Compute-and-Forward Can Buy Secrecy Cheap
aa r X i v : . [ c s . CR ] A p r Compute-and-Forward Can Buy Secrecy Cheap
Parisa Babaheidarian*, Somayeh Salimi** *Boston University,**KTH Royal Institute of Technology
Abstract —We consider a Gaussian multiple access channelwith K transmitters, a (intended) receiver and an externaleavesdropper. The transmitters wish to reliably communicatewith the receiver while concealing their messages from theeavesdropper. This scenario has been investigated in prior worksusing two different coding techniques; the random i.i.d. Gaussiancoding and the signal alignment coding. Although, the latteroffers promising results in a very high SNR regime, extendingthese results to the finite SNR regime is a challenging task. Inthis paper, we propose a new lattice alignment scheme basedon the compute-and-forward framework which works at anyfinite SNR. We show that our achievable secure sum rate scaleswith log(SNR) and hence, in most SNR regimes, our schemeoutperforms the random coding scheme in which the securesum rate does not grow with power. Furthermore, we show thatour result matches the prior work in the infinite SNR regime.Additionally, we analyze our result numerically. I. I
NTRODUCTION
Gaussian Multiple Access Channel (MAC) has been con-sidered under different security scenarios. One interesting sce-nario is the K -user Gaussian MAC with an external eavesdrop-per in which the users wish to reliably send their messages tothe receiver while keeping them hidden from the eavesdropper.This scenario has been investigated in [1] using the Gaussiani.i.d. random codes. Although, these codes achieve the capacityregion of MAC without security, the result in [1] shows thatthey have a poor performance in relatively high SNR regimeswhen the security constraint is added. In an attempt to improvethe high SNR results, researchers investigated the problemusing the signal alignment technique. In particular, in [2] and[3], it is shown that their proposed schemes offer a significantimprovement over the random coding counterpart in a veryhigh SNR regime. In fact, the scheme proposed in [3] achievesthe optimal secure Degrees of Freedom (DoF) of the K -user Gaussian wiretap MAC. However, as these alignmentschemes use a maximum-likelihood decoder, bounding theerror probability of the decoder in the finite SNR regimeis challenging and this limits their results to the high SNRregime.In light of lattice alignment technique, the compute-and-forward framework was proposed in [4] which can operate atany finite SNR. Recently, the K -user Gaussian MAC withoutsecurity constraint has been investigated in [5] based onlattice coding and the compute-and-forward framework. Theproposed scheme in [5] achieves the MAC sum capacity withina constant gap and for any finite SNR.Motivated by the above arguments, we propose a newachievability scheme for the K -user Gaussian wiretap MACin which lattice alignment is used along with the asymmet-ric compute-and-forward framework. We evaluate the perfor- mance of our proposed scheme both analytically and numeri-cally for any finite SNR. We prove that our proposed schemeachieves a secure sum rate that scales with log(SNR) , incontrast to the Gaussian random coding result which does notgrow with SNR and therefore, it somehow fails at moderateand high SNR regimes. Finally, we show that the asymptoticbehavior of our proposed scheme agrees with the prior workresult in [2] in the high SNR regime.The paper is organized as follows. In Section II, our setuppreliminaries are described. Our main result is given in SectionIII along with the comparison to the prior works. In SectionIV, the proof of the main result is presented. We conclude thepaper in Section V. The proof of Lemma 1 used in Section IVis given in Appendix.II. P ROBLEM S TATEMENT A K -user (real) Gaussian wiretap multiple access channel(MAC) consists of K transmitters, a receiver and an externaleavesdropper. The relations between the channel inputs andoutputs are given as y = K X ℓ =1 h ℓ x ℓ + z , y E = K X ℓ =1 g ℓ x ℓ + z E (1)where x ℓ is an N -length channel input vector of user ℓ whichsatisfies the following power constraint. k x ℓ k ≤ N P, ∀ ℓ ∈ { , . . . , K } (2)The vectors y and y E in (1) are the receiver and the eaves-dropper channel outputs, respectively. Also, z and z E are theindependent channel noises, each distributed i.i.d. accordingto N (0 , . Finally, vectors h , [ h , . . . , h K ] T and g , [ g , . . . , g K ] T are real-valued vectors representing the channelgains to the receiver and the eavesdropper, respectively. Thechannel model is illustrated in Fig. 1.User ℓ encodes its confidential message W ℓ , which isuniformly distributed over the set { , . . . , NR ℓ } and is in-dependent of other users’ messages, through some stochasticmapping E ℓ , i.e., x ℓ = E ℓ ( W ℓ ) , for ℓ ∈ { , . . . , K } . Thereis also a decoder D at the receiver side which estimates themessages, i.e., D ( y ) = { ˆ W ℓ } Kℓ =1 . Definition 1 (Achievable secure sum rate):
For thedescribed channel model, a secure sum rate P Kℓ =1 R ℓ isachievable, if for any ǫ > and large enough N , there exista sequence of encoders {E ℓ } kℓ =1 and a decoder D such that Pr K [ ℓ =1 { ˆ W ℓ = W ℓ } ! < ǫ (3) K X ℓ =1 R ℓ ≤ N H ( W , W , . . . , W K | y E ) + ǫ (4) E + z D ˆ W ˆ W ... ˆ W K x y W E x W K E K + z E Eavesdropper x K g K y E ... g h g h K Fig. 1:
The asymmetric Gaussian wiretap multiple access channelmodel. where Pr denotes the probability of the event. The securesum capacity is the supremum of all achievable secure sumrates. III. M
AIN R ESULTS
The problem described in Section II has been treatedin [2] and [3] in the infinite SNR regime. Their proposedschemes is based on bounding the minimum distance betweenthe codewords in the receiver’s effective codebook. Usingthis method, they showed that the decoding error probabilitytends to zero, provided that the input power goes to infinity.In this paper, we present a new scheme which provides alower bound on the secure sum capacity for the same modeland for any finite value of SNR. To this end, we utilizethe compute-and-forward framework presented in [4]. Moreprecisely, we develop a coding scheme using an asymmetriccompute-and-forward framework to address the asymmetrictransmitter-eavesdropper channel gains, i.e., different values of g ℓ for different users. It should be noted that the asymmetriccompute-and-forward framework is also treated in [6], but herewe add the security constraint to the framework.In the compute-and-forward framework, the receiver firstdecodes K linearly independent integer combinations of thetransmitted lattice codewords and then, it solves the equationsfor its desired lattice codewords. The equations are decodedsuccessively meaning that at each step k , the receiver cancelsthe effect of the k − previously decoded codewords from thecurrent equation and solves it for the next codeword. The ap-proach is similar to the Gaussian elimination with a differencethat row switching is not allowed here. This limitation is due tothe fact that a codeword cannot be eliminated from the currentequation using another equation which has not been decodedyet. As a result, the order of canceling out the codewordscannot be chosen arbitrarily, however, it can be shown thatthere exists at least one successive cancellation order suchthat all K codewords can be decoded [5]. Proposition 1:
Consider an index permutation function π ,i.e., π : { , . . . , K } → { , . . . , K } , which gives a successive Note that in Definition 1 we are interested in weak secrecy. The rates are determined by how closely the equations integer coefficientsmatch the channel gains h ℓ . cancellation order in the compute-and-forward framework.Also, assume that the set of linearly independent integer-valued K -length vectors { a , . . . , a K } be the equations coef-ficients. Then, for the channel model in Section II, the receivercan decode the message W ℓ ∈ { , . . . , NR ℓ } with a vanishingerror probability if R ℓ ≤ R comb,π ( ℓ ) , max (cid:18)
12 log (cid:18)
SNR ℓ k F a π ( ℓ ) k (cid:19) , (cid:19) (5)where the matrix F is given as F , (cid:0) P I K × K + hh T (cid:1) − × diag r SNR P , . . . , r SNR K P ! . The notation diag( v ) stands for the diagonal matrix built fromthe vector v and SNR ℓ > is the power used at encoder ℓ togenerate its codewords. Notice that as long as the generatedcodewords are scaled properly before transmission, they wouldsatisfy the channel input power constraint. Proposition 1 is immediately deduced from applying Theo-rem 2 along with Theorem 5 in [5] with an exception that,here, users operate at different powers. All other conditionsstated in Theorem 5 in [5] still apply in Proposition 1.In the following, we present a lower bound on the securesum capacity achieved by the proposed scheme.
Theorem 1:
A rate tuple ( R , . . . , R K ) offers an achievablesecure sum rate for the channel model described in Section II,if they satisfy the following constraints. R ℓ ≥ , R ℓ ≤ R comb,π ( ℓ ) ∀ ℓ ∈ { , . . . , K } (6) K X ℓ =1 R ℓ ≤ max π R sum (7)where R sum = K X k =2 R comb,k −
12 log (cid:18) P Kℓ =1 g ℓ g π − (1) (cid:19)! (8)The maximum in (7) is taken over all the possible successivecancellation orders π and the notation π − ( . ) simply denotesthe inverse permutation operator.Proof of Theorem 1 is given in Section IV. Comparison to the prior works
The K -user Gaussian wiretap MAC has been investigatedin [1] by means of i.i.d. Gaussian random coding. Accordingto [1], for the considered channel model, the following securesum rate is achievable K X ℓ =1 R ℓ ≤ max (cid:18)
12 log (cid:18) k h k P k g k P (cid:19) , (cid:19) (9)Note that the right hand side of expression (9) does notscale with power P or in other words, the asymptotic behaviorof (9) tends to a constant rate for a fixed number of usersand a given set of channel gains. In contrast, our achievablesecure sum rate in (8) scales logarithmic with P . To provethis, we only need to show that the first term in (8) growswith log( P ) as the second term is constant with respect to The scaling factors can be absorbed into the the channel gains. he power. Without loss of generality, let us assume
SNR ℓ = α ℓ P, ∀ ℓ and some α ℓ > (Note that according to the earlierdiscussion in Proposition 1, α ℓ > is allowed). Then we have, K X k =1 R comb,ka ≥ K P ) + 12 K X k =1 log( α k ) −
12 log( K K | det( F ) | )= K P ) + 12 K X k =1 log( α k ) − K K ) + log( P ))+ 12 log(1 + k h k P ) − K X k =1 log( α k )= 12 log(1 + k h k P ) − K K ) (10)where inequality (a) is deduced from Theorem 4 in [5]. Now,we exploit Theorem 12 in [5] in which it is shown that R comb,k < δ ( K − K + δ ( K − . log( P )+ c, ∀ k , where the inequalityholds for any δ > and some c constant with respect to P .Therefore, if we take δ → and ignore the constant termsin (10), we have P Kk =2 R comb,k ∝ . K − K log( P ) . As a result,the secure sum rate in (8) grows with log( P ) .The numerical results are given in Fig. 2 which are evaluatedfor the three-user channel and random i.i.d. (real) Gaussianchannel gains. It can be seen that for the moderate and highSNR regimes, our proposed scheme outperforms the randomcoding result presented in [1]. Notice that the achievable non-secure results are shown in the figure as well which can beconsidered as an upper bound on the secure sum rate.Another interesting observation occurs when the channel tothe legitimate receiver is degraded with respect to the channelto the eavesdropper. For the Gaussian setting and the samenoise power, this corresponds to the case k h k ≤ k g k . Inthis case, according to the expression in (9), random codingfails to achieve a positive secure sum rate, while our schemeachieves a strictly positive secure sum rate as long as the ratios h ℓ g ℓ are not rational. To illustrate this observation, we ran anexperiment on a two-user Gaussian wiretap MAC with a fixedpower (at SNR = 25dB ) in which the channel gains are givenas h = h , √ i T , g = h √ θ ) , √ θ ) i T (11)for some random θ uniformly distributed over [0 , π ] . This isan example of the case where k h k = k g k . Fig. 3 shows thatas long as the ratios of h ℓ g ℓ are not rational, a positive securesum rate can be attained following our scheme.At last, we investigate the asymptotic behavior of theexpression (8). We show that our scheme achieves a totalsecure DoF of K − K . Earlier, to prove the scalability of (8)with log( P ) , we showed that the R sum is proportional to . K − K log( P ) , provided that the constant terms are ignored.Therefore, lim P →∞ R sum log (1 + P ) = K − K (12) It can be shown that the Lebesgue measure of such rational ratios is small.
SNR (dB) s u m r a t e s w i t h a nd w i t h o u t s ec u r i t y f o r t h ree − u s er M AC ( b i t s ) MAC sum−capacityCompute−and−forward achievable sum−rateRandom coding achievable secure sum−rateProposed scheme achievable secure sum−rate
Fig. 2:
Achievable sum rate, with and without security evaluatedfor the three-user asymmetric Gaussian MAC at different SNR. θ (rad) Su m − r a t e ( N o r m a li ze d b y M AC s u m − c a p a c i t y ) Compute−and−forward achievable sum−rate Proposed scheme achievable secure sum−rateRandom coding achievable secure sum−rate
Fig. 3:
Achievable sum rate evaluated for the two-user asymmetricGaussian wiretap MAC with channel gains given as in (11) atSNR=25 dB.
Thus, the asymptotic behavior of the proposed scheme agreeswith the result in [2]. In fact, we can further improve thepresented scheme so that its asymptotic behavior reaches theoptimal secure degrees of freedom given in [3]. The latter isaimed to be presented in the extended version.IV. P
ROOF OF T HEOREM R N . To this end, each encodedcodeword ˜ x at transmitter ℓ is scaled before the transmissionby a factor of g ℓ , i.e., x ℓ = ˜ x ℓ g ℓ , so that the eavesdropperreceives the sum of the codewords ˜ x as its channel output,i.e., y E = P Kℓ =1 ˜ x + z E . Consequently, user ℓ generatesits codewords ˜ x using power of SNR ℓ , g ℓ P so that thetransmitted codewords x ℓ satisfy the power constraint in (2).As it was mentioned earlier, to address the problem of userswith different powers, we utilize the asymmetric compute-and-forward framework along with a nested lattice structure. In ourasymmetric compute-and-forward framework, user ℓ generatesa sequence of n -length lattice codewords t ℓ using a pair offine and coarse lattice sets as (Λ f,ℓ , Λ ℓ ) . The coarse lattice Λ ℓ is scaled such that its second moment equals to the availablepower at user ℓ , i.e., SNR ℓ = g ℓ P . Also, we impose a nestedstructure on the users’ lattice pairs as Λ K ⊆ Λ K − ⊆ · · · ⊆ Λ ⊆ Λ f,K ⊆ · · · ⊆ Λ f, (13)In the rest of the proof, we shall assume π ( ℓ ) = ℓ, ∀ ℓ in (8).If that is not the case, we can simply re-index the users indicesnd define a nested structure as in (13) for the re-indexed users.User ℓ constructs its codebook in three steps. The first stepfor user ℓ is to construct its inner codebook L ℓ , Λ f,ℓ ∩ V ℓ ,where V ℓ is the fundamental Voronoi region of the coarselattice Λ ℓ . The ratio between the coarse and the fine latticesis set such that L ℓ consists of nR comb,ℓ inner codewords t ℓ ,i.e., R comb,ℓ = n log (cid:12)(cid:12) Λ f,ℓ ∩ V ℓ (cid:12)(cid:12) , ∀ ℓ . The inner codewords t ℓ have a uniform distribution over L ℓ .In the second step, user ℓ builds its outer codebook bygenerating B i.i.d. copies of the inner codewords t ℓ , for somelarge enough B . Let us denote the outer codewords as ¯ t ℓ .Then we have ¯ t ℓ , [ t [1] ℓ , . . . , t [ B ] ℓ ] . Note that each t [ i ] ℓ isindependently and uniformly distributed over L ℓ . It is worthto mention that the outer code is added only for technicalityreasons in the proof of Lemma 2 in [8] and it does notincrease secrecy. Also, adding the outer layer to the codebookchanges the block length of the overall codewords from n to N , B × n .Finally, in the third step, the wiretap codebook is built.To this end, user ℓ partitions the outer codewords ¯ t ℓ into NR ℓ equal-size bins and randomly assigns each index w ℓ ∈{ , . . . , NR ℓ } to exactly one bin. Rates R ℓ are chosensuch that they satisfy (6) and P Kℓ =1 R ℓ = P Kℓ =2 R comb,ℓ − log (cid:0) P ℓ g ℓ g (cid:1) + ǫ , for some small ǫ > . Also, user ℓ hasa random dither d [ i ] ℓ for each block i , which is independentlygenerated according to a uniform distribution over V ℓ . Dithersare public and do not increase secrecy. To send a message W ℓ = w ℓ , user ℓ randomly picks acodeword ¯ t ℓ from the corresponding bin and dithers it. Then,it scales the resulting codeword by the factor of g ℓ . The signaltransmitted by user ℓ is x ℓ △ = 1 g ℓ (cid:0)(cid:2) ¯ t ℓ + ¯ d ℓ (cid:3) mod Λ ℓ (cid:1) (14)Note that in (14) the modular operation is done block-wise,meaning that for i ∈ { , . . . , B } the signal transmitted atblock i is g ℓ ([ t [ i ] ℓ + d [ i ] ℓ ] mod Λ ℓ ) . Proof of secrecy
In this subsection, we bound the eavesdropper’s equivoca-tion rate. Without loss of generality, let us assume R comb,ℓ > , ∀ ℓ . We have N H ( W , . . . , W K (cid:12)(cid:12) y E , ¯ d , . . . , ¯ d K ) ≥ N H (¯ t , . . . , ¯ t K (cid:12)(cid:12) y E , ¯ d , . . . , ¯ d K ) − N H (¯ t , . . . , ¯ t K (cid:12)(cid:12) W , . . . , W K , y E , ¯ d , . . . , ¯ d K ) ( a ) ≥ N H (¯ t , . . . , ¯ t K (cid:12)(cid:12) y E , ¯ d , . . . , ¯ d K ) − ǫ ≥ N H (¯ t , . . . , ¯ t K (cid:12)(cid:12) y E , ¯ d , . . . , ¯ d K , z E ) − ǫ b ) = 1 N H ¯ t , . . . , ¯ t K (cid:12)(cid:12)(cid:12)(cid:12) K X ℓ =1 g ℓ x ℓ , ¯ d , . . . , ¯ d K ! − ǫ As the average leakage rate (w.r.t. dithers) goes to zero, there must exista sequence of deterministic dithers for which the leakage rate goes to zero. ( c ) = 1 N H ¯ t , . . . , ¯ t K (cid:12)(cid:12)(cid:12)(cid:12) " K X ℓ =1 ¯ t ℓ mod Λ , ¯ u , ¯ d , . . . , ¯ d K ! − ǫ d ) = 1 N H ¯ t , . . . , ¯ t K (cid:12)(cid:12)(cid:12)(cid:12) " K X ℓ =1 ¯ t ℓ mod Λ , ¯ u , ¯ d , . . . , ¯ d K ! − ǫ e ) ≥ N H ¯ t , . . . , ¯ t K (cid:12)(cid:12)(cid:12)(cid:12) " K X ℓ =1 ¯ t ℓ mod Λ ! − N H (¯ u ) − ǫ f ) = 1 N H (¯ t , . . . , ¯ t K ) − N H (¯ u ) − ǫ g ) = BN K X ℓ =2 nR comb,ℓ − BN H ( u [1]1 ) − ǫ h ) ≥ K X ℓ =2 R comb,ℓ − (1 − ǫ ) 12 log P Kℓ =1 g ℓ + ǫg ! − δ ( ǫ ) − ǫ ≥ K X ℓ =2 R comb,ℓ −
12 log P Kℓ =1 g ℓ g ! − ǫg − δ ( ǫ ) − ǫ i ) = K X ℓ =2 R comb,ℓ −
12 log P Kℓ =1 g ℓ g ! − ǫ (15)In the above inequalities, (a) is deduced from applying thepacking lemma to the outer codewords (detailed proof of thisstep is provided in Appendix of [8]). (b) is true since aftersubtracting the noise from y E , the remaining random vectorsbecome independent of the noise. (c) is true since Λ is thedensest lattice among the lattices (Λ , Λ , . . . , Λ K ) , accordingto the nested structure in (13). Therefore, " K X ℓ =1 g ℓ x ℓ − K X ℓ =1 ¯ d ℓ mod Λ = " K X ℓ =1 ¯ t ℓ mod Λ . Also, notice that H K X ℓ =1 g ℓ x ℓ ! = H " K X ℓ =1 g ℓ x ℓ mod Λ , ¯ u ! , where ¯ u △ = P Kℓ =1 g ℓ x ℓ − hP Kℓ =1 g ℓ x ℓ i mod Λ . Inequality(d) is due to the reason that the codeword ¯ t can be obtainedfrom the modulo-sum hP Kℓ =1 ¯ t ℓ i mod Λ and the sequence ofcodewords ¯ t , . . . , ¯ t K . (e) holds since dithers are independentof the codewords and conditioning reduces entropy. (f) isdeduced from Lemma 2 in [9] (Crypto lemma), which impliesthat for each block i ∈ [1 , B ] , h t [ i ]1 + P Kℓ =2 t [ i ] ℓ i mod Λ hasuniform distribution over the codebook L and is independentof P Kℓ =2 t [ i ] ℓ . (g) is true since (cid:12)(cid:12) L ℓ (cid:12)(cid:12) = 2 nR comb,ℓ and for i ∈ { , . . . , B } , inner codewords t [ i ] ℓ have i.i.d. uniformdistribution over L ℓ , ∀ ℓ . Also, ¯ u consists of B i.i.d. copiesof u [ i ]1 by its definition. (h) follows from applying Lemma 1in Appendix to u [1]1 , and finally, (i) is deduced by defining ǫ , δ ( ǫ ) + ǫg + 2 ǫ . Thus, the condition in (4) is satisfiedand the proof of secrecy is completed.V. C ONCLUSION
In this paper, we proposed a security scheme built on theasymmetric compute-and-forward framework, which works atny finite SNR. The achievable secure sum rate presented inour scheme scales with log(SNR) and therefore, it signifi-cantly outperforms the existing random coding result for themost SNR regimes. Our presented scheme also achieves a totalsecure DoF of K − K . This result can be furthered improved toachieve the optimal secure DoF which is aimed to be presentedin our future work. A CKNOWLEDGMENT
The authors would like to thank Bobak Nazer and PrakashIshwar for their valuable comments and helpful discussions.R
EFERENCES[1] E. Tekin and A. Yener, “The general gaussian multiple-access and two-way wiretap channels: Achievable rates and cooperative jamming,”
IEEETransactions on Information Theory , vol. 54, no. 6, pp. 2735–2751, 2008.[2] G. Bagherikaram, A. S. Motahari, and A. K. Khandani, “On the se-cure degrees-of-freedom of the multiple-access-channel,” available onlinehttp://arxiv.org/abs/1003.0729.[3] J. Xie and S. Ulukus, “Secure degrees of freedom of one-hopwireless networks,” Submitted September 2012, available onlinehttp://arxiv.org/abs/1209.5370.[4] B. Nazer and M. Gastpar, “Compute-and-forward: Harnessing inter-ference through structured codes,”
IEEE Transactions on InformationTheory , vol. 57, no. 10, pp. 6463–6486, 2011.[5] O. Ordentlich, U. Erez, and B. Nazer, “The approximate sum ca-pacity of the symmetric gaussian k-user interference channel,”
IEEETransactions on Information Theory , To appear 2014, available onlinehttp://arxiv.org/abs/1206.0197.[6] V. Ntranos, V. R. Cadambe, B. Nazer, and G. Caire, “Asymmetriccompute-and-forward,” in , Monticello, IL, September 2013.[7] U. Erez and R. Zamir, “Achieving log(1 + SNR) on the AWGN channel with lattice encoding and decoding,”
IEEE Transactions onInformation Theory , vol. 50, no. 10, pp. 2293–2314, 2004.[8] P. Babaheidarian and S. Salimi, “Compute-and-forward canbuy sececy cheap (extended version),” preprint available athttp://blogs.bu.edu/parisabh/files/2015/01/Extendedversion.pdf , 2015.[9] G. D. Forney, “On the role of mmse estimation in approaching theinformation-theoretic limits of linear gaussian channels: Shannon meetswiener,” in , Monticello, IL, September 2003. A PPENDIX
Lemma 1:
Consider a set of n -dimensional lattices Λ , . . . , Λ K with their fundamental Voronoi regions as V , . . . , V K , respectively. Assume that all the lattices arescaled such that their second moments equal to SNR ℓ = g ℓ P, ∀ ℓ ∈ { , . . . , K } , where P > . Now construct randomvectors u j , for j ∈ { , . . . , K } , as u j , Q Λ j (cid:16)P Kℓ =1 s ℓ (cid:17) ,where s , . . . , s K are independent n -dimensional random vec-tors uniformly distributed over V , . . . , V K , respectively, andthe operation Q Λ j ( . ) is the nearest neighbor quantizer withrespect to the lattice Λ j . Then, for all ǫ > and sufficientlylarge n , the entropy of u j is bounded as n H ( u j ) ≤ (1 − ǫ ) 12 log P Kℓ =1 g ℓ + ǫg j ! + δ ( ǫ ) ∀ j (16)where δ ( ǫ ) tends to zero as ǫ → . Proof:
According to Lemma 1, u j is the output of the latticequantizer Q Λ j , so it can only take discrete values. To boundthe entropy of u j , first we bound the range of k P Kℓ =1 s ℓ k asfollows. Let r cov ,ℓ denote the covering radius of Λ ℓ , i.e., theradius of the smallest ball containing the Voronoi region V ℓ . Also, let r eff ,ℓ denote the radius of the sphere which hasthe same volume as the volume of V ℓ , i.e., Vol( B ( r eff ,ℓ )) =Vol( V ℓ ) . Now, consider K ( n -dimensional) balls whose sec-ond moments per dimension equal to σ , σ , . . . , σ K and theirradii are given as r cov , , r cov , , . . . , r cov ,K , respectively. Next,for each ℓ ∈ { , . . . , K } , consider a random vector b ℓ withthe uniform distribution over an n -dimensional ball B ( r cov ,ℓ ) .Recall that a ball has the smallest normalized second momentfor a given volume [7]. Therefore, we have g ℓ P = 1 n E k s ℓ k ≥ n E (cid:13)(cid:13)(cid:13)(cid:13) (cid:18) r eff ,ℓ r cov ,ℓ (cid:19) b ℓ (cid:13)(cid:13)(cid:13)(cid:13) = (cid:18) r eff ,ℓ r cov ,ℓ (cid:19) σ ℓ , ∀ ℓ (17)Now, consider a random vector z eq , P Kℓ =1 z ℓ , in whichrandom vectors z ℓ are i.i.d. according to the distribu-tion N ( , σ ℓ I ) and therefore, z eq ∼ N ( , σ eq I ) . Then,from (17) we have σ z eq = P Kℓ =1 σ ℓ ≤ P Kℓ =1 (cid:16) r cov ,ℓ r eff ,ℓ (cid:17) g ℓ P .Now, using Lemma 11 in [7], we conclude that e K.n.c ( n ) f z eq ( z eq ) = e K.n.c ( n ) ( f z ( z eq ) ∗ ... ∗ f z K ( z eq )) ≥ f P Kℓ =1 s ℓ ( z eq ) (18)where n.c ( n ) goes to zero as n goes to infinity. Noticethat in deriving (18) we also used the fact that vectors s ℓ are independent vectors, and hence, pdf of their sum is theconvolution of their individual pdfs. Now we can bound therange of k P Kℓ =1 s ℓ k as follows. For any ǫ > , Pr (cid:18)(cid:13)(cid:13) K X ℓ =1 s ℓ (cid:13)(cid:13) B (cid:16)q nσ z eq + nǫ (cid:17) (cid:19) ( a ) ≤ e K.n.c ( n ) Pr (cid:18) k z eq k 6∈ B (cid:16)q nσ z eq + nǫ (cid:17) (cid:19) ≤ ǫ. Inequality (a) follows from (18) and non-negativity of the ℓ -norm. Also, the last inequality is deduced from the Weak Lawof Large numbers (WLL) for sufficiently large n . Since weshowed that (cid:13)(cid:13) P Kℓ =1 s ℓ (cid:13)(cid:13) belongs to the ball B ( q nσ zeq + nǫ ) with probability − ǫ , it only remains to find an upper boundon the number of non-intersecting Voronoi regions V j whichfit in this ball, i.e., V ol (cid:18) B (cid:16)q nσ z eq + nǫ (cid:17) (cid:19) V ol ( V j ) = V ol (cid:18) B (cid:16)q nσ z eq + nǫ (cid:17) (cid:19) V ol ( B ( r eff ,j )) ( a ) ≤ (cid:18) nσ z eq + nǫ (cid:16) r eff ,j r cov ,j (cid:17) ng j P (cid:19) n ( b ) ≤ (cid:18) P Kℓ =1 (cid:16) r cov ,ℓ r eff ,ℓ (cid:17) g ℓ + ǫ (cid:16) r eff ,j r cov ,j (cid:17) g j (cid:19) n , where inequality (a) is concluded from Lemma 6 in [7] andinequality (b) follows from (17). Finally, recall that for a highdimensional good lattices, we have log (cid:16) r cov ,ℓ r eff ,ℓ (cid:17) → [7].Therefore, n H ( u j ) ≤ (1 − ǫ ) 12 log (cid:18) P Kℓ =1 g ℓ + ǫg j (cid:19) + δ ( ǫ ) . Note that using WLL, the term δ ( ǫ ) tends zero as n goes toinfinity. This completes the proof.goes toinfinity. This completes the proof.