The Wiretap Channel with Feedback: Encryption over the Channel
arXiv [cs.IT], Apr
Lifeng Lai, Hesham El Gamal and H. Vincent Poor
Abstract
In this work, the critical role of noisy feedback in enhancing the secrecy capacity of the wiretap channel is established. Unlike previous works, where a noiseless public discussion channel is used for feedback, the feed-forward and feedback signals share the same noisy channel in the present model. Quite interestingly, this noisy feedback model is shown to be more advantageous in the current setting. More specifically, the discrete memoryless modulo-additive channel with a full-duplex destination node is considered first, and it is shown that the judicious use of feedback increases the perfect secrecy capacity to the capacity of the source-destination channel in the absence of the wiretapper. In the achievability scheme, the feedback signal corresponds to a private key, known only to the destination. In the half-duplex scheme, a novel feedback technique that always achieves a positive perfect secrecy rate (even when the source-wiretapper channel is less noisy than the source-destination channel) is proposed. These results hinge on the modulo-additive property of the channel, which is exploited by the destination to perform encryption over the channel without revealing its key to the source. Finally, this scheme is extended to the continuous real valued modulo-Λ channel where it is shown that the perfect secrecy capacity with feedback is also equal to the capacity in the absence of the wiretapper.
I. INTRODUCTION
The study of secure communication from an information theoretic perspective was pioneered by Shannon [1]. In Shannon's model, both the sender and the destination possess a common secret key K, which is unknown to the wiretapper, and use this key to encrypt and decrypt the message M. Shannon considered a scenario where both the legitimate receiver and the wiretapper have direct access to the transmitted signal and introduced the perfect secrecy condition I(M; Z) = 0, implying that the signal Z received by the wiretapper does not provide any additional information about the source message M. Under this model, he proved the pessimistic result that the achievability of perfect secrecy requires the entropy of the shared private key K to be at least equal to the entropy of the message itself (i.e., H(K) ≥ H(M) for perfect secrecy). Clearly, the distribution of the secret key under this model is challenging.
Footnote: Lifeng Lai was with the Department of Electrical and Computer Engineering at the Ohio State University; he is now with the Department of Electrical Engineering at Princeton University. Hesham El Gamal is with the Department of Electrical and Computer Engineering at the Ohio State University. H. Vincent Poor is with the Department of Electrical Engineering at Princeton University. This research was supported by the National Science Foundation under Grants ANI-03-38807 and CNS-06-25637.
In a pioneering work [2], Wyner introduced the wiretap channel and established the possibility of creating an almost perfectly secure source-destination link without relying on private (secret) keys. In the wiretap channel, both the wiretapper and destination observe the source encoded message through noisy channels. Similar to Shannon's model, the wiretapper is assumed to have unlimited computational resources. Wyner showed that when the source-wiretapper channel is a degraded version of the source-destination channel, the source can send perfectly secure messages to the destination at a non-zero rate. The main idea is to hide the information stream in the additional noise impairing the wiretapper by using a stochastic encoder which maps each message to many codewords according to an appropriate probability distribution. This way, one induces maximal equivocation at the wiretapper. By ensuring that the equivocation rate is arbitrarily close to the message rate, one achieves perfect secrecy in the sense that the wiretapper is now limited to learn almost nothing about the source-destination messages from its observations. Follow-up work by Leung-Yan-Cheong and Hellman has characterized the secrecy capacity of the additive white Gaussian noise (AWGN) wiretap channel [4].
In a landmark paper, Csiszár and Körner generalized Wyner's approach by considering the transmission of confidential messages over broadcast channels [5]. This work characterized the perfect secrecy capacity of Discrete Memoryless Channels (DMCs), and showed that the perfect secrecy capacity is positive unless the source-wiretapper channel is less noisy than the source-destination channel (referred to as the main channel in the sequel).
Footnote: Wyner's notion of per symbol equivocation is weaker than Shannon's notion of perfect secrecy [3].
Footnote: The source-wiretapper channel is said to be less noisy than the main channel, if for every V → X → YZ, I(V; Z) ≥ I(V; Y), where X is the signal transmitted by the source, and where Y and Z are the received signals at the receiver and the wiretapper, respectively.
Positive secrecy capacity is not always possible to achieve in practice. In an attempt to transmit messages securely in these unfavorable scenarios, [6] and [7] considered the wiretap channel with noiseless feedback. They showed that one may leverage the feedback to achieve a positive perfect secrecy rate, even when the feed-forward perfect secrecy capacity is zero. In this model, there exists a separate noiseless public channel, through which the transmitter and receiver can exchange information. The wiretapper is assumed to obtain a perfect copy of the messages transmitted over this public channel. Upper and lower bounds were derived for the perfect secrecy capacity with noiseless feedback in [6], [7]. In several cases, as discussed in detail in the sequel, these bounds coincide. But, in general, the perfect secrecy capacity with noiseless feedback remains unknown. Along the same line, [8] established the critical role of a trusted/untrusted helper in enhancing the secret key capacity of public discussion algorithms. The multi-terminal generalization of the basic set-up of [6], [7] was studied in [9].
Finally, in [10]–[12], the public discussion paradigm was extended to handle the existence of active adversaries.
Footnote (to the noiseless-feedback model of [6], [7]): The authors also considered a more general secret sharing problem.
Our work represents a marked departure from the public discussion paradigm. In our model, we do not assume the existence of a separate noiseless feedback channel. Instead, the feedback signal from the destination, which is allowed to depend on the signal received so far, is transmitted over the same noisy channel used by the source. Based on the noisy feedback signal, the source can then causally adapt its transmission scheme, hoping to increase the perfect secrecy rate. The wiretapper receives a mixture of the signal from the source and the feedback signal from the destination. Quite interestingly, we show that in the modulo-additive DMC with a full-duplex destination, the perfect secrecy capacity with noisy feedback equals the capacity of the main channel in the absence of the wiretapper. Furthermore, the capacity is achieved with a simple scheme where the source ignores the feedback signal and the destination feeds back randomly generated symbols from a certain alphabet set. This feedback signal plays the role of a private key, known only by the destination, and encryption is performed by the modulo-additive channel. The more challenging scenario with a half-duplex destination, which cannot transmit and receive simultaneously, is considered next. Here, the active transmission periods by the destination will introduce erasures in the feed-forward source-destination channel. In this setting, we propose a novel feedback scheme that achieves a positive perfect secrecy rate for any non-trivial channel distribution. The feedback signal in our approach acts as a private destination only key which strikes the optimal tradeoff between introducing erasures at the destination and errors at the wiretapper. Finally, the proposed scheme is extended to the continuous modulo-Λ lattice channel where it is shown to achieve the capacity of the main channel. Overall, our work proposes a novel approach for encryption where 1) the feedback signal is used as a private key known only to the destination and 2) the encryption is performed by exploiting the modulo-additive property of the channel. This encryption approach is shown to be significantly superior to the classical public discussion paradigm.
Recently, there has been a resurgent interest in studying secure communications from an information theoretic perspective under various scenarios. The point-to-point fading eavesdropper channel was considered in [13]–[18] under different assumptions on the delay constraints and the available transmitter Channel State Information (CSI). In [19]–[22], the information theoretic limits of secure communications over multiple access channels were explored. The relay channel with confidential messages, where the relay acts both as a wiretapper and a helper, was studied in [23], [24]. In [25], the interference channel with confidential messages was studied. In [26], the four terminal relay-eavesdropper channel was introduced and analyzed. The wiretap channel with side information was studied in [27].
The rest of the paper is organized as follows. In Section II, we introduce the system model and our notation. Section III describes and analyzes the proposed feedback scheme which achieves the capacity of the full duplex modulo-additive DMC. Taking the Binary Symmetric Channel (BSC) as an example, we then compare the performance of the proposed scheme with the public discussion approach. The half-duplex scenario is studied in Section IV. In Section V, we extend our results to the modulo-Λ lattice channel.
Finally, Section VI offers some concluding remarks and outlines possible avenues for future research.
II. THE MODULO-ADDITIVE DISCRETE MEMORYLESS CHANNEL
Throughout the sequel, the upper-case letter X will denote a random variable, a lower-case letter x will denote a realization of the random variable, a calligraphic letter X will denote a finite alphabet set and a boldface letter x will denote a vector. Furthermore, we let [x]^+ = max{0, x}.
Without feedback, our modulo-additive discrete memoryless wiretap channel is described by the following relations at time i
y(i) = x(i) + n(i),
z(i) = x(i) + n(i), (1)
where y(i) is the received symbol at the destination, z(i) is the received symbol at the wiretapper, x(i) is the channel input, n(i) and n(i) are the noise samples at the destination and wiretapper, respectively. Here N and N are allowed to be correlated, while each process is assumed to be individually drawn from an identically and independently distributed source. Also we have X ∈ X = {0, 1, ···, |X| − 1}, Y, N ∈ Y = {0, 1, ···, |Y| − 1} and Z, N ∈ Z = {0, 1, ···, |Z| − 1} with finite alphabet sizes |X|, |Y|, |Z| respectively. Here '+' is understood to be modulo addition with respect to the corresponding alphabet size, i.e., y(i) = [x(i) + n(i)] mod |Y| and z(i) = [x(i) + n(i)] mod |Z| with addition in the real field.
In this paper, we focus on the wiretap channel with noisy feedback. More specifically, at time i the destination sends the causal feedback signal X(i) over the same noisy channel used for feed-forward transmission, i.e., we do not assume the existence of a separate noiseless feedback channel. The causal feedback signal is allowed to depend on the received signal so far Y^{i−1}, i.e., X(i) = Ψ(Y^{i−1}), where Ψ can be any (possibly stochastic) function.
In general, we allow the destination to choose the alphabet of the feedback signal X and the corresponding size |X|. With this noisy feedback from the destination, the received signal at the source, wiretapper and destination are
y(i) = x(i) + x(i) + n(i),
y(i) = x(i) + x(i) + n(i), and
z(i) = x(i) + x(i) + n(i),
respectively. Here Y ∈ Y = {0, 1, ···, |Y| − 1} is the received noisy feedback signal at the source and N is the feedback noise, which may be correlated with N and N. We denote the alphabet size of N and Y by |Y|. Again, all '+' operations should be understood to be modulo addition with corresponding alphabet size.
Now, the source wishes to send the message W ∈ W = {1, ···, M} to the destination using an (M, n) code consisting of: 1) a causal stochastic encoder f at the source that maps the message w and the received noisy feedback signal y^{i−1} to a codeword x ∈ X^n with
x(i) = f(i, w, y^{i−1}), (2)
2) a stochastic feedback encoder Ψ at the destination that maps the received signal into X(i) with x(i) = Ψ(y^{i−1}) and 3) a decoding function at the destination d : Y^n → W. The average error probability of the (M, n) code is
P_e^n = Σ_{w∈W} (1/M) Pr{d(y) ≠ w | w was sent}. (3)
The equivocation rate at the wiretapper is defined as
R_e = (1/n) H(W | Z). (4)
We are interested in perfectly secure transmission rates defined as follows.
Definition 1:
A secrecy rate R_f is said to be achievable over the wiretap channel with noisy feedback if for any ε > 0, there exists a sequence of codes (M, n) such that for any n ≥ n(ε), we have
R_f = (1/n) log M, (5)
P_e^n ≤ ε, (6)
(1/n) H(W | Z) ≥ R_f − ε. (7)
Definition 2:
The secrecy capacity with noisy feedback C_s^f is the maximum rate at which messages can be sent to the destination with perfect secrecy; i.e.
C_s^f = sup_{f, Ψ} {R_f : R_f is achievable}. (8)
Note that in our model, the wiretapper is assumed to have unlimited computation resources and to know the coding scheme of the source and the feedback function Ψ used by the destination. We believe that our feedback model captures realistic scenarios where the terminals exchange information over noisy channels.
III. THE WIRETAP CHANNEL WITH FULL-DUPLEX FEEDBACK
A. Known Results
The secrecy capacity of the wiretap DMC without feedback C_s was characterized in [5]. Specializing to our modulo-additive channel, one obtains
C_s = max_{V → X → YZ} [I(V; Y) − I(V; Z)]^+. (9)
The wiretap DMC with public discussion was introduced and analyzed in [6], [7]. More specifically, these papers considered a more general model in which all the nodes observe correlated variables, and there exists an extra noiseless public channel with infinite capacity, through which both the source and the destination can send information. Combining the correlated variables and the publicly discussed messages, the source and the destination generate a key about which the wiretapper has only negligible information. Please refer to [7] for rigorous definitions of these notions. Since the public discussion channel is noiseless, the wiretapper is assumed to observe a noiseless version of the information transmitted over it. It is worth noting that some of the schemes proposed in [6], [7] manage only to generate an identical secret key at both the source and destination. The source may then need to encrypt its message using the one-time pad scheme which reduces the effective source-destination information rate. Thus, the effective secrecy rate that could be used to transmit information from the source to the destination may be less than the results reported in [6], [7]. Nevertheless, we use these results for comparison purposes (which is generous to the public discussion paradigm). The following theorem gives upper and lower bounds on the secret key capacity of the public discussion paradigm C_s^p.
Theorem 3 ([6], [7]):
The secret key capacity of the public discussion approach satisfies the following conditions:
max{ max_{P_X} [I(X; Y) − I(X; Z)], max_{P_X} [I(X; Y) − I(Y; Z)] } ≤ C_s^p ≤ min{ max_{P_X} I(X; Y), max_{P_X} I(X; Y | Z) }.
Proof:
Please refer to [6], [7].
Footnote: The wiretap channel model is a particular mechanism for the nodes to observe the correlated variables, and corresponds to the "channel type model" studied in [7].
These bounds are known to be tight in the following cases [6], [7].
1) P_{YZ|X} = P_{Y|X} P_{Z|X}, i.e., the main channel and the source-wiretapper channel are independent; in this case
C_s^p = max_{P_X} {I(X; Y) − I(Y; Z)}. (10)
2) P_{XZ|Y} = P_{X|Y} P_{Z|Y}, i.e., X → Y → Z forms a Markov chain, and hence the source-wiretapper channel is a degraded version of the main channel. In this case
C_s^p = max_{P_X} {I(X; Y) − I(X; Z)}. (11)
This is also the secrecy capacity of the degraded wiretap channel without feedback. Hence public discussion does not increase the secrecy capacity for the degraded wiretap channel.
3) P_{XY|Z} = P_{X|Z} P_{Y|Z}, i.e., X → Z → Y, so that the main channel is a degraded version of the wiretap channel. In this case
C_s^p = 0. (12)
Again, public discussion does not help in this scenario.
B. The Main Result
Before presenting the main theorem, we present the crypto lemma which will be intensively used later.
Lemma 4 (Crypto Lemma [28]):
Let G be a compact abelian group with group operation '+', and let Y = X + X, where X and X are random variables over G and X is independent of X and uniform over G. Then Y is independent of X and uniform over G.
Proof:
Please refer to [28].
The following theorem characterizes the secrecy capacity of the wiretap channel with noisy feedback. Moreover, achievability is established through a novel encryption scheme that exploits the modulo-additive structure of the channel and uses a private key known only to the destination.
Theorem 5:
The secrecy capacity of the discrete memoryless modulo-additive wiretap channel with noisy feedback is
C_s^f = C, (13)
where C is the capacity of the main channel in the absence of the wiretapper.
Proof:
1. Converse.
Let
R_f = {R_f : there exists a coding scheme that satisfies (5)-(7) for R_f}. (14)
Also, let
R = {R : there exists a coding scheme that satisfies (5)-(6) for R}. (15)
Obviously R_f ⊆ R, since we are dropping the equivocation condition (7), i.e., we are ignoring the wiretapper. Hence we have C_s^f = sup R_f ≤ sup R. It is clear that R is the set of reliable transmission rates of an ordinary DMC with feedback. It is well known that feedback does not increase the capacity of discrete memoryless channels, hence we have
C_s^f = sup R_f ≤ sup R = C. (16)
2. Achievability.
For any given input probability mass function p(x), we use the following scheme.
1) Coding at the source.
The source ignores the feedback signal and uses a channel coding scheme for the ordinary channel without wiretapper. More specifically, the source generates M = 2^{nR_f} length-n codewords x with probability p(x) = ∏_{i=1}^{n} p(x(i)). When the source needs to send message w ∈ W, it sends the corresponding codeword x(w).
2) Feedback at the destination.
The destination sets X = Z, and at any time i sets x(i) = a, a ∈ {0, ···, |Z| − 1} with probability 1/|Z|. Hence x is uniformly distributed over Z^n.
3) Decoding at the destination.
After receiving y, the destination sets ŷ = y − x, here '−' is understood to be a component-wise modulo |Y| operation. It is easy to see that ŷ = x + n. The destination then claims that ŵ was sent, if (ŷ, x(ŵ)) are jointly typical. For any given ε > 0, the probability that ŵ ≠ w goes to zero, if R_f = I(X; Ŷ) − ε = I(X; Y | X) − ε and n is large enough. The channel X → Ŷ is equivalent to the main channel without feedback. Hence as long as R_f < C, there exists a code with sufficient code-length such that P_e^n ≤ ε for any ε > 0.
4) Equivocation at the wiretapper.
The wiretapper will receive
z = x + x + n, (17)
and x is uniformly distributed over Z^n and is independent of x. Based on the crypto lemma, for any given x, x + X is uniformly distributed over Z^n, and hence z is uniformly distributed over Z^n for any transmitted codeword x and noise realization n.
Moreover Z is independent of X, thus
I(X; Z) = 0. (18)
Hence we have I(W; Z) ≤ I(X; Z) = 0, thus
(1/n) H(W | Z) = (H(W) − I(W; Z))/n = R_f, (19)
and we achieve perfect secrecy.
This completes the proof.
The following observations are now in order.
1) Our scheme achieves I(W; Z) = 0. This implies perfect secrecy in the strong sense of Shannon [1] as opposed to Wyner's notion of perfect secrecy [2], which has been pointed out to be insufficient for certain encryption applications [3].
2) The enabling observation behind our achievability scheme is that, by judiciously exploiting the modulo-additive structure of the channel, one can render the channel output at the wiretapper independent from the codeword transmitted by the source. Here, the feedback signal x serves as a private key and the encryption operation is carried out by the channel. Instead of requiring both the source and destination to know a common encryption key, we show that only the destination needs to know the encryption key, hence eliminating the burden of secret key distribution.
3) Remarkably, the secrecy capacity with noisy feedback is shown to be larger than the secret key capacity of public discussion schemes. This point will be further illustrated by the binary symmetric channel example discussed next. This presents a marked departure from the conventional wisdom, inspired by the data processing inequality, which suggests the superiority of noiseless feedback. This result is due to the fact that the noiseless feedback signal is also available to the wiretapper, while in the proposed noisy feedback scheme neither the source nor the wiretapper knows the feedback signal perfectly. In fact, the source in our scheme ignores the feedback signal, which is used primarily to confuse the wiretapper.
4) Our result shows that complicated feedback functions Ψ are not needed to achieve optimal performance in this setting (i.e., a random number generator suffices). Also, the alphabet size of the feedback signal can be set equal to the alphabet size of the wiretapper channel and the coding scheme used by the source is the same as the one used in the absence of the wiretapper.
C. The Binary Symmetric Channel Example
Fig. 1. The Binary Symmetric Wiretap Channel.
To illustrate the idea of encryption over the channel, we consider in some detail the wiretap BSC shown in Figure 1, where X = Y = Z = {0, 1}, Pr{n = 1} = ε and Pr{n = 1} = δ. The secrecy capacity of this channel without feedback is known to be [6]
C_s = [H(δ) − H(ε)]^+,
with H(x) = −x log x − (1 − x) log(1 − x). We differentiate between the following special cases.
1) ε = δ = 0.
In this case, both the main channel and wiretap channel are noiseless, hence
C_s = 0.
Also we have
C_s^p = 0,
since the wiretapper sees exactly the same as what the destination sees. Specializing our scheme to this BSC channel, at time i, the destination randomly chooses x(i) = 1 with probability 1/2 and sends x(i) over the channel. This creates a virtual BSC at the wiretapper with δ′ = 1/2. On the other hand, since the destination knows the value of x(i), it can cancel it by adding x(i) to the received signal. This converts the original channel to an equivalent BSC with ε′ = 0. Hence, through our noisy feedback approach, we obtain an equivalent wiretap BSC with parameters ε′ = 0, δ′ = 1/2 resulting in
C_s^f = H(δ′) − H(ε′) = 1.
2) 0 < δ < ε < 1/2, N and N are independent.
Since δ < ε, we have
C_s = 0.
Also, N and N are independent, so P_{YZ|X} = P_{Y|X} P_{Z|X}. Then from (10), one can easily obtain that [6]
C_s^p = H(ε + δ − 2εδ) − H(ε).
Our feedback scheme, on the other hand, achieves
C_s^f = 1 − H(ε).
Since H(ε + δ − 2εδ) ≤ 1, we have C_s^f ≥ C_s^p with equality if and only if ε + δ − 2εδ = 1/2.
3) 0 < δ < ε < 1/2 and N(i) = N(i) + N′(i), where Pr{n′(i) = 1} = (ε − δ)/(1 − 2δ).
The main channel is a degraded version of the source-wiretapper channel, X → Z → Y, as shown in Figure 2.
Fig. 2. The BSC Wiretap Channel with a Degraded Main Channel.
Hence, from (12), we have
C_s = C_s^p = 0,
while
C_s^f = 1 − H(ε).
4) 0 < ε < δ < 1/2, and N(i) = N(i) + N′(i), where Pr{n′(i) = 1} = (δ − ε)/(1 − 2ε).
Fig. 3. The BSC wiretap Channel with a Degraded Source-Wiretapper Channel.
In this case, the source-wiretapper channel is a degraded version of the main channel as shown in Figure 3; X → Y → Z, so from (11)
C_s = C_s^p = H(δ) − H(ε).
But
C_s^f = 1 − H(ε) ≥ C_s^p
with equality if and only if δ = 1/2.
5) N and N are correlated and the channel is not degraded.
In this case
C_s = [H(δ) − H(ε)]^+.
The value of C_s^p is unknown in this case but can be bounded by
C_s = [H(δ) − H(ε)]^+ ≤ C_s^p ≤ 1 − H(ε) = C_s^f.
In summary, the secrecy capacity with noisy feedback is always larger than or equal to that of the public discussion paradigm when the underlying wiretap channel is a BSC. More strongly, the gain offered by the noisy feedback approach, over the public discussion paradigm, is rather significant in many relevant special cases.
IV. EVEN HALF-DUPLEX FEEDBACK IS SUFFICIENT
It is reasonable to argue against the practicality of the full duplex assumption adopted in the previous section. For example, in the wireless setting, nodes may not be able to transmit and receive with the same degree of freedom due to the large difference between the power levels of the transmit and receive chains. This motivates extending our results to the half duplex wiretap channel where the terminals can either transmit or receive but never both at the same time. Under this situation, if the destination wishes to feed back at time i, it loses the opportunity to receive the i-th symbol transmitted by the source, which effectively results in an erasure (assuming that the source is unaware of the destination decision). The proper feedback strategy must, therefore, strike a balance between confusing the wiretapper and degrading the source-destination link. In order to simplify the following presentation, we first focus on the wiretap BSC. The extension to arbitrary modulo-additive channels is briefly outlined afterwards.
In the full-duplex case, at any time i, the optimal scheme is to let the destination send x(i), which equals 0 or 1 with probability 1/2 respectively. But in the half-duplex case, if the destination always keeps sending, it does not have a chance to receive information from the source, and hence, the achievable secrecy rate is zero. This problem, however, can be solved by observing that if at time i, x(i) = 0, the signal the wiretapper receives, i.e.,
z(i) = x(i) + n(i),
is the same as in the case in which the destination does not transmit. The only crucial difference in this case is that the wiretapper does not know whether the feedback has taken place or not, since x(i) can be randomly generated at the destination and kept private.
The previous discussion inspires the following feedback scheme for the half-duplex channel. The destination first fixes a fraction 0 ≤ t ≤ 1 which is revealed to both the source and wiretapper. At time i, the destination randomly generates x(i) = 1 with probability t and x(i) = 0 with probability 1 − t. If x(i) = 1, the destination sends x(i) over the channel, which causes an erasure at the destination and a potential error at the wiretapper. On the other hand, when x(i) = 0, the destination does not send a feedback signal and spends the time on receiving from the channel.
The key to this scheme is that although the source and wiretapper know t, neither is aware of the exact timing of the event x = 1. The source ignores the feedback and keeps sending information. The following result characterizes the achievable secrecy rate with the proposed feedback scheme.
Theorem 6:
For a BSC with half-duplex nodes and parameters ε and δ, the scheme proposed above achieves
R_s^f = max_{μ,t} [ (1 − t)[H(ε + μ − 2με) − H(ε)] − [H(δ̂ + μ − 2μδ̂) − H(δ̂)] ]^+, (20)
with δ̂ = δ + t − 2δt.
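The Section III-C comparison and the rate in (20) can be evaluated directly; the Python below is an added example, not code from the paper, and it also builds the wiretapper's channel by enumerating the destination's private key so that the crypto-lemma step and δ̂ can be checked exactly. Assumptions: function names are illustrative, rates are in bits, ε = 0.2 and δ = 0.1 are constructed sample values, and every binary term uses the cascade a(1 − b) + b(1 − a) of two independent bit flips.

```python
import math


def h2(p):
    """Binary entropy H(p) in bits, with H(0) = H(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def cascade(a, b):
    """Probability that exactly one of two independent flips (rates a, b) occurs."""
    return a * (1 - b) + b * (1 - a)


def wiretapper_channel(q, noise_pmf, key_pmf):
    """Transition matrix x -> z = (x + key + noise) mod q, built by enumeration.
    The key is the destination's private feedback symbol."""
    chan = [[0.0] * q for _ in range(q)]
    for x in range(q):
        for k, pk in enumerate(key_pmf):
            for n, pn in enumerate(noise_pmf):
                chan[x][(x + k + n) % q] += pk * pn
    return chan


def mutual_information(p_x, chan):
    """I(X;Z) in bits for input pmf p_x and transition matrix chan[x][z]."""
    p_z = [sum(px * row[z] for px, row in zip(p_x, chan))
           for z in range(len(chan[0]))]
    info = 0.0
    for px, row in zip(p_x, chan):
        for z, pzx in enumerate(row):
            if px > 0 and pzx > 0:
                info += px * pzx * math.log2(pzx / p_z[z])
    return info


def full_duplex_bsc(eps, delta):
    """Section III-C quantities for a wiretap BSC with independent noises."""
    c_s = max(h2(delta) - h2(eps), 0.0)        # no feedback
    c_p = h2(cascade(eps, delta)) - h2(eps)    # public discussion, case 2
    c_f = 1.0 - h2(eps)                        # noisy feedback, Theorem 5
    return c_s, c_p, c_f


def half_duplex_rate(eps, delta, mu, t):
    """Bracketed expression of (20) for input bias mu and feedback fraction t."""
    delta_hat = cascade(delta, t)              # (1 - t) delta + t (1 - delta)
    main = (1 - t) * (h2(cascade(eps, mu)) - h2(eps))
    eve = h2(cascade(delta_hat, mu)) - h2(delta_hat)
    return max(main - eve, 0.0)


def maximise_half_duplex(eps, delta, steps=100):
    """Grid search of (20) over mu and t; returns (rate, mu, t)."""
    best = (0.0, 0.0, 0.0)
    for i in range(steps + 1):
        for j in range(steps + 1):
            mu, t = i / steps, j / steps
            rate = half_duplex_rate(eps, delta, mu, t)
            if rate > best[0]:
                best = (rate, mu, t)
    return best


if __name__ == "__main__":
    eps, delta = 0.2, 0.1   # constructed values: the wiretapper's channel is cleaner
    print("C_s, C_s^p, C_s^f:", full_duplex_bsc(eps, delta))
    uniform_key = wiretapper_channel(2, [1 - delta, delta], [0.5, 0.5])
    no_key = wiretapper_channel(2, [1 - delta, delta], [1.0, 0.0])
    print("I(X;Z) with uniform key:", mutual_information([0.3, 0.7], uniform_key))
    print("I(X;Z) without feedback:", mutual_information([0.5, 0.5], no_key))
    print("half-duplex, mu = t = 1/2:", half_duplex_rate(eps, delta, 0.5, 0.5))
    print("half-duplex, grid optimum:", maximise_half_duplex(eps, delta))
```

With these sample values the no-feedback capacity is zero, while both feedback schemes return a strictly positive rate.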
Proof:
For the main channel, if the destination spends a t fraction of its time on sending, the equivalent main channel is shown in Figure 4 with output ŷ ∈ {0, φ, 1}, where φ represents an erasure. The erasure probability is t. In the remaining 1 − t fraction of the time, the channel is a BSC with parameter ε. Hence, the transition matrix of this equivalent channel is
[ (1 − t)(1 − ε)   t   (1 − t)ε ]
[ (1 − t)ε   t   (1 − t)(1 − ε) ].
Meanwhile for the wiretapper, the equivalent channel is still a BSC, but with the increased error probability
δ̂ = (1 − t)δ + t(1 − δ) = δ + t − 2δt. (21)
Fig. 4. The Equivalent Main Channel.
Hence the original BSC wiretap channel with noisy feedback is equivalent to a new wiretap channel X → (Ŷ, Z) without feedback, and the channel parameters are given as above. As shown in [5], for this equivalent wiretap channel the following secrecy rate is achievable for any input distribution P_X:
R_f = [I(X; Ŷ) − I(X; Z)]^+. (22)
Hence, by using the input distribution Pr{X = 1} = μ, one can see that
R_f = max_{μ,t} [ (1 − t)[H(ε + μ − 2με) − H(ε)] − [H(δ̂ + μ − 2μδ̂) − H(δ̂)] ]^+ (23)
is achievable.
In general, one can obtain the optimal values of μ and t by setting the partial derivatives of R_f with respect to μ and t to 0, and solving the corresponding equations. Unfortunately, except for some special cases, we do not have a closed form solution for these equations at the moment. Interestingly, using the not necessarily optimal choice of μ = t = 1/2, we obtain R_f = (1 − H(ε))/2, implying that we can achieve a nonzero secrecy rate as long as ε ≠ 1/2 irrespective of the wiretapper channel conditions. Hence, even for half-duplex nodes, noisy feedback from the destination allows for transmitting information securely for almost any wiretap BSC. Finally, we compare the performance of different schemes in some special cases of the wiretap BSC.
1) ε = δ = 0.
As mentioned above, here we have C_s = C_s^p = 0. It is easy to verify that the optimal choice of μ and t are / , and we thus have R_s^f = 1/ .
2) 0 < δ < ε < 1/2 and N(i) = N(i) + N′(i), where Pr{n′(i) = 1} = (ε − δ)/(1 − 2δ).
The main channel is a degraded version of the wiretap channel, so
C_s = C_s^p = 0. (24)
But by setting μ = t = 1/2 in our half-duplex noisy feedback scheme, we obtain R_s^f = (1 − H(ε))/2.
The extension to the general discrete modulo-additive channel is natural. The destination can set X = Z, and generates x(i) with certain distribution P_X.
At time i, if the randomly generated x(i) ≠ 0, the destination sends a feedback signal, incurring an erasure to itself. On the other hand, if x(i) = 0, it does not send the feedback signal and spends the time listening to the source. The achievable performance could be calculated based on the equivalent channels as done in the BSC. This scheme guarantees a positive secrecy capacity as seen in the case where P_X is chosen to be uniformly distributed over Z. This is because a uniform distribution over Z renders the output at the wiretapper independent from the source input, i.e., I(W; Z) = 0, while the destination can still spend 1/|Z| part of the time listening to the source. Finding the optimal distribution P_X, however, is tedious.
V. THE MODULO-Λ CHANNEL
In this section, we take a step towards extending our approach to continuous valued channels. In particular, we consider the Modulo-Λ channel [29]–[32]. This choice is motivated by two considerations: 1) this channel still enjoys the modulo structure which proved instrumental in deriving our results in the discrete case, and 2) the modulo-Λ channel has been shown to play an important role in achieving the capacity of the Additive White Gaussian Noise (AWGN) channel using lattice coding/decoding techniques [31] (in other words, an AWGN source-destination channel can be well approximated by a Modulo-Λ channel). In the following, we show that, similar to the discrete case, noisy feedback can increase the secrecy capacity of the wiretap modulo-Λ channel to that of the main channel capacity in the absence of the wiretapper.
Before proceeding further, we need to introduce a few more definitions. An m-dimensional lattice Λ ⊂ R^m is a set of points
Λ ≜ {λ = Gu : u ∈ Z^m}, (25)
where G ∈ R^{m×m} denotes the lattice generator matrix. A fundamental region Ω ∈ R^m of Λ is a set such that each x ∈ R^m can be written uniquely in the form x = λ + e with λ ∈ Λ, e ∈ Ω, and R^m = Λ + Ω. There are many different choices of the fundamental region, each with the same volume which will be denoted as V(Λ). Given a lattice Λ, a fundamental region Ω of Λ, and a zero-mean white Gaussian noise process with variance σ per dimension, the mod-Λ channel is defined as follows [29].
Definition 7 ([29]):
The input of the mod-Λ channel consists of points X ∈ Ω; the output of the mod-Λ channel is Y = (X + N) mod Λ, where N is an m-dimensional white Gaussian noise variable with variance σ per dimension. Hence Y is the unique element of Ω that is congruent to X + N.

In our wiretap mod-Λ channel, the output at the wiretapper (in the absence of feedback) is also given by Z = (X + N) mod Λ. Here N is an m-dimensional white Gaussian noise variable with variance σ per dimension. Similar to Section II, we consider noisy feedback, where the destination sends a feedback signal X ∈ Ω based on its received signal, and the received signal at the source is Y = (X + X + N) mod Λ, where N is an m-dimensional white Gaussian noise with variance σ per dimension. Now, the received signals at the destination and wiretapper are Y = (X + X + N) mod Λ and Z = (X + X + N) mod Λ, respectively.

For example, if m = 1, Λ = Z is a lattice in R, with [−1/2, 1/2) being one of its fundamental regions. With this lattice and fundamental region, the output at the destination is then Y = (X + X + N) mod Λ = X + X + N − ⌊X + X + N + 1/2⌋, where N is a one-dimensional Gaussian random variable with variance σ. Here ⌊x⌋ denotes the largest integer that is smaller than x. One can easily check that Y ∈ [−1/2, 1/2). The output at the wiretapper and source can be written in a similar manner. This m = 1 example can be viewed as the continuous counterpart of the discrete channels considered in Section III.

Let N′ = N mod Λ, and let f_{Λ,σ}(n′) be the probability density function of N′. One can easily verify that [29]

f_{Λ,σ}(n′) = Σ_{b ∈ Λ} (2πσ) − m exp −||n′ + b|| / σ, n′ ∈ Ω. (26)

Denote the differential entropy of the noise term N′ by h(Λ, σ). Then

h(Λ, σ) = − ∫_{Ω(Λ)} f_{Λ,σ}(n′) log f_{Λ,σ}(n′) dn′. (27)

We are now ready to prove the following.

Theorem 8:
The secrecy capacity of the mod-Λ channel with noisy feedback is

C^f_s = log(V(Λ)) − h(Λ, σ). (28)

Proof:
The proof follows along the same lines as that of Theorem 5. For the converse, (28) was shown to be the capacity of the mod-Λ channel in the absence of the wiretapper in [29], which naturally serves as an upper bound for the secrecy capacity, as argued in the proof of Theorem 5.

To achieve this secrecy capacity, the source generates length-n codewords x, with the i-th element x(i) being chosen uniformly from Ω. Hence each codeword x ∈ Ω^n ⊂ R^{n×m}. Now, at time i, the destination generates feedback signals x(i) with uniform distribution over the set Ω, and thus the feedback signal X is uniformly distributed over Ω^n. Based on the crypto lemma, for any codeword x and any particular noise realization n, the length-n random variable received at the wiretapper

Z = x + X + n mod Λ,

is uniformly distributed over Ω^n and is independent of X. Hence, we have

I(X; Z) = 0. (29)

On the other hand, with X uniformly distributed over Ω^n, the mutual information between X and Y given X (the destination knows X) is

n I(X; Y | X) = log(V(Λ)) − h(Λ, σ). (30)

So, for any ε > 0, there exists a code with rate R^f = C^f − ε and I(M; Z) = 0. This completes the achievability part.
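The m = 1, Λ = Z case of the scheme used in this proof, as an added example that is not code from the paper: the destination adds a fresh uniform key on the channel, the wiretapper's output histogram is flat whatever the source symbol is, and the destination strips its own key to be left with noise mod Λ. The function names, the single variance parameter `sigma2` (taken equal at the destination and the wiretapper), the fundamental region [-1/2, 1/2) and the sample values are assumptions of this example.

```python
import math
import random

def mod_lattice(v):
    """Reduce v modulo the lattice Z into the fundamental region [-1/2, 1/2)."""
    return v - math.floor(v + 0.5)

def wrapped_density(n, sigma2, terms=50):
    """Density of N' = N mod Z for N ~ Normal(0, sigma2): a Gaussian aliased over Z."""
    total = sum(math.exp(-(n + b) ** 2 / (2 * sigma2)) for b in range(-terms, terms + 1))
    return total / math.sqrt(2 * math.pi * sigma2)

def capacity_nats(sigma2, steps=4000):
    """log V(Z) - h(N') with V(Z) = 1, using midpoint integration over [-1/2, 1/2)."""
    h = 0.0
    for k in range(steps):
        f = wrapped_density(-0.5 + (k + 0.5) / steps, sigma2)
        h -= f * math.log(f) / steps
    return math.log(1.0) - h

def simulate(x, sigma2, trials=20000, seed=1):
    """One fixed source symbol x, fresh uniform feedback key per channel use.

    Returns the wiretapper's 10-bin output histogram and the destination's
    mean absolute residual after it subtracts the key only it knows.
    """
    rng = random.Random(seed)
    sd = math.sqrt(sigma2)
    bins = [0] * 10
    residual = 0.0
    for _ in range(trials):
        key = rng.uniform(-0.5, 0.5)                 # destination's private feedback
        y = mod_lattice(x + key + rng.gauss(0, sd))  # destination's observation
        z = mod_lattice(x + key + rng.gauss(0, sd))  # wiretapper's observation
        bins[min(int((z + 0.5) * 10), 9)] += 1
        residual += abs(mod_lattice(y - key - x))    # what is left is noise mod Z
    return [c / trials for c in bins], residual / trials

if __name__ == "__main__":
    for x in (-0.4, 0.0, 0.3):  # constructed sample inputs
        hist, res = simulate(x, sigma2=0.01)
        print(f"x={x:+.1f} wiretapper={[round(p, 3) for p in hist]} residual={res:.3f}")
    print("capacity (nats):", round(capacity_nats(0.01), 4))
```

The flat histogram is the crypto lemma at work: it depends on the key being uniform over the whole fundamental region and on the wiretapper seeing only the reduced value.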
Our result for the modulo-Λ channel sheds some light on the more challenging scenario of the wiretap AWGN channel with feedback. The difference between the two cases results from the modulo restrictions imposed on the destination and wiretapper outputs. The first constraint does not entail any loss of generality due to the optimality of the modulo-Λ approach in the AWGN setting [31]. Relaxing the second constraint, however, poses a challenge because it destroys the modulo structure necessary to hide the information from the wiretapper (i.e., the crypto lemma needs the group structure). In other words, if the wiretapper is not limited by the modulo-operation then it can gain some additional information about the source message from its observations. Therefore, finding the secrecy capacity of the wiretap AWGN channel remains elusive (at the moment, we can only compute achievable rates using Gaussian noise as the feedback signal).

VI. CONCLUSION
In this paper, we have obtained the secrecy capacity (or achievable rate) for several instantiations of the wiretap channel with noisy feedback. More specifically, with a full duplex destination, it has been shown that the secrecy capacity of modulo-additive channels is equal to the capacity of the source-destination channel in the absence of the wiretapper. Furthermore, the secrecy capacity is achieved with a simple scheme in which the destination randomly chooses its feedback signal from a certain alphabet set. Interestingly, with a slightly modified feedback scheme, we are able to achieve a positive secrecy rate for the half duplex channel. Overall, our work has revealed a new encryption paradigm that exploits the structure of the wiretap channel and uses a private key known only to the destination. We have shown that this paradigm significantly outperforms the public discussion approach for sharing private keys between the source and destination.

Our results motivate several interesting directions for future research. For example, characterizing the secrecy capacity of arbitrary DMCs (and the AWGN channel) with feedback remains an open problem. From an algorithmic perspective, it is also important to understand how to exploit different channel structures (in addition to the modulo-additive one) for encryption purposes. Finally, extending our work to multi-user channels (e.g., the relay-eavesdropper channel [26]) is of definite interest.
REFERENCES

[1] C. E. Shannon, “Communication theory of secrecy systems,” Bell System Technical Journal, vol. 28, pp. 656–715, Oct. 1949.
[2] A. D. Wyner, “The wire-tap channel,” Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1387, 1975.
[3] U. M. Maurer and S. Wolf, “Information-theoretic key agreement: From weak to strong secrecy for free,” Lecture Notes in Computer Science, vol. 1807, pp. 356–373, 2000.
[4] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian wiretap channel,” IEEE Trans. on Information Theory, vol. 24, pp. 451–456, Jul. 1978.
[5] I. Csiszár and J. Korner, “Broadcast channels with confidential messages,” IEEE Trans. on Information Theory, vol. 24, pp. 339–348, May 1978.
[6] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. on Information Theory, vol. 39, pp. 733–742, May 1993.
[7] R. Ahlswede and I. Csiszár, “Common randomness in information theory and cryptography, part I: Secret sharing,” IEEE Trans. on Information Theory, vol. 39, pp. 1121–1132, July 1993.
[8] I. Csiszár and P. Narayan, “Common randomness and secret key generation with a helper,” IEEE Trans. on Information Theory, vol. 46, pp. 344–366, Mar. 2000.
[9] I. Csiszár and P. Narayan, “Secrecy capacities for multiple terminals,” IEEE Trans. on Information Theory, vol. 50, pp. 3047–3061, Dec. 2004.
[10] U. M. Maurer and S. Wolf, “Secret key agreement over a non-authenticated channel - Part I: Definitions and bounds,” IEEE Transactions on Information Theory, vol. 49, pp. 822–831, Apr. 2003.
[11] U. M. Maurer and S. Wolf, “Secret key agreement over a non-authenticated channel - Part II: The simulatability condition,” IEEE Transactions on Information Theory, vol. 49, pp. 832–838, Apr. 2003.
[12] U. M. Maurer and S. Wolf, “Secret key agreement over a non-authenticated channel - Part III: Privacy amplification,” IEEE Transactions on Information Theory, vol. 49, pp. 839–851, Apr. 2003.
[13] P. K. Gopala, L. Lai, and H. El Gamal, “On the secrecy capacity of fading channels,” IEEE Trans. on Information Theory, Oct. 2006. Submitted.
[14] Y. Liang, H. V. Poor, and S. S. (Shitz), “Secure communication over fading channels,” IEEE Trans. on Information Theory, 2006. Submitted.
[15] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, “Wireless information-theoretic security - part I: Theoretical aspects,” IEEE Trans. on Information Theory, 2006. Submitted.
[16] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, “Wireless information-theoretic security - part II: Practical implementation,” IEEE Trans. on Information Theory, 2006. Submitted.
[17] Z. Li, R. Yates, and W. Trappe, “Secure communication over wireless channels,” in Information Theory and Application Workshop, UCSD, Jan. 2007.
[18] P. Parada and R. Blahut, “Secrecy capacity of SIMO and slow fading channels,” in Proc. IEEE Internat. Symposium on Information Theory, (Adelaide, Australia), pp. 2152–2155, Sep. 2005.
[19] E. Tekin and A. Yener, “The Gaussian multiple access wire-tap channel,” IEEE Trans. on Information Theory, 2006. Submitted.
[20] E. Tekin and A. Yener, “The Gaussian multiple-access wire-tap channel,” IEEE Trans. on Information Theory, 2007. Submitted.
[21] Y. Liang and H. V. Poor, “Generalized multiple access channels with confidential messages,” IEEE Trans. on Information Theory, 2006. Submitted.
[22] R. Liu, I. Maric, R. D. Yates, and P. Spasojevic, “The discrete memoryless multiple access channel with confidential messages,” in Proc. IEEE Internat. Symposium on Information Theory, (Seattle, WA), July 9-14, 2006.
[23] Y. Oohama, “Coding for relay channels with confidential messages,” in Proc. IEEE Information Theory Workshop, (Cairns, Australia), pp. 87–89, Sept. 2-7, 2001.
[24] Y. Oohama, “Relay channels with confidential messages,” IEEE Trans. on Information Theory, Nov. 2006. Submitted.
[25] R. Liu, I. Maric, P. Spasojevic, and R. D. Yates, “Discrete memoryless interference and broadcast channels with confidential messages: Secrecy capacity regions,” IEEE Trans. on Information Theory, 2007. Submitted.
[26] L. Lai and H. El Gamal, “The relay-eavesdropper channel: Cooperation for secrecy,” IEEE Trans. on Information Theory, Dec. 2006. Submitted.
[27] C. Mitrpant, A. Vinck, and Y. Luo, “An achievable region for the Gaussian wiretap channel with side information,” IEEE Trans. on Information Theory, vol. 52, pp. 2181–2190, May 2006.
[28] G. D. Forney, Jr., “On the role of MMSE estimation in approaching the information-theoretic limits of linear Gaussian channels: Shannon meets Wiener,” in Proc. Allerton Conf. on Communication, Control, and Computing, (Monticello, IL), 2003.
[29] G. D. Forney, Jr., “Sphere-bound-achieving coset codes and multilevel coset codes,” IEEE Trans. on Information Theory, vol. 46, pp. 820–850, May 2000.
[30] M. V. Eyuboglu and G. D. Forney, Jr., “Trellis precoding: Combined coding, precoding and shaping for intersymbol interference channels,” IEEE Trans. on Information Theory, vol. 38, pp. 301–314, Mar. 1992.
[31] U. Erez and R. Zamir, “Achieving log(1 + SNR) on the AWGN channel with lattice encoding and decoding,” IEEE Trans. on Information Theory, vol. 50, pp. 2293–2314, Oct. 2004.
[32] H. El Gamal, G. Caire, and M. O. Damen, “Lattice coding and decoding achieve the optimal diversity-vs-multiplexing tradeoff of MIMO channels,” IEEE Trans. on Information Theory, vol. 50, pp. 968–985, June 2004.