Enhancing Secrecy Rates in a wiretap channel
Reliable communication imposes an upper limit on the achievable rate, namely the Shannon capacity. Wyner’s wiretap coding, which ensures a security constraint in addition to reliability, results in a decrease of the achievable rate. To mitigate the loss in the secrecy rate, we propose a coding scheme in which sufficiently old messages are used as a key, and for this scheme we prove that multiple messages are secure with respect to (w.r.t.) all the information possessed by the eavesdropper. We also show that we can achieve security in the strong sense. Next we consider a fading wiretap channel with full channel state information of the eavesdropper’s channel and use our coding/decoding scheme to achieve secrecy capacity close to the Shannon capacity of the main channel (in the ergodic sense). Finally, we also consider the case where the transmitter does not have the instantaneous information of the channel state of the eavesdropper, but only its distribution.
Shahid M Shah, Student Member, IEEE, and Vinod Sharma, Senior Member, IEEE
Part of the paper was presented in 2013 IEEE International Conference on Communications Workshop on Physical Layer Security (ICC), Budapest, Hungary.
Shahid M Shah and Vinod Sharma are with Electrical communication Department, Indian Institute of Science, Bangalore, India.
Physical layer security, Wiretap Channel, Resolvability, Rate loss
With the advent of wireless communication, the issue of security has gained more importance due to the broadcasting nature of the wireless channel. Wyner  proposed a coding scheme to implement security at physical layer for a degraded wiretap channel, which is independent of computational capacity of the adversary. The result of Wyner was generalized to a more general broadcast channel . More recently, the growth of wireless communication systems has intensified the interest in implementing security at physical layer ( , , ).
There is a trade-off between the achievable rate and the level of secrecy to be achieved. In particular, in the coding scheme which achieves the secrecy capacity in a discrete memoryless wiretap channel, the eavesdropper (Eve) is confused with the random messages at a rate close to Eve’s channel capacity, thus resulting in loss of transmission rate , .
Considerable progress has recently been made to improve the achievable secrecy rate of a wiretap Channel. In  a wiretap channel with rate-distortion has been studied, wherein the transmitter and the receiver have access to some shared secret key before the communication starts. Secret key agreement between the transmitter (Alice) and the legitimate receiver (Bob) has been studied extensively in literature (-). When Alice and Bob have access to a public channel, the authors in  and  proposed a scheme to agree on a secret key about which the adversary has less information (leakage rate goes to zero asymptotically).
In  the authors have considered the wiretap channel with secure rate limited feedback. This feedback is used to agree on a secret key, and the overall secrecy rate is enhanced. Under some conditions, the secrecy rate achieved can be equal to the main channel capacity. In  the authors have considered a modulo-additive discrete memoryless wiretap channel with feedback. The feedback is transmitted using the feed-forward channel only. The feedback signal can be used as a secret key. The authors propose a coding scheme which achieves secrecy rate equal to the main channel capacity. Wiretap channel with a shared key was studied in .
Fading wiretap channel was studied in ,  and . In , previously transmitted confidential messages are stored in a secret key buffer and used in future slots to overcome the secrecy outage in a fading wiretap channel. In this model the data to be securely transmitted is delay sensitive. In  the authors also use previously transmitted bits and store in a secret key buffer to leverage the secrecy capacity against deep fades in the main channel. The authors prove that all messages are secure w.r.t. all the outputs of the eavesdropper. The secrecy rate is not enhanced but prevented to decrease when the main channel is worse than the eavesdropper’s channel. A multiplex coding technique has been proposed in  to enhance the secrecy capacity to the ordinary channel capacity. The mutual information rate between Eve’s received symbols and the (single) message transmitted is shown to decrease to zero as codeword length increases.
In most of the work cited above the security constraint used is weak secrecy where if the message to be confidentially transmitted is and the information that eavesdropper gets in channel uses is , then . From stringent security point of view, this notion is proved to be vulnerable for leaking some useful information to the eavesdropper . Maurer in  provided a coding scheme combined with privacy amplification and information reconciliation that achieves secrecy capacity (same as in the weak secrecy case) with a strong secrecy constraint, i.e., . There are other ways to achieve strong secrecy (see chapter 21 in ,  and ).
In this paper, we consider a time slotted wiretap channel. The messages transmitted in a slot are used as a key to encrypt the message in the next slot of communication. Simultaneously, we use the wiretap encoder for another message in the same slot, which enhances the secrecy rate. We ensure that in each slot the currently transmitted message is secure with respect to (w.r.t.) all the output that Eve has received so far.
In the next part of this paper we extend this work to the wiretap channel with a secret key buffer, where the key buffer is used to store the previously transmitted secret messages. In this scheme we use the oldest messages stored in the key buffer as a key in a slot and then remove those messages from the key buffer (a previous message is used as a key only once). In each slot this key is used along with a wiretap encoder to enhance the secrecy rate. With this, not only the current message but all the messages sent in the recent past are jointly secure w.r.t. all the data received by Eve till now. We also study a slow fading wiretap channel with the proposed coding scheme. We show that the water-filling power control along with our coding scheme provides a secrecy capacity close to the Shannon capacity.
We also show that if resolvability based coding scheme  is used instead of wiretap coding in a slot, then we can achieve secrecy capacity equal to the main channel capacity in the strong sense also.
The rest of the paper is organised as follows. The channel model and the problem statement are presented in Section 2. Section 3 provides our coding and decoding scheme and shows that it can provide Shannon capacity for an AWGN wiretap channel. Section 4 extends it to a fading wiretap channel with the eavesdropper’s channel information at the transmitter, while Section 5 provides the results when this information is not available at the transmitter. Section 6 concludes this paper.
A note about the notation. Capital letters, e.g., will denote a random variable and the corresponding small letter its realization. An -length vector will be denoted as . Information theoretic notation will be same as in .
2 Channel Model and Problem Statement
We consider a discrete time, memoryless, degraded wiretap channel, where Alice wants to transmit messages to Bob. We want to keep Eve (who is passively "listening") ignorant of the messages (Fig. 1).
Formally, Alice wants to communicate messages reliably over the wiretap channel to Bob, while ensuring that Eve is not able to decode them, where , the secrecy capacity is defined below. is distributed uniformly over . At time , is the channel input and Bob and Eve receive the channel outputs and respectively, where . The transition probability matrix of the channel is . The secrecy capacity ()
is assumed .
We consider the system as a time slotted system where each slot consists of minislots and one minislot consists of channel uses; being a large positive integer. We are interested in transmitting a sequence of messages uniformly distributed over . Let be the capacity of Alice-Bob channel and denote the integer part of . For simplicity, we take as an integer. The message to be transmitted in slot consists of one or more messages . The codeword for message is denoted by . The corresponding received bits by Eve are . To increase the secrecy rate, the transmitter uses previous messages as keys for transmitting the messages in a later slot.
We will denote by the probability that any of the messages transmitted in a slot is not received properly by Bob: where is the decoded message by Bob in slot .
For secrecy we consider the leakage rate
in slot where is an arbitrarily large positive integer which can be chosen as a design parameter to take into account the secrecy requirement of the application at hand (footnote 1: one motivation for this is the law in various countries where old secret documents are declassified after a certain number of years). Then of course we should be considering . This means that Eve at time is not interested in very old messages transmitted before slot .
Rate is achievable if there are coding-decoding schemes for each such that and as , where is an arbitrarily large fixed constant.
In the following we explain our coding scheme. The message transmitted in slot is stored in a key buffer (of infinite length) for later use as a key. After certain bits from the key buffer are used as a key for data transmission, those bits are discarded from the key buffer, not to be used again. Let be the number of bits in the key buffer at the beginning of slot . Let be the number of key bits used in slot from the key buffer. Then
where denotes the number of bits in . Now we explain the coding-decoding scheme used in this paper.
To transmit message in slot , the encoder has two parts
where is the set of secret keys generated and is the wiretap encoder, as in . We use the following encoder for : Take binary version of the message and with the binary version of the key. Encode the resulting encrypted message with an optimal usual channel encoder (e.g., an efficient LDPC code).
Assume . The case of can be easily handled in the same way. In the first slot message , encoded using the wiretap coding only is transmitted (we use only the first minislot, see Fig. 2). At the end of slot 1, bits of this message are stored in the key buffer. Thus . In slot 2, message consisting of two messages are transmitted. is transmitted via wiretap coding and uses as a key and the encrypted message is transmitted via a usual capacity achieving channel code. At the end of slot 2, bits of are removed from the key buffer and bits of are stored in the key buffer. Since Bob is able to decode with a large probability, but not Eve, can be an effective key in slot 2. In slot 3, message consisting of 3 messages from the source message sequence are transmitted: one message in the first mini slot denoted as via wiretap coding and two messages denoted together as via encryption with message as key bits. In any mini-slot we can transmit up to messages via encryption with a key. This is because we cannot transmit reliably at a rate higher than Bob’s capacity . Thus, the maximum number of messages that can be transmitted in a slot is . Once we reach this limit, from then onwards messages will be transmitted in a slot providing the achievable rate which can be made as close to as we wish by making arbitrarily large.
Consequently, in slot , messages from the source message stream are transmitted, bits from the key buffer are removed in the beginning of slot and bits are added to the key buffer at the end of slot . The overall message is denoted by with consisting of one source message transmitted via wiretap coding and consisting of messages transmitted via the secret key. From slot onwards messages are transmitted in the above mentioned fashion.
We use the key buffer as a first in first out (FIFO) queue, i.e., at any time the oldest key bits in the buffer are used first. Also as .
We have a secret key buffer at Bob’s decoder also that is used in the same way as at the transmitter. The confidential messages decoded by the decoder are stored in this buffer. For decoding at Bob, in slot 1 the usual wiretap decoder is used (say, a joint-typicality decoder). From slot 2 onwards, for the first mini-slot, we use the wiretap decoder while for the rest of the mini-slots, we use the channel decoder (corresponding to the channel encoder used) and then the decoded message with the key used.
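The key-buffer bookkeeping at Alice and Bob described above can be traced with a toy simulation, added here as an illustration and not taken from the paper. The wiretap code and the channel code are abstracted as ideal, and `run_slots`, `msg_bits` and `max_keyed` are names and values assumed for this example.

```python
import secrets
from collections import deque


def run_slots(num_slots, msg_bits=16, max_keyed=3):
    """Simulate the key-buffer bookkeeping for `num_slots` slots.

    Assumptions of this example (not from the paper): every message is
    `msg_bits` long, at most `max_keyed` messages per slot are sent under
    a key, the wiretap-coded message reaches Bob but not Eve, and the
    channel code delivers ciphertexts without error.
    """
    alice_buf, bob_buf = deque(), deque()  # FIFO of (slot_stored, message)
    log = []
    for k in range(1, num_slots + 1):
        # One wiretap-coded message, plus as many keyed messages as there
        # are unused keys (capped by what Bob's channel can carry).
        n_keyed = min(len(alice_buf), max_keyed)
        sent = [secrets.randbits(msg_bits) for _ in range(1 + n_keyed)]

        # Alice: pop the OLDEST keys; popping guarantees one-time use.
        keys = [alice_buf.popleft() for _ in range(n_keyed)]
        ciphertexts = [m ^ key for m, (_, key) in zip(sent[1:], keys)]

        # Bob: same FIFO discipline on his mirror buffer, then XOR again.
        bob_keys = [bob_buf.popleft() for _ in range(n_keyed)]
        decoded = [sent[0]] + [c ^ key for c, (_, key) in zip(ciphertexts, bob_keys)]

        # End of slot: both sides store this slot's messages as future keys.
        alice_buf.extend((k, m) for m in sent)
        bob_buf.extend((k, m) for m in decoded)

        log.append({
            "slot": k,
            "messages": len(sent),
            "key_bits_used": n_keyed * msg_bits,
            "buffer_bits": len(alice_buf) * msg_bits,
            # Age (in slots) of the most recent message used as a key.
            "youngest_key_age": min((k - s for s, _ in keys), default=None),
            "decoded_ok": decoded == sent,
        })
    return log


if __name__ == "__main__":
    for row in run_slots(12):
        print(row)
```

With these defaults the buffer grows by one message per slot, so the youngest key in use keeps getting older (1 slot at slot 4, 3 slots at slot 12), which is the behaviour the secrecy argument relies on.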
The above coding-decoding schemes ensure that as . There is a small issue of error propagation due to using the previous message as key: Let be the message error probability for the wiretap encoder and let be the message error probability due to the channel encoder for . Then and as . For the slot, we have Error in decoding Error in decoding Error in decoding . Thus the error increases with . But restarting (as in slot 1) after some large slots as in slot 1 (i.e., again start with one message in the first minislot and no message in the rest of the slot) will ensure that as .
In the rest of the paper we show that our coding scheme provides an achievable rate with the above secrecy criterion as close to as needed, for all large enough. We also note that the following proof is valid for . The proof for is different from the proposed proof and one can refer to  for details of the proof. We will denote the codeword and for the data received by Eve in the first part and the second part of slot .
3 Capacity of Wiretap Channel
The secrecy capacity of our coding-decoding scheme is and it satisfies (2) for any , for all large enough.
Proof: As mentioned in the last section, by using our coding-decoding scheme, using wiretap coding and secure key, in any slot , Bob is able to decode the message with probability as .
Fix and a small . Due to wiretap coding, we can choose such that for all . Since the key buffer , we use the oldest key bits in the buffer first and in any slot do not use more than key bits, after some time (say slots) for all we will be using key bits only from the messages for messages . Furthermore,
We show in Lemma 1 that
and in Lemma 2 that
By fixing , we can take small enough such that is less than any desired value.
So far we have been considering an infinite buffer system. But an actual system will have a finite buffer. Now we compute the key buffer length needed for our system.
If we fix the probability of error for Bob and the upper bound on equivocation, then we can get the code length needed. Also, from the secrecy requirement, we can fix . Once and are fixed, to ensure that eventually, in slot we will use a key from messages before time , the key buffer size should be bits. Also, since in each slot, the key buffer length increases by bits, the key buffer will have at least bits after slot . In the finite buffer case the key buffer will eventually overflow. We should lose only the latest bits arriving in any slot (not the bits already stored).
We can obtain Shannon capacity even with strong secrecy. For this instead of using the usual wiretap coding of Wyner in the first minislot of each slot we use the resolvability based coding scheme . Then instead of for large enough. Then from proof of Theorem 1, our coding-decoding scheme provides
4 AWGN Slow Fading Channel
We consider a slow flat fading AWGN channel (Fig. 1), where the channel gains in a slot are constant. The channel outputs are,
where is the channel input, and are independent, identically distributed sequences independent of each other and with distributions and respectively, and denotes Gaussian distribution with mean and variance . Also and are the channel gains to Bob and Eve respectively in the given slot. Let and .
The channel gains and in slot are constant and sequences and are and independent of each other. We assume that is known at the transmitter and Bob at the beginning of slot . The notation and assumptions are same as in Section 3. Power is used in slot for transmission. There is an average power constraint,
Given and at the beginning of slot , Alice needs to decide on and such that the resulting average transmission rate is maximized subject to (12), (2) and , where is the transmission rate in slot . We compute this capacity for ; otherwise, the capacity is zero. At the end of slot , bits are stored in the key buffer for later use as a key while bits have been removed. Thus, the buffer size evolves as,
For convenience, we define
where is the power used when the channel gains are and . Unlike Sections 2 and 3 where initial messages are with cardinality , we use adaptive coding and power control.
Then, we have the following theorem.
The secrecy rate
is achievable if , where is the water-filling power policy for Alice Bob channel.
We follow the coding-decoding scheme of Section 3 with the following change to account for the fading.
Each slot has mini-slots. We fix a power control policy satisfying average power constraint. We transmit for the first time when and use wiretap coding in all the minislots. We store all the transmitted bits in the key buffer also.
From next slot onwards, we use the first mini-slot for wiretap coding (if ) and rest of the mini-slots for transmission via secret key (if use only minislots for transmission with secret key in slot and do not use the first minislot, with . In every slot we remove bits and add bits to the key buffer. Since , . Thus and eventually, in every slot we will transmit in the first mini-slot at rate
and in the rest of the mini-slots at rate with arbitrarily large probability.
The average rate in a slot can be made as close to as we wish by making large enough. Thus, the rate for this coding scheme is maximized by water filling.
Now we want to ensure that for large enough, for messages we use only keys from . It can be ensured if we do not use more than key bits in a slot and from onward the key queue length bits, where the constant can be chosen arbitrarily large. Thus we modify the above scheme such that we use key bits in a slot instead of bits. By making as large as needed, we can get arbitrarily close to the water filling rate. ∎
5 Fading Wire-tap With no CSI of Eavesdropper
In this section we assume that the transmitter knows only the channel state of Bob at time but not , the channel state of Eve. This is more realistic because Eve is a passive listener. Now we modify our fading model. Instead of being constant during a slot (slow fading), the coherence time of is much smaller than the duration of a minislot. Then we can use the coding-decoding scheme of  in the first minislot with secrecy rate and , where
Now we have the following proposition
Secrecy capacity equal to the main channel capacity without CSI of Eve at the transmitter
is achievable subject to power constraint , where is the waterfilling policy.
Since each mini-slot is of long duration compared to the coherence time of the fading process , the coding scheme of  can be used without the CSI of Eve in the first minislot of each slot. This can achieve secrecy capacity
subject to the power constraint , with Now we can use the coding-decoding scheme of Section 3 to achieve the secrecy capacity equal to the main channel capacity
In this paper we have achieved secrecy rate equal to the main channel capacity of a wiretap channel by using the previous secret messages as a key for transmitting the current message. We have shown that not only the current message being transmitted, but all messages transmitted in last slots are secure w.r.t. all the outputs of the eavesdropper till now, where can be taken arbitrarily large. We have extended this result to fading wiretap channels when CSI of Eve may or may not be available to the transmitter. The optimal power control is water filling itself.
8 Proofs of Lemmas
Lemma 1: The following holds
Proof: We have,
because , where denotes that random variable is independent of .
where denotes the sequence without . However,
Also, because is independent of ,
Furthermore, since we have
Using the fact that we can directly show that the right side equals zero.
Let denote the indices of the slots in which messages are transmitted which are used as keys for transmitting and . Since
where denotes that forms a Markov chain, we have
where follows from (30), follows since and follows since .
We can similarly show that the other terms on the right side of (5) are also upper bounded by . This proves the lemma.
Lemma 2: The following holds