The Two-Way Wiretap Channel: Achievable Regions and Experimental Results
Aly El Gamal, O. Ozan Koyluoglu, Moustafa Youssef, Hesham El Gamal
aa r X i v : . [ c s . I T ] O c t The Two-Way Wiretap Channel: AchievableRegions and Experimental Results
Aly El Gamal, O. Ozan Koyluoglu, Moustafa Youssef, and Hesham El Gamal
Abstract
This work considers the two-way wiretap channel in which two legitimate users, Alice and Bob, wish to exchangemessages securely in the presence of a passive eavesdropper Eve. In the full-duplex scenario, where each node cantransmit and receive simultaneously, we obtain new achievable secrecy rate regions based on the idea of allowing thetwo users to jointly optimize their channel prefixing distributions and binning codebooks in addition to key sharing.The new regions are shown to be strictly larger than the known ones for a wide class of discrete memoryless andGaussian channels. In the half-duplex case, where a user can only transmit or receive on any given degree of freedom,we introduce the idea of randomized scheduling and establish the significant gain it offers in terms of the achievablesecrecy sum-rate. We further develop an experimental setup based on a IEEE 802.15.4-enabled sensor boards, anduse this testbed to show that one can exploit the two-way nature of the communication, via appropriately randomizingthe transmit power levels and transmission schedule, to introduce significant ambiguity at a noiseless
Eve.
I. I
NTRODUCTION
In a pioneering paper [2], Shannon established the achievability of perfectly secure communication in the presenceof an eavesdropper with unbounded computational complexity. However, the necessary condition for perfect secrecy,i.e., that the entropy of the private key is at least as large as that of the message, appears to be prohibitive for mostpractical applications. In [3], Wyner revisited the problem and proved the achievability of a positive secrecy rate overa degraded discrete memoryless channel, via a key-less secrecy approach, by relaxing the noiseless assumption andthe strict notion of perfect secrecy employed in [2]. Wyner’s results were later extended to the Gaussian and broadcastchannels in [4] and [5], respectively. In [6], Maurer showed how to exploit the presence of a public discussion
Aly El Gamal was with the Wireless Intelligent Networks Center (WINC), Nile University, Cairo, Egypt. He is now with the University ofIllinois at Urbana-Champaign (Email: [email protected]). O. Ozan Koyluoglu was with the Department of Electrical and Computer Engineering,The Ohio State University, Columbus, OH. He is now with the University of Texas at Austin (Email: [email protected]). Hesham El Gamalis with the Department of Electrical and Computer Engineering, The Ohio State University, Columbus, OH (Email: [email protected]).Moustafa Youssef was with the Wireless Intelligent Networks Center (WINC), Nile University, Cairo, Egypt. He is now with AlexandriaUniversity and Egypt-Japan University of Science and Technology (E-JUST) (Email: [email protected]).This work was presented in part at the 2009 IEEE Global Communications Conference (GLOBECOM 2009) and the 2010 IEEE InformationTheory Workshop (ITW 2010).This research was supported in part by the National Science Foundation (NSF), the Los Alamos National Labs (LANL), the USAID Fund,and QNRF.
October 30, 2018 DRAFT channel to achieve positive secrecy over the one way wiretap channel even when the eavesdropper channel is lessnoisy than the legitimate one. In [7], the authors considered a more practical feedback scenario where the noiselesspublic channel is replaced by receiver feedback over the same noisy channel. Under this assumption, it was shownthat the perfect secrecy capacity is equal to the capacity of the main channel in the absence of the eavesdropperfor full-duplex modulo-additive discrete memoryless channels. More interestingly, [7] established the achievabilityof positive secrecy rates, even under the half-duplex constraint where each feedback symbol introduces an erasureevent in the main channel.Our work generalizes this line of work by investigating the fundamental limits of the two-way wiretap channel,where Alice and Bob wish to exchange secure messages in the presence of a passive eavesdropper Eve. It is easy tosee that the one way channel with feedback considered in [7] is a special case of this model. Using the cooperativechannel prefixing and binning technique proposed in [8], [9], along with an innovative approach for key sharingbetween Alice and Bob, we first derive an inner bound on the secrecy capacity region of the full-duplex discretememoryless two-way wiretap channel. By specializing our results to the additive modulo- and Gaussian channel,our region is shown to be strictly larger than those reported recently in the literature [10], [11], [13]. The gaincan be attributed to the fact that we allow both nodes to simultaneously send secure messages when the channelconditions are favorable. We then proceed to the half-duplex setting where each node can only transmit or receiveon the same degree of freedom. Here, we introduce the concept of randomized scheduling for secrecy , wherebyAlice and Bob send their symbols at random time instants to maximally confuse Eve at the expense of introducing collisions and erasure events in the main channel. Remarkably, this approach is shown to result in significantgains in the achievable secure sum rate, as compared with the traditional deterministic scheduling approach. In theGaussian scenario, we show that the ambiguity at Eve can be further enhanced by randomizing the transmit powerlevels.Inspired by our information theoretic foundation, we develop an IEEE . . testbed to estimate the ambiguityat the eavesdropper in near field wireless sensor networks where the distance between the legitimate nodes issignificantly smaller than that to the potential eavesdropper. A representative scenario corresponds to Body AreaNetworks (BAN) which are being considered for a variety of health care applications. Here, the sensor nodes aremounted on the body, and hence, any potential eavesdropper is expected to be at a significantly larger distancefrom each legitimate node. Clearly, ensuring the confidentiality of the messages exchanged between sensors is animportant design consideration in this application. Assuming an eavesdropper equipped with an energy classifier,analytical and experimental results that quantify the achievable secrecy sum rate under a two dimensional pathloss model are derived. However, it is worth noting that we do not address the issue of implementing the classicalwiretap code [3] in this work. Overall, these results establish the gain offered by the two-way randomization conceptand establish the feasibility of our approach in realistic scenarios.It is worth noting that similar settings to the one considered in this work, exist in the literature. In particular, theauthors in [15] consider a binary erasure block-fading channel where the nodes are placed according to a similargeometric model to that in Section IV, and provide analytical and experimental results for the secrecy outage October 30, 2018 DRAFT probabilities for frames of different sizes, [14] considers an extension of the two-way wiretap channel where theuntrusted eavesdropper may be used to relay messages between the two users. Also, [16] considers the two-waywiretap channel with a strong secrecy constraint, where the mutual information leakage to the eavesdropper, ratherthan the leakage rate (defined in Section II) is required to vanish in the limit of the number of channel uses.The rest of the paper is organized as follows. In Section II, we develop an achievable secrecy rate region for thefull-duplex discrete memoryless two-way wiretap channel, and specialize the result to the additive modulo- andGaussian channel. Section III is devoted to the half-duplex scenario where the concept of randomized scheduling isintroduced. Our practical setting, using the TinyOS-enabled sensor boards, is described in Section IV. The analyticaland experimental results of this section establish the feasibility of our approach in near field wireless sensor networkapplications. Finally, we offer some concluding remarks in Section V. To enhance the flow of the paper, the detailedproofs are collected in the appendices. II. F ULL -D UPLEX C HANNELS
In the full-duplex scenario, each of the two legitimate terminals is equipped with a transmitter and a receiverthat can operate simultaneously on the same degree of freedom. The two users intend to exchange messages inthe presence of a (passive) eavesdropper. More specifically, the i th user wishes to transmit a secret message w i ,selected from a set of equiprobable messages M i = { , . . . , M i } , to the other user, in n channel uses, where i = 1 , . For message w i , a codeword X i ( w i ) = { X i (1) , . . . , X i ( n ) } is transmitted at a rate R i = n log M i . The i th decoder employs a decoding function φ i ( . ) to map the received sequence Y i to an estimate ˆ w i of w i . Thetwo-way communication is governed by reliability and secrecy constraints. The former is measured by the averageprobability of error, P e,i = 1 M i X w i ∈M i P { ˆ w i = w i | w i is sent } , for i = 1 , whereas the latter is quantified by the mutual information leakage rate to the eavesdropper L , i.e., L n = 1 n I ( W , W ; Z ) , where Z = { Z (1) , . . . , Z ( n ) } is the observed sequence at the eavesdropper. Here, we focus on the perfect secrecy rate region, where the leakage rate is made arbitrarily small [3], as formalized in the following. Definition 1:
The secret rate tuple ( R , R ) is achievable for the two-way wiretap channel, if for any given ǫ > , there exists an ( n, M , M , P e, , P e, , L n ) code such that, R = 1 n log M R = 1 n log M max( P e, , P e, ) ≤ ǫL n ≤ ǫ, for sufficiently large n . October 30, 2018 DRAFT
We note that the last condition implies that (see, e.g., [9, Lemma 15]) n H ( W i | Z ) ≥ R i − ǫ for i = 1 , . The secrecy capacity region is defined as the set of all achievable secret rate tuples ( R , R ) and is denotedby C F . Throughout the sequel, we will use the following shorthand notation for probability distributions: P ( x ) , P ( X = x ) , P ( x | y ) , P ( X = x | Y = y ) , and P ( x, y ) , P ( X = x, Y = y ) , where X and Y denote arbitraryrandom variables. We will also use log( x ) to denote log ( x ) , and [ a ] + to denote max( a, . Furthermore, for thefull-duplex discrete memoryless two-way channel with an external passive eavesdropper (DM-TWC-E), we will usethe calligraphic letters X and X to denote the discrete input finite alphabets for user and user , respectively,and Y , Y , and Z , to denote the output alphabets observed at the decoders of user , user , and the eavesdropper,respectively. The channel is given by P ( y , y , z | x , x ) and is memoryless in the following sense. P ( y ( t ) , y ( t ) , z ( t ) | x t , x t , y t − , y t − , z t − ) = P ( y ( t ) , y ( t ) , z ( t ) | x ( t ) , x ( t )) . We further assume all channel state information to be available at all nodes. Our general achievable region isobtained via a coding scheme inspired by [9] where the codewords C and C are drawn from the two binningcodebooks, and passed on to the two respective prefix channels. To maximize the ambiguity at Eve, both the binningcodebooks and channel prefixing distributions are jointly optimized. In addition, the proposed scheme involves keysharing with a block encoding technique to facilitate the secrecy generation. In particular, the key received fromthe other user during the previous block is used in a one time pad scheme [17] to transmit additional secret bits.The codeword consisting of the XOR of the message and the key serves a) as a cloud center in the superpositioncoding and b) as an additional randomization for the binning codebook. The following result characterizes the setof achievable rates using our coding scheme. Theorem 1:
The proposed coding scheme achieves the region R for the full-duplex DM-TWC-E. R , closure of [ p ∈P R ( p ) ⊆ C F , where P denotes the set of all joint distributions of the random variables Q , U , U , C , C , X , and X satisfying P ( q, u , u , c , c , x , x ) = P ( q ) P ( u | q ) P ( c | u ) P ( x | c ) P ( u | q ) P ( c | u ) P ( x | c ) and R ( p ) is the closure of all rate pairs ( R = R u + R s + R o , R = R u + R s + R o ) , with non-negative tuples October 30, 2018 DRAFT ( R u , R s , R o , R x , R u , R s , R o , R x ) satisfying R s + R k + R o + R x ≤ I ( C ; Y | X , U , Q ) (1) R u + R s + R k + R o + R x ≤ I ( U , C ; Y | X , Q ) (2) R s + R k + R o + R x ≤ I ( C ; Y | X , U , Q ) (3) R u + R s + R k + R o + R x ≤ I ( U , C ; Y | X , Q ) (4) R o + R x ≤ I ( C ; Z | U , U , C , Q ) (5) R o + R x ≤ I ( C ; Z | U , U , C , Q ) (6) R o + R x + R o + R x = I ( C , C ; Z | U , U , Q ) (7) R u + R o ≤ R k (8) R u + R o ≤ R k (9) Proof:
Please refer to Appendix A.For i = 1 , , R si denotes the rate of physically secure transmission for user i . i.e., the part of message W i that issecured using cooperative binning and channel prefixing only, R ki denotes the rate of key transmission from user i to the other user, R oi denotes the rate of transmission of the open part of message W i that is secured using the secretkey received from the other user in the previous block. The classical wiretap code [3] requires sacrificing part of therate available for reliable communication, to exploit the secrecy advantage offered by the physical channel (in ourcase, the equivalent channel after inserting the channel prefix) in order to hide the message from the eavesdropper.The aforementioned part equals R oi + R xi for user i . Note that the eavesdropper may be able to decode this partof message W i , including the open part, but that will not violate the secrecy condition since this part is securedby the secret key received from the other user. The possibility of using a superposition code [18] to transmit thephysically secured message is allowed, where all nodes - including the eavesdropper - can identify the position ofthe cloud center, however, the part of the message conveyed through the cloud center is secured through the secretkey received from the other user in the previous block, and in this case the rate of transmission for this part isgiven by R ui . The random variables Q and U denote the time sharing random variable and the cloud center of thesuperposition code, respectively.Inequalities (1)- (4) follow from the reliable communication constraint, and the conditions in (5)- (7) ensure thatenough randomization is inserted through the wiretap code into the multiple access channel from the two legitimatenodes to the eavesdropper, such that the secrecy constraint is satisfied. Finally, the conditions in (8)- (9) followfrom the fact that the entropy of the part of the message that is secured using the secret key received from theother user is bounded by the entropy of that key [2]. Note that the role of key sharing evident from the aboveinequalities, is not to increase the sum rate, but to give complete freedom in distributing the the secrecy advantageoffered by the two-way wiretap channel (after inserting the channel prefixes) between the two users. Remark 1:
The proposed coding scheme can be used to exchange open messages (secured using the secret key)
October 30, 2018 DRAFT in addition to the physically secure ones between Alice and Bob, even through the cloud center of the superpositioncode. More Specifically, the rate R ui can be split into an open part R uoi and a physically secured part R usi . Let R secret i and R open i be the secret and open message rates of transmitter i = 1 , . Then, the proposed scheme readilyachieves the four-dimensional rate region given by the closure of the union (over all input probability distributions)of the set of rate tuples ( R secret = R s + R o + R us , R open = R x + R uo , R secret = R s + R o + R us , R open = R x + R uo ) , with the non-negative rate tuples ( R us , R uo , R s , R o , R x , R us , R uo , R s , R o , R x ) satisfying (1)-(7) with R u = R us + R uo , R u = R us + R uo and R us + R o ≤ R k , R us + R o ≤ R k .One can immediately see that the region R does not lend itself to simple computational approaches. Therefore,the rest of the section will focus primarily on the following sub-region R F . Theorem 2:
For the full-duplex DM-TWC-E, R F , closure of [ p ∈P F R F ( p ) ⊆ R ⊆ C F , where P F denotes the set of all joint distributions of the random variables Q , C , C , X , and X satisfying P ( q, c , c , x , x ) = P ( q ) P ( c | q ) P ( c | q ) P ( x | c ) P ( x | c ) and R F ( p ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ I ( C ; Y | X , Q ) R ≤ I ( C ; Y | X , Q ) R + R ≤ I ( C ; Y | X , Q ) + I ( C ; Y | X , Q ) − I ( C , C ; Z | Q ) . Proof:
Please refer to Appendix B.Note that the above region, R F , is achievable without the need to use superposition coding, hence it is not clearto us whether the use of a superposition code is needed or not. (Please refer to Remark 2 in Appendix B.) A. The Modulo-Two Channel
To shed more light on the structural properties of our achievable rate region, we now consider the special caseof the full-duplex modulo- two-way wiretap channel described by the following set of input-output relations. Y = X ⊕ X ⊕ N Y = X ⊕ X ⊕ N Z = X ⊕ X ⊕ N e , where N = { N (1) , . . . , N ( n ) } , N = { N (1) , . . . , N ( n ) } , and N e = { N e (1) , . . . , N e ( n ) } are the additive binarynoise vectors impairing Alice, Bob, and Eve, respectively. The corresponding transition probabilities are given by: P ( N ( t ) = 1) = ǫ , P ( N ( t ) = 1) = ǫ , and P ( N e ( t ) = 1) = ǫ e for i = 1 , . . . , n . The secrecy capacity region is October 30, 2018 DRAFT denoted by C F M . In this special case, the transmitted codeword reduces to the modulo- sum of a binning codewordand an independent prefix noise component, i.e., X = C ⊕ ¯ N X = C ⊕ ¯ N , where ¯N = { ¯ N (1) , . . . , ¯ N ( n ) } , ¯N = { ¯ N (1) , . . . , ¯ N ( n ) } are the prefix noise vectors transmitted by Alice andBob. The components of these vectors are generated according to i.i.d. distributions with the following marginals: P ( ¯ N ( t ) = 1) = ¯ ǫ , P ( ¯ N ( t ) = 1) = ¯ ǫ for i = 1 , . . . , n . The binning codebooks, on the other hand, are generatedaccording to a uniform i.i.d. distribution. We further define the following crossover probabilities to describe thecascade of the prefix and original channels. P ( y = c | c ) = ˆ ǫ , ǫ (1 − ¯ ǫ ) + ¯ ǫ (1 − ǫ ) P ( y = c | c ) = ˆ ǫ , ǫ (1 − ¯ ǫ ) + ¯ ǫ (1 − ǫ ) P ( z = ( c ⊕ c ) | c , c ) = ˆ ǫ e , ǫ e (1 − ¯ ǫ ) + ¯ ǫ (1 − ǫ e ) where, ¯ ǫ = ¯ ǫ (1 − ¯ ǫ )+¯ ǫ (1 − ¯ ǫ ) . The need for the channel prefixes is evident in the case when the physical channeldoes not offer a secrecy advantage. For example, for the case when all channels are noiseless ( ǫ = ǫ = ǫ e = 0 ),no positive secrecy rates are achievable with only binning and key sharing. However, it is easy to see that the rates ( R , R ) = (1 , and (0 , are achievable with a choice of (¯ ǫ , ¯ ǫ ) = (0 , . and (0 . , , respectively. Using theabove notation, the achievable region in Theorem 2 reduces to the region R F M defined as follows.
Corollary 1:
For the full-duplex modulo- two-way wiretap channel R F M , closure of the convex hull of [ p ∈P FM R F M ( p ) ⊆ C F M , where P F M is defined as, P F M , { (¯ ǫ , ¯ ǫ ) : 0 ≤ ¯ ǫ , ¯ ǫ ≤ } , and R F M ( p ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ − H (ˆ ǫ ) R ≤ − H (ˆ ǫ ) R + R ≤ H (ˆ ǫ e ) − H (ˆ ǫ ) − H (ˆ ǫ ) . Moreover, our achievable region contains the two corner points of the secrecy capacity region , namely max ( R , ∈C R = 1 − H ( ǫ ) , and max (0 ,R ) ∈C R = 1 − H ( ǫ ) . Proof:
Please refer to Appendix C.
October 30, 2018 DRAFT
A few remarks are now in order.1) The region in Corollary 1 is strictly larger than the ones reported in [10], [11], as demonstrated by thenumerical results of Fig. 1. Here we compare our region with the one achieved by random binning and keysharing only, and channel prefixing only ( [10, Section 5]). The region reported in [11, Theorem 2] can beachieved via binning without key sharing, hence, is a strict sub-region of Corollary 1.2) The corner points of the region in Corollary 1 is achieved by random binning and key sharing only if ǫ e > max( ǫ , ǫ ) , and achieved by only channel prefixing if ǫ e < min( ǫ , ǫ ) .3) The previous result identifies the separate role of channel prefixing and binning. First, channel prefixing isused to create an advantage of Alice and Bob over Eve via the joint optimization of ¯ ǫ and ¯ ǫ . Then, thebinning codebooks are used to transform this advantage into a secrecy gain for the two terminals. B. The Gaussian Channel
In the full-duplex Gaussian setting, the channel is given by, Y = √ g X + X + N Y = X + √ g X + N Z = √ g e X + √ g e X + N e where g , g , g e , and g e are channel coefficients, N , N , and N e are i.i.d. noise vectors with zero-mean unit-variance white Gaussian entries at user , user , and Eve, respectively. We assume the average power constraintsgiven by n n X t =1 ( X i ( t )) ≤ ρ i , for i = 1 , . The secrecy capacity of this channel is denoted by C F G .We define γ ( x ) , log(1+ x ) and h ( X ) = − R f X ( x ) log f X ( x ) . The prefix to the channel from user to user is an additive white Gaussian noise channel with i.i.d. noise ¯ N ∼ N (0 , ρ n ) , where the allocated power for user isdistributed among the signal C and the artificial noise ¯ N . More specifically, C ∼ N (0 , ρ c ) , and ρ c + ρ n = ρ − ǫ ,and the transmitted signal X = C + ¯N . By the weak law of large numbers, n P nt =1 ( X ( t )) → ρ − ǫ as n → ∞ . X is constructed similarly to obtain the following. Corollary 2:
For the full-duplex Gaussian two-way wiretap channel, the achievable rate region R F G is given by, R F G , closure of the convex hull of ( S p ∈P FG R F G ( p ) ) ⊆ C F G ,where P F G is defined as, P F G , { ( ρ c , ρ n , ρ c , ρ n ) : ρ c + ρ n ≤ ρ , ρ c + ρ n ≤ ρ } , and R F G ( p ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ γ (cid:18) ρ c ρ n (cid:19) October 30, 2018 DRAFT R ≤ γ (cid:18) ρ c ρ n (cid:19) R + R ≤ γ (cid:18) ρ c ρ n (cid:19) + γ (cid:18) ρ c ρ n (cid:19) − γ (cid:18) ρ c g e + ρ c g e ρ n g e + ρ n g e (cid:19) Proof:
The proof follows by extending Theorem 2 to continuous random variables, where we also set |Q| = 1 ,and use the convex hull operation. The tools needed to extend the probability of error and equivocation analysisare already available in the literature[e.g. see [11] and [12]].In Fig. 2, we compare the region of Corollary 2 with the following special cases: 1) Both users implementcooperative binning and key sharing without channel prefixing and 2) One of the users implements individualsecrecy encoding [3], the other helps only with channel prefixing. The same trends of the modulo- case areobserved here except for the fact that channel prefixing does not achieve the two extreme points of R F G . We notethat the region reported in [11, Theorem 2] can be achieved by implementing binning without key sharing, andhence, is a sub-region of Corollary 2. The scheme in [11, Section V] is either binning only at both users, or binningat one user and channel prefixing (jamming) at the other user. The resulting regions are subregions of Corollary 2(the first one is a subregion of the dashed region and the second one is the dotted region in Fig. .). Next, wecompare our results with that of [13]. Let, R ∗ , max α ∈ [0 , α γ ( ρ ) − " γ (cid:18) g e ρ g e ρ (cid:19) − − αα (cid:20) γ ( ρ ) − γ (cid:18) g e ρ g e ρ (cid:19)(cid:21) + + + R ∗ is obtained by reversing the indices above. Then, the achievable rate region proposed in [13] is given by theconvex hull of the following three points: [0 , , [ R ∗ , , and [0 , R ∗ ] . We note that the region R F G given in Corollary 2 strictly includes this one. (The proof of the inclusion part isgiven in Appendix D.) Fig. 3 demonstrates the fact that the inclusion can be strict. The same figure also includesthe achievable region obtained by backward key sharing only . In this scheme, users utilize only the one time padscheme in a time division manner where the node first receives a secret key and then uses it to secure the message.The corresponding region can be described as follows. Let R † , max α ∈ [0 , min ( αγ ( ρ ) , (1 − α ) (cid:20) γ ( ρ ) − γ (cid:18) g e ρ g e ρ (cid:19)(cid:21) + ) .R † is obtained by reversing the indices above. Then backward key sharing achieves the convex hull of the followingthree points: [0 , , [ R † , , and [0 , R † ] . Note that, this is a subregion of R (given in Theorem 1), in which C is used to transmit secret key from user to user , and U is utilized to transmit secret message in a one time pad fashion. Comparing R † and R ∗ inFig. 3, we can see that this scheme can achieve higher rates than the ones reported in [13]. We also remark thatthis example is an evidence of the fact that the region in Theorem 1 strictly includes that of Theorem 2. (That is, October 30, 2018 DRAFT0 R F ( R as R † / ∈ R F but R † ∈ R for the Gaussian channel.) In summary, the region in Theorem 1 includes allthe stated regions as special cases. III. H ALF -D UPLEX C HANNELS
Our first step is to define the following equivalent full-duplex model for the half-duplex channel.
Definition 2:
For a given half-duplex channel governed by P ( y , z | x ) , P ( y , z | x ) , P ( z | x , x ) , and P ( y ) P ( y ) P ( z ) an equivalent full-duplex channel P ∗ ( y , y , z | x , x ) is defined as follows.We allow the channel inputs to take the values in X ∗ i = {X i , ? } , where ? represents the no transmission event.Similarly the channel outputs take values in Y ∗ i = {Y i , ? } , where ? represents the no reception event (due to thehalf-duplex constraint). Then, for the t th symbol time, the full-duplex channel P ∗ ( y , y , z | x , x ) is said to be inone of the following states: ) x ( t ) ∈ X , x ( t ) =? : User is transmitting, user is in no transmission state. ) x ( t ) =? , x ( t ) ∈ X : User is in no transmission state, user is transmitting. ) x ( t ) ∈ X , x ( t ) ∈ X : Both users are transmitting. ) x ( t ) =? , x ( t ) =? : Both users are in the no transmission state.Accordingly, the channel P ∗ ( y , y , z | x , x ) is given by P ∗ ( y , y , z | x , x ) = P ( y , z | x , x =?) { y , ? } , for state P ( y , z | x =? , x ) { y , ? } , for state P ( z | x , x ) { y , ? } { y , ? } , for state P ( y , y , z | x , ? , x =?) , for state , where { x,y } = 1 , if x = y and { x,y } = 0 , if x = y , and P ( y , z | x , x =?) , P ( y , z | x =? , x ) , P ( z | x , x ) ,and P ( y , y , z | x =? , x =?) are given by the half-duplex channel.Using this definition and our results for the full-duplex channel, we obtain the following result. Corollary 3 (Deterministic Scheduling):
The following region R H − D is achievable for the half-duplex DM-TWC-E with deterministic scheduling. R H − D , the closure of [ P ∈P H ,P s + P s =1 R H − D ( P ) , where P H denotes the set of all joint distributions of the random variables Q , C , C , X , and X satisfying P ( q, c , c , x , x ) = P ( q ) P ( c | q ) P ( c | q ) P ( x | c ) P ( x | c ) , R H − D ( P ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ P s I ( C ; Y | Q, state 1 ) R ≤ P s I ( C ; Y | Q, state 2 ) R + R ≤ P s [ I ( C ; Y | Q, state 1 ) − I ( C ; Z | Q, state 1 )] + + P s [ I ( C ; Y | Q, state 2 ) − I ( C ; Z | Q, state 2 )] + , October 30, 2018 DRAFT1 and the channel is given by P ∗ ( y , y , z | x , x ) as defined in (10). Proof:
The proof follows by Theorem 1 with the channel given by P ∗ ( y , y , z | x , x ) . In each block werandomly select a state S = k with probability P s,k , and replace Q by { Q, S } , where the random sequence s represents the channel states (and given to all nodes). The achievable region can be represented with the givendescription, where the inputs are chosen such that we only utilize state and as the states and do not increasethe achievable rates.The previous region is achievable with a deterministic scheduling approach whereby the two users Alice andBob a-priori agree on the schedule. Consequently, Eve is made aware of the schedule. Now, in order to furtherconfuse the eavesdropper, we propose a novel randomized scheduling scheme whereby, in each channel use, user i will be in a transmission state with probability P i . Clearly, this approach will result in collisions, wasting someopportunities for using the channels. However, as established shortly, the gain resulting from confusing Eve aboutthe source of each transmitted symbol will outweigh these inefficiencies in many relevant scenarios. To simplifyour derivations, we assume that all the nodes can identify perfectly state (no transmission state). Furthermore,we also give Eve an additional advantage by informing her of the symbol durations belonging to state , and asa result we have the term − P P I ( C , C ; Z | Q, state in the sum rate constraint below. These assumptions arepractical in the Gaussian channel, where the users can use the received power levels to distinguish these states. Thefollowing result characterizes the corresponding achievable region. Corollary 4 (Randomized Scheduling):
The region R H is achievable for the half-duplex DM-TWC-E with ran-domized scheduling. R H , closure of [ P ∈P H , ≤ P ,P ≤ R H ( P ) , where P H denotes the set of all joint distributions of the random variables Q , C , C , X , and X satisfying P ( q, c , c , x , x ) = P ( q ) P ( c | q ) P ( c | q ) P ( x | c ) P ( x | c ) , R H ( P ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ P (1 − P ) I ( C ; Y | X , Q, state 1 ) R ≤ (1 − P ) P I ( C ; Y | X , Q, state 2 ) R + R ≤ P (1 − P ) I ( C ; Y | X , Q, state 1 ) + (1 − P ) P I ( C ; Y | X , Q, state 2 ) − P P I ( C , C ; Z | Q, state 3 ) − ( P (1 − P ) + (1 − P ) P ) I ( C , C ; Z | Q, state 1 or 2 ) , and the channel is given by P ∗ ( y , y , z | x , x ) as defined in (10). Proof:
Please refer to Appendix E.Similar to the full-duplex scenario, we now specialize our results to the modulo- case. We model this channelas a ternary input channel where the third input corresponds to the no-transmission event. This way, the threenodes can identify the symbol intervals when no one is transmitting. Therefore, those symbols will be identified October 30, 2018 DRAFT2 and erased, and the crossover probabilities corresponding to the other three states are given by, P ( z = c | only user is transmitting ) = ǫ e , ǫ e (1 − ¯ ǫ ) + ¯ ǫ (1 − ǫ e ) P ( z = c | only user is transmitting ) = ǫ e , ǫ e (1 − ¯ ǫ ) + ¯ ǫ (1 − ǫ e ) P ( z = ( c ⊕ c ) | both users are transmitting ) = ˆ ǫ e where ˆ ǫ e is given as in the previous section. Moreover, for some µ , µ ∈ [0 , , we define the followings, P ( y = 1 | only user is transmitting ) = ˆ µ , ˆ ǫ (1 − µ ) + µ (1 − ˆ ǫ ) P ( y = 1 | only user is transmitting ) = ˆ µ , ˆ ǫ (1 − µ ) + µ (1 − ˆ ǫ ) P ( z = 1 | only user is transmitting ) = µ e , ǫ e (1 − µ ) + µ (1 − ǫ e ) P ( z = 1 | only user is transmitting ) = µ e , ǫ e (1 − µ ) + µ (1 − ǫ e ) P ( z = 1 | both users are transmitting ) = ˆ µ e , ˆ ǫ e (1 − µ ) + µ (1 − ˆ ǫ e ) , where, ˆ ǫ and ˆ ǫ are given as in the previous section, and µ = µ (1 − µ ) + µ (1 − µ ) . Using these definitions,the following result is obtained. Proposition 1:
The set of achievable rates for the half-duplex modulo- two-way wiretap channel R HM is givenby, R HM , closure of the convex hull of ( [ P ∈P HM R HM ( P ) ) , where P HM is defined as, P HM , { (¯ ǫ , ¯ ǫ , µ , µ , P , P ) : 0 ≤ ¯ ǫ , ¯ ǫ , µ , µ , P , P ≤ , } , and R HM ( P ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ P (1 − P )( H (ˆ µ ) − H (ˆ ǫ )) R ≤ P (1 − P )( H (ˆ µ ) − H (ˆ ǫ )) R + R ≤ P (1 − P )( H (ˆ µ ) − H (ˆ ǫ )) + P (1 − P )( H (ˆ µ ) − H (ˆ ǫ )) − P P ( H (ˆ µ e ) − H (ˆ ǫ e )) − ( P (1 − P ) + P (1 − P )) (cid:18) H ( µ e d + µ e d ) − . H ( d ǫ e + d ǫ e ) − . H ( d (1 − ǫ e ) + d ǫ e ) (cid:19) , where d = P (1 − P ) P (1 − P ) + P (1 − P ) , and d = 1 − d . Proof:
Please refer to Appendix F.
October 30, 2018 DRAFT3
The advantage offered by randomized scheduling is best demonstrated in the following example. First, we observethat cooperative binning and channel prefixing scheme with deterministic scheduling fails to achieve a non-zerosecrecy rate if Eve’s channel is not more noisy than the legitimate channels. Now, consider the noiseless case, i.e., ǫ = ǫ = ǫ e = 0 . By setting µ = µ = P = P = 0 . , ¯ ǫ = 0 , and ¯ ǫ = 0 . , Proposition 1 shows that therandomized scheduling approach allows user to achieve a secure rate of R = 0 . − . − H (0 . > . The final step is to specialize the region to the Gaussian channel with half-duplex nodes. Eve is again assumedto perfectly identify the no transmission and simultaneous transmission states. We select codewords and jammingsequences as Gaussian (with powers ρ ci and ρ ni , respectively). In addition, to further increase Eve’s ambiguity, usersjointly set ( ρ ci + ρ ni ) g ei to the same value ρ r (assuming the channel knowledge at both users). The following resultis readily available. Proposition 2:
The set of achievable rates for the half-duplex Gaussian two-way wiretap channel R HG is givenby, R HG , closure of the convex hull of ( S P ∈P HG R HG ( P ) ) where P HG is defined as, P HG , { ( ρ c , ρ n , ρ c , ρ n , P , P ) : 0 ≤ P , P ≤ , ( ρ c + ρ n ) g e = ( ρ c + ρ n ) g e = ρ r ,P ( ρ c + ρ n ) ≤ ρ , P ( ρ c + ρ n ) ≤ ρ } , and R HG ( P ) is the closure of all non-negative rate tuples ( R , R ) satisfying R ≤ P (1 − P ) γ (cid:18) ρ c ρ n (cid:19) R ≤ P (1 − P ) γ (cid:18) ρ c ρ n (cid:19) R + R ≤ P (1 − P ) γ (cid:18) ρ c ρ n (cid:19) + P (1 − P ) γ (cid:18) ρ c ρ n (cid:19) + h ( Z | C , C ) − h ( Z ) , where h ( Z ) − h ( Z | C , C ) = P P γ (cid:18) ρ c g e + ρ c g e ρ n g e + ρ n g e (cid:19) + ( P (1 − P ) + P (1 − P )) 12 log(2 πe (1 + ρ r )) − ( P (1 − P ) + P (1 − P )) Z ∞ j = −∞ Z ∞ i = −∞ f C ( i ) f C ( j ) h ( Z | i, j ) df C df C , and f Z | C ,C ( z | i, j ) = d f ( z ; i, ρ n g e ) + d f ( z ; j, ρ n g e ) ,d = P (1 − P ) P (1 − P ) + P (1 − P ) ,d = 1 − d , October 30, 2018 DRAFT4 and f ( x ; µ, σ ) is the value at x of the probability density function of a Gaussian random variable with mean µ and variance σ .We remark that the ambiguity at Eve can be further increased by randomizing the transmit power levels at theexpense of more receiver complexity (due to the non-coherent nature of the transmissions). We implemented thisrandomization idea in the next section, where the complexity issue is resolved by using energy classifiers.IV. R ANDOMIZATION FOR S ECRECY : P
RACTICAL I MPLEMENTATION
In this section, we study a more practical half-duplex Gaussian setting where the constant channel coefficients aredetermined by the distance-based path losses in a -D geometric model. Our focus will be devoted to the symmetriccase where the two messages have the same rate. Without any loss of generality, Alice and Bob are assumed tobe located on the x -axis at opposite ends of the origin and Eve is assumed to be located outside a circle centeredaround the origin of radius r E at an angle θ of the x -axis (see Figure 4). This key assumption faithfully modelsthe spatial separation, between the legitimate nodes and eavesdropper(s), which characterizes near field wirelessnetworks like Body Area Networks (BAN) [see e.g. [19]]. The performance of the proposed secure randomizedscheduling communication scheme will be obtained as a function of r E and the distance between Alice and Bob,i.e., d AB . In the discrete-time model, the signals received by the three nodes in the t th symbol interval are givenby Y ( t ) = { X ( t ) , } h G A ( d − α/ AA X ( t ) e − jkd AA + d − α/ AB X ( t ) e − jkd AB ) + N ( t ) i Y ( t ) = { X ( t ) , } h G B ( d − α/ AB X ( t ) e − jkd AB + d − α/ BB X ( t ) e − jkd BB ) + N ( t ) i Z ( t ) = G E ( d − α/ AE X ( t ) e − jkd AE + d − α/ BE X ( t ) e − jkd BE ) + N e ( t ) , where k is the wave number, G A , G B and G E are propagation constants which depend on the receive antennagains, and α is the path loss exponent which will be taken to as in the free space propagation scenario. (One caneasily extend our results for other scenarios with different path loss exponents.) For further simplicity, we restrictourselves to binary encoding implying that X ( t ) ∈ n − p ρ ( t ) , , p ρ ( t ) o , where ρ ( t ) is the instantaneous signalto noise ratio at unit distance in the t th symbol interval if Alice decides to transmit. X ( t ) = 0 if Alice decides notto transmit. The same applies to X ( t ) . ρ ( t ) is selected randomly in the range [ ρ min , ρ max ] , by varying the transmitpower, according to a distribution that is known a priori to all nodes. The indicator function { x,y } is defined asin Section III. In order to ensure the robustness of our results, we assume that Eve employs a large enough receiveantenna, i.e., G E >> , such that her receiver has a high enough SNR and the additive noise effect in Z canbe ignored. We assume G A = G B = 1 , and a hard decision decoder at both the legitimate receiver(s) and theeavesdropper. We consider a memoryless classifier C used by Eve to identify the origin of each received symbol,i.e., the decision is based only on the power level of the observed symbol in the current time interval. Here, P m and P f represent the probability of miss detection and false alarm, respectively. Furthermore, we use P e | m to denotethe probability of symbol error given occurrence of the miss detection event. Finally, we use the following notation: φ ( x ) , x R −∞ √ π e − t dt . October 30, 2018 DRAFT5
The deterministic scheduling paradigm is represented by a
Time Division Multiplexing scheme whereby only asingle message is transmitted in any given time frame, and the legitimate receiver jams the channel with random-content feedback symbols at random time intervals. More specifically, the receiver will transmit a feedback symbolat any time interval with probability β . This feedback will result in erroneous outputs at the eavesdropper due toits inability to identify the symbols corrupted by the random feedback signal and erasures at the legitimate receiverdue to the half-duplex constraint. As argued in [7], this scheme is capable of completely impairing Eve in modulo-additive channels. In our real-valued channel, however, a simple energy classifier based on the average receivedsignal power [20] can be used by Eve to differentiate between corrupted and non-jammed symbols. To overcomethis problem, we use pre-determined distributions for the transmit power of both the data symbols, f , and feedbacksymbols f . This randomized power allocation strategy is intended to increase the probability of misclassification at Eve. The following result characterizes the achievable rate with this scheme. Theorem 3:
Using the proposed TDM protocol with randomized feedback and power allocation, the followingsecrecy rate is achievable at each user. R s = 0 . β,f ,f (cid:26) min θ, C (cid:8) [ R M − R E ] + (cid:9)(cid:27) , where R M = (1 − β ) (cid:18) − H (cid:18) − φ (cid:18)r ρ min d ABα (cid:19)(cid:19)(cid:19) R E = (1 − β (1 − P m ) − (1 − β ) P f ) (cid:18) − H (cid:18) βP m P e | m − β (1 − P m ) − (1 − β ) P f (cid:19)(cid:19) Proof:
Please refer to Appendix G.In the randomized scheduling approach, each node will transmit its message during randomly selected timeintervals, where a single node’s transmitter is active in any given time interval with probability P t , and the transmitpower level is randomly selected according to the distribution f . Consequently, there are four possible states of bothtransmitters in any particular time interval i . Due to our noiseless assumption, the eavesdropper’s antenna will easilyidentify silence intervals. Eve’s challenge, however, is to differentiate between the other three states. Let A and B represent the transmission event of Alice and Bob, respectively. Similarly, A c and B c are the complementary events.Finally, we let E → E to denote the occurrence of event E and its classification by Eve as event E , and denotethe probability of error given that the event ( A, B ) was mistaken for ( A, B c ) by the classifier as P e | ( A,B ) → ( A,B c ) .The following is the achievable secrecy rate with the two-way randomization approach. Theorem 4:
Using the two-way randomized scheduling and power allocation protocol , the following secrecy rateis achievable at each user. R s = max P t ,f (min θ, C ([ R M − max( R EA , R EB )] + )) , where R M = P t (1 − P t ) (cid:18) − H (cid:18) − φ (cid:18)r ρ min d ABα (cid:19)(cid:19)(cid:19)
October 30, 2018 DRAFT6 R EA = D A − H P ( EA ) e D A !! R EB = D B − H P ( EB ) e D B !! D A = P t P ( A,B ) → ( A,B c ) + P t (1 − P t ) P ( A c ,B ) → ( A,B c ) + P t (1 − P t ) (cid:0) − P ( A,B c ) → ( A c ,B ) − P ( A,B c ) → ( A,B ) (cid:1) D B = P t P ( A,B ) → ( A c ,B ) + P t (1 − P t ) P ( A,B c ) → ( A c ,B ) + P t (1 − P t ) (cid:0) − P ( A c ,B ) → ( A,B c ) − P ( A c ,B ) → ( A,B ) (cid:1) P ( EA ) e = P t P ( A,B ) → ( A,B c ) P e | ( A,B ) → ( A,B c ) + 0 . P t (1 − P t ) P ( A c ,B ) → ( A,B c ) P ( EB ) e = P t P ( A,B ) → ( A c ,B ) P e | ( A,B ) → ( A c ,B ) + 0 . P t (1 − P t ) P ( A,B c ) → ( A c ,B ) and D A , D B represent the portion of symbols classified by Eve as being transmitted by Alice or Bob respectively. Proof:
Please refer to Appendix H.One can argue that the achievable secrecy rate increases as r E increases. The reason is that a large r E will impairEve’s ability to differentiate between the symbols transmitted by Bob and Alice. The following result characterizesthe secrecy rate achievable in the asymptotic scenario when r E >> d AB . Corollary 5:
Let R max be the achievable secrecy rate using the randomized scheduling and power allocationscheme when r E → ∞ . Then, R max = max P t ([ R M − (1 − (1 − P t ) )(1 − H (0 . + ) , (10)where R M = P t (1 − P t ) (cid:18) − H (cid:18) − φ (cid:18)r ρ min d ABα (cid:19)(cid:19)(cid:19)
Proof:
Please refer to Appendix I.
A. Numerical Results
In our numerical examples, we assume a uniform power distribution for both Alice and Bob, and a threshold-basedenergy classifier is used by Eve. Because we assume that all channels are noiseless, Eve can successfully decode thereceived symbols, corresponding to concurrent transmissions, as the symbols with the higher received signal power.Also, the received signal powers in all transmission scenarios are known a priori, where a transmission scenariois defined by the set of active transmitters and the selected power levels. Based on the received signal power, thetransmission scenario is detected by Eve, and hence the set of active transmitters. In case two or more transmissionscenarios result in the same received signal power, a random choice is made with equal probabilities given to allpossible scenarios. To simplify the calculations, we further assume that Alice and Bob use sufficient error controlcoding to overcome the additive noise effect. More precisely, Alice and Bob are assumed to use asymptotically
October 30, 2018 DRAFT7 optimal forward error control coding and that their received SNR is above the minimal level required to achievearbitrarily vanishing probability of error.Fig. 5 reports the achievable secrecy rate R s of Theorems 3 and 4 at different values for the distance ratio d min d max ( d min = min ( d AE , d BE ) , d max = max ( d AE , d BE )). A few remarks are now in order.1) The two-way randomization scheme achieves higher rates than the TDM scheme. The reason is the addedambiguity at Eve resulting from the randomization in the scheduling algorithm.2) The lower secrecy rates for smaller values of d min d max is due to Eve’s enhanced ability to capture the symbolstransmitted by the node closer to her.3) The rates plotted in Fig. 5 were found to be very close to those of a classifier that does not erase any receivedsymbols, i.e., transmission scenarios corresponding to concurrent transmissions are not considered. B. Experimental Results
We implemented our experiments on TinyOS [21] using TelosB motes [22], which have a built-in CC2420 radiomodule [23]. The CC2420 module uses the IEEE 802.15.4 standards in the . GHZ band [24]. Our setup consistsof four nodes, equivalent to Alice, Bob, Eve, and a Gateway module. The Gateway acts as a link between thesensor network and a PC running a java program. Our experiment is divided into cycles. During each cycle, the PCworks as an orchestrator, through the Gateway , that determines, using a special message (
TRIGGER-MSG ), whetherAlice should send alone, Bob sends alone, or both send concurrently. It also determines the power level used fortransmission. These decisions are based on the transmission probability P t . Upon receiving the broadcast TRIGGER-MSG, each trusted node transmits a DATA-MSG while Eve will start to continuously read the value in the ReceivedSignal Strength Indicator (RSSI) register (the RSSI value read by the CC2420 module is a moving average of the last received symbols [23].). Eve then transfers the RSSI readings from the memory buffer to the Gateway node whichwill forward them to the PC in an RSSI-MSG . For each cycle, the java program stores the received RSSI readings forfurther processing by the energy classifier (implemented in MATLAB). When transmitting data messages (
DATA-MSG ) from Alice or Bob, each node constructs a random payload of 100 bytes using the RandomMlcg componentof TinyOS, which uses the Park-Miller Minimum Standard Generator. Each symbol is
O-QPSK modulated [24]representing bits of the data. We also had to remove the CSMA-CA mechanism from the CC2420 driver in orderto allow both Alice and Bob to transmit concurrently. Finally, it is worth noting that the orchestrator was used toovercome the synchronization challenge in our experimental set-up. In practical implementations, Bob (or Alice)could start jamming the channel upon receiving the Start of Frame Delimiter (SFD).In our implementation of the energy classifier, the discrete nature of the transmit power levels is taken intoconsideration. First, the eavesdropper was given the advantage of having the classifier trained on a set of readingstaken by running the experiment in the same environment and at the same node locations as those for which theclassifier would be later used. In the training phase, our classifier is given prior information on the configuration,power levels selected for each node, and the measured RSSI readings at each cycle. It then finds the mean andvariance of the measured RSSI values for each transmitted power level for Alice and Bob when each of them sends October 30, 2018 DRAFT8 alone in a cycle. Any received symbol is classified as being transmitted by either of the communicating nodes. Thischoice is based on our third observation on the rates plotted in Fig. 5. When running the classifier, a maximumlikelihood rule is employed, where the following expression is evaluated, max i f A i ( y )max i f B i ( y ) A ≷ B and the symbol is classified accordingly, where f X i ( y ) is the value of the approximated Gaussian distribution ofmeasured RSSI values when source X is the only transmitter with power level i . In a practical implementation, thelength of a cycle is the duration of a single symbol, and hence, in our setup the classifier bases its decision on asingle RSSI reading. In evaluating the classifier performance, we use the transmission scenario indicating the actualstatus of the transmitters in each cycle and compare them with the classification results to obtain the probability ofeach possible misclassification event. We also assume that, in case of concurrent transmission, Eve can correctlydecode the symbol received with the higher signal power, as suggested in [25]. This assumption is used to calculatethe values of P e | ( A,B ) → ( A,B c ) and P e | ( A,B ) → ( A c ,B ) . We also use the same set of data to train and run a classifier forthe TDM protocol described above. Here, we only consider cycles when Alice’s transmitter is active, and considerBob’s concurrent transmission as jamming .Our experiments were conducted in a hallway environment, where only few scatterers exist (only the wallstructure). We train, run, and evaluate our energy classifier, then use the resulting probabilities in the rate expressionsof Theorem 3 and Theorem 4 to find the achievable secrecy rates. Figs. 6 and 7 report these results in tworepresentative configurations. In the first, Alice and Bob are placed at the same location with d AE = d BE = 20 f t ,whereas d AE = 1 f t and d BE = 20 f t in the second. We note that the measured difference of received signalpower values from both transmitting nodes was found to be dB and dB for Configurations and , respectively.This implies that the maximum rates in Fig. 7 and Fig. 6 should be compared to the value of R s in Fig. 5 at d min d max = 0 . and . respectively. We believe that this difference between the theoretical and experimental resultscan be attributed to hardware differences and the deviation of the actual channel from the simplistic free spacemodel used in our derivations. More specifically, we observe that the maximum secrecy rates for the two-wayrandomized scheduling scheme in our experimental results is slightly lower than those calculated numerically. Thereason is Eve’s enhanced ability to distinguish between the two sources of transmission due to the discrete natureof the selected transmit power values. Nevertheless, the experimental results establish the ability of our two-wayrandomized scheduling and power allocation scheme to achieve perfect secrecy in practical near field communicationscenarios where the distance between Eve and legitimate nodes will be larger than the inter-node distance, even ifEve is equipped with a very large receive antenna .V. C ONCLUSION
In this paper, we used the cooperative binning and channel prefixing approach to obtain achievable secrecy rates forboth the discrete memoryless and Gaussian full-duplex two-way wiretap channels. In the proposed scheme, channelprefixing is used to create an advantage for the legitimate terminals over the eavesdropper which is transformed
October 30, 2018 DRAFT9 by the binning codebooks into a non-trivial secrecy rate region. A private key sharing and encryption was usedto distribute the secure sum rate between the two users. We then introduced the idea of randomized schedulingand established its fundamental role in the half-duplex two-way wiretap channel. Our theoretical analysis revealedthe ability of the proposed randomization approach to achieve relatively high secure transmission rates under mildconditions on the eavesdropper location. The ambiguity introduced at the eavesdropper by randomized schedulingwas further validated by numerical results and extensive experimental results using IEEE 802.15.4-enabled sensorboards in near field communication scenarios. A
CKNOWLEDGMENT
The authors are thankful to C. Emre Koksal of The Ohio State University for insightful discussions.A
PPENDIX AP ROOF OF T HEOREM P ( q ) , then generate a sequence q n ′ , where the entries are i.i.d.,and each entry is randomly chosen according to P ( q ) . The sequence q n ′ is then given to all nodes before thecommunication takes place. Codebook Generation:
Consider user i ∈ { , } that has a secret message w i ∈ M i = { , , ..., M i } , and a private key w ki ∈ M ki = { , , ..., M ki } . For a given distribution P ( u i | q ) and the sequence q , generate M ui i.i.d. sequences u n ′ i ( w ui ) , where w ui ∈ [1 , · · · , M ui = 2 n ′ R ui ] . For each codeword u n ′ i ( w ui ) , generate M si M ki M oi M xi = 2 n ′ ( R si + R ki + R oi + R xi − ǫ ) i.i.d.sequences c n ′ i , where M i = M si M oi M ui , and P ( c n ′ i | u n ′ i ) = Q n ′ t =1 P ( c i ( t ) | u i ( t )) . Randomly distribute these intodouble indexed bins, where each bin has M oi M xi = 2 n ′ ( R oi + R xi − ǫ ) codewords, and is indexed by the tuple ( w si , w ki ) , w si ∈ { , · · · , M si = 2 n ′ R si } , w oi ∈ { , · · · , M oi = 2 n ′ R oi } , and w xi ∈ { , · · · , M xi = 2 n ′ R xi } . These codewords arerepresented by c n ′ i ( w ui , w si , w ki , w oi , w xi ) . Encoding:
We use a block encoding scheme, where the full message is transmitted over B blocks, each of length n ′ , and n = n ′ B . In the rest of the proof, we use bold face letters to represent vectors of block length n ′ . In eachblock, each user will transmit a private key in addition to its message, and the other user will use this private key inthe next block to secure its message fully or in part. We omit the block indices for readability. In any given block,user will send the corresponding block messages of w ∈ M and the randomly selected w k ∈ M k . The messageindex ( w ) is used to select a tuple ( w s , ˜ w u , ˜ w o ) , where ˜ w u and ˜ w o are encrypted into w u and w o , respectively,using the private key ¯ w k = [ ¯ w k , ¯ w k ] received from the other user in the previous block. In other words, let ˜ b u , ˜ b o , b u1 , b o1 , ¯ b k , and ¯ b k be the binary representations of ˜ w u , ˜ w o , w u , w o , ¯ w k , and ¯ w k respectively. Then, b u1 = ˜b u1 ⊕ ¯b k12 , and b o1 = ˜b o1 ⊕ ¯b k22 . Here, w u is used to select the cloud center of the super position coding (see,e.g., [26]), ( w s , w k ) is used to select the bin index, and the codeword index within the bin is given by ( w o , w x ) ,where w x is randomly selected according to a uniform distribution. (Note that, due to one time pad, w o is alsouniformly distributed.) Thus the corresponding codeword c n ′ ( w u , w s , w k , w o , w x ) is selected. Then, the channel October 30, 2018 DRAFT0 input, x n ′ , is generated using the distribution P ( x | c ) . A similar encoding scheme is employed at user . As themessages transmitted in different blocks are independent, satisfying the reliability and security constraints for eachblock guarantees their application for all messages transmitted in an arbitrarily large number of blocks. Decoding:
Consider a message y n ′ received at the receiver of user . Let A n ′ ,ǫ be the set of weakly typical ( q n ′ , u n ′ ( w u ) , c n ′ ( w u , w s , w k , w o , w x ) , y n ′ ) sequences. As n ′ → ∞ , the decoder will select ( w u , w s , w k , w o , w x ) such that, ( q n ′ , u n ′ ( w u ) , c n ′ ( w u , w s , w k , w o , w x ) , y n ′ , x n ′ ) ∈ A n ′ ,ǫ if such a tuple exists and is unique. Otherwise, the decoder declares an error. Note that the decoder’s estimate ˆ w is determined by ( w s , w u , w o , ¯ w k ) , where ¯ w k is the private key sent by user in the previous block. Decoding atreceiver is symmetric and can be described by reversing the indices and above. Probability of Error Analysis:
It follows by the proof of the capacity of the point to point DMC [1] that for any given ǫ > , receiver candecode the corresponding messages with P e, < ǫ for sufficiently large n ′ , if R s + R k + R o + R x ≤ I ( C ; Y | X , U , Q ) (11) R u + R s + R k + R o + R x ≤ I ( U , C ; Y | X , Q ) (12)By symmetry, a similar condition applies to receiver to have P e, < ǫ , i.e., R s + R k + R o + R x ≤ I ( C ; Y | X , U , Q ) (13) R u + R s + R k + R o + R x ≤ I ( U , C ; Y | X , Q ) (14) Equivocation Computation:
Consider the following argument. H ( W k , W s , W k , W s | Z ) ( a ) ≥ H ( W k , W s , W k , W s | Z , U , U , Q )= H ( W k , W s , W k , W s , Z | U , U , Q ) − H ( Z | U , U , Q )= H ( W k , W s , W k , W s , C , C , Z | U , U , Q ) − H ( Z | U , U , Q ) − H ( C , C | W k , W s , W k , W s , Z , U , U , Q )= H ( Z | C , C , W k , W s , W k , W s , U , U , Q )+ H ( W k , W s , W k , W s , C , C | U , U , Q ) − H ( Z | U , U , Q ) − H ( C , C | W k , W s , W k , W s , Z , U , U , Q ) ( b ) = [ H ( Z | C , C , U , U , Q ) − H ( Z | U , U , Q )] + H ( C , C | U , U , Q ) − H ( C , C | W k , W s , W k , W s , Z , U , U , Q ) ( c ) ≥ − n ′ I ( C , C ; Z | U , U , Q ) − n ′ ǫ + H ( C , C | U , U , Q ) − H ( C , C | W k , W s , W k , W s , Z , U , U , Q ) , (15) October 30, 2018 DRAFT1 where (a) follows from the fact that conditioning does not increase the entropy, (b) follows from the fact that, given U , U , Q , ( W k , W s , W k , W s ) → ( C , C ) → ( Z ) is a Markov Chain, and (c) follows from I ( C , C ; Z | U , U , Q ) ≤ n ′ I ( C , C ; Z | U , U , Q )+ n ′ ǫ with ǫ → as n ′ → ∞ for a discrete memoryless channel (see, e.g., [3, Lemma8]).Here, H ( C , C | U , U , Q ) = n ′ ( R k + R s + R o + R x + R k + R s + R o + R x − ǫ ) , (16)as, given ( U , U , Q ) = ( u , u , q ) , the tuple ( C , C ) has n ′ ( R k + R s + R o + R x + R k + R s + R o + R x − ǫ ) possible valueseach with equal probability, and, H ( C , C | W k = w k , W s = w s , W k = w k , W s = w s , Z , U = u , U = u , Q = q ) ≤ n ′ ǫ for ǫ → as n ′ → ∞ . This follows from the Fano’s inequality, as the eavesdropper can decode the randomizationindices ( w o , w x , w o , w x ) given ( w k , w s , w k , w s ) if the following conditions are satisfied. R o + R x ≤ I ( C ; Z | C , U , U , Q ) (17) R o + R x ≤ I ( C ; Z | C , U , U , Q ) (18) R o + R x + R o + R x ≤ I ( C , C ; Z | U , U , Q ) (19)By averaging over W k , W s , W k , W s , U , U , and Q , we obtain H ( C , C | W k , W s , W k , W s , Z , U , U , Q ) ≤ n ′ ǫ , (20)Now, once we set, R o + R x + R o + R x = I ( C , C ; Z | U , U , Q ) , (21)and combine (15), (16), (20), and (21), we obtain n ′ H ( W k , W s , W k , W s | Z ) ≥ R k + R s + R k + R s − ( ǫ + ǫ + 2 ǫ ) and ( ǫ + ǫ + 2 ǫ ) → as n ′ → ∞ .Since ¯ w k ( ¯ w k ) is used as a private key to secure the part of the message carried in w u , w o ( w u , w o , respectively)with the one-time-padded scheme, the secrecy constraint n ′ H ( W , W | Z ) ≥ R + R − ǫ is satisfied (see [2]) if R u + R o ≤ R k (22) R u + R o ≤ R k (23)where we set R = R u + R o + R s and R = R u + R o + R s . October 30, 2018 DRAFT2
Finally, we note that R u = R u = R o = R o = 0 for the first block. However, the impact of this condition on theachievable rate diminishes as the number of blocks B → ∞ . The region achieved by the proposed scheme is givenby (11), (12), (13), (14), (17), (18), (19), (22), and (23).A PPENDIX BP ROOF OF T HEOREM p ∈ P F , let I , I ( C ; Y | X , Q ) − I ( C ; Z | Q ) ,I , I ( C ; Y | X , Q ) − I ( C ; Z | Q ) , and I , I ( C ; Y | X , Q ) + I ( C ; Y | X , Q ) − I ( C , C ; Z | Q ) . If I < , we set R = R = 0 . Hence, we only focus on cases for which I ≥ . This implies that I ≥ and/or I ≥ . (As I < and I < implies that I < .) We detail the proof for the following cases. Case 1: I ≥ and I ≥ for the given p ∈ P F .We set U , U as deterministic and R u = R u = 0 in Theorem 1, and obtain that R s + R k + R o + R x ≤ I ( C ; Y | X , Q ) , I (24) R s + R k + R o + R x ≤ I ( C ; Y | X , Q ) , I (25) R o + R x ≤ I ( C ; Z | C , Q ) , I (26) R o + R x ≤ I ( C ; Z | C , Q ) , I (27) R o + R x + R o + R x = I ( C , C ; Z | Q ) , I (28) R o ≤ R k (29) R o ≤ R k (30)As I ≥ , I ≥ , and I ≥ , we can choose the rates as follows: • If I ( C ; Y | X , Q ) ≥ I ( C ; Z | C , Q ) , then we choose R k = 0 , R o = R k , R x = [ I ( C , C ; Z | Q ) − I ( C ; Y | X , Q )] + , R s = I ( C ; Y | X , Q ) − R k − [ I ( C , C ; Z | Q ) − I ( C ; Y | X , Q )] + , R k = I ( C ; Z | Q ) − [ I ( C , C ; Z | Q ) − I ( C ; Y | X , Q )] + , R o = 0 , R x = I ( C , C ; Z | Q ) − R k − R x , R s = [ I ( C ; Y | X , Q ) − I ( C , C ; Z | Q )] + . • If I ( C ; Y | X , Q ) < I ( C ; Z | C , Q ) , then we choose R s = I ( C ; Y | X , Q ) − I ( C , C ; Z | Q )+ I ( C ; Y | X , Q ) , R x = I ( C , C ; Z | Q ) − R x , R x = I ( C ; Y | X , Q ) ,and the remaining rates equal to zero. October 30, 2018 DRAFT3
These choice of non-negative rates satisfy conditions in (24)-(30), and hence we can achieve the rate pair ( R = I − [ I − I ] + , R = [ I − I ] + ) . Similarly, by reversing the indices above, the rate pair ( R = [ I − I ] + , R = I − [ I − I ] + ) is achievable. Now, combining these two achievable points we obtain the following achievable region: The set ofnon-negative ( R , R ) pairs satisfying R ≤ I R ≤ I R + R ≤ I + I − I are achievable. Case 2: I ≥ and I < for the given p ∈ P F .We set U and C as deterministic and choose the following rates in Theorem 1 (other rates are chosen to be ). R k = I ( C ; Y | X , Q ) − I ( C ; Z | U , Q ) − R s R s ≤ I ( C ; Y | X , Q ) − I ( C ; Z | U , Q ) R x = I ( C ; Z | U , Q ) R u = min { I ( U ; Y | X , Q ) , R k } For the given p ∈ P F with I ≥ and I < , the following region is achievable. R ≤ I ( C ; Y | X , Q ) R ≤ I ( U ; Y | X , Q ) R + R ≤ I ( C ; Y | X , Q ) − I ( C ; Z | U , Q ) Note that the above region is the same as the one in the theorem statement, with the random variable U takingthe role of C . Case 3: I < and I ≥ for the given p ∈ P F .Reversing the indices everywhere in case 2 above, we obtain the following achievable region R ≤ I ( C ; Y | X , Q ) R ≤ I ( C ; Y | X , Q ) R + R ≤ I ( C ; Y | X , Q ) − I ( C ; Z | C , Q ) Combining the above cases completes the proof.
Remark 2:
The above scheme either uses the one time padded private key as one of the two selectors for therandomization index (Case 1), or does not employ the random binning coding scheme and only uses the private
October 30, 2018 DRAFT4 key at one of the user (User 2 in Case 2, and User 1 in Case 3). Hence, no superposition coding is present. Weshould also note that the achievable rates proved above in Cases 2 and 3, can be higher than that of the statement.However, as already mentioned, we only use this Theorem as a simple special case of Theorem 1.A
PPENDIX CP ROOF OF C OROLLARY |Q| = 1 in Theorem 2 and take the convex hull of the achievable rates. We compute the following terms. I ( C ; Y | X , Q ) = H ( Y | X ) − H ( Y | C , X ) ≤ − H (ˆ ǫ ) (31) I ( C ; Y | X , Q ) = H ( Y | X ) − H ( Y | C , X ) ≤ − H (ˆ ǫ ) (32) I ( C ; Y | X , Q ) + I ( C ; Y | X , Q ) − I ( C , C ; Z | Q ) = ( H ( Y | X ) + H ( Y | X ) − H ( Z ))+ ( H ( Z | C , C ) − H ( Y | C , X ) − H ( Y | C , X )) By noting that, H ( Y | X ) + H ( Y | X ) − H ( Z ) = ( H ( X ⊕ N ) + H ( X ⊕ N ) − H ( X ⊕ X ⊕ N e )) ( a ) = H ( X ⊕ N ) + H ( X ⊕ N ) − H ( X ⊕ N ⊕ X ⊕ N ⊕ ˆ N e ) ( b ) ≤ H ( X ⊕ N ) + H ( X ⊕ N ) − H ( X ⊕ N ⊕ X ⊕ N )= H ( X ⊕ N ) + H (( X ⊕ N ⊕ X ⊕ N ) | ( X ⊕ N )) − H ( X ⊕ N ⊕ X ⊕ N )= H (( X ⊕ N ) , ( X ⊕ N ⊕ X ⊕ N )) − H ( X ⊕ N ⊕ X ⊕ N )= H (( X ⊕ N ) | ( X ⊕ N ⊕ X ⊕ N )) ≤ where (a) follows by setting ˆ N e = N ⊕ N ⊕ N e , (b) follows from the fact that conditioning does not increaseentropy, we conclude that, I ( C ; Y | X , Q ) + I ( C ; Y | X , Q ) − I ( C , C ; Z | Q ) ≤ H (ˆ ǫ e ) − H (ˆ ǫ ) − H (ˆ ǫ ) , (33)The proof is complete by combining the terms in (31), (32), and (33) with Theorem 2. We note that equalityapplies in the three mentioned terms when the variables C , C are drawn from the uniform distribution over { , } . October 30, 2018 DRAFT5 A PPENDIX DT HE REGION R F G
INCLUDES THAT OF [13]We utilize the time sharing parameter as follows. Let Q = { , } , where q = 1 with prob. (1 − α ) and q = 2 with prob. α . The remaining distributions are as follows. • For q = 1 , we set C as deterministic and X = ¯ N for channel prefixing. C and ¯ N are generated with fullpowers P and P , respectively. • For q = 2 , we set C as deterministic and X = ¯ N for channel prefixing. C and ¯ N are generated with fullpowers P and P , respectively.With this choice the region in Theorem 2 reduces to the following: R ≤ I ( C ; Y | X , Q ) = αγ ( P ) R ≤ I ( C ; Y | X , Q ) = (1 − α ) γ ( P ) R + R ≤ I ( C ; Y | X , Q ) + I ( C ; Y | X , Q ) − I ( C , C ; Z | Q )= αγ ( P ) + (1 − α ) γ ( P ) − αγ (cid:18) g e P g e P (cid:19) − (1 − α ) γ (cid:18) g e P g e P (cid:19) Let R K , γ ( P ) − γ (cid:18) g e P g e P (cid:19) , and R ( α ) , " αγ ( P ) − (cid:20) αγ (cid:18) g e P g e P (cid:19) − (1 − α ) R K (cid:21) + + . If R K ≤ , then R ∗ = γ ( ρ ) − γ ( g e ρ g e ρ ) is achieved by setting α = 1 in the above region. If R K > , then therate R ( α ) is achievable. As R ∗ = max α ∈ [0 , R ( α ) for R K > , the point [ R ∗ , is achievable. The achievability of [0 , R ∗ ] can be obtained similarly, and hence, the region of Theorem 2 includes that of [13].A PPENDIX ES KETCH OF THE P ROOF OF C OROLLARY P ∗ ( y , y , z | x , x ) with states given to users reduces to the following equivalent channel. P ∗∗ ( y , y , z | x , x ) = P ( y , z | x , x =?) { y , ? } , for state P ( y , z | x =? , x ) { y , ? } , for state P ( z | x , x ) { y , ? } { y , ? } , for state { y , ? } { y , ? } { z, ? } , for state , Note that P ∗∗ ( y , y , z | x , x ) is not equivalent to P ∗ ( y , y , z | x , x ) . We describe coding scheme for thechannel P ∗∗ . The channel P ∗∗ will be equivalent to P ∗ , if the nodes can classify the state of the channel.We first consider the channel between x and y over a block of n ′ channel uses. There are P (1 − P ) n ′ symbolsfor which the channel is in state 1 (law of large numbers). The symbols for state 2 have y =? are deleted. (These October 30, 2018 DRAFT6 correspond to symbols that have x =? .) The symbols corresponding to state of the channel can be modeledas random erasures. (There are P P n ′ such symbols with high probability as n ′ gets large.) Finally, the channeloutputs corresponding to state 4 will be erased (as there is no transmission from user 1). Therefore we considercoding over [ P (1 − P ) + P P ] n ′ symbols between x and y , for which P P n ′ symbols are erasures (as n ′ gets large).We first define the followings. n = P (1 − P ) n ′ n = (1 − P ) P n ′ n = P P n ′ n = (1 − P )(1 − P ) n ′ In the codebook design, we generate n ′ ( R k + R s + R o + R x ) codewords denoted by c n + n of length n + n . For eachsymbol time, with probability (1 − P ) we input x =? (no transmission event), and with probability P we generatethe channel input x according to P ( x | c ) using the next symbol in c n + n . If there is no remaining symbols in c n + n , we input x =? (the effect of this diminishes as n ′ gets large). Similarly, we generate n ′ ( R k + R s + R o + R x ) codewords denoted by c n + n of length n + n , and map it to x n ′ .For the decodability, the typical set decoding is employed. For example, the decoder will select ( w k , w s , w o , w x ) such that, ( q n ′ , c n + n ( w k , w s , w o , w x ) , y n + n ) ∈ A n + n ,ǫ ( state 1 ) . Here, the remaining symbols in y n ′ are deleted as they are equal to ? . The equivalent channel is the randommapping of c n + n to x n + n , from which n symbols are randomly erased and the remaining ones generate y n .Here the error probability (averaged over the ensemble) can be made small, if R k + R s + R o + R x ≤ n n ′ I ( C ; Y | X , Q, state 1 ) (34) R k + R s + R o + R x ≤ n n ′ I ( C ; Y | X , Q, state 2 ) (35)To show that the secrecy constraint is satisfied, we follow the steps similar to that of Appendix A. Due to keysharing it suffices to show n ′ H ( W k , W s , W k , W s | Z n ′ ) ≥ R k + R s + R k + R s − ǫ, for sufficiently large n ′ , together with R o ≤ R k , and (36) R o ≤ R k . (37)Here, the latter is used to ensure that there are sufficient number of key bits (from the previous block) to securemessages that are carried in the open part (of the current block), and the former is satisfied (from the equivocation October 30, 2018 DRAFT7 computation provided in Appendix A) if the rates satisfy the followings. R o + R x ≤ n + n n ′ I ( C ; Z | C , state 1 or 2 ) + n n ′ I ( C ; Z | C , state 3 ) (38) R o + R x ≤ n + n n ′ I ( C ; Z | C , state 1 or 2 ) + n n ′ I ( C ; Z | C , state 3 ) (39) R o + R x + R o + R x = n + n n ′ I ( C , C ; Z | state 1 or 2 ) + n n ′ I ( C , C ; Z | state 3 ) , (40)Then the region obtained by equations (34), (35), (36), (37), (38), (39), and (40) can be simplified (using thesame steps given in Appendix B) to obtain the stated result.A PPENDIX FP ROOF OF P ROPOSITION |Q| = 1 and compute the followings. I ( C ; Y | X , Q, state 1 ) = H (ˆ µ ) − H (ˆ ǫ ) I ( C ; Y | X , Q, state 2 ) = H (ˆ µ ) − H (ˆ ǫ ) and the eavesdropper’s observed information is given by, I ( C , C ; Z | state 3 ) = H (ˆ µ e ) − H (ˆ ǫ e ) I ( C , C ; Z | state 1 or 2 ) = (cid:0) H ( µ e d + µ e d ) − . H ( d ǫ e + d ǫ e ) − . H ( d (1 − ǫ e ) + d ǫ e ) (cid:1) , where the last equality is a direct results of the following computation. H ( Z | C = 0 , C = 0) = H ( d ǫ e + d ǫ e ) H ( Z | C = 1 , C = 1) = H ( Z | C = 0 , C = 0) H ( Z | C = 1 , C = 0) = H ( d (1 − ǫ e ) + d ǫ e ) H ( Z | C = 0 , C = 1) = H ( Z | C = 1 , C = 0) A PPENDIX GP ROOF OF T HEOREM α M , α E denote the fraction ofsymbols erased at Bob and Eve, and P e ( M ) , P ( E ) e denote the probability of erroneously decoding a received symbolgiven that it was not erased at Bob and Eve, respectively. By applying the appropriate random binning scheme [3],the following secrecy rate is achievable ( [5], Theorem 3). R = max P ( x ) (cid:8) [ I ( X ; Y ) − I ( X ; Z )] + (cid:9) , where X denotes the input, Y and Z denote the outputs at Bob and Eve, respectively. Considering the transitionmodel for this channel, we see H ( Y | X ) = H ( α M ) + (1 − α M ) H ( P e ( M ) ) . October 30, 2018 DRAFT8
Now, let Pr { X ( t ) = p ρ ( t ) } = Π and Pr { X ( t ) = − p ρ ( t ) } = 1 − Π . Then, H ( Y ) = H ( α M ) + (1 − α M ) H (Π(1 − P e ( M ) ) + (1 − Π) P e ( M ) ) , and max Π H ( Y ) = H ( α M ) + (1 − α M ) when Π = 0 . . This results in max P ( x ) I ( X ; Y ) = max P ( x ) ( H ( Y ) − H ( Y | X )) = (1 − α M )(1 − H ( P e ( M ) )) Similarly, max P ( x ) I ( X ; Z ) = (1 − α E )(1 − H ( P ( E ) e )) .Following the half-duplex assumption, all data symbols transmitted during the same time interval of a feedbacktransmission will be considered as erasures at the legitimate receiver’s channel. Therefore, as the frame length T → ∞ , α M = β . For the rest of the symbols, the probability of symbol error by the hard decision detector willbe P e ( M ) ( t ) = 1 − φ s ρ ( t ) d ABα . On the other hand, feedback transmissions will introduce decoding errors at Eve. Noting that − P m of thosecorrupted symbols will be detected by the energy classifier, we get α E = β (1 − P m ) + (1 − β ) P f P ( E ) e = βP m P e | m − α E . Combining these results, we obtain max P ( x ) I ( X ; Y ) = (1 − β ) − H T T X t =1 P e ( M ) ( t ) !! ≥ (1 − β ) (cid:18) − H (cid:18) − φ (cid:18)r ρ min d ABα (cid:19)(cid:19)(cid:19) , R M and denoting R E , (1 − α E )(1 − H ( P ( E ) e )) , we have max P ( x ) I ( X ; Z ) = R E , and R = max P ( x ) ([ I ( X ; Y ) − I ( X ; Z )] + ) ≥ [max P ( x ) I ( X ; Y ) − max P ( x ) I ( X ; Z )] + ≥ [ R M − R E ] + . Finally, we consider a max-min strategy whereby the legitimate receiver assumes that the eavesdropper chooses itsposition around the perimeter of the circle and the energy classifier’s mechanism C to minimize the secrecy rate R s . Accordingly, the legitimate receiver determines the probability of random feedback transmission β and boththe data and feedback signal power distributions f and f to maximize this worst case value (note that the rate isscaled by . to account for the time division between the two nodes). We obtain R s = 0 . β,f ,f (cid:26) min θ, C R (cid:27) . October 30, 2018 DRAFT9 A PPENDIX HP ROOF OF T HEOREM R = [(1 − α M )(1 − H ( P e ( M ) )) − (1 − α E )(1 − H ( P e ( E ) ))] + , where α M , α E denote the fraction of symbols erased at Bob and Eve, and P e ( M ) , P ( E ) e denote the probability oferroneously decoding a received symbol given that it was not erased at Bob and Eve, respectively. Using half-duplexantennas, each node will be able to decode a symbol transmitted by the other node only when its own transmitteris idle and the other node’s transmitter is active. These two conditions are simultaneously satisfied with probability P t (1 − P t ) yielding α M = 1 − P t (1 − P t ) . We also see that P e ( M ) ( t ) = 1 − φ s ρ ( t ) d ABα . The symbols classified by Eve as being transmitted by Alice can belong to one of three categories. The first, whichtakes place with probability P t (1 − P t ) (cid:0) − P ( A,B c ) → ( A c ,B ) − P ( A,B c ) → ( A,B ) (cid:1) , represents the portion successfullydetected and correctly decoded by Eve. The second corresponds to symbols transmitted by Bob and misclassifiedas belonging to Alice; with probability P t (1 − P t ) P ( A c ,B ) → ( A,B c ) . Those symbols are independent from the onestransmitted by Alice, and hence, have a probability . of being different. The third category, with probability P t P ( A,B ) → ( A,B c ) , corresponds to concurrent transmissions that are not erased by Eve’s classifier and misclassifiedas Alice’s symbols. The probability of error in these symbols is denoted by P e | ( A,B ) → ( A,B c ) . Combining these, weget α E = 1 − D A P ( E ) e = P ( EA ) e − α E R = h (1 − α M )(1 − H ( P e ( M ) )) − (1 − α E ) (cid:16) − H (cid:16) P ( E ) e (cid:17)(cid:17)i + ≥ " P t (1 − P t ) (cid:18) − H (cid:18) − φ (cid:18)r ρ min d ABα (cid:19)(cid:19)(cid:19) − D A − H P ( EA ) e D A !! + And the same result applies to the secrecy rate of Bob’s message to Eve by using, α E = 1 − D B P ( E ) e = P ( EB ) e − α E Finally, in order to achieve symmetric secure communication, we set both rates to the minimum of achievablesecrecy rates for the two nodes. We follow the same min-max strategy as given in the proof of Theorem 3 to obtainthe lower bound on R s . October 30, 2018 DRAFT0 A PPENDIX IP ROOF OF C OROLLARY E ∈ { ( A, B c ) , ( A c , B ) } . Moreover, P E → E = 0 . for allsix possible combinations of E and E , P e | ( A,B ) → E =0.25 for the two possible values of E . By applying thosevalues, we get: R EA = R EB = P t (1 − . P t )(1 − H (0 . These values are achieved by employing a symmetric real-time detector at Eve, i.e. R EA = R EB , and each symbolhas to be decoded as being transmitted either by Alice or Bob. However, Eve may choose to maximize the value max( R EA , R EB ) by either maximizing only one of those values at the cost of minimizing the other, or by allowingits decoder to match the same symbol to different sources, e.g., let P E → ( A,B c ) = 1 for all possible values of E ,then, D A = 1 − (1 − P t ) , note that P e | ( E → ( A,B c )) remains the same. By applying the resulting probabilities in the last example, we get therate in (10). It is obvious that by symmetry, having E = ( A c , B ) for all symbols results in the same rate.R EFERENCES[1] C. E. Shannon, “A mathematical theory of communication,”
Bell Syst. Tech. J. , vol. 27, pp. 379–423, 623–656, July, Oct. 1948.[2] C. E. Shannon, “Communication theory of secrecy systems,”
Bell Syst. Tech. J. , vol. 28, pp. 656–715, Oct. 1949.[3] A. Wyner, “The wire-tap channel,”
Bell Syst. Tech. J. , vol. 54, pp. 1355–1387, 1974.[4] S. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian wire-tap channel,”
IEEE Trans. Inf. Theory , vol. 24, pp. 451–456, July 1978.[5] I. Csisz´ar and J.K¨orner, “Broadcast channels with confidential messages,”
IEEE Trans. Inf. Theory , vol. 24, pp. 339–348, May 1978.[6] U. M. Maurer, “Secret key agreement by public discussion from common information,”
IEEE Trans. Inf. Theory , vol. 39, pp. 733–742,May 1993.[7] L. Lai, H. El Gamal, and H. V. Poor, “The wiretap channel with feedback: Encryption over the channel,”
IEEE Trans. Inf. Theory , vol. 54,no. 11, pp. 5059–5067, Nov. 2008.[8] O. O. Koyluoglu and H. El Gamal, “On the secrecy rate region for the interference channel,” in
Proc. 2008 IEEE International Symposiumon Personal, Indoor and Mobile Radio Communications (PIMRC’08) , Cannes, France, Sept. 2008.[9] ——, “Cooperative binning and channel prefixing for secrecy in interference channels,”
IEEE Trans. Inf. Theory , submitted for publication.[10] E. Tekin and A. Yener, “Achievable rates for two-way wire-tap channels,” in
Proc. IEEE Int. Symp. on Information Theory (ISIT) , pp.941–945, June 2007.[11] ——, “The general Gaussian multiple-access and two-way wiretap channels: Achievable rates and cooperative jamming,”
IEEE Trans. Inf.Theory , vol. 54, no. 6, pp. 2735–2751, June 2008.[12] ——, “Correction to: “The Gaussian multiple-access wire-tap channel” and “The general Gaussian multiple-access and two-way wiretapchannels: achievable rates and cooperative jamming”,”
IEEE Trans. Inf. Theory , vol. 56, pp. 4762–4763, Sep 2010 .[13] X. He and A. Yener, “The role of feedback in two-way secure communications,”
IEEE Trans. Inf. Theory , submitted for publication, 2009.[14] ——, “Cooperation with an untrusted relay: A secrecy perspective,”
IEEE Trans. Inf. Theory , vol. 56, no. 8, pp. 3807-3827, Aug 2010.[15] A. Elmorsy, M. Nour, M. Elsabagh, and M.Youssef, “Practical Provably Secure Communication for Half-Duplex Radios,”
Proc. IEEEInternational Conference on Communications (ICC) , June 2011.
October 30, 2018 DRAFT1 [16] A. J. Pierrot and M. R. Bloch, “Strongly secure communications over the two-way wiretap channel,”
IEEE Trans. Inf. Forensics andSecurity , submitted for publication, Available Online: http://arxiv.org/abs/1010.0177.[17] G. S. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic communications,”
Journal of the American Instituteof Electrical Engineers , vol. 55, pp. 109–115, 1926.[18] A. El Gamal and Y. Kim, “Lecture notes on network information theory,” available at http://arxiv.org/abs/1001.3404 , 2010.[19] G. Z. Yang, “Body Sensor Networks,”
Springer , 2006.[20] K. Srinivasan and P. Levis, “RSSI is under appreciated.”[21] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, and K. Pister, “System architecture directions for networked sensors.”
ArchitecturalSupport for Programming Languages and Operating Systems , pp. 93–104.[22] “Telos data sheet.”[23] “Chipcon CC2420 datasheet.”[24] “IEEE 802.15.4 wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate wireless personal area networks(LR-WPANs).”[25] K. Whitehouse, A. Woo, F. Jiang, J. Polastre, and D. Culler, “Exploiting the capture effect for collision detection and recovery.” in
Proc.The Second IEEE Workshop on Embedded Networked Sensors (EmNetS-II) , pp. 45–52, 30–31 May 2005.[26] T. Cover and J. Thomas, “Elements of information theory.” John Wiley Sons, Inc., 1991. (bps) R ( bp s ) Outer BoundR FM Channel PrefixingBinning and Key Sharing
Fig. 1. Boundaries of achievable rate regions for the modulo- channel, when ǫ = 0 . , ǫ = 0 . , ǫ e = 0 . , and µ = µ = 0 . . Theouter bound is the capacity of the two-way channel without the secrecy constraints. October 30, 2018 DRAFT2 (bps) R ( bp s ) Outer BoundR FG Binning or Channel PrefixingCooperative Binning and Key Sharing
Fig. 2. Boundaries of achievable rate regions for the Gaussian channel, when g = g = 1 , g e = 10 , g e = 0 . , and ρ = 1 , ρ = 100 .The outer bound is the capacity of the two-way channel without the secrecy constraints. (bps) R ( bp s ) Outer BoundR FG Binning or Channel PrefixingCooperative Binning and Key Sharing[He and Yener]Backward Key Sharing Only
Fig. 3. Boundaries of achievable rate regions for the Gaussian channel, when g = g = 1 , g e = 5 , g e = 0 . , and ρ = ρ = 1 . Theouter bound is the capacity of the two-way channel without the secrecy constraints.Fig. 4. Near field wireless communications scenario. Eve is assumed to be located outside a circle of radius r E whose center lies at themid-point between Alice and Bob. October 30, 2018 DRAFT3 min / d max R s Two−Way Communication with Randomized SchedulingOne−Way Communication with Feedback
Fig. 5. Maximum achievable secrecy rate for different distance ratios between Eve and each of the two communicating nodes. R s Configuration 1Configuration 2
Fig. 6. β vs. R s in different configurations for the one way TDM scheme, R s = 0.5 [ R M − R E ] + . We consider the case when Alice is thetransmitter and Bob is the legitimate receiver. R s Configuration 1Configuration 2
Fig. 7. P t vs. R s in different configurations for the randomized scheduling communication scheme, R s = [ R M - max ( R EA , R EB )] + ..