Compute-and-Forward Can Buy Secrecy Cheap

Compute-and-Forward Can Buy Secrecy Cheap

Parisa Babaheidarian*, Somayeh Salimi** *Boston University,**KTH Royal Institute of Technology

We consider a Gaussian multiple access channel with  transmitters, a (intended) receiver and an external eavesdropper. The transmitters wish to reliably communicate with the receiver while concealing their messages from the eavesdropper. This scenario has been investigated in prior works using two different coding techniques; the random i.i.d. Gaussian coding and the signal alignment coding. Although, the latter offers promising results in a very high SNR regime, extending these results to the finite SNR regime is a challenging task. In this paper, we propose a new lattice alignment scheme based on the compute-and-forward framework which works at any finite SNR. We show that our achievable secure sum rate scales with and hence, in most SNR regimes, our scheme outperforms the random coding scheme in which the secure sum rate does not grow with power. Furthermore, we show that our result matches the prior work in the infinite SNR regime. Additionally, we analyze our result numerically.

I Introduction

Gaussian Multiple Access Channel (MAC) has been considered under different security scenarios. One interesting scenario is the -user Gaussian MAC with an external eavesdropper in which the users wish to reliably send their messages to the receiver while keeping them hidden from the eavesdropper. This scenario has been investigated in [1] using the Gaussian i.i.d. random codes. Although, these codes achieve the capacity region of MAC without security, the result in [1] shows that they have a poor performance in relatively high SNR regimes when the security constraint is added. In an attempt to improve the high SNR results, researchers investigated the problem using the signal alignment technique. In particular, in [2] and[3], it is shown that their proposed schemes offer a significant improvement over the random coding counterpart in a very high SNR regime. In fact, the scheme proposed in [3] achieves the optimal secure Degrees of Freedom (DoF) of the -user Gaussian wiretap MAC. However, as these alignment schemes use a maximum-likelihood decoder, bounding the error probability of the decoder in the finite SNR regime is challenging and this limits their results to the high SNR regime.
In light of lattice alignment technique, the compute-and-forward framework was proposed in [4] which can operate at any finite SNR. Recently, the -user Gaussian MAC without security constraint has been investigated in [5] based on lattice coding and the compute-and-forward framework. The proposed scheme in[5] achieves the MAC sum capacity within a constant gap and for any finite SNR.
Motivated by the above arguments, we propose a new achievability scheme for the -user Gaussian wiretap MAC in which lattice alignment is used along with the asymmetric compute-and-forward framework. We evaluate the performance of our proposed scheme both analytically and numerically for any finite SNR. We prove that our proposed scheme achieves a secure sum rate that scales with , in contrast to the Gaussian random coding result which does not grow with SNR and therefore, it somehow fails at moderate and high SNR regimes. Finally, we show that the asymptotic behavior of our proposed scheme agrees with the prior work result in [2] in the high SNR regime.
The paper is organized as follows. In Section II, our setup preliminaries are described. Our main result is given in Section III along with the comparison to the prior works. In Section IV, the proof of the main result is presented. We conclude the paper in Section V. The proof of Lemma 1 used in Section IV is given in Appendix.

Ii Problem Statement

A -user (real) Gaussian wiretap multiple access channel (MAC) consists of transmitters, a receiver and an external eavesdropper. The relations between the channel inputs and outputs are given as


where is an -length channel input vector of user  which satisfies the following power constraint.


The vectors and in (1) are the receiver and the eavesdropper channel outputs, respectively. Also, and are the independent channel noises, each distributed i.i.d. according to . Finally, vectors and are real-valued vectors representing the channel gains to the receiver and the eavesdropper, respectively. The channel model is illustrated in Fig. 1.
User  encodes its confidential message , which is uniformly distributed over the set  and is independent of other users’ messages, through some stochastic mapping , i.e., , for . There is also a decoder  at the receiver side which estimates the messages, i.e., .

Fig. 1: The asymmetric Gaussian wiretap multiple access channel model.
Definition 1 (Achievable secure sum rate)

For the described channel model, a secure sum rate  is achievable, if for any and large enough , there exist a sequence of encoders and a decoder such that


where denotes the probability of the event.111Note that in Definition 1 we are interested in weak secrecy. The secure sum capacity is the supremum of all achievable secure sum rates.

Iii Main Results

The problem described in Section II has been treated in [2] and [3] in the infinite SNR regime. Their proposed schemes is based on bounding the minimum distance between the codewords in the receiver’s effective codebook. Using this method, they showed that the decoding error probability tends to zero, provided that the input power goes to infinity. In this paper, we present a new scheme which provides a lower bound on the secure sum capacity for the same model and for any finite value of SNR. To this end, we utilize the compute-and-forward framework presented in [4]. More precisely, we develop a coding scheme using an asymmetric compute-and-forward framework to address the asymmetric transmitter-eavesdropper channel gains, i.e., different values of for different users. It should be noted that the asymmetric compute-and-forward framework is also treated in [6], but here we add the security constraint to the framework.
In the compute-and-forward framework, the receiver first decodes linearly independent integer combinations of the transmitted lattice codewords and then, it solves the equations for its desired lattice codewords.222The rates are determined by how closely the equations integer coefficients match the channel gains . The equations are decoded successively meaning that at each step , the receiver cancels the effect of the previously decoded codewords from the current equation and solves it for the next codeword. The approach is similar to the Gaussian elimination with a difference that row switching is not allowed here. This limitation is due to the fact that a codeword cannot be eliminated from the current equation using another equation which has not been decoded yet. As a result, the order of canceling out the codewords cannot be chosen arbitrarily, however, it can be shown that there exists at least one successive cancellation order such that all  codewords can be decoded [5].

Proposition 1

Consider an index permutation function , i.e., , which gives a successive cancellation order in the compute-and-forward framework. Also, assume that the set of linearly independent integer-valued -length vectors  be the equations coefficients. Then, for the channel model in Section II, the receiver can decode the message with a vanishing error probability if


where the matrix is given as

The notation stands for the diagonal matrix built from the vector and is the power used at encoder  to generate its codewords. Notice that as long as the generated codewords are scaled properly before transmission, they would satisfy the channel input power constraint.333The scaling factors can be absorbed into the the channel gains.

Proposition 1 is immediately deduced from applying Theorem 2 along with Theorem 5 in [5] with an exception that, here, users operate at different powers. All other conditions stated in Theorem 5 in [5] still apply in Proposition 1.
In the following, we present a lower bound on the secure sum capacity achieved by the proposed scheme.

Theorem 1

A rate tuple offers an achievable secure sum rate for the channel model described in Section II, if they satisfy the following constraints.




The maximum in (7) is taken over all the possible successive cancellation orders  and the notation simply denotes the inverse permutation operator.
Proof of Theorem 1 is given in Section IV.

Comparison to the prior works

The -user Gaussian wiretap MAC has been investigated in [1] by means of i.i.d. Gaussian random coding. According to [1], for the considered channel model, the following secure sum rate is achievable


Note that the right hand side of expression (9) does not scale with power or in other words, the asymptotic behavior of (9) tends to a constant rate for a fixed number of users and a given set of channel gains. In contrast, our achievable secure sum rate in (8) scales logarithmic with . To prove this, we only need to show that the first term in (8) grows with as the second term is constant with respect to the power. Without loss of generality, let us assume and some (Note that according to the earlier discussion in Proposition 1,  is allowed). Then we have,


where inequality (a) is deduced from Theorem 4 in [5]. Now, we exploit Theorem 12 in [5] in which it is shown that , where the inequality holds for any and some constant with respect to . Therefore, if we take and ignore the constant terms in (10), we have . As a result, the secure sum rate in (8) grows with .
The numerical results are given in Fig. 2 which are evaluated for the three-user channel and random i.i.d. (real) Gaussian channel gains. It can be seen that for the moderate and high SNR regimes, our proposed scheme outperforms the random coding result presented in [1]. Notice that the achievable non-secure results are shown in the figure as well which can be considered as an upper bound on the secure sum rate.
Another interesting observation occurs when the channel to the legitimate receiver is degraded with respect to the channel to the eavesdropper. For the Gaussian setting and the same noise power, this corresponds to the case . In this case, according to the expression in (9), random coding fails to achieve a positive secure sum rate, while our scheme achieves a strictly positive secure sum rate as long as the ratios are not rational.444It can be shown that the Lebesgue measure of such rational ratios is small. To illustrate this observation, we ran an experiment on a two-user Gaussian wiretap MAC with a fixed power (at SNR) in which the channel gains are given as


for some random uniformly distributed over . This is an example of the case where . Fig. 3 shows that as long as the ratios of are not rational, a positive secure sum rate can be attained following our scheme.
At last, we investigate the asymptotic behavior of the expression (8). We show that our scheme achieves a total secure DoF of . Earlier, to prove the scalability of (8) with , we showed that the is proportional to , provided that the constant terms are ignored. Therefore,


Thus, the asymptotic behavior of the proposed scheme agrees with the result in [2]. In fact, we can further improve the presented scheme so that its asymptotic behavior reaches the optimal secure degrees of freedom given in [3]. The latter is aimed to be presented in the extended version.

Fig. 2: Achievable sum rate, with and without security evaluated for the three-user asymmetric Gaussian MAC at different SNR.
Fig. 3: Achievable sum rate evaluated for the two-user asymmetric Gaussian wiretap MAC with channel gains given as in (11) at SNR=25 dB.

Iv Proof of Theorem 1

In this section, we use notions and properties related to the lattice coding and nested lattice structure which are discussed in detail in the seminal work by Erez and Zamir in [7]. Due to the space limitation, we avoid discussing the previously known results in this paper and we focus on the new results. Our proposed scheme provides security by confusing the eavesdropper through aligning the codewords at the eavesdropper side such that it can only decode the subsets of the codewords which have the same sum values in . To this end, each encoded codeword at transmitter  is scaled before the transmission by a factor of , i.e., , so that the eavesdropper receives the sum of the codewords as its channel output, i.e., . Consequently, user  generates its codewords  using power of so that the transmitted codewords satisfy the power constraint in (2).
As it was mentioned earlier, to address the problem of users with different powers, we utilize the asymmetric compute-and-forward framework along with a nested lattice structure. In our asymmetric compute-and-forward framework, user  generates a sequence of -length lattice codewords   using a pair of fine and coarse lattice sets as . The coarse lattice  is scaled such that its second moment equals to the available power at user , i.e., . Also, we impose a nested structure on the users’ lattice pairs as


In the rest of the proof, we shall assume in (8). If that is not the case, we can simply re-index the users indices and define a nested structure as in (13) for the re-indexed users.
User  constructs its codebook in three steps. The first step for user  is to construct its inner codebook , where is the fundamental Voronoi region of the coarse lattice . The ratio between the coarse and the fine lattices is set such that  consists of inner codewords , i.e., . The inner codewords have a uniform distribution over .
In the second step, user  builds its outer codebook by generating  i.i.d. copies of the inner codewords , for some large enough . Let us denote the outer codewords as . Then we have . Note that each is independently and uniformly distributed over . It is worth to mention that the outer code is added only for technicality reasons in the proof of Lemma 2 in [8] and it does not increase secrecy. Also, adding the outer layer to the codebook changes the block length of the overall codewords from to .
Finally, in the third step, the wiretap codebook is built. To this end, user  partitions the outer codewords into equal-size bins and randomly assigns each index to exactly one bin. Rates  are chosen such that they satisfy (6) and , for some small . Also, user  has a random dither for each block , which is independently generated according to a uniform distribution over . Dithers are public and do not increase secrecy.555As the average leakage rate (w.r.t. dithers) goes to zero, there must exist a sequence of deterministic dithers for which the leakage rate goes to zero.
To send a message , user  randomly picks a codeword  from the corresponding bin and dithers it. Then, it scales the resulting codeword by the factor of . The signal transmitted by user  is


Note that in (14) the modular operation is done block-wise, meaning that for the signal transmitted at block  is .

Proof of secrecy

In this subsection, we bound the eavesdropper’s equivocation rate. Without loss of generality, let us assume . We have


In the above inequalities, (a) is deduced from applying the packing lemma to the outer codewords (detailed proof of this step is provided in Appendix of [8]). (b) is true since after subtracting the noise from , the remaining random vectors become independent of the noise. (c) is true since is the densest lattice among the lattices , according to the nested structure in (13). Therefore,

Also, notice that

where . Inequality (d) is due to the reason that the codeword can be obtained from the modulo-sum and the sequence of codewords . (e) holds since dithers are independent of the codewords and conditioning reduces entropy. (f) is deduced from Lemma 2 in [9] (Crypto lemma), which implies that for each block  , has uniform distribution over the codebook and is independent of . (g) is true since and for , inner codewords have i.i.d. uniform distribution over . Also, consists of  i.i.d. copies of by its definition. (h) follows from applying Lemma 1 in Appendix to , and finally, (i) is deduced by defining . Thus, the condition in (4) is satisfied and the proof of secrecy is completed.

V Conclusion

In this paper, we proposed a security scheme built on the asymmetric compute-and-forward framework, which works at any finite SNR. The achievable secure sum rate presented in our scheme scales with and therefore, it significantly outperforms the existing random coding result for the most SNR regimes. Our presented scheme also achieves a total secure DoF of . This result can be furthered improved to achieve the optimal secure DoF which is aimed to be presented in our future work.


The authors would like to thank Bobak Nazer and Prakash Ishwar for their valuable comments and helpful discussions.


  • [1] E. Tekin and A. Yener, “The general gaussian multiple-access and two-way wiretap channels: Achievable rates and cooperative jamming,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2735–2751, 2008.
  • [2] G. Bagherikaram, A. S. Motahari, and A. K. Khandani, “On the secure degrees-of-freedom of the multiple-access-channel,” available online
  • [3] J. Xie and S. Ulukus, “Secure degrees of freedom of one-hop wireless networks,” Submitted September 2012, available online
  • [4] B. Nazer and M. Gastpar, “Compute-and-forward: Harnessing interference through structured codes,” IEEE Transactions on Information Theory, vol. 57, no. 10, pp. 6463–6486, 2011.
  • [5] O. Ordentlich, U. Erez, and B. Nazer, “The approximate sum capacity of the symmetric gaussian k-user interference channel,” IEEE Transactions on Information Theory, To appear 2014, available online
  • [6] V. Ntranos, V. R. Cadambe, B. Nazer, and G. Caire, “Asymmetric compute-and-forward,” in 51th Annual Allerton Conference on Communications, Control, and Computing, Monticello, IL, September 2013.
  • [7] U. Erez and R. Zamir, “Achieving on the channel with lattice encoding and decoding,” IEEE Transactions on Information Theory, vol. 50, no. 10, pp. 2293–2314, 2004.
  • [8] P. Babaheidarian and S. Salimi, “Compute-and-forward can buy sececy cheap (extended version),” preprint available at, 2015.
  • [9] G. D. Forney, “On the role of mmse estimation in approaching the information-theoretic limits of linear gaussian channels: Shannon meets wiener,” in 41th Annual Allerton Conference on Communications, Control, and Computing, Monticello, IL, September 2003.


Lemma 1

Consider a set of -dimensional lattices with their fundamental Voronoi regions as , respectively. Assume that all the lattices are scaled such that their second moments equal to , where . Now construct random vectors , for , as , where are independent -dimensional random vectors uniformly distributed over , respectively, and the operation is the nearest neighbor quantizer with respect to the lattice . Then, for all and sufficiently large , the entropy of is bounded as


where tends to zero as .

Proof: According to Lemma 1, is the output of the lattice quantizer , so it can only take discrete values. To bound the entropy of , first we bound the range of as follows. Let denote the covering radius of , i.e., the radius of the smallest ball containing the Voronoi region . Also, let denote the radius of the sphere which has the same volume as the volume of , i.e., . Now, consider (-dimensional) balls whose second moments per dimension equal to and their radii are given as , respectively. Next, for each , consider a random vector with the uniform distribution over an -dimensional ball . Recall that a ball has the smallest normalized second moment for a given volume [7]. Therefore, we have


Now, consider a random vector , in which random vectors are i.i.d. according to the distribution  and therefore, . Then, from (17) we have . Now, using Lemma 11 in [7], we conclude that


where goes to zero as goes to infinity. Notice that in deriving (18) we also used the fact that vectors are independent vectors, and hence, pdf of their sum is the convolution of their individual pdfs. Now we can bound the range of as follows. For any ,

Inequality (a) follows from (18) and non-negativity of the -norm. Also, the last inequality is deduced from the Weak Law of Large numbers (WLL) for sufficiently large . Since we showed that belongs to the ball with probability , it only remains to find an upper bound on the number of non-intersecting Voronoi regions which fit in this ball, i.e.,

where inequality (a) is concluded from Lemma 6 in [7] and inequality (b) follows from (17). Finally, recall that for a high dimensional good lattices, we have  [7]. Therefore,

Note that using WLL, the term tends zero as goes to infinity. This completes the proof.

Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description