Construction of wiretap codes from ordinary channel codes
aa r X i v : . [ c s . I T ] J a n Construction of wiretap codes from ordinarychannel codes
Masahito Hayashi
Graduate School of Information Sciences, Tohoku Univ., JapanCQT, National Univ. of Singapore, SingaporeEmail: [email protected]
Ryutaroh Matsumoto
Dept. of Communications and Integrated Systems,Tokyo Institute of Technology, 152-8550 JapanEmail: [email protected]
Abstract —From an arbitrary given channel code over a dis-crete or Gaussian memoryless channel, we construct a wiretapcode with the strong security. Our construction can achieve thewiretap capacity under mild assumptions. The key tool is thenew privacy amplification theorem bounding the eavesdroppedinformation in terms of the Gallager function.
I. I
NTRODUCTION
The information theoretical security [15] recently has at-tracted huge interest. The wiretap channel [7], [21] is oneof its fundamental problems. On a wiretap channel, signalsfrom the legitimate sender, called Alice, is delivered to bothlegitimate receiver, called Bob, and eavesdropper, called Eve.The goal of Alice is to deliver messages to Bob with lowdecoding probability while keeping Eve from knowing muchabout the messages. The capacity of wiretap channels hasbeen determined for discrete memoryless channels [7], [21]and for Gaussian channels [14] with a weaker notion ofsecurity. The capacity of the above wiretap channels are alsodetermined with a stronger notion of security [2], [6], [11].The exponential decreasing rate of eavesdropped informationis also evaluated in [11], [12]. Shannon theoretic study of thewiretap channels is fairly advanced.On the other hand, there is still room for research in theactual construction of codes for the wiretap channels, whichwe call the wiretap codes. Thangaraj et al. [20] proposedan LDPC based construction for specific discrete memory-less channels, and Klinc et al. [13] proposed another LDPCbased construction for Gaussian channels. Hamada [10] andHayashi [12] proposed general linear code based constructionfor additive discrete memoryless channels. Muramatsu andMiyake proposed a construction based on the hashing propertyof LDPC matrices [18], whose decoding requires the high-complexity minimum entropy decoder.In those constructions except [12], error correction andprovision of secrecy are combined in the constructed cod-ing scheme. This prevents us from using well-studied error-correcting codes for the error correction in the wiretap codes,and we need to adjust existing error-correcting codes or inventa new wiretap code. This inconvenience may not be necessary.In fact, in the quantum key distribution protocols, the errorcorrection and the provision of secrecy can be separatelystudied and developed, see [16] and references therein. Moreover, previous constructions for discrete memorylesschannels do not cover all the discrete memoryless channelsexcept [18]. It is desirable to have a construction of wiretapcodes that can be used for any discrete memoryless channels.In this paper, we show two constructions of wiretap codesfrom encoder and decoder in an ordinary channel code. Wedo not modify the channel encoder nor decoder. We attach thetwo-universal hash function to the encoder and the decoder inorder to realize secrecy from Eve. We show that our construc-tion can achieve the wiretap capacity in the strong securitysense over discrete and Gaussian memoryless channels, whilesome of previous constructions do not have proofs of thestrong security.The key tools for our constructions are the new forms ofthe privacy amplification (PA) theorem [3]. The original PAtheorem [3] does not achieve the optimal rate of PA, whichis the conditional Shannon entropy of Alice’s informationconditioned on Eve’s information. Renner [19] improved it sothat Renner’s version of the theorem can achieve the optimalrate. However, it does not enable us to construct the wiretapcode using an existing channel code. The reason is that wecannot numerically compute the necessay rate of hashing fora given channel code in order for Eve’s information on secretmessage to become sufficiently small. So we present twonew forms of the PA theorem. One is already given in [12].However, it requires the random selection of a chennel encoderfrom the given family of channel codes. We shall provideanother form of the PA theorem in Theorem 7, which enablesus to construct a wiretap code from single channel encoder.Our new PA theorem is a nontrivial adaptation of the channelresolvability lemma [11, Lemma 2].This paper is organized as follows: In Sec. II we fix nota-tions used in this paper. In Secs. III and IV two constructionsof wiretap codes are given. In Sec. V we present a novelprivacy amplification theorem bounding the eavesdroppedinformation in terms of the Gallager function. Section VIconcludes the paper. II. P
RELIMINARY
In this section we shall fix notations used in this paper andreview necessary prior results. Let X be the finite alphabetof channel inputs, Y the alphabet of channel outputs tothe legitimate receiver, called Bob, and Z the alphabet ofhannel outputs to the eavesdropper, called Eve. The legitimatesender is called Alice. We fix the conditional probability orconditional probability density Q Y | X of the channel to Boband Q Z | X of the channel to Eve. We assume channels arememoryless and further assume that • both Y and Z are finite, which means that the channelsare discrete memoryless, • or Y = Z = R and the channels are additive Gaussian.Let M n be the set of messages transmitted to Bob secretlyfrom Eve, η Alice ,n a stochastic map from M n to X n of awiretap encoder, and η Bob ,n a deterministic map from Y n to M n . We use the natural logarithm instead of log forconvenience. Definition 1:
A rate
R > is said to be achievable if thereexists a sequence ( η Alice ,n , η Bob ,n ) of encoders and decoderssuch that lim n →∞ Pr[ M n = η Bob ,n ( η Alice ,n ( M n ))] = 0 , lim n →∞ I ( M n ; Z n ) = 0 , lim inf n →∞ ln |M n | ≥ R, where M n is the uniform random variable over M n and Z n is the random variable for Eve’s channel output from channelinput η Alice ,n ( M n ) . The supremum of the achievable rates isthe capacity of the wiretap channel ( Q Y | X , Q Z | X ) .Note that we employ the strong security criterion introducedby Csisz´ar [6] and Maurer and Wolf [17]. The necessity forthe strong security is given in [2], [17]. Proposition 2: [2], [6], [11] The capacity of the wiretapchannel ( Q Y | X , Q Z | X ) is max P T ,P X | T [ I ( T ; Y ) − I ( T ; Z )] . (1)In the next section, we shall show a construction of wiretapencoder and decoder from arbitrary given channel encoder anddecoder. In the construction, we assume that we are given Q X | T achieving the maximum of Eq. (1). Note that when thewiretap channel is Gaussian, it is degraded and we can take T = X without losing the optimality. In the construction, weshall also use a family of the two-universal hash functions [5],which is reviewed next. Definition 3:
Let S and S be finite sets and F a subsetof the set of all mappings from S to S . The family F issaid to be a family of two-universal hash functions if Pr[ F ( x ) = F ( x )] ≤ / |S | , for all distinct x and x in S , where F is the uniform randomvariable on F .III. R ANDOMIZED CONSTRUCTION OF A WIRETAP CODE
A. Encoder and decoder
In this section we shall construct wiretap encoder anddecoder from arbitrary given ordinary channel encoder anddecoder. The construction in this section can achieve thewiretap capacity (1) if the uniform distribution on T realizesthe wiretap capacity (1). The assumptions are: • We know Q X | T achieving the maximum of Eq. (1).Denote by T the alphabet of T . • We are given a family channel encoders µ Alice ,n,g indexedby g ∈ G n mapping a message in the message set L n to acodeword in T n and a channel decoder µ Bob ,n,g mappinga received signal in Y n to a message in L n . The channelencoder µ Alice ,n,g is a one-to-one map, and T n is equalto the disjoint union of µ Alice ,n,g ( L n ) for g ∈ G n . • We are given a family F n of two-universal hash functionsfrom L n to M n , where M n is the message set of thewiretap code. Remark 4:
The assumption on the channel encoders isusually met with linear codes. We usually use the codebookof a linear code whose codewords have zero syndrome. If weallow codebooks to have nonzero syndrome, then the familyof codebooks with multiple syndromes constitutes the familyof encoders { µ Alice ,n,g | g ∈ G n } .From these assumptions, we can construct a wiretap en-coder, which is an extension of Hayashi’s construction [12].Choose a hash function F n uniformly randomly from F n and G ∈ G n . For a given message M n to the wiretapencoder of code length n , choose a message L n uniformlyrandomly from F − n ( M n ) ⊂ L n , and compute the codeword T n = µ Alice ,n,G ( L n ) from the channel encoder. Finally, com-pute the actually transmitted signal X n by passing T n to theartificial memoryless channel Q nX | T . The decoder maps a givenreceived signal Y n in Y n to the message F n ( µ Bob ,n ( Y n )) ∈M n .The random selection of F n and G n is a fatal problem be-cause it requires sharing of common randomness between Al-ice and Bob. However, we shall show that I ( M n ; Z n | F n , G n ) can be upper bounded by an arbitrary positive number ǫ × ǫ ,which means that at least − ǫ ) % choices of f n ∈ F n and g n ∈ G n keep I ( M n ; Z n | F n = f n , G n = g n ) below ǫ . Thusthe legitimate sender and receiver can agree on the randomchoice of f n before transmission of the secret messsage M n . B. Evaluation of the eavesdropped information
It should be clear that the (block) average decoding errorprobability of the constructed wiretap code is lower than orequal to that of the underlying code ( µ Alice ,n,g , µ Alice ,n,g ) for g ∈ G n regardless of random choices of F n and L n from M n . The remaining task is evaluation of the eavesdroppedinformation I ( M n , Z n ) , where Z n is Eve’s received signalon the channel input X n . To do so, we introduce Hayashi’sversion of the privacy amplification theorem [12] Proposition 5:
Let L be the uniform random variable witha finite alphabet L and Z any random variable. If Z is notdiscrete random variable then the conditional probability of Z given L is assumed to be Gaussian. Let F be a family of two-universal hash functions from L to M , and F be the uniformrandom variable on F . Then H ( F ( L ) | F, Z ) ≥ ln |M| − |M| s × exp( ψ ( s, P LZ )) s |L| s < s ≤ , where ψ ( s, P LZ ) = ln X z P ℓ P L ( ℓ )( P Z | L ( z | ℓ )) s P Z ( z ) s . If Z is conditionally Gaussian P z should be replaced by theintegration and P Z , P Z | L denote probability densities. Remark 6:
The above proposition is a combination of [12,Eq. (2)] and the argument in proof of [12, Theorem 2]. Itwas assumed that Z was discrete in [12]. However, whenthe conditional probability of Z given L is Gaussian, thereis no difficulty to extend the original result. It should be alsonoted that the uniformity assumption on L is indispensable,otherwise the claim is false.By the above proposition, for fixed G = g ∈ G n we have I ( M n ; Z gn , F n ) = I ( M n ; Z gn | F n )= H ( M n | F n ) − H ( M n | Z gn , F n ) ≤ ln |M n | − H ( M n | Z gn , F n ) ≤ |M n | s × exp( ψ ( s, P gL n Z n )) |L n | s s (2)for < s ≤ , where P gL n Z n is the joint probabilitydistribution and Z gn is Eve’s received signal with a fixed g ∈ G n A major problem with the last upper bound (2) on I ( M n ; Z n | F n ) is that for a given channel code it is practicallyimpossible to numerically compute ψ ( s, P gL n Z n ) . To overcomethis difficulty we shall upper bound exp( ψ ( s, P gL n Z n )) by exp( ψ ( s, P T Z )) , where P T Z is a joint distribution on
T × Z .Let T g = µ Alice ,n,g ( L n ) that is a random variableon T n . Note that T g is the uniform random variable on µ Alice ,n,g ( L n ) ⊂ T n . By the assumption on the givenfamily of channel encoders µ Alice ,n,g , g ∈ G n , the convexcombination of P g ∈G n P T g / |G n | is the uniform distribution Uniform( T n ) on T n . By the concavity of exp( ψ ( s, · )) onthe channel input probability distribution [12, Lemma 1], wehave |G n | X g ∈G n exp( ψ ( s, P gL n Z n )) ≤ exp( ψ ( s, Q nZ | T Uniform( T n ))= exp( nψ ( s, Q Z | T Uniform( T )) . Observe that computation of the last mathematical expressionis easy for almost all channels.What we have proved is I ( M n ; Z n | F n , G n ) ≤ |M n | s × exp( nψ ( s, Q Z | T Uniform( T ))) |L n | s s . (3)Observe that the minimization of the RHS of Eq. (3) over s isalso computable by the bisection method [4, Algorithm 4.1]because it is convex with respect to s . The logarithm of the The concavity is proved under that assumption that Z is finite. However,if the conditional probability Q Z | X is Gaussian, the concavity proof needsno change except notational ones. right hand side is s (cid:18) ln |M n | − ln |L n | + nψ ( s, Q Z | T Uniform( T )) s (cid:19) − ln s. (4)By l’Hˆopital’s theorem, we have lim s → +0 ψ ( s, Q Z | T Uniform( T )) s = I (Uniform( T ) , Q Z | T ) , where the right hand side is the mutual information betweenthe channel output and the uniform channel input to theimaginary channel Q Z | T . Thus, by choosing s such that ψ ( s,Q Z | T Uniform( T )) s < I (Uniform( T ) , Q Z | T ) + δ , we can seethat if ln |M n | < ln |L n − n ( I (Uniform( T ) , Q Z | T ) + δ ) forsome δ > then Eq. (4) converges to −∞ as n → ∞ ,which means the eavesdropper Eve has little information onthe secret message. This means that if ln |L n | /n converges to I (Uniform( T ) , Q Z | T ) and the wiretap capacity (1) is achievedwith uniform channel input then this construction also achievesthe wiretap capacity.Drawbacks in the proposed construction is the randomselection of channel encoders. This requires that almost allpairs of encoder and decoder have to provide low decodingerror probability, which is not verified with most of channelcodes. Moreover, in some case, for example the channelencoder using the Trellis shaper [8], it is difficult to preparea family of encoders that satisfies the requirement. Thus, inthe next section, we show a deterministic construction of awiretap code from a given channel code.IV. D ETERMINISTIC CONSTRUCTION OF A WIRETAP CODE
In this section, we assume that the index set G n has onlyone element, and we are given a pair of an encoder µ Alice ,n a decoder µ Bob ,n . We also assume that the given family F n of hash functions satisfies the condition that for all f ∈ F n and m ∈ M n we have | f − ( m ) | = |L n | / |M n | in orderto apply Theorem 7 in Sec. V. This assumption on F n issatisfied, for example when M n = F kq and L n = F nq , usingthe set of all the surjective linear maps from L n to M n .Moreover, the linear mappings defined by the concatenation ofthe identity matrix and the Toeplitz matrix considered in [12,Appendix] also satisfy the assumption and is more efficientlyimplemented in practice.The construction of the wiretap code is the same as theprevious section except that there is no random selection ofencoders. The construction in this section can achieve thewiretap capacity (1) if the distribution P T on T realizing (1)also maximizes the mutual information I ( P T , Q Z | T ) to theeavesdropper. In order to evaluate the average of the mutualinformation, we develop a new privacy amplification theorem(Theorem 7) based on Gallager function by modifying [11,Lemma 2] in the next section. Applying this result, one canshow that I ( M n ; Z n | F n ) ≤ |M| s exp( φ ( s, Q nZ | T , P T n )) |L| s s , ≤ s ≤ / , where φ ( s, Q nZ | T , P T n )= ln Z Z n X t ∈T n P T n ( t )( Q nZ | T ( z | t )) / (1 − s ) ! − s dz. If Z is finite, the integration should be replaced by summationand Q Z | T should be interpreted as the conditional probability.Again, for a given channel encoder µ Alice ,n , it is alsopractically impossible to compute φ ( s, Q nZ | T , P T n ) . We shallshow that a method to upper bound it. We have exp( φ ( s, Q nZ | T , P T n )) ≤ max P n exp( φ ( s, Q nZ | T , P n )) , where P n is a probability distribution on T n . Observe that φ is essentially same as the function E in [1], [9]. Thus if P ,s maximizes exp( φ ( s, Q Z | T , P ,s )) , then its n -fold i.i.d.extension P n ,s also maximizes max P n exp( φ ( s, Q nZ | T , P n )) [1], and we have I ( M n ; Z n | F n ) ≤ |M| s exp( nφ ( s, Q Z | T , P ,s )) |L| s s . (5)Observe that for fixed s and Q Z | T , exp( φ ( s, Q Z | T , P ,s )) isa concave function on a convex set and P ,s can easily becomputed [4]. Observe also that for fixed Q Z | T , the function max P ,s [RHS of Eq. (5)] is a convex function of s , thus min s max P ,s [RHS of Eq. (5)] can also be easily computedby the bisection method [4, Algorithm 4.1].The logarithm of the right hand side is s (cid:18) ln |M n | − ln |L n | + nφ ( s, Q Z | T , P ,s ) s (cid:19) − ln s. Since φ is essentially E in [9], lim s → φ ( s, Q Z | T , P ) /s = I ( P, Q Z | T ) , where P is a distribution on T . Let P max be adistribution on T maximizing I ( P, Q Z | T ) . Therefore, by thealmost same argument as Section II, if ln |M n | < ln |L n | − n ( I ( P max , Q Z | T ) + δ ) for all n , then I ( M n ; Z n | F n ) goes tozero as n → ∞ . If P max also maximizes the wiretap capacity(1) and the given channel code achieves the information rate I ( P max , Q Y | T ) then the construction in this section achievesthe wiretap capacity.V. N EW PRIVACY AMPLIFICATION THEOREM IN TERMS OFTHE G ALLAGER FUNCTION
We shall show the following new privacy amplification the-orem that is indispensable with the deterministic constructionof wiretap codes in Sec. IV.
Theorem 7:
Assume that the given family of two-universalhash function F from L to M satisfies that | F − ( m ) | = |L||M| , ∀ m, a fixed conditional probability Q Z | L is given, and the randomvariable L obeys the uniform distribution on L . Then, I ( F ( L ); Z | F ) = E F I ( F ( L ); Z ) ≤ |M| s exp( ¯ φ ( s, Q Z | L )) |L| s s , (6) for ≤ s ≤ / , where E F expresses the expectationconcerning the random variable F , ¯ φ ( s, Q Z | L ) = ln Z Z (cid:16) E L ( Q Z | L ( z | L )) / (1 − s ) (cid:17) − s dz and dz is an arbitrary measure. Proof.
Observe first that the joint probability P F L = P F × P L and the conditional probability Q Z | L uniquely determines Q Z | F ( L ) . We can check that the function s ¯ φ ( s, Q nZ | F ( L ) ) satisfies the following properties: ¯ φ (0 , Q Z | F ( L ) ) = 0 , d ¯ φ ( s, Q Z | F ( L ) ) ds ≥ d ¯ φ ( s, Q Z | F ( L ) ) ds (cid:12)(cid:12)(cid:12) s =0 = I ( F ( L ); Z ) . Hence, its convexity guarantees the inequality s E F I ( F ( L ); Z ) ≤ E F ¯ φ ( s, Q Z | F ( L ) ) , which implies theinequality E F I ( F ( L ); Z ) ≤ E F ¯ φ ( s, Q Z | F ( L ) ) s (7)for < s ≤ . In the following, we denote the uniformdistriburtion on L by P L Let u = − s , then ≥ u > and s = u u . Since x x u is concave, E F (cid:2) X ℓ ′ : F ( ℓ ′ )= F ( ℓ ) ,ℓ ′ = ℓ Q Z | L ( z | ℓ ′ ) (cid:3) u ≤ (cid:2) E F X ℓ ′ : F ( ℓ ′ )= F ( ℓ ) ,ℓ ′ = ℓ Q Z | L ( z | ℓ ′ ) (cid:3) u ≤ (cid:2) X ℓ ′ : ℓ ′ = ℓ |M| Q Z | L ( z | ℓ ′ ) (cid:3) u ≤ (cid:2) |L||M| Q Z ( z ) (cid:3) u = ( |L||M| ) u Q Z ( z ) u . (8)Using (8) and the relation ( x + y ) u ≤ x u + y u for two positivereal numbers x, y , we obtain e E F ¯ φ ( s,Q Z | F ( L ) ) ≤ E F e ¯ φ ( s,Q Z | F ( L ) ) (9) =E F Z Z (cid:16) X m ∈M |M| Q Z | F ( L ) ( z | m ) u (cid:17) u dz ≤ Z Z (cid:16) E F X m ∈M |M| Q Z | F ( L ) ( z | m ) u (cid:17) u dz (10) = Z Z (cid:16) E F X m ∈M |M| Q Z | F ( L ) ( z | m ) Q Z | F ( L ) ( z | m ) u (cid:17) u dz = Z Z (cid:16) E F X m ∈M |M| h X ℓ ∈L : F ( ℓ )= m |M||L| Q Z | L ( z | ℓ ) ih X ℓ ∈L : F ( ℓ )= m |M||L| Q Z | L ( z | ℓ ) i u (cid:17) u dz = Z Z (cid:16) E F X ℓ ∈L |L| Q Z | L ( z | ℓ )( |M||L| ) u h Q Z | L ( z | ℓ )+ X ℓ ′ ∈L : F ( ℓ ′ )= F ( ℓ ) ,ℓ ′ = ℓ Q Z | L ( z | ℓ ′ ) i u (cid:17) u dz Z Z (cid:16) E F X ℓ ∈L |L| Q Z | L ( z | ℓ )( |M||L| ) u h Q Z | L ( z | ℓ ) u + (cid:0) X ℓ ′ ∈L : F ( ℓ ′ )= F ( ℓ ) ,ℓ ′ = ℓ Q Z | L ( z | ℓ ′ ) (cid:1) u i(cid:17) u dz (11) = Z Z (cid:16) ( |M||L| ) u X ℓ ∈L |L| Q Z | L ( z | ℓ ) u + (cid:0) |M||L| (cid:1) u × X ℓ ∈L |L| Q Z | L ( z | ℓ )E F (cid:0) X ℓ = ℓ ′ ∈ F − ( ℓ ) Q Z | L ( z | ℓ ′ ) (cid:1) u (cid:17) u dz ≤ Z Z (cid:16) ( |M||L| ) u E L Q Z | L ( z | L ) u + ( |M||L| ) u Q Z ( z ) (cid:0) |L||M| (cid:1) u Q Z ( z ) u (cid:17) u dz (12) = Z Z (cid:16) ( |M||L| ) u E L Q Z | L ( z | L ) u + Q Z ( z ) u (cid:17) u dz ≤ Z Z (cid:16) ( |M||L| ) u E L Q Z | L ( z | L ) u (cid:17) u + ( Q Z ( z ) u ) u dz (13) = Z Z ( |M||L| ) u u (cid:16) E L Q Z | L ( z | L ) u (cid:17) u + Q Z ( z ) dz =1 + ( |M||L| ) u u Z Z (cid:16) E L Q Z | L ( z | L ) u (cid:17) u dz =1 + ( |M||L| ) s e ¯ φ ( s,Q nZ | L ) , where the inequalities can be shown in the following way.Ineq. (12) follows from (8). Ineq. (11) and (13) follow frominequality ( x + y ) u ≤ x u + y u for ≤ u ≤ and x, y ≥ .Ineq. (10) follows from the concavity of x x u for ≤ u ≤ . Ineq. (9) follows from the convexity of x e x . Since theabove inequality implies E F ¯ φ ( s, Q Z | F ( L ) ) ≤ ln[1 + ( |M||L| ) s e ¯ φ ( s,Q nZ | L ) ] ≤ ( |M||L| ) s e ¯ φ ( s,Q nZ | L ) , using (7) we obtain (6).VI. C ONCLUSION
In this paper, starting from an arbitrary given channel code,we showed two constructions of wiretap codes. The firstone involves the randomized selection of channel encoders.The second one is deterministic. These two construction canachieve the wiretap capacity under different conditions. Ourconstructions provide the strong security.Ideally, the addition of hash functions to an arbitrary givenchannel code should always achieve the wiretap capacitywhenever the given channel code achieves the capacity of thecomposition of the artificially added channel Q X | T plus thephysical channel Q Z | X . The proposed constructions fall shortof this ideal. The improved construction should be explored.The numerical computation of an optimal Q X | T from given Q Y | X and Q Z | X is also an open problem. A CKNOWLEDGMENT
The second author would like to thank Prof. YasutadaOohama, Prof. Tomohiko Uyematsu, Dr. Shun Watanabe, andDr. Kenta Kasai for helpful discussions. This research waspartially supported by a Grant-in-Aid for Scientific Researchin the Priority Area “Deepening and Expansion of StatisticalMechanical Informatics (DEX-SMI),” No. 18079014 and aMEXT Grant-in-Aid for Young Scientists (A) No. 20686026.R
EFERENCES[1] S. Arimoto, “On the converse to the coding theorem for discretememoryless channels,”
IEEE Trans. Inform. Theory , vol. 19, no. 3, pp.357–359, May 1973.[2] J. Barros and M. Bloch, “Strong secrecy for wireless channels,” in
ICITS2008 , ser. Lecture Notes in Compute Sciences, R. Safavi-Naini, Ed., vol.5155. Springer-Verlag, 2008, pp. 40–53.[3] C. H. Bennett, G. Brassard, C. Cr´epeau, and U. M. Maurer, “Generalizedprivacy amplification,”
IEEE Trans. Inform. Theory , vol. 41, no. 6, pp.1915–1923, Nov. 1995.[4] S. Boyd and L. Vandenberghe,
Convex Optimization . CambridgeUniversity Press, 2004.[5] J. L. Carter and M. N. Wegman, “Universal classes of hash functions,”
J. Comput. System Sci. , vol. 18, no. 2, pp. 143–154, Apr. 1979.[6] I. Csisz´ar, “Almost independence and secrecy capacity,”
Problems ofInformation Transmission , vol. 32, no. 1, pp. 40–47, 1996.[7] I. Csisz´ar and J. K¨oner, “Broadcast channels with confidential mes-sages,”
IEEE Trans. Inform. Theory , vol. 24, pp. 339–348, 1978.[8] G. D. Forney, Jr., “Trellis shaping,”
IEEE Trans. Inform. Theory , vol. 38,no. 2, pp. 281–300, Mar. 1992.[9] R. G. Gallager,
Information Theory and Reliable Communication . NewYork: John Wiley & Sons, 1968.[10] M. Hamada, “Security of quotient codes for classical wiretap channels,”in
Proc. SITA2009 , Dec. 2009, pp. 309–314.[11] M. Hayashi, “General non-asymptotic and asymptotic formulas in chan-nel resolvability and identification capacity and its application to wire-tap channel,”
IEEE Trans. Inform. Theory , vol. 52, no. 4, pp. 1562–1575,2006.[12] ——, “Exponential evaluations in universal random privacy amplifica-tion,” 2009, arXiv:0904.0308.[13] D. Klinc, J. Ha, S. M. McLaughlin, J. Barros, and B.-J. Kwak, “LDPCcodes for the Gaussian wiretap channel,” in
Proc. ITW , Oct. 2009, pp.95–99.[14] S. K. Leung-Yan-Cheong and M. E. Hellman, “The gaussian wire-tapchannel,”
IEEE Trans. Inform. Theory , vol. 24, pp. 451–456, Jul. 1978.[15] Y. Liang, H. V. Poor, and S. Shamai (Shitz),
Information TheoreticSecurity . Hanover, MA, USA: NOW Publishers, 2009.[16] R. Matsumoto, “Problems in application of ldpc codes to infor-mation reconciliation in quantum key distribution protocols,” 2009,arXiv:0908.2042.[17] U. Maurer and S. Wolf, “Information-theoretic key agreement: Fromweak to strong secrecy for free,” in
EUROCRYPTO 2000 , ser. LNCS,B. Preneel, Ed. Springer-Verlag, 2000, vol. 1807, pp. 351–368.[18] J. Muramatsu and S. Miyake, “Construction of wiretap channel codesby using sparse matrices,” in
Proc. ITW , Oct. 2009, pp. 105–109.[19] R. Renner, “Security of quantum key distribution,”
International Journalon Quantum Information , vol. 6, no. 1, pp. 1–127, Feb. 2008, (originallypublished as Ph.D thesis, ETH Z¨urich, Switzerland, 2005).[20] A. Thangaraj, S. Dihidar, A. Calderbank, S. McLaughlin, and J.-M.Merolla, “Application of ldpc codes to the wiretap channel,”
IEEE Trans.Inform. Theory , vol. 53, pp. 2933–2945, Aug. 2007.[21] A. D. Wyner, “The wire-tap channel,”
Bell System Tech. J. , vol. 54, pp.1355–1387, 1975., vol. 54, pp.1355–1387, 1975.