# On the Throughput of Secure Hybrid-ARQ Protocols

for Gaussian Block-Fading Channels

###### Abstract

The focus of this paper is an information-theoretic study of retransmission protocols for reliable packet communication under a secrecy constraint. The hybrid automatic retransmission request (HARQ) protocol is revisited for a block-fading wire-tap channel, in which two legitimate users communicate over a block-fading channel in the presence of a passive eavesdropper who intercepts the transmissions through an independent block-fading channel. In this model, the transmitter obtains a -bit ACK/NACK feedback from the legitimate receiver via an error-free public channel. Both reliability and confidentiality of secure HARQ protocols are studied by the joint consideration of channel coding, secrecy coding, and retransmission protocols. In particular, the error and secrecy performance of repetition time diversity (RTD) and incremental redundancy (INR) protocols are investigated based on good Wyner code sequences, which ensure that the confidential message is decoded successfully by the legitimate receiver and is kept in total ignorance by the eavesdropper for a given set of channel realizations. This paper first illustrates that there exists a good rate-compatible Wyner code family which ensures a secure INR protocol. Next, two types of outage probabilities, connection outage and secrecy outage probabilities are defined in order to characterize the tradeoff between the reliability of the legitimate communication link and the confidentiality with respect to the eavesdropper’s link. For a given connection/secrecy outage probability pair, an achievable throughput of secure HARQ protocols is derived for block-fading channels. Finally, both asymptotic analysis and numerical computations demonstrate the benefits of HARQ protocols to throughput and secrecy.

Information-theoretic secrecy, HARQ, block-fading, rate compatible punctured codes, incremental redundancy, time diversity.

## I Introduction

Reliable communication is essential in applications of wireless packet-oriented data networks. A class of special coding schemes, the so-called hybrid automatic retransmission request (HARQ), combine powerful channel coding with retransmission protocols to enhance the reliability of communication links. Among currently available HARQ protocols, the most elementary form is the repetition-coding-based HARQ which combines several noisy observations of the same packet by using a suitable diversity technique at the receiver, such as maximal-ratio combining, equal-gain combining, or selection combining. A more powerful HARQ scheme is the so-called incremental redundancy HARQ, which achieves higher throughput efficiency by adapting its error correcting code redundancy to fluctuating channel conditions. In an incremental redundancy scheme, the message is encoded at the transmitter by a “mother” code. Initially, only a selected number of coded symbols are transmitted. The selected number of coded symbols form a codeword of a punctured mother code. If a retransmission is requested, additional redundancy symbols are sent under possibly different channel conditions. An information-theoretic analysis of the throughput performance of HARQ protocols over block-fading Gaussian collision channels is found in [1]. By assuming Gaussian random coding and typical-set decoding, the results of [1] are independent of the particular coding/decoding technique and can be regarded as providing a limiting performance in the information-theoretic sense. Another line of recent research on HARQ concerned with various mother codes and their puncturing can be found in [2, 3, 4, 5, 6, 7, 8].

Confidentiality is a basic requirement for secure communication over wireless networks. We note that the broadcast nature of the wireless medium gives rise to a number of security issues. In particular, wireless transmission is very susceptible to eavesdropping since anyone within communication range can listen to the traffic and possibly extract information. Traditionally, confidentiality has been provided by using cryptographic methods, which rely heavily on secret keys. However, the distribution and maintenance of secret keys are still open issues for large wireless networks. Fortunately, confidential communication is possible without sharing a secret key between legitimate users. This was shown by Wyner in his seminal paper [9]. In the discrete memoryless wire-tap channel model he proposed, the communication between two legitimate users is eavesdropped upon via a degraded channel (the eavesdropper channel). The level of ignorance of the eavesdropper with respect to the confidential message is measured by the equivocation rate. Perfect secrecy requires that the equivocation rate should be asymptotically equal to the message entropy rate. Wyner showed that perfect secrecy can be achieved via a stochastic code, referred to as Wyner secrecy code. Csiszár and Körner generalized this result and determined the secrecy capacity region of the broadcast channel with confidential messages in [10]. Recent research investigates multi-user communication with confidential messages, e.g., multiple access channels with confidential messages [11, 12], multiple access wire-tap channels [13], and interference channels with confidential messages [14]. The effect of fading on secure communication has been studied in [15, 16, 17, 18]. More specifically, assuming that all communicating parties have perfect channel state information (CSI) prior to the message transmission, [15] has studied the delay limited secrecy capacity of wireless channels, while [16, 17, 18] have studied the secrecy capacity of an ergodic fading channel. [18] has also considered the ergodic scenario in which the transmitter has no CSI about the eavesdropper channel.

In this paper, we investigate secure packet communication based on HARQ protocols. The challenge of this problem is twofold: first, the encoder at the transmitter needs to provide sufficient redundancy for the legitimate receiver to decode its message successfully; on the other hand, too much redundancy may help adversarial eavesdropping. As an example, retransmission is an effective way to enhance reliability, but nevertheless it may also compromise confidentiality. This motivates the joint consideration of channel coding, secrecy coding, and retransmission protocols.

We consider a frequency-flat block-fading Gaussian wire-tap channel. In this model, a transmitter sends confidential messages to a legitimate receiver via a block-fading channel in the presence of a passive eavesdropper who intercepts the transmission through an independent block-fading channel. We assume that the transmitter has no perfect CSI, but receives a -bit ACK/NACK feedback from the legitimate receiver via a reliable public channel. Under this setting, we study the secure HARQ protocols from an information theoretic point of view. In particular, the error and secrecy performance of repetition time diversity (RTD) and incremental redundancy (INR) protocols are investigated based on good Wyner code sequences, which ensure that the confidential message is decoded successfully by the legitimate receiver and is kept completely secret from the eavesdropper for a given set of channel realizations of both the main and the eavesdropper channels. Next, we show that there exists a good rate-compatible Wyner code family which suits the secure INR protocol. Due to the absence of CSI, the transmitter cannot adapt its code and power level to channel conditions. Instead, for a given mother code, we consider the outage performance of secure HARQ protocols. Specifically, we define two types of outage: connection outage and secrecy outage. The outage probabilities (i.e., the probabilities of connection and secrecy outage) are used to characterize the tradeoff between the reliability of the legitimate communication link and the confidentiality with respect to the eavesdropper’s link. We evaluate the achievable throughput of HARQ protocols under the constraints on these two outage probabilities. Finally, we compare the secrecy throughput of two HARQ protocols through both numerical computations and an asymptotic analysis, and illustrate the benefit of HARQ schemes to information secrecy.

Generally speaking, when the coding parameters (main channel code rate and secrecy information rate for ensuring reliability and secrecy, respectively) can be freely chosen, INR can achieve a significantly larger throughput than RTD, which concurs with the results not involving secrecy where it has been shown that mutual-information accumulation (INR) is a more effective approach than SNR-accumulation (RTD) [1]. However, when one is forced to ensure small connection outage for the main channel even when it is bad, one is forced to reduce the main channel code rate. The INR scheme, having a larger coding gain (to both the intended receiver and the eavesdropper), needs to sacrifice a larger portion of the main channel code rate in order to satisfy the secrecy requirement. Hence, when the main channel code rate is bounded due to the connection outage constraint, the achievable secrecy throughput of INR may be smaller than that of RTD. This result deviates from that not involving secrecy.

The remainder of this paper is organized as follows. We describe the system model and preliminaries in Section II. In Section III, we prove the existence of good Wyner codes for parallel channel communication and define outage events, while these results are applied to INR and RTD protocols in Section IV. We derive the secrecy throughput of two protocols over block fading channels in Section V, and present an asymptotic analysis in Section VI. We illustrate and compare the various results and protocols numerically in Section VII. Finally, we give conclusions and some interesting directions for future research in Section VIII, The proofs of the results are provided in appendices.

## Ii System Model and Preliminaries

### Ii-a System Model

As shown in Fig. 1, we consider a model in which a transmitter
sends confidential messages to a destination via a source-destination channel
(the main channel) in the presence of a passive eavesdropper which listens to
the transmission through a source-eavesdropper channel (the eavesdropper
channel). Both the main channel and the eavesdropper channel experience
-block fading, in which the channel gain is constant within a block while
varying independently from block to block [19, 20]. We
assume that each block is associated with a time slot of duration and
bandwidth ; that is, the transmitter can send real
symbols in each slot. Additionally, we assume that the number of channel uses
within each slot (i.e., ) is large enough to allow for invoking random
coding arguments.^{1}^{1}1For example, in a 64 kb/s down-link reference data
channel for universal mobile telecommunications system (UMTS) data-transmission
modes, each slot can contain up to dimensions
[21].

At the transmitter, a confidential message is encoded into a codeword , which is then divided into blocks , each of length . The codeword occupies slots; that is, for , the -th block is sent in slot and received by the legitimate receiver through the channel gain and by the eavesdropper through the channel gain . A discrete time baseband-equivalent block-fading wire-tap channel model can be expressed as follows:

and | (1) |

where denotes the input signal, and denote the output signals at the legitimate receiver and the eavesdropper, respectively, at time (), and are independent and identically distributed (i.i.d.) random variable sequences, and and , for , denote the normalized (real) channel gains of the main channel and the eavesdropper channel, respectively. Furthermore, we assume that the signal has constant average energy per symbol

(2) |

Let and denote vectors whose elements are the main channel gains and the eavesdropper channel gains, respectively. We refer to as a channel pair and assume that the legitimate receiver knows its channel , while the eavesdropper knows its channel .

### Ii-B Wyner Codes

In this subsection, we consider a single-block transmission, i.e., and introduce Wyner codes [9], which are the basis of our secure HARQ protocols.

Let denote a Wyner code of size to convey
a confidential message set ,
where and is the codeword length. The basic idea
of Wyner codes is to use a stochastic encoder to increase the
secrecy level [9, 10]. Hence, there are
two rate parameters associated with the Wyner code: the main channel
code rate and the secrecy information rate .^{2}^{2}2We
call the secrecy gap as the rate sacrificed to ensure the
secrecy requirement. The Wyner code is constructed
based on random binning [9] as follows. We generate
codewords , where ,
and , by choosing the
symbols independently at random according to the input
distribution . A Wyner code ensemble is the
set of all possible Wyner codes of length , each
corresponding to a specific generation and a specific labeling.

The stochastic encoder of is described by a matrix of conditional probabilities so that, given , we randomly and uniformly select from and transmit . We assume that the legitimate receiver employs a typical-set decoder. Given , the legitimate receiver tries to find a pair so that and are jointly typical [22], i.e.,

If there is no such jointly typical pair, then the decoder claims failure.

Assume that signals and are received at the legitimate receiver and the eavesdropper, respectively, via a channel pair . The average error probability is defined as

(3) |

where is the output of the decoder at the legitimate receiver and is the prior probability that message is sent.

The secrecy level, i.e., the degree to which the eavesdropper is confused, is measured by the equivocation rate at the eavesdropper. Perfect secrecy is achieved if for all the equivocation rate satisfies

(4) |

For conciseness, we say that a code of length is good for a wire-tap channel with the channel pair if and the perfect secrecy requirement (4) can be achieved, for all and sufficiently large .

### Ii-C Secure HARQ Protocols

We first consider a general (in ) secure HARQ protocol for a block-fading wire-tap channel. The transmitter encodes the confidential information (and cyclic redundancy check (CRC) bits) by using a mother code of length . The obtained codeword is partitioned into blocks represented as . At the first transmission, the transmitter sends the block under the channel gain pair . Decoding of this code is performed at the intended receiver, while the secrecy level is measured at the eavesdropper. If no error is detected, the receiver sends back an acknowledgement (ACK) to stop the transmission; otherwise a negative acknowledgement (NACK) is sent to request retransmission, and the transmitter sends the block under the channel gain pair . Now, decoding and equivocation calculation are attempted at the receiver and eavesdropper by combining the previous block with the new block . The procedure is repeated after each subsequent retransmission until all blocks of the mother code are transmitted or an HARQ session completes due to the successful decoding at the intended receiver.

Now, we focus on the error performance and secrecy level after transmissions, . Let

denote the input, the output at the intended receiver, and the output at the eavesdropper after transmissions, respectively. For a given channel pair , the average error probability after the transmissions is defined as

(5) |

where denotes the output of the decoder at the legitimate receiver after transmissions.

The secrecy level after transmissions is given by

We say that perfect secrecy is achieved after transmissions if, for all , the equivocation rate satisfies

(6) |

We note that this definition implies that the perfect secrecy can also be achieved after transmissions, for .

Similar to the definition of good codes for a single-block transmission, we say that a code of length is good for the -block transmission and a channel pair if and the perfect secrecy requirement (6) can be achieved, for all and sufficiently large .

In particular, we consider the following two secure HARQ protocols based on different mother codes and different combination techniques.

#### Ii-C1 Incremental Redundancy

In the INR secure HARQ protocol, the mother code is a Wyner code of length , i.e.,

In the first transmission, the transmitted coded symbols form a codeword of a punctured Wyner code of length ,

Similarly, after transmission, , the (all) transmitted coded symbols form a codeword of a punctured Wyner code of length ,

At the legitimate receiver and the eavesdropper, decoding and equivocation calculation are attempted, respectively, based on the punctured code .

We note that the punctured codes form a family of rate-compatible Wyner codes with the secrecy rates

Hence, we refer to this protocol as the INR protocol based on rate-compatible Wyner codes.

#### Ii-C2 Repetition Time Diversity

We also consider a simple time-diversity HARQ protocol based on the repetition of a Wyner code. In this case, the mother code is a concatenated code consisting of the Wyner code as the outer code and a simple repetition code of length as the inner code, i.e.,

(7) |

After each transmission, decoding and equivocation calculation are performed at the receiver and the eavesdropper, respectively, based on maximal-ratio packet combining.

## Iii Secure Channel Set and Outage Events

In this section, we study the error performance and the secrecy level when a mother Wyner code is transmitted over parallel channels. Results given in this section form the basis for the performance analysis of secure HARQ protocols.

For a given Wyner code, an important practical question is: under what channel conditions will the communication be reliable and secure? In the following theorem, we describe a secure channel set and demonstrate that there exists a Wyner code sequence good for all channel pairs in this set.

###### Theorem 1.

Let denote the union of all channel pairs satisfying

(8) | |||||

and | (9) |

where and are single letter mutual information characterizations of the channel (1). There exists a Wyner code good for all channel pairs .

In the system model described in Section II, the transmitter does not have any channel state information; that is, one cannot choose the code based on a particular fading channel state. Hence, it is important to show that there exists a Wyner code sequence good for all channel pairs in the secure channel set .

To facilitate the formulation of outage-based throughput, we define
that an outage event occurs when the channel pair does not belong to
the secure channel set, i.e., . Specifically,
we distinguish two types of outage: connection outage
^{3}^{3}3The main channel is viewed as a communication link. The
link is connected if a packet can be delivered to the intended
receiver successfully within the delay constraint (within
transmissions), otherwise it is in the connection outage. The
connection outage probability defined in this paper is also referred
to as information outage probability in [19].
and secrecy outage. In particular, we say that a connection
outage occurs if

(10) |

while we say that a secrecy outage occurs if

(11) |

Accordingly, we can evaluate both connection outage and secrecy outage probabilities, which are the probabilities of each of the outage events averaged over all possible fading states. In fact, the connection outage probability can be interpreted as the limiting error probability for large block length packets; the secrecy outage probability can be regarded as an upper bound on the probability of unsecured packets. Moreover, Theorem 1 implies that the connection outage probability and the secrecy outage probability are not just average probabilities over a code ensemble, but they can be achieved by a deterministic code sequence.

## Iv Secure HARQ with Wyner Codes

In this section, we evaluate the error performance and measure the secrecy level during secure HARQ sessions.

A key part of an ARQ protocol is that decoding errors should be detected, so that ACKs or NACKs can be generated accurately. A complete decoding function (e.g. maximum a posteriori probability decoding or maximum-likelihood decoding) requires the encoder to add extra redundancy to the information bits, which decreases the throughput slightly. The authors of [1] have shown that error detection can be accomplished by using the built-in error detection capability of suboptimal decoders.

###### Lemma 1.

###### Proof:

The proof follows similarly to that given in [1]. ∎

### Iv-a Incremental Redundancy

To evaluate the performance of the INR protocol, we employ the following -parallel channel model. Let us focus on the decoding after transmissions, i.e., the coded blocks are transmitted, . As shown in Fig. 2, the block experiences channel pair , . We assume that each of the punctured blocks is sent to a dummy memoryless component channel whose output is independent of the input.

In this case, the mother codeword is transmitted over parallel channels. At the legitimate receiver, the decoder combines the real signal with dummy signal blocks to form

Similarly, the processed symbols at the eavesdropper are

where are dummy signal blocks. We note that the added dummy blocks do not affect either the decoding at the legitimated receiver or the equivocation calculation at the eavesdropper since they are independent of the confidential message.

The codewords of the mother Wyner code are transmitted in at most transmissions during the secure HARQ session. By using the equivalent parallel channel model, we can describe this secure HARQ problem as communication over parallel wire-tap channels and, hence, establish the following theorem.

###### Theorem 2.

Consider the secure INR protocol based on rate compatible Wyner codes

where

Let denote the union of all channel pairs satisfying

(12) | |||||

and | (13) |

Then, there exists a family of rate compatible Wyner codes such that is good for all channel pairs , for .

### Iv-B Repetition Time Diversity

In the RTD secure HARQ protocol, both the legitimate receiver and the eavesdropper combine several noisy observations of the same packet based on diversity techniques. The optimal receivers perform maximal-ratio combining (MRC), which essentially transforms the vector channel pair into a scalar channel pair . Hence, after transmissions, the equivalent channel model can be written as follows:

(14) |

for , where and .

Let denote the union of all channel pairs satisfying

(15) | |||||

and | (16) |

where and are single letter mutual information characterizations of the channel (14). For a given (finite) , we have the following result for the RTD secure HARQ protocol.

###### Corollary 1.

There exists a Wyner code such that its -repeating code

is good for all channel pairs , for .

###### Proof:

The proof follows directly from Theorem 1 by setting . ∎

## V Secrecy Throughput of HARQ Protocols

In this section, we study the achievable secrecy throughput for HARQ protocols. We focus on Rayleigh independent block fading channels for illustration; other types of block fading channels can be studied in a similar way.

We note that the optimal input distribution of the channel (1) is not known in general when the transmitter has no CSI. For the sake of mathematical tractability, we consider Gaussian inputs. For INR, the mutual information and can be written as

and | (17) |

where

(18) |

are the signal-to-noise ratios (SNRs) at the legitimate receiver and the eavesdropper, respectively, during transmission . For RTD, we can express the mutual information quantities and as

and | (19) |

Although we consider only Gaussian signaling here, the results in Section IV can be applied to other input distributions, for example, discrete signaling under modulation constraints.

Let denote the number of transmissions within a HARQ session. Given a distribution of the main channel SNR , for both INR and RTD protocols, the probability mass function of can be expressed as

and | (20) |

where and are chosen either from (V) or from (17) corresponding to a specific HARQ protocol. Let denote the connection outage probability, and denote the secrecy outage probability. The definition in (20) implies that and can be written as follows:

(21) | |||||

and | (22) |

Now, we study the secrecy throughput based on and . We first consider a target secrecy outage probability ; that is, at least a fraction of the confidential message bits sent by the transmitter are kept completely secret. Under this constraint, the secrecy throughput , measured in bits per second per hertz, is defined to be the average number of bits decoded at the legitimate receiver,

(23) |

where again is the number of symbols in each block and is the number of information bits successfully decoded by the intended receiver up to time slot (when a total of blocks are sent). The event that the transmitter stops sending the current codeword is recognized to be a recurrent event[23]. A random reward is associated with the occurrence of the recurrent event. In particular, bits/symbol if transmission stops because of successful decoding, and bits/symbol if it stops because successful decoding has not occurred after transmissions. By applying the renewal-reward theorem [1, 23], we obtain the secrecy throughput as

(24) |

where is the expected number of transmissions in order to complete a codeword transmission, i.e.,

(25) |

We can properly choose the mother code parameters ( and ) to obtain the maximum throughput while satisfying -secrecy requirement. Hence, we consider the following problem

(26) | ||||

s.t. |

The optimization problem (26) imposes a probabilistic service requirement in terms of confidentiality; that is, the service quality is acceptable as long as the probability of the secrecy outage is less than , a parameter indicating the outage tolerance of the application. Note that is a decreasing function of , and is linearly proportional to . Hence, we can solve the optimization problem (26) in the following two steps: first, for given , , and , we find the maximum value ; next, we obtain the optimum , which maximizes the secrecy throughput .

On the other hand, reliability is another important quality of service parameter. To achieve both the connection outage target and the secrecy outage target , we consider the following problem

(27) | |||

In addition to the service requirement of confidentiality, problem (27) also imposes a probabilistic service requirement on the connection outage, i.e., at least a fraction of HARQ sessions are successful. The connection outage constraint ensures that, at the expense of possibly lower average throughput, the delay constraint (that a packet can be delivered within transmissions) is satisfied of the time, hence enabling applications which trade average rate for decoding delay like voice communication systems, e.g., CDMA2000 [24]. A similar constraint has been considered in [25] in terms of service outage for parallel fading channels.

To evaluate , and , we need the cumulative distribution functions (CDFs) of and . For the RTD protocol, we can use the fact that and are gamma distributed to express the CDFs of and in terms of incomplete gamma functions. In the case of the INR protocol, the distributions of and cannot be written in a closed form. Hence, we resort to Monte-Carlo simulation in order to obtain empirical CDFs. Note that Monte Carlo simulation is needed only to estimate empirical CDFs, while is found numerically by a (non-random) search.

## Vi Asymptotic Analysis

In general, the secrecy throughput of the INR protocol is difficult to calculate since there is no closed form available for . In this section, we consider the asymptotic secrecy throughput, which does have a closed form.

We are interested in asymptotic results as increases without bound. Note that this asymptote corresponds to a delay-unconstrained system. In this case, secure HARQ protocols yield zero packet loss probability, i.e., the transmission of a codeword ends only when it is correctly decoded. As a result, the problems (26) and (27) yield the same throughput, which can be obtained from (24) as follows:

(28) |

Let us consider how to choose a mother Wyner code for the INR protocol in order to meet reliability and confidentiality constraints when is large. Let and denote the instantaneous SNRs at the legitimate receiver and the eavesdropper, respectively.

###### Lemma 2.

Consider an INR secure HARQ protocol with the mother Wyner code Then

(29) |

if and only if

and | (30) |

where the expectations are over and/or . Furthermore, if (30) does not hold, then

(31) |

For comparison, we consider the situation in which the Wyner code is transmitted over -block fading channel without using the HARQ protocol. We refer to this case as the -fading-block (MFB) coding scheme. Theorem 1 implies that, by using the MFB scheme, the requirement (29) can be achieved if and only if

and | (32) |

We note that the condition (30) for the INR protocol is weaker than the condition (32) for the MFB scheme. In other words, the INR scheme can achieve the confidentiality and reliability requirements more easily than can the MFB coding scheme by using the same Wyner code. This result illustrates the benefit of the INR secure HARQ protocol.

Based on Lemma 2, we have the following asymptotic result concerning the achievable throughput for secure HARQ protocols.

###### Theorem 3.

We consider the secure HARQ protocols over a block-fading wire-tap channel. If the secrecy information rate satisfies

(33) |

then the secrecy throughput of RTD and INR protocols can be written as follows:

where and are the instantaneous SNRs at the legitimate receiver and the eavesdropper, respectively.

###### Proof:

We provide a proof in Appendix D. ∎

## Vii Numerical Results

In our numerical examples, we consider Rayleigh block fading, i.e. the main channel instantaneous SNR has the probability density function (PDF) , and the eavesdropper channel instantaneous SNR has the PDF , where and are the average SNRs of the main and eavesdropper channels, respectively.

To illustrate how the secrecy throughput is related to the choice of (and ), we give a numerical example of versus in Fig. 3, in which the parameter settings are as follows: the main channel average SNR is dB, the eavesdropper channel average SNR is dB, the maximum number of transmissions is . (We observe that similar results are obtained by using other parameter settings.) For each , we obtain the maximum that meets the secrecy constraint or , respectively. When there is no secrecy constraint (), due to the sub-optimality of the RTD scheme, the RTD curve is uniformly below the INR curve. This does not happen when there is a secrecy constraint. The reason is that INR not only favors the information transmission to the intended receiver, but also benefits the eavesdropping by the eavesdropper. Hence, INR needs to sacrifice a larger portion of the main channel code rate than RTD in order to keep the eavesdropper ignorant of the confidential messages. This is reflected in Fig. 3 that a larger has to be chosen for INR (than RTD) in order to obtain a positive secrecy throughput.

It is clear from Fig. 3 that there exists a unique (and therefore ) to maximize for each parameter setting. For all secrecy constraints ( or ), if the best and are chosen for each scheme accordingly, INR yields higher secrecy throughput than RTD does, which shows the benefit of INR over RTD.

According to (21), the choice of decides the reliability performance. This is shown in Fig. 4, where we plot the connection outage probability versus the value of . For both INR and RTD, increases with the value of . Note that a more strict secrecy constraint requires a larger (as shown in Fig. 3), which however causes the degradation of the reliability performance. We can see that there exists a tradeoff between secrecy and reliability.

Given a strict connection outage constraint , the choice of (and ) might not be feasible. For instance, in order to obtain , we need to choose and (marked with ‘A’ and ‘B’ respectively in Fig. 3 and Fig. 4). Specifically, for a connection outage constraint , is not feasible for INR when , and is not feasible for both INR and RTD when in Fig. 3. Note that for the case of (and ), positive secrecy throughput cannot be obtained for INR, but can be obtained for RTD. This implies that RTD might outperform INR, when we have strict secrecy and connection outage constraints. This is a surprising result in the view of the well-known HARQ performance when there is no secrecy constraint, where INR always outperforms RTD [1].

In Fig. 5 and Fig. 6, we show the secrecy throughput under different target secrecy outage probabilities . There is no connection outage requirement in Fig. 5. There is an additional connection outage requirement of in Fig. 6. The parameter settings are dB, dB and . We can see that small secrecy outage probability can be achieved when the throughput is small for both protocols. The INR protocol outperforms the RTD protocol uniformly when there is no connection outage requirement. However, when there is a strict connection outage requirement, the RTD protocol outperforms the INR protocol when is small (e.g., ).

Fig. 7 illustrates the relationship between the secrecy throughput and the main channel average SNR when there is a target secrecy outage probability and no connection outage requirement. The average SNR of the eavesdropper channel is fixed to be dB. We find that the INR protocol outperforms the RTD protocol significantly, especially when the main channel SNR is large.

In Fig. 8, we show the secrecy throughput versus the maximum number of transmissions . Comparing with the secrecy throughput without the connection outage constraint, the secrecy throughput with a connection outage constraint () suffers some loss when is small due to insufficient diversity. Both secrecy throughputs converge when sufficient diversity can be obtained as increases. In particular, when , both throughputs are the same and are given by (28) in the asymptotic analysis. For INR, the secrecy throughput increases monotonically with . For RTD, decreases with due to its strongly suboptimal coding scheme. This concurs with the asymptotic analysis that, when , a constant (nonzero) secrecy throughput ( according to Theorem ) can be achieved for INR, while zero throughput can be obtained for RTD.

## Viii Conclusions and Future Directions

In this paper, we have studied secure packet communication over frequency-flat block-fading Gaussian channels, based on secure HARQ protocols with the joint consideration of channel coding, secrecy coding and retransmission protocols. From an information theoretic point of view, we have considered two secure HARQ protocols: a repetition time diversity scheme with maximal-ratio combining (RTD), and an incremental redundancy scheme based on rate-compatible Wyner secrecy codes (INR). We have proved the existence of good Wyner code sequences, which ensure that the legitimate receiver can decode the message and the eavesdropper can be kept ignorant of it for an HARQ session under certain channel realizations.

To facilitate the formulation of the outage-based throughput, we have defined two types of outage: connection outage and secrecy outage. The outage probabilities, more specifically, the connection and secrecy outage probabilities have been used to characterize the tradeoff between the reliability of the legitimate communication link and the confidentiality with respect to the eavesdropper’s link. We have evaluated the achievable throughput of RTD and INR protocols under probabilistic requirements (constraints) on secrecy outage and/or connection outage, and have illustrated the benefits of HARQ schemes to information secrecy through some numerical results and an asymptotic analysis.

In general, INR can achieve a significantly larger throughput than RTD, which concurs with the results not involving secrecy that mutual-information accumulation (INR) is a more effective approach than SNR-accumulation (RTD). However, when one is forced to ensure small connection outage for the main channel even when it is bad, one is forced to reduce the main channel code rate. The INR scheme, having a larger coding gain (to both the intended receiver and the eavesdropper), needs to sacrifice a larger portion of the main channel code rate (i.e., requires a larger secrecy gap) in order to satisfy the secrecy requirement. Hence when the main channel code rate is bounded due to the connection outage constraint, the achievable secrecy throughput of INR may be smaller than that of RTD.

We conclude this work by pointing out some future research directions.

First, as pointed out in [26], many practical encoders are separated from the modulator and therefore the performance of HARQ protocols is impacted by modulation constraints. Although we have assumed Gaussian signaling, it is possible and also meaningful to extend the analysis to take discrete signaling into account.

In our analysis, we have assumed random coding and typical set decoding. Future work should consider practical coding and decoding schemes for secure HARQ protocols. Existing work on the practical secrecy code design includes coset coding [27], low-density parity check (LDPC) code design [28], and nested codes [29]. The design of practical rate compatible secrecy codes for Gaussian channels remains a challenging problem.

## Appendix A Proof of Theorem 1

For convenience, let and denote the set of channel pairs so that

(34) | |||||

and | (35) |

where is arbitrarily small. It is clear that when .

In order to prove Theorem 1, we first consider the following lemma.

###### Lemma A.1.

There exists a code that is good for any channel pair .

### A-a Proof of Lemma

###### Proof:

Following standard continuity arguments [22], we consider a quantization of the input and output of the channel (1) and work on the resulting discrete channel. Given a channel pair , on every fading block , the channel is time-invariant and memoryless. Let denote the input, and let and denote the outputs at the legitimate receiver and the eavesdropper, respectively. From the weak law of large numbers, we have the following limits in probability:

and |

where is the input entropy per letter; and are the output entropy per letter at the intended receiver and the eavesdropper, respectively, in block ; and and are the joint entropies per letter in block . Define the typical set as the set of all sequences for which the above sample means are within of their limits.

The random coding ensemble is constructed by generating codewords , where and , by choosing the symbols independently at random. Given , the encoder randomly and uniformly selects a from and transmits .

#### A-A1 Error Analysis

Given a message , the legitimate receiver declares that was transmitted, if is the only codeword that is jointly typical with . An error is declared if either is not jointly typical with , or there is another codeword jointly typical with . Let us denote this type of error as . By following the same steps in [22, Theorem ], we obtain that , the probability of error averaged over the code ensemble is

By choosing , we have

(36) |

for every channel pair as the codeword length is sufficiently large, where .

Let denote the set of codewords corresponding to message (bin ). Suppose that the eavesdropper gets to know a priori, based on which it tries to determine which codeword was sent. The eavesdropper declares that was sent, if is the only codeword in that is jointly typical with . An error is declared if either is not jointly typical with , or there is another codeword in jointly typical with . Denoting this type of error as , we obtain that , the average probability of error averaged over the code ensemble is

By choosing , we have

(37) |

for every channel pair when the codeword length is sufficiently large, where .

Now we define an error event , which occurs whenever or occurs, i.e.

(38) |

According to (36) and (37), by using the union bound, we have for any ,

It is clear that the average error probability, averaged over the channel set is

Interchanging expectations with respect to and with respect to (since the integrand is nonnegative and bounded by 1) yields

Then, there exists a sequence of codes (for increasing ) such that

where is a random variable that is a function of the channel pair . According to the Markov inequality, we have