Strong Secrecy for Erasure Wiretap Channels
Ananda T. Suresh, Arunkumar Subramanian, Andrew Thangaraj, Matthieu Bloch, Steven McLaughlin
SStrong Secrecy for Erasure Wiretap Channels
Ananda T. Suresh ∗ , Arunkumar Subramanian † , Andrew Thangaraj ∗ , Matthieu Bloch † and Steven McLaughlin †∗ Department of Electrical Engineering, Indian Institute of Technology, MadrasEmail: [email protected] † School of Electrical and Computer Engineering, Georgia Institute of Technology, USA and GT-CNRS UMI 2958, FranceEmail: [email protected], [email protected], [email protected]
Abstract —We show that duals of certain low-density parity-check (LDPC) codes, when used in a standard coset codingscheme, provide strong secrecy over the binary erasure wiretapchannel (BEWC). This result hinges on a stopping set analysis ofensembles of LDPC codes with block length n and girth ≥ k ,for some k ≥ . We show that if the minimum left degree ofthe ensemble is l min , the expected probability of block error is O ( n (cid:100) l min k/ (cid:101)− k ) when the erasure probability (cid:15) < (cid:15) ef , where (cid:15) ef depends on the degree distribution of the ensemble. As long as l min > and k > , the dual of this LDPC code provides strongsecrecy over a BEWC of erasure probability greater than − (cid:15) ef . I. I
NTRODUCTION
The information-theoretic limits of secure communicationsover public channels were first investigated by Shannon [1];given a message M and its corresponding cryptogram X n oflength n , a message is communicated with perfect secrecy if I ( M ; X n ) = 0 . Shannon proved the disappointing resultthat perfect secrecy requires a secret key K with entropy H ( K ) ≥ H ( M ) . In this setting, Wyner subsequently proposedan alternative model for secure communication called a wire-tap channel [2], in which all communications occur over noisychannels and the eavesdropper observes a degraded version Z n of the signal received by the legitimate receiver. Wynerintroduced the notion of weak secrecy , which requires theleaked information rate n I ( M ; Z n ) to vanish as n → ∞ , andestablished the weak secrecy capacity , that is the maximumsecure communication rate achievable over a wiretap channelunder this condition. Maurer and Wolf later highlighted theshortcomings of weak secrecy for cryptographic purposes, andsuggested to replace it with the notion of strong secrecy , bywhich the absolute information I ( M ; Z n ) should vanish as n → ∞ . Surprisingly, this stronger secrecy requirement doesnot reduce secrecy capacity [3], [4].Despite the surge of recent results investigating wiretapchannels, the design of coding schemes with provable secrecyrate has not attracted much attention. Some efforts in codingfor wiretap channels include [5]–[9].In this work, we revisit the LDPC-based coset codingscheme of [7] for the binary erasure wiretap channel. Wefirst show that the dual of randomly generated LDPC codescan achieve strong secrecy provided the probability of blockerror of the LDPC codes decays faster than n with the blocklength n in a binary erasure channel. Then, we show that forcertain small-cycle-free LDPC ensembles, the probability ofblock error under iterative decoding decays as O ( n ) . We obtain this result by analyzing the stopping sets of LDPCensembles. Stopping sets [10], [11] determine whether iterativedecoding of LDPC codes under erasures will succeed or not.Asymptotic enumeration of stopping sets has been done byseveral authors (see [12]–[15] and references thereof). Wefollow the approach in [12], where asymptotics of the averageblock error probability of LDPC codes were derived.Ensembles of LDPC codes with better than n averageblock error probability are known from prior studies whichuse expander-based ideas and stopping set expurgation [16],[17]. Expander-based ideas typically require minimum bitnode degree of five or above resulting in a decrease inthresholds. Expurgation of stopping sets is usually more dif-ficult to achieve than expurgation of short cycles in randomconstructions. In our approach, we consider ensembles withfinite girth. Restricting the girth results in O ( n ) expectedblock error probability in irregular ensembles with minimumgirth 4 and minimum bit node degree 3. This enables higherasure thresholds and efficient construction methods.In this work, the code construction for strong secrecy isfundamentally different from Maurer and Wolf’s procedureto obtain strong secrecy from weak secrecy [3]. Maurer andWolf’s method relies on the equivalence of key-generationwith one-way communication and coding for the wiretapchannel, while our code construction yields a forward error-control scheme directly. Nevertheless, the constraint imposedin our code construction limits the achievable secrecy rate.The rest of the paper is organized as follows. In Section II,we briefly review the coset coding scheme for the binaryerasure wiretap channel and establish the connection betweenstrong secrecy and the decay of probability of block errorwith code length. In Section III, we show that the probabilityof block error for ensembles without short cycles decays fastenough to guarantee strong secrecy.II. S ECRECY C ODING FOR THE B INARY E RASURE W IRETAP C HANNEL
The wiretap channel considered in this work, denoted by
BEWC( (cid:15) ) , is illustrated in Fig. 1. The channel between thelegitimate parties is noiseless while the eavesdropper’s channelis a binary erasure channel with erasure probability (cid:15) (denotedBEC ( (cid:15) ) ). The secrecy capacity of this wiretap channel is C s = (cid:15) [2].The “coset coding” scheme to communicate secretly overthis channel, proposed in [6], is the following. Prior to a r X i v : . [ c s . I T ] A p r ? Z n E VE DECODER ˆ M B OB ENCODER M A LICE X n − (cid:15)(cid:15)(cid:15) − (cid:15)
01 0
BEC( (cid:15) ) Fig. 1. Binary erasure wiretap channel. transmission, Alice and Bob agree on a ( n, n − k ) code C with parity check matrix H . The coset of C with syndrome s k is denoted by C ( s k ) = { x n ∈ { , } n : s k = H T x n } . Totransmit a message M of k bits, Alice transmits a codeword X n chosen uniformly at random in C ( M ) . Bob decodes hisreceived codeword X n by forming the syndrome H T X n .The following theorem due to Ozarow and Wyner connectsthe equivocation of the eavesdropper to algebraic properties ofthe generator matrix. Theorem 1 ( [6]) . Let C be a ( n, n − k ) code with generatormatrix G = [ g , . . . , g n ] , where g i represents the i -th columnof G . Let z n be an observation of the eavesdropper with µ unerased position given by { i : z i (cid:54) =? } = { i , . . . , i µ } . Let G µ = [ g i . . . g i µ ] . Then, H ( M | z n ) = k iff G µ has full rank. Based on Theorem 1, we can now connect the rate ofconvergence of I ( M ; Z n ) to the probability that a submatrixof G has full rank. Lemma 1.
Let G µ be the submatrix of G corresponding tothe unerased positions in Z n . Let p nf be the probability that G µ is not full rank. Then, a coset coding scheme operates withstrong secrecy if the probability p nf is such that p nf = O ( n α ) for some α > .Proof: We can lower bound H ( M | Z n ) as H ( M | Z n ) ≥ H ( M | Z n , rank( G µ )) ≥ H ( M | Z n , G µ is full rank ) P [ G µ is full rank ]= k (1 − p nf ) = k − R s np nf If p nf = O ( n α ) , then I ( M ; Z n ) = k − H ( M | Z n ) ≤ O ( n α − ) ,which can be made arbitrary small for n sufficiently large and α > .Let C n ( λ, ρ ) be an LDPC ensemble with n variable nodes,left edge degree distributions λ ( x ) = (cid:80) i ≥ λ i x i − and rightnode degree distribution ρ ( x ) = (cid:80) i ≥ ρ i x i − [15, § λ ( x ) , ρ ( x ) are from an edge perspective, that is λ i is thefraction of edges connected to a variable node of degree i and ρ j is similarly defined.Let P ( n ) e ( (cid:15) ) denote the probability of block error for codesfrom C n ( λ, ρ ) over BEC ( (cid:15) ) under iterative decoding. An im-portant interpretation of P ( n ) e ( (cid:15) ) is the following: for a parity-check matrix H with degree distribution ( λ, ρ ) , − P ( n ) e ( (cid:15) ) is a lower bound on the probability that erased columns of weaksecrecy strongsecrecyEve's erasure probility Fig. 2. Weak and strong secrecy regions using duals of LDPC codes H (over a BEC ( (cid:15) ) ) form a full-rank submatrix. Using thisinterpretation and results from [7], we have the followingimmediate corollary of Lemma 1. Corollary 1.
If there exists (cid:15) ∗ > such that P ( n ) e ( (cid:15) ) = O ( n α ) , ( α > ) for (cid:15) < (cid:15) ∗ , then the dual of a codefrom C n ( λ, ρ ) used in a coset coding scheme provides strongsecrecy over a BEWC( (cid:15) ) for (cid:15) > − (cid:15) ∗ . It is immediately clear that we will have (cid:15) ∗ ≤ (cid:15) th , where (cid:15) th is the erasure threshold for the ensemble over LDPC codes[15]. As noted in [7], when (cid:15) ≤ (cid:15) th we have weak secrecy. Inview of this, we will have guaranteed weak and strong secrecyregions as illustrated in Fig. 2 by doing “coset coding” usingduals of LDPC codes. We know that degree distributions canbe optimized so that − (cid:15) th is very close to the code rate.Since LDPC codes achieve capacity over a BEC, our codingscheme will achieve weak secrecy very close to the secrecyrate and strong secrecy slightly away from the secrecy rate. Inthe next section, we will show that (cid:15) ∗ exists for some restrictedensembles of LDPC codes.III. T HE LDPC
ENSEMBLE WITHOUT SHORT CYCLES
In this section, we study the sub-ensemble of Tanner graphs[15] whose girth is at least k for some integer k ≥ which does not change with the block length n . We denotethe ensemble of all Tanner graphs by G ( n, λ, ρ ) and the sub-ensemble of girth ≥ g graphs by G g ( n, λ, ρ ) . We associate i sockets to each node of degree i . An edge in a Tanner graphis an unordered pair containing one bit node socket and onecheck node socket. A Tanner graph with | E | edges has | E | sockets on each side. Therefore, the size of the ensemble equalto the number of permutation of the check node sockets, whichis | E | ! . First we show that the size of our sub-ensemble is notnegligible compared to the size of the original ensemble as n → ∞ . Lemma 2 ( [18, Corollary 4]) . Let n, g be even positiveintegers and d ≥ be an integer. As n grows, let ( d − g − = o ( n ) . Then, the number of (labeled) d -regular bipartite graphson n vertices with girth greater than g is ( nd/ d !) n exp − g/ (cid:88) s =1 ( d − s s + o (1) as n → ∞ . Note that the number of d -regular bipartite graphs on n vertices is ( nd/ / ( d !) n . The following corollary is thenimmediate. orollary 2. Let g, n be positive even numbers and let d ≥ be an integer. Let d, g remain constant as n → ∞ . Then,the fraction of ( d, d ) regular bipartite graphs that have girthgreater than g is exp − g/ (cid:88) s =1 ( d − s s + o (1) as n → ∞ . In particular, this fraction is bounded away fromzero for large n . Lemma 3.
Let a ( λ, ρ ) irregular Tanner graph ensemble besuch that max { deg( λ ) , deg( ρ ) } > and the coefficients of thedegree distribution polynomials are rational. Let g > be aninteger that remains constant with block length n . There existsan increasing sequence ( n k ) of positive integers such that thefraction of graphs of girth > g in G ( n k , λ, ρ ) is bounded awayfrom zero as k → ∞ .Proof: Let d be the least common multiple of all thevertex degrees in the graph. Clearly, d > and it is a functionof only λ and ρ . Let a be the smallest positive integer suchthat a ˜ λ i d , a ˜ ρ j d ∈ N where ˜ λ i is the fraction of variable nodes of degree i and ˜ ρ j is the fraction of check nodes of degree j [15, § n k = ak variable nodes.We can group d/i of the degree i variable nodes to get onevariable node of degree d . If we do this for all the variablenode degrees, we will have a left regular Tanner graph withleft degree d . Similarly, we can repeat this process for thecheck nodes to get a ( d, d ) regular Tanner graph. Note that inthis node grouping process, we preserve the number of edgessince the ensemble allows the possibility of multiple edges.The girth of the resultant regular graph is not more than thatof the original graph. It can also be noted that there is a one-one correspondence between the graphs in the ( λ, ρ ) ensembleand those in the ( d, d ) ensemble. By lemma 2, the fraction ofgraphs with girth > g in the ( d, d ) ensemble, say µ , is non-zero if k is large enough. So, the fraction of graphs in the ( λ, ρ ) ensemble with girth > g is at least µ . This proves thelemma. Remark 1.
Let X be a graph dependent positive number.Let E X represent the expectation of X over G ( n, λ, ρ ) . Let E X be the expectation over G g ( n, λ, ρ ) and E X be theexpectation over G ( n, λ, ρ ) \ G g ( n, λ, ρ ) . We have E X = q n E X + (1 − q n ) E X where q n (cid:44) |G g ( n, λ, ρ ) | / |G ( n, λ, ρ ) | . By lemma 3, there existsa p > such that for large n , we have q n ≥ p . Therefore, E X ≥ p E X E X ≤ p E X This inequality is used to upper bound E X when it is easierto find an upper bound to E X . A. Stopping sets and stopping number For the sake of clarity and completeness, we restate someof the definitions that were originally stated in [12]. Given aTanner graph G , let U be any subset of variable nodes in G .Let the (check node) neighbours of U be denoted by N ( U ) . U is called a stopping set if the degree of all the check nodesin the induced subgraph G [ U ∪ N ( U )] is at least two. The stopping number of a Tanner graph is defined as the size of itssmallest stopping set. For a given Tanner graph, its stoppingnumber is denoted by s ∗ and the set of all stopping sets isdenoted by S . The stopping ratio is defined as the ratio of thestopping number to the block length.The average stopping set distribution is defined as E ( s ) = E ( |{ S ∈ S : | S | = s }| ) where the average is taken over all the Tanner graphs in G ( n, ρ, λ ) . For any rational α ∈ [0 , , it is assumed that thereexists a sequence ( n k ) of strictly increasing block lengths suchthat E ( αn k ) > for all n k . We can then define the normalizedstopping set distribution as γ ( α ) = lim k →∞ n k log E ( αn k ) It was shown that γ ( α ) is continuous over the set of rationalsand hence, it can be extended to a continuous function over [0 , . The critical exponent stopping ratio of a Tanner graphensemble is defined as α ∗ = inf { α > γ ( α ) ≥ } B. Block error probability of short-cycle-free ensembles
In this section, we prove a key result about the average blockerror probability of short-cycle-free LDPC ensembles, whichis central to our claim that the duals of these codes providestrong secrecy. Let P IT B ( C, (cid:15) ) be the probability of block errorwhen the code C is transmitted over BEC( (cid:15) ) and iterativelydecoded. We define [12] (cid:15) ef (cid:44) sup (cid:26) (cid:15) : max α ∈ [0 ,(cid:15) ] (cid:16) γ ( α ) + (1 − α ) h ( (cid:15) − α − α ) − h ( (cid:15) ) (cid:17) ≤ (cid:27) where h ( x ) is the binary entropy function calculated usingnatural logarithms. Note that γ ( α ) , and (cid:15) ef are calculated overthe entire ensemble G ( n, λ, ρ ) instead of the girth-restrictedensemble. Instead of calculating P IT B ( C, (cid:15) ) directly, we takeaverages of this quantity over an ensemble of codes and showthat the average block error probability over the ensemble G k ( n, λ, ρ ) decays as fast as we want it to for (cid:15) < (cid:15) ef . Theorem 2.
For G k ( n, λ, ρ ) , with minimum variable nodedegree l min , maximum variable node degree l max and maxi-mum check node degree r max > we have E ( P IT B ( C, (cid:15) )) = O (cid:18) n (cid:100) l min2 k (cid:101)− k (cid:19) and in the limits of small (cid:15) and large n E ( P IT B ( C, (cid:15) )) = O (cid:18) (cid:15) k n (cid:100) l min2 k (cid:101)− k (cid:19) roof: Let V e be the set of variable nodes correspondingto the random erasures in the LDPC codeword. The iterativedecoding fails iff V e contains a stopping set. So, P IT B ( C, (cid:15) ) = P ( ∃ S ∈ S : S ⊂ V e ) For any δ , δ > , we bound P IT B ( C, (cid:15) ) using union boundas P IT B ( C, (cid:15) ) ≤ δ n − (cid:88) i = k |{ S ∈ S : | S | = i }| (cid:15) i + P ( ∃ S ∈ S : S ⊂ V e , δ n ≤ | S | ≤ ( (cid:15) + δ ) n )+ P ( ∃ S ∈ S : S ⊂ V e , ( (cid:15) + δ ) n ≤ | S | ≤ n ) Using an argument almost identical to the one used in [12,Theorem 16], we can show that the expectations of the secondand the third terms go to zero exponentially as n → ∞ if (cid:15) < (cid:15) ef . Now, E (cid:32) δ n − (cid:88) i = k |{ S ∈ S : | S | = i }| (cid:15) i (cid:33) = δ n − (cid:88) i = k E ( |{ S ∈ S : | S | = i }| ) (cid:15) i ≤ p δ n − (cid:88) i = k E ( |{ S ∈ S : | S | = i }| ) (cid:15) i A stopping set of i variable nodes can have nodes ofdifferent degrees. Let S i denote the set of all non-negativeinteger solutions to the equation i l min + i l min +1 + · · · + i l max = i .We can write E ( |{ S ∈ S : | S | = i }| ) (cid:15) i = (cid:15) i (cid:88) { i s }∈S i (cid:0) n ˜ λ l min i l min (cid:1)(cid:0) n ˜ λ l min+1 i l min+1 (cid:1) · · · (cid:0) n ˜ λ l max i l max (cid:1) A (cid:0) | E | (cid:80) si s (cid:1) ≤ (cid:15) i (cid:18) ni (cid:19) (cid:88) { i s }∈S i A (cid:0) | E | (cid:80) si s (cid:1) Here, A is the number of ways to connect the selected i vari-able nodes to form a stopping set. This number is independentof n as long as i is just a small fraction of it. We also notethat if we increase the degree of all the check nodes in thegraph, A can only increase. Therefore, we may upper bound A by the number of ways to form a stopping set assuming eachcheck node has the maximum possible degree, r max . The latternumber is equal to coef (cid:0) ((1 + x ) r max − r max x ) m , x (cid:80) si s (cid:1) byelementary combinatorics. We have, A ≤ coef (cid:16) ((1 + x ) r max − r max x ) m , x (cid:80) si s (cid:17) ≤ (cid:18) m + (cid:98) (cid:80) si s (cid:99) − (cid:100) (cid:80) si s r max (cid:101)(cid:98) (cid:80) si s (cid:99) (cid:19) (2 r max − (cid:80) si s where the last inequality follows from [12, Lemma 18]. If wedenote (cid:80) si s by w , we have il min ≤ w ≤ il max . So, E ( |{ S ∈ S : | S | = i }| ) (cid:15) i ≤ (cid:15) i (cid:18) ni (cid:19) (cid:88) { i s }∈S i (cid:18) m + (cid:98) w (cid:99) − (cid:100) wr max (cid:101)(cid:98) w (cid:99) (cid:19) (2 r max − w (cid:0) | E | w (cid:1) ≤ (cid:15) i (cid:18) ni (cid:19) (2 r max − il max (cid:88) { i s }∈S i (cid:18) m + il max (cid:98) w (cid:99) (cid:19) (cid:0) | E | w (cid:1) ≤ (cid:15) i (cid:18) ni (cid:19) (2 r max − il max (cid:88) { i s }∈S i (cid:0) m + il max (cid:1) (cid:98) w (cid:99) w ! (cid:98) w (cid:99) ! ( | E | − il max ) w If we denote the summand by f ( w ) , we have f (2 r +1) f (2 r ) = r +1 | E |− il max ≤ il max | E |− il max ≤ δnl max | E |− δ nl max ≤ if we choose δ small enough. Also, f (2 r +2) f (2 r +1) = 2 m + il max | E |− il max ≤ m + δ nl max | E |− δ nl max Since r max > we have | E | > m . Again, if we choose δ small enough, we will have f (2 r + 2) /f (2 r + 1) ≤ . So, f ( w ) is a non-increasing function and w ≥ il min . We nowhave E ( |{ S ∈ S : | S | = i }| ) (cid:15) i ≤ (cid:15) i (cid:0) ni (cid:1) (2 r max − il max × (cid:88) { i s }∈S i (cid:0) m + il max (cid:1) (cid:98) il min2 (cid:99) ( il min )! (cid:98) il min (cid:99) ! ( | E | − il max ) il min ≤ (cid:15) i (cid:0) ni (cid:1) (2 r max − il max ( i + 1) r max × (cid:0) m + δ nl max (cid:1) (cid:98) il min2 (cid:99) ( il min )! (cid:98) il min (cid:99) ! ( | E | − δ nl max ) il min ≤ (cid:15) i (cid:0) ni (cid:1) (2 r max − il max ( i + 1) r max n (cid:100) il min2 (cid:101) × (cid:0) r + δ r max (cid:1) (cid:98) il min2 (cid:99) ( il min )! (cid:98) il min (cid:99) ! ( r − δ r max ) il min (cid:44) (cid:15) i J i Here, r = m/n and r = | E | /n depend only on ρ and λ . If i remains a constant as n → ∞ , we have J i = Θ (cid:18) n (cid:100) il min2 (cid:101)− i (cid:19) (1)Also, J i +2 J i = (cid:0) ni +2 (cid:1)(cid:0) ni (cid:1) (2 r max − l max ( r + δ l max ) l min ( r − δ l max ) l min × (cid:16) i +3 i +1 (cid:17) r max ( il min + 2 l min )! (cid:98) il min (cid:99) !( il min )! (cid:0) (cid:98) il min (cid:99) + l min (cid:1) ! n l min ≤ ( n − i − n − i )( i + 1)( i + 2) (2 r max − l max (cid:16) i +3 i +1 (cid:17) r max × ( r + δ l max ) l min ( r − δ l max ) l min ( il min + 2 l min ) l min (cid:0) (cid:98) il min (cid:99) + 1 (cid:1) l min n l min sing i +3 i +1 ≤ , il min + 2 l min ≤ il min , (cid:98) x (cid:99) + 1 ≥ x , J i +2 J i ≤ n i (2 r max − l max r max ( r + δ l max ) l min ( r − δ l max ) l min × (3 il min ) l min (cid:0) il min (cid:1) l min n l min Choosing δ ∈ (0 , such that r − δ l max > and δ < δ , J i +2 J i ≤ (2 r max − l max r max × ( r + δ l max ) l min (3 l min ) l min ( r − δ l max ) l min (cid:0) l min (cid:1) l min (cid:18) in (cid:19) l min − = B (cid:18) in (cid:19) l min − ≤ Bδ l min − where B depends only on λ and ρ . E (cid:32) δ n − (cid:88) i = k |{ S ∈ S : | S | = i }| (cid:15) i (cid:33) ≤ p δ n − (cid:88) i = k (cid:15) i J i ≤ p (cid:15) k δ n − (cid:88) i = k J i = 1 p (cid:15) k (cid:20) Θ (cid:18) n (cid:100) l min2 k (cid:101)− k (cid:19) + Θ (cid:18) n (cid:100) l min2 ( k +1) (cid:101)− k − (cid:19)(cid:21) × δ n/ (cid:88) i =0 (cid:16) Bδ l min − (cid:17) i If δ is small enough, then the summation in the aboveequation is bounded by a decreasing geometric sum. So, E (cid:32) δ n − (cid:88) i = k |{ S ∈ S : | S | = i }| (cid:15) i (cid:33) = O (cid:18) (cid:15) k n (cid:100) l min2 k (cid:101)− k (cid:19) ⇒ E (cid:0) P IT B ( C, (cid:15) ) (cid:1) = O (cid:18) (cid:15) k n (cid:100) l min2 k (cid:101)− k (cid:19) (2)as (cid:15) → and n → ∞ .From the above theorem, the average block error probabilityin our ensemble decays faster than n for l min > and k > .This correpsonds to LDPC ensembles with a minimum bitnode degree of at least 3 and girth at least 4. By corollary 1,the duals of these LDPC codes achieve strong secrecy over aBEWC of erasure probability − (cid:15) ef .The (3, 6) regular LDPC ensemble has (cid:15) th = 0 . , (cid:15) ef = 0 . and rate / . When duals of codes in thisensemble are used on BEWC( (cid:15) ) , a secret communication rateof 0.5 is achieved with weak secrecy when (cid:15) ∈ (0 . , . and with strong secrecy when (cid:15) > . . Our numericalcalculations indicate that some of the degree distributions thatare optimized for very high (cid:15) th have (cid:15) ef < . .IV. C ONCLUSION AND FUTURE DIRECTIONS
In this work, we have shown that duals of LDPC codeswith girth greater than 4 and minimum left degree at least achieve strong secrecy on the binary erasure wiretap channel.LDPC ensembles with degree 2 nodes play an important role in achieving capacity on the binary erasure channel. Furtherstudy is required on the relationship between these LDPCcodes and strong secrecy. Another research possibility involvesoptimizing the degree distributions to find LDPC ensembleswith a very high (cid:15) ef for a given rate.R EFERENCES[1] C. E. Shannon, “Communication Theory of Secrecy Systems,”
BellSystem Technical Journal , vol. 28, pp. 656–715, 1948.[2] A. D. Wyner, “The Wire-Tap Channel,”
Bell System Technical Journal ,vol. 54, no. 8, pp. 1355–1367, October 1975.[3] U. M. Maurer and S. Wolf, “Information-Theoretic Key Agreement:From Weak to Strong Secrecy for Free,” in
Advances in Cryptology -Eurocrypt 2000 , Lecture Notes in Computer Science. B. Preneel, 2000,p. 351.[4] I. Csisz´ar, “Almost Independence and Secrecy Capacity,”
Problems ofInformation Transmission , vol. 32, no. 1, pp. 40–47, January-March1996.[5] C. H. Bennett, G. Brassard, C. Cr´epeau, and U. Maurer, “GeneralizedPrivacy Amplification,”
IEEE Trans. Inf. Theory , vol. 41, no. 6, pp.1915–1923, November 1995.[6] L. H. Ozarow and A. D. Wyner, “Wire Tap Channel II,”
AT&TBell Laboratories Technical Journal , vol. 63, no. 10, pp. 2135–2157,December 1984.[7] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, andJ.-M. Merolla, “Applications of LDPC Codes to the Wiretap Channels,”
IEEE Trans. Inf. Theory , vol. 53, no. 8, pp. 2933–2945, Aug. 2007.[8] R. Liu, Y. Liang, H. V. Poor, and P. Spasojevi´c, “Secure Nested Codesfor Type II Wiretap Channels,” in
Proceedings of IEEE InformationTheory Workshop , Lake Tahoe, California, USA, September 2007, pp.337–342.[9] G. Cohen and G. Zemor, “Syndrome-Coding for the Wiretap ChannelRevisited,” in
Proc. IEEE Information Theory Workshop , Chengdu,China, October 2006, pp. 33–36.[10] C. Di, D. Proietti, I. Telatar, T. Richardson, and R. Urbanke, “Finite-length analysis of low-density parity-check codes on the binary erasurechannel,”
Information Theory, IEEE Transactions on , vol. 48, no. 6, pp.1570 –1579, jun 2002.[11] T. Richardson and R. Urbanke, “The capacity of low-density parity-check codes under message-passing decoding,”
Information Theory,IEEE Transactions on , vol. 47, no. 2, pp. 599 –618, feb 2001.[12] A. Orlitsky, K. Viswanathan, and J. Zhang, “Stopping set distributionof LDPC code ensembles,”
IEEE Transactions on Information Theory ,vol. 51, no. 3, pp. 929 –953, march 2005.[13] O. Milenkovic, E. Soljanin, and P. Whiting, “Asymptotic spectra oftrapping sets in regular and irregular ldpc code ensembles,”
InformationTheory, IEEE Transactions on , vol. 53, no. 1, pp. 39 –55, jan. 2007.[14] D. Burshtein and G. Miller, “Asymptotic enumeration methods foranalyzing ldpc codes,”
Information Theory, IEEE Transactions on ,vol. 50, no. 6, pp. 1115 – 1131, june 2004.[15] T. Richardson and R. Urbanke,
Modern Coding Theory . CambridgeUniversity Press, 2008.[16] S. Korada and R. Urbanke, “Exchange of limits: Why iterative decodingworks,” in
Information Theory, 2008. ISIT 2008. IEEE InternationalSymposium on , july 2008, pp. 285 –289.[17] A. Amraoui, A. Montanari, T. Richardson, and R. Urbanke, “Finite-length scaling for iteratively decoded ldpc ensembles,”
InformationTheory, IEEE Transactions on , vol. 55, no. 2, pp. 473 –498, feb. 2009.[18] B. D. McKay, N. C. Wormald, and B. Wysocka, “Short cycles in randomregular graphs,”