through the public channel. Separating the two conditions as suggested avoids such an artificial consequence of the combined condition.

The Rl -relaxed key capacity is defined as the maximum value of R such that

(R,Rl) is an achievable key-leakage rate pair. The main reason for us to introduce the

notion of relaxed key capacity is to employ it as a gauge to measure the performance

of practical codes later presented in this dissertation. Since these codes have finite

block lengths and are to be decoded by the belief propagation (BP) algorithm, they do

not achieve zero leakage rate. Thus using the relaxed key capacity provides a more

suitable comparison than using the original “straight” key capacity in [4]. Also, since

these practical codes do not give zero leakage rate, their use could be considered as an

information-reconciliation step. The secrecy performance could be further improved by

additional privacy amplification.

In general, the (secret) key capacity for wiretap channels remains a challenging

open problem. On the other hand, for wiretap channels that satisfy the aforementioned

conditional independence requirement, we have the following result, whose proof is

given in Appendix A:

Theorem 2.1. The $R_l$-relaxed key capacity of the memoryless wiretap channel $(X, Y, Z)$ with conditional pdf $p(y, z|x) = p(y|x)\,p(z|x)$ is given by

$$C_K(R_l) = \max_{X:\, E[|X|^2] \le P} \left[ \min\{ I(X;Y) - I(Y;Z) + R_l,\; I(X;Y) \} \right].$$

2.3 Low-Density Parity-Check (LDPC) codes

One of the major reasons for making secret-sharing schemes practically implementable

was the development of capacity-approaching codes with reasonable encoding/decoding


complexity. In this section, we provide a review of an important class of capacity-approaching

codes, namely low-density parity-check (LDPC) codes [22, 23], which

will be used extensively throughout this dissertation. LDPC codes were proposed by

Gallager in 1962 [22, 24]. However, the full potential of these codes was not realized

until almost 35 years later when they were “rediscovered” by MacKay and Neal [23]. The

primary reason that these codes were forgotten by the coding community is that at the

time of their development by Gallager, these codes could not be used in any practical

communication scheme because of insufficient computational power.

LDPC codes are linear block codes characterized by the corresponding parity-check

matrix $\mathbf{H}$, which is a non-systematic and sparse matrix. The set of codewords

of an LDPC code can be expressed as the null space of the corresponding $\mathbf{H}$, i.e., $\mathbf{x}$

is a codeword if and only if $\mathbf{x}\mathbf{H}^T = \mathbf{0}$. Gallager proposed a class of LDPC codes that

are now referred to as regular LDPC codes because they have an equal number of 1s

in each row and column of their parity-check matrices. An $(n, l)$ $(j, k)$-regular LDPC

code has a parity-check matrix with $n$ columns, $n - l$ rows, $j$ 1’s per column, and $k$ 1’s

per row. A useful observation is that an LDPC code can be represented as a Tanner

graph [25], which is a bipartite graph, between a set of variable nodes and check nodes.

For example, Figure 2-1A shows the bipartite graph of the (12, 6) (3, 6)-regular LDPC

code with parity-check matrix

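$$\mathbf{H} = \begin{bmatrix}
1 & 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 1 \\
1 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 \\
0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 1 & 0
\end{bmatrix}. \tag{2–2}$$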

In Figure 2-1, the variable nodes correspond to the code symbols, and the check nodes correspond to the parity-check constraints from the parity-check matrix. For regular LDPC codes, each type of nodes has the same number of connections to the other type of nodes. The number of connections is called the degree of the nodes. Since the parity-check matrix has low density, the degree of each type of nodes is small.

[Figure 2-1. Examples of bipartite graphs of LDPC codes. (A) Bipartite graph of the (12, 6) (3, 6)-regular LDPC code. (B) Bipartite graph of an irregular LDPC code.]

[Figure 2-2. The first and the second half iteration of belief propagation algorithm. (A) The first half iteration. (B) The second half iteration.]

The performance of LDPC codes was further improved by their generalization to irregular LDPC codes that have varying numbers of 1’s in the rows and columns of their parity-check matrices. This is equivalent to allowing different nodes in the Tanner graph to have different degrees. Irregular LDPC codes are specified by their variable- and check-node degree distribution polynomials, namely $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ and $\rho(x) = \sum_{i=2}^{d_c} \rho_i x^{i-1}$, where $\lambda_i$ ($\rho_i$) represents the fraction of edges emanating from the variable (check) nodes of degree $i$. The code rate associated with the (irregular) LDPC codes with degree distribution pairs $(\lambda, \rho)$ is given by $1 - \frac{\int \rho(x)\,dx}{\int \lambda(x)\,dx}$. The bipartite graph of an irregular LDPC code with degree distribution pairs $\lambda(x) = 0.4x + 0.6x^2$ and $\rho(x) = 0.6x^2 + 0.4x^3$ is shown in Figure 2-1B. The early work on irregular LDPC codes

was focused on the design of codes for the erasure channel that have good performance

and low encoding and decoding complexity [26–28]. Rather than finding specific codes,

however, the techniques in [26–28] give ways to find degree distributions for ensembles

of codes that offer good average performance. This approach was extended in [29, 30]

to many other channels, including the binary-input additive white Gaussian noise

(AWGN) channel. By optimizing the degree distribution, irregular LDPC codes can

achieve performance extremely close to the channel capacity. For example, irregular

LDPC codes have been designed that can achieve performance within 0.0045 dB of the

capacity of the binary-input AWGN channel [31].

LDPC codes can be decoded using belief propagation algorithms (BPAs), which

can be visualized as computing and exchanging soft-information iteratively among the

variable and check nodes in the Tanner graph. Let $\mathbf{d} = (d_1, \ldots, d_n)$ be the transmitted codeword, and $\mathbf{y} = \mathbf{d} + \mathbf{n}$ be the received sequence. The BPAs estimate the a posteriori LLRs for the coded bits,

$$L(d_i) = \log\left( \frac{\Pr\{d_i = +1 \mid \mathbf{y}\}}{\Pr\{d_i = -1 \mid \mathbf{y}\}} \right), \tag{2–3}$$

for i = 1, ... , n. Note that unlike turbo codes [32], LDPC codes are typically non-systematic

codes, and the BPA estimates the values for the coded bits, not the message bits. The

message bits can be recovered from the estimated codeword through matrix operations.

In BPAs, computation is performed at each vertex of the graph, and messages are

exchanged along the edges. For the LDPC codes, the vertices are either check nodes

or variable nodes. Although many different message-passing schedules are possible,

it is convenient to discuss the BPA as an iterative process in which each iteration

consists of two steps. In the first step, the check nodes perform computations on

messages received from the variable nodes. In the second step, the variable nodes

perform computation on messages received from the check nodes. BPAs are usually

performed under the assumption that the messages involved in the algorithm are

independent. Although this is true for certain types of graphs, such as trees, it is not true

for most codes of interest, including the LDPC codes. Thus, the resulting algorithm is an

approximation to the MAP decoder, even if the computations performed at the variable

and check nodes are done according to the MAP rule.

The sum-product algorithm (SPA) (cf. [33]) is the most popular form of BPA to

decode LDPC codes because of its simple implementation. We now briefly overview

the SPA as follows. The variable nodes input messages consisting of the channel LLRs $L(y_j)$ and extrinsic information from the check nodes. Let $l_k(d_j)$ be the extrinsic information from the $k$th check node about coded bit $j$, and let $l^i(d_j)$ be the sum of the channel LLR and extrinsic information about code bit $j$ to the $i$th check node. Then by applying the independence assumption, $l^i(d_j)$ is the sum of the LLRs received on all of the edges into the variable node $j$, except for the LLR received on the edge from check node $i$. That is,

$$l^i(d_j) = L(y_j) + \sum_{k \ne i} l_k(d_j).$$

This processing is illustrated in Figure 2-2A. Note that at the beginning of the first

iteration, the variable nodes have not received any messages yet, so the variable node

j has only the LLR of the channel observation L(yj). Each variable node passes a

message equal to the channel LLR L(yj) on the vertices to each of the check nodes to

which it is connected.

Each check node enforces a parity check equation from the low density parity-check

matrix of the LDPC codes. Let $s_i \in \{+1, -1\}$ denote the associated parity of the $i$-th parity check equation². The check nodes use the messages from the variable nodes to compute extrinsic information to pass back to the variable nodes. The extrinsic information about bit $d_j$ from check node $i$, $l_i(d_j)$, is given by [34]

$$l_i(d_j) = 2 \tanh^{-1}\left\{ s_i \prod_{\ell \ne j} \tanh\left( \frac{l^i(d_\ell)}{2} \right) \right\} \tag{2–4}$$

and illustrated in Figure 2-2B. After some stopping criterion has been met, the decoder computes the LLR and makes a decision on the bits $d_j$ according to

$$\hat{d}_j = \operatorname{sgn}\left\{ L(y_j) + \sum_i l_i(d_j) \right\},$$

where sgn is the signum function. We note that the above SPA is known as the

probability-domain SPA. Similar to the probability-domain Viterbi [35] and

Bahl-Cocke-Jelinek-Raviv (BCJR) [36] algorithms, the probability-domain SPA suffers

from numerical instability because of involving multiplications of probabilities. Thus, a

log-domain version of SPA is usually preferred for practical implementation.

² In conventional LDPC codes, $s_i = +1$ for all $i$.
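The message-passing rules above, run on the (12, 6) code of (2–2), as an added example that is not code from the dissertation. It assumes a BPSK/AWGN channel, for which the channel LLR is $2y_j/\sigma^2$, takes $s_i = +1$ for every check, and uses a constructed received vector; all function and variable names are illustrative.

```python
import math

# Parity-check matrix (2-2); each string is one row of H.
H = [[int(b) for b in row] for row in (
    "111001100010", "111110000001", "000001110111",
    "100100011101", "010110111000", "001011001110")]
M, N = len(H), len(H[0])
CHECK_NBRS = [[j for j in range(N) if H[i][j]] for i in range(M)]  # symbols in check i
VAR_NBRS = [[i for i in range(M) if H[i][j]] for j in range(N)]    # checks on symbol j


def hard_bits(values):
    """Sign decision: non-negative value -> symbol +1 -> bit 0, negative -> bit 1."""
    return [0 if v >= 0 else 1 for v in values]


def parity_ok(bits):
    """True when every parity-check equation of H is satisfied."""
    return all(sum(bits[j] for j in CHECK_NBRS[i]) % 2 == 0 for i in range(M))


def spa_decode(y, sigma2, max_iter=20):
    """Sum-product decoding of y = d + noise with d_j in {+1, -1}.

    Returns (decoded bits, iterations used)."""
    chan = [2.0 * yj / sigma2 for yj in y]  # channel LLRs L(y_j)
    # Check-to-variable messages l_i(d_j); all zero before the first iteration.
    c2v = {(i, j): 0.0 for i in range(M) for j in CHECK_NBRS[i]}
    bits = hard_bits(chan)
    for it in range(1, max_iter + 1):
        # Variable-to-check: l^i(d_j) = L(y_j) + sum_{k != i} l_k(d_j)
        v2c = {}
        for j in range(N):
            total = chan[j] + sum(c2v[(k, j)] for k in VAR_NBRS[j])
            for i in VAR_NBRS[j]:
                v2c[(i, j)] = total - c2v[(i, j)]
        # Check-to-variable: equation (2-4) with s_i = +1
        for i in range(M):
            for j in CHECK_NBRS[i]:
                prod = 1.0
                for m in CHECK_NBRS[i]:
                    if m != j:
                        prod *= math.tanh(v2c[(i, m)] / 2.0)
                # Keep atanh finite when messages saturate.
                prod = max(min(prod, 1.0 - 1e-12), -1.0 + 1e-12)
                c2v[(i, j)] = 2.0 * math.atanh(prod)
        # Decision: sign of L(y_j) + sum_i l_i(d_j); stop once all checks hold.
        post = [chan[j] + sum(c2v[(i, j)] for i in VAR_NBRS[j]) for j in range(N)]
        bits = hard_bits(post)
        if parity_ok(bits):
            return bits, it
    return bits, max_iter


# Constructed sample: columns 6 and 11 of H are identical, so the word with
# ones in exactly those two positions is a codeword.
CODEWORD = [0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0]
SIGMA2 = 0.5
# Constructed received values; the first symbol (sent as +1) arrives as -0.2.
Y = [-0.2, 0.9, 1.1, 1.0, 0.8, -1.1, 1.2, 0.9, 1.0, 1.1, -0.9, 1.0]

if __name__ == "__main__":
    print("hard decision passes parity:", parity_ok(hard_bits(Y)))
    print("SPA output:", spa_decode(Y, SIGMA2))
```

Because columns 6 and 11 of (2–2) coincide, this small code has minimum distance 2, so it is useful for tracing the message updates rather than as a strong error-correcting code.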


CHAPTER 3
SECRET-SHARING LDPC CODES FOR BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL

Inspired by the achievability proof of Theorem 2.1 (cf. Appendix A), we will develop

a secret-sharing scheme employing the powerful LDPC codes in this chapter. Our main

goal is to develop a practical secret-sharing scheme such that a systematic and efficient

approach to code design can be constructed to find LDPC codes that give good secrecy

performance.

3.1 BPSK-constrained Gaussian Wiretap Channel

In this chapter, we focus on the Gaussian wiretap channel in which the destination

and wiretapper channels are both AWGN channels. We also restrict the source to

transmit only BPSK symbols. More specifically, let $X_i \in \{\pm 1\}$ be the $i$th transmit symbol from the source, and let $Y_i$ and $Z_i$ be the corresponding received symbols at the destination and wiretapper, respectively. The Gaussian wiretap channel can then be modeled as

$$\begin{aligned} Y_i &= \beta X_i + N_i \\ Z_i &= \alpha\beta X_i + \tilde{N}_i, \end{aligned} \tag{3–1}$$

where $N_i$ and $\tilde{N}_i$ are i.i.d. zero-mean Gaussian random variables of variance $\sigma^2$. Note that $\beta$ is the gain of the BPSK symbols transmitted by the source. By the source power constraint (2–1), we have $\beta^2 \le P$. Also, $\alpha$ is a positive constant which models the gain advantage of the wiretapper over the destination. Let the (noise) normalized gain be $\tilde\beta = \beta/\sigma$. Then the received signal-to-noise ratios (SNRs) at the destination and wiretapper are $\beta^2/\sigma^2$ and $\alpha^2\beta^2/\sigma^2$, respectively. Clearly, the Gaussian wiretap

channel satisfies the memoryless and conditional independent properties required in

Theorem 2.1.


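Specializing Theorem 2.1 to the BPSK-constrained Gaussian wiretap channel, it is not hard to show¹ that the $R_l$-relaxed key capacity is given by

$$\begin{aligned} C_b(R_l) = \max_{0 \le \tilde\beta \le \sqrt{P/\sigma^2}} \Bigg\{ & \min\Bigg\{ \frac{1}{2\pi} \int_0^\infty \!\! \int_0^\infty H_2\!\left( \frac{1 + e^{-2\tilde\beta y} \cdot e^{-2\alpha\tilde\beta z}}{[1 + e^{-2\tilde\beta y}][1 + e^{-2\alpha\tilde\beta z}]} \right) \left[1 + e^{-2\tilde\beta y}\right] \\ & \quad \cdot \left[1 + e^{-2\alpha\tilde\beta z}\right] \exp\!\left[ -\frac{(y - \tilde\beta)^2}{2} - \frac{(z - \alpha\tilde\beta)^2}{2} \right] dy\,dz + R_l,\; 1 \Bigg\} \\ & - \frac{1}{\sqrt{2\pi}} \int_0^\infty H_2\!\left( \frac{1}{1 + e^{-2\tilde\beta y}} \right) \left(1 + e^{-2\tilde\beta y}\right) \exp\!\left[ -\frac{(y - \tilde\beta)^2}{2} \right] dy \Bigg\}, \end{aligned} \tag{3–2}$$

where $H_2(p) = -p \log_2 p - (1 - p) \log_2(1 - p)$ is the binary entropy function. We note that $C_b(R_l)$ is achieved when $X$ is equiprobable; however, it is not necessarily achieved by transmitting at the maximum allowable power $P$.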

The achievability proof of Theorem 2.1 (cf. Appendix A) employs random Wyner-Ziv

coding, in which the received symbols at the destination need to be quantized due to

the fact that the channel alphabet at the destination in the Gaussian wiretap channel

is continuously distributed. In this chapter, we consider a simple symbol-by-symbol

hard-decision quantization scheme in which the $i$th quantized destination symbol $\hat{Y}_i = \operatorname{sgn}(Y_i)$. Note that this quantization is suboptimal and leads to a loss in key capacity. We quantify this loss by applying Theorem 2.1 to the BPSK-constrained Gaussian wiretap channel with hard-decision quantization at the destination to calculate the $R_l$-relaxed key capacity $C_{bq}(R_l)$. Using the standard notation $Q(x) = \int_x^\infty \frac{e^{-u^2/2}}{\sqrt{2\pi}}\,du$, it is not hard to establish¹ that

$$C_{bq}(R_l) = \max_{0 \le \tilde\beta \le \sqrt{P/\sigma^2}} \left[ \min\{ C_s(\tilde\beta) - C_w(\tilde\beta) + R_l,\; C_s(\tilde\beta) \} \right], \tag{3–3}$$

where

$$C_s(\tilde\beta) = 1 - H_2(Q(\tilde\beta)) \tag{3–4}$$

$$C_w(\tilde\beta) = 1 - \frac{1}{\sqrt{2\pi}} \int_0^\infty H_2\!\left( \frac{Q(\tilde\beta) + [1 - Q(\tilde\beta)]\, e^{-2\alpha\tilde\beta z}}{1 + e^{-2\alpha\tilde\beta z}} \right) \left[1 + e^{-2\alpha\tilde\beta z}\right] \cdot \exp\!\left[ -\frac{(z - \alpha\tilde\beta)^2}{2} \right] dz \tag{3–5}$$

are, respectively, the capacities of the quantized-destination-to-source and quantized-destination-to-wiretapper channels at normalized gain $\tilde\beta$. Like before, $C_{bq}(R_l)$ is achieved when $X$ is equiprobable, but it is not necessarily achieved by transmitting at the maximum allowable power $P$.

¹ For the proofs of (3–2) and (3–3), see Appendix C.

To visualize the loss in key capacity, Figure 3-1 illustrates Cb(Rl) and Cbq(Rl) versus

the maximum allowable SNR (P/σ2) for different values of Rl . We can see that the

loss in key capacity due to the hard-decision quantization is no more than 0.07 bits per

(wiretap) channel use (bpcu) for the cases shown.
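A numerical evaluation of (3–3)–(3–5), added here as an example and not taken from the dissertation. The function names, the Simpson's-rule integration and the grid search over the normalized gain are choices made for this sketch; `beta` in the code is the normalized gain and `alpha` the wiretapper gain advantage.

```python
import math


def h2(p):
    """Binary entropy function H2(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def q_func(x):
    """Gaussian tail probability Q(x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def simpson(f, a, b, m=400):
    """Composite Simpson's rule on [a, b] with m (even) sub-intervals."""
    h = (b - a) / m
    total = f(a) + f(b)
    for i in range(1, m):
        total += (4 if i % 2 else 2) * f(a + i * h)
    return total * h / 3.0


def c_s(beta):
    """Equation (3-4): capacity of the BSC created by the hard decision."""
    return 1.0 - h2(q_func(beta))


def c_w(beta, alpha):
    """Equation (3-5): information between the quantized destination symbol and Z."""
    q = q_func(beta)
    g = alpha * beta

    def integrand(z):
        e = math.exp(-2.0 * g * z)
        return h2((q + (1.0 - q) * e) / (1.0 + e)) * (1.0 + e) * math.exp(-(z - g) ** 2 / 2.0)

    # The Gaussian factor is negligible beyond g + 12.
    return 1.0 - simpson(integrand, 0.0, g + 12.0) / math.sqrt(2.0 * math.pi)


def c_bq(r_l, snr_db, alpha_sq_db, steps=100):
    """Equation (3-3) by grid search over 0 < beta <= sqrt(P / sigma^2).

    Returns (key capacity in bpcu, maximizing normalized gain)."""
    beta_max = math.sqrt(10.0 ** (snr_db / 10.0))
    alpha = math.sqrt(10.0 ** (alpha_sq_db / 10.0))
    best = (0.0, 0.0)
    for i in range(1, steps + 1):
        beta = beta_max * i / steps
        cs = c_s(beta)
        best = max(best, (min(cs - c_w(beta, alpha) + r_l, cs), beta))
    return best


if __name__ == "__main__":
    for r_l in (0.0, 0.1):
        for a_db in (0.0, 5.0):
            val, beta = c_bq(r_l, 2.0, a_db)
            print(f"Rl={r_l} alpha^2={a_db} dB: Cbq={val:.4f} bpcu at beta={beta:.3f}")
```

Running it with a large power budget shows the maximizing gain sitting strictly inside the allowed range, which is the point made above about not necessarily transmitting at the maximum allowable power.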

3.2 Secret-Sharing Scheme Employing Regular LDPC Code Ensembles

As mentioned above, the achievability proof of Theorem 2.1 in Appendix A employs

a secret-sharing scheme with random Wyner-Ziv coding. For the BPSK-constrained

Gaussian wiretap channel with destination hard-decision quantization, we show in this

section that a secret-sharing scheme that employs a properly constructed ensemble of

regular LDPC codes can also asymptotically achieve the Rl -relaxed key capacity. We

design practical secret-sharing schemes for the BPSK-constrained Gaussian wiretap

channel in Section 3.3 based on the LDPC coding structure proposed here.

[Figure 3-1. Comparison between the relaxed key capacities $C_b$ and $C_{bq}$ over the BPSK-constrained Gaussian wiretap channel. Horizontal axis: $P/\sigma^2$ (dB); vertical axis: $C_b$ or $C_{bq}$ (bpcu); curves for $R_l = 0$ and $R_l = 0.1$, each with $\alpha^2 = 0$ dB and $\alpha^2 = 5$ dB.]

To start describing the proposed secret-sharing scheme, let us consider an $(n, l)$ binary linear block code $\mathcal{C}$ with $2^l$ distinct codewords of length $n$ and an $(l - k)$-dimensional subspace $\mathcal{W}$ in $\mathcal{C}$. The pair $(\mathcal{C}, \mathcal{W})$ defines what we call an $(n, l, k)$ secret-sharing binary linear block code. Given any such $(\mathcal{C}, \mathcal{W})$ pair, let $\mathcal{K}$ be the quotient of $\mathcal{C}$ by $\mathcal{W}$. Then $\mathcal{K}$ is a linear space of $2^k$ distinct cosets of the form $x^n + \mathcal{W}$, where $x^n \in \mathcal{C}$. We will use the coset index in $\mathcal{K}$ as the secret key. We will see later that the ordering of the cosets in $\mathcal{K}$ is immaterial. The ratios $R_c = \frac{l}{n}$ and $R_k = \frac{k}{n}$ will be referred to as the code rate and key rate of the $(n, l, k)$ secret-sharing binary linear block code, respectively.

Next, we consider the following random ensemble of (n, l , k) secret-sharing binary

linear block codes:

• The $(n, l)$ linear block code $\mathcal{C}$ is chosen uniformly from the ensemble of $(d_v, d_c)$-regular LDPC codes considered in [29]. That is, we consider that $\mathcal{C}$ is chosen uniformly from the set of all bipartite graphs [25] with $n$ degree-$d_v$ variable nodes and $n - l$ degree-$d_c$ check nodes.

• The subspace $\mathcal{W}$ is chosen uniformly over the set of all possible $(l - k)$-dimensional subspaces in $\mathcal{C}$.

Note that a realization of the randomly chosen $\mathcal{C}$ may actually have $2^{l'}$ distinct codewords, where $l' > l$. In such case, $\mathcal{K}$ will be of dimension $k + l' - l$; so the actual key rate will be larger than $R_k$. Hence, we can conservatively assume $\mathcal{C}$ is always an $(n, l)$ linear code with $2^l$ distinct codewords to simplify the notation below.

Consider the following secret-sharing scheme:

1. Random source transmission and destination quantization: The source randomly generates a sequence $X^n$ of $n$ i.i.d. equally likely BPSK symbols and transmits them consecutively over the Gaussian wiretap channel $(X, Y, Z)$. The destination receives the sequence $Y^n$ and obtains the quantized sequence $\hat{Y}^n$ by performing symbol-by-symbol hard-decision quantization on $Y^n$, i.e., $\hat{Y}_j = \operatorname{sgn}(Y_j)$. This quantization effectively turns the source-to-destination channel into a BSC, whose cross-over probability depends on the SNR of the original source-to-destination channel. We note that the wiretapper also observes $Z^n$ through the source-to-wiretapper channel.

2. Syndrome generation through LDPC encoding at destination: The next step is for the destination to feed a compressed version of $\hat{Y}^n$ back to the source through the public channel so that the source can resolve the differences between $X^n$ and $\hat{Y}^n$. This is similar to the problem considered in [37] of compressing an equiprobable memoryless binary source with side information using LDPC codes. More precisely, the destination selects $(\mathcal{C}, \mathcal{W})$ randomly from the ensemble of secret-sharing $(d_v, d_c)$-regular LDPC codes described above. It then generates the syndrome sequence $S^{n-l} = \hat{Y}^n \mathbf{H}^T$, where $\mathbf{H}$ is a parity-check matrix of $\mathcal{C}$. We note that each $S^{n-l}$ uniquely corresponds to a coset $E_S^n + \mathcal{C}$. Further, the destination determines to which coset in $\mathcal{K}$ the sequence $X_0^n = \hat{Y}^n + E_S^n \in \mathcal{C}$ belongs. Denote that coset by $X_0^n + \mathcal{W}$. Finally, the destination sends $E_S^n$, $\mathcal{C}$, and $\mathcal{W}$ back to the source via the public channel.

3. Decoding at source: The source then tries to decode for $X_0^n$ from observing $X^n$ and $E_S^n$ according to $(\mathcal{C}, \mathcal{W})$. Treating $X^n + E_S^n$ as a noisy version of $X_0^n$, it performs maximum likelihood (ML) decoding to obtain a codeword in $\mathcal{C}$ and then determines to which coset in $\mathcal{K}$ the decoded codeword belongs. Denote that coset by $\hat{X}^n + \mathcal{W}$.

4. Key generation at source and destination: The destination sets its key $L$ to be the index of $X_0^n + \mathcal{W}$ in $\mathcal{K}$. Similarly, the source sets its key $K$ to be the index of $\hat{X}^n + \mathcal{W}$ in $\mathcal{K}$.
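The four steps above on a toy instance, added here as an example and not taken from the dissertation. It assumes the (12, 6) code of (2–2) as the code C, a fixed rather than randomly drawn subspace W with k = 2, minimum-weight coset representatives for the public error sequence, and brute-force nearest-codeword search as ML decoding over the BSC; vectors are 12-bit integers (bit 0 means BPSK symbol +1) and all names are illustrative.

```python
# Parity-check matrix (2-2), one 12-bit integer per row (leftmost bit = first symbol).
H_ROWS = ["111001100010", "111110000001", "000001110111",
          "100100011101", "010110111000", "001011001110"]
N, K_BITS = 12, 2
H = [int(r, 2) for r in H_ROWS]


def weight(v):
    """Hamming weight of a bit vector stored as an integer."""
    return bin(v).count("1")


def syndrome(v):
    """Syndrome v * H^T over GF(2), as a tuple of parity bits."""
    return tuple(weight(v & h) & 1 for h in H)


def gf2_basis(vectors):
    """Greedy GF(2) basis of the span of the given integer-encoded vectors."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return basis


CODE = [v for v in range(1 << N) if not any(syndrome(v))]  # all codewords of C
BASIS = gf2_basis(CODE)                                    # l = len(BASIS)
W = [0]                                                    # subspace of dimension l - k
for b in BASIS[:len(BASIS) - K_BITS]:
    W += [w ^ b for w in W]

# One fixed representative E_S per syndrome (minimum weight, assumption of this sketch).
LEADER = {}
for v in sorted(range(1 << N), key=lambda u: (weight(u), u)):
    LEADER.setdefault(syndrome(v), v)


def coset_label(c):
    """Canonical representative of the coset c + W."""
    return min(c ^ w for w in W)


KEYS = sorted({coset_label(c) for c in CODE})  # the 2^k cosets forming the quotient


def key_index(c):
    """Index of the coset c + W; this index is the secret key."""
    return KEYS.index(coset_label(c))


def destination(y_hat):
    """Step 2 and step 4: public error sequence E_S and destination key L."""
    e_s = LEADER[syndrome(y_hat)]
    x0 = y_hat ^ e_s  # zero syndrome, so x0 is a codeword of C
    return e_s, key_index(x0)


def source(x, e_s):
    """Step 3 and step 4: nearest-codeword decoding of x + E_S, then key K."""
    noisy = x ^ e_s
    x_hat = min(CODE, key=lambda c: (weight(c ^ noisy), c))
    return key_index(x_hat)


def run_scheme(x, flips):
    """Step 1 with a given BSC flip pattern, then steps 2-4. Returns (K, L, E_S)."""
    y_hat = x ^ flips
    e_s, key_l = destination(y_hat)
    return source(x, e_s), key_l, e_s


if __name__ == "__main__":
    x = 0b101100111010  # constructed source sequence
    print(run_scheme(x, 0), run_scheme(x, 1 << (N - 1)))
```

Only E_S crosses the public channel; both ends reduce their codeword to its coset of W, so any two codewords that differ by an element of W give the same key.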


It is clear that this secret-sharing scheme is permissible. Indeed, under the notation of Section 2.2, for the proposed secret-sharing scheme, $t = n + 1$, $i_j = j$ for $j = 1, 2, \ldots, n$, $M_X = X^n$, $M_Y = (\mathcal{C}, \mathcal{W})$, and $\Psi_{n+1} = (E_S^n, \mathcal{C}, \mathcal{W})$ is the only message sent via the public channel. Hence, we can evaluate the secrecy performance of the scheme in the context of its achievable key rate defined in Section 2.2 as follows.

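First, based on the linearity of LDPC codes, the memoryless nature of the Gaussian wiretap channel, the chosen distribution of $X^n$, and the symbol-by-symbol hard decision performed to obtain $\hat{Y}^n$ at the destination, it is easy to check that $H(\hat{Y}^n) = n$, $H(E_S^n \mid \mathcal{C}, \mathcal{W}) = n - l$, $H(L \mid \mathcal{C}, \mathcal{W}) = k$, and $I(L; E_S^n \mid \mathcal{C}, \mathcal{W}) = 0$. Then, $0 \le I(L; E_S^n, \mathcal{C}, \mathcal{W}) = I(L; \mathcal{C}, \mathcal{W}) = H(L) - H(L \mid \mathcal{C}, \mathcal{W}) \le k - k = 0$. Hence, $I(L; E_S^n, \mathcal{C}, \mathcal{W}) = 0$, $I(L; \mathcal{C}, \mathcal{W}) = 0$, and $H(L) = k$. If the decoding process at the source achieves the ensemble average error probability $\epsilon_s$, then we have $\Pr\{K \ne L\} \le \epsilon_s$. Thus, $H(K|L) \le 1 + k\epsilon_s$ and $H(L|K) \le 1 + k\epsilon_s$ by Fano’s inequality [38]. That in turn implies

$$\frac{1}{n} I(K; E_S^n, \mathcal{C}, \mathcal{W}) = \frac{1}{n}\left[ I(L; E_S^n, \mathcal{C}, \mathcal{W}) + I(K; E_S^n, \mathcal{C}, \mathcal{W} \mid L) - I(L; E_S^n, \mathcal{C}, \mathcal{W} \mid K) \right] \le \frac{1}{n} I(K; E_S^n, \mathcal{C}, \mathcal{W} \mid L) \le \frac{1}{n} H(K|L) \le R_k \epsilon_s + \frac{1}{n}$$

and

$$\frac{1}{n} H(K) = \frac{1}{n}\left[ H(L) + H(K|L) - H(L|K) \right] \ge R_k - R_k \epsilon_s - \frac{1}{n}. \tag{3–6}$$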

Hence, Conditions 2 and 5 in Section 2.2 are satisfied when n is sufficiently large if ϵs

can be made arbitrarily small. Similarly,

$$\begin{aligned}
I(K; Z^n, E_S^n, C, W) &= I(L; Z^n, E_S^n, C, W) + I(K; Z^n, E_S^n, C, W | L) - I(L; Z^n, E_S^n, C, W | K) \\
&\le I(L; Z^n, E_S^n, C, W) + I(K; Z^n, E_S^n, C, W | L) \\
&\le I(L; Z^n, E_S^n, C, W) + H(K|L) \\
&\le I(L; Z^n, E_S^n, C, W) + k \epsilon_s + 1 \\
&= I(L; Z^n, E_S^n | C, W) + k \epsilon_s + 1,
\end{aligned} \tag{3–7}$$


where the last line is due to the fact that I (L; C,W) = 0. Here,

$$\begin{aligned}
I(L; Z^n, E_S^n | C, W) &= H(L | C, W) + H(E_S^n | Z^n, C, W) - H(L, E_S^n | Z^n, C, W) \\
&= H(L | C, W) + H(E_S^n | Z^n, C, W) + H(Y^n | Z^n, L, E_S^n, C, W) - H(L, E_S^n, Y^n | Z^n, C, W) \\
&\le H(L | C, W) + H(E_S^n | C, W) + H(Y^n | Z^n, L, E_S^n) - H(Y^n | Z^n, C, W) \\
&= H(L | C, W) + H(E_S^n | C, W) + H(Y^n | Z^n, L, E_S^n) - H(Y^n) + I(Y^n; Z^n),
\end{aligned} \tag{3–8}$$

where the last equality follows from the fact that (Y n,Z n) is independent of (C,W). Also

I (Y n;Z n) = nI (Y ;Z) = nCw(β) because of the memoryless nature of the channel

from Y n to Z n and the fact that Pr(Y = +1) = Pr(Y = −1) = 0.5 achieves the

capacity of this channel. Moreover, consider a fictitious receiver at the wiretapper trying

to decode for Y n from observing Z n, E nS , and X n0 (or L equivalently). Suppose that the

ensemble average error probability achieved by this receiver, employing ML decoding, is

ϵw . Then we have H(Y n|Z n,L,E nS ) ≤ 1 + (l − k)ϵw again by Fano’s inequality. Putting all

these and (3–8) back into (3–7), we obtain

$$\frac{1}{n} I(K; Z^n | E_S^n, C, W) \le \frac{1}{n} I(K; Z^n, E_S^n, C, W) \le C_w(\beta) - (R_c - R_k) + R_k \epsilon_s + (R_c - R_k)\epsilon_w + \frac{2}{n}. \tag{3–9}$$

The preceding secrecy analysis of the proposed secret-sharing scheme based on

the secret-sharing regular LDPC code ensembles allows us to arrive at the following

result:

Theorem 3.1. Fix β > 0. Suppose that Cw(β) ≤ Rc ≤ Cs(β). For any Rl ≥ 0, choose

Rk = min{Rc − Cw(β) + Rl , Rc}. Then (Rk ,Rl) is an achievable key-leakage rate

pair through the BPSK-constrained Gaussian wiretap channel with symbol-by-symbol

hard-decision destination quantization. Moreover, this rate pair can be achieved by the


aforementioned secret-sharing scheme using the secret-sharing (dv , dc)-regular LDPC

code ensemble described before when n increases.

Proof. First, suppose that Rc < Cs(β) and Rl > 0. Since Rc ≥ Cw(β), Rk > 0. Then

Rc − Rk = max{Cw(β) − Rl , 0} < Cw(β). Thus, by (3–9), if we can show that there is a

pair (dv , dc) such that Rc = 1 − dv/dc, and both ϵs and ϵw in the preceding discussion vanish

as n increases, then Condition 3 in Section 2.2 will be satisfied when n is sufficiently

large. From the preceding discussion, Conditions 1, 2, and 5 will also be satisfied.

Comparing (3–6) and Condition 4, we see then that (Rk ,Rl) will be an achievable

key-leakage pair. The existence of such a pair (dv , dc) results from the following lemma,

whose proof is an adaptation of the arguments in [39, Theorem 3] to the proposed

secret-sharing (dv , dc)-regular LDPC code ensemble. The details are presented in

Appendix B.

Lemma 1. Consider the ensemble average error probabilities ϵw and ϵs achieved by

the respective ML decoders at the source and wiretapper of the secret-sharing (dv , dc)-

regular LDPC code ensemble mentioned above. For any fixed β > 0, suppose that

Rc < Cs(β) and Rc − Rk < Cw(β). Then, there exists a choice of (dv , dc) such that

1. Rc = 1 − dv/dc,

2. ϵw decreases exponentially (polynomially) with increasing n for Rk > 0 (for Rk = 0), and

3. ϵs decreases polynomially with increasing n.

Finally, note that the previously imposed restrictions Rc < Cs(β) and Rl > 0 can be

removed since the key-leakage rate region is closed.

A comparison of Theorem 3.1 and (3–3) shows that the restriction to the

secret-sharing regular LDPC code ensemble described in this section does not reduce

the relaxed key capacity of the BPSK-constrained Gaussian wiretap channel with

destination hard-decision quantization.


As mentioned in Chapter 1, a similar LDPC-based key-agreement scheme

employing observations of correlated discrete stationary sources at the source,

destination, and wiretapper was studied in [16]. After Step 1) of our proposed

secret-sharing scheme, the observations X n, Y n, and Z n at the three terminals can be

viewed as generated from correlated sources, thus reducing our model to the one

considered in [16],² except that the wiretapper alphabet is continuous in our case. As

in our scheme, the scheme in [16] has the syndrome Sn−l of Y n sent to the source.

On the other hand, the key in [16] is obtained by calculating the syndrome of Y n with

respect to another independently selected LDPC code. The scheme in [16] is shown to

achieve key capacity via an approach similar to ours. First, the consideration of leakage

information is converted to that of the error probabilities achieved by decoders at the

source and wiretapper by an upper bound similar to (3–9) for a pair of fixed LDPC

codes (cf. Eqn. (3–10)). Then, the existence of a fixed code pair with vanishing error

probabilities is shown via an ML decoding error analysis of the code ensemble based

on the method of types [40]. Because of the continuous wiretapper alphabet, the ML

decoding error analysis in [16] does not directly apply to our case. Hence, we have

opted for the combined union and Shulman-Feder bounding technique in [39], which

does, however, require the BISO nature of the channel from the (quantized) destination

to the wiretapper. Obviously, Lemma 1 also implies the existence of a fixed (C,W)

from the secret-sharing regular LDPC ensemble with vanishing decoding errors in our

design, and hence the use of this fixed (C,W) is also sufficient to achieve the relaxed

key capacity in our case.

² Our destination and source correspond to the sender and receiver in [16], respectively. For convenience, we employ our terminology here when referring to the scheme in [16].


Expressed in our notation, elements in the LDPC code ensemble of [16] are also

of the form (C,W). For our ensemble, W is (conditionally) uniformly distributed over

the set of all subspaces of a given C. For the ensemble of [16], W is (conditionally)

uniformly distributed over the set of subspaces of C specified by the concatenation of

the parity matrices of C and another properly chosen regular LDPC code. While each

element in the ensemble of [16] is also an element of our ensemble, the two ensembles

are different since the respective (conditional) uniform distributions for W are defined

over two different sets of subspaces. In a sense, the ensemble of [16] is more restrictive

since W also needs to be an LDPC code. The discussion in this section shows that the

LDPC structure needs to be imposed only on C but not on W. This bears significance in

the design of practical codes because the design based on one LDPC structure derived

from our ensemble is much simpler, as will be illustrated in the following section.

3.3 Secret-Sharing Scheme Employing Fixed Practical LDPC Codes

In practice, it is not realistic to employ the secret-sharing regular LDPC code

ensemble and ML decoding at the source as suggested in Section 3.2, for even

moderate values of n. In this section, we investigate the secrecy performance of a

secret-sharing scheme similar to the one suggested in Section 3.2, but with fixed

choices of (C,W) from the secret-sharing regular LDPC code ensemble and more

practical BP decoding. In addition, from the proof of Lemma 1 in Appendix B, the values

of dv and dc need to be large in order for the ensemble average error probabilities ϵw

and ϵs to decrease with n, and hence to achieve the relaxed key capacity. As large

values of dv and dc increase the graph complexity of an LDPC code, and hence the

complexity of BP decoding, we have to limit ourselves to small values of dv and dc . To

alleviate the shortcoming of regular LDPC codes with small dv and dc , we also consider

the use of more-efficient irregular LDPC codes in the proposed secret-sharing scheme.

We consider the secret-sharing scheme described in Section 3.2, except that

the secret-sharing code (C,W) is fixed and is known to the source and destination


(and also the wiretapper) beforehand. Here, we consider the (fixed) code C chosen

from ensembles of regular and irregular LDPC codes. The details will be discussed

later. For convenience in the key generation step (and later in the search of good

irregular LDPC codes), the subspace W is chosen as follows. Referring back to Step

2) of the scheme, choose a lower triangular version³ of H, for example by performing

Gaussian elimination on the connection matrix of the bipartite graph of C as discussed

in [41]. Hence, H = [A, B], where B is an (n − l) × (n − l) lower triangular matrix.

Write Y^n = [d^l, e^(n−l)], where d^l and e^(n−l) are row vectors containing l and n − l elements,

respectively. Then the syndrome S^(n−l) = d^l A^T + e^(n−l) B^T, codeword X^n_0 = [d^l, d^l A^T (B^−1)^T]

and coset leader E^n_S = [0^T, S^(n−l) (B^−1)^T]. Note that d^l contains the systematic bits of the

codeword X^n_0 while d^l A^T (B^−1)^T contains the parity bits. The subspace W is chosen to

be the set of codewords obtained by setting the first k bits⁴ in the vector d^l above to

zero. The quotient space K is isomorphic to the set of codewords obtained by setting

the last l − k bits in the vector d^l to zero. Hence we can use the first k bits in d^l as the

key. Since (C,W) is known to the source beforehand, there is no need to feed it back to

the source via the public channel in Step 2) of the secret-sharing scheme. Step 3) of the

scheme is modified to replace ML decoding by the practical BP decoding.
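The construction above can be traced end to end on a toy code. The following Python sketch is an added example, not code from the dissertation: it assumes a constructed (7,4) Hamming code written as H = [A, B] with B lower triangular, k = 2 key bits, and brute-force minimum-distance decoding at the source in place of BP decoding; all function names are illustrative. It also enumerates every Y^n to show that each public syndrome is paired equally often with each key value when Y^n is uniform.

```python
from itertools import product

# Constructed toy code (assumption, not from the thesis): a (7,4) Hamming
# code with parity-check matrix H = [A, B], B lower triangular, unit diagonal.
A = [[1, 0, 1, 1],
     [0, 1, 0, 1],
     [0, 0, 1, 1]]
B = [[1, 0, 0],
     [1, 1, 0],
     [0, 1, 1]]
N, L_BITS, K_BITS = 7, 4, 2   # block length n, dimension l of C, key bits k


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def mat_vec(M, v):
    """Row vector v times M^T over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]


def times_B_inv_T(u):
    """u (B^-1)^T, computed by forward substitution on the triangular B."""
    p = []
    for i, row in enumerate(B):
        acc = u[i]
        for j in range(i):
            acc ^= row[j] & p[j]
        p.append(acc)
    return p


def syndrome(y):
    """S = d A^T + e B^T for y = [d, e]."""
    return xor(mat_vec(A, y[:L_BITS]), mat_vec(B, y[L_BITS:]))


def encode(d):
    """Systematic codeword X_0 = [d, d A^T (B^-1)^T]."""
    return list(d) + times_B_inv_T(mat_vec(A, d))


def destination(y):
    """Return the public coset leader E_S = [0, S (B^-1)^T] and the key L."""
    e_s = [0] * L_BITS + times_B_inv_T(syndrome(y))
    return e_s, y[:K_BITS]


def source(x, e_s):
    """Decode x + E_S to the nearest codeword and read off the key K."""
    r = xor(x, e_s)
    best = min((encode(d) for d in product((0, 1), repeat=L_BITS)),
               key=lambda c: sum(xor(c, r)))
    return best[:K_BITS]


def key_syndrome_counts():
    """Count (syndrome, key) pairs over all 2^n equally likely Y^n."""
    counts = {}
    for y in product((0, 1), repeat=N):
        pair = (tuple(syndrome(list(y))), y[:K_BITS])
        counts[pair] = counts.get(pair, 0) + 1
    return counts


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 1, 0]          # constructed source sequence
    y = [1, 0, 1, 1, 0, 0, 0]          # destination sees one bit flipped
    e_s, key_l = destination(y)
    print("public E_S:", e_s)
    print("destination key L:", key_l, "source key K:", source(x, e_s))
    print("distinct (S, key) counts:", set(key_syndrome_counts().values()))
```

The systematic part of E_S is always zero, so the public message carries only the syndrome; the key bits sit in the part of d^l that the syndrome does not determine.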

First, it is unlikely that the above fixed choice of W results in an LDPC code. Hence,

the fixed coding scheme suggested here is different from that of [16]. Second, the

secrecy analysis of Section 3.2 can be easily modified to reflect the use of the fixed

secret-sharing code (C,W) mentioned above. In particular, the upper bound on the

³ We can, without loss of generality, assume H to be of full rank as discussed before. Alternatively, an approximate lower triangular version of H as described in [41] can also be used if efficient encoding is needed.

⁴ It is easy to see that the secrecy performance is the same for any choice of k bits in d^l for the BP decoders described below.


leakage rate in (3–9) becomes

$$\frac{1}{n} I(K; Z^n | E_S^n) \le C_w(\beta) - (R_c - R_k) + R_k \epsilon_s + (R_c - R_k)\epsilon_w + \frac{2}{n}, \tag{3–10}$$

where ϵs and ϵw are now the error probabilities achieved by the BP decoders at the

source and wiretapper, respectively. Since the bound above is derived from Fano’s

inequality, it applies for any decoder (ML, BP, etc.), and the value of the bound depends

on the choices of decoders only through ϵs and ϵw . Below, we perform computer

simulation to estimate ϵs and ϵw and then employ (3–10) to bound the leakage rates

achieved by (C,W) constructed from different choices of finite block length LDPC codes

as described above. More specifically, suppose that the key rate of a secret-sharing

LDPC code (C,W) is Rk and ϵs obtained from simulation is small. By setting Rl to be

the value of the bound (3–10) obtained as described, then (Rk ,Rl) will be considered a

key-leakage rate pair achievable by (C,W).

3.3.1 Secret-Sharing Regular LDPC Codes

We start by evaluating the secrecy performance of using regular LDPC codes with

small dv and dc in the secret-sharing scheme described above. First, we pick C from

the rate-0.25 (3, 4)-regular LDPC code ensemble by realizing the random bipartite

graph experiment described in [29] and then remove all length-4 loops in the realization.

The block length n of the LDPC code is set to 10^5. As mentioned above, we need to

estimate the values of ϵs and ϵw from computer simulation. To get ϵs , BP decoding is

implemented at the source. Similarly, a BP decoder is implemented for the fictitious

receiver at the wiretapper to obtain ϵw . In order to provide information about L to the

latter decoder, the intrinsic log-likelihood ratios (LLRs) of the first k elements in d l , which

are associated with L, are explicitly set to ±∞ according to the true bit values. While

this method may not be the optimal way to feed information of L to the BP decoder, we

choose to employ it because of its simplicity and the fact that this method also allows


[Figure 3-2 plot: horizontal axis Rl (bpcu), vertical axis Rk or Cbq (bpcu). Curves: proposed scheme with rate-0.25 (3,4)-regular LDPC code; Cbq at P/σ² = −0.15 dB, α² = 0 dB; proposed scheme with rate-0.4 (3,5)-regular LDPC code; Cbq at P/σ² = 2 dB, α² = 0 dB; scheme of [16] with (3,5)/(1,3)-regular LDPC code.]

Figure 3-2. Plot of the (Rk ,Rl)-trajectories achieved by the proposed secret-sharing scheme employing secret-sharing regular LDPC codes (C,W).

simple density evolution analysis, which will be used to search for good irregular LDPC

codes in Section 3.3.2 below.

Figure 3-2 shows the trajectory of (Rk ,Rl) achievable by the rate-0.25 secret-sharing

(3, 4)-regular LDPC code (C,W) when the maximum allowable SNR P/σ² is limited to

−0.15 dB and α² = 0 dB. Different values of Rk on the trajectory shown are obtained

by varying the value of k (i.e., the dimension of W also changes). When obtaining each

shown pair (Rk ,Rl), we choose β², up to P/σ², such that ϵs ≤ 0.01, ϵw ≤ 0.01 and the

bound in (3–10) is minimized. For any so-obtained pair (Rk ,Rl) located to the right of the

45° line in Figure 3-2, the bound (3–10) becomes too loose, and the pair is not plotted.

From Figure 3-2, we observe that the pair (Rk ,Rl) = (0.2, 0.139) gives the smallest


(bound on) leakage rate that is achievable by the rate-0.25 secret-sharing (3, 4)-regular

LDPC code in the proposed scheme.

Next, we try to compare the secrecy performance of our secret-sharing scheme

to that of [16]. As discussed near the end of Section 3.2, the scheme of [16] requires

a pair of independently chosen regular LDPC codes. Since no practical code designs

or examples are provided in [16], we choose an LDPC code pair for the scheme of [16]

that is similar to the choice of our secret-sharing code above for comparison. For the

scheme of [16], the first LDPC code is set to be C above (i.e., the rate-0.25 (3, 4)-regular

LDPC code). The other code C ′ (from which the secret key is generated) is chosen

independently from another regular LDPC code ensemble such that the result achieves

a desired key rate Rk (cf. [7]). Note that only a few values of Rk are possible if dv and dc

are restricted to have small values. Again, as discussed near the end of Section 3.2, the

pair (C, C ′) can be expressed in our (C,W) notation. As such, the LDPC subcode W is

obtained from concatenating parity-check matrices of C and C ′. Note that W is in general

an irregular LDPC code. To clearly distinguish between our scheme and the one of [16]

in the discussion below, we will employ the notation (C, C ′) when referring to the latter.

The bound (3–10) is employed to determine the rate pairs (Rk ,Rl) that can be achieved

by (C, C ′), as described previously.

Under the parameter setting above (P/σ² = −0.15 dB, α² = 0 dB, and n = 10^5),

we are not able to find a choice of C ′ (with small dv and dc ) that satisfies the requirement

ϵw ≤ 0.01. In order to illustrate the comparison between the two schemes, we increase

the value of P/σ² to 2.0 dB. For this case, we pick C to be a rate-0.4 (3, 5)-regular LDPC

code. The (Rk ,Rl)-trajectory achieved by our secret-sharing scheme with (C,W) is

overlaid in Figure 3-2. We see that the lowest leakage rate achieved by this choice

of (C,W) is at the pair (Rk ,Rl) = (0.22, 0.173). For the scheme of [16], picking C ′ to

be a (1, 3)-regular LDPC code, the pair (C, C ′) achieves the key-leakage rate pair


(Rk ,Rl) = (0.333, 0.286) as shown by the square symbol in Figure 3-2. This value of Rl

is the lowest that we can obtain from picking many different C ′ with small dv and dc .

Summarizing the above results, our secret-sharing scheme outperforms the scheme

of [16] when the respective code employed in each scheme is restricted among the

choices of regular LDPC codes with small node degrees and finite block lengths.

However, we can observe that there is a significant gap between the (Rk ,Rl) pairs

achieved by the proposed scheme and the maximally achievable (Cbq,Rl) key-leakage

pair boundary. This illustrates that regular LDPC codes with small dv and dc and finite

block length do not provide good secret-sharing performance.

3.3.2 Secret-Sharing Irregular LDPC Codes

To improve secret-sharing performance, we search for “good” irregular LDPC

codes to be used as C in the proposed scheme. The structure of a secret-sharing code

(C,W) described in the beginning of this section facilitates the code search process

because only the LDPC structure of C needs to be optimized. Such optimization can

be performed by employing the density-evolution based linear programming technique

suggested in [31]. The search objective is to find an irregular LDPC secret-sharing

code (C,W) with maximum Rc , given a fixed Rk , such that both the decoding error

probabilities ϵs and ϵw in (3–10) are vanishing as the BP decoders iterate. By (3–10), this

results in minimization of the bound on Rl for the fixed Rk .

Recall from Section 2.3 that the variable- and check-node degree distribution

polynomials of an irregular LDPC code ensemble are, respectively, $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$

and $\rho(x) = \sum_{i=2}^{d_c} \rho_i x^{i-1}$. We are to design an irregular LDPC code C and its subcode

W that work well for the channel from the (quantized) destination to source and the

channel from the (quantized) destination to wiretapper, corresponding to the error

probabilities ϵs and ϵw , respectively. Fix ρ(x), and let es(ℓ) and ew(ℓ) denote the bit error

probabilities obtained by the BP decoders at the source and wiretapper, respectively,

at the ℓth density evolution iteration [29, 31] when an initial $\lambda(x) = \sum_{i=2}^{d_v} \lambda_i x^{i-1}$ is


used. Now, let Aℓ,j denote the bit error probability obtained at the source by running

the density evolution for ℓ iterations, in which λ(x) is used as the variable-node degree

distribution for the first ℓ − 1 iterations and the variable-node degree distribution with

a singleton of unit mass at degree j is used for the final iteration. Let Bℓ,j denote the

similar quantity for bit error probability obtained at the wiretapper. Then, we have

$e_s(\ell) = \sum_{j=2}^{d_v} A_{\ell,j} \lambda_j$ and $e_w(\ell) = \sum_{j=2}^{d_v} B_{\ell,j} \lambda_j$. Note that the values of Aℓ,j and Bℓ,j are

obtained via (discretized) density evolution, which is discussed in detail in [31, Chapter

5]. To account for the availability of perfect information of the k bits corresponding to the

key at the wiretapper’s BP decoder, the intrinsic LLR distribution entered into the density

evolution analysis for the wiretapper’s decoder is set to be a mixture of the distribution

of the channel outputs at the wiretapper (with the quantized destination symbols as the

channel input) and an impulse at +∞. The weights of the two components in the mixture

are determined by the value of Rk .

Let ϵ > 0 be a small prescribed error tolerance. Suppose that λ(x) satisfies the

property that es(Ms) ≤ ϵ and ew(Mw) ≤ ϵ, for some integers Ms and Mw . Then, we can

frame the Rc -maximizing code design problem as the following linear program:

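$$\begin{aligned}
\max_{\lambda(x)} \quad & \sum_{j=2}^{d_v} \frac{\lambda_j}{j} \\
\text{subject to} \quad & \sum_{j=2}^{d_v} \lambda_j = 1, \quad \lambda_i \ge 0 \ \text{ for } 2 \le i \le d_v, \\
& \left| \sum_{j=2}^{d_v} A_{\ell,j} \lambda_j - e_s(\ell) \right| \le \max[0, \delta(e_s(\ell-1) - e_s(\ell))], \ \text{ and } \ \sum_{j=2}^{d_v} A_{\ell,j} \lambda_j \le e_s(\ell-1), \quad \text{for } 1 \le \ell \le M_s, \\
& \left| \sum_{j=2}^{d_v} B_{\ell,j} \lambda_j - e_w(\ell) \right| \le \max[0, \delta(e_w(\ell-1) - e_w(\ell))], \ \text{ and } \ \sum_{j=2}^{d_v} B_{\ell,j} \lambda_j \le e_w(\ell-1), \quad \text{for } 1 \le \ell \le M_w,
\end{aligned}$$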


where dv here is the maximum allowable degree of λ(x) and δ is a small positive

number. The solution λ(x) of the above linear program is then employed as the initial

λ(x) for the next search round. The search process continues this way until es(Ms) or

ew(Mw) becomes larger than ϵ, or until λ(x) converges. We can also fix λ(x) and obtain

a similar linear programming problem for ρ(x). The iterative search can then alternate

between the linear programs for λ(x) and ρ(x), respectively.

The secret-sharing irregular LDPC codes presented below are obtained from the

code search procedure described above starting with BSC-optimized LDPC codes,

which are available from Urbanke’s website [42]. Figure 3-3 shows the (Rk ,Rl)-trajectory

achieved by a rate-0.25 secret-sharing irregular LDPC code obtained by performing the

above search with Rk set to 0.155 for the BPSK-constrained Gaussian wiretap channel

when P/σ² = −1.5 dB and α² = 0 dB. The degree distribution pair of this secret-sharing

irregular LDPC code is shown in Table 3-1. We obtain an instance of the irregular

code by randomly generating a bipartite graph which satisfies the two given degree

distribution constraints. Similar to the case of regular codes, the block length n = 10^5,

and all length-4 loops are removed. Each shown (Rk ,Rl) pair is obtained in the same

manner as described in Section 3.3.1 by using (3–10). From Figure 3-3, we observe

that the pair (Rk ,Rl) = (0.155, 0.025) gives the lowest leakage rate achievable by this

secret-sharing irregular LDPC code. For comparison, we also plot in Figure 3-3 the

(Rk ,Rl)-trajectory achieved by the proposed secret-sharing scheme using a rate-0.25

BSC-optimized irregular LDPC code in place of the secret-sharing irregular LDPC code

obtained from the code search described above. Note that since the channel from the

(quantized) destination to the source is a BSC, the use of the BSC-optimized LDPC

code is essentially the same as the reconciliation method proposed in [19]. For the

BSC-optimized code, the pair (Rk ,Rl) = (0.2, 0.071) gives the lowest achievable leakage

rate.


[Figure 3-3 plot: horizontal axis Rl (bpcu), vertical axis Rk or Cbq (bpcu). Curves: proposed scheme with rate-0.25 irregular LDPC code; BSC-optimized rate-0.25 irregular LDPC code; Cbq at P/σ² = −1.5 dB, α² = 0 dB.]

Figure 3-3. Plot of the (Rk ,Rl)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.25 secret-sharing irregular LDPC code.

Similarly, Figure 3-4 shows the secrecy performance of the proposed scheme when

P/σ² = −4.9 dB and α² = 5 dB. A rate-0.12 secret-sharing irregular LDPC code is

obtained by fixing Rk to 0.06 in the code search. The degree distribution pair of this

secret-sharing irregular LDPC code is also shown in Table 3-1. We observe that the

lowest leakage rate achieved by this code is given by the pair (Rk ,Rl) = (0.062, 0.019).

Again, for comparison, the (Rk ,Rl)-trajectory achieved by replacing the secret-sharing

irregular LDPC code obtained from the code search with a rate-0.12 BSC-optimized

irregular LDPC code is also shown in Figure 3-4. For the BSC-optimized irregular LDPC

code, the pair (Rk ,Rl) = (0.095, 0.052) gives the lowest achievable leakage rate.

In conclusion, the secret-sharing irregular LDPC codes obtained from the proposed

code search procedure significantly outperform, in terms of secrecy performance,


Table 3-1. Degree distribution pairs of the rate-0.25 and rate-0.12 secret-sharing irregular LDPC codes.

        rate-0.25   rate-0.12
λ2      0.2807      0.3651
λ3      0.1490      0.1610
λ4      0.0725      -
λ5      -           0.1081
λ6      -           0.0540
λ7      0.0599      -
λ8      0.1343      -
λ11     -           0.1123
λ12     -           0.0057
λ21     0.0697      -
λ22     0.0872      -
λ28     -           0.0650
λ29     -           0.0403
λ70     0.0006      -
λ71     0.0264      -
λ72     0.1197      -
λ87     -           0.0806
λ88     -           0.0079
ρ4      -           0.9705
ρ5      0.4637      0.0295
ρ6      0.5363      -

secret-sharing regular LDPC codes with small node degrees as well as irregular LDPC

codes that are optimized just for information reconciliation.

3.4 Summary

In this chapter, we developed schemes based on LDPC codes to allow a source and

a destination to share secret information over a BPSK-constrained Gaussian wiretap

channel. In the proposed secret-sharing schemes, the source first sends a random

BPSK symbol sequence to the destination through the Gaussian wiretap channel. Then,

the destination generates a syndrome of its quantized received sequence using an

LDPC code and sends this syndrome back to the source via the public channel. Finally,

the source performs decoding to recover the quantized destination sequence based on


[Figure 3-4 plot: horizontal axis Rl (bpcu), vertical axis Rk or Cbq (bpcu). Curves: proposed scheme with rate-0.12 irregular LDPC code; BSC-optimized rate-0.12 irregular LDPC code; Cbq at P/σ² = −4.9 dB, α² = 5 dB.]

Figure 3-4. Plot of the (Rk ,Rl)-trajectory achieved by the proposed secret-sharing scheme employing the rate-0.12 secret-sharing irregular LDPC code.

its transmitted sequence, as well as the syndrome that it receives from the destination.

The secret key is obtained as the index of a coset in a quotient space of the LDPC code.

To evaluate the performance of the proposed secret-sharing scheme, we employed

an upper bound on the leakage information rate that depends on the decoding error

probabilities of the decoder at the source and of a fictitious decoder at the wiretapper,

which observes the wiretapper received sequence, the syndrome in the public channel,

as well as the secret key. The design was then converted to making these error

probabilities small. For a suitably chosen ensemble of regular LDPC codes, we

showed that these error probabilities can indeed be made vanishing, as the block

length increases, by ML decoding. As a result, this established that the key capacity


of the BPSK-constrained Gaussian wiretap channel can be achieved by employing the

secret-sharing regular LDPC code ensemble in the proposed scheme.

Considering the practical constraints of finite block length and using BP decoding

instead of ML decoding, we employed a density-evolution based linear program to

search for good irregular LDPC codes that can be used in the secret-sharing scheme.

Simulation results showed that the secret-sharing irregular LDPC codes obtained from

our search can get relatively close to the relaxed key capacity of the BPSK-constrained

Gaussian wiretap channel, significantly outperforming regular LDPC codes as well as

irregular LDPC codes that are optimized just for information reconciliation.


CHAPTER 4

AN LDPC-BASED SECRET-SHARING SCHEME OVER GAUSSIAN WIRETAP CHANNEL WITH PAM SYMBOLS

To achieve a higher key rate, high-order modulation could be employed at the source.

In this chapter, we extend the secret-sharing scheme proposed in Chapter 3 to the

case when the source is allowed to transmit equiprobable M-ary PAM symbols. First,

multilevel coding (MLC) and multistage decoding (MSD) are employed to transform the

M-ary transmission into M binary-input channels. Second, the modified secret-sharing

scheme for PAM source symbols employing irregular LDPC codes is presented, and it is

shown that the key-agreement problem can be translated into the problem of designing

M irregular LDPC codes such that each of them works well for the corresponding

binary-input wiretap channels. Moreover, puncturing is applied to the secret-sharing

scheme to improve its secrecy performance.

4.1 Gaussian wiretap channel with PAM symbols

The model considered in this chapter is the same as described in Section 3.1

except that the source is allowed to send equiprobable M-ary PAM symbols, i.e.,

Xi ∈ S = {s1, s2, · · · , sM}, where $s_m = \frac{2m-1-M}{\sqrt{A}}$ and $A = \sum_{m=1}^{M} \frac{(2m-1-M)^2}{M}$. The reason

to consider only equiprobable signalling will be justified later in this section. Moreover,

Gray mapping is employed in the source to map a binary vector b to a signal point in

S.¹ Figure 4-1 shows examples of Gray-mapped 4- and 8-PAM constellations.

¹ To simplify notation, we use X_i^j to denote the corresponding j th element of the Gray-mapped vector of Xi .


Figure 4-1. Examples of M-ary Gray-mapped PAM constellation. (A) Gray-mapped 4-PAM constellation. (B) Gray-mapped 8-PAM constellation.

Specializing Theorem 2.1 to the Gaussian wiretap channel with equiprobable PAM

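source symbols, the corresponding Rl -relaxed (symmetric) key rate² Rp(Rl) is given by

$$R_p(R_l) = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \frac{1}{M} \left[ \min\left\{ -\int_{-\infty}^{\infty}\int_{-\infty}^{\infty} \log_2\left( \frac{\sum_{m=1}^{M} f_m(z) q_m(y)}{\sum_{m=1}^{M} f_m(z)} \right) \left( \sum_{m=1}^{M} f_m(z) q_m(y) \right) dy\, dz + M R_l,\ -\int_{-\infty}^{\infty} \log_2\left( \sum_{m=1}^{M} \frac{q_m(y)}{M} \right) \left( \sum_{m=1}^{M} q_m(y) \right) dy \right\} + \int_{-\infty}^{\infty} \sum_{m=1}^{M} \log_2(q_m(y))\, q_m(y)\, dy \right], \tag{4–1}$$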

² The term “symmetric key rate” is used to reflect the assumption of equiprobable PAM signalling.


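where

$$q_m(y) = \frac{1}{\sqrt{2\pi}} \exp\left[ -\frac{(y - \beta s_m)^2}{2} \right] \quad \text{and} \quad f_m(z) = \frac{1}{\sqrt{2\pi}} \exp\left[ -\frac{(z - \alpha\beta s_m)^2}{2} \right]$$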

denote the conditional densities p(y |X = sm) and p(z |X = sm) for m ∈ {1, 2, · · · ,M}

that specify the destination and wiretapper channels, respectively. As mentioned in

Section 3.1, the received symbols need to be quantized such that the resulting

quantized sequences are uniformly distributed. To achieve this, we adopt

symbol-by-symbol, multilevel quantization at the destination in which the i th quantized destination

symbol Yi = Q(Yi), where Q is a quantizer which generates output from the set S³

and is described by the set of decision levels T = {T1,T2, · · · ,TM+1}. More specifically,

the index of the output at the quantizer Q is m if its input U lies inside the partition cell

Jm : {Tm < U ≤ Tm+1} for m ∈ {1, 2, · · · ,M}. The set T is chosen such that the

outputs from the quantizer Q are equiprobable and can be obtained using the following

procedure:

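1. Set $T_1 = -\infty$.

2. For $n = \{1, 2, \cdots, \frac{M}{2}-1\}$, find $T_{n+1}$ such that $\sum_{m=1}^{M}\left[Q(T_n - \beta s_m) - Q(T_{n+1} - \beta s_m)\right] = 1$.

3. Set $T_{\frac{M}{2}+1} = 0$ and $T_{M+1-m} = -T_{m+1}$ for $m = \{0, 1, \cdots, \frac{M}{2}-1\}$.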
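The three-step procedure above can be carried out numerically by bisection. The following Python code is an added example, not code from the dissertation: it computes the decision levels for a given M and β, forms the transition probabilities Q(T_n − βs_m) − Q(T_{n+1} − βs_m), and evaluates the mutual information between the PAM symbol and the quantizer output from its standard definition. The function names, the bisection search and the sample gain β (set from P/σ² = 5 dB) are assumptions of this example.

```python
import math

def q_func(x):
    """Gaussian tail probability Q(x) = Pr{N(0,1) > x}."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))

def pam_points(M):
    """Unit-energy M-PAM points s_m = (2m-1-M)/sqrt(A), m = 1..M."""
    A = sum((2 * m - 1 - M) ** 2 for m in range(1, M + 1)) / M
    return [(2 * m - 1 - M) / math.sqrt(A) for m in range(1, M + 1)]

def cell_mass(lo, hi, beta, points):
    """sum_m [Q(lo - beta*s_m) - Q(hi - beta*s_m)] = M * Pr{lo < Y <= hi}."""
    return sum(q_func(lo - beta * s) - q_func(hi - beta * s) for s in points)

def decision_levels(M, beta):
    """Return [T_1, ..., T_{M+1}] (0-indexed list) giving equiprobable outputs."""
    points = pam_points(M)
    lower = [-math.inf]                          # step 1: T_1 = -infinity
    for _n in range(1, M // 2):                  # step 2: n = 1 .. M/2 - 1
        t_n = lower[-1]
        # Finite search bracket: the cell mass is < 1 at lo and >= 2 at hi = 0.
        lo = t_n if math.isfinite(t_n) else -(beta * abs(points[0]) + 40.0)
        hi = 0.0
        for _ in range(200):                     # bisection on T_{n+1}
            mid = 0.5 * (lo + hi)
            if cell_mass(t_n, mid, beta, points) < 1.0:
                lo = mid
            else:
                hi = mid
        lower.append(0.5 * (lo + hi))
    # step 3: T_{M/2+1} = 0 and T_{M+1-m} = -T_{m+1}
    return lower + [0.0] + [-t for t in reversed(lower)]

def transition_matrix(M, beta):
    """q[n][m] = Q(T_n - beta*s_m) - Q(T_{n+1} - beta*s_m)."""
    T, points = decision_levels(M, beta), pam_points(M)
    return [[q_func(T[n] - beta * s) - q_func(T[n + 1] - beta * s) for s in points]
            for n in range(M)]

def output_probabilities(q):
    """Probability of each quantizer output for equiprobable inputs."""
    M = len(q)
    return [sum(row) / M for row in q]

def mutual_information(q):
    """I(X; Q(Y)) = H(Q(Y)) - H(Q(Y)|X) in bits, equiprobable inputs."""
    M = len(q)
    h_out = -sum(p * math.log2(p) for p in output_probabilities(q) if p > 0)
    h_cond = -sum(v * math.log2(v) for row in q for v in row if v > 0) / M
    return h_out - h_cond

# Sample gain (assumption of this example): beta = sqrt(P/sigma^2) at 5 dB.
BETA_5DB = math.sqrt(10 ** (5 / 10))

if __name__ == "__main__":
    for M in (2, 4, 8):
        q = transition_matrix(M, BETA_5DB)
        print(M, decision_levels(M, BETA_5DB), output_probabilities(q),
              mutual_information(q))
```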

Note that when M = 2, the quantizer Q degenerates to the signum function. Similar

to Section 3.1, employing the quantizer Q results in a loss in the (symmetric) key rate.

The loss can again be quantified by applying Theorem 2.1 to the Gaussian wiretap

channel with PAM source symbols and multilevel quantization at the destination. The

3 Throughout this chapter, we may use the value sm, the index m or the corresponding Gray-mapped binary vector b to represent any signal point in S.


corresponding (symmetric) key rate $R_{pq}(R_l)$ is then given by

$$
R_{pq}(R_l) = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \Big[\min\{C_s(\beta) - C_w(\beta) + R_l,\; C_s(\beta)\}\Big] \tag{4–2}
$$

where

$$
C_s(\beta) = M + \frac{1}{M}\sum_{n=1}^{M}\sum_{m=1}^{M} \log_2(q_{n,m})\, q_{n,m}, \quad \text{and}
$$

$$
C_w(\beta) = C_s(\beta) - M - \frac{1}{M}\int_{-\infty}^{\infty} \sum_{n=1}^{M}\left(\sum_{m=1}^{M} f_m(z)\, q_{n,m}\right) \log_2\left(\frac{\sum_{m=1}^{M} f_m(z)\, q_{n,m}}{\sum_{m=1}^{M} f_m(z)}\right) dz
$$

are, respectively, the (symmetric) capacities of the quantized-source-to-destination and the quantized-source-to-wiretapper channels at the normalized gain β and $q_{n,m} = Q(T_n - \beta s_m) - Q(T_{n+1} - \beta s_m)$ is the transition probability from $s_m$ to $s_n$ of the quantized-source-to-destination channel. We note that when M = 2, which corresponds to BPSK signalling, Eqn. (4–1) and (4–2) degenerate to (3–2) and (3–3), respectively (cf. Section 3.1).

To visualize the loss in key rate, Figure 4-3 shows the plot of $R_p(R_l)$ and $R_{pq}(R_l)$ versus the maximum allowable SNR $P/\sigma^2$ for different values of M and $\alpha^2$. We can see that the loss in (symmetric) key rate due to the quantizer Q is no more than 0.07 bpcu for the cases shown. Moreover, let $C_{pk}(R_l)$ be the $R_l$-relaxed key capacity of the Gaussian wiretap channel with PAM symbols and multilevel quantization. It is not hard to see that $C_{pk}(R_l)$ is generally achieved when the input symbols are not equally likely because of the non-symmetric properties of I(X;Y) and I(Y;Z) involved in the capacity calculation. Hence, the restriction of equiprobable PAM signalling results in an additional loss in key rate, i.e., $R_{pq}(R_l) \le C_{pk}(R_l)$. Fortunately, the difference between $C_{pk}(R_l)$ and $R_{pq}(R_l)$ is usually negligible. For example, as shown in Figure 4-4, the difference is less than 0.003 bpcu for the two cases shown when M = 4. Finally, we compare the (symmetric) key rate $R_{pq}$ to the (unconstrained) relaxed key capacity $C_k$ in Figure 4-2 for different values of M when $R_l = 0$ and $\alpha^2 = 0$ dB. Using Theorem 2.1, it is not hard to see that the


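(unconstrained) $R_l$-relaxed key capacity of the Gaussian wiretap channel is achieved when X is Gaussian distributed and is given by

$$
C_k(R_l) = \min\left[\frac{1}{2}\log_2\left(1 + \frac{P/\sigma^2}{1 + \alpha^2 P/\sigma^2}\right) + R_l,\; \frac{1}{2}\log_2\left(1 + \frac{P}{\sigma^2}\right)\right].
$$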

From Figure 4-2, we can see that the (symmetric) key rate Rpq gets closer to the

(unconstrained) relaxed key capacity Ck when M becomes bigger.

[Figure 4-2 plot: Ck or Rpq (bpcu) versus P/σ² (dB); curves for Ck and for Rpq with M = 4, 8, 16, 32 and 128.]

Figure 4-2. Comparison between the Rl-relaxed (symmetric) key rate Rpq and the relaxed key capacity Ck of the Gaussian wiretap channel when α² = 0 dB and Rl = 0.

4.2 LDPC-based Key-Agreement Scheme

In this section, we modify our proposed key-agreement scheme for the Gaussian

wiretap channel to the case when the source can transmit M-ary PAM symbols. The

modified key-agreement scheme employs (punctured) irregular LDPC codes, and its


[Figure 4-3 plot: Cp or Cpq (bpcu) versus P/σ² (dB) at Rl = 0; curves for Cpq and Cp with α² = 0 dB and 5 dB at M = 4, and with α² = 0 dB and 3 dB at M = 8.]

Figure 4-3. Comparison between the Rl-relaxed (symmetric) key rate Rp and Rpq of the Gaussian wiretap channel when Rl = 0.

secrecy performance will still be evaluated by measuring the rate of information about

the secret key leaked to the wiretapper.

The modified key-agreement scheme employs the (n, l, k) secret-sharing binary linear block code (C, W) described in Section 3.2. However, the pair (C, W) is chosen in a slightly different way. This change is inspired by the observation that the key-agreement scheme proposed in Chapter 3 allows the wiretapper to have “direct” channel observations of the secret key used by the destination. We note that such a “direct transmission” is undesirable [20] and has a negative effect on the key-agreement scheme in terms of secrecy performance. Hence, we modify the proposed key-agreement scheme to use puncturing to avoid any “direct transmission”. More specifically, we first choose an (m, l) linear block code C′ from an ensemble of irregular LDPC codes, where m = n + k.


[Figure 4-4 plot: Cpk or Cpq (bpcu) versus P/σ² (dB) at Rl = 0, M = 4; curves for Cpk and Cpq with α² = 5 dB and with α² = 0 dB.]

Figure 4-4. Comparison between the Rl-relaxed key capacity Cpk and Rl-relaxed (symmetric) key rate Rpq of the Gaussian wiretap channel when Rl = 0.

Similar to Section 3.2, let H be the parity-check matrix associated with C′ and assume H = [A, B] where B is an (m − l)×(m − l) lower triangular matrix. Let $u^m = [c^k, d^n]$ denote a generic codeword of C′ where $c^k$ and $d^n$ are row vectors containing k and n bits, respectively. Then, the (n, l) linear block code C is chosen to be the set of codewords obtained by removing $c^k$ from $u^m$. That is, C is a punctured version of C′. The subspace W is chosen to be the subset of punctured codewords obtained by setting $c^k$ to zero. The bit vector $c^k$ serves as a component of the secret key in the key-agreement scheme described below:

1. Random source transmission and destination quantization: The source first randomly generates a sequence $X^n$ of n i.i.d. equally likely M-ary PAM symbols and sends them consecutively through the Gaussian wiretap channel. The destination then obtains the quantized sequence $Y^n$ by performing symbol-by-symbol, multilevel quantization using the quantizer Q on the received sequence $Y^n$. We note that the wiretapper observes $Z^n$.

2. Syndrome generation through LDPC encoding at destination: For $j = \{1, 2, \cdots, M\}$, the destination first randomly chooses a $k_j$-bit sequence $L_j^{k_j}$ with i.i.d. equally likely bits. Note that all M sequences are chosen independently. It then generates the syndrome sequence $S_j^{m_j-l_j} = [L_j^{k_j}, Y_j^n] H_j^T$, where $H_j$ is the corresponding parity-check matrix of an LDPC code $C'_j$. Again, we note that each $S_j^{m_j-l_j}$ uniquely corresponds to a coset $E_j^{m_j} + C'_j$, where $E_j^{m_j} = [0^{l_j}, S_j^{m_j-l_j}(B_j^{-1})^T]$ is the coset leader. Finally, the destination sends $\{E_j^{m_j}\}_{j=1}^{M}$⁴ back to the source via the public channel. We note that the above description corresponds to the well-known coded modulation scheme, namely multilevel coding, which is proposed to achieve both power and bandwidth efficiency for communications over a Gaussian channel [43, 44].

3. Decoding at source: Multistage belief propagation (BP) decoding is performed at the source. More specifically, for $j = \{1, 2, \cdots, M\}$, the source tries to decode for the codeword $U_j^{m_j} = [L_j^{k_j}, Y_j^n] + E_j^{m_j}$ $(\in C'_j)$ from observing $X_j^n$, $E_j^{m_j}$ and $\{U_i^{m_i}\}_{i=1}^{j-1}$, where $U_i^{m_i}$ denote the decoded codeword for $U_i^{m_i}$.

4. Key generation at source and destination: The destination uses $[L_1^{k_1}, L_2^{k_2}, \cdots, L_M^{k_M}]$ as its key. The source sets its key to be $[K_1^{k_1}, K_2^{k_2}, \cdots, K_M^{k_M}]$, where $K_j^{k_j}$ contains the respective first $k_j$ bits of $U_j^{m_j}$ for $j = 1, 2, \cdots, M$.
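A toy instance of steps 2 to 4 for a single binary level, as an added example that is not code from the dissertation: the destination forms the coset leader from [L, Y], the source recovers the key from its own bits and the public leader, and an exhaustive count checks that the leader is statistically independent of L. The 10-bit code with H = [A, B], the sample bit vectors and the brute-force minimum-distance decoder (used here in place of BP decoding) are assumptions of this example.

```python
from collections import Counter
from itertools import product

K_BITS, DIM_L, LEN_M = 2, 3, 10      # k key bits, l = dim(C'), m = n + k
N_USES = LEN_M - K_BITS              # n channel uses (unpunctured positions)
R = LEN_M - DIM_L                    # m - l parity checks

# Constructed toy parity-check matrix H = [A, B]; B is lower triangular
# with a unit diagonal, so it is invertible over GF(2).
A = [[1, 0, 0], [0, 0, 0], [0, 1, 0], [1, 0, 0], [0, 0, 1], [0, 1, 0], [0, 0, 0]]
B = [[1 if c in (r, r - 1) else 0 for c in range(R)] for r in range(R)]
H = [a + b for a, b in zip(A, B)]

def matvec(rows, vec):
    """rows * vec^T over GF(2)."""
    return [sum(x & y for x, y in zip(row, vec)) % 2 for row in rows]

def solve_lower(rhs):
    """Forward substitution: x with B x^T = rhs^T, i.e. x = rhs (B^-1)^T."""
    x = []
    for r, row in enumerate(B):
        acc = rhs[r]
        for c in range(r):
            acc ^= row[c] & x[c]
        x.append(acc)
    return x

def coset_leader(key, y):
    """Destination: syndrome S = [L, Y] H^T, leader E = [0^l, S (B^-1)^T]."""
    return [0] * DIM_L + solve_lower(matvec(H, key + y))

def codewords():
    """All 2^l codewords [u_a, u_b] of C', where B u_b^T = A u_a^T."""
    for info in product((0, 1), repeat=DIM_L):
        yield list(info) + solve_lower(matvec(A, list(info)))

def source_decode(x, leader):
    """Source: pick U in C' whose unpunctured part, shifted by E, is closest
    to X. The first k positions are punctured: no channel evidence for them."""
    def distance(u):
        return sum((ui ^ ei) != xi
                   for ui, ei, xi in zip(u[K_BITS:], leader[K_BITS:], x))
    return min(codewords(), key=distance)

def run_demo():
    key = [1, 0]                         # L: chosen at the destination, never transmitted
    y = [1, 0, 1, 1, 0, 0, 1, 0]         # quantized destination bits (constructed)
    x = list(y)
    x[5] ^= 1                            # source's bits disagree in one position
    leader = coset_leader(key, y)        # public message E
    u = [a ^ b for a, b in zip(key + y, leader)]   # [L, Y] + E, a codeword of C'
    return {"leader": leader, "codeword": u, "dest_key": key,
            "source_key": source_decode(x, leader)[:K_BITS]}

def leader_key_counts():
    """Count (L, E) pairs over all L and Y; equal counts for every pair
    mean the public leader E is independent of the key L."""
    counts = Counter()
    for key in product((0, 1), repeat=K_BITS):
        for y in product((0, 1), repeat=N_USES):
            counts[(key, tuple(coset_leader(list(key), list(y))))] += 1
    return counts

if __name__ == "__main__":
    print(run_demo())
    print(set(leader_key_counts().values()))
```

Because the first l entries of the leader are zero, the first k bits of [L, Y] + E are L itself, which is why the source reads its key from the decoded codeword.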

We note that the above scheme is permissible with t = n + 1, $K = [K_1^{k_1}, K_2^{k_2}, \cdots, K_M^{k_M}]$, $L = [L_1^{k_1}, L_2^{k_2}, \cdots, L_M^{k_M}]$, and $\Psi_{n+1} = \{E_j^{m_j}\}_{j=1}^{M}$ is the only message sent via the public channel at last time instant n + 1, as described in Section 2.2. Thus, we can evaluate the secrecy performance of the scheme in the context of achievable key-leakage rate pair. In other words, we derive an upper bound of the amount of the information about the secret key leaked to the wiretapper. First, based on the chosen distributions of $\{L_j^{k_j}\}_{j=1}^{M}$ and $X^n$, the memoryless nature of the Gaussian wiretap channel, and the quantizer Q employed to obtain $Y^n$ at the destination, it is easy to check that $H(L_j^{k_j}) = k_j$, $H(L_j^{k_j}, Y_j^n) = m_j$, and $H(E_j^{m_j}) = m_j - l_j$ for $j = 1, 2, \cdots, M$. Suppose that the multistage

4 To simplify notation, we use $\{E_j^{m_j}\}_{j=1}^{M}$ to represent the sequence of vectors $\{E_1^{m_1}, E_2^{m_2}, \cdots, E_M^{m_M}\}$.


decoding process at the source achieves the error probability $\epsilon_s$ at each stage, then we have $\Pr\{K \ne L\} \le M\epsilon_s$. Hence, Condition 1 in Section 2.2 is satisfied. Moreover, we also have $H(K|L) \le M + (\sum_{j=1}^{M} k_j)\epsilon_s$, $H(L|K) \le M + (\sum_{j=1}^{M} k_j)\epsilon_s$ by Fano’s inequality. That in turn implies $\frac{1}{n}H(K) \ge \sum_{j=1}^{M} R_{kj} - \sum_{j=1}^{M} R_{kj}\epsilon_s - \frac{M}{n}$. Further using the fact that $I(L; \{E_j^{m_j}\}_{j=1}^{M}) = 0$, we have $\frac{1}{n}I(K; \{E_j^{m_j}\}_{j=1}^{M}) \le \sum_{j=1}^{M} R_{kj}\epsilon_s + \frac{M}{n}$. Thus, Conditions 2, 4, and 5 in Section 2.2 are satisfied when n is sufficiently large and $\epsilon_s$ is small enough.

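Next, consider

$$
\begin{aligned}
I(K; Z^n, \{E_j^{m_j}\}_{j=1}^{M})
&\le I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) + I(K; Z^n, \{E_j^{m_j}\}_{j=1}^{M} \mid L) \\
&\le I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) + H(K|L) \\
&\le I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) + \sum_{j=1}^{M} R_{kj}\epsilon_s + M.
\end{aligned} \tag{4–3}
$$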

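Further,

$$
\begin{aligned}
I(L; Z^n, \{E_j^{m_j}\}_{j=1}^{M})
&= H(L) + H(\{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) - H(L, \{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) \\
&= H(L) + H(\{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) - H(L, Y^n, \{E_j^{m_j}\}_{j=1}^{M} \mid Z^n) + H(Y^n \mid Z^n, L, \{E_j^{m_j}\}_{j=1}^{M}) \\
&\le H(L) + H(\{E_j^{m_j}\}_{j=1}^{M}) - H(Y^n \mid Z^n) + H(\{Y_j^n\}_{j=1}^{M} \mid Z^n, L, \{E_j^{m_j}\}_{j=1}^{M}) \\
&= H(L) + H(\{E_j^{m_j}\}_{j=1}^{M}) - H(Y^n \mid Z^n) + \sum_{j=1}^{M} H(Y_j^n \mid Z^n, L, \{E_i^{m_i}\}_{i=1}^{M}, \{Y_i^n\}_{i=1}^{j-1}) \\
&\le \sum_{j=1}^{M} H(L_j^{k_j}) + \sum_{j=1}^{M} H(E_j^{m_j}) - H(Y^n) + I(Y^n; Z^n) + \sum_{j=1}^{M} H(Y_j^n \mid Z^n, L_j^{k_j}, E_j^{m_j}, \{Y_i^n\}_{i=1}^{j-1}),
\end{aligned} \tag{4–4}
$$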

where the second to last equality is due to the chain rule for entropy. Now, because the channel from $Y^n$ to $Z^n$ is memoryless, we have $I(Y^n; Z^n) \le nC_w(\beta)$. In addition, let us consider a multistage fictitious decoder at the wiretapper trying to decode for $Y_j^n$ from observing $(Z^n, E_j^{m_j}, L_j^{k_j}, \{Y_i^n\}_{i=1}^{j-1})$ for $j = 1, 2, \cdots, M$. Suppose that the decoder achieves


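the error probability $\epsilon_w$ at each stage. Then we have $H(Y_j^n \mid Z^n, L_j^{k_j}, E_j^{m_j}, \{Y_i^n\}_{i=1}^{j-1}) \le 1 + (l_j - k_j)\epsilon_w$ for $j = 1, 2, \cdots, M$ by Fano’s inequality. Putting all these and (4–4) back into (4–3), we obtain

$$
\begin{aligned}
\frac{1}{n} I(K; Z^n \mid \{E_j^{m_j}\}_{j=1}^{M}) &\le \frac{1}{n} I(K; Z^n, \{E_j^{m_j}\}_{j=1}^{M}) \\
&\le C_w(\beta) - \sum_{j=1}^{M} (R_{cj} - R_{kj}) + \sum_{j=1}^{M} R_{kj}\epsilon_s + \sum_{j=1}^{M} (R_{cj} - R_{kj})\epsilon_w + \frac{2M}{n}.
\end{aligned} \tag{4–5}
$$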

Letting $R_l = C_w(\beta) - \sum_{j=1}^{M}(R_{cj} - R_{kj})$, Condition 3 in Section 2.2 is then satisfied if $\epsilon_s$ and $\epsilon_w$ are small enough and n is large enough, showing that $(\sum_{j=1}^{M} R_{kj}, R_l)$ is an achievable key-leakage rate pair as a result. Moreover, we note that the above upper bound applies for any decoder both at the source and at the fictitious receiver since the value of the bound depends on the choice of decoder only through $\epsilon_s$ and $\epsilon_w$.

In the next section, we perform computer simulation to estimate (upper bounds on) $\epsilon_s$ and $\epsilon_w$. To get $\epsilon_s$, a multistage BP decoder described above is implemented at the source. Note that for the j-th level decoder, the estimates of $\{Y_i^n\}_{i=1}^{j-1}$ obtained from the previous level decoders are used in calculating the LLRs of the variable nodes. Similarly, to get $\epsilon_w$, a multistage BP decoder is implemented for the fictitious receiver at the wiretapper. In order to provide information about the secret key $L_j^{k_j}$ to the BP decoder, for example, for $Y_j^n$, the intrinsic LLRs of the variable nodes corresponding to $L_j^{k_j}$ are explicitly set to ±∞ according to the true bit values. Moreover, $\{Y_i^n\}_{i=1}^{j-1}$ are assumed available to the j-th stage decoder for calculating the LLRs of the variable nodes.

We note that a similar MLC/MSD reconciliation method was proposed in [18] to

reconcile and correct the differences between nonbinary random variables X n and

random variables Y n by sending X n through a quasi-static Rayleigh fading channel.

In [18], MLC and MSD are employed to transform the M-ary transmission into M

parallel binary-input channels so that binary LDPC codes can be used for reconciliation.


However, there are two fundamental differences between our proposed scheme and

the reconciliation method discussed in [18]. First, as mentioned above, the proposed

key-agreement scheme considers both the (quantized) channel from the destination to

the source and the (quantized) channel from the destination to the wiretapper (given

the key), while the method in [18] only focuses on the channel from the source to the destination⁵. Reference [18] uses irregular LDPC codes optimized for antipodal

signalling over the AWGN channel as component codes, while we propose to design

LDPC codes which work well for both the quantized destination-to-source channel and

the quantized destination-to-wiretapper channel given the secret key. As revealed in

Section 3.3.2, codes designed solely for information reconciliation do not necessarily work well in the case of key agreement when the secrecy performance is evaluated by

measuring the leakage rate. More seriously, reference [18] fails to consider the fact that

the M binary-input channels have totally different channel characteristics. Hence the

design in [18] does not readily translate into our context of interest and most likely those

irregular LDPC codes will provide poor secrecy performance in terms of achievable

leakage-rate pair. Second, the method proposed in [18] also neglects the fact that the M

binary-input channels do not possess the symmetry properties required for employing

density evolution to predict the actual decoder behavior. Instead, reference [18] uses

Extrinsic Information Transfer (EXIT) charts to perform analysis of the decoding process

despite the fact that the theoretical result sustaining EXIT charts does not exist for

Gaussian channel. On the other hand, as mentioned in the next section, we adopt an

analytical tool, namely i.i.d. channel adapters, to the proposed key-agreement scheme

to force the required symmetry properties of the M binary-input channels for valid

5 In [18], the authors consider only forward reconciliation, thus the destination does not quantize its received symbols and the decoding is performed at the destination instead.


density-evolution analysis. To summarize, although MLC and MSD are employed in [18]

to construct a reconciliation method for correlated random variables, no design rules

are offered to find irregular LDPC codes which are suitable for use in the proposed

key-agreement scheme.

4.3 LDPC Codes Design and Performance

In this section, we design irregular LDPC codes for use in the modified key-agreement scheme to achieve good secrecy performance. As revealed later in this section, our task is to design M irregular LDPC codes such that the j-th pair $(C_j, W_j)$, which is generated from the j-th LDPC code $C'_j$, works well for the channel from $Y_j^n$ to $X_j^n$ and the channel from $Y_j^n$ to $Z^n$ given $L_j^{k_j}$ and $\{Y_i^n\}_{i=1}^{j-1}$.

Let $R'_{cj} = \frac{l_j}{m_j} = 1 - \frac{\int \rho_j(x)\,dx}{\int \lambda_j(x)\,dx}$ be the code rate of $C'_j$, where $\lambda_j(x)$ and $\rho_j(x)$ denote the variable- and check-node degree distribution polynomials of $C'_j$, respectively. In this dissertation, we consider applying uniform puncturing to $C'_j$ with $p_j$ denoting the corresponding fraction of punctured variable nodes, which correspond to $L_j^{k_j}$. Note that $R_{kj} = \frac{p_j}{1-p_j}$ and $R_{cj} = \frac{R'_{cj}}{1-p_j}$.

From the mutual information chain rule [38], we know

$$
\begin{aligned}
I(X; Y) - I(Y; Z) &= I(X; Y_1, Y_2, \cdots, Y_M) - I(Y_1, Y_2, \cdots, Y_M; Z) \\
&= \sum_{j=1}^{M} I(X; Y_j \mid Y_1, Y_2, \cdots, Y_{j-1}) - \sum_{j=1}^{M} I(Y_j; Z \mid Y_1, Y_2, \cdots, Y_{j-1}) \\
&= \sum_{j=1}^{M} \Big[ I(X; Y_j \mid Y_1, Y_2, \cdots, Y_{j-1}) - I(Y_j; Z \mid Y_1, Y_2, \cdots, Y_{j-1}) \Big].
\end{aligned} \tag{4–6}
$$

Comparing (4–6) to the expression of the $R_l$-relaxed key capacity in Theorem 2.1 implies that the wiretap channel can be separated into M parallel binary-input wiretap channels, provided that $\{Y_i\}_{i=1}^{j-1}$ are known to the j-th channel. Accordingly, for a fixed value of $R_k = \sum_{j=1}^{M} R_{kj}$, we can use (4–6), which defines the optimal (key) rate assignment among the M binary-input wiretap channels to be the corresponding mutual information


difference, to distribute the target key rates $\{R_{kj}\}_{j=1}^{M}$ among the M irregular LDPC codes. For example, for M = 2, we assign the key rates $R_{k1}$ and $R_{k2}$ among the two irregular LDPC codes $C'_1$ and $C'_2$ using the ratio $R_{k1}/R_{k2} = (I(X; Y_1) - I(Y_1; Z))/(I(X; Y_2|Y_1) - I(Y_2; Z|Y_1))$. After fixing each $R_{kj}$ (which in turn fixes $p_j$), if we want to minimize the achievable leakage rate $R_l$, Eqn. (4–5) suggests that we should maximize $\sum_{j=1}^{M} R_{cj}$, or equivalently $\sum_{j=1}^{M} R'_{cj}$. In fact, the maximization of $\sum_{j=1}^{M} R'_{cj}$ can be broken into maximizing each $R'_{cj}$ individually, again by the implication of (4–6). More specifically, given $R_{kj}$ for $j = 1, 2, \cdots, M$, we are to find $(\lambda_j(x), \rho_j(x))$ such that $R'_{cj}$ is maximized subject to the constraint that $\epsilon_{sj}$ and $\epsilon_{wj}$ vanish as the multistage BP decoders at the source and the wiretapper iterate, where $\epsilon_{sj}$ and $\epsilon_{wj}$ are the error probability of the j-th stage decoder at the source and wiretapper, respectively. Trivially, the above conditions combine to guarantee the vanishing of $\epsilon_s$ and $\epsilon_w$ defined in Section 4.2.

To design good irregular LDPC codes, we employ the density-evolution based code search process proposed in Section 3.3.2 here, but two major changes are made. First, to account for the puncturing of $L_j^{k_j}$ at the source’s j-th stage BP decoder, the intrinsic LLR distribution entered into the density evolution analysis is set to be a mixture of the original LLR distribution and an impulse at 0 with weights determined by the value of $p_j$. Second, we note that using density evolution to predict the average decoder behavior implicitly requires the underlying channels to have appropriate symmetric properties [29]. However, the M binary-input channels mentioned above are not necessarily symmetric. As a result, it is not sufficient to consider only the performance of the all-zeros codeword to predict the average decoder behavior and the application of density evolution in such a scenario becomes very complicated. Fortunately, an analytical tool, i.i.d. channel adapters, which was proposed in [45] to tackle the problem of LDPC code design for coded modulation schemes, can be easily adopted into the modified key-agreement scheme to force the symmetry of those binary-input channels. Let us consider the channel from $Y_j^n$ to $X_j^n$; the j-th i.i.d.


channel adapter works on the j-th binary-input channel as follows. Each i.i.d. channel adapter has three modules. The first one is an i.i.d. source which generates binary symbols Wji for all i, according to an i.i.d. equiprobable distribution. The second one is a mod-2 adder at the destination such that Vji = Wji ⊕ Yji. The third module is a mod-2 adjuster at the source to perform Uji = (1 − 2Wji)Gji, where Gji is the log a posteriori probability ratio (LAPPR) of Yji (given Xji). Then by [45, Theorem 1], the newly augmented channel from Vji to Uji is symmetric. Next, consider the channel from $Y_j^n$ to $Z^n$ and let Uji = (1 − 2Wji)Jji, where Jji is the LAPPR of Yji (given Zi). Again by [45, Theorem 1], the newly augmented channel from Vji to Uji also satisfies the symmetric condition. Thus, the analysis and design of the M irregular LDPC codes are greatly simplified. Furthermore, by [45, Theorem 2], the capacity of the new augmented binary-input channel is equal to the mutual information of the original binary-input channel with i.i.d. equiprobable input distribution. Hence, if we can design good irregular LDPC codes, which work well for both the channel $V_j^n$ to $U_j^n$ and $V_j^n$ to $U_j^n$, the irregular LDPC codes also work well for both the channel from $Y_j^n$ to $X_j^n$ and $Y_j^n$ to $Z^n$.

From now on, the description of the modified code search process focuses on the j-th binary-input wiretap channel, and the code search process on all other binary-input wiretap channels follows exactly the same procedure. Similar to Section 3.3.2, for a fixed $\rho_j(x)$ and a target value of $R_{kj}$, the code search process can be formulated to optimize $\lambda_j(x)$ using density-evolution based linear programming. Again, let $\epsilon > 0$ be a small prescribed error tolerance and suppose that an initial $\lambda_j(x)$ (call it $\lambda_j(x)$) satisfies the property that $e_s(M_s) \le \epsilon$ and $e_w(M_w) \le \epsilon$ for some integers $M_s$ and $M_w$, where $e_s(\ell)$ and $e_w(\ell)$ denote the bit error probabilities obtained by the BP decoders (with i.i.d. channel adapters) at the source and wiretapper, respectively, at the ℓ-th density evolution iteration. The code search proceeds to maximize the code rate $R'_{cj}$ of the irregular LDPC code by updating $\lambda_j(x)$ while maintaining the following constraints using linear programming (refer to Section 3.3.2 for the mathematical description):


Table 4-1. Degree distribution pairs of the rate-0.195 and rate-0.538 irregular LDPC codes.

rate-0.195 rate-0.538
λ2 0.3583 0.1910
λ3 0.1739 0.1373
λ4 0.0202 0.0334
λ5 0.1205
λ6 0.1226
λ7 0.0270
λ9 0.1573
λ10 0.0086
λ12 0.1229
λ13 0.0091
λ28 0.1242
λ29 0.1423 0.0394
λ30 0.0189
λ89 0.1491
λ90 0.0440
ρ4 0.6747
ρ5 0.3253
ρ11 0.7570
ρ12 0.2430

1. $\sum_{i=2}^{d_v} \lambda_{ji} = 1$ and $\lambda_{ji} \ge 0$ for $2 \le i \le d_v$;

2. $\lambda_j(x)$ is not significantly different from $\lambda_j(x)$;

3. $\lambda_j(x)$ produces smaller error probability than $\lambda_j(x)$,

where $\lambda_{ji}$ represents the fraction of edges emanating from the variable nodes of degree i and $d_v$ is the maximum allowable degree of $\lambda_j(x)$. The code search process continues until $e_s(M_s)$ or $e_w(M_w)$ becomes larger than $\epsilon$, or until $\lambda_j(x)$ converges. As mentioned in Section 3.3.2, we can also fix $\lambda_j(x)$ and obtain a similar linear programming problem for $\rho_j(x)$ and iterative search can then alternate between the linear programs for $\lambda_j(x)$ and $\rho_j(x)$, respectively.

To illustrate the secrecy performance of the modified key-agreement scheme, we

consider the code design for 4-PAM and 8-PAM modulation. For the case of 4-PAM

modulation, we consider two different channel settings: (a) P/σ2 = 5 dB and α2 = 0 dB


[Figure 4-5 plot: Rpq or Rk (bpcu) versus Rl (bpcu); legend: achievable (Rk, Rl) pair of the rate-0.195 and rate-0.538 irregular LDPC codes; Rpq for 4-PAM at P/σ² = 5 dB, α² = 0 dB.]

Figure 4-5. Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.195 and rate-0.538 irregular LDPC codes.

and (b) $P/\sigma^2 = 1.8$ dB and $\alpha^2 = 5$ dB, which correspond to situations where the wiretapper’s SNR is moderate and strong relative to the destination’s SNR. We apply the aforementioned code search process to obtain the irregular LDPC codes shown below. For channel setting (a), Figure 4-5 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by setting $R_k = 0.29$ in the code search process. By (4–6), we have $R_{k1} = 0.15$ and $R_{k2} = 0.14$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-1, are $R'_{c1} = 0.195$ and $R'_{c2} = 0.538$, respectively. As usual, we obtain an instance of the irregular LDPC codes by randomly generating a bipartite graph which satisfies the corresponding degree distributions. The block length of the LDPC codes is $m = 10^6$, and all length-4 loops are removed. Computer simulation is performed to obtain an estimate of $\epsilon_s$ and $\epsilon_w$, which are then


employed to calculate an achievable leakage rate as in (4–5), provided that ϵs ≤ 0.01

and ϵw ≤ 0.01. The resulting achievable key-leakage rate pair (Rk ,Rl) are plotted

against the corresponding boundary of the (Rpq,Rl) region, which is shown by the solid

curve in the figure. From Figure 4-5, we can see that the pair (Rk ,Rl) = (0.29, 0.03) is

achieved by using the rate-0.195 and rate-0.538 irregular LDPC codes.

Next, we consider the more challenging channel setting (b) in which the wiretapper’s SNR is 5 dB more than that of the destination. Figure 4-6 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by performing the code search process with $R_k = 0.12$. Using (4–6), we get $R_{k1} = 0.05$ and $R_{k2} = 0.07$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-2, are $R'_{c1} = 0.096$ and $R'_{c2} = 0.436$, respectively. From Figure 4-5, we can see that the pair $(R_k, R_l) = (0.12, 0.015)$ is achieved by using the rate-0.096 and rate-0.436 irregular LDPC codes.

For the case of 8-PAM modulation, we also consider two different channel settings: (c) $P/\sigma^2 = 9$ dB and $\alpha^2 = 0$ dB and (d) $P/\sigma^2 = 8$ dB and $\alpha^2 = 3$ dB. For channel setting (c), Figure 4-7 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by setting $R_k = 0.365$ in the code search process. By (4–6), we have $R_{k1} = 0.1$, $R_{k2} = 0.176$ and $R_{k3} = 0.689$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-3, are $R'_{c1} = 0.108$, $R'_{c2} = 0.432$ and $R'_{c3} = 0.689$, respectively. From Figure 4-7, we can see that the pair $(R_k, R_l) = (0.365, 0.033)$ is achieved by using the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes. For channel setting (d), Figure 4-8 shows the rate-leakage pair $(R_k, R_l)$ achieved by the irregular LDPC codes obtained by setting $R_k = 0.22$ in the code search process. By (4–6), we have $R_{k1} = 0.057$, $R_{k2} = 0.109$ and $R_{k3} = 0.054$. The code rates of the LDPC codes, whose degree distribution pairs are shown in Table 4-4, are $R'_{c1} = 0.078$, $R'_{c2} = 0.415$ and $R'_{c3} = 0.687$, respectively. From Figure 4-8, we can see


Table 4-2. Degree distribution pairs of the rate-0.096 and rate-0.436 irregular LDPC codes.

rate-0.096 rate-0.436
λ2 0.3718 0.2702
λ3 0.1547 0.1570
λ4 0.0222 0.0705
λ5 0.0787 0.0638
λ6 0.0584
λ7 0.0120
λ8 0.0469
λ9 0.1628
λ11 0.0906
λ12 0.0267
λ26 0.0512
λ27 0.1776
λ29 0.0526
λ30 0.0518
λ89 0.0805
ρ3 0.0944
ρ4 0.9031
ρ5 0.0025
ρ7 0.9185
ρ8 0.0589
ρ9 0.0226

that the pair (Rk ,Rl) = (0.22, 0.026) is achieved by using the rate-0.078, rate-0.415 and

rate-0.687 irregular LDPC codes.

4.4 Summary

In this chapter, we extend and further improve our proposed key-agreement scheme

to the case when the source is allowed to send M-ary equiprobable PAM symbols. The

modified key-agreement scheme employs punctured irregular LDPC codes to avoid

directly exposing the (secret) key to the wiretapper. By invoking the idea of MLC and

MSD, we show that the design of LDPC codes over the original wiretap channel can be

transformed into the design of LDPC codes for the M binary-input wiretap channels.

Hence, the proposed code search process can be adopted to design good irregular


[Figure 4-6 plot: Rpq or Rk (bpcu) versus Rl (bpcu); legend: achievable (Rk, Rl) pair of the rate-0.096 and rate-0.436 irregular LDPC codes; Rpq for 4-PAM at P/σ² = 1.8 dB, α² = 5 dB.]

Figure 4-6. Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.096 and rate-0.436 irregular LDPC codes.

LDPC codes to give secrecy performance close to the (symmetric) relaxed key rate, as

demonstrated by the simulation results.


Table 4-3. Degree distribution pairs of the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes.

rate-0.108 rate-0.432 rate-0.689
λ2 0.3626 0.2852 0.2219
λ3 0.1599 0.1608 0.1211
λ4 0.0892 0.1338
λ5 0.1063
λ6 0.0436
λ7 0.1637
λ8 0.0587 0.1114
λ9 0.1398
λ10 0.1073
λ20 0.0492
λ21 0.1932
λ26 0.1176 0.0764
λ27 0.0019 0.19546
λ100 0.1008
ρ4 0.9881
ρ5 0.0119
ρ6 0.2382
ρ7 0.7589
ρ14 0.6828
ρ15 0.3172
ρ20 0.0029


[Figure 4-7 plot: Rpq or Rk (bpcu) versus Rl (bpcu); legend: achievable (Rk, Rl) pair of the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes; Rpq for 8-PAM at P/σ² = 9 dB, α² = 0 dB.]

Figure 4-7. Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.108, rate-0.432 and rate-0.689 irregular LDPC codes.


Table 4-4. Degree distribution pairs of the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes.

rate-0.078 rate-0.415 rate-0.687
λ2 0.4081 0.2644 0.2208
λ3 0.1677 0.1729 0.1254
λ4 0.1256
λ5 0.1342 0.1397
λ6 0.0181 0.0195
λ8 0.1542
λ9 0.0291 0.0943
λ10 0.0787 0.0888
λ11 0.1042
λ21 0.0695
λ22 0.0157
λ26 0.2541
λ27 0.0256
λ31 0.1374
λ32 0.0731
λ54 0.0293
λ55 0.0496
ρ3 0.3915
ρ4 0.6085
ρ6 0.0668
ρ7 0.9093
ρ8 0.0210
ρ9 0.0010
ρ14 0.7449
ρ15 0.2551
ρ20 0.0019


[Figure 4-8 plot. Horizontal axis: Rl (bpcu). Vertical axis: Rpq or Rk (bpcu). Legend: achievable (Rk, Rl) pair of the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes; Rbq for 8-PAM at P/σ² = 8 dB, α² = 3 dB.]

Figure 4-8. Plot of (Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.078, rate-0.415 and rate-0.687 irregular LDPC codes.


CHAPTER 5
AN LDPC-BASED SECRET-SHARING SCHEME OVER FAST-FADING WIRETAP CHANNEL

In this chapter, we further extend our secret-sharing design to develop a practical

key-agreement scheme for the fast Rayleigh fading wiretap channel. We impose two

constraints on the channel between the source and destination. First, the source is

limited to transmit quadrature phase-shift-keyed (QPSK) symbols. Second, symbol-by-symbol,

component-by-component hard-decision quantization is applied to the

received symbols at the destination. We show that the in-phase and quadrature-phase

components of the fast-fading wiretap channel can be considered separately. The

secrecy performance of the proposed scheme is again measured in terms of the rate of

secret key agreed between the source and destination against the rate of information

about the secret key leaked to the wiretapper.

5.1 Fast-Fading Wiretap Channel

In this chapter, we consider the wiretap channel in which the destination and wiretapper channel are both fast Rayleigh fading channels. Here, $X_i$ denotes the $i$th complex-valued symbol transmitted by the source, i.e., $X_i = X_{Ii} + jX_{Qi}$ where $X_{Ii}$ and $X_{Qi}$ are the in-phase (I) and quadrature-phase (Q) components, respectively. The baseband-equivalent fast Rayleigh fading wiretap channel can then be modeled as

$$
\begin{aligned}
Y_i &= \beta G_i X_i + N_i \\
Z_i &= \alpha\beta \tilde{G}_i X_i + \tilde{N}_i,
\end{aligned}
\tag{5–1}
$$

where the channel noises are now modeled respectively by $N_i$ and $\tilde{N}_i$, which are i.i.d. zero-mean, complex-symmetric complex Gaussian-distributed (ZMCSCGD) random variables with variance $\sigma^2$, and the fading coefficients are represented by $G_i$ and $\tilde{G}_i$, which are i.i.d. ZMCSCGD random variables with unit variance. It is assumed that perfect CSI of the respective channels is available to the destination and wiretapper, i.e., the destination knows $G_i$ and the wiretapper knows $\tilde{G}_i$. We restrict the source to transmit


only QPSK symbols, i.e., $\{X_{Ii}, X_{Qi}\} \in \pm\sqrt{1/2}$, with $\beta$ being the gain. Similarly, we also

impose the source power constraint (2–1) such that $\beta^2 \le P$, where $P$ is the maximum

power available to the source. The channel gain difference between the destination

and wiretapper is again modeled by the positive constant α. Similar to Chapter 3, it is

assumed that there is an interactive, authenticated and public channel with unlimited

capacity between the source and the destination.

As will be described in Section 5.2, we perform symbol-by-symbol, component-by-component hard-decision quantization at the destination in which the $i$th quantized destination symbol $\hat{Y}_i = \hat{Y}_{Ii} + j\hat{Y}_{Qi}$ is given by $\hat{Y}_{Ii} = \mathrm{sgn}(\Re(Y_i G_i^*))$ and $\hat{Y}_{Qi} = \mathrm{sgn}(\Im(Y_i G_i^*))$. Since the received symbols at the destination and wiretapper are conditionally independent given the source symbols, it can be shown (see footnote 1) that the $R_l$-relaxed key capacity is given by

$$
C_q(R_l) = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \left[ \min\left\{ C_s(\beta) - C_w(\beta) + R_l,\; C_s(\beta) \right\} \right],
\tag{5–2}
$$

where

$$
C_s(\beta) = 2 - \int_0^\infty H_2\big(Q(\beta h)\big) \cdot 4h e^{-h^2}\, dh
$$

and

$$
C_w(\beta) = 2 - \frac{1}{\sqrt{2\pi}} \int_0^\infty\!\!\int_0^\infty\!\!\int_0^\infty \left[1 + e^{-2\alpha\beta g z}\right] e^{-\frac{(z - \alpha\beta g)^2}{2}} \cdot H_2\!\left(\frac{Q(\beta h) + [1 - Q(\beta h)]\, e^{-2\alpha\beta g z}}{1 + e^{-2\alpha\beta g z}}\right) \cdot 8hg\, e^{-(h^2 + g^2)}\, dg\, dh\, dz
$$

are, respectively, the capacities of the quantized destination-to-source and quantized destination-to-wiretapper channels at the normalized gain $\beta$. We again note that $C_q(R_l)$ is achieved when $X_i$ is equiprobable, but it is not necessarily achieved by

1 The proof of (5–2) can be easily, though rather tediously, extended from the proof of (3–3) by checking the concavity and symmetry of I(X;Y) − I(Y;Z) as a function of the QPSK source distribution.


[Figure 5-1 plot. Horizontal axis: P/σ² (dB). Vertical axis: Cq (bpcu). Curves for α² = −5 dB, α² = 0 dB and α² = 5 dB, with Rl = 0.]

Figure 5-1. The Rl-relaxed key capacity Cq of the fast Rayleigh fading wiretap channel for different values of α², where Rl = 0.

transmitting at the maximum allowable power P. The equiprobable distribution and

symmetry of the QPSK symbols imply that we can consider instead the transmission

of BPSK symbols with equal rates separately over the I- and Q-components. For

illustration, Figure 5-1 shows the plot of Cq(Rl), in units of bpcu, versus the maximum

allowable SNR P/σ² for α² = −5, 0, and 5 dB, respectively. Note that for each value of

α, we should design the key-agreement system to operate near the “corner point” where

the key capacity is just about to level off.
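
The following Python sketch is an added example, not code from the dissertation. It evaluates the expression for C_s(β) given above by numerical integration and checks the per-component crossover probability E[Q(β|G|)] behind it against a Monte Carlo run of the channel (5–1) followed by the hard-decision quantizer. It assumes the noise variance is normalized to 1 (so β is the normalized gain), and all function names are illustrative.

```python
import math
import random

H_MAX = 8.0  # the Rayleigh weight exp(-h^2) is negligible beyond this point


def q_func(x):
    """Gaussian tail probability Q(x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def h2(p):
    """Binary entropy in bits, with H2(0) = H2(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def simpson(f, a, b, steps=4000):
    """Composite Simpson rule on [a, b]; steps must be even."""
    width = (b - a) / steps
    total = f(a) + f(b)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * f(a + i * width)
    return total * width / 3.0


def c_s(beta):
    """C_s(beta) = 2 - int_0^inf H2(Q(beta*h)) * 4h*exp(-h^2) dh, in bpcu."""
    def integrand(h):
        return h2(q_func(beta * h)) * 4.0 * h * math.exp(-h * h)
    return 2.0 - simpson(integrand, 0.0, H_MAX)


def crossover_numeric(beta):
    """Average flip probability E[Q(beta*|G|)] with |G| Rayleigh, pdf 2h*exp(-h^2)."""
    def integrand(h):
        return q_func(beta * h) * 2.0 * h * math.exp(-h * h)
    return simpson(integrand, 0.0, H_MAX)


def crossover_closed_form(beta):
    """Textbook coherent BPSK-over-Rayleigh average for the same quantity."""
    return 0.5 * (1.0 - math.sqrt(beta * beta / (2.0 + beta * beta)))


def simulate_quantizer(beta, n, seed):
    """Send n QPSK symbols through Y = beta*G*X + N and hard-quantize Y*conj(G).

    Returns the fraction of I/Q components whose quantized sign differs from
    the transmitted sign. Inputs are constructed at random from the seed.
    """
    rng = random.Random(seed)
    s = math.sqrt(0.5)
    flips = 0
    for _ in range(n):
        x = complex(rng.choice((-s, s)), rng.choice((-s, s)))  # QPSK symbol
        g = complex(rng.gauss(0.0, s), rng.gauss(0.0, s))      # unit-variance fading
        noise = complex(rng.gauss(0.0, s), rng.gauss(0.0, s))  # sigma^2 = 1 (assumed)
        r = (beta * g * x + noise) * g.conjugate()             # coherent combining
        flips += (r.real > 0) != (x.real > 0)                  # I-component decision
        flips += (r.imag > 0) != (x.imag > 0)                  # Q-component decision
    return flips / (2.0 * n)


if __name__ == "__main__":
    for snr_db in (-4, 0, 2.5, 5):
        beta = math.sqrt(10.0 ** (snr_db / 10.0))
        print(f"beta^2 = {snr_db:5.1f} dB  "
              f"flip = {crossover_numeric(beta):.4f}  C_s = {c_s(beta):.4f} bpcu")
```
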


5.2 LDPC-based Key-Agreement Scheme

The proposed key-agreement scheme is a modification of the one presented in Chapter 4. Under the notations developed in Section 4.2, we describe the proposed key-agreement scheme as follows:

1. Random source transmission and destination quantization: The source first randomly generates a sequence $X^n$ of $n$ i.i.d. equally likely QPSK symbols and sends them consecutively through the fast-fading wiretap channel. The destination then obtains the quantized sequence $\hat{Y}^n$ by performing symbol-by-symbol, component-by-component hard-decision quantization on the received sequence $Y^n$. We note that this quantization separates the received symbol $Y_i$ into the quantized I-component $\hat{Y}_{Ii} = \mathrm{sgn}(\Re(Y_i G_i^*))$ and Q-component $\hat{Y}_{Qi} = \mathrm{sgn}(\Im(Y_i G_i^*))$. We also note that the wiretapper observes $Z^n$ and $\tilde{G}^n$.

2. Syndrome generation through LDPC encoding at destination: The destination first randomly chooses the $k$-bit sequence $L_I^k$ with i.i.d. equally likely bits. It then generates the syndrome sequence $S_I^{m-l} = [L_I^k, \hat{Y}_I^n]H^T$. We note that each $S_I^{m-l}$ uniquely corresponds to a coset $E_I^m + C'$, where $E_I^m = [0^l, S_I^{m-l}(B^{-1})^T]$ is the coset leader. A similar encoding process is performed on $[L_Q^k, \hat{Y}_Q^n]$ to obtain $S_Q^{m-l}$ and $E_Q^m$, where $L_Q^k$ is another random sequence of i.i.d. equally likely bits, chosen independently of $L_I^k$. Finally, the destination sends $E_I^m$, $E_Q^m$, and $G^n$ back to the source via the public channel.

3. Decoding at source: The source performs belief propagation (BP) decoding to decode for the codeword $U_I^m = [L_I^k, \hat{Y}_I^n] + E_I^m$ ($\in C'$) from observing $X_I^n$, $E_I^m$ and $G^n$. Similarly, it also separately decodes for the codeword $U_Q^m = [L_Q^k, \hat{Y}_Q^n] + E_Q^m$ from observing $X_Q^n$, $E_Q^m$ and $G^n$. Let $\hat{U}_I^m$ and $\hat{U}_Q^m$ denote the decoded codewords for $U_I^m$ and $U_Q^m$, respectively.

4. Key generation at source and destination: The destination uses $[L_I^k, L_Q^k]$ as its key. The source sets its key to be $[K_I^k, K_Q^k]$, where $K_I^k$ and $K_Q^k$ contain the respective first $k$ bits of $\hat{U}_I^m$ and $\hat{U}_Q^m$.

We note that the above scheme is permissible with $t = n + 1$, $K = [K_I^k, K_Q^k]$, $L = [L_I^k, L_Q^k]$, and $\Psi_{n+1} = (E_I^m, E_Q^m, G^n)$ is the only message sent via the public channel at the last time instant $n + 1$, as described in Section 2.2.

Similar to Section 4.2, we evaluate the secrecy performance of the scheme in terms of the achievable key-leakage rate pair defined in Section 2.2. First, based on the chosen distributions of $L_I^k$, $L_Q^k$, and $X^n$, the memoryless nature of the fast-fading


wiretap channel, and the symbol-by-symbol, component-by-component hard decision performed to obtain $\hat{Y}^n$ at the destination, it is easy to check that $H(L_I^k) = H(L_Q^k) = k$, $H(L_I^k, \hat{Y}_I^n | G^n) = H(L_Q^k, \hat{Y}_Q^n | G^n) = m$, and $I(L_I^k, L_Q^k; G^n) = 0$. Together with the linearity of LDPC codes, we can also conclude that $H(E_I^m | G^n) = H(E_Q^m | G^n) = m - l$ and $I(L_I^k, L_Q^k; E_I^m, E_Q^m, G^n) = I(L_I^k, L_Q^k; G^n) + I(L_I^k, L_Q^k; E_I^m, E_Q^m | G^n) = 0$, since $(E_I^m, E_Q^m)$ are conditionally uniformly distributed and independent of $(L_I^k, L_Q^k)$ given $G^n$.

Next, consider

$$
\begin{aligned}
& I(K_I^k, K_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n) \\
&\le I(L_I^k, L_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n) + I(K_I^k, K_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n \mid L_I^k, L_Q^k) \\
&\le I(L_I^k, L_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n) + H(K_I^k, K_Q^k \mid L_I^k, L_Q^k) \\
&\le I(L_I^k, L_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m \mid G^n) + 2k\epsilon_s + 2,
\end{aligned}
\tag{5–3}
$$

where the last line is due to Fano’s inequality and the result that $I(L_I^k, L_Q^k; G^n) = 0$. Further, define $Z_{Ii} = \Re\{Z_i \tilde{G}_i^*\}$ and $Z_{Qi} = \Im\{Z_i \tilde{G}_i^*\}$. Then, we have

$$
\begin{aligned}
& I(L_I^k, L_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m \mid G^n) \\
&= H(L_I^k, L_Q^k \mid G^n) + H(E_I^m, E_Q^m \mid Z^n, \tilde{G}^n, G^n) - H(L_I^k, L_Q^k, E_I^m, E_Q^m \mid Z^n, \tilde{G}^n, G^n) \\
&= H(L_I^k, L_Q^k) + H(E_I^m, E_Q^m \mid Z^n, \tilde{G}^n, G^n) + H(\hat{Y}_I^n, \hat{Y}_Q^n \mid Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n, L_I^k, L_Q^k) \\
&\quad - H(L_I^k, L_Q^k, E_I^m, E_Q^m, \hat{Y}_I^n, \hat{Y}_Q^n \mid Z^n, G^n, \tilde{G}^n) \\
&\le H(L_I^k, L_Q^k) + H(E_I^m, E_Q^m \mid G^n) + H(\hat{Y}_I^n, \hat{Y}_Q^n \mid Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n, L_I^k, L_Q^k) \\
&\quad - H(L_I^k, L_Q^k, \hat{Y}_I^n, \hat{Y}_Q^n \mid Z^n, G^n, \tilde{G}^n) \\
&\le H(L_I^k) + H(L_Q^k) + H(E_I^m \mid G^n) + H(E_Q^m \mid G^n) + H(\hat{Y}_I^n, \hat{Y}_Q^n \mid Z_I^n, Z_Q^n, L_I^k, L_Q^k, E_I^m, E_Q^m, G^n, \tilde{G}^n) \\
&\quad - H(L_I^k, \hat{Y}_I^n \mid G^n) - H(L_Q^k, \hat{Y}_Q^n \mid G^n) + I(\hat{Y}_I^n, \hat{Y}_Q^n; Z^n \mid G^n, \tilde{G}^n) \\
&\le I(\hat{Y}^n; Z^n \mid G^n, \tilde{G}^n) - 2(l - k) + H(\hat{Y}_I^n \mid Z_I^n, L_I^k, E_I^m, G^n, \tilde{G}^n) + H(\hat{Y}_Q^n \mid Z_Q^n, L_Q^k, E_Q^m, G^n, \tilde{G}^n),
\end{aligned}
\tag{5–4}
$$


where the second last inequality is due to the facts that $(L_I^k, \hat{Y}_I^n)$ and $(L_Q^k, \hat{Y}_Q^n)$ are conditionally independent given $G^n$, and that $I(L_I^k, L_Q^k; Z^n | \hat{Y}_I^n, \hat{Y}_Q^n, G^n, \tilde{G}^n) = 0$ as $L_I^k$ and $L_Q^k$ are independent of all channel observations made by the destination and wiretapper.

Suppose that the decoding process at the source achieves the error probability $\epsilon_s$ for both the I- and Q-channels. Then we have $\Pr\{K_I^k \ne L_I^k\} \le \epsilon_s$ and $\Pr\{K_Q^k \ne L_Q^k\} \le \epsilon_s$, which implies $\Pr\{[K_I^k, K_Q^k] \ne [L_I^k, L_Q^k]\} \le 2\epsilon_s$. Hence, Condition 1 in Section 2.2 is satisfied. Moreover, we also have $H(K_I^k | L_I^k) \le 1 + k\epsilon_s$, $H(L_I^k | K_I^k) \le 1 + k\epsilon_s$, $H(K_Q^k | L_Q^k) \le 1 + k\epsilon_s$ and $H(L_Q^k | K_Q^k) \le 1 + k\epsilon_s$ by Fano’s inequality. That in turn implies that $\frac{1}{n} H(K_I^k, K_Q^k) \ge 2R_k - 2R_k\epsilon_s - \frac{2}{n}$. Further using the above result that $I(L_I^k, L_Q^k; E_I^m, E_Q^m, G^n) = 0$, we get $\frac{1}{n} I(K_I^k, K_Q^k; E_I^m, E_Q^m, G^n) \le 2R_k\epsilon_s + \frac{2}{n}$. Thus, Conditions 2, 4, and 5 in Section 2.2 are satisfied when $n$ is sufficiently large and $\epsilon_s$ is small enough.

Now, because the channel from $\hat{Y}^n$ to $Z^n$ is memoryless, we have $I(\hat{Y}^n; Z^n | G^n, \tilde{G}^n) \le nC_w(\beta)$. In addition, let’s consider a pair of fictitious decoders at the wiretapper trying to decode 1) for $\hat{Y}_I^n$ from observing $(Z_I^n, E_I^m, L_I^k, G^n, \tilde{G}^n)$, and 2) for $\hat{Y}_Q^n$ from observing $(Z_Q^n, E_Q^m, L_Q^k, G^n, \tilde{G}^n)$. Suppose that both decoders achieve the error probability $\epsilon_w$. Then we have $H(\hat{Y}_I^n | Z_I^n, L_I^k, E_I^m, G^n, \tilde{G}^n) \le 1 + (l - k)\epsilon_w$ and $H(\hat{Y}_Q^n | Z_Q^n, L_Q^k, E_Q^m, G^n, \tilde{G}^n) \le 1 + (l - k)\epsilon_w$ by Fano’s inequality. Putting all these and (5–4) back into (5–3), we obtain

$$
\begin{aligned}
\frac{1}{n} I(K_I^k, K_Q^k; Z^n, \tilde{G}^n \mid E_I^m, E_Q^m, G^n)
&\le \frac{1}{n} I(K_I^k, K_Q^k; Z^n, \tilde{G}^n, E_I^m, E_Q^m, G^n) \\
&\le C_w(\beta) - 2(R_c - R_k) + 2R_k\epsilon_s + 2(R_c - R_k)\epsilon_w + \frac{4}{n}.
\end{aligned}
\tag{5–5}
$$

Letting $R_l = C_w(\beta) - 2(R_c - R_k)$, Condition 3 in Section 2.2 is then satisfied if $\epsilon_s$ and $\epsilon_w$ are small enough and $n$ is large enough, showing that $(2R_k, R_l)$ is an achievable key-leakage rate pair as a result.


Table 5-1. Degree distribution pairs of the rate-0.426, rate-0.362, rate-0.276 irregular LDPC codes.

rate-0.426 rate-0.362 rate-0.276
λ2 0.2613 0.2427 0.2543
λ3 0.1803 0.1769 0.1534
λ4 0.0247
λ5 0.1342 0.0977
λ6 0.0355 0.1238 0.0484
λ7 0.0614
λ9 0.0401
λ10 0.0900
λ11 0.1144
λ12 0.0707
λ15 0.1066
λ16 0.0718
λ25 0.1031
λ26 0.0600
λ32 0.2036
λ48 0.0814
λ49 0.1107
λ89 0.1179
λ90 0.0351
ρ6 0.0009 0.2849 0.9143
ρ7 0.9704 0.6085 0.0857
ρ8 0.1066
ρ11 0.0287

5.3 LDPC Codes Design and Performance

In this section, we design irregular LDPC codes for use in the proposed key-agreement scheme to achieve good secrecy performance. As described in Section 5.2, we can design good LDPC codes for the I-component and the resulting codes will also work well for the Q-component. To that end, we apply the code search procedure as described in Section 4.3. Again, our goal is to design irregular LDPC code $C'$ so that the pair $(C, W)$ works well for the channel from $\hat{Y}_I^n$ to $X_I^n$ and the channel from $\hat{Y}_I^n$ to $Z_I^n$ given $L_I^k$. For a target $R_k$, in order to minimize the achievable leakage rate $R_l$, Eqn. (5–5) suggests that we should maximize $R_c$ subject to the constraint that both $\epsilon_s$ and $\epsilon_w$ vanish as the BP decoders at the source and wiretapper iterate.


To illustrate the secrecy performance for the proposed key-agreement scheme

over the fast fading wiretap channel, we consider three different channel scenarios: (a)

P/σ² = 5 dB and α² = −5 dB, (b) P/σ² = 2.5 dB and α² = 0 dB, and (c) P/σ² = 0 dB

and α² = 5 dB. The three scenarios correspond to cases in which the wiretapper’s

average SNR is weak, moderate and strong relative to the destination’s average SNR.

We apply the code search process described above in these three scenarios to obtain

the irregular LDPC codes presented below. For scenario (a), Figure 5-2 shows the

key-leakage rate pair (2Rk ,Rl) achieved by an irregular LDPC code obtained by setting

Rk = 0.34 in the code search process. The code rate R′c of this irregular LDPC code is

0.426 and the corresponding degree distribution pair is shown in Table 5-1. The block

length of the LDPC code is $m = 10^6$, and all length-4 loops are removed. Similarly,

computer simulation is performed to obtain an estimate of ϵs and ϵw , which are then

employed to calculate an achievable leakage rate as in (5–5), provided that ϵs ≤ 0.01

and ϵw ≤ 0.01. The resulting achievable key-leakage rate pair (2Rk ,Rl) are plotted

against the corresponding boundary of the (Cq,Rl) region, which is shown by the solid

curve in the figure. From Figure 5-2, we see that the pair (2Rk ,Rl) = (0.68, 0.036) is

achieved by using this rate-0.426 irregular LDPC code.

Next, we consider the more challenging scenario (b) in which the wiretapper’s

average SNR is as strong as that of the destination. Figure 5-3 shows the secrecy

performance of a rate-0.362 irregular LDPC code obtained by performing the code

search process with Rk = 0.193. The degree distribution pair of this irregular LDPC code

can also be found in Table 5-1. From Figure 5-3, we observe that the pair (2Rk ,Rl) =

(0.386, 0.03) is achievable by this code.

Finally, we consider the hardest scenario (c) in which the wiretapper’s average SNR

is much stronger than that of the destination. Figure 5-4 shows the achievable (2Rk ,Rl)

pair of a rate-0.276 irregular LDPC code obtained by performing the code search

process with Rk = 0.095. The degree distribution pair of this irregular LDPC code is


[Figure 5-2 plot. Horizontal axis: Rl (bpcu). Vertical axis: Cq or 2Rk (bpcu). Legend: Cq(Rl) at P/σ² = 5 dB, α² = −5 dB; achievable (2Rk, Rl) pair of the rate-0.426 irregular LDPC code.]

Figure 5-2. Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.426 irregular LDPC code.

again shown in Table 5-1. From Figure 5-4, we see that the pair (2Rk ,Rl) = (0.19, 0.024)

is achieved using this code. In conclusion, we can design good irregular LDPC codes

for use in the modified key-agreement scheme to achieve good secrecy performance by

performing the code search process described above under different channel scenarios.

5.4 Summary

In this chapter, we extend and modify the proposed LDPC-based key-agreement

scheme for Gaussian wiretap channel to work in the fast Rayleigh fading wiretapper

channel. The modified key-agreement scheme employs irregular punctured LDPC codes

separately for the I- and Q-components of the wiretap channel. A density-evolution

based linear program is also used to systematically design good irregular LDPC codes


[Figure 5-3 plot. Horizontal axis: Rl (bpcu). Vertical axis: Cq or 2Rk (bpcu). Legend: Cq(Rl) at P/σ² = 2.5 dB, α² = 0 dB; achievable (2Rk, Rl) pair of the rate-0.362 irregular LDPC code.]

Figure 5-3. Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.362 irregular LDPC code.

for use in the proposed scheme. Simulation results demonstrate that the irregular LDPC

codes obtained from the code search process achieve secrecy performance close to the

relaxed key capacity of the fast Rayleigh fading wiretap channel under various channel

settings.


[Figure 5-4 plot. Horizontal axis: Rl (bpcu). Vertical axis: Cq or 2Rk (bpcu). Legend: Cq(Rl) at P/σ² = 0 dB, α² = 5 dB; achievable (2Rk, Rl) pair of the rate-0.276 irregular LDPC code.]

Figure 5-4. Plot of the (2Rk, Rl) pair achieved by the modified key-agreement scheme employing the rate-0.276 irregular LDPC code.


CHAPTER 6
CONCLUSIONS

In this dissertation research, we designed practical secret-sharing schemes to allow

a source and destination to share secret information (a key) over a noisy channel in the

presence of an eavesdropper, or wiretapper.

Chapter 2 of this dissertation introduced the concept of relaxed key capacity, which

was defined as the maximum achievable key rate when the leakage rate was bounded

below a fixed value. The relaxed key capacity was employed in this dissertation as a

better benchmark than the “straight” key capacity to evaluate the secrecy performance

of practical secret-sharing schemes since they admit non-zero leakage rate because of

various practical implementation constraints.

In Chapter 3, we presented the proposed key-agreement scheme for the BPSK-constrained

Gaussian wiretap channel with hard-decision quantization at the destination.

The proposed scheme employs an ensemble of regular LDPC codes to support key

agreement. We proved that the proposed key-agreement scheme achieves the relaxed

key capacity with asymptotically large block length. This asymptotic result motivated

us to develop practical implementations of the proposed key-agreement scheme using

fixed irregular LDPC codes with finite block length and the more practical BP decoders.

Under these practical constraints, we obtained an upper bound on the amount of

information about the key leaked to the wiretapper to evaluate the secrecy performance

of the practical key-agreement schemes. We noticed that a similar LDPC-based

key-agreement scheme was proposed in [16], and a careful comparison to our proposed

scheme was also given in Chapter 3. We show that the scheme discussed in [16] is

more restrictive than our proposed key-agreement scheme. Simulation results confirmed

that the proposed scheme outperforms the scheme of [16] when restricting our attention

to fixed regular LDPC codes with small node degree and finite block length. However,

simulation results also show that fixed regular LDPC codes with small node degree and


finite block length do not provide good enough secrecy performance. To compensate,

we thus proposed the use of irregular LDPC codes in the proposed key-agreement

scheme to achieve better secrecy performance. Moreover, a density-evolution based

linear program was also proposed to systematically and efficiently design good irregular

LDPC codes to achieve a target key rate so that the amount of information leaked

to the wiretapper is minimized. Simulation results show that the secret-sharing irregular

LDPC codes obtained from our search perform relatively close to the relaxed key

capacity of the BPSK-constrained Gaussian wiretap channel, significantly outperforming

regular LDPC codes as well as irregular LDPC codes that were optimized just for

information reconciliation.

In Chapter 4, the proposed key-agreement schemes were extended to the case

when the source transmits M-ary PAM symbols, as a means to achieve higher key

rate. Multilevel coding and multistage decoding were employed to transform the M-ary

transmission into M binary-input wiretap channels. We used the density-evolution

based linear program to design M irregular LDPC codes such that each of them worked

well for the corresponding binary-input wiretap channel. Moreover, punctured irregular

LDPC codes were adopted to the proposed key-agreement scheme to protect the

secret key from direct exposure to the wiretapper. Chapter 5 applied the proposed

key-agreement scheme to the fast-fading wiretap channel. We showed that the I-

and Q-components of the fast Rayleigh fading wiretap channel were considered

separately in the key-agreement scheme. We also designed good LDPC codes for

use in the fast fading Rayleigh wiretap channel by using the density-evolution based

linear program. To summarize, we demonstrated in Chapter 4 and Chapter 5 that the

proposed key-agreement scheme and code search process were flexible enough to

take into account the cases when the source transmitted PAM symbols and when

the destination and wiretapper channels were both fast Rayleigh fading channels.

Simulation results show that the proposed key-agreement scheme achieves a leakage


rate of only 10% of the associated key rate in most of the channel settings considered,

even if the wiretapper channel was much stronger than the destination channel.

Finally, we point out that the arguments in the proof of Theorem 2.1 can be modified

to show the existence of an LDPC code (from the same regular LDPC code ensemble

considered in Section 3.2) that achieves the secrecy capacity [2, 5] of the Gaussian

wiretap channel with the BPSK source-symbol constraint. In Appendix D, we develop

a coding scheme for sending secret messages over the BPSK-constrained Gaussian

wiretap channel. Moreover, we demonstrate that the density-evolution based linear

program used extensively in this dissertation can be employed to find irregular LDPC

codes that give secrecy performance close to the boundary of the secrecy-equivocation

rate region of the BPSK-constrained Gaussian wiretap channel.


APPENDIX A
PROOF OF THEOREM 2.1

The case with discrete channel alphabets is established in [4, Corollary 2 of

Theorem 2]. The converse proof in [4] is directly applicable to continuous channel

alphabets, provided the average power constraint (2–1) can be incorporated into the

arguments in [4, pp. 1129–1130]. This latter requirement is simplified by the additive and

symmetric nature of the average power constraint [46, Section 3.6]. To avoid too much

repetition, we outline below only the steps of the proof that are not directly available in

[4, pp. 1129–1130]. For every permissible strategy with achievable key rate R, we have

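$$
\begin{aligned}
\frac{1}{n} I(K;L) &= \frac{1}{n} H(K) - \frac{1}{n} H(K|L) \\
&\ge \frac{1}{n} H(K) - \frac{1}{n}\left[1 + \Pr\{K \ne L\} \cdot \log|\mathcal{K}|\right] \\
&> \frac{1}{n} H(K) - \frac{1}{n} - \varepsilon\left[\frac{1}{n} H(K) + \varepsilon\right] \\
&> (1 - \varepsilon)(R - \varepsilon) - \frac{1}{n} - \varepsilon^2,
\end{aligned}
$$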

where the second line follows from Fano’s inequality, the third line results from

Conditions 1 and 5 in the definition of achievable key-leakage rate pair, and the last

line is due to Condition 4. In other words, every permissible secret-sharing strategy that

achieves the key-leakage rate pair (R,Rl) must satisfy

$$
R < \frac{1}{1 - \varepsilon}\left[\frac{1}{n} I(K;L) + \frac{1}{n} + \varepsilon^2\right] + \varepsilon.
\tag{A–1}
$$

Thus it suffices to upper bound I (K ;L). From Conditions 2, 3 and the chain rule, we

have

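$$
\begin{aligned}
\frac{1}{n} I(K;L) &\le \frac{1}{n} I(K;L \mid Z^n, \Phi^t, \Psi^t) + \frac{1}{n} I(K;Z^n \mid \Phi^t, \Psi^t) + \frac{1}{n} I(K; \Phi^t, \Psi^t) \\
&\le \frac{1}{n} I(K;L \mid Z^n, \Phi^t, \Psi^t) + R_l + 2\varepsilon \le \frac{1}{n} \sum_{j=1}^{n} I(X_j; Y_j \mid Z_j) + R_l + 2\varepsilon,
\end{aligned}
$$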


where the last inequality is due to the bound $I(K;L | Z^n, \Phi^t, \Psi^t) \le \sum_{j=1}^{n} I(X_j; Y_j | Z_j)$, which is shown in [4, pp. 1129–1130]. Similarly, using the chain rule and Condition 2, we also have

$$
\begin{aligned}
\frac{1}{n} I(K;L) &\le \frac{1}{n} I(K;L \mid \Phi^t, \Psi^t) + \frac{1}{n} I(K; \Phi^t, \Psi^t) \\
&\le \frac{1}{n} I(K;L \mid \Phi^t, \Psi^t) + \varepsilon \le \frac{1}{n} \sum_{j=1}^{n} I(X_j; Y_j) + \varepsilon,
\end{aligned}
$$

where the last inequality is due to the bound $I(K;L | \Phi^t, \Psi^t) \le \sum_{j=1}^{n} I(X_j; Y_j)$, which again can be shown by a simple modification to [4, pp. 1129–1130].

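Now let $Q$ be a uniform random variable that takes value from $\{1, 2, \ldots, n\}$ and is independent of all other random quantities. Define $(\tilde{X}, \tilde{Y}, \tilde{Z}) = (X_j, Y_j, Z_j)$ if $Q = j$. Then $p_{\tilde{Y},\tilde{Z}|\tilde{X}}(y, z | x) = p_{Y,Z|X}(y, z | x)$. Combining the two upper bounds on $\frac{1}{n} I(K;L)$ above, we have

$$
\begin{aligned}
\frac{1}{n} I(K;L) &\le \min\left\{ I(\tilde{X}; \tilde{Y} \mid \tilde{Z}, Q) + R_l,\; I(\tilde{X}; \tilde{Y} \mid Q) \right\} + 2\varepsilon \\
&\le \min\left\{ I(\tilde{X}; \tilde{Y} \mid \tilde{Z}) + R_l,\; I(\tilde{X}; \tilde{Y}) \right\} + 2\varepsilon,
\end{aligned}
\tag{A–2}
$$

where the last inequality is due to the fact that $Q \to \tilde{X} \to (\tilde{Y}, \tilde{Z})$ forms a Markov chain. The power constraint (2–1) implies that $E[|\tilde{X}|^2] \le P$. Combining (A–1) and (A–2), we obtain

$$
R < \frac{1}{1 - \varepsilon}\left[\min\left\{ I(\tilde{X}; \tilde{Y} \mid \tilde{Z}) + R_l,\; I(\tilde{X}; \tilde{Y}) \right\} + 2\varepsilon + \frac{1}{n}\right].
\tag{A–3}
$$

Since $\varepsilon$ can be arbitrarily small, (A–3) implies the converse result, i.e.,

$$
\begin{aligned}
R &\le \min\left\{ I(\tilde{X}; \tilde{Y} \mid \tilde{Z}) + R_l,\; I(\tilde{X}; \tilde{Y}) \right\} \\
&\le \max_{X : E[|X|^2] \le P} \min\left\{ I(X;Y \mid Z) + R_l,\; I(X;Y) \right\} \\
&= \max_{X : E[|X|^2] \le P} \min\left\{ I(X;Y) - I(Y;Z) + R_l,\; I(X;Y) \right\},
\end{aligned}
$$

where the last line is due to the fact that $p(y, z | x) = p(y|x)p(z|x)$.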


The achievability proof provided in [4] (also the ones in [47, 48]) for discrete channel

alphabets does not readily extend to continuous channel alphabets. Nevertheless

the same single backward message strategy suggested in [4] is still applicable for

continuous alphabets. That strategy uses $k = n + 1$ time instants with $i_j = j$ for

$j = 1, 2, \ldots, n$. That is, the source first sends $n$ symbols through the $(X, Y, Z)$ channel;

after receiving these n symbols, the destination feeds back a single message at the last

time instant to the source over the public channel. We provide a carefully structured

Wyner-Ziv code to support this secret-sharing strategy. The main steps of the key-agreement

procedure are the following:

1. The source sends a sequence of i.i.d. symbols $X^n$;

2. The destination “quantizes” its received sequence $Y^n$ into $\hat{Y}^n$ with a Wyner-Ziv compression scheme;

3. The destination uses a binning scheme with the quantized symbol sequences to determine the secret key and the information to feed back to the source over the public channel;

4. The source exploits the information sent by the destination to reconstruct the destination’s quantized sequence $\hat{Y}^n$ and uses the same binning scheme to generate its secret key.

For the memoryless wiretap channel $(X, Y, Z)$ specified by the joint pdf $p(y|x)p(z|x)p(x)$, consider the quadruple $(X, Y, \hat{Y}, Z)$ defined by the joint pdf $p(x, y, \hat{y}, z) = p(\hat{y}|y)p(y|x)p(z|x)p(x)$ with $p(\hat{y}|y)$ to be specified later. Given a sequence of $n$ elements $x^n = (x_1, x_2, \ldots, x_n)$, $p(x^n) = \prod_{j=1}^{n} p(x_j)$ unless otherwise specified. Similar notation and convention apply to all other sequences as well as their corresponding pdfs and conditional pdfs considered hereafter.

A.1 Random Code Generation

Fix the source distribution $p(x)$ to achieve the maximum in the $R_l$-relaxed key capacity expression, choose $p(\hat{y}|y)$ such that $I(X; \hat{Y}) - I(\hat{Y}; Z) > 0$ and $I(\hat{Y}; Z) > 0$, and let $p(\hat{y})$ denote the corresponding marginal. Note that the existence of such $p(\hat{y}|y)$ can be assumed without loss of generality if $I(X;Y) - I(Y;Z) > 0$ and $I(Y;Z) > 0$. If


$I(X;Y) - I(Y;Z) = 0$, there is nothing to prove. Similarly, if $I(Y;Z) = 0$, the construction below can be trivially modified to show that $I(X;Y)$ is an achievable key rate.

Fix a small (small enough so that the various rate definitions and bounds on probabilities below make sense and are non-trivial) $\varepsilon > 0$. If $R_l < I(\hat{Y};Z)$, let us define

$$
\begin{aligned}
R_1 &\triangleq I(Y; \hat{Y}) + 4\varepsilon \\
R_2 &\triangleq I(Y; \hat{Y}) - I(X; \hat{Y}) + 22\varepsilon \\
R_3 &\triangleq I(X; \hat{Y}) - I(\hat{Y}; Z) + R_l - \varepsilon \\
R_4 &\triangleq I(\hat{Y}; Z) - R_l - 17\varepsilon.
\end{aligned}
\tag{A–4}
$$

For each $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$, generate $2^{nR_4}$ codewords $\hat{Y}^n(j, \ell, 1), \hat{Y}^n(j, \ell, 2), \ldots, \hat{Y}^n(j, \ell, 2^{nR_4})$ according to $p(\hat{y}^n)$. The set of codewords $\{\hat{Y}^n(j, \ell, k)\}$ with $k = 1 \ldots 2^{nR_4}$ forms a subcode denoted by $C(j, \ell)$. The union of all subcodes $C(j, \ell)$ for $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$ forms the code $C$. For convenience, we denote the $2^{nR_1}$ codewords in $C$ as $\hat{Y}^n(1), \hat{Y}^n(2), \ldots, \hat{Y}^n(2^{nR_1})$, where $\hat{Y}^n(j + (\ell - 1)2^{nR_2} + (w - 1)2^{n(R_2 + R_3)}) = \hat{Y}^n(j, \ell, w)$ for $j = 1, 2, \ldots, 2^{nR_2}$, $\ell = 1, 2, \ldots, 2^{nR_3}$, and $w = 1, 2, \ldots, 2^{nR_4}$. The code $C$ and its subcodes $C(j, \ell)$ are revealed to the source, destination, and wiretapper. In the following, we refer to a codeword or its index in $C$ interchangeably. Under this convention, the subcode $C(j, \ell)$ is also the set that contains all the indices of its codewords. Denote $C(j) = \bigcup_{\ell=1}^{2^{nR_3}} C(j, \ell)$ and $C(\ell) = \bigcup_{j=1}^{2^{nR_2}} C(j, \ell)$.

A.2 Secret Sharing Procedure

For convenience, we define the joint typicality indicator function Tε(·) that takes in

a number of sequences as its arguments. The value of Tε(·) is 1 if the sequences are

ε-jointly typical, and the value is 0 otherwise. Further define the indicator function for the

sequence pair (y n, y n):

$$
S_\varepsilon(y^n, y^n) =
\begin{cases}
1 & \text{if } \Pr\{T_\varepsilon(X^n, y^n, y^n, Z^n) = 1\} \ge 1 - \varepsilon \\
0 & \text{otherwise}
\end{cases}
$$


where (X n,Z n) is distributed according to p(xn, zn|y n, y n) in the definition above.

The source generates a random sequence X n distributed according to p(xn). If X n

satisfies the average power constraint (2–1), the source sends X n through the (X ,Y ,Z)

channel. Otherwise, it ends the secret-sharing process. Since p(x) satisfies E [|X |2] ≤ P,

the law of large numbers implies that the probability of the latter event can be made

arbitrarily small by increasing n. Hence we can assume below, with no loss of generality,

that X n satisfies (2–1) and is sent by the source. This assumption helps to make the

probability calculations in later sections less tedious.

Upon reception of the sequence $Y^n$, the destination tries to quantize the received sequence. Let $M$ be the output of its quantizer. Specifically, if there is a unique sequence $Y^n(m) \in C$ for some $m \in \{1, 2, \ldots, 2^{nR_1}\}$ such that $S_\varepsilon(Y^n, Y^n(m)) = 1$, then it sets the output of the quantizer to $M = m$. If there is more than one such sequence, $M$ is set to be the smallest sequence index $m$. If there is no such sequence, it sets $M = 0$. Let $L$ and $J$ be the unique indices such that $Y^n(M) \in C(J, L)$. The index $L$ will be used as the key while the index $J$ is fed back to the source over the public channel, i.e. Ψk = J. If $M = 0$, set $J = 0$ and choose $L$ randomly over $\{1, 2, \ldots, 2^{nR_3}\}$ with uniform probabilities.

After receiving the feedback information J via the public channel, the source

attempts to find a unique Y n(m) ∈ C such that Tε(Xn, Y n(m)) = 1 and m ∈ C(J). If there

is such a unique Y n(m), the source decodes M = m. If there is no such sequence or

more than one such sequence, the source sets M = 0. If J = 0, it sets M = 0. Finally,

if M > 0, the source generates its key K = k , such that M ∈ C(J, k). If M = 0, it sets

K = 0.

We also consider a fictitious receiver who observes the sequence Z n and obtains

both indices J and L via the public channel. This receiver sets M = 0 if J = 0.

Otherwise, it attempts to find a unique Y n(m) ∈ C such that Tε(Yn(m),Z n) = 1 and


m ∈ C(J,L). If there is such a unique Y n(m), the source decodes M = m. If there is no

such sequence or more than one such sequence, the source sets M = 0.

A.3 Analysis of Probability of Error

We use a random coding argument to establish the existence of a code with rates

given by (A–4) such that Pr{K = L} and Pr{M = M} vanish in the limit of large block

length n. Without further clarification, we note that the probabilities of the events below,

except otherwise stated, are over the joint distribution of the codebook C, codewords,

and all other random quantities involved.

Before we proceed, we introduce the following lemma regarding the indicator

function Sε.

Lemma 2.

1. If $(Y^n, Y^n)$ distributes according to $p(y^n, y^n)$, then $\Pr\{S_\varepsilon(Y^n, Y^n) = 1\} > 1 - \varepsilon$ for sufficiently large $n$.

2. If $Y^n$ distributes according to $p(y^n)$, then $\Pr\{S_\varepsilon(y^n, Y^n) = 1\} \le \frac{2^{-n(R_1 - 7\varepsilon)}}{1-\varepsilon}$ for all $y^n$.

3. If $Y^n$ distributes according to $p(y^n)$, then $\Pr\{S_\varepsilon(Y^n, y^n) = 1\} \le \frac{2^{-n(R_1 - 7\varepsilon)}}{1-\varepsilon}$ for all $y^n$.

4. If $(Y^n, Y^n)$ distributes according to $p(y^n)p(y^n)$, then $\Pr\{S_\varepsilon(Y^n, Y^n) = 1\} > (1-\varepsilon) \cdot 2^{-n(R_1 - \varepsilon)}$ for sufficiently large $n$.

Proof. 1. This claim is actually shown in [49]. We briefly sketch the proof here using our notation for completeness and easy reference. By the reverse Markov inequality [49],

$$
\Pr\{S_\varepsilon(Y^n, Y^n) = 1\} \ge 1 - \frac{1 - \Pr\{T_\varepsilon(X^n, Y^n, Y^n, Z^n) = 1\}}{1 - (1-\varepsilon)} > 1 - \varepsilon
$$

where the second inequality is due to the fact that $\Pr\{T_\varepsilon(X^n, Y^n, Y^n, Z^n) = 1\} > 1 - \varepsilon^2$ for sufficiently large $n$.


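2. First, we only need to consider typical $y^n$ since the bound is trivial when $y^n$ is not typical. Notice that for any such $y^n$,

$$
\begin{aligned}
1 &\ge \int T_\varepsilon(x^n, y^n, y^n, z^n)\, p(x^n, y^n, z^n | y^n)\, dx^n\, dz^n\, dy^n \\
&= \int \Pr\{T_\varepsilon(X^n, y^n, y^n, Z^n) = 1\} \cdot \frac{p(y^n, y^n)}{p(y^n)}\, dy^n \\
&\ge \int \Pr\{T_\varepsilon(X^n, y^n, y^n, Z^n) = 1\} \cdot \frac{2^{-n(h(Y,Y)+\varepsilon)}}{2^{-n(h(Y)-\varepsilon)}}\, dy^n \\
&= 2^{-n(h(Y|Y)+2\varepsilon)} \int \Pr\{T_\varepsilon(X^n, y^n, y^n, Z^n) = 1\}\, dy^n.
\end{aligned}
$$

Hence

$$
\begin{aligned}
2^{n(h(Y|Y)+2\varepsilon)} &\ge \int \Pr\{T_\varepsilon(X^n, y^n, y^n, Z^n) = 1\}\, dy^n \\
&\ge \int S_\varepsilon(y^n, y^n) \cdot \Pr\{T_\varepsilon(X^n, y^n, y^n, Z^n) = 1\}\, dy^n \\
&\ge (1-\varepsilon) \int S_\varepsilon(y^n, y^n)\, dy^n.
\end{aligned}
\tag{A–5}
$$

Now

$$
\begin{aligned}
\Pr\{S_\varepsilon(y^n, Y^n) = 1\} &= \int S_\varepsilon(y^n, y^n)\, p(y^n)\, dy^n \\
&\le \int S_\varepsilon(y^n, y^n)\, 2^{-n(h(Y)-\varepsilon)}\, dy^n \\
&\le \frac{2^{-n(I(Y;Y)-3\varepsilon)}}{1-\varepsilon},
\end{aligned}
$$

where the last inequality is due to (A–5).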

3. Same as Part 2), interchanging the roles of y n and y n.

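4. From Part 1), we get

$$
\begin{aligned}
1 - \varepsilon &< \int S_\varepsilon(y^n, y^n)\, p(y^n, y^n)\, dy^n\, dy^n \\
&= \int S_\varepsilon(y^n, y^n)\, \frac{p(y^n, y^n)}{p(y^n)p(y^n)}\, p(y^n)p(y^n)\, dy^n\, dy^n \\
&\le \int S_\varepsilon(y^n, y^n) \cdot \frac{2^{-n(h(Y,Y)-\varepsilon)}}{2^{-n(h(Y)+\varepsilon)} \cdot 2^{-n(h(Y)+\varepsilon)}} \cdot p(y^n)p(y^n)\, dy^n\, dy^n \\
&= 2^{n(I(Y;Y)-3\varepsilon)} \Pr\{S_\varepsilon(Y^n, Y^n) = 1\}.
\end{aligned}
$$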


Moreover we need to bound the probabilities of the following events pertaining to M.

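Lemma 3.

1. $\Pr\{M = 0\} < 2\varepsilon$ for sufficiently large $n$.

2. For $m = 1, 2, \ldots, 2^{nR_1}$, $\Pr\{M = m\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}$.

3. When $n$ is sufficiently large, $\Pr\{M = m\} \ge \left[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\right]^{m-1} \cdot (1-\varepsilon)2^{-n(R_1-\varepsilon)}$ uniformly for all $m = 1, 2, \ldots, 2^{nR_1}$.

4. When $n$ is sufficiently large, $\Pr\{J = j, L = \ell\} > (1-\varepsilon)^4 \cdot 2^{-n(R_1-R_4+6\varepsilon)}$ uniformly for all $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$.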

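Proof. 1. We will use an argument similar to the one in the achievability proof of the rate distortion function in [38, Section 10.5] to bound $\Pr\{M = 0\}$. First note that $\{M = 0\}$ is the event that $S_\varepsilon(Y^n, Y^n(m)) = 0$ for all $m \in \{1, 2, \ldots, R_1\}$, and hence

$$
\begin{aligned}
\Pr\{M = 0\} &= \Pr\left\{ \bigcap_{m=1}^{2^{nR_1}} \{S_\varepsilon(Y^n, Y^n(m)) = 0\} \right\} \\
&= \int \left[\Pr\{S_\varepsilon(y^n, Y^n(1)) = 0\}\right]^{2^{nR_1}} p(y^n)\, dy^n,
\end{aligned}
\tag{A–6}
$$

where the second equality is due to the fact that $Y^n(1), \ldots, Y^n(2^{nR_1})$ are i.i.d. given each fixed $y^n$. But

$$
\begin{aligned}
\left[\Pr\{S_\varepsilon(y^n, Y^n(1)) = 0\}\right]^{2^{nR_1}} &= \left[1 - \int S_\varepsilon(y^n, y^n)\, p(y^n)\, dy^n\right]^{2^{nR_1}} \\
&= \left[1 - \int S_\varepsilon(y^n, y^n)\, p(y^n|y^n)\, \frac{p(y^n)p(y^n)}{p(y^n, y^n)}\, dy^n\right]^{2^{nR_1}} \\
&\le \left[1 - \int S_\varepsilon(y^n, y^n)\, p(y^n|y^n)\, \frac{2^{-n(h(Y)+\varepsilon)-n(h(Y)+\varepsilon)}}{2^{-n(h(Y,Y)-\varepsilon)}}\, dy^n\right]^{2^{nR_1}} \\
&= \left[1 - 2^{-n(I(Y;Y)+3\varepsilon)} \int S_\varepsilon(y^n, y^n)\, p(y^n|y^n)\, dy^n\right]^{2^{nR_1}} \\
&\le 1 - \int S_\varepsilon(y^n, y^n)\, p(y^n|y^n)\, dy^n + \exp\left(-2^{n\varepsilon}\right),
\end{aligned}
\tag{A–7}
$$

where the inequality on the third line is due to the fact that $S_\varepsilon(y^n, y^n) = 1$ implies $T_\varepsilon(y^n, y^n) = 1$, and the last line results from the inequality $(1 - xy)^k \le 1 - x + e^{-ky}$ for all $0 \le x, y \le 1$ and positive integer $k$ [38, Lemma 10.5.3]. Substituting (A–7)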


back into (A–6) and using Lemma 2 Part 1), we get

$$
\Pr\{M = 0\} \le 1 - \Pr\{S_\varepsilon(Y^n, Y^n) = 1\} + \exp\left(-2^{n\varepsilon}\right) < \varepsilon + \varepsilon = 2\varepsilon
$$

for sufficiently large $n$.

2. Notice that for $m = 1, 2, \ldots, 2^{nR_1}$,

$$
\begin{aligned}
\Pr\{M = m\} &= \Pr\{S_\varepsilon(Y^n, Y^n(m)) = 1, S_\varepsilon(Y^n, Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, Y^n(1)) = 0\} \\
&= \int \Pr\{S_\varepsilon(y^n, Y^n(1)) = 1\} \left[\Pr\{S_\varepsilon(y^n, Y^n(1)) = 0\}\right]^{m-1} p(y^n)\, dy^n
\end{aligned}
\tag{A–8}
$$

where the second equality results from the i.i.d. nature of $Y^n(1), \ldots, Y^n(m)$. Thus we have

$$
\Pr\{M = m\} \le \Pr\{S_\varepsilon(Y^n, Y^n(1)) = 1\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon},
$$

where the last inequality is due to Part 2) of Lemma 2 since $Y^n$ and $Y^n(1)$ are independent.

3. From (A–8), we have the lower bound

$$
\begin{aligned}
\Pr\{M = m\} &\ge \left[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\right]^{m-1} \Pr\{S_\varepsilon(Y^n, Y^n(1)) = 1\} \\
&\ge \left[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\right]^{m-1} \cdot (1-\varepsilon)2^{-n(R_1-\varepsilon)},
\end{aligned}
$$

where the first inequality is due to Part 2) of Lemma 2, and the second inequality is from Part 4) of Lemma 2 when $n$ is sufficiently large. Note that the same sufficiently large $n$ is enough to guarantee the validity of the lower bound above for all $m = 1, 2, \ldots, 2^{nR_1}$.

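4. First note that, for $j = 1, 2, \ldots, 2^{nR_2}$ and $\ell = 1, 2, \ldots, 2^{nR_3}$,

$$
\begin{aligned}
\Pr\{J = j, L = \ell\} &= \sum_{m \in C(j,\ell)} \Pr\{M = m\} \\
&= \sum_{w=1}^{2^{nR_4}} \Pr\left\{M = j + (\ell-1)2^{nR_2} + (w-1)2^{n(R_2+R_3)}\right\}.
\end{aligned}
$$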


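Thus applying Part 3) of the lemma, we get

$$
\begin{aligned}
&\Pr\{J = j, L = \ell\} \\
&\ge (1-\varepsilon)2^{-n(R_1-\varepsilon)} \cdot \sum_{w=1}^{2^{nR_4}} \left[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\right]^{j-1+(\ell-1)2^{nR_2}+(w-1)2^{n(R_2+R_3)}} \\
&\ge (1-\varepsilon)2^{-n(R_1-\varepsilon)} \left[1 - \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}\right]^{2^{n(R_2+R_3)}} \cdot \frac{1 - \left[1 - 2^{-n(R_1-7\varepsilon)}/(1-\varepsilon)\right]^{2^{nR_1}}}{1 - \left[1 - 2^{-n(R_1-7\varepsilon)}/(1-\varepsilon)\right]^{2^{n(R_2+R_3)}}} \\
&\ge (1-\varepsilon)2^{-n(R_1-\varepsilon)} \left[1 - \frac{2^{-n(R_4-7\varepsilon)}}{1-\varepsilon}\right] \cdot \frac{1 - \left[1 - 2^{-n(R_1-7\varepsilon)}/(1-\varepsilon)\right]^{2^{nR_1}}}{1 - \left[1 - 2^{-n(R_4-7\varepsilon)}/(1-\varepsilon)\right]} \\
&\ge (1-\varepsilon)^2 \cdot 2^{-n(R_1-R_4+6\varepsilon)} \left[1 - \frac{2^{-n(R_4-7\varepsilon)}}{1-\varepsilon}\right] \left[1 - \frac{\exp(-2^{7n\varepsilon})}{1-\varepsilon}\right] \\
&> (1-\varepsilon)^4 \cdot 2^{-n(R_1-R_4+6\varepsilon)}
\end{aligned}
\tag{A–9}
$$

uniformly for all $j = 1, 2, \ldots, 2^{nR_2}$ and $l = 1, 2, \ldots, 2^{nR_3}$, when $n$ is sufficiently large. The lower bound on the fourth line of (A–9) above is obtained from the inequality $(1-x)^k \ge 1 - kx$ for any $0 \le x \le 1$ and positive integer $k$. The lower bound on the fifth line is in turn based on the inequality $(1-x)^k \le e^{-kx}$ for $0 \le x \le 1$ and positive integer $k$.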

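We first consider the error event $\{K = L\}$. Note that

$$
\begin{aligned}
\Pr\{K = L\} &= \Pr\{M = 0\} + \Pr\{M > 0, K = L\} \\
&= \Pr\{M = 0\} + \sum_{m=1}^{2^{nR_1}} \Pr\{E_m \cup E_m, M = m\} \\
&\le \Pr\{M = 0\} + \sum_{m=1}^{2^{nR_1}} \Pr\{E_m, M = m\} + \sum_{m=1}^{2^{nR_1}} \Pr\{E_m, M = m\},
\end{aligned}
\tag{A–10}
$$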


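where $E_m$ is the event $\{T_\varepsilon(X^n, Y^n(m)) = 0\}$, and $E_m$ is the event that there is an $m' \in C(j)$ such that $m \in C(j)$, $m' = m$, and $T_\varepsilon(X^n, Y^n(m')) = 1$. From (A–8), we have

$$
\begin{aligned}
\Pr\{E_m, M = m\} &= \Pr\{T_\varepsilon(X^n, Y^n(m)) = 0, S_\varepsilon(Y^n, Y^n(m)) = 1, \\
&\qquad\; S_\varepsilon(Y^n, Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, Y^n(1)) = 0\} \\
&\le \Pr\{T_\varepsilon(X^n, Y^n, Y^n(m), Z^n) = 0, S_\varepsilon(Y^n, Y^n(m)) = 1, \\
&\qquad\; S_\varepsilon(Y^n, Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, Y^n(1)) = 0\} \\
&= \int \left[\int \Pr\{T_\varepsilon(x^n, y^n, Y^n(m), z^n) = 0, S_\varepsilon(y^n, Y^n(m)) = 1\}\, p(x^n, z^n|y^n)\, dx^n\, dz^n\right] \\
&\qquad \cdot \prod_{m'=1}^{m-1} \Pr\{S_\varepsilon(y^n, Y^n(m')) = 0\}\, p(y^n)\, dy^n \\
&= \int \left(\left\{\int [1 - T_\varepsilon(x^n, y^n, y^n, z^n)]\, p(x^n, z^n|y^n, y^n)\, dx^n\, dz^n\right\} \cdot S_\varepsilon(y^n, y^n)\, p(y^n)\, dy^n\right) \\
&\qquad \cdot \prod_{m'=1}^{m-1} \Pr\{S_\varepsilon(y^n, Y^n(m')) = 0\}\, p(y^n)\, dy^n \\
&\le \varepsilon \cdot \Pr\{S_\varepsilon(Y^n, Y^n(m)) = 1, S_\varepsilon(Y^n, Y^n(m-1)) = 0, \ldots, S_\varepsilon(Y^n, Y^n(1)) = 0\} \\
&= \varepsilon \cdot \Pr\{M = m\},
\end{aligned}
\tag{A–11}
$$

where the equality on the fourth line is due to the i.i.d. nature of $Y^n(1), \ldots, Y^n(2^{nR_1})$, the equality on the fifth line results from the fact that $p(x^n, z^n|y^n) = p(x^n, z^n|y^n, y^n)$ (since $(X, Z) \to Y \to Y$), and the inequality on the second last line is from the definition of the indicator function $S_\varepsilon$.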


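Similarly assuming $m \in C(j)$, we have from (A–8)

$$
\begin{aligned}
\Pr\{E_m, M = m\} &\le \sum_{\substack{m' \in C(j) \\ m' = m}} \Pr\{T_\varepsilon(X^n, Y^n(m')) = 1, S_\varepsilon(Y^n, Y^n(m)) = 1\} \\
&= \sum_{\substack{m' \in C(j) \\ m' = m}} \int \Pr\{T_\varepsilon(x^n, Y^n(m')) = 1\} \cdot \Pr\{S_\varepsilon(y^n, Y^n(m)) = 1\}\, p(x^n, y^n)\, dx^n\, dy^n \\
&\le 2^{n(R_1-R_2)} \cdot 2^{-n(I(X;Y)-3\varepsilon)} \cdot \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon} = \frac{2^{-n(R_1+8\varepsilon)}}{1-\varepsilon},
\end{aligned}
\tag{A–12}
$$

where the equality on the second line is due to the independence between $Y^n(m')$ and $Y^n(m)$, and the last inequality results from Part 2) of Lemma 2 and the bound $\Pr\{T_\varepsilon(x^n, Y^n(m')) = 1\} \le 2^{-n(I(X;Y)-3\varepsilon)}$, which is a direct result of [38, Theorem 15.2.2]. Hence, substituting the bounds in (A–11) and (A–12) back into (A–10) and using Part 1) of Lemma 3, we obtain

$$
\Pr\{K = L\} \le 2\varepsilon + \varepsilon \cdot \sum_{m=1}^{2^{nR_1}} \Pr\{M = m\} + \sum_{m=1}^{2^{nR_1}} \frac{2^{-n(R_1+8\varepsilon)}}{1-\varepsilon} = 2\varepsilon + \varepsilon + \frac{2^{-8n\varepsilon}}{1-\varepsilon} < 4\varepsilon
\tag{A–13}
$$

for $n$ sufficiently large.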

Next we consider the event {M = M}. Define Fm as the event {Tε(Yn(m),Z n) = 0}

and Fm as the event that there is an m′ ∈ C(ℓ, j) such that m ∈ C(ℓ, j), m′ = m,

and Tε(Yn(m′),Z n) = 1. Then we have, when n is sufficiently large, uniformly for all


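$j = 1, 2, \ldots, 2^{nR_2}$ and $l = 1, 2, \ldots, 2^{nR_3}$,

$$
\begin{aligned}
&\Pr\{M = M | J = j, L = \ell\} \\
&\le \sum_{m \in C(j,\ell)} \Pr\{F_m, M = m | J = j, L = \ell\} + \sum_{m \in C(j,\ell)} \Pr\{F_m, M = m | J = j, L = \ell\} \\
&\le \sum_{m \in C(j,\ell)} \varepsilon \cdot \Pr\{M = m | J = j, L = \ell\} + \sum_{m \in C(j,\ell)} \frac{2^{-n(R_1+7\varepsilon)}}{1-\varepsilon} \cdot \frac{1}{\Pr\{J = j, L = \ell\}} \\
&\le \varepsilon + \frac{2^{-n(R_1+7\varepsilon)}}{1-\varepsilon} \cdot \frac{2^{nR_4}}{(1-\varepsilon)^4 \cdot 2^{-n(R_1-R_4+6\varepsilon)}} \\
&= \varepsilon + \frac{2^{-n\varepsilon}}{(1-\varepsilon)^5} < 2\varepsilon.
\end{aligned}
\tag{A–14}
$$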

Note that the inequality on the third line of (A–14) results from upper bounds of

Pr{Fm,M = m} and Pr{Fm,M = m}, which can be obtained in ways almost identical to

the derivations in (A–11) and (A–12) respectively. The inequality on the fourth line is, on

the other hand, due to Part 4) of Lemma 3.

By expurgating the random code ensemble, we obtain the following lemma.

Lemma 4. For any $\epsilon > 0$ and $n$ sufficiently large, there exists a code $C_n$ with the rates $R_1$, $R_2$, $R_3$, and $R_4$ given by (A–4) such that

1. $\Pr\{K = L | C = C_n\} < 8\varepsilon$,

2. $\Pr\{M = M | C = C_n\} < 8\varepsilon$,

3. $\Pr\{M = m | C = C_n\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon}$ for all $m = 1, 2, \ldots, 2^{nR_1}$, and

4. $\Pr\{L = \ell | C = C_n\} < 2^{-n(R_3-8\varepsilon)}$ for all $\ell = 1, 2, \ldots, 2^{nR_3}$.

Proof. Combining Part 1) of Lemma 3, (A–13), and (A–14), we have

Pr{M = 0}+ Pr{K = L}+ Pr{M = M} < 8ε

for sufficiently large n. This implies that there must exist a Cn satisfying Pr{K = L|C =

Cn} < 8ε, Pr{M = M|C = Cn} < 8ε, and Pr{M = 0|C = Cn} < 8ε. Thus, Parts 1) and 2)

are proved.


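Now, fix this $C_n$. For $m = 1, 2, \ldots, 2^{nR_1}$, let $y^n(m)$ be the $m$th codeword of $C_n$. Then, by Part 3) of Lemma 2,

$$
\Pr\{M = m | C = C_n\} \le \Pr\{S_\varepsilon(Y^n, y^n(m)) = 1\} \le \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon};
$$

hence, Part 3) results.

Note that, for $\ell = 1, 2, \ldots, 2^{nR_3}$,

$$
\Pr\{L = \ell | C = C_n\} = \Pr\{L = \ell | M = 0, C = C_n\} \Pr\{M = 0 | C = C_n\} + \Pr\{L = \ell, M > 0 | C = C_n\}.
\tag{A–15}
$$

We know from the discussion above that $\Pr\{L = \ell | M = 0, C = C_n\} \Pr\{M = 0 | C = C_n\} < 2^{-nR_3} \cdot 8\varepsilon$. Also from Part 3) of the lemma,

$$
\Pr\{L = \ell, M > 0 | C = C_n\} = \sum_{m \in C_n(\ell)} \Pr\{M = m | C = C_n\} \le 2^{n(R_1-R_3)} \cdot \frac{2^{-n(R_1-7\varepsilon)}}{1-\varepsilon} = \frac{2^{-n(R_3-7\varepsilon)}}{1-\varepsilon}.
$$

Putting these back into (A–15), we get

$$
\Pr\{L = \ell | C = C_n\} < 2^{-n(R_3-7\varepsilon)} \left[8\varepsilon \cdot 2^{-7n\varepsilon} + \frac{1}{1-\varepsilon}\right] < 2^{-n(R_3-8\varepsilon)}
$$

for sufficiently large $n$. Thus, Part 4) is proved.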

In the remainder of the paper, we use a fixed code Cn identified by Lemma 4. For

convenience, we drop the conditioning on Cn.

A.4 Secrecy Analysis

First we proceed to bound H(K). Note that

H(K) = H(L) + H(K |L)− H(L|K)

≥ H(L)− H(L|K). (A–16)

Using Part 1) of Lemma 4 together with Fano’s inequality gives H(L|K) ≤ 1 + 8nεR3.

Moreover Part 4) of Lemma 4 implies that H(L) > n(R3 − 8ε). Putting these bounds back


into (A–16), we have

$$
R_3 - (8R_3 + 8)\varepsilon - \frac{1}{n} < \frac{1}{n} H(K) \le R_3.
\tag{A–17}
$$

Next we bound I (K ;Z n, J). Note that

I (K ;Z n, J) = I (L;Z n, J) + I (K ;Z n, J|L)− I (L;Z n, J|K)

≤ I (L;Z n, J) + I (K ;Z n, J|L)

≤ I (L;Z n, J) + H(K |L)

≤ I (L;Z n, J) + 8nεR3 + 1, (A–18)

where the last inequality is obtained from Part 1) of Lemma 4 and Fano’s inequality like

before. In addition, it holds that

I (L;Z n, J) = H(L)− H(L|Z n, J)

= H(L)− H(L, J|Z n) + H(J|Z n)

= H(L) + H(J|Z n)− H(L, J,M|Z n) + H(M|Z n,L, J)

≤ H(L) + H(J)− H(M|Z n)− H(L, J|M,Z n) + H(M|Z n,L, J)

≤ H(L) + H(J) + I (M;Z n)− H(M) + 8nR1ε+ 1,

where the second last inequality follows from H(J|Z n) ≤ H(J), and the last inequality

follows from H(L, J|M,Z n) = 0 (by definition of J and L) and H(M|Z n,L, J) ≤ 1 + 8nR1ε

(by Fano’s inequality applied to the fictitious receiver). By construction of the code Cn,

it holds that H(L) ≤ nR2 and H(J) ≤ nR3. In addition, Part 3) of Lemma 4 implies

H(M) ≥ n(R1 − 8ε). Finally, note that I (M;Z n) ≤ I (Y n;Z n) = nI (Y ;Z) by the

data-processing inequality applied to the Markov chain Y n → Y n → Z n and the

memoryless property of the channel between Y n and Z n. Combining these observations


and substituting the values of $R_1$, $R_2$, and $R_3$ given by (A–4) back into (A–18), we obtain

$$
\begin{aligned}
\frac{1}{n} I(K; Z^n, J) &\le R_2 + R_3 - R_1 + I(Y;Z) + (8R_1 + 8R_3 + 8)\varepsilon + \frac{2}{n} \\
&\le R_l + I(Y;Z) - I(Y;Z) + (8R_1 + 8R_3 + 9)\varepsilon,
\end{aligned}
$$

when $n$ is sufficiently large. Without any rate limitation on the public channel, we can choose the transition probability $p(y|y)$ such that $I(Y;Z) - I(Y;Z) \le \varepsilon$; therefore,

$$
\frac{1}{n} I(K; Z^n, J) \le R_l + n(8R_1 + 8R_3 + 9)\varepsilon.
\tag{A–19}
$$

Next we consider the asymptotic negligibility of $\frac{1}{n} I(K; J)$ conditioned on the code $C_n$. Similar to (A–18) we have

$$
I(K; J) \le I(L; J) + 8n\varepsilon R_3 + 1.
\tag{A–20}
$$

Then for $j = 1, 2, \ldots, 2^{nR_2}$ and $l = 1, 2, \ldots, 2^{nR_3}$, we have

$$
\Pr\{J = j, L = l\} = \sum_{w=1}^{2^{nR_4}} \Pr\left\{M = j + (l-1)2^{nR_2} + (w-1)2^{n(R_2+R_3)}\right\} \le \frac{2^{-n(R_2+R_3-7\varepsilon)}}{1-\varepsilon} < 2^{-n(R_2+R_3-8\varepsilon)}
$$

for sufficiently large $n$, where the first inequality is from Part 3) of Lemma 4. In other words, $H(J, L) > n(R_2 + R_3 - 8\varepsilon)$ for sufficiently large $n$. Hence, together with the facts $H(L) < nR_3$ and $H(J) < nR_2$, we have

$$
I(L; J) = H(L) + H(J) - H(J, L) \le nR_3 + nR_2 - n(R_2 + R_3 - 8\varepsilon) = 8n\varepsilon.
\tag{A–21}
$$

Putting this bound back to (A–20), we obtain $\frac{1}{n} I(K; J) \le 8\varepsilon(R_3 + 1) + \frac{1}{n}$. Since $\varepsilon$ can be chosen arbitrarily, Part 1) of Lemma 4, (A–17), (A–19), and (A–21) together establish the achievability of the relaxed key capacity. On the other hand, if $R_l \ge I(Y;Z)$, the code construction described above can be trivially modified to achieve the relaxed key capacity. That is, set $R_4 = 0$ and $R_3$ arbitrarily close to $I(X;Y)$.


APPENDIX B
PROOF OF LEMMA 1

As mentioned in the proof of Theorem 3.1, we adapt the proof of [39, Theorem 3]

to prove this lemma. The main argument is to establish that there is a secret-sharing

(dv , dc)-regular LDPC code ensemble (C,W) for which the ensemble average error

probabilities ϵs and ϵw simultaneously vanish as n increases under the assumptions

stated in the lemma.

To that end, we first examine the average weight spectra of the code C and

subspace W in the LDPC code ensemble:

Lemma 5. Consider the ensemble of $(n, l, k)$ secret-sharing code $(C, W)$ described in Section 3.2. For $0 < m \le n$, let $S_m$ and $T_m$ be the average numbers of codewords of Hamming weight $m$ in $C$ and $W$, respectively. Then, we have

$$
S_m = \binom{n}{m} \Pr(x^n \in C | w(x^n) = m)
\tag{B–1}
$$

$$
T_m = \frac{2^{l-k} - 1}{2^l - 1} \cdot S_m \le 2^{-k} S_m
\tag{B–2}
$$

where $w(x^n)$ is the Hamming weight of $x^n$.

Proof. Eqn. (B–1), given in [39], is obvious. It is also clear from the description of the code ensemble in Section 3.2 that

$$
\begin{aligned}
T_m &= \binom{n}{m} \Pr(x^n \in W | x \in C, w(x^n) = m) \Pr(x^n \in C | w(x^n) = m) \\
&= S_m \cdot \Pr(x^n \in W | x^n \in C, w(x^n) = m).
\end{aligned}
\tag{B–3}
$$

For any $x_0^n = 0^n \in C$, $\Pr(x_0^n \in W | x_0^n \in C)$ equals the ratio of the number of $(l-k)$-dimensional subspaces in $C$ that contain $x_0^n$ to the number of $(l-k)$-dimensional subspaces in $C$. The number of $(l-k)$-dimensional subspaces in $C$ is $\prod_{u=1}^{l-k} \frac{2^{l-u+1} - 1}{2^{l-k-u+1} - 1}$ (see [50, Theorem 7.1]). Further, let $X_0 = \{0^n, x_0^n\}$, and let $C' = C/X_0$ be the quotient of $C$ by $X_0$. Then $C'$ is a $(l-1)$-dimensional linear space. If $W$ is an $(l-k)$-dimensional subspace in $C$ that contains $x_0^n$, then $W' = W/X_0$ is an $(l-k-1)$-dimensional subspace


in $C'$. On the other hand, suppose that $W'$ is an $(l-k-1)$-dimensional subspace in $C'$. Then $W = \bigcup_{w^n + X_0 \in W'} (w^n + X_0)$ is an $(l-k)$-dimensional subspace in $C$ that contains $x_0^n$. It is also easy to see that the correspondence between $W'$ and $W$ above is one-to-one. As a result, the number of $(l-k)$-dimensional subspaces in $C$ that contain $x_0^n$ must be the same as the number of $(l-k-1)$-dimensional subspaces in $C'$, i.e., $\prod_{u=1}^{l-k-1} \frac{2^{l-u} - 1}{2^{l-k-u} - 1}$. So we have

$$
\Pr(x_0^n \in W | x_0^n \in C) = \frac{2^{l-k} - 1}{2^l - 1}
$$

for all $x_0^n = 0 \in C$. This implies

$$
\Pr(x^n \in W | x^n \in C, w(x^n) = m) = \frac{2^{l-k} - 1}{2^l - 1} \le 2^{-k}
$$

for $0 < m \le n$. Putting this back into (B–3), we obtain (B–2).
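The counting argument in the proof of Lemma 5 can be checked by brute force for small parameters. The following Python sketch is an added example, not part of the dissertation; it assumes C is all of GF(2)^l (any l-dimensional binary linear code is isomorphic to it), encodes vectors as l-bit integers with XOR as addition, and its function names are hypothetical.

```python
from fractions import Fraction
from itertools import combinations


def span(basis):
    """All GF(2) linear combinations of the given vectors (ints, XOR = addition)."""
    elems = {0}
    for v in basis:
        elems |= {x ^ v for x in elems}
    return frozenset(elems)


def subspaces(l, d):
    """Every d-dimensional subspace of GF(2)^l, found by exhaustive search."""
    found = set()
    for basis in combinations(range(1, 1 << l), d):
        s = span(basis)
        if len(s) == 1 << d:  # keep only linearly independent choices
            found.add(s)
    return found


def subspace_count(l, d):
    """Product formula quoted in the proof, written with d = l - k."""
    num = den = 1
    for u in range(1, d + 1):
        num *= (1 << (l - u + 1)) - 1
        den *= (1 << (d - u + 1)) - 1
    return num // den


def containment_fractions(l, k):
    """For each nonzero x0 in C, the fraction of (l-k)-dimensional
    subspaces W of C that contain x0."""
    all_w = subspaces(l, l - k)
    return {
        x0: Fraction(sum(1 for w in all_w if x0 in w), len(all_w))
        for x0 in range(1, 1 << l)
    }


if __name__ == "__main__":
    for l, k in [(4, 2), (5, 2), (5, 3)]:
        fractions = set(containment_fractions(l, k).values())
        print(l, k, subspace_count(l, l - k), fractions)
```

Every nonzero codeword lands in the same fraction of subspaces, which is why the weight spectrum of W is a fixed multiple of that of C in (B–2).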

For $C$ chosen uniformly from the $(d_v, d_c)$-regular LDPC code ensemble as described in Section 3.2, an upper bound on $\Pr(x^n \in C | w(x^n) = m)$ is also available in [39, Lemma 2]:

• If $m d_v$ is odd, $\Pr(x^n \in C | w(x^n) = m) = 0$.

• If $m d_v$ is even,

$$
\Pr(x^n \in C | w(x^n) = m) \le
\begin{cases}
\binom{n-l}{\frac{m d_v}{2}} \left[\frac{m d_v}{2(n-l)}\right]^{m d_v} & \text{for } m d_v \le 2(n-l) \\
[(n-l)d_c + 1] \left[\frac{1 + \left(1 - \frac{2m}{n}\right)^{d_c}}{2}\right]^{n-l} & \text{otherwise.}
\end{cases}
$$

In addition, $\Pr(x^n \in C | w(x^n) = m) = \Pr(x^n \in C | w(x^n) = n - m)$ (and hence $S_{n-m} = S_m$) if $d_c$ is even.

Next, we employ Lemma 5 and the combined union and Shulman-Feder bound

in [39, Theorem 1] to bound ϵs and ϵw . To bound ϵw , consider the channel with Y n as

input and Z n as output. First, note that Y n contains i.i.d. equally likely binary elements.

Hence, this channel is a memoryless BISO channel, and is specified by the conditional

pdf pZ |Y (z |y) = pZ |X (z |1)pX |Y (1|y) + pZ |X (z | − 1)pX |Y (−1|y). Since E nS + Xn0 +W is


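a coset and the channel is memoryless BISO, it suffices to assume $Y^n = X_0^n \in W$. In addition, note that all possible $X_0^n$ sequences are equally likely. Now, let $K = \frac{6}{d_v} \ln \frac{d_v}{1-R_c}$ and $\beta = \frac{2(1-R_c)}{d_v} e^{-12-K}$. For any $\beta < \gamma < \frac{1}{2}$, applying the bound in [39, Theorem 1] to the subcode $W$, the ensemble average decoding error probability of the ML decoder at the wiretapper can be upper-bounded as

$$
\epsilon_w \le
\begin{cases}
\tau_1 + \tau_2 + 2^{-n E_r^w\left(R_c - R_k + \frac{1}{n} \log_2 \alpha_w\right)} & \text{for odd } d_c \\
\sum_{i=1}^{5} \tau_i + 2^{-n E_r^w\left(R_c - R_k + \frac{1}{n} \log_2 \alpha_w\right)} & \text{for even } d_c,
\end{cases}
\tag{B–4}
$$

where $\tau_1 = \sum_{m=1}^{\beta n} T_m D_w^m$, $\tau_2 = \sum_{m=\beta n+1}^{\gamma n} T_m D_w^m$, $\tau_3 = \sum_{m=n-\gamma n}^{n-\beta n-1} T_m D_w^m$, $\tau_4 = \sum_{m=n-\beta n}^{n-1} T_m D_w^m$, $\tau_5 = T_n D_w^n$, $D_w = \int \sqrt{p_{Z|Y}(z|1) \cdot p_{Z|Y}(z|-1)}\, dz$,

$$
\alpha_w =
\begin{cases}
\max_{m \in \{\gamma n+1, \ldots, n\}} \frac{T_m}{2^{l-k} - 1} \cdot \frac{2^n}{\binom{n}{m}} & \text{for odd } d_c \\
\max_{m \in \{\gamma n+1, \ldots, n-\gamma n-1\}} \frac{T_m}{2^{l-k} - 1} \cdot \frac{2^n}{\binom{n}{m}} & \text{for even } d_c,
\end{cases}
$$

and $E_r^w(R) = \max_q \max_{0 \le \rho \le 1} \{E_0^w(\rho, q) - \rho R\}$ is the random coding error exponent with

$$
E_0^w(\rho, q) = -\log_2 \int \left[q(1)\, p_{Z|Y}(z|1)^{1/(1+\rho)} + q(-1)\, p_{Z|Y}(z|-1)^{1/(1+\rho)}\right]^{1+\rho} dz,
$$

and $q$ is the probability mass function (pmf) of the channel input $Y$. It is known that the optimal $q$ is $q(1) = q(-1) = 0.5$.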

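Employing Lemma 5 and the bound on $\Pr(x^n \in C | w(x^n) = m)$ that follows (see also [39, Lemma 2]), it is not hard to further bound the various terms in (B–4):

$$
\tau_1 \le
\begin{cases}
2^{-nR_k}\, n^{1-d_v/2}\, (1-R_c)^{-d_v/2}\, \frac{D_w}{1-D_w}\, \frac{(d_v/2)^{d_v}}{(d_v/2)!} & \text{for even } d_v \\
2^{-nR_k}\, n^{2-d_v}\, (1-R_c)^{-d_v}\, \frac{D_w^2}{2(1-D_w^2)}\, \frac{(d_v)^{2d_v}}{d_v!} & \text{for odd } d_v,
\end{cases}
$$

$$
\frac{\log_2 \tau_2}{n} \le \frac{1}{n}\{\log_2 n + \log_2[(n-k)d_c + 1]\} - R_k + \max_{\beta \le x \le \gamma} \left\{x \log_2 D_w + H_2(x) + (1-R_c)\left(\log_2[1 + (1-2x)^{d_c}] - 1\right)\right\},
$$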


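and for even $d_c$,

$$
\tau_4 = \sum_{m=1}^{\beta n} T_m D_w^m D_w^{n-2m} \le \tau_1 D_w^{n(1-2\beta)},
$$

$$
\frac{\log_2 \tau_3}{n} \le \frac{\log_2 \tau_2}{n} + (1-2\gamma) \log_2 D_w,
$$

and

$$
\tau_6 \le 2^{-nR_k} D_w^n = 2^{-n(R_k - \log_2 D_w)}.
$$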

Also,

log2 αwn

(1− Rc) max

γ≤x≤1log2[1 + (1− 2x)dc ] +

1

n{1 + log2[(n − l)dc + 1]} for odd dc

(1− Rc) maxγ≤x≤1−γ

log2[1 + (1− 2x)dc ] +1

n{1 + log2[(n − l)dc + 1]} for even dc

≤ (1− Rc) log2[1 + (1− 2γ)dc ] +1

n{1 + log2[(n − l)dc + 1]}.

For bounding ϵs , note that the channel with Y n as input and X n as output is a

memoryless BSC and is specified by the conditional pmf pX |Y (x |y) = pY |X (y |x). Again,

since E nS + C is a coset and the channel is memoryless BISO, it suffices to assume

Y n = X n0 ∈ C. With this identification, the resulting bound on ϵs follows the same line of

arguments as above, and is essentially given in [39]. We summarize the bound below for

later reference:

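$$
\epsilon_s \le
\begin{cases}
\sigma_1 + \sigma_2 + 2^{-n E_r^s\left(R_c + \frac{1}{n} \log_2 \alpha_s\right)} & \text{for odd } d_c \\
\sigma_1 + \sigma_2 + \sigma_3 + \sigma_4 + \sigma_5 + 2^{-n E_r^s\left(R_c + \frac{1}{n} \log_2 \alpha_s\right)} & \text{for even } d_c,
\end{cases}
\tag{B–5}
$$

where

$$
\sigma_1 \le
\begin{cases}
n^{1-d_v/2}\, (1-R_c)^{-d_v/2}\, \frac{D_s}{1-D_s}\, \frac{(d_v/2)^{d_v}}{(d_v/2)!} & \text{for even } d_v \\
n^{2-d_v}\, (1-R_c)^{-d_v}\, \frac{D_s^2}{2(1-D_s^2)}\, \frac{(d_v)^{2d_v}}{d_v!} & \text{for odd } d_v,
\end{cases}
$$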


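$$
\frac{\log_2 \sigma_2}{n} \le \frac{1}{n}\{\log_2 n + \log_2[(n-l)d_c + 1]\} + \max_{\beta \le x \le \gamma} \left\{x \log_2 D_s + H_2(x) + (1-R_c)\left(\log_2[1 + (1-2x)^{d_c}] - 1\right)\right\},
$$

and for even $d_c$,

$$
\sigma_4 = \sum_{m=1}^{\beta n} T_m D_s^m D_s^{n-2m} \le \sigma_1 D_s^{n(1-2\beta)},
$$

$$
\frac{\log_2 \sigma_3}{n} \le \frac{\log_2 \sigma_2}{n} + (1-2\gamma) \log_2 D_s,
$$

$$
\sigma_5 \le D_s^n = 2^{n \log_2 D_s},
$$

and

$$
\frac{\log_2 \alpha_s}{n} \le \frac{1}{n}\{1 + \log_2[(n-l)d_c + 1]\} + (1-R_c) \log_2[1 + (1-2\gamma)^{d_c}],
$$

with $D_s = 2\sqrt{p_{X|Y}(1|1) \cdot p_{X|Y}(1|-1)}$, and $E_r^s(R) = \max_q \max_{0 \le \rho \le 1} \{E_0^s(\rho, q) - \rho R\}$ is the random coding error exponent of the channel of interest based on

$$
\begin{aligned}
E_0^s(\rho, q) = -\log_2 \Big\{ &\left[q(1)\, p_{X|Y}(1|1)^{1/(1+\rho)} + q(-1)\, p_{X|Y}(1|-1)^{1/(1+\rho)}\right]^{1+\rho} \\
&+ \left[q(1)\, p_{X|Y}(-1|1)^{1/(1+\rho)} + q(-1)\, p_{X|Y}(-1|-1)^{1/(1+\rho)}\right]^{1+\rho} \Big\}.
\end{aligned}
$$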

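Recall that $R_c < C_s(\beta)$ and $R_c - R_k < C_w(\beta)$. Choose $\varepsilon > 0$ small enough such that $R_c + 2\varepsilon < C_s(\beta)$ and $R_c - R_k + 2\varepsilon < C_w(\beta)$. For any $0 < \gamma < 0.5$, there exist large enough $d_v$ and $d_c$ such that

1. $\frac{d_v}{d_c} = 1 - R_c$,

2. $0 < \beta < \gamma$,

3. $K < \varepsilon$, and

4. $\log_2\left[1 + (1-2\gamma)^{d_c}\right] < \varepsilon$.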


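With this choice of $(d_v, d_c)$, we have

$$
\begin{aligned}
\max_{\beta \le x \le \gamma} \left\{H_2(x) + (1-R_c)\left(\log_2[1 + (1-2x)^{d_c}] - 1\right)\right\}
&\le H_2(\gamma) + (1-R_c)\left\{\log_2[1 + (1-2\beta)^{d_c}] - 1\right\} \\
&\le H_2(\gamma) + (1-R_c)\left[\log_2\left(1 + e^{-2 d_c \beta}\right) - 1\right] \\
&\le H_2(\gamma) + (1-R_c)\left[\log_2\left(1 + e^{-4 e^{-12-\varepsilon}}\right) - 1\right]
\end{aligned}
$$

for any $0 < \gamma < 0.5$, where the second inequality follows from the inequality $1 - 2x < e^{-2x}$ and the last inequality follows from the definition of $\beta$. Hence, we can make

$$
\max_{\beta \le x \le \gamma} \left\{H_2(x) + (1-R_c)\left(\log_2[1 + (1-2x)^{d_c}] - 1\right)\right\} < 0
$$

by choosing $\gamma$ small enough since $C_s(\beta) \le 1$. Thus for sufficiently large $n$, we get the following results,

1. $\frac{1}{n} \log_2 \tau_2 < 0$ and $\frac{1}{n} \log_2 \tau_3 < 0$,

2. $\frac{1}{n} \log_2 \sigma_2 < 0$ and $\frac{1}{n} \log_2 \sigma_3 < 0$,

3. $R_c - R_k + \frac{1}{n} \log_2 \alpha_w \le R_c - R_k + (1-R_c)\varepsilon + \varepsilon < C_w(\beta)$, and

4. $R_c + \frac{1}{n} \log_2 \alpha_s \le R_c + (1-R_c)\varepsilon + \varepsilon < C_s(\beta)$.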

Further, by employing the well known fact that the random coding exponent is positive if

its rate argument is below channel capacity, we obtain the stated asymptotic behaviors

of ϵs and ϵw .


APPENDIX C
PROOFS OF (3-2) AND (3-3)

The proofs of (3–2) and (3–3) are established by checking the concavity and

symmetry of I (X ;Y ) − I (Y ;Z) as a function of the binary source distribution in the

respective cases.

C.1 Proof of (3-2)

The channel model described in (3–1) restricts all BPSK source symbols to have the fixed power $\beta^2$. However, $\beta$ can be chosen to be any value as long as it is less than $\sqrt{P}$. This means that the source distribution is characterized by $s = \Pr\{X = -1\}$ and $\beta$. For convenience, write $s = 1 - s$. Let's further define the conditional densities $p(y|X = 1)$ and $p(y|X = -1)$ that specify the destination channel, respectively, as

$$
q_+(y) = \frac{1}{\sqrt{2\pi}\sigma} \exp\left[-\frac{(y-\beta)^2}{2\sigma^2}\right], \qquad
q_-(y) = \frac{1}{\sqrt{2\pi}\sigma} \exp\left[-\frac{(y+\beta)^2}{2\sigma^2}\right].
$$

Then we have

$$
\begin{aligned}
I(X;Y) &= H(Y) - H(Y|X) \\
&= \int_{-\infty}^{\infty} -\log_2\left(s q_+(y) + s q_-(y)\right) \cdot \left[s q_+(y) + s q_-(y)\right] dy - \frac{1}{2} \log_2 2\pi e \sigma^2.
\end{aligned}
$$

For a fixed value of $\beta$, let $g(s) = -\int_{-\infty}^{\infty} \log_2\left[s q_+(y) + s q_-(y)\right] \left[s q_+(y) + s q_-(y)\right] dy$ be a function of $s$. It is easy to check that $g(s)$ is symmetric in the sense that $g(s) = g(s)$. Moreover, it can be shown that the second derivative of $g(s)$ with respect to (w.r.t.) $s$ is non-positive over $[0, 1]$ for any $y$. This implies that $g(s)$ is concave over $[0, 1]$. Hence, $g(s)$ is Schur-concave [51] and is maximized by choosing $s = s = 0.5$. As a result, we


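have

$$
\begin{aligned}
\max_{0 \le s \le 1} I(X;Y) &= g(0.5) - \frac{1}{2} \log_2 2\pi e \sigma^2 \\
&= [H(X) - H(X|Y)]_{s=0.5} \\
&= 1 - \int_{-\infty}^{\infty} H_2\left(\frac{q_+(y)}{q_+(y) + q_-(y)}\right) \cdot \left[\frac{q_+(y) + q_-(y)}{2}\right] dy \\
&= 1 - \frac{1}{\sqrt{2\pi}} \int_0^{\infty} H_2\left(\frac{1}{1 + e^{-2\beta y}}\right) \left(1 + e^{-2\beta y}\right) \exp\left[-\frac{(y-\beta)^2}{2}\right] dy,
\end{aligned}
$$

where $\beta = \frac{\beta}{\sigma}$. Similarly,

$$
\begin{aligned}
&I(X;Y) - I(Y;Z) \\
&= H(Y|Z) - H(Y|X) \\
&= \int_{-\infty}^{\infty} \int_{-\infty}^{\infty} -\log_2\left(\frac{s q_+(y) p_+(z) + s q_-(y) p_-(z)}{s p_+(z) + s p_-(z)}\right) \left[s q_+(y) p_+(z) + s q_-(y) p_-(z)\right] dy\, dz - \frac{1}{2} \log_2 2\pi e \sigma^2.
\end{aligned}
$$

For a fixed value of $\beta$, let

$$
f(s) = \int_{-\infty}^{\infty} \int_{-\infty}^{\infty} -\log_2\left(\frac{s q_+(y) p_+(z) + s q_-(y) p_-(z)}{s p_+(z) + s p_-(z)}\right) \cdot \left[s q_+(y) p_+(z) + s q_-(y) p_-(z)\right] dy\, dz.
$$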


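By a similar argument as above, we conclude that $f(s)$ is Schur-concave and maximized by choosing $s = s = 0.5$, and we have

$$
\begin{aligned}
&\max_{0 \le s \le 1} [I(X;Y) - I(Y;Z)] \\
&= f(0.5) - \frac{1}{2} \log_2 2\pi e \sigma^2 \\
&= \int_{-\infty}^{\infty} \int_{-\infty}^{\infty} -\log_2\left(\frac{q_+(y) p_+(z) + q_-(y) p_-(z)}{[q_+(y) + q_-(y)][p_+(z) + p_-(z)]}\right) \cdot \left[\frac{q_+(y) p_+(z) + q_-(y) p_-(z)}{2}\right] dy\, dz \\
&\quad + g(0.5) - \frac{1}{2} \log_2 2\pi e \sigma^2 - 1 \\
&= \int_0^{\infty} \int_0^{\infty} H_2\left(\frac{q_+(y) p_+(z) + q_-(y) p_-(z)}{[q_+(y) + q_-(y)][p_+(z) + p_-(z)]}\right) [q_+(y) + q_-(y)][p_+(z) + p_-(z)]\, dy\, dz \\
&\quad - \frac{1}{\sqrt{2\pi}} \int_0^{\infty} H_2\left(\frac{1}{1 + e^{-2\beta y}}\right) \left(1 + e^{-2\beta y}\right) \exp\left[-\frac{(y-\beta)^2}{2}\right] dy \\
&= \frac{1}{2\pi} \int_0^{\infty} \int_0^{\infty} H_2\left(\frac{1 + e^{-2\beta y} \cdot e^{-2\alpha\beta z}}{[1 + e^{-2\beta y}][1 + e^{-2\alpha\beta z}]}\right) \exp\left[-\frac{(y-\beta)^2}{2} - \frac{(z-\alpha\beta)^2}{2}\right] \left[1 + e^{-2\beta y}\right]\left[1 + e^{-2\alpha\beta z}\right] dy\, dz \\
&\quad - \frac{1}{\sqrt{2\pi}} \int_0^{\infty} H_2\left(\frac{1}{1 + e^{-2\beta y}}\right) \left(1 + e^{-2\beta y}\right) \exp\left[-\frac{(y-\beta)^2}{2}\right] dy.
\end{aligned}
$$

Putting all these back to Theorem 2.1, the $R_l$-relaxed key capacity of the BPSK-constrained wiretap channel is thus given by

$$
\begin{aligned}
&C_b(R_l) \\
&= \max_{0 \le \beta \le \sqrt{P}} \max_{0 \le s \le 1} \min\{I(X;Y) - I(Y;Z) + R_l,\; I(X;Y)\} \\
&= \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \Bigg[ \min\Bigg\{ \frac{1}{2\pi} \int_0^{\infty} \int_0^{\infty} H_2\left(\frac{1 + e^{-2\beta y} \cdot e^{-2\alpha\beta z}}{[1 + e^{-2\beta y}][1 + e^{-2\alpha\beta z}]}\right) \left[1 + e^{-2\beta y}\right]\left[1 + e^{-2\alpha\beta z}\right] \\
&\qquad\qquad \cdot \exp\left[-\frac{(y-\beta)^2}{2} - \frac{(z-\alpha\beta)^2}{2}\right] dy\, dz + R_l,\; 1 \Bigg\} \\
&\qquad - \frac{1}{\sqrt{2\pi}} \int_0^{\infty} H_2\left(\frac{1}{1 + e^{-2\beta y}}\right) \left(1 + e^{-2\beta y}\right) \exp\left[-\frac{(y-\beta)^2}{2}\right] dy \Bigg],
\end{aligned}
$$

where the third line is due to the fact that $s = s = 0.5$ simultaneously maximizes both terms inside the min operator. Note that the maximum above may occur at an interior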


point of the interval $\left[0, \sqrt{P/\sigma^2}\right]$. That means the key capacity may be achieved by not transmitting at the maximum allowable source power.

C.2 Proof of (3-3)

To find the $R_l$-relaxed key capacity of the BPSK-constrained Gaussian wiretap channel with destination hard-decision quantization, first note that the destination channel is a BSC with cross-over probability $q = Q\left(\frac{\beta}{\sigma}\right)$. Similarly, write $q = 1 - q$ and define the conditional densities $p(Z|X = 1)$ and $p(Z|X = -1)$ that specify the wiretapper channel, respectively, as

$$
p_+(z) = \frac{1}{\sqrt{2\pi}\sigma} \exp\left[-\frac{(z-\alpha\beta)^2}{2\sigma^2}\right], \qquad
p_-(z) = \frac{1}{\sqrt{2\pi}\sigma} \exp\left[-\frac{(z+\alpha\beta)^2}{2\sigma^2}\right].
$$

Then we have

$$
\begin{aligned}
I(X;Y) - I(Y;Z) &= H(Y|Z) - H(Y|X) \\
&= \int_{-\infty}^{\infty} H_2\left(\frac{s q p_+(z) + s q p_-(z)}{s p_+(z) + s p_-(z)}\right) \cdot \left[s p_+(z) + s p_-(z)\right] dz - H_2(q).
\end{aligned}
$$

Again, let $f(s) = \int_{-\infty}^{\infty} H_2\left(\frac{s q p_+(z) + s q p_-(z)}{s p_+(z) + s p_-(z)}\right) \left[s p_+(z) + s p_-(z)\right] dz$ be a function of $s$. Note that $f(s)$ is again Schur-concave and is maximized by choosing $s = s = 0.5$. Hence,

$$
\max_{0 \le s \le 1} I(X;Y) - I(Y;Z) = f(0.5) - H_2(q).
$$

Moreover, it is well known that

$$
I(X;Y) = H_2(sq + sq) - H_2(q),
$$

which achieves its maximum $1 - H_2(q)$, for any fixed value of $\beta$, by choosing $s = s = 0.5$. Finally, putting the above into Theorem 2.1, the $R_l$-relaxed key capacity of the BPSK-constrained wiretap channel with hard-decision quantization at destination is thus

113

Page 114: c 2011 Chan Wong Wong - University of Floridaufdcimages.uflib.ufl.edu/UF/E0/04/35/92/00001/WONG_C.pdfc 2011 Chan Wong Wong 2 To my family 3 ACKNOWLEDGMENTS First of all, I thank my

given by

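$$
\begin{aligned}
C_{bq}(R_l) &= \max_{0 \le \beta \le \sqrt{P}}\ \max_{0 \le s \le 1}\ \min\{I(X;Y) - I(Y;Z) + R_l,\ I(X;Y)\} \\
&= \max_{0 \le \beta \le \sqrt{P}}\ \min\{f(0.5) - H_2(q) + R_l,\ 1 - H_2(q)\} \\
&= \max_{0 \le \beta \le \sqrt{P}} \left[\min\left\{\int_{-\infty}^{\infty} H_2\!\left(\frac{q\,p_+(z) + \bar{q}\,p_-(z)}{p_+(z) + p_-(z)}\right)\cdot\left(\frac{p_+(z) + p_-(z)}{2}\right)dz + R_l,\ 1\right\} - H_2(q)\right] \\
&= \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \left[\min\left\{\frac{1}{\sqrt{2\pi}}\int_0^\infty H_2\!\left(\frac{Q(\beta) + [1 - Q(\beta)]e^{-2\alpha\beta z}}{1 + e^{-2\alpha\beta z}}\right)\left(1 + e^{-2\alpha\beta z}\right)\exp\!\left[-\frac{(z - \alpha\beta)^2}{2}\right]dz + R_l,\ 1\right\} - H_2(Q(\beta))\right],
\end{aligned}
$$

where the third line is due to the fact that $s = \bar{s} = 0.5$ simultaneously maximizes both terms inside the min operator. Note that again the maximum above may occur at an interior point of the interval $\left[0, \sqrt{P/\sigma^2}\right]$, and the key capacity may be achieved by not transmitting at the maximum allowable source power.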

APPENDIX D

LDPC CODE DESIGN FOR THE BPSK-CONSTRAINED GAUSSIAN WIRETAP CHANNEL

In this appendix, we design LDPC codes for sending secret messages over the Gaussian wiretap channel with BPSK source symbols. As mentioned in Section ??, Theorem 2.1 can be modified to show the existence of regular LDPC code ensembles with increasing block lengths that achieve the secrecy capacity [2, 5] of the BPSK-constrained Gaussian wiretap channel. Based on this observation, we propose a coding scheme which employs irregular LDPC codes with finite block lengths to support practical secret transmission over the Gaussian wiretap channel. The proposed coding structure allows efficient design of irregular LDPC codes that give good secrecy performance as measured in terms of equivocation about the secret message at the wiretapper.

D.1 BPSK-constrained Gaussian wiretap channel

The model of BPSK-constrained Gaussian wiretap channel used here is the same

as that of Section 3.1 except that there is no feedback channel between the source and

destination. Moreover, the objective of secret sharing considered here is for the source

to send secret information to the destination.

Assuming a uniform message distribution, the rate of the secret message is $R_s = \frac{k}{n}$. Let $\hat{M}$ denote the estimate of the message at the destination. The level of knowledge the wiretapper possesses about the secret message can be quantified by the equivocation rate $\frac{1}{n}H(M|Z^n)$. A rate-equivocation pair $(R_s, R_e)$ is achievable if for all $\epsilon > 0$, there exists a rate-$R_s$ code sequence such that

1. $\Pr\{\hat{M} \neq M\} < \epsilon$, and

2. $R_e < \frac{1}{n}H(M|Z^n) + \epsilon$

for sufficiently large $n$. When the equivocation rate at the wiretapper is as large as the secret message rate, i.e. $R_s = R_e$, we say that the equivocation-rate pair is achievable with perfect secrecy [2]. The capacity-equivocation region of a wiretap channel contains all achievable rate-equivocation pairs $(R_s, R_e)$. When $\alpha \le 1$, specializing the result in [3] to the BPSK-constrained Gaussian wiretap channel shows that the corresponding capacity-equivocation region is given by

$$
\begin{aligned}
0 \le R_e &\le C_b \\
R_e \le R_s &\le C\!\left(\sqrt{P/\sigma^2}\right),
\end{aligned}
\tag{D–1}
$$

where

$$
C_b = \max_{0 \le \beta \le \sqrt{P/\sigma^2}} \{C(\beta) - C(\alpha\beta)\}, \tag{D–2}
$$

and

$$
C(t) = 1 - \frac{1}{\sqrt{2\pi}}\int_{-\infty}^{\infty} e^{-\frac{(y-t)^2}{2}}\log_2\!\left(1 + e^{-2yt}\right)dy
$$

is the channel capacity of the AWGN channel with BPSK input. The secrecy capacity of the wiretap channel is defined as the maximum secret message rate such that the condition of perfect secrecy is satisfied. For the BPSK-constrained Gaussian wiretap channel, the secrecy capacity is given by $C_b$ if $\alpha \le 1$.

We note that $C_b$ is achieved when $X_i$ is equiprobable; but it is not necessarily achieved by transmitting at the maximum allowable power $P$. Figure D-1 shows the plot of $C_b$, in units of bits per (wiretap) channel use (bpcu), versus the maximum allowable SNR $P/\sigma^2$ for $\alpha^2 = -1.0$, $-2.5$ and $-4.4$ dB, respectively.

D.2 Secret LDPC coding scheme

In this section, we describe the proposed coding scheme for the BPSK-constrained

Gaussian wiretap channel. The proposed coding scheme employs the pair (C,W),

which is chosen as described in Section 4.2, and its secrecy performance will be

evaluated by measuring the equivocation rate of the secret message at the wiretapper.

The proposed coding scheme is described as follows:

1. Encoding: The source sets $c^k$ to be the $k$-bit secret message $M$ and chooses $d^{l-k}$ randomly according to a uniform distribution. Let $H = [A\ B]$ be the associated parity-check matrix of an LDPC code. Then it calculates $e^{m-l} = [c^k, d^{l-k}]A^T(B^{-1})^T$ and sends $X^n = [d^{l-k}, e^{m-l}]$ to the destination through the Gaussian wiretap channel.

2. Decoding: The destination performs belief propagation (BP) decoding to decode $X^m$ using its channel observation $Y^n$. The first $k$ bits of the decoded codeword give the estimate $\hat{M}$ of the secret message.

Figure D-1. The secrecy capacity $C_b$ of the BPSK-constrained Gaussian wiretap channel for different values of $\alpha^2$. [Axes: $P/\sigma^2$ (dB) versus $C_b$ (bpcu); curves: $\alpha^2 = -1.0$ dB, $-2.5$ dB, $-4.7$ dB.]
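The encoding step above, carried out over GF(2) on a toy parity-check matrix, as an added example that is not code from the dissertation. The matrices `A` and `B`, the sizes $k = 3$, $l = 6$, $m = 10$ and all function names are constructed for illustration; the enumeration checks that the message bits are never transmitted, that each message maps to $2^{l-k}$ transmitted words, and that the punctured code has $2^l$ distinct words.

```python
from itertools import product

# Constructed toy parity-check matrix H = [A B] with k = 3, l = 6, m = 10.
# Columns of A: the k message bits c first, then the l - k random bits d.
A = [[1, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 1],
     [0, 0, 1, 1, 0, 1],
     [1, 1, 1, 0, 0, 1]]
# B is (m - l) x (m - l), lower triangular with unit diagonal, hence invertible.
B = [[1, 0, 0, 0],
     [1, 1, 0, 0],
     [0, 1, 1, 0],
     [0, 0, 1, 1]]
K, L = 3, 6


def gf2_solve(mat, rhs):
    """Solve mat * e = rhs over GF(2) by Gauss-Jordan elimination."""
    r = len(mat)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(mat)]
    for col in range(r):
        pivot = next((i for i in range(col, r) if aug[i][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular over GF(2)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for i in range(r):
            if i != col and aug[i][col]:
                aug[i] = [a ^ b for a, b in zip(aug[i], aug[col])]
    return [aug[i][r] for i in range(r)]


def encode(c, d):
    """Return (x, word): x = [d, e] is transmitted, word = [c, d, e] is the codeword."""
    u = list(c) + list(d)
    s = [sum(a & b for a, b in zip(row, u)) & 1 for row in A]  # A u^T
    e = gf2_solve(B, s)  # e^T = B^{-1} A u^T, i.e. e = u A^T (B^{-1})^T
    return list(d) + e, u + e


def syndrome(word):
    """H word^T over GF(2); all zeros for a valid codeword."""
    return [sum(h & w for h, w in zip(ra + rb, word)) & 1 for ra, rb in zip(A, B)]


def transmitted_words(c=None):
    """Set of punctured words X^n over all d (and over all c when c is None)."""
    msgs = [c] if c is not None else product((0, 1), repeat=K)
    return {tuple(encode(m, d)[0])
            for m in msgs for d in product((0, 1), repeat=L - K)}


if __name__ == "__main__":
    x, word = encode([1, 0, 1], [0, 1, 1])
    print("full codeword [c, d, e]:", word, "syndrome:", syndrome(word))
    print("transmitted X^n = [d, e]:", x)
    print("words per message:", len(transmitted_words([1, 0, 1])))
    print("distinct punctured words:", len(transmitted_words()))
```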

We evaluate the secrecy performance of the proposed coding scheme in the context of the achievable rate-equivocation pair defined in Section D.1. First, if the BP decoder at the destination achieves block error probability $\epsilon_d$, then we have $\Pr\{\hat{M} \neq M\} \le \epsilon_d$. Hence, Condition 1 in Section D.1 is satisfied if $\epsilon_d$ is small enough. Second, the uncertainty about the message $M$ at the wiretapper given his received sequence $Z^n$ is

$$
\begin{aligned}
H(M|Z^n) &= H(X^n|Z^n) + H(M|Z^n, X^n) - H(X^n|M, Z^n) \\
&= H(X^n) - I(X^n;Z^n) + H(M|Z^n, X^n) - H(X^n|M, Z^n).
\end{aligned}
\tag{D–3}
$$

Based on the memoryless nature of the source-to-wiretapper channel and the encoding process, we have $I(X^n;Z^n) \le nC(\alpha\beta)$, $H(X^n) = l$ ¹ and $H(M|Z^n, X^n) \le H(M|X^n) = 0$, respectively. Moreover, consider a fictitious receiver at the wiretapper trying to decode for $X^n$ from observing $Z^n$ and $M$. Suppose that the block error probability achieved by this receiver is $\epsilon_w$. Then we have $H(X^n|M, Z^n) \le 1 + (l - k)\epsilon_w$ by Fano’s inequality. Putting all these back to (D–3), we obtain

$$
\frac{1}{n}H(M|Z^n) \ge R_c - C(\alpha\beta) - (R_c - R_s)\epsilon_w - \frac{1}{n}. \tag{D–4}
$$

Let $R_e = R_c - C(\alpha\beta)$. Then Condition 2 in Section D.1 is satisfied if $\epsilon_w$ is small enough and $n$ is large enough. Hence, $(R_s, R_e)$ is an achievable rate-equivocation pair through the BPSK-constrained Gaussian wiretap channel. Moreover, we note that the above lower bound is derived from Fano’s inequality; thus it applies to any decoder at the fictitious receiver. In fact, the value of the bound depends on the choice of decoders only through $\epsilon_w$. In the next section, we perform computer simulation to estimate $\epsilon_w$ and then employ (D–4) to bound the equivocation rate achieved by the proposed coding scheme as described above. To get $\epsilon_w$, a BP decoder is implemented for the fictitious receiver at the wiretapper. In order to provide information about the secret message $M$ to the BP decoder, the intrinsic LLRs of $c^k$ are explicitly set to $\pm\infty$ according to the true bit values.

¹ This is valid when $C$ contains $2^l$ distinct codewords, which is in turn the case with very high probability if $C'$ is chosen randomly in the usual manner described in [30].


D.3 Codes design and performance

In [20], the authors use a systematic irregular LDPC code to encode the secret message $M$ (along with some random bits) and then puncture the secret message bits in the codeword prior to transmission in order to “hide” the secret message from the wiretapper. The puncturing pattern is designed to minimize the security gap. Such a coding scheme can be viewed as an unoptimized special case of our scheme proposed in Section D.2. We show in this section that the generalization in Section D.2 allows us to systematically optimize the irregular LDPC code for good secrecy performance. To that end, let us apply the code search process proposed in Section 4.3 to the present case. Again, our objective is to design the irregular LDPC code $C'$ so that the secret LDPC code $(C, W)$ works well for both the channel from the source to the destination and the channel from the source to the wiretapper (given the secret message). Similarly, we consider uniform puncturing of the systematic bits of $C'$, with $p$ denoting the corresponding fraction of punctured variable nodes. Note that the secret rate $R_s = \frac{p}{1-p}$. Also, write the rate of $C'$ as $R'_c = \frac{l}{m}$. Then $R'_c = \frac{R_c}{1+R_s}$. For any fixed $R_s$, the discussion just below (D–4) at the end of the previous section suggests that we should maximize $R_c$, or equivalently $R'_c$, in order to maximize the achievable equivocation rate.

For illustration, we apply the above code search procedure to two different wiretap channel settings: (i) $P/\sigma^2 = 3.55$ dB and $\alpha^2 = -4.4$ dB, and (ii) $P/\sigma^2 = 1.0$ dB and $\alpha^2 = -1.0$ dB. In both cases, the code search process starts with the AWGN-optimized LDPC codes reported in [30]. Figure D-2 shows the secrecy performance of a rate-0.541 irregular LDPC code obtained by performing the code search process with $R_s = 0.33$ under the first channel setting. The degree distribution pair of this irregular LDPC code is shown in Table D-1. We obtain an instance of the irregular LDPC code by randomly generating a bipartite graph that satisfies the two given degree distributions. The block length of the LDPC code is $m = 10^6$, and all length-4 loops are removed. Computer simulation is performed on this code to estimate $\epsilon_d$ and $\epsilon_w$ as described before. The estimated value of $\epsilon_w$ is employed to calculate an achievable equivocation rate as in (D–4), provided that $\epsilon_d \le 0.01$ and $\epsilon_w \le 0.01$. The resulting achievable pair $(R_s, R_e/R_s)$ (where $R_e/R_s$ is the fractional equivocation) is plotted against the capacity-(fractional) equivocation region, whose boundary is shown by the solid curve in the figure. From Figure D-2, we see that the pair $(R_s, R_e/R_s) = (0.33, 0.89)$ (shown by the square marker) is achieved by this rate-0.541 LDPC code.

Table D-1. Degree distribution pairs of the rate-0.541, rate-0.508, rate-0.505 irregular LDPC codes.

| | rate-0.541 | rate-0.508 | rate-0.505 |
|---|---|---|---|
| $\lambda_2$ | 0.3013 | 0.2762 | 0.2599 |
| $\lambda_3$ | 0.1846 | 0.2804 | 0.2837 |
| $\lambda_4$ | 0.1510 | | 0.0281 |
| $\lambda_9$ | 0.0614 | | |
| $\lambda_{10}$ | 0.3017 | 0.4434 | 0.4283 |
| $\rho_7$ | 0.3892 | 0.6086 | 0.6315 |
| $\rho_8$ | 0.6054 | 0.3914 | 0.3532 |
| $\rho_{10}$ | 0.0054 | | 0.0153 |

Figure D-2. Plot of $(R_s, R_e/R_s)$ pairs achieved by the proposed coding scheme and by the coding scheme in [20] when $P/\sigma^2 = 3.55$ dB and $\alpha^2 = -4.4$ dB. [Axes: $R_s$ (bpcu) versus $R_e/R_s$.]

Next, we consider the more challenging case under the second channel setting, in which the wiretapper’s SNR is not much weaker than that of the destination. Figure D-3 shows the secrecy performance of a rate-0.505 irregular LDPC code obtained by performing the code search process described above with $R_s = 0.076$. The degree distribution pair of this irregular LDPC code can be found in Table D-1. We observe that the pair $(R_s, R_e/R_s) = (0.076, 0.76)$ (denoted by the square marker) is achieved by this code. In conclusion, the code search process described above gives irregular LDPC codes with relatively good secrecy performance for different values of $\alpha^2$. We note that a similar code search process can also be formulated to include optimization of the puncturing pattern. However, we have not been able to obtain significantly better codes with the modified search. One possible reason for this result is that the optimization of degree distributions implicitly takes the uniform puncturing pattern into account, thus limiting the gain from including the optimization of the puncturing pattern in the linear program.

As mentioned before, the codes suggested in [20] are “unoptimized” special cases of the coding scheme described here. In particular, a rate-0.5 irregular LDPC code with $p = 0.3$ is employed in [20], resulting in secret rate $R_s = 0.43$. The secrecy performance of the coding scheme in [20] is evaluated by the security gap. In our notation, that is to find the values $\beta$ and $\alpha$ such that the decoding (bit) error probability of the secret message at the destination is smaller than a prescribed value, and the decoding (bit) error probability of the secret message at the wiretapper is close to 0.5. The security gap is then defined as the ratio of the SNR of the destination to that of the wiretapper, i.e. $\frac{1}{\alpha^2}$. As reported in [20], the security gap, with uniform puncturing over all variable nodes of different degree for $p = 0.3$, is about 4.4 dB.

Figure D-3. Plot of the $(R_s, R_e/R_s)$ pair achieved by the proposed coding scheme when $P/\sigma^2 = 1.0$ dB and $\alpha^2 = -1.0$ dB. [Axes: $R_s$ (bpcu) versus $R_e/R_s$.]

To compare with our optimized codes, Figure D-2 shows the secrecy performance of the rate-0.5 code in [20] with $p = 0.3$ evaluated by using (D–4) as before under channel setting (i). The pair $(R_s, R_e/R_s) = (0.43, 0.68)$ (denoted by the circle marker) is achieved by this code. We also perform a code search under this channel setting with $R_s = 0.43$ for comparison. The pair $(R_s, R_e/R_s) = (0.43, 0.70)$ (denoted by the diamond marker) is achieved using the resulting rate-0.508 irregular LDPC code. We see that the irregular LDPC code obtained from the proposed code search process also slightly outperforms the “unoptimized” one used in [20] in terms of equivocation rate.

Referring back to Figure D-1, we see that for $\alpha^2 = -4.4$ dB, the secrecy capacity of the BPSK-constrained Gaussian wiretap channel never exceeds 0.34 bpcu. Hence, the fractional equivocation $R_e/R_s$ is strictly below 1 at $R_s = 0.43$. In fact, the highest achievable $R_e/R_s$ at $R_s = 0.43$ under this channel setting is only 0.78 (cf. Figure D-2). That means that we should not operate at this rate if the target is to achieve perfect secrecy. In summary, the proposed coding scheme and code search process provide a much more systematic and flexible means of designing irregular LDPC codes for the BPSK-constrained wiretap channel than the approach in [20].
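The operating points quoted in this section can be cross-checked from (D–2) and (D–4) by numerically integrating $C(t)$, using the standard BPSK-input AWGN integrand $\log_2(1 + e^{-2yt})$. The following is an added example, not code from the dissertation; it assumes the codes are operated at $\beta^2 = P/\sigma^2$ and takes $\epsilon_w \to 0$, $n \to \infty$ by default because the simulated $\epsilon_w$ values are not given on the page, and all function names are illustrative.

```python
import math


def softplus_neg(x):
    """ln(1 + e^{-x}), evaluated without overflow for large |x|."""
    return math.log1p(math.exp(-x)) if x >= 0 else -x + math.log1p(math.exp(x))


def bpsk_capacity(t, half_width=10.0, steps=400):
    """C(t) = 1 - E[log2(1 + e^{-2tY})] for Y ~ N(t, 1), by the trapezoidal rule."""
    h = 2.0 * half_width / steps
    total = 0.0
    for i in range(steps + 1):
        y = t - half_width + i * h
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * math.exp(-0.5 * (y - t) ** 2) * softplus_neg(2.0 * y * t)
    return 1.0 - total * h / (math.sqrt(2.0 * math.pi) * math.log(2.0))


def from_db(x_db):
    return 10.0 ** (x_db / 10.0)


def secrecy_capacity(snr_max_db, alpha2_db, grid=300):
    """(D-2): grid search of C(beta) - C(alpha*beta) over 0 < beta <= sqrt(P/sigma^2).

    Returns (C_b, maximizing beta)."""
    beta_max = math.sqrt(from_db(snr_max_db))
    alpha = math.sqrt(from_db(alpha2_db))
    best_val, best_beta = 0.0, 0.0
    for i in range(1, grid + 1):
        beta = beta_max * i / grid
        val = bpsk_capacity(beta) - bpsk_capacity(alpha * beta)
        if val > best_val:
            best_val, best_beta = val, beta
    return best_val, best_beta


def fractional_equivocation(mother_rate, rs, snr_db, alpha2_db, eps_w=0.0, n=math.inf):
    """R_e/R_s from the right-hand side of (D-4), with R_c = R'_c (1 + R_s).

    Assumption: the source transmits at beta^2 = P/sigma^2."""
    rc = mother_rate * (1.0 + rs)
    c_wiretap = bpsk_capacity(math.sqrt(from_db(snr_db + alpha2_db)))  # C(alpha*beta)
    return (rc - c_wiretap - (rc - rs) * eps_w - 1.0 / n) / rs


# (label, R'_c, R_s, P/sigma^2 in dB, alpha^2 in dB, R_e/R_s quoted in the text)
REPORTED = [
    ("rate-0.541 code", 0.541, 0.33, 3.55, -4.4, 0.89),
    ("rate-0.508 code", 0.508, 0.43, 3.55, -4.4, 0.70),
    ("rate-0.5 code of [20], p = 0.3", 0.5, 0.3 / 0.7, 3.55, -4.4, 0.68),
    ("rate-0.505 code", 0.505, 0.076, 1.0, -1.0, 0.76),
]

if __name__ == "__main__":
    for label, rate, rs, snr_db, a2_db, quoted in REPORTED:
        got = fractional_equivocation(rate, rs, snr_db, a2_db)
        print(f"{label}: computed Re/Rs = {got:.3f}, quoted {quoted:.2f}")
    cb, beta = secrecy_capacity(6.0, -4.4)
    print(f"C_b for alpha^2 = -4.4 dB, P/sigma^2 <= 6 dB: {cb:.3f} bpcu "
          f"at beta^2 = {10 * math.log10(beta ** 2):.2f} dB")
    cb_i, _ = secrecy_capacity(3.55, -4.4)
    print(f"region boundary at Rs = 0.43, setting (i): Re/Rs = {cb_i / 0.43:.3f}")
```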

D.4 Summary

In this appendix, we developed a coding scheme for sending secret messages

over the BPSK-constrained Gaussian wiretap channel. The proposed coding scheme

employs punctured systematic irregular LDPC codes in which secret message bits are

punctured. To systematically address the secret code design problem, we presented a

density-evolution based linear program to search for good irregular LDPC codes to be

used in the proposed coding scheme. Simulation results showed that the irregular LDPC

codes obtained from our search can achieve secrecy performance relatively close to the

boundary of the capacity-equivocation region of the BPSK-constrained Gaussian wiretap

channel.


REFERENCES

[1] C. Shannon, “Communication theory of secrecy systems,” Bell Systems Technical Journal, vol. 28, pp. 656–715, 1949.

[2] A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, pp. 1355–1387, Oct. 1975.

[3] I. Csiszar and J. Korner, “Broadcast channels with confidential messages,” IEEE Trans. Inform. Theory, vol. 24, no. 3, pp. 339–348, May 1978.

[4] R. Ahlswede and I. Csiszar, “Common randomness in information theory and cryptography. I. Secret sharing,” IEEE Trans. Inform. Theory, vol. 39, no. 4, pp. 1121–1132, July 1993.

[5] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian wire-tap channel,” IEEE Trans. Inform. Theory, vol. 24, no. 4, pp. 451–456, Jul 1978.

[6] L. Ozarow and A. D. Wyner, “Wire-tap channel II,” Bell Syst. Tech. J., vol. 63, no. 10, pp. 2135–2157, Dec. 1984.

[7] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. McLaughlin, and J. M. Merolla, “Applications of LDPC codes to the wiretap channel,” IEEE Trans. Inform. Theory, vol. 53, no. 8, pp. 2933–2945, Aug. 2007.

[8] R. Liu, Y. Liang, H. Poor, and P. Spasojevic, “Secure nested codes for type II wiretap channels,” Proc. IEEE 2007 Inform. Theory Workshop, pp. 337–342, Sept. 2007.

[9] H. Mahdavifar and V. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” Proc. IEEE Int. Symp. Inform. Theory (ISIT 2010), pp. 913–917, June 2010.

[10] O. O. Koyluoglu and H. E. Gamal, “Polar coding for secure transmission and key agreement,” Proc. IEEE Int. Symp. Personal, Indoor and Mobile Radio Commun., pp. 2698–2703, Sept 2010.

[11] E. Arikan, “Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels,” IEEE Trans. Inform. Theory, vol. 55, pp. 3051–3073, Jul. 2009.

[12] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inform. Theory, vol. 39, no. 3, pp. 733–742, May 1993.

[13] G. Brassard and L. Salvail, “Secret-key reconciliation by public discussion,” Advances in Cryptology - Eurocrypt’93, pp. 410–423, 1994.

[14] K. C. Nguyen, G. Van Assche, and N. J. Cerf, “Side-information coding with turbo codes and its application to quantum key distribution,” in Proc. 2004 IEEE Int. Symp. Inform. Theory and Applicat., Parma, Italy, Oct. 2004.

[15] G. Van Assche, J. Cardinal, and N. J. Cerf, “Reconciliation of a quantum-distributed Gaussian key,” IEEE Trans. Inform. Theory, vol. 50, no. 2, pp. 394–400, Feb. 2004.

[16] J. Muramatsu, “Secret key agreement from correlated source outputs using low density parity check matrices,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E89-A, pp. 2036–2046, July 2006.

[17] C. Ye, A. Reznik, and Y. Shah, “Extracting secrecy from jointly Gaussian random variables,” in Proc. IEEE Int. Symp. Inform. Theory (ISIT 2006), July 2006, pp. 2593–2597.

[18] M. Bloch, J. Barros, M. Rodrigues, and S. McLaughlin, “Wireless information-theoretic security,” IEEE Trans. Inform. Theory, vol. 54, no. 6, pp. 2515–2534, June 2008.

[19] D. Elkouss, A. Leverrier, R. Alleaume, and J. Boutros, “Efficient reconciliation protocol for discrete-variable quantum key distribution,” Proc. IEEE Int. Symp. Inform. Theory (ISIT 2009), pp. 1879–1883, July 2009.

[20] D. Klinc, J. Ha, S. M. McLaughlin, J. Barros, and B. J. Kwak, “LDPC codes for the Gaussian wiretap channel,” Proc. IEEE 2009 Inform. Theory Workshop, pp. 95–99, Oct. 2009.

[21] M. Baldi, M. Bianchi, and F. Chiaraluce, “Non-systematic codes for physical layer security,” Proc. IEEE 2010 Inform. Theory Workshop, pp. 1–5, Sept. 2010.

[22] R. Gallager, “Low-density parity-check codes,” IEEE Trans. Inform. Theory, vol. 8, no. 1, pp. 21–28, Jan 1962.

[23] D. MacKay and R. Neal, “Near Shannon limit performance of low density parity check codes,” IEE Electron. Lett., vol. 33, no. 6, pp. 457–458, Mar. 1997.

[24] R. G. Gallager, Low-Density Parity-Check Codes. Cambridge, MA: MIT Press, 1963.

[25] R. Tanner, “A recursive approach to low complexity codes,” IEEE Trans. Inform. Theory, vol. 27, no. 5, pp. 533–547, Sept. 1981.

[26] M. G. Luby, M. Mitzenmacher, M. A. Shokrollahi, D. A. Spielman, and V. Stemann, “Practical loss-resilient codes,” in Proc. ACM Symp. Theory Computing, El Paso, TX, May 1997, pp. 150–159.

[27] M. G. Luby, M. Mitzenmacher, M. A. Shokrollahi, and D. A. Spielman, “Analysis of low density codes and improved designs using irregular graphs,” in Proc. ACM Symp. Theory Computing, Dallas, TX, May 1998, pp. 249–258.

[28] ——, “Efficient erasure correcting codes,” IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 569–584, Feb. 2001.

[29] T. Richardson and R. Urbanke, “The capacity of low-density parity-check codes under message-passing decoding,” IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 599–618, Feb. 2001.

[30] T. Richardson, M. Shokrollahi, and R. Urbanke, “Design of capacity-approaching irregular low-density parity-check codes,” IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 619–637, Feb. 2001.

[31] S. Chung, G. D. Forney, Jr., T. J. Richardson, and R. Urbanke, “On the design of low-density parity-check codes within 0.0045 dB of the Shannon limit,” IEEE Commun. Lett., vol. 5, no. 2, pp. 58–60, Feb. 2001.

[32] C. Berrou, A. Glavieux, and P. Thitimajshima, “Near Shannon limit error-correcting coding and decoding,” in Proc. IEEE Int. Conf. Commun., vol. 2, Geneva, Switzerland, May 1993, pp. 1064–1070.

[33] F. R. Kschischang, B. J. Frey, and H. A. Loeliger, “Factor graphs and the sum-product algorithm,” IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 498–519, Feb 2001.

[34] J. Hagenauer, E. Offer, and L. Papke, “Iterative decoding of binary block and convolutional codes,” IEEE Trans. Inform. Theory, vol. 42, no. 2, pp. 429–445, Mar. 1996.

[35] A. J. Viterbi, “Error bounds for convolutional codes and an asymptotically optimum decoding algorithm,” IEEE Trans. Inform. Theory, vol. 13, no. 2, pp. 260–269, April 1967.

[36] L. R. Bahl, J. Cocke, F. Jelinek, and J. Raviv, “Optimal decoding of linear codes for minimizing symbol error rates,” IEEE Trans. Inform. Theory, vol. 20, no. 2, pp. 284–287, Mar. 1974.

[37] A. Liveris, Z. Xiong, and C. Georghiades, “Compression of binary sources with side information at the decoder using LDPC codes,” IEEE Commun. Lett., vol. 6, no. 10, pp. 440–442, Oct. 2002.

[38] T. Cover and J. Thomas, Elements of Information Theory, 2nd ed. New York: Wiley-Interscience, 2006.

[39] G. Miller and D. Burshtein, “Bounds on the maximum-likelihood decoding error probability of low-density parity-check codes,” IEEE Trans. Inform. Theory, vol. 47, no. 7, pp. 2696–2710, Nov. 2001.

[40] A. Bennatan and D. Burshtein, “On the application of LDPC codes to arbitrary discrete-memoryless channels,” IEEE Trans. Inform. Theory, vol. 50, no. 3, pp. 417–438, Mar. 2004.

[41] T. Richardson and R. Urbanke, “Efficient encoding of low-density parity-check codes,” IEEE Trans. Inform. Theory, vol. 47, no. 2, pp. 638–656, Feb. 2001.

[42] R. Urbanke, “Degree distribution optimizer for LDPC code ensembles,” 2001. [Online]. Available: http://ipgdemos.epfl.ch/ldpcopt/

[43] H. Imai and S. Hirakawa, “A new multilevel coding method using error correcting codes,” IEEE Trans. Inform. Theory, vol. 23, pp. 371–377, May 1977.

[44] U. Wachsmann, R. F. H. Fischer, and J. B. Huber, “Multilevel codes: Theoretical concepts and practical design rules,” IEEE Trans. Inform. Theory, vol. 45, pp. 1361–1391, July 1999.

[45] J. Hou, P. H. Siegel, L. B. Milstein, and H. D. Pfister, “Capacity-approaching bandwidth-efficient coded modulation schemes based on low-density parity-check codes,” IEEE Trans. Inform. Theory, vol. 49, no. 9, pp. 2141–2155, Sept. 2003.

[46] T. Han, Information-Spectrum methods in information theory. Berlin: Springer-Verlag, 2003.

[47] I. Csiszar and P. Narayan, “Secrecy capacities for multiple terminals,” IEEE Trans. Inform. Theory, vol. 50, no. 12, pp. 3047–3061, Dec. 2004.

[48] ——, “Secrecy capacities for multiterminal channel models,” IEEE Trans. Inform. Theory, vol. 54, no. 6, pp. 2437–2452, June 2008.

[49] Y. Oohama, “Gaussian multiterminal source coding,” IEEE Trans. Inform. Theory, vol. 43, no. 6, pp. 1912–1923, Nov. 1997.

[50] V. Kac and P. Cheung, Quantum Calculus. New York: Springer-Verlag, 2002.

[51] A. Marshall and I. Olkin, Inequalities: theory of majorization and its applications. Academic Press, 1979.

BIOGRAPHICAL SKETCH

Chan Wong Wong received the B.S. and M.S. degrees in electrical engineering from

National Taiwan University (NTU), Taipei, Taiwan in 2002 and 2004, respectively.

From 2002 to 2004, he was a teaching and research assistant at the Graduate

Institute of Communications Engineering (GICE), NTU. During 2003 to 2006 he was

with Afa Technologies, Inc., Taipei, Taiwan, as a DSP system engineer in developing

demodulators for various digital video broadcasting standards. He has been a teaching

and graduate assistant in University of Florida, Gainesville, FL since 2007. His research

interests lie in the area of communication theory applied to equalization, coding and

security for wireless communication.

Chan Wong is a member of the Phi Tau Phi Scholastic Honor Society of the

Republic of China.
