Providing Secrecy with Lattice Codes
Xiang He Aylin Yener
Wireless Communications and Networking Laboratory, Electrical Engineering Department, The Pennsylvania State University, University Park, PA 16802. [email protected] [email protected]
Abstract—Recent results have shown that lattice codes can be used to construct good channel codes, source codes and physical layer network codes for Gaussian channels. On the other hand, for Gaussian channels with secrecy constraints, efforts to date rely on random codes. In this work, we provide a tool to bridge these two areas so that the secrecy rate can be computed when lattice codes are used. In particular, we address the problem of bounding equivocation rates under the nonlinear modulus operation that is present in lattice encoders/decoders. The technique is then demonstrated in two Gaussian channel examples: (1) a Gaussian wiretap channel with a cooperative jammer, and (2) a multi-hop line network from a source to a destination with untrusted intermediate relay nodes from whom the information needs to be kept secret. In both cases, lattice codes are used to facilitate cooperative jamming. In the second case, interestingly, we demonstrate that a non-vanishing positive secrecy rate is achievable regardless of the number of hops.
I. INTRODUCTION
Information theoretic secrecy was first proposed by Shannon in [1]. In this classical model, Bob wants to send a message to Alice, which needs to be kept secret from Eve. Shannon's notion of secrecy requires the average rate of information leaked to Eve to be zero, with no assumption made on the computational power of Eve. Wyner, in [2], pointed out that, more often than not, the eavesdropper (Eve) has a noisy copy of the signal transmitted from the source, and building a useful secure communication system per Shannon's notion is possible [2]. Csiszar and Korner [3] extended this to a more general channel model.

Numerous channel models have since been studied under Shannon's framework. The maximum reliable transmission rate with secrecy is identified for several cases, including the Gaussian wiretap channel [4] and the MIMO wiretap channel [5], [6], [7]. The sum secrecy capacity for a degraded Gaussian multiple access wiretap channel is given in [8]. For other channels, upper bounds, lower bounds and some asymptotic results on the secrecy capacity exist. For the achievability part, Shannon's random coding argument proves to be effective in the majority of these works.

On the other hand, it is known that the random coding argument may be insufficient to prove capacity theorems for certain channels [9]. Instead, structured codes like lattice codes are used. Using structured codes has two benefits. First, it is relatively easy to analyze large networks under these codes. For example, in [10], [11], the lattice code allows the relaying scheme to be equivalent to a modulus sum operation, making it easy to trace the signal over a multi-hop relay network. Secondly, the structured nature of these codes makes it possible to align unwanted interference, for example, for the interference channel with more than two users [12], [13], and the two-way relay channel [10], [11]. A natural question is therefore whether structured codes are useful for secure communication as well.
In particular, in this work, we are interested in answering two questions:
1) How do we bound the secrecy capacity when structured codes are used?
2) Are there models where structured codes prove to be useful in providing secrecy?

Relevant references in this line of thinking include [14] and [15]. Reference [14] considers a binary additive two-way wiretap channel where one terminal uses binary jamming signals. Reference [15] examines a wiretap channel where the eavesdropping channel is a modulus-Λ channel. Under the proposed signaling scheme therein, the source uses a lattice code to convey the secret message, and the destination jams the eavesdropper with a lattice code. The eavesdropper sees the sum of these two codes, both taking values in a finite group, where the sum is carried out under the addition defined over the group. It is known that if the jamming signal is sampled from a uniform distribution over the group, then the sum is independent from the message.

While these are encouraging steps in showing the impact of structured jamming signals, as commented in [15], carrying this technique over to Gaussian channels is a non-trivial step. In the Gaussian channel, the eavesdropper also receives the sum of the signal from the source and the jamming signal. However, the addition is over the real numbers rather than over a finite group. The modulus sum property is therefore lost, and it is difficult to measure how much information is leaked to the eavesdropper.

Most lattice codes for power constrained transmission have a structure similar to the one used in [15]. First, a lattice is constructed, which should be a good channel code under the noise/interference. Then, to meet the power constraint, the lattice, or a shifted version of it, is intersected with a bounded set, called the shaping set, to create a set of lattice points with finite average power.
The lattice is shifted to make sure sufficiently many lattice points fall into the shaping set, to maintain the codebook size and hence the coding rate [16]. The decoder at the destination is called a lattice decoder if it is only asked to find the most likely lattice point given the received signals, and is not aware of the shaping set. Because of the structured nature of the lattice, a lattice decoder has lower complexity compared to the maximum likelihood decoder, where the knowledge of the shaping set is used. Also, under the lattice decoder, the introduction of the shaping set does not pose any additional difficulty to the analysis of decoding performance. Commonly used shaping sets include the sphere [12] and the fundamental region of a lattice [17].

A key observation is that, from the viewpoint of an eavesdropper, the shaping set actually provides useful information, since it reduces the set of lattice points the eavesdropper needs to consider. The main aim of this work, therefore, is to find a shaping set and lattice code construction under which the information leaked to the eavesdropper can be bounded. This shaping set, as we shall see, turns out to be the fundamental region of a "coarse" lattice in a nested lattice structure. Under this construction, we show that at most 1 bit is leaked to the eavesdropper per channel use. This enables us to lower bound the secrecy rate using a technique similar to the genie bound from [18].

To demonstrate the utility of our approach, we then apply our technique to two channel models: a Gaussian wiretap channel with a cooperative jammer, and a multi-hop line network, where a source can communicate with a destination only through a chain of untrusted relays. In the second case, we demonstrate that a non-vanishing positive secrecy rate is achievable regardless of the number of hops.

The following notation is used throughout this work: We use H to denote the entropy. ε_k is used to denote any variable that goes to 0 as n goes to ∞. We define C(x) = (1/2) log(1 + x).
⌊a⌋ denotes the largest integer less than or equal to a.

II. THE REPRESENTATION THEOREM
In this section, we present a result about lattice codes which will be useful in the sequel. Let Λ denote a lattice in R^N [17], i.e., a set of points which forms a group under real vector addition. The modulus operation x mod Λ is defined as x mod Λ = x − arg min_{y∈Λ} d(x, y), where d(x, y) is the Euclidean distance between x and y. The fundamental region V of the lattice is defined as the set {x : x mod Λ = x}. It is possible that more than one lattice point has the same minimal distance to x; a tie like this is broken by properly assigning the boundary of V [17].

Let t_A and t_B be two points taken from V. For any set A and real number c, define cA as cA = {cx : x ∈ A}. Then we have:

{t_A + t_B : t_A, t_B ∈ V} = 2V   (1)

Define A_x as A_x = {t_A + t_B + x : t_A, t_B ∈ V}. Then from (1), we have A_x = x + 2V. With this preparation, we are ready to prove the following representation theorem: Theorem 1:
There exists a random integer T, 1 ≤ T ≤ 2^N, such that t_A + t_B is uniquely determined by {T, (t_A + t_B) mod Λ}. Proof:
By the definition of the modulus-Λ operation, we have

(t_A + t_B) mod Λ = t_A + t_B + x, x ∈ Λ   (2)

The theorem is equivalent to bounding the number of possible x meeting equation (2) for a given (t_A + t_B) mod Λ. To do that, we need to know a little more about the structure of the lattice Λ. Every point in a lattice, by definition, can be represented in the following form [19]: x = Σ_{i=1}^N a_i v_i, v_i ∈ R^N, a_i ∈ Z. {a_i} are said to be the coordinates of the lattice point x under the basis {v_i}.

Based on this representation, we can define the following relationship: Consider two points x, y ∈ Λ, with coordinates {a_i} and {b_i} respectively. We say x ∼ y if a_i = b_i mod 2, i = 1...N. It is easy to see that ∼ is an equivalence relationship. Therefore, it defines a partition of Λ:
1) Depending on the values of a_i − b_i mod 2, there are 2^N sets in this partition.
2) The sub-lattice 2Λ is one set in the partition, whose members have even coordinates. The remaining 2^N − 1 sets are its cosets.

Let C_i denote any one of these cosets or 2Λ itself. Then C_i can be expressed as C_i = 2Λ + y_i, y_i ∈ Λ. It is easy to verify that {A_x = x + 2V, x ∈ C_i} is a partition of R^N + y_i, which equals R^N.

We proceed to use the two partitions derived above: Since {C_i, i = 1...2^N} is a partition of Λ, (2) can be solved by considering the following 2^N equations:

(t_A + t_B) mod Λ = t_A + t_B + x, x ∈ C_i   (3)

From (1), this means (t_A + t_B) mod Λ ∈ x + 2V for some x ∈ C_i. Since {x + 2V, x ∈ C_i} is a partition of R^N, there is at most one x ∈ C_i that meets this requirement. This implies that, for a given (t_A + t_B) mod Λ and a given coset C_i, (3) has at most one solution for x. Since there are 2^N such equations, (2) has at most 2^N solutions. Hence each (t_A + t_B) mod Λ corresponds to at most 2^N points t_A + t_B. Remark 1:
Theorem 1 implies that the modulus operation loses at most one bit of information per dimension if t_A, t_B ∈ V.

The following crypto lemma is useful and is provided here for completeness. Lemma 1: [15] Let t_A, t_B be two independent random variables distributed over a compact abelian group, where t_B has a uniform distribution. Then t_A + t_B is independent from t_A. Here + is the addition defined over the group.

In the remainder of the paper, (Λ, Λ_c) denotes a nested lattice structure, where Λ_c ⊂ Λ is the coarse lattice. Let V_f and V be their respective fundamental regions. We shall use a ⊕ b as shorthand for (a + b) mod Λ_c. Then from Lemma 1, we have the following corollary: Corollary 1:
Let t_A ∈ Λ ∩ V, and let t_B ∈ Λ ∩ V be uniformly distributed over Λ ∩ V. Let t_S = t_A ⊕ t_B. Then t_S is independent from t_A.

III. WIRETAP CHANNEL WITH A COOPERATIVE JAMMER
In this section, we demonstrate the use of lattice codes for secrecy in the simple model depicted in Figure 1. Nodes S, D, E form a wiretap channel, where S is the source node, D is the destination node, and E is the eavesdropper.

Fig. 1. Wiretap Channel with a Cooperative Jammer, CJ

Let the average power constraint of node S be P. Now suppose that there is another transmitter CJ in the system, also with power constraint P, as shown in Figure 1. We assume that the interference caused by CJ at node D is either too weak or too strong, so that it can be ignored or removed, and consequently there is no link between CJ and D. In this model, node CJ may choose to help S by transmitting a jamming signal to confuse the eavesdropper E. Below, we derive the secrecy rate for this case when the jamming signal is chosen from a lattice codebook.

A. Gaussian Noise
We first consider the case where Z_1 and Z_2, the channel noises at nodes D and E, are independent Gaussian random variables with zero mean and unit variance. In this case, we have the following theorem: Theorem 2:
A secrecy rate of [C(P) − 1]⁺ is achievable. Proof:
The codebook is constructed as follows: Let (Λ, Λ_c) be a properly designed nested lattice structure in R^N, as described in [17]. The codebook is the set of all lattice points within Λ ∩ V.

Let t_A^N be the lattice point transmitted by node S. Let d_A^N be the dithering noise, uniformly distributed over V. The transmitted signal is given by t_A^N ⊕ d_A^N. The receiver receives the above signal corrupted by Gaussian noise and tries to decode t_A^N. Let the decoding result be t̂_A^N. Then, as shown in [17, Theorem 5], there exists a sequence of properly designed (Λ, Λ_c) with increasing dimension such that

lim_{N→∞} (1/N) log |Λ ∩ V| < C(P)   (4)
C(P) = (1/2) log(1 + P)   (5)

and lim_{N→∞} Pr(t_A^N ≠ t̂_A^N) = 0.

The cooperative jammer CJ uses the same codebook as node S. Let the lattice point transmitted by CJ be t_B^N and the dithering noise be d_B^N. The transmitted signal is given by t_B^N ⊕ d_B^N. As in [17], we assume that d_A^N is known by node S, the legitimate receiver node D and the eavesdropper node E. d_B^N is known by node S and the eavesdropper node E. Hence, there is no common randomness between the legitimate communicating pair that is not known by the eavesdropper. Then the signal received by the eavesdropper can be represented as t_A^N ⊕ d_A^N + t_B^N ⊕ d_B^N + Z^N, where Z^N is the Gaussian channel noise over N channel uses.
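Before bounding the equivocation, the two ingredients of the derivation below can be checked numerically in a one-dimensional toy model: by the crypto lemma, the group sum t_A ⊕ t_B reveals nothing about t_A, while by Theorem 1 the real sum t_A + t_B reveals at most one extra bit per dimension. Below is a minimal sketch in Python, using the nested pair (Z, qZ) so that the codebook Λ ∩ V is simply Z_q; the variable names are ours, not the paper's:

```python
import math
from collections import Counter

q = 8  # codebook: fine lattice Z intersected with [0, q), i.e. Z_q

def entropy(dist):
    """Shannon entropy in bits of a probability Counter."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

# t_A, t_B independent and uniform over {0, ..., q-1}
pairs = [(a, b) for a in range(q) for b in range(q)]

# Group addition (what a modulus-Λ eavesdropper would see): S0 = t_A ⊕ t_B.
# Given t_A = a, S0 is a bijection of t_B, so H(S0 | t_A) = log2(q).
p_mod = Counter()
for a, b in pairs:
    p_mod[(a + b) % q] += 1 / q**2
leak_mod = entropy(p_mod) - math.log2(q)   # I(t_A; S0)

# Real addition (the Gaussian eavesdropper's sum): S1 = t_A + t_B over Z.
# Given t_A = a, S1 = a + t_B, so again H(S1 | t_A) = log2(q).
p_real = Counter()
for a, b in pairs:
    p_real[a + b] += 1 / q**2
leak_real = entropy(p_real) - math.log2(q)  # I(t_A; S1)

# Representation theorem with N = 1: every value of S1 mod q has at most
# 2 = 2^N preimages among the feasible real sums {0, ..., 2q-2}.
preimages = Counter(s % q for s in range(2 * q - 1))

print(leak_mod, leak_real, max(preimages.values()))
```

In this toy model the modular sum leaks zero bits while the real sum leaks a strictly positive amount that stays below one bit, consistent with Remark 1.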
Then we have

H(t_A^N | t_A^N ⊕ d_A^N + t_B^N ⊕ d_B^N + Z^N, d_A^N, d_B^N)   (6)
≥ H(t_A^N | t_A^N ⊕ d_A^N + t_B^N ⊕ d_B^N + Z^N, d_A^N, d_B^N, Z^N)   (7)
= H(t_A^N | t_A^N ⊕ d_A^N + t_B^N ⊕ d_B^N, d_A^N, d_B^N)   (8)
= H(t_A^N | t_A^N ⊕ d_A^N ⊕ t_B^N ⊕ d_B^N, d_A^N, d_B^N, T)   (9)
= H(t_A^N | t_A^N ⊕ t_B^N, d_A^N, d_B^N, T)   (10)
= H(t_A^N | t_A^N ⊕ t_B^N, T)   (11)
= H(T | t_A^N ⊕ t_B^N, t_A^N) + H(t_A^N | t_A^N ⊕ t_B^N) − H(T | t_A^N ⊕ t_B^N)   (12)
≥ H(t_A^N | t_A^N ⊕ t_B^N) − H(T | t_A^N ⊕ t_B^N)   (13)
= H(t_A^N) − H(T | t_A^N ⊕ t_B^N)   (14)
≥ H(t_A^N) − H(T)   (15)

In (9), we introduce the N-bit random variable T from Theorem 1, which recovers t_A^N ⊕ d_A^N + t_B^N ⊕ d_B^N from t_A^N ⊕ d_A^N ⊕ t_B^N ⊕ d_B^N. In (14), we use the fact that t_A^N is independent from t_A^N ⊕ t_B^N, based on Corollary 1.

Let c = (1/N) I(t_A^N; t_A^N ⊕ d_A^N + t_B^N ⊕ d_B^N + Z^N, d_A^N, d_B^N). Then from (15), since H(T) ≤ N, we have c ≤ 1. Therefore, if the message is mapped one-to-one to t_A^N, then an equivocation rate of at least C(P) − 1 is achievable under a transmission rate of C(P) bits per channel use.

We note that to obtain perfect secrecy, some additional effort is required. First, we define a block of channel uses as the N channel uses required to transmit an N-dimensional lattice point. A perfect secrecy rate of C(P) − 1 can then be achieved by coding across multiple blocks: A codeword in this case is composed of Q components, each component being an N-dimensional lattice point sampled from a uniform distribution over V ∩ Λ in an i.i.d. fashion. The resulting codebook C contains 2^⌊NQR⌋ codewords, with R < C(P). As with wiretap codes, the codebook is then randomly binned into several bins, where each bin contains 2^⌊NQc⌋ codewords. The secret message W is mapped to the bins.
The actual transmitted codeword is chosen from that bin according to a uniform distribution.

Let Y_e^{NQ} denote the signals available to the eavesdropper: Y_e^{NQ} = {t_A^{NQ} ⊕ d_A^{NQ} + t_B^{NQ} ⊕ d_B^{NQ} + Z^{NQ}, d_A^{NQ}, d_B^{NQ}}. Then we have

H(W | Y_e^{NQ}, C)
= H(W | t_A^{NQ}, Y_e^{NQ}, C) + H(t_A^{NQ} | Y_e^{NQ}, C) − H(t_A^{NQ} | W, Y_e^{NQ}, C)   (16)
≥ H(t_A^{NQ} | Y_e^{NQ}, C) − NQε_1   (17)
= H(t_A^{NQ} | Y_e^{NQ}, C) − H(t_A^{NQ} | C) + H(t_A^{NQ} | C) − NQε_1   (18)
= H(t_A^{NQ} | C) − I(t_A^{NQ}; Y_e^{NQ} | C) − NQε_1   (19)
≥ H(t_A^{NQ} | C) − Σ_{q=1}^Q I(t_A^N; Y_e^N | C) − NQε_1   (20)
= H(t_A^{NQ} | C) − QNc − NQε_1 = QN(R − c) − NQε_1   (21)

In (17), we use Fano's inequality to bound the last term in (16). This is because the size of each bin is kept small enough that, given W, the eavesdropper can determine t_A^{NQ} from its received signal Y_e^{NQ}. Using the standard random coding argument and (21), it can then be shown that a secrecy rate of C(P) − c is achievable. Since c ≤ 1, this means a secrecy rate of at least C(P) − 1 bits per channel use is achievable. Remark 2:
It is interesting to compare the secrecy rate obtained here with that obtained by cooperative jamming with Gaussian noise [20]. The latter is given by C(P) − C(P/(P+1)). Since lim_{P→∞} C(P/(P+1)) = 0.5, there is at most 0.5 bit per channel use of loss in secrecy rate at high SNR from using a structured codebook for the jamming signal.

B. Non-Gaussian Noise
The performance analysis in [17] requires Gaussian noise. This is not always the case, for example, in the presence of interference, which is not necessarily Gaussian. For non-Gaussian noise, in principle, the analysis in [16] can be used instead. On the other hand, in [16], a sphere is used as the shaping set, making it difficult to compute the equivocation rate via Theorem 1. We show below that, if the code rate R has the form log t, t ∈ Z⁺, then a scaled lattice tΛ of the fine lattice Λ can be used for shaping instead. Theorem 3: If Z_1, Z_2 are i.i.d. continuous random variables with differential entropy h(E) = (1/2) log(2πe), then a secrecy rate of [log⌊√P⌋ − 1]⁺ is achievable. Proof:
We need to show that there exists a fine lattice Λ that has good decoding performance [16, Theorem 6], and whose fundamental region is close to a sphere in the sense that

lim_{N→∞} h(S) = (1/2) log(2πeP′)   (22)

where h(S) = (1/N) log |V|, |V| is the volume of the fundamental region of Λ, and P′ = (1/(N|V|)) ∫_{x∈V} ‖x‖² dx. It is shown in [21] that when a lattice is sampled from the lattice ensemble defined therein, it is close to a sphere in the sense of (22). This lattice ensemble is generally called Construction A [16], whose generator matrices are all matrices of size K × N over the finite field GF(q), with q being a prime. A lattice sampled from the ensemble is "good" with high probability when q, N → ∞ and K grows faster than log N [21, (25)-(28)]. Note that this property of "goodness" is invariant under scaling. Therefore, we can scale the lattice so that the volume of its fundamental region remains fixed as its dimension N → ∞. This gives us a sequence of lattice ensembles that meet the conditions of [13, Lemma 1]: (1) N → ∞; (2) q → ∞; (3) each lattice ensemble of a given dimension is balanced [16]. This means that when N → ∞, at least 3/4 of the lattice ensemble is good for channel coding [13, Lemma 1]. The lattice decoder will have a positive decoding error exponent as long as |V| > 2^{Nh(E)}. Combined, this means there must exist a lattice Λ* that is close to a sphere and is a good channel code at the same time. Hence we have (1/N) log |V| → (1/2) log(2πeP′) as N → ∞. Since we assume h(E) = (1/2) log(2πe) and require |V| > 2^{Nh(E)}, this means that as long as P′ > 1, the decoding error will decrease exponentially as N → ∞.

Now pick the shaping set to be the fundamental region of tΛ*, t ∈ Z⁺. Then the code rate is R = log(t) [17]. With the dithering and modulus operation from [17], the average power of the transmitted signal per dimension is t²P′. Note that the modulus operation at the destination, required in order to remove the dithering noise, may distort the additive channel noise.
However, the decoding error event, defined as the noise pushing a lattice codeword into the set of typical noise sequences centered on a different lattice point [16], remains identical. Therefore, the decoding error exponent is the same. Hence we require P′ > 1 and t²P′ ≤ P. The largest possible t is ⌊√P⌋, with the rate being log(⌊√P⌋). With arguments similar to those in Theorem 2, we conclude that a secrecy rate of [log(⌊√P⌋) − 1]⁺ is achievable.

IV. MULTI-HOP LINE NETWORK WITH UNTRUSTED RELAYS
A. System Model
In this section, we examine a more complicated communication scenario, as shown in Figure 2. The source has to communicate over K − 1 hops (K ≥ 3) to reach the destination. Yet the intermediate relaying nodes are untrusted and need to be prevented from decoding the source information. Under this model, we will show that, using Theorem 1, with lattice codes for the source transmission and the jamming signals, and an appropriate transmission schedule, an end-to-end secrecy rate that is independent of the number of untrusted relay nodes is achievable. We assume nodes cannot receive and transmit signals simultaneously. We assume that each node can only communicate with its two neighbors, one on each side. Let Y_i and X_i be the received and transmitted signals of the i-th node, respectively. Then they are related as Y_i = X_{i−1} + X_{i+1} + Z_i, where the Z_i are zero mean Gaussian random variables with unit variance, and are independent from each other. Each node has
Fig. 2. A Line Network with 3 Untrusted Relays

the same average power constraint: (1/n) Σ_{k=1}^n E[X_i(k)²] ≤ P̄, where n is the total number of channel uses. The channel gains are normalized for simplicity. We consider the case where there is an eavesdropper residing at each relay node and these eavesdroppers are not cooperating. This also addresses the scenario where there is one eavesdropper, but the eavesdropper may appear at any one relay node that is unknown a priori. In either case, we need secrecy from all relays, and the secrecy constraints for the K − 2 relay nodes are expressed as lim_{n→∞} (1/n) H(W | Y_i^n) = lim_{n→∞} (1/n) H(W), i = 2...K−1.

B. Signaling Scheme
Because all nodes are half duplex, a schedule is necessary to control when a node should talk. The node schedule is best represented by the directed acyclic graph shown in Figure 3. The columns in Figure 3 indicate the nodes and the rows indicate the phases. The length of a phase is the number of channel uses required to transmit a lattice point, which equals the dimension of the lattice. A node in a row has an outgoing edge if it transmits during that phase. The node in that row has an incoming edge if it can hear signals during the previous phase. It is understood, though not shown in the figure, that the signal received by a node is the superposition of the signals over all incoming edges, corrupted by the additive Gaussian noise. A number of consecutive phases is called one block, as shown in Figure 3. The boundary of a block is shown by the dotted line in Figure 3. The data transmission is carried out over M blocks.

Fig. 3. One Block of Channel Uses
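As an illustration, one schedule consistent with the half-duplex and neighbor-only constraints is the alternating pattern below, in which odd-indexed nodes transmit in odd phases and even-indexed nodes in even phases. This is a sketch of the idea under our own simplifying assumptions, not the exact schedule of Figure 3 (which also handles block boundaries); all names are ours:

```python
K = 5            # nodes 1..K in a line: source, three relays, destination
PHASES = 6       # phases within one block

# transmit[p][i] is True if node i+1 transmits during phase p+1
transmit = [[(i % 2) == (p % 2) for i in range(1, K + 1)]
            for p in range(1, PHASES + 1)]

for p in range(PHASES):
    for i in range(K):
        if not transmit[p][i]:
            # A silent node listens; its neighbors (if any) are all
            # transmitting, so it hears a superposition of their signals,
            # as required by the relaying scheme.
            neighbors = [j for j in (i - 1, i + 1) if 0 <= j < K]
            assert all(transmit[p][j] for j in neighbors)
        # Half duplex: a node transmitting in phase p was silent in the
        # previous phase, so it could listen then.
        if p > 0 and transmit[p][i]:
            assert not transmit[p - 1][i]

print("alternating schedule is half-duplex consistent")
```

Under this pattern every interior node alternates between hearing the sum of its two neighbors and transmitting its own jamming or relaying signal.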
Again, the nested lattice code (Λ, Λ_c) from [10] is used within each block. The codebook is constructed in the same fashion as in Section III.
1) The Source Node:
The input to the channel by the source has the form t^N ⊕ J^N ⊕ d^N. Here d^N is the dithering noise, which is uniformly distributed over V. t^N and J^N are determined as follows: If it is the first time the source node transmits during this block, t^N is the origin, and J^N is picked from the lattice points in Λ ∩ V under a uniform distribution. Otherwise, t^N is picked by the encoder, and J^N is the lattice point decoded from the jamming signal the source received during the previous phase. This design is not essential, but it brings some uniformity to the form of the received signals and simplifies the explanation.
2) The Relay Node:
As this signal propagates toward the destination, each relay node, when it is its turn, sends a jamming signal of the form (t_k^N + d_k^N) mod Λ_c, k = 2...K−1, where K is the number of nodes. The subscript k denotes the index of the node which transmits this signal. If this is the first time the relay transmits during this block, then t_k^N is drawn from a uniform distribution over Λ ∩ V, and all previously received signals are ignored. Otherwise, t_k^N is computed from the signal it received during the previous phase, as will be clarified in the sequel. d_k^N again is the dithering noise, uniformly distributed over V.

The signal received by a relay within a block can be categorized into the following three cases. Let z^N denote the Gaussian channel noise.
1) If this is the first time the relay receives signals during this block, then it has the form (t_A^N ⊕ d_A^N) + z^N. It only contains interference from its left neighbor.
2) If this is the last time the relay receives signals during this block, then it has the form (t_B^N ⊕ d_B^N) + z^N. It only contains interference from its right neighbor.
3) Otherwise it has the form y_k^N = (t_A^N ⊕ d_A^N) + (t_B^N ⊕ d_B^N) + z^N.

Here t_A^N, t_B^N are lattice points, and d_A^N, d_B^N are dithering noises. Following reference [10], if the lattice is properly designed and the cardinality of the set Λ ∩ V is properly chosen, then for case (3), the relay, with the knowledge of d_A^N, d_B^N, will be able to decode t_A^N ⊕ t_B^N. For cases (1) and (2), the relay will be able to decode t_A^N and t_B^N, respectively. Otherwise, we say that a decoding error has occurred at the relay node.

The transmitted signal at the relay node is then computed as follows:

x^N = t_A^N ⊕ t_B^N ⊕ (−x′^N) ⊕ d_C^N   (23)

Here x′^N is the lattice point contained in the jamming signal transmitted by this relay node during the previous phase, and − is the inverse operation defined over the group V ∩ Λ.
t_A^N ⊕ t_B^N is decoded from the signal the relay received during the previous phase. In Figure 3, we have labeled the lattice points transmitted over some edges. For clarity, we omitted the superscript N. The + signs in the figure are all modulus operations. The reason why we have (−x′^N) in (23) is now apparent: it leads to a simple expression for the signal as it propagates from the relay to the destination.
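The propagation just described can be sketched end to end in a toy model: Z_q stands in for the group (Λ ∩ V, ⊕), real addition models the multiple-access channel, noise is omitted so that decoding is exact, and the schedule is collapsed to a single exchange so that the (−x′^N) correction term is not needed. All names are ours:

```python
import random

q = 16                      # Z_q stands in for the codebook Λ ∩ V under ⊕
random.seed(0)

def oplus(*xs):             # group addition, i.e. ⊕ (the mod-Λ_c sum)
    return sum(xs) % q

t   = random.randrange(q)   # secret lattice point chosen by the source S
J   = random.randrange(q)   # jamming point chosen by the destination D
d_S = random.randrange(q)   # public dither of S
d_D = random.randrange(q)   # public dither of D
d_R = random.randrange(q)   # public dither of the untrusted relay R

# Phase 1: S and D transmit simultaneously; R observes the REAL sum of
# the two group-valued signals (the multiple-access channel).
y_R = oplus(t, d_S) + oplus(J, d_D)

# R decodes the modular sum (by Theorem 1 the real sum carries at most
# one extra bit beyond y_R mod q) and removes the known dithers.
s = (y_R - d_S - d_D) % q
assert s == oplus(t, J)

# Phase 2: R forwards x = s ⊕ d_R; D strips the dither and its own J.
x = oplus(s, d_R)
t_hat = oplus(x, -d_R, -J)
assert t_hat == t

# Secrecy at R: for fixed t, as J sweeps Z_q uniformly, s = t ⊕ J is
# uniform and hence independent of t (Corollary 1).
assert sorted(oplus(t, j) for j in range(q)) == list(range(q))
```

The (−x′^N) term in (23) plays the bookkeeping role that keeps this telescoping clean when a relay transmits more than once per block.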
3) The Destination:
As shown in Figure 3, the destination behaves identically to a relay node when it computes its jamming signal. It is also clear from Figure 3 that the destination will be able to decode the data from the source. This is because the lattice point contained in the signal received by the destination has the form t^N ⊕ J^N, where t^N is the lattice point determined by the transmitted data, and J^N is the lattice point in the jamming signal known by the destination.

C. A Lower Bound to the Secrecy Rate
Suppose the source transmits Q + 1 times within a block. Then each relay node receives Q + 2 batches of signals within the block. An example with Q = 2 is shown in Figure 3. Given the inputs from the source for the current block, the signals received by the relay node are independent from the signals it received during any other block. Therefore, if a block of channel uses is viewed as one meta-channel use, with the source input as the channel input and the signal received by the relay as the channel output, then the effective channel is memoryless.

Fig. 4. Notation for Lattice Points contained in Signals, Q = 2

Each relay node has the following side information regarding the source inputs within one block:
1) The Q + 2 batches of received signals.
2) All the dithering noises {d_i}.
3) The signals transmitted by the relay node during this block. Note that only the first batch of signals it transmitted may provide information, because all subsequent transmitted signals are computed from received signals and dithering noises.

Let W be the secret message transmitted over M blocks. Following the notation in Figure 4, the equivocation with respect to the relay node is given by:

H = (1/NM) H(W | (x_{A1}^{NM} ⊕ d_{α1}^{NM}) + z_1^{NM}, d_{α1}^{NM},
  (x_{Ai}^{NM} ⊕ d_{αi}^{NM}) + (t_{D(i−1)}^{NM} ⊕ d_{β(i−1)}^{NM}) + z_i^{NM}, d_{αi}^{NM}, d_{β(i−1)}^{NM}, i = 2...Q+1,
  (t_{D(Q+1)}^{NM} ⊕ d_{β(Q+1)}^{NM}) + z_{Q+2}^{NM}, d_{β(Q+1)}^{NM}, t_B^{NM}, d_b^{NM})   (24)

Define the block error probability as

P̄_e = Pr(∃ i ∈ {2,...,Q+1} s.t. x_{Ai}^N is in error, or t_{D(i−1)}^N is in error, or t_{D(Q+1)}^N is in error)   (25)

where x_{Ai}^N is the part of x_{Ai}^{NM} that falls within one block. Similar notation is used for t_{D(i−1)}^N and t_{D(Q+1)}^N. Given the signaling scheme presented in Section IV-B and [17, Theorem 2], the probability of decoding error at each relay node goes to zero as N → ∞. Let P_e(i, k) be the probability of decoding error at relay node i during phase k. Then P̄_e is related to P_e(i, k) as P̄_e ≤ 1 − Π_{i,k} (1 − P_e(i, k)), where the product runs over the indices of all relay nodes and of all phases in this block.

For any given block length Q, we have lim_{N→∞} P̄_e = 0. Note that P̄_e is just a function of N and Q. Because there are only a finite number of relay nodes, this convergence is uniform over all relay nodes.

Let the equivocation under error-free decoding be

H̄ = (1/NM) H(W | (x_{A1}^{NM} ⊕ d_{α1}^{NM}) + z_1^{NM}, d_{α1}^{NM},
  (x̄_{Ai}^{NM} ⊕ d_{αi}^{NM}) + (t̄_{D(i−1)}^{NM} ⊕ d_{β(i−1)}^{NM}) + z_i^{NM}, d_{αi}^{NM}, d_{β(i−1)}^{NM}, i = 2...Q+1,
  (t̄_{D(Q+1)}^{NM} ⊕ d_{β(Q+1)}^{NM}) + z_{Q+2}^{NM}, d_{β(Q+1)}^{NM}, t_B^{NM}, d_b^{NM})   (26)

where x̄_{Ai}^{NM} equals the value x_{Ai}^{NM} takes under error-free decoding. t̄_{D(i−1)}^{NM} and t̄_{D(Q+1)}^{NM} are defined in a similar fashion. Then we have the following lemma: Lemma 2:
For a given Q, H̄ + ε ≥ H ≥ H̄ − ε, where ε → 0 as N, M → ∞. Proof:
Let c j , ˆ c j denote the part of signals received bythe relay node within the j th block. More specifically, theyhave the following form: ˆ c j = { ( x NAi ( j ) ⊕ d Nαi ( j ))+( t ND ( i − ( j ) ⊕ d Nβ ( i − ( j )) + z Ni ( j ) , i = 2 ...Q + 1 } (27) c j = { (¯ x NAi ( j ) ⊕ d Nαi ( j ))+(¯ t ND ( i − ( j ) ⊕ d Nβ ( i − ( j )) + z Ni ( j ) , i = 2 ...Q + 1 } (28)In this notation, we exclude the first and the last batch ofreceived signals. The first batch of received signals doesnot undergo any decoding operation. For the last batch ofreceived signals we have the following notation: ˆ f j = ( t ND ( Q +1) ( j ) ⊕ d Nβ ( Q +1) ( j )) + z NQ +1 ( j ) (29) f j = (¯ t ND ( Q +1) ( j ) ⊕ d Nβ ( Q +1) ( j )) + z NQ +1 ( j ) (30)The block index ( j ) will be omitted in the following discus-sion for clarity.We first prove that c j − ˆ c j is a discrete random variablewith a finite support. According to the notation of (28), c j − ˆ c j has Q components. Each component can be expressed as (cid:0) ¯ x NAi ⊕ d Nαi (cid:1) − (cid:0) x NAi ⊕ d Nαi (cid:1) +(¯ t ND ( i − ⊕ d Nβ ( i − ) − ( t ND ( i − ⊕ d Nβ ( i − ) (31)For the first line of (31) we have (cid:0) ¯ x NAi ⊕ d Nαi (cid:1) − (cid:0) x NAi ⊕ d Nαi (cid:1) (32) =¯ x NAi + d Nαi + x N − (cid:0) x NAi + d Nαi + x N (cid:1) (33) =¯ x NAi − x NAi + x N − x N (34)where x N , x N belong to the coarse lattice Λ . ApplyingTheorem 1, we note that x N and x N each has at most N possible solutions. ¯ x NAi and x NAi each take kV ∩ Λ k possiblevalues. Let R = N log kV ∩ Λ k . Then (32) takes at most N ( R +1) possible values. Similarly, we can prove that thesecond line of (31) has at most N ( R +1) possible values aswell. Therefore c j − ˆ c j takes at most NQ ( R +1) possiblevalues. Therefore H (cid:0) c j − ˆ c j (cid:1) ≤ N Q ( R + 1) . 
Similarly, itan be shown that f − ˆ f has at most N ( R + 1) solutions.This means that H ( c j − ˆ c j , f j − ˆ f j ) ≤ (4 Q + 2) N ( R + 1) (35)Let c = { c j } , ˆ c = { ˆ c j } , f = { f j } and ˆ f = { ˆ f j } j = 1 ...M .Let b denote the remaining conditioning terms in H . Let E j denote the random variable c j = ˆ c j or f j = ˆ f j . Then withprobability ¯ P e that E j = 1 . Otherwise E j = 0 . Let W bethe message transmitted over the M blocks. Then we have H ( W | b, ˆ c, ˆ f ) ≥ H ( W | b, c, ˆ c, f, ˆ f ) (36) = H ( W | b, c, f, c − ˆ c, f − ˆ f ) (37) = H ( W | b, c, f ) + H ( c − ˆ c, f − ˆ f | W, b, c, f ) − H ( c − ˆ c, f − ˆ f | b, c, f ) (38) ≥ H ( W | b, c, f ) − H ( c − ˆ c, f − ˆ f ) (39) ≥ H ( W | b, c, f ) − M X j =1 H ( c j − ˆ c j , f j − ˆ f j ) (40) = H ( W | b, c, f ) − M X j =1 H ( c j − ˆ c j , f j − ˆ f j , E j ) (41) ≥ H ( W | b, c, f ) − M X j =1 H ( E j ) − M X j =1 Pr( E j = 1) H ( c j − ˆ c j , f j − ˆ f j ) (42) ≥ H ( W | b, c, f ) − M − M ¯ P e (4 Q + 2) N ( R + 1) (43)By dividing N M on both sides and letting
$N, M \to \infty$, with $\varepsilon = 1/N + \bar{P}_e(4Q+2)(R+1)$, we get $H \ge \bar{H} - \varepsilon$. Similarly we can prove $\bar{H} \ge H - \varepsilon$.

Remark 3:
Lemma 2 states that if a particular equivocation value is achievable with respect to one relay node when all the other relay nodes perform error-free decoding, then the same equivocation value is achievable when the other relay nodes perform decode-and-forward, which is error-free only in an asymptotic sense.
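The indicator-variable step in (41)-(43), where the full entropy of the difference terms is charged only against the decoding-error probability, can be illustrated numerically. The sketch below uses illustrative values only: $X$ stands in for a difference such as $c_j - \hat{c}_j$, which is zero unless a decoding error ($E = 1$) occurs.

```python
import math
import random
from collections import Counter

random.seed(0)

def entropy_bits(counts):
    """Shannon entropy (bits) of an empirical distribution."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

# Toy stand-in for (41)-(43): with probability p_e a "decoding error" occurs
# (E = 1) and X takes some value in a support of size 2^k; otherwise X = 0.
p_e, k, n = 0.05, 3, 200_000
samples = [random.randrange(1, 2 ** k) if random.random() < p_e else 0
           for _ in range(n)]

h_x = entropy_bits(Counter(samples))
# E is a function of X (E = 1 iff X != 0), so
#   H(X) = H(X, E) = H(E) + Pr(E = 1) * H(X | E = 1) <= 1 + p_e * k,
# mirroring how (43) pays H(E_j) <= 1 bit plus the support bound
# only weighted by the error probability.
bound = 1.0 + p_e * k
print(h_x, "<=", bound)
assert h_x <= bound
```

As $\bar{P}_e \to 0$, the second term vanishes, which is exactly why the asymptotically error-free case inherits the error-free equivocation in Lemma 2.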
Lemma 3: $\bar{H}$ is the same for all relay nodes. Proof:
The lemma follows because the relay nodes receive statistically equivalent signals when there are no decoding errors. For the $k$th relay node, as shown by the edge labels in Figure 3, the conditioning terms of $\bar{H}$ in (26) are related to $t^{NM}_j$ as follows:
$$\bar{x}^{NM}_{A2} = J^{NM}_{k-2} \quad (44)$$
$$\bar{x}^{NM}_{A3} = t^{NM}_{1} \oplus J^{NM}_{k-1} \quad (45)$$
$$\bar{x}^{NM}_{A4} = t^{NM}_{1} \oplus t^{NM}_{2} \oplus J^{NM}_{k} \quad (46)$$
$$\vdots$$
$$\bar{x}^{NM}_{A(Q+1)} = t^{NM}_{1} \oplus t^{NM}_{2} \oplus \cdots \oplus t^{NM}_{Q-1} \oplus J^{NM}_{k+Q-3} \quad (47)$$
$$\bar{t}^{NM}_{D2} = J^{NM}_{k} \quad (48)$$
$$\bar{t}^{NM}_{D3} = t^{NM}_{1} \oplus J^{NM}_{k+1} \quad (49)$$
$$\bar{t}^{NM}_{D4} = t^{NM}_{1} \oplus t^{NM}_{2} \oplus J^{NM}_{k+2} \quad (50)$$
$$\vdots$$
$$\bar{t}^{NM}_{D(Q+1)} = t^{NM}_{1} \oplus t^{NM}_{2} \oplus \cdots \oplus t^{NM}_{Q-1} \oplus J^{NM}_{k+Q-1} \quad (51)$$
$$t^{NM}_{B} = J^{NM}_{k-1} \quad (52)$$
Given the lattice points $t^{NM}_j$ transmitted by the source, the joint distribution of the side information is therefore the same for every relay node. Hence we have the lemma.

With these preparations, we are now ready to present the following achievable rate.
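The statistical equivalence behind Lemma 3 can be illustrated with a small simulation. The sketch below is a toy stand-in, not the paper's scheme: mod-$q$ integer addition replaces $\oplus$ over $\mathcal{V} \cap \Lambda_1$, and the jamming index pattern is simplified. The point it demonstrates is that because every observation available to a relay is masked by a fresh, independent, uniformly distributed jamming point $J$, the joint law of the side information is identical at every relay.

```python
import random
from collections import Counter

random.seed(1)
q, Q, trials = 8, 4, 100_000   # mod-q addition stands in for ⊕ over V ∩ L1

t = [random.randrange(q) for _ in range(Q)]   # fixed source lattice points

def relay_view(k):
    """Toy side information of relay k, mimicking (44)-(51): each term is a
    partial sum of the t's masked by a fresh uniform jamming point.  The
    relay index k only relabels *which* independent uniform J masks each
    term, so it does not change the joint distribution."""
    return tuple((sum(t[:i]) + random.randrange(q)) % q for i in range(Q))

# Empirical distributions of the observations at two different relays.
dist_a = Counter(relay_view(1) for _ in range(trials))
dist_b = Counter(relay_view(3) for _ in range(trials))

# Both relays see i.i.d. uniform tuples, so the empirical laws agree
# up to sampling noise.
gap = max(abs(dist_a[v] - dist_b[v]) for v in set(dist_a) | set(dist_b))
print(gap / trials)
assert gap / trials < 0.01
```

This is the discrete analogue of Lemma 1's one-time-pad property: a uniform mask over the group makes the observation independent of the summands it covers.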
Theorem 4:
For any $\varepsilon > 0$, a secrecy rate of at least $0.5\left(C(2\bar{P}) - 1.5\right) - \varepsilon$ bits per channel use is achievable regardless of the number of hops. Proof:
According to Lemma 3, it suffices to design the coding scheme based on one relay node. We focus on one block of channel uses as shown in Figure 3. Let $V(j)$ denote all the side information available to the relay node within the $j$th block. We start by lower bounding $H(t^{NQ} \mid V(j))$ under ideal error-free decoding, where $t^{NQ}$ denotes the lattice points picked by the encoder at the source node within this block, as described in Section IV-B. $H(t^{NQ} \mid V(j))$ equals
$$H\!\left(t^{NQ} \,\middle|\, \left(\bar{x}^N_{Ai} \oplus d^N_{\alpha i}\right) + \left(\bar{t}^N_{D(i-1)} \oplus d^N_{\beta(i-1)}\right) + z^N_i,\ d^N_{\alpha i}, d^N_{\beta(i-1)},\ i = 2,\ldots,Q+1,\ t^N_B, d^N_b\right) \quad (53)$$
Comparing (53) with the conditioning terms in (26), we see that we have removed the first and the last batch of received signals during a block from the conditioning terms, because they are independent of everything else. The last batch of received signals contains the lattice point of the most recent jamming signal observable by the relay node; its independence follows from Lemma 1.

We then assume that the eavesdropper residing at the relay node knows the channel noise. This means (53) can be lower bounded by
$$H\!\left(t^{NQ} \,\middle|\, \left(\bar{x}^N_{Ai} \oplus d^N_{\alpha i}\right) + \left(\bar{t}^N_{D(i-1)} \oplus d^N_{\beta(i-1)}\right),\ d^N_{\alpha i}, d^N_{\beta(i-1)},\ i = 2,\ldots,Q+1,\ t^N_B, d^N_b\right) \quad (54)$$
Next, we invoke Theorem 1. Equation (54) can be lower bounded by
$$H\!\left(t^{NQ} \,\middle|\, \bar{x}^N_{Ai} \oplus d^N_{\alpha i} \oplus \bar{t}^N_{D(i-1)} \oplus d^N_{\beta(i-1)},\ T_i,\ d^N_{\alpha i}, d^N_{\beta(i-1)},\ i = 2,\ldots,Q+1,\ t^N_B, d^N_b\right) \quad (55)$$
where $T_i$ can be represented with $N$ bits. Using an argument similar to that in (9)-(13), (55) is lower bounded by
$$H\!\left(t^{NQ} \,\middle|\, \bar{x}^N_{Ai} \oplus d^N_{\alpha i} \oplus \bar{t}^N_{D(i-1)} \oplus d^N_{\beta(i-1)},\ d^N_{\alpha i}, d^N_{\beta(i-1)},\ i = 2,\ldots,Q+1,\ t^N_B, d^N_b\right) - H(T_i,\ i = 2,\ldots,Q+1) \quad (56)$$
$$= H\!\left(t^{NQ} \,\middle|\, \bar{x}^N_{Ai} \oplus \bar{t}^N_{D(i-1)},\ i = 2,\ldots,Q+1,\ t^N_B\right) - H(T_i,\ i = 2,\ldots,Q+1) \quad (57)$$
It turns out that in the first term of (57), the conditioning variables are all independent of $t^{NQ}$. This is because $\bar{t}^N_{D(i-1)}$ contains $J^N_{k+i-3}$, which is a new lattice point not contained in any previous $\bar{t}^N_{D(j-1)}$ or $\bar{x}^N_{Aj}$, $j < i$.
The new lattice point is uniformly distributed over $\mathcal{V} \cap \Lambda_1$. Therefore, from Lemma 1, $\bar{x}^N_{Ai} \oplus \bar{t}^N_{D(i-1)}$ is independent of $t^{NQ}$. Therefore (57) equals
$$H(t^{NQ}) - H(T_i,\ i = 2,\ldots,Q+1) \quad (58)$$
Define
$$c = \frac{1}{NQ} I\!\left(t^{NQ}; V(j)\right) \quad (59)$$
Then from (58), we have $c \in [0, 1]$.

To achieve perfect secrecy, an argument of coding across different blocks similar to the one in Section III can be used. A codebook with rate $R$ and size $\lfloor 2^{MNQR} \rfloor$ that spans $M$ blocks is constructed as follows: each codeword is a length-$MQ$ sequence, and each component of the sequence is an $N$-dimensional lattice point sampled in an i.i.d. fashion from the uniform distribution over $\mathcal{V} \cap \Lambda_1$. The codebook is then randomly binned into several bins, each containing $\lfloor 2^{MNQc} \rfloor$ codewords, with $c$ given by (59). Denote the codebook by $\mathcal{C}$.

The transmitted codeword is determined as follows: consider a message set $\{W\}$ whose size equals the number of bins. The messages are mapped to the bins in a one-to-one fashion, and the actual transmitted codeword is selected from the bin according to a uniform distribution. Let this codeword be $u^{MNQ}$. Let $V = \{V(j),\ j = 1,\ldots,M\}$. Then we have
$$H(W \mid V, \mathcal{C}) \quad (60)$$
$$= H\!\left(W \mid u^{MNQ}, V, \mathcal{C}\right) + H\!\left(u^{MNQ} \mid V, \mathcal{C}\right) - H\!\left(u^{MNQ} \mid W, V, \mathcal{C}\right) \quad (61)$$
$$\ge H\!\left(u^{MNQ} \mid V, \mathcal{C}\right) - MNQ\varepsilon \quad (62)$$
$$= H\!\left(u^{MNQ} \mid \mathcal{C}\right) - I\!\left(u^{MNQ}; V \mid \mathcal{C}\right) - MNQ\varepsilon \quad (63)$$
$$\ge H\!\left(u^{MNQ} \mid \mathcal{C}\right) - \sum_{j=1}^{M} I\!\left(u^{MNQ}(j); V(j)\right) - MNQ\varepsilon \quad (64)$$
$$= H\!\left(u^{MNQ} \mid \mathcal{C}\right) - MNQc - MNQ\varepsilon \quad (65)$$
(62) follows from Fano's inequality, since the size of each bin is picked according to the rate of information leaked to the eavesdropper under the same input distribution used to sample the codebook. (64) follows from
$\mathcal{C} \to u^{MNQ} \to V$ being a Markov chain. Dividing (60) and (65) by $MNQ$ and letting $M \to \infty$, we have $\varepsilon \to 0$ and $\lim_{M\to\infty} \frac{1}{MNQ} H(W \mid V, \mathcal{C}) = \lim_{M\to\infty} \frac{1}{MNQ} H(W)$. Therefore a secrecy rate of $R - c$ bits per channel use is achieved. According to [10], $R$ can be arbitrarily close to $C(P) - 0.5$ by making $N \to \infty$, where $P$ is the average power per channel use spent transmitting a lattice point. A given node is active in $Q+1$ of the $2Q+3$ phases. Since $c \in [0, 1]$, a secrecy rate of $\frac{Q+1}{2Q+3}\left(C\left(\frac{2Q+3}{Q+1}\bar{P}\right) - 1.5\right)$ is then achievable by letting $M \to \infty$. Taking the limit $Q \to \infty$, we have the theorem.

V. CONCLUSION
Lattice codes were recently shown to be a useful tool for proving information theoretic results. In this work, we showed that lattice codes are also useful for proving secrecy results. This was done by showing that the equivocation rate can be bounded if the shaping set and the "fine" lattice form a nested lattice structure. With this new tool, we computed the secrecy rate for two models: (1) a wiretap channel with a cooperative jammer, and (2) a multi-hop line network with untrusted relays. For the second model, we showed that a coding scheme can be designed to support a non-vanishing secrecy rate regardless of the number of hops.

REFERENCES
[1] C. E. Shannon. Communication Theory of Secrecy Systems.
Bell System Technical Journal, 28(4):656–715, 1949.
[2] A. D. Wyner. The Wire-tap Channel. Bell System Technical Journal, 54(8):1355–1387, 1975.
[3] I. Csiszar and J. Korner. Broadcast Channels with Confidential Messages. IEEE Transactions on Information Theory, 24(3):339–348, 1978.
[4] S. Leung-Yan-Cheong and M. Hellman. The Gaussian Wire-tap Channel. IEEE Transactions on Information Theory, 24(4):451–456, 1978.
[5] A. Khisti and G. Wornell. Secure Transmission with Multiple Antennas: The MISOME Wiretap Channel. Submitted to IEEE Transactions on Information Theory, 2007.
[6] S. Shafiee, N. Liu, and S. Ulukus. Towards the Secrecy Capacity of the Gaussian MIMO Wire-tap Channel: The 2-2-1 Channel. Submitted to IEEE Transactions on Information Theory, 2007.
[7] F. Oggier and B. Hassibi. The Secrecy Capacity of the MIMO Wiretap Channel. IEEE International Symposium on Information Theory, 2008.
[8] E. Tekin and A. Yener. The Gaussian Multiple Access Wire-tap Channel. IEEE Transactions on Information Theory, 54(12):5747–5755, December 2008.
[9] B. Nazer and M. Gastpar. The Case for Structured Random Codes in Network Capacity Theorems. European Transactions on Telecommunications, Special Issue on New Directions in Information Theory, 19(4):455–474, 2008.
[10] K. Narayanan, M. P. Wilson, and A. Sprintson. Joint Physical Layer Coding and Network Coding for Bi-Directional Relaying. Allerton Conference on Communication, Control, and Computing, 2007.
[11] W. Nam, S.-Y. Chung, and Y. H. Lee. Capacity Bounds for Two-way Relay Channels. International Zurich Seminar on Communications, 2008.
[12] G. Bresler, A. Parekh, and D. Tse. The Approximate Capacity of the Many-to-one and One-to-many Gaussian Interference Channels. Allerton Conference on Communication, Control, and Computing, 2007.
[13] S. Sridharan, A. Jafarian, S. Vishwanath, and S. A. Jafar. Capacity of Symmetric K-User Gaussian Very Strong Interference Channels. IEEE Global Telecommunication Conference, November 2008.
[14] E. Tekin and A. Yener. Achievable Rates for Two-Way Wire-Tap Channels. International Symposium on Information Theory, June 2007.
[15] L. Lai, H. El Gamal, and H. V. Poor. The Wiretap Channel with Feedback: Encryption over the Channel. IEEE Transactions on Information Theory, 54(11):5059–5067, November 2008.
[16] H. A. Loeliger. Averaging Bounds for Lattices and Linear Codes. IEEE Transactions on Information Theory, 43(6):1767–1773, November 1997.
[17] U. Erez and R. Zamir. Achieving 1/2 log(1+SNR) on the AWGN Channel with Lattice Encoding and Decoding. IEEE Transactions on Information Theory, 50(10):2293–2314, October 2004.
[18] S. A. Jafar. Capacity with Causal and Non-Causal Side Information - A Unified View. IEEE Transactions on Information Theory, 52(12):5468–5475, December 2006.
[19] J. H. Conway and N. J. A. Sloane. Sphere Packings, Lattices and Groups. Springer, 1999.
[20] E. Tekin and A. Yener. The General Gaussian Multiple Access and Two-Way Wire-Tap Channels: Achievable Rates and Cooperative Jamming. IEEE Transactions on Information Theory, 54(6):2735–2751, June 2008.
[21] U. Erez, S. Litsyn, and R. Zamir. Lattices Which Are Good for (Almost) Everything.