Reliability and Secrecy Functions
of the Wiretap Channel under Cost Constraint
The wiretap channel was first devised and studied by Wyner, and subsequently extended to the case with non-degraded general wiretap channels by Csiszár and Körner. Focusing mainly on the stationary memoryless channel with cost constraint, we newly introduce the notion of reliability and secrecy functions as a fundamental tool to analyze and/or design the performance of an efficient wiretap channel system, including binary symmetric wiretap channels, Poisson wiretap channels and Gaussian wiretap channels. Compact formulae for those functions are explicitly given for stationary memoryless wiretap channels. It is also demonstrated that, based on such a pair of reliability and secrecy functions, we can control the tradeoff between reliability and secrecy (usually conflicting), both with exponentially decreasing rates as block length becomes large. Four ways to do so are given on the basis of rate shifting, rate exchange, concatenation and change of cost constraint. Also, the notion of the secrecy capacity is defined and shown to attain the strongest secrecy standard among others. The maximized vs. averaged secrecy measures are also discussed.
The pioneering work by Wyner as well as by Csiszár and Körner, based on the wiretap channel model, has provided a strong impetus to find a new scheme of physical layer cryptography in a good balance of usability and secrecy. In particular, they first formulated the tradeoff between the transmission rate for Bob and the equivocation rate against Eve.
“information theoretic security attracts much attention, because it offers security that does not depend on conjectured difficulties of some computational problem,” (††† suggested by Associate Editor) there have been extensive studies on various kinds of wiretap channels, which are nicely summarized, e.g., in Laourine and Wagner along with the secrecy capacity formula for the Poisson wiretap channel without cost constraint. Among others, Hayashi is the first who has derived the relevant secrecy exponent function to specify the exponentially decreasing speed (i.e., exponent) of the leaked information under the average secrecy criterion; no cost constraint is considered.
Throughout this paper, we impose cost constraints (limit on available transmission energy, bandwidth, and so on). We first address, given a general wiretap channel, the primal problem to establish a general formula to simultaneously summarize the reliability performance for Bob and the secrecy performance against Eve under the maximum secrecy criterion. Next, it is shown that both of them are described by using exponentially decaying functions of the code length when a stationary memoryless wiretap channel is considered. This provides the theoretical basis for investigating the asymptotic behavior of reliability and secrecy. We can then specifically quantify achievable reliability exponents and achievable secrecy exponents as well as the tradeoff between them for several important wiretap channel models such as binary symmetric wiretap channels, Poisson wiretap channels, and Gaussian wiretap channels. In particular, four ways of the tradeoff to control reliability and secrecy are given and discussed with their novel significance. Also, on the basis of the analysis of these exponents under cost constraint, the new formula for the -secrecy capacity (with the strongest secrecy among others) is established to apply to several typical wiretap channel models. A remarkable feature of this paper is that we first derive the key formulas not depending on respective specific channel models and then apply them to those respective cases to get new insights into each case as well.
The paper is organized as follows. In Section 2, the definitions of wiretap channel and related notions such as error probability, cost constraint, secrecy capacity and concatenation are introduced along with various kinds of secrecy measures.
In Section 3.A, we give a fundamental formula to simultaneously evaluate a pair of reliability behavior and secrecy behavior under cost constraint for a general wiretap channel, which is then in Section 3.B, particularized to establish the specific formulas for stationary and memoryless wiretap channels. Here, the notions of reliability function and secrecy function are introduced to evaluate the exponent of the exponentially decreasing decoding error for Bob and that of the exponentially decreasing divergence distance against Eve for the stationary memoryless wiretap channel under cost constraint. This is one of the key results in this paper. We also present their numerical examples to see how the reliability and secrecy exponents vary depending on the channel and cost parameters. Also, superiority of the maximum secrecy criterion to the average secrecy criterion is discussed. In Section 3.C, a strengthening of Theorem 3.3 in Section 3.B is provided. In Section 3.D, the -secrecy capacity formula (with the strongest secrecy) is given under cost constraint, including the formula for a special but important case with more capable wiretap channels.
In Section 4, four ways for the tradeoff are demonstrated: one is by rate shifting, another one by rate exchange, one more by concatenation, and the other by change of cost constraint, which are discussed in terms of the reliability and secrecy exponents. This section is thus prepared for more quantitative analysis/design of the reliability-secrecy tradeoff.
In Section 5, the formula for the -secrecy capacity is applied to the Poisson wiretap channel with cost constraint, which is a practical model for free-space Laser communication with a photon counter.
In Section 6, for Poisson wiretap channels with cost constraint we demonstrate the reliability and secrecy functions as an application of the key theorem established in Section 3.B.
In Section 7, we investigate the effects of channel concatenation with an auxiliary channel for the Poisson wiretap channel.
In Section 8, the -secrecy capacity formula for the Gaussian wiretap channel is given as an application of the key theorem established in Section 3.D.
In Section 9, for the Gaussian wiretap channels with cost constraint we demonstrate the reliability and secrecy functions as an application of the key theorem established in Section 3.B. In particular, these functions are numerically compared with those of Gallager-type, which reveals that a kind of duality exists among them. In Section 10, we conclude the paper.
2 Preliminaries and basic concepts
In this section we give the definition of the wiretap channel. There are several levels and ways to specify the superiority of the legitimate users, Alice and Bob, to the eavesdropper, Eve, such as physically degraded Eve, (statistically) degraded Eve, less noisy Bob, and more capable Bob. In this paper, we are interested mainly in the last class of channels because the other ones imply the last one (cf. Csiszár and Körner).
We introduce here the necessary notions and notations to quantify the reliability and the secrecy of this kind of wiretap channel model. In particular, we define several kinds of secrecy metrics, including the strongest criterion based on the divergence distance with reference to a target output distribution, while the notion of concatenation of channels is also introduced to construct a possible way to control tradeoff between reliability and secrecy.
A. Wiretap channel
Let be arbitrary alphabets (not necessarily finite),
where is called an input alphabet, and are called
A general wiretap channel consists of two general channels, i.e.,
(from Alice for Bob) and
(from Alice against Eve), where
, are the conditional probabilities of
given (of block length ), respectively.
Alice wants to communicate with Bob as reliably as possible but
as secretly as possible against Eve.
We let ( indicate such a wiretap channel.
Given a message set , we consider a stochastic encoder for Alice and a decoder for Bob , and for let denote the output due to via channel .
B. Cost constraint
From the viewpoint of communication technologies,
it is sometimes needed to impose cost constraint on channel inputs.
Here we give its formal definition.
For fix a mapping (the set of nonnegative real numbers) arbitrarily. For we call the cost of and the cost per letter. In the channel coding problem with cost constraint, we require the encoder outputs satisfy
where is an arbitrarily nonnegative given constant, which we call cost constraint . Notice here that the encoder is stochastic. When (2.1) holds, we say that the encoder satisfies the cost constraint and call ( a wiretap channel with cost constraint . Incidentally, define
then (2.1) is rewritten also as
Consider the case with and , then in this case it is easy to check that , which means that the wiretap channel is actually imposed no cost constraint. \QED
C. Error probability, secrecy measures and secrecy capacities
Given a wiretap channel () with cost constraint , the error probability (measure of reliability) via channel for Bob is defined to be
whereas the divergence distance (measure 1 of secrecy) and the variational distance (measure 2 of secrecy) via channel against Eve are defined to be
where denotes the output probability distribution on
via channel due to the input
is called the target output probability distribution on ,
which is generated
via channel due to an arbitrarily prescribed input distribution on .
Specifically, is given by .
In this paper the logarithm is taken to the natural base .
With these two typical measures of secrecy, we can define two kinds of criteria for achievability:
We say that a rate is -achievable if there exists a pair of encoder and decoder satisfying criterion (2.7) and
When there is no fear of confusion, we say simply that a rate is -achievable by dropping cost constraint , and so on also in the sequel. Similarly, we say that a rate is -achievable if there exists a pair of encoder and decoder satisfying criterion (2.8) and (2.9). It should be noted here that criterion (2.7) implies criterion (2.8), owing to Pinsker inequality :
With this measure (measure 3 of secrecy), we may consider one more criterion for achievability (called the i-achievability):
On the other hand, since the identity (Pythagorean theorem):
holds, is a stronger measure than . Moreover, since
Furthermore, one may sometimes prefer to consider the following achievability (called the w-achievability):
which is nothing but the so-called weak secrecy (measure 5 of secrecy). Indeed, this is the weakest criterion among others; its illustrating example will appear in Examples 5.1 and 8.1, while criterion (2.7) is the strongest one and introduced for the first time in this paper. Fig.1 shows the implication scheme among these five measures of secrecy.
The secrecy capacities - and between Alice and Bob are defined to be the supremum of all -achievable rates and that of all -achievable rates, respectively. Similarly, the secrecy capacity d- with d-achievability, the secrecy capacity i- with i-achievability as well as the secrecy capacity w- with w-achievability can also be defined.
One may wonder if the “strongest” measure of secrecy can be given an operational meaning. In this connection, we would like to cite the paper by Hou and Kramer  in which is interpreted as a measure of “non-confusion” and as a measure of “non-stealth,” and is interpreted as the background noise distribution on that Eve detects in advance of the communication between Alice and Bob; thus, in view of (2.12), by making we can not only keep the message secret from Eve but also hide the presence of meaningful communication. Alice can control so as to be most perplexing to Eve. A connection to some hypothesis testing problem is also pointed out. A similar interpretation is given also for with as a measure of “non-confusion” and as a measure of “non-stealth,” because the following inequality holds:
We notice that all of , , , and , defined here are the measures averaged over the message set with the uniform distribution. On the other hand, we can consider also the criteria maximized over the message set which will be discussed later in Remark 3.9. \QED
In wiretap channel coding it is one of the important problems how to control the tradeoff between the reliability for Bob and the secrecy against Eve. There are several ways to control it. One of these is to make use of the concatenation of the main wiretap channel with an auxiliary (virtual) channel. So, it is convenient to state here its formal definition for later use.
Let be an arbitrary alphabet (not necessarily finite) and let be an arbitrary auxiliary random variable with values in such that forms a Markov chain in this order, where is an input variable for the wiretap channel ; and are the output variables of channels due to the input , respectively.
Given a general channel , we define its concatenated channel so that
where is an arbitrary auxiliary channel (‡‡‡ we use the convention that, given random variables and , and denote the probability distribution of , and the conditional probability distribution of given , respectively). In particular, we say that a pair is a concatenation of the wiretap channel , if
with the auxiliary channel . Notice that if as random variables then these reduce to the non-concatenated wiretap channel. \QED
E. Stationary memoryless wiretap channel
In this paper substantial attention is paid to the special class of wiretap channels called the stationary memoryless wiretap channel, the definition of which is given by
A wiretap channel is said to be stationary and memoryless if, with some channels , it holds that
where This wiretap channel may be denoted simply by . \QED
When we are dealing with a stationary memoryless wiretap channel it is usual to assume an additive cost in the sense that where . This enables us to analyze the detailed performances of the wiretap channel, to be shown in the following sections.
3 Evaluation of reliability and secrecy
In this section, the problem of a general wiretap channel with general cost constraint is first studied, and next the problem of a stationary memoryless wiretap channel with additive cost constraint is investigated in detail. In particular, with criterion (2.7) we are interested in exponentially decreasing rates of as tends to . Finally, its application to establish a general formula for the -secrecy capacity - with cost constraint is provided.
A. General wiretap channel with cost constraint
Let , be arbitrary general channels and be an arbitrary auxiliary input distribution on , and set
where . Then, we have
Let be a general wiretap channel with general cost constraint , and , be arbitrary positive integers, then there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that
where is a concatenation of (cf. Definition 2.1), and we assume that the condition
holds for the random variable over induced via the auxiliary channel by the input variable subject to on . \QED
Proof: See Appendix A.
Formula (3.3) without concatenation is due to Gallager , while formulas (3.4), (3.5) without concatenation and cost constraint have first been shown in a different context by Han and Verdú [13, p.768] based on a simple random coding argument, and subsequently developed by Hayashi  based on a universal hashing argument to establish the cryptographic implication of channel resolvability (see, also Hayashi ). \QED
We define the rates and , which is called the coding rate for Bob and the resolvability rate against Eve, respectively. Rate is quite popular in channel coding, whereas rate , roughly speaking, indicates the rate of a large dice with faces to provide randomness needed to implement an efficient stochastic encoder to deceive Eve. \QED
The reason why we have introduced the concatenated channel instead of the non-concatenated channel can be seen from the following theorem.
Theorem 3.2 (Tradeoff of reliability and secrecy by concatenation)
Concatenation decreases reliability for Bob and increases secrecy against Eve.
Proof: The quantity in (3.3) is lower bounded, by concavity of the function , as
where . This implies that concatenation decreases reliability for the channel for Bob. On the other hand, the quantity in (3.5) is upper bounded, by convexity of the function , as
which implies that concatenation increases secrecy against the channel for Eve. Thus, we can control the tradeoff between reliability and secrecy (usually conflicting) by adequate choice of an auxiliary channel (e.g., see Fig.4 later for the case of stationary memoryless wiretap channels). Furthermore, it should be noted that in (3.4) also has such a nice tradeoff property like in the above, owing to the convexity in . \QED
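The direction of the tradeoff in Theorem 3.2 can be checked numerically on a binary symmetric wiretap channel. The following is an added example, not code from the paper: it assumes a uniform auxiliary input, an auxiliary binary symmetric channel, and no cost constraint, uses Gallager's classical random-coding exponent for Bob, and uses Eve's single-letter mutual information I(V;Z) as a simple stand-in for the paper's secrecy function. All parameter values are constructed for illustration.

```python
import math

def bsc(p):
    """Transition matrix W[x][y] of a binary symmetric channel with crossover p."""
    return [[1 - p, p], [p, 1 - p]]

def concatenate(aux, main):
    """Concatenated channel V -> X -> Y: sum over x of aux(x|v) * main(y|x)."""
    return [[sum(aux[v][x] * main[x][y] for x in range(len(main)))
             for y in range(len(main[0]))] for v in range(len(aux))]

def gallager_e0(rho, q, W):
    """Gallager's E_0(rho) = -ln sum_y (sum_v q(v) W(y|v)^(1/(1+rho)))^(1+rho)."""
    total = 0.0
    for y in range(len(W[0])):
        inner = sum(q[v] * W[v][y] ** (1.0 / (1.0 + rho)) for v in range(len(q)))
        total += inner ** (1.0 + rho)
    return -math.log(total)

def reliability_exponent(rate, q, W, steps=1000):
    """Random-coding exponent max_{0<=rho<=1} E_0(rho) - rho*rate (nats), grid search."""
    return max(gallager_e0(k / steps, q, W) - (k / steps) * rate
               for k in range(steps + 1))

def mutual_information(q, W):
    """I(V;Z) in nats for input distribution q and channel W."""
    out = [sum(q[v] * W[v][z] for v in range(len(q))) for z in range(len(W[0]))]
    return sum(q[v] * W[v][z] * math.log(W[v][z] / out[z])
               for v in range(len(q)) for z in range(len(W[0])) if W[v][z] > 0)

def tradeoff_table(p_bob=0.05, p_eve=0.20, rate=0.1,
                   aux_crossovers=(0.0, 0.02, 0.05, 0.10)):
    """One row per auxiliary channel: (aux crossover, Bob's exponent, Eve's leakage).

    aux crossover 0.0 is the non-concatenated case (V = X).
    """
    q = [0.5, 0.5]  # assumed uniform auxiliary input distribution
    rows = []
    for a in aux_crossovers:
        aux = bsc(a)
        bob = concatenate(aux, bsc(p_bob))
        eve = concatenate(aux, bsc(p_eve))
        rows.append((a, reliability_exponent(rate, q, bob), mutual_information(q, eve)))
    return rows

if __name__ == "__main__":
    for a, e_bob, leak in tradeoff_table():
        print(f"aux={a:.2f}  Bob exponent={e_bob:.4f}  I(V;Z)={leak:.4f} nats")
```

As the auxiliary channel gets noisier, Bob's exponent shrinks while Eve's per-letter leakage shrinks as well, which is the reliability-for-secrecy exchange the theorem describes.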
B. Stationary memoryless wiretap channel with cost constraint
So far we have studied the performance of general wiretap channels with general cost constraint . Suppose now that we are given a stationary and memoryless wiretap channel , specified by , with additive cost . With this important class of channels, we attempt to bring out specific useful insights on the basis of Theorem 3.1. To do so, let us consider the case in which are i.i.d. variables with common joint distribution
then, the probabilities of and , and the conditional probability of given are written as
It should be noted here that indicates a channel input for , and indicates a channel input for . Accordingly, these specifications define a joint probability distribution on . Also, the concatenated channel in this case is written simply as
Then, we have one of the key results:
Let be a stationary memoryless wiretap channel with additive cost . Let be a joint probability distribution as above, and suppose that the constraint on is satisfied. Then, for any positive integers , , there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that
where we have put for simplicity, and are the constants such that or to be specified in the proof. \QED
Proof: See Appendix B.
Remark 3.4 (Two secrecy functions)
So far, we have established evaluation of upper bounds (3.3) and (3.5) when the channel is stationary and memoryless under cost constraint. It should be noted, however, that we did not evaluate upper bound (3.4). This is because (3.4) contains the term with negative power , and hence upper bounding for (3.4) does not work. Thus, we prefer bound (3.5) rather than bound (3.4). \QED
Gallager  used the upper bound
where is an arbitrary small constant. Wyner  also used upper bound (3.24) for Poisson channels. However, we prefer upper bound (3.23) in this paper (except for in Theorems 9.2 and 9.4 later in Section 9), because it provides us with reasonable evaluation of the reliability and secrecy functions for binary symmetric wiretap channels, for Poisson wiretap channels and also for Gaussian wiretap channels to be treated in this section and in Sections 6, 7 and 9. \QED
Let us now give more compact forms to (LABEL:eq:istan1) and (LABEL:eq:istan2). To do so, let us define a reliability exponent function (or simply, reliability function) for Bob, and a secrecy exponent function (or simply, secrecy function) against Eve, as §§§
§§§ In the theory of channel coding it is the tradition to use the terminology “reliability function” to denote the “optimal” one. Therefore, more exactly, it might be recommended to use the term such as “achievable reliability exponent (function)” and “achievable secrecy exponent (function),” because here we lack the converse results. However, in this paper, simply for convenience with some abuse of the notation, we do not stick to the optimality and prefer to use their shorthands, because in most cases the optimal computable formula is not known. Then, the term “optimal reliability function” with the converse makes sense. Similarly for the “secrecy function.”
where for fixed rates we have set , and
Thus, we have
Let be a stationary memoryless wiretap channel with additive cost constraint , then there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that
where it is assumed that satisfies . \QED
Remark 3.6 (Reliability and secrecy functions)
It should be noted that the third term in on the right-hand side of (LABEL:eq:func11) and the third term in on the right-hand side of (LABEL:eq:func12) are both of the order , which approach zero as tends to , so that these terms do not affect the exponents. Actually, the term on the right-hand side of (LABEL:eq:func11) is not needed here but is needed in on the right-hand side of (3.35) to follow under the maximum criterion. \QED
Remark 3.8 (Non-concatenation)
It is sometimes useful to consider the special case with as random variables over . In this case the above quantities () reduce to
Recall that, so far, upper bounds on the error probability and the divergence distance are based on the averaged criteria as mentioned in Section 1.C. Alternatively, instead of the averaged criteria and , we can define the maximum criteria and as follows.
With these criteria, using Markov inequality ¶¶¶ applied to (3.29) and (3.30), we obtain, instead of Theorem 3.4,
¶¶¶ Set then Markov inequality tells that and Therefore, , where We then keep the message set and throw out the rest to obtain Theorem 3.5. This causes the term to intervene on the right-hand side of (LABEL:eq:func11).
Let be a stationary memoryless wiretap channel with additive cost constraint , then there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that
where it is assumed that satisfies . \QED
Remark 3.9 (Average vs. maximum criteria)
Bound (3.35) is well known in channel coding (cf. Gallager), whereas bound (3.36) is taken into consideration for the first time in this paper.
In channel coding, which of the averaged or the maximum we should take would be rather a matter of preference or the context. On the other hand, however, which of the averaged or the maximum we should take is a serious matter from the viewpoint of secrecy. This is because, even with small , we cannot exclude a possibility that the divergence distance is very large for some particular and hence is also very large, which implies that the message is not saved from a serious risk of successful decryption by Eve. On the other hand, with small , every message is guaranteed to be kept highly confidential against Eve as well. Thus, we prefer the criterion as well as in this paper. \QED
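The gap between the averaged and maximum criteria, and the Markov-inequality expurgation that closes it, can be seen on a small constructed codebook. The following is an added example, not code from the paper: the per-message error probabilities and divergence distances are constructed values, and the threshold factor of 3 is an assumption chosen here, not the constant used in the paper's proof.

```python
import math

def constructed_code(num_messages=1024):
    """Constructed per-message figures: a few messages decode badly or leak badly."""
    err = [0.3 if m % 150 == 7 else 1e-5 for m in range(num_messages)]
    div = [0.5 if m % 200 == 0 else 1e-6 for m in range(num_messages)]
    return err, div

def expurgate(err, div, factor=3.0):
    """Keep messages whose error probability and divergence are both at most
    `factor` times the respective average over the message set.

    By Markov's inequality fewer than 1/factor of the messages exceed each
    threshold, so more than (1 - 2/factor) of them survive both tests.
    """
    n = len(err)
    avg_e = sum(err) / n
    avg_d = sum(div) / n
    kept = [m for m in range(n)
            if err[m] <= factor * avg_e and div[m] <= factor * avg_d]
    return kept, avg_e, avg_d

def summarize(block_length=1000, factor=3.0):
    """Compare averaged and maximum criteria before and after expurgation."""
    err, div = constructed_code()
    kept, avg_e, avg_d = expurgate(err, div, factor)
    return {
        "total": len(err),
        "kept": len(kept),
        "avg_err": avg_e,
        "avg_div": avg_d,
        "max_err_before": max(err),
        "max_div_before": max(div),
        "max_err_after": max(err[m] for m in kept),
        "max_div_after": max(div[m] for m in kept),
        # Rate given up by discarding messages, in nats per channel use.
        "rate_loss_nats": math.log(len(err) / len(kept)) / block_length,
    }

if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>16}: {value}")
```

Before expurgation the average divergence is below 0.003 while six messages sit at 0.5; afterwards every surviving message is within three times the average, at a rate cost that vanishes with block length.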
In view of Remark 3.7, we are tempted to go further over the properties of the functions . In particular, we are interested in the behavior of the functions and In this connection, we have the following lemma, where we let denote the mutual information between the input and its output via the channel .
Assume that and , then