# On The Capacity of Broadcast Channels With Degraded Message Sets and Message Cognition Under Different Secrecy Constraints

###### Abstract

This paper considers a three-receiver broadcast channel with degraded message sets and message cognition. The model consists of a common message for all three receivers, a private common message for only two receivers and two additional private messages for these two receivers, such that each receiver is only interested in one message, while being fully cognizant of the other one. First, this model is investigated without any secrecy constraints, where the capacity region is established, showing that the straightforward extension of the Körner and Marton inner bound to the investigated scenario is optimal. In particular, this agrees with Nair and Wang’s result, which states that the idea of indirect decoding – introduced to improve the Körner and Marton inner bound – does not provide a better region for this scenario. Further, some secrecy constraints are introduced by letting the private messages to be confidential ones. Two different secrecy criteria are considered: joint secrecy and individual secrecy. For both criteria, a general achievable rate region is provided. Moreover, the joint and individual secrecy capacity regions are established, if the two legitimate receivers are more capable than the eavesdropper. The established capacity regions indicate that the individual secrecy criterion can provide a larger capacity region as compared to the joint one, because each cognizant message can be used as a secret key for the other individual message. Further, the joint secrecy capacity is established for a more general class of more capable channels, where only one of the two legitimate receivers is more capable than the eavesdropper. This was done by showing that principle of indirect decoding introduced by Nair and El Gamal is optimal for this class of channels. This result is in contrast with the non-secrecy case, where the indirect decoding does not provide any gain.

## I Introduction

The broadcast channel (BC) with degraded message sets was initially introduced by Körner and Marton in [3]. They considered a two-receiver BC, where a common message is transmitted to both receivers and a private message is transmitted to only one of them. They established the capacity region for the general BC by providing a strong converse. The extension of Körner and Marton results to the three-receiver BC with two degraded message sets has been considered in [4, 5], where it has been shown that the straightforward extension of the Körner and Marton inner bound is optimal for many special cases. In [6], Nair and El Gamal considered a three-receiver BC with degraded message sets, where a common message is sent to all three receivers, while a private message is sent to only one receiver. They showed that the straightforward extension of the Körner and Marton inner bound for this scenario is no longer optimal. They presented a new coding scheme known as indirect decoding and showed that the resultant inner bound of this technique is strictly greater than the Körner and Marton inner bound. However, in [7], Nair and Wang showed that if the private message is to be sent to two receivers instead of one, the idea of indirect decoding does not yield any region better than the Körner and Marton inner bound. Another scenario for three-receiver BC with degraded message sets was considered in [8], where a common message is sent to all three receivers, while two private messages are only sent to two receivers with some message cognition at these receivers. In general, the transmission of degraded message sets over three-receiver BC has captured a lot of attention, yet it has not been completely solved as many questions remained unanswered beyond the two-receiver case.

Recent work does not only consider reliable transmission, but it also considers more complex scenarios that involve certain secrecy requirements. In particular, physical layer security has attracted a lot of researchers nowadays, see for example [9, 10, 11, 12] and references therein. Shannon was the first one to study the problem of secure communication from an information theoretic perspective in [13]. He showed that it can be achieved by a secret key shared between the transmitter and the receiver if the entropy of this key is greater than or equal to the entropy of the message to be transmitted. In [14], Wyner studied the degraded wiretap channel and proved that secure transmission is still achievable over a noisy channel without any secret key. In [15], Csiszár and Körner extended Wyner’s result to the general BC with common and confidential messages. In [16, 17], the previous two approaches were combined by studying the availability of a shared secret key during secure transmission over a wiretap channel. In [18], Kang and Liu proved that the secrecy capacity for this scenario is achieved by combining the wiretap coding principle along with Shannon’s one-time pad idea. Over the years, the integration of confidential and public services over different channels has become very important [19].

Despite the tremendous effort of researchers, the extension of Csiszár and Körner’s work to BC with two or more legitimate receivers has remained an open topic. In [20], Chia and El Gamal investigated the transmission of one common and one confidential message over a BC with two legitimate receivers and one eavesdropper. They derived a general achievable rate region and established the secrecy capacity if the two legitimate receivers are less noisy than the eavesdropper. They also showed that in some cases the indirect decoding can provide an inner bound that is strictly larger than the direct extension of Csiszár and Körner’s approach.

In this paper we investigate the transmission of degraded message sets with two layers over a three-receiver BC under different secrecy constraints. Our model combines the scenarios in [7, 8, 20] as follows: a common message is transmitted to all three receivers, a confidential common message to the two legitimate receivers and two confidential individual messages to the two legitimate receivers, where each receiver is only interested in one them, while being fully cognizant of the other one. This problem is of high interest and importance because it does not only generalize and combine the previous works in [7, 8, 20], but it is also of practical relevance since it can be motivated by the concept of two-phase bidirectional relaying in a three-node network [21, 22].

In the first phase of the bidirectional relaying, node 1 and node 2 transmit their messages to the relay node which decodes them, while keeping the eavesdropper unable to intercept any information about the transmission. This phase corresponds to the multiple access wiretap channel and was investigated in [23, 24, 25], where the latter discusses different secrecy criteria. Our work is related to the succeeding broadcast phase, where the relay re-encodes and transmits these messages back to the intended nodes. Since the receiving nodes are cognizant of their own message from the previous phase, they can use it as an additional side information for decoding. First results for the case where this communication scenario must be protected against an additional eavesdropper appeared in [26], where different achievable rate regions and an outer bound were provided. In our problem, we have an additional feature as the relay transmits another common confidential message to both legitimate receivers and a common message for all three nodes.

In [26], the authors claimed to define the secrecy requirement of their model based on a conservative secrecy measure known as joint secrecy. This measure assures the secrecy of each confidential message even if the other one is compromised. However, they established an achievable region in [26, Theorem 1] using secret key approach, where the confidential message of one user is used as a secret key for the other one. One can show that this encoding scheme does not fulfill the joint secrecy constraint. This observation encouraged us to consider another secrecy constraint, in which the legitimate receivers can cooperate together to protect their confidential messages based on some form of mutual trust. This led to the less conservative secrecy measure known as individual secrecy. In [1, 2], we investigated the effect of relaxing the secrecy constraint from joint secrecy to individual secrecy on the capacity region of the BC with receiver side information. On the other hand, different individual secrecy coding techniques has been introduced in an early parallel and independent work in [27] and more recently in [28, 29, 30].

The rest of this paper is organized as follows. In Section II, we introduce the model of three-receiver BC with degraded message sets and full message cognition without any secrecy constraints. We provide a weak converse showing that the straightforward extension of the Körner and Marton inner-bound is in fact the capacity region. This result agrees with the one in [7], that for this case indirect decoding can not outperform the Körner and Marton inner bound. In Section III, we introduce secrecy constraints to our model and discuss the differences between the joint and individual secrecy criteria. In Section IV, we provide an achievable rate region for the joint secrecy criterion. We then establish the joint secrecy capacity region if only one of the legitimate receivers is more capable than the eavesdropper using the principle of indirect decoding. In Section V, we provide an achievable rate region for the individual secrecy criterion. We then establish the individual secrecy capacity region if the two legitimate receivers are more capable than the eavesdropper.

### Notation

In this paper, random variables are denoted by capital letters and their realizations by the corresponding lower case letters, while calligraphic letters are used to denote sets. denotes the sequence of variables , where is the variable in the sequence. Additionally, we use to denote the sequence ). A probability distribution for the random variable X is denoted by . denotes a Markov chain of random variable U, V and X in this order, while implies that and are Markov chains. is used to denote the set of nonnegative real numbers. and are the traditional entropy and mutual information. The probability of an event is given by , while is used to represent the expectation. Moreover, is used to represent the set of natural numbers between and .

## Ii BC with Degraded Message Sets and Message Cognition

In this section, we investigate the three-receiver BC with degraded message sets and message cognition without any secrecy constraints. First, we introduce our model, then establish the capacity region for the general three-receiver BC with two degraded message sets.

### Ii-a System Model and Channel Comparison

Let , , and be finite input and output sets. Then for input and output sequences , , and of length , the discrete memoryless BC is given by

where represents the transmitted sequence, , and represent the received sequence at the three receivers. Before we discuss our model in details, we need to introduce two important classes of BCs, that we will address a lot in our investigation.

###### Definition 1.

In a discrete memoryless BC , is said to be less noisy than , also written as , if for every random variable such that forms a Markov chain, we have

(1) |

On the other hand, is said to be more capable than , if for every input distribution on , we have

(2) |

The class of more capable channels is strictly wider than the less noisy one. It can be shown that any less noisy channel is a more capable one. Further, it was shown that the class of less noisy channels contains the physically and stochastically degraded channels [31].

We consider the standard model with a block code of arbitrary but fixed length . We consider four different messages sets. The first set contains the common messages for all three receivers and is denoted by . The second set is denoted by and contains the private common messages for Receivers and . While the last two sets contain the individual private messages and . Further, we assume full message cognition at and ^{1}^{1}1From this point, we will refer to different receivers by their respective channel outputs interchangeably., such that is cognizant of the entire message and of the entire message as shown in Fig. 1.

###### Remark 1.

###### Definition 2.

A code for the BC with degraded message sets and message cognition consists of: four independent message sets , , and ; an encoding function at the transmitter

which maps a message quadruple to a codeword ; and three decoders, one at each receiver

that maps each channel observation at the respective receiver and the cognizant message to the corresponding intended messages or an error message .

We assume that the messages , , and are independent and chosen uniformly at random. The reliability performance of is measured in terms of its average probability of error

(3) |

where , and are the estimated messages at , and respectively.

###### Definition 3.

A rate quadruple is achievable for the BC with degraded message sets and message cognition, if there exists a sequence of codes and a sequence , such that for is large enough, the following holds

(4) |

### Ii-B Capacity Region

###### Theorem 1.

The capacity region of the three-receiver BC with degraded message sets and message cognition is the set of all rate quadruples that satisfy

(5) |

for some , such that forms a Markov chain. Further it suffices to have .

###### Proof:

The achievability follows directly from the straightforward extension of the Körner and Marton inner bound in [3] to the three-receiver BC with degraded message sets and message cognition as in [7, 8]. Superposition encoding is used as follows: is encoded in the cloud centers codewords , while are superimposed in the satellite codewords . Joint typicality decoders are then used at each receiver leading to the bounds in (5).

For the converse, we start by establishing the reliability upper bounds for any achievable rates. Based on Fano’s inequality, the expression of the average error probability in (3) and the reliability constraint given by (4), we have

(6) | ||||

(7) | ||||

(8) |

where , and .

Next, we let , , , , , and . We then start by considering the common rate . Using Eq. (6), we have

(9) |

Next, we consider the sum of the private rates which are intended for receiver . We have

(10) |

where follows from (7); follows as and follows by the Csiszár sum identity [15, Lemma 7]. If we use Eq. (8) and follow the exact same steps, we can derive a similar bound for the sum of the private rates intended for receiver as follows:

(11) |

Now using (9), (10) and (11) followed by introducing a time sharing random variable independent of all others and uniformly distributed over , and let , , , , , , , and , then take the limit as such that, , and , we reach the following

(12a) | ||||

(12b) | ||||

(12c) |

where and form Markov chains. Since the conditional mutual information is the expectation of the unconditional one, Eq. (12b) can be further upper-bounded as follows:

(13) |

where follows as is the value of that maximizes the difference ; while follows because is distributed according to the following probability distribution [11, Corollary 2.3]. This implies that the right hand side of Eq. (12b) is maximized by setting . Using this result, we can upper-bound Eq. (12b) as follows:

(14) |

where follows by the mutual information chain rule; follows because setting maximizes the right hand side of Eq. (12b); follows because and vanish for a fixed realization of ; while follows from the data processing inequality and the fact that forms a Markov chain, which implies that .

Now, If we apply the same steps and ideas to Eq. (12c), we can derive the following bound:

(15) |

where forms a Markov chain and is distributed as such that, is the value of that maximizes the difference . At this point we need to illustrate an important fact. One might argue that getting rid of the two conditional random variables and as we did, can not be done simultaneously because and might be dependent, such that the maximizing values and can not occur concurrently. However, this argument does not affect our converse because it only implies that the derived upper bounds might not be as tight as the original ones. To finalize our converse, we need to highlight the standard upper bounds for reliable transmission

(16) |

Now, if we combine (12a), along with (14), (15) and (16), such that forms a Markov chain, we reach the same region given by (5). In order to complete our converse, we need to point out that the cardinality argument follows from the Fenchel-Bunt strengthening of the usual Carathéodory’s theorem [31, Appendix C]. ∎

## Iii Secrecy in BC with Degraded Message Sets and Message Cognition

In this section, we will investigate the three-receiver BC with degraded message sets and message cognition under two different secrecy constraints: joint secrecy and individual secrecy. We compare these two criteria by investigating their capacity regions for some special cases and show that the individual secrecy provides a larger secrecy capacity compared to the joint one.

### Iii-a Secrecy Model and Criteria

We start by modifying the model introduced in the previous section, such that the private messages and are now confidential messages that need to be kept secret from the eavesdropper as shown in Figure 2. Our new code is defined as follows:

###### Definition 4.

A code for the wiretap BC with degraded message sets and message cognition consists of: four independent message sets , , and ; a source of local randomness at the encoder which is distributed according to ; an encoding function at the relay node

which maps a common message , a confidential message triple and a realization of the local randomness to a codeword , and three decoders, one for each node

that maps each channel observation at the respective node and the cognizant message to the corresponding required messages or an error message .

We assume that the messages , , and are chosen uniformly at random and use the average error probability in (3) to measure the reliability performance of the code . On the other hand, the secrecy performance of is measured with respect to two different criteria. These two criteria identify the level of ignorance of the eavesdropper^{2}^{2}2Although the third receiver is part of our model and not an external user, we will refer to it in the rest of the paper as an eavesdropper. about the confidential messages , and as follows:

1. Joint Secrecy: This criterion requires the leakage of the confidential messages of one user to the eavesdropper given the individual message of the other user to be small. For our model, this requirement can be expressed as follows:

(17) |

This criterion guarantees that the rate of information leaked to the eavesdropper from one user is small even if the other individual transmitted message is compromised. Thus, in this scenario the legitimate receivers do not have to trust each other. In some literature, the joint secrecy criterion is defined such that, the mutual leakage of all confidential messages to the eavesdropper is small as follows:

(18) |

One can easily show that the definition in (17) is equivalent to the one in (18) for some as follows:

where follows because and are independent which implies that ; while follows because . On the other hand, if Eq. (18) holds, it follows directly that and . However, we prefer the definition in (17), because it provides a better understanding to the relation between the legitimate receivers and allows us to interpret the immunity of the joint secrecy against compromised receivers.

2. Individual Secrecy: This criterion requires the leakage of the confidential messages of each user to the eavesdropper to be small without conditioning on the confidential messages of the others users. This requirement can be formulated as follows:

(19) |

where and are defined as before. Differently from the conservative constraint in (17), where different users do not trust each other, this secrecy measure allows the legitimate receivers to cooperate in protecting their messages against eavesdropping. In some literatures the individual secrecy criterion requires the sum of the leakages of each confidential message to the eavesdropper to be small as:

(20) |

However, this definition is only equivalent to the one in (19) if , but in general they are not the same. In fact, the constraint in (19) is stronger than this one. This is because Eq. (19) directly implies Eq. (20), while the opposite is not correct. The difference between these two definitions is in the interpretation of the word individual. In (19), individuality means different transmission flows, while in (20) it means different confidential messages. In this paper, we will use the individual secrecy constraint given in (19) because it implies the other constraint in (20) and we think it is more convenient and meaningful.

###### Definition 5.

###### Remark 3.

###### Remark 4.

It is important to note how our model generalize different works on the wiretap BC with more than one legitimate receiver as follows:

If we let , our model reduces to the three receivers BC with common and confidential messages investigated in [20].

If we let , our model reduces to the wiretap BC with receiver side information. This channel was investigated under the joint secrecy constraint in [26, 1] and under the individual secrecy constraint in [27, 1].

### Iii-B Individual Secrecy in Shannon’s Ciphering System

In this subsection, we will use Shannon’s ciphering system to show why addressing individual secrecy with respect to different messages might be misleading, and that it is more consistent to interpret individuality with respect to different transmission flows. We consider the scenario given by Figure 3. Shannon studied this model under the following secrecy constraint:

(22) |

He proved that this requirement is achieved if , where is the secret key shared between the transmitter and the receiver. In practical, it is hard to fulfill this condition because secret keys are usually shorter than the message. Now assume that we have a secret key such that . We can construct the following coding strategy. First, we divide into two messages and , such that . We then construct a new secret key by concatenating and . Now the encoder outputs , which is equivalent to the concatenation of and . The decoder works in the following order, it first extracts from the first part of by Xoring it with the shared secret key , then it use to extract from the second part of .

Using this technique, we can overcome the problem of short secret key, however we need to understand the drawbacks of such technique. Aside form the problem of error progression that arises form using the estimated to decode , this technique does not fulfill the secrecy constraint in (22). However, it fulfill the following individual secrecy constraint:

(23) |

In general, we can extend this coding technique for short keys with smaller entropy by dividing the message into smaller messages of the same entropy as the given key as . We can show that, the previous technique grants a certain secrecy level such that, the sum of the leakage of the small messages to the eavesdropper is small.

The difference between the two secrecy measures in the previous example is related to how to address the secrecy of information transmitted to a single user; whether it should be protected as a one big entity or it can be divided into smaller parts, where each part is protected separately. This issue is identical to the problem of identifying the individual secrecy and whether individuality means different users or different messages. That is why, we preferred the individual secrecy constraint in (19) because it requires the whole information transmitted to a certain user to be protected as one big entity. In our opinion, this is a more consistent and meaningful notation.

### Iii-C Secrecy Capacity Regions: Joint Vs Individual

In this subsection, we will try to highlight the differences between the joint and the individual secrecy criteria. To do so, we will compare the secrecy capacity region of both criteria for some special cases. Before we discuss these results, we need to introduce the following lemma.

###### Lemma 1.

Let be a discrete memoryless BC and assume that is less noisy than . Consider two independent random variables and , such that forms a Markov chain. Then the following holds: .

###### Proof:

In the first scenario, we consider a class of less noisy wiretap BC as in Figure 2, where the eavesdropper is less noisy than the two legitimate receivers. We also modify the model such that, we only have the two individual confidential messages and , without the common message and the common confidential message . Thus, the joint secrecy conditions in (17) change to and , while the individual secrecy conditions in (19) change to and .

###### Theorem 2.

Consider a wiretap BC with message cognition, where the eavesdropper is less noisy than the two legitimate receivers and , i.e. and . Then the joint secrecy capacity region is empty, while the individual secrecy capacity region is given by the set of all rate pairs that satisfy

(24) |

###### Proof:

We start with the individual secrecy capacity region. The proof of the achievability is based on interpreting each individual message as a secret key for the other one. The encoder constructs the Xored message by Xoring the corresponding elements of and as follows:

In order to transmit a message pair , the encoder generates the sequence , then transmits it to both receivers. The problem simplifies to a multicast problem and reliable transmission is only guaranteed by the condition in (24). Each legitimate receiver decodes the Xored message then uses the side information to extract it is own message. On the other hand, the eavesdropper can not extract any information about and , although it can correctly decode , because and .

Now for the converse, using Lemma 1, we will show that, if is less noisy than both and , the two rates and are equal. Let and be two sequences, such that as , and , we have

(25) |

where follows from Fano’s inequality as ; follows from (19), when and ; follows from Lemma 1 because , which implies that and follows because . If we let and follow the same steps we can derive a similar bound for as follows:

(26) |

Now in order to finalize our converse we need to highlight the standard upper bound for reliable transmission for each receiver given by:

(27) |

Finally, if we take the limit as for (25), (26), such that and , Our converse for the individual secrecy capacity region in (24) is complete.

Now, we turn to the other half of the theorem that indicates that the joint secrecy capacity region is empty if the eavesdropper is less noisy than the two legitimate receivers. The proof is based on Lemma 1 and is a direct consequence of [10, Proposition 3.4] and [15] as follows:

(28) |

where follows from Fano’s inequality; follows from (17), for ; while follows from Lemma 1 because , which implies that . Similarly, we have for the following

(29) |

Now if we take the limit as for (28), (29), such that and , we have . This implies that the joint secrecy capacity region for this scenario is empty. ∎

###### Remark 5.

The previous result was established for wiretap BC with receiver side information, where the legitimate receivers and are degraded from the eavesdropper in [28].

In the next scenario, we will continue with the previous model, where we discuss the wiretap BC in Figure 2 with only and . However, we will investigate a different class of less noisy channels, where the two legitimate receivers and are less noisy than the eavesdropper .

###### Theorem 3.

Consider a wiretap BC with message cognition, where the two legitimate receivers and are less noisy than the eavesdropper , i.e. and . Then the joint secrecy capacity region is given by the set of all rate pairs , such that

(30) |

While, the individual secrecy capacity region for the same scenario is given by the set of all rate pairs that satisfy