Reliability and Secrecy Functions of the Wiretap Channel under Cost Constraint

 
 
 
 
Reliability and Secrecy Functions of the Wiretap Channel under Cost Constraint

 
 
 
 
 Te Sun Han, ,   Hiroyuki Endo,   Masahide Sasaki
T. S. Han is with the Quantum ICT Laboratory, National Institute of Information and Communications Technology (NICT), Nukui-kitamachi 4-2-1, Koganei, Tokyo,184-8795, Japan (email: han@is.uec.ac.jp, han@nict.go.jp)H. Endo is with the Department of Applied Physics, Waseda University, Okubo 3-4-1, Shinjuku, Tokyo, Japan, and is also a collaborating research fellow of the Quantum ICT Laboratory, NICT (email: h-endo-1212@ruri.waseda.jp, h-endo@nict.go.jp)M. Sasaki is with the Quantum ICT Laboratory, NICT, Nukui-kitamachi 4-2-1, Koganei, Tokyo,184-8795, Japan (email: psasaki@nict.go.jp)
July 21, 2019
Abstract

The wiretap channel has been devised and studied first by Wyner, and subsequently extended to the case with non-degraded general wiretap channels by Csiszár and Körner. Focusing mainly on the stationary memoryless channel with cost constraint, we newly introduce the notion of reliability and secrecy functions as a fundamental tool to analyze and/or design the performance of an efficient wiretap channel system, including binary symmetric wiretap channels, Poisson wiretap channels and Gaussian wiretap channels. Compact formulae for those functions are explicitly given for stationary memoryless wiretap channels. It is also demonstrated that, based on such a pair of reliability and secrecy functions, we can control the tradeoff between reliability and secrecy (usually conflicting), both with exponentially decreasing rates as block length becomes large. Four ways to do so are given on the basis of rate shifting, rate exchange, concatenation and change of cost constraint. Also, the notion of the secrecy capacity is defined and shown to attain the strongest secrecy standard among others. The maximized vs. averaged secrecy measures is also discussed.

reliability function, secrecy function, secrecy measures, Poisson wiretap channel, cost constraint, Gaussian wiretap channel, binary symmetric wiretap channel, tradeoff between reliability and secrecy, concatenation, rate shifting, rate exchange, change of cost constraint

1 Introduction

The pioneering work by Wyner [1] as well as by Csiszár and Körner [2], based on the wiretap channel model, has provided a strong impetus to find a new scheme of the physical layer cryptography in a good balance of usability and secrecy. In particular, they have first formulated the tradeoff between the transmission rate for Bob and the equivocation rate against Eve. Since then, “information theoretic security attracts much attention, because it offers security that does not depend on conjectured difficulties of some computational problem, ” suggested by Associate Editor and there have been extensive studies on various kinds of wiretap channels, which are nicely summarized, e.g., in Laourine and Wagner [3] along with the secrecy capacity formula for the Poisson wiretap channel without cost constraint. Among others, Hayashi [4] is the first who has derived the relevant secrecy exponent function to specify the exponentially decreasing speed (i.e., exponent) of the leaked information under the average secrecy criterion when no cost constraint is considered.
  Throughout in this paper, we are imposed cost constraints (limit on available transmission energy, bandwidth, and so on). We first address, given a general wiretap channel, the primal problem to establish a general formula to simultaneously summarize the reliability performance for Bob and the secrecy performance against Eve under the maximum secrecy criterion. Next, it is shown that both of them are described by using exponentially decaying functions of the code length when a stationary memoryless wiretap channel is considered. This provides the theoretical basis for investigating the asymptotic behavior of reliability and secrecy. We can then specifically quantify achievable reliability exponents and achievable secrecy exponents as well as the tradeoff between them for several important wiretap channel models such as binary symmetric wiretap channels, Poisson wiretap channels, Gaussian wiretap channels. In particular, four ways of the tradeoff to control reliability and secrecy are given and discussed with their novel significance. Also, on the basis of the analysis of these exponents under cost constraint, the new formula for the -secrecy capacity (with the strongest secrecy among others) is established to apply to several typical wiretap channel models. A remarkable feature of this paper is that we first derive the key formulas not depending on respective specific channel models and then apply them to those respective cases to get new insights into each case as well.
  The paper is organized as follows. In Section 2, the definitions of wiretap channel and related notions such as error probability, cost constraint, secrecy capacity and concatenation are introduced along with various kinds of secrecy measures.
  In Section 3.A, we give a fundamental formula to simultaneously evaluate a pair of reliability behavior and secrecy behavior under cost constraint for a general wiretap channel, which is then in Section 3.B, particularized to establish the specific formulas for stationary and memoryless wiretap channels. Here, the notions of reliability function and secrecy function are introduced to evaluate the exponent of the exponentially decreasing decoding error for Bob and that of the exponentially decreasing divergence distance against Eve for the stationary memoryless wiretap channel under cost constraint. This is one of the key results in this paper. We also present their numerical examples to see how the reliability and secrecy exponents vary depending on the channel and cost parameters. Also, superiority of the maximum secrecy criterion to the average secrecy criterion is discussed. In Section 3.C, a strengthening of Theorem 3.3 in Section 3.B is provided. In Section 3.D, the -secrecy capacity formula (with the strongest secrecy) is given under cost constraint, including the formula for a special but important case with more capable wiretap channels.
  In Section 4, four ways for the tradeoff are demonstrated: one is by rate shifting, another one by rate exchange, one more by concatenation, and the other by change of cost constraint, which are discussed in terms of the reliability and secrecy exponents. This section is thus prepared for more quantitative analysis/design of the reliability-secrecy tradeoff.
  In Section 5, the formula for the -secrecy capacity is applied to the Poisson wiretap channel with cost constraint, which is a practical model for free-space Laser communication with a photon counter.
  In Section 6, for Poisson wiretap channels with cost constraint we demonstrate the reliability and secrecy functions as an application of the key theorem established in Section 3.B.
  In Section 7, we investigate the effects of channel concatenation with an auxiliary channel for the Poisson wiretap channel.
  In Section 8, the -secrecy capacity formula for the Gaussian wiretap channel is given as an application of the key theorem established in Section 3.D.
  In Section 9, for the Gaussian wiretap channels with cost constraint we demonstrate the reliability and secrecy functions as an application of the key theorem established in Section 3.B. In particular, these functions are numerically compared with those of Gallager-type, which reveals that a kind of duality exists among them. In Section 10, we conclude the paper.

2 Preliminaries and basic concepts

In this section we give the definition of the wiretap channel. There are several levels and ways to specify the superiority of the legitimate users, Alice and Bob, to the eavesdropper, Eve, such as physically degraded Eve, (statistically) degraded Eve, less noisy Bob, and more capable Bob. In this paper, we are interested mainly in the last class of channels because the other ones imply the last one (cf. Csiszár and Körner [9]).
  We introduce here the necessary notions and notations to quantify the reliability and the secrecy of this kind of wiretap channel model. In particular, we define several kinds of secrecy metrics, including the strongest criterion based on the divergence distance with reference to a target output distribution, while the notion of concatenation of channels is also introduced to construct a possible way to control tradeoff between reliability and secrecy.

A. Wiretap channel

Let be arbitrary alphabets (not necessarily finite), where is called an input alphabet, and are called output alphabets. A general wiretap channel consists of two general channels, i.e., (from Alice for Bob) and (from Alice against Eve), where , are the conditional probabilities of given (of block length ), respectively. Alice wants to communicate with Bob as reliably as possible but as secretly as possible against Eve. We let ( indicate such a wiretap channel.
  Given a message set , we consider a stochastic encoder for Alice and a decoder for Bob , and for let denote the output due to via channel .

B. Cost constraint

From the viewpoint of communication technologies, it is sometimes needed to impose cost constraint on channel inputs. Here we give its formal definition.
  For fix a mapping (the set of nonnegative real numbers) arbitrarily. For we call the cost of and the cost per letter. In the channel coding problem with cost constraint, we require the encoder outputs satisfy

(2.1)

where is an arbitrarily nonnegative given constant, which we call cost constraint . Notice here that the encoder is stochastic. When (2.1) holds, we say that the encoder satisfies the cost constraint and call ( a wiretap channel with cost constraint . Incidentally, define

(2.2)

then (2.1) is rewritten also as

(2.3)
Remark 2.1

Consider the case with and , then in this case it is easy to check that , which means that the wiretap channel is actually imposed no cost constraint. \QED

C. Error probability, secrecy measures and secrecy capacities

Given a wiretap channel () with cost constraint , the error probability (measure of reliability) via channel for Bob is defined to be

(2.4)

whereas the divergence distance (measure 1 of secrecy) and the variational distance (measure 2 of secrecy) via channel against Eve are defined to be

(2.5)
(2.6)

where

where denotes the output probability distribution on via channel due to the input , and is called the target output probability distribution on , which is generated via channel due to an arbitrarily prescribed input distribution on . Specifically, is given by . In this paper the logarithm is taken to the natural base .
  With these two typical measures of secrecy, we can define two kinds of criteria for achievability:

(2.7)
(2.8)

We say that a rate is -achievable if there exists a pair of encoder and decoder satisfying criterion (2.7) and

(2.9)

When there is no fear of confusion, we say simply that a rate is -achievable by dropping cost constraint , and so on also in the sequel. Similarly, we say that a rate is -achievable if there exists a pair of encoder and decoder satisfying criterion (2.8) and (2.9). It should be noted here that criterion (2.7) implies criterion (2.8), owing to Pinsker inequality [10]:

which means that criterion (2.7) is stronger than criterion (2.8).

On the other hand, many people (e.g., Csiszár [7], Hayashi [4]) have used, instead of measure (2.5), the mutual information:

(2.10)

With this measure (measure 3 of secrecy), we may consider one more criterion for achievability (called the i-achievability):

(2.11)

On the other hand, since the identity (Pythagorean theorem):

(2.12)

holds, is a stronger measure than . Moreover, since

always holds by virtue of the triangle axiom of the variational distance, is stronger than (measure 4 of secrecy: cf. [7]), so that criterion (2.8) is stronger than the d-achievability:

(2.13)

Furthermore, one may sometimes prefer to consider the following achievability (called the w-achievability):

(2.14)

which is nothing but the so-called weak secrecy (measure 5 of secrecy). Indeed, this is the weakest criterion among others; its illustrating example will appear in Examples 5.1 and 8.1, while criterion (2.7) is the strongest one and introduced for the first time in this paper. Fig.1 shows the implication scheme among these five measures of secrecy.

Fig. 1: The implication scheme: The arrow means that is stronger than ; means that coincides with when , where is due to [10] and is due to [14]. In the finite alphabet case, exponential decay of (with increasing ) implies that of (cf. [7]).

The secrecy capacities - and between Alice and Bob are defined to be the supremum of all -achievable rates and that of all -achievable rates, respectively. Similarly, the secrecy capacity d- with d-achievability, the secrecy capacity i- with i-achievability as well as the secrecy capacity w- with w-achievability can also be defined.

Remark 2.2

One may wonder if the “strongest” measure of secrecy can be given an operational meaning. In this connection, we would like to cite the paper by Hou and Kramer [8] in which is interpreted as a measure of “non-confusion” and as a measure of “non-stealth,” and is interpreted as the background noise distribution on that Eve detects in advance to the communication between Alice and Bob; thus, in view of (2.12), by making we can not only keep the message secret from Eve but also hide the presence of meaningful communication. Alice can control so as to be most perplexng to Eve. A connection to some hypothesis testing problem is also pointed out. A similar interpretation is given also for with as a measure of “non-confusion” and as a measure of “non-stealth,” because the following inequality holds:

(2.15)
Remark 2.3

We notice that all of , , , and , defined here are the measures averaged over the message set with the uniform distribution. On the other hand, we can consider also the criteria maximized over the message set which will be discussed later in Remark 3.9. \QED

D. Concatenation

In wiretap channel coding it is one of the important problems how to control the tradeoff between the reliability for Bob and the secrecy against Eve. There are several ways to control it. One of these is to make use of the concatenation of the main wiretap channel with an auxiliary (virtual) channel. So, it is convenient to state here its formal definition for later use.

Let be an arbitrary alphabet (not necessarily finite) and let be an arbitrary auxiliary random variable with values in such that forms a Markov chain in this order, where is an input variable for the wiretap channel ; and are the output variables of channels due to the input , respectively.

Definition 2.1

Given a general channel , we define its concatenated channel so that

(2.16)

where We use the convention that, given random variables and , and denote the probability distribution of , and the conditional probability distribution of given , respectively is an arbitrary auxiliary channel. In particular, we say that a pair is a concatenation of the wiretap channel , if

(2.17)
(2.18)

with the auxiliary channel . Notice that if as random variables then these reduce to the non-concenated wiretap channel. \QED

E. Stationary memoryless wiretap channel

In this paper the substantial attention is payed to the special class of wiretap channels called the stationary memoryless wiretap channel, the definition of which is given by

Definition 2.2

A wiretap channel is said to be stationary and memoryless if, with some channels , it holds that

(2.19)

where This wiretap channel may be denoted simply by . \QED

When we are dealing with a stationary memoryless wiretap channel it is usual to assume an additive cost in the sense that where . This enables us to analyze the detailed performances of the wiretap channel, to be shown in the following sections.

3 Evaluation of reliability and secrecy

In this section, the problem of a general wiretap channel with general cost constraint is first studied, and next the problem of a stationary memoryless wiretap channel with additive cost constraint is investigated in details. In particular, with criterion (2.7) we are interested in exponentially decreasing rates of as tends to . Finally, its applicantion to establish a general formula for the -secrecy capacity - with cost constraint is provided.

A. General wiretap channel with cost constraint

Let , be arbitrary general channels and be an arbitrary auxiliary input distribution on , and set

(3.1)
(3.2)

where . Then, we have

Theorem 3.1

Let be a general wiretap channel with general cost constraint , and , be arbitrary positive integers, then there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that

(3.3)
(3.4)
(3.5)

where is a concatenation of (cf. Definition 2.1), and we assume that the condition

(3.6)

holds for the random variable over induced via the auxiliary channel by the input variable subject to on . \QED

Proof: See Appendix A.

Remark 3.1

Formula (3.3) without concatenation is due to Gallager [11], while formulas (3.4), (3.5) without concatenation and cost constraint have first been shown in a different context by Han and Verdú [13, p.768] based on a simple random coding argument, and subsequently developed by Hayashi [4] based on a universal hashing argument to establish the cryptographic implication of channel resolvability (see, also Hayashi [6]). \QED

Remark 3.2

We define the rates and , which is called the coding rate for Bob and the resolvability rate against Eve, respectively. Rate is quite popular in channel coding, whereas rate , roughly speaking, indicates the rate of a large dice with faces to provide randomness needed to implement an efficient stochastic encoder to deceive Eve. \QED

Remark 3.3

In view of (3.6), the concatenated channels as defined by (2.17) and (2.18) can be written as

(3.7)
(3.8)

The reason why we have introduced the concatenated channel instead of the non-concatenated channel can be seen from the following theorem.

Theorem 3.2 (Tradeoff of reliability and secrecy by concatenation)

Concatenation decreases reliability for Bob and increases secrecy against Eve.

Proof:  The quantity in (3.3) is lower bounded, by concavity of the function , as

(3.9)
(3.10)
(3.11)

where . This implies that concatenation decreases reliability for the channel for Bob. On the other hand, the quantity in (3.5) is upper bounded, by convexity of the function , as

(3.12)
(3.13)
(3.14)

which implies that concatenation increases secrecy against the channel for Eve. Thus, we can control the tradeoff between reliability and secrecy (usually conflicting) by adequate choice of an auxiliary channel (e.g., see Fig.4 later for the case of stationary memoryless wiretap channels). Furthermore, it should be noted that in (3.4) also has such a nice tradeoff property like in the above, owing to the convexity in . \QED

B. Stationary memoryless wiretap channel with cost constraint

So far we have studied the performance of general wiretap channels with general cost constraint . Suppose now that we are given a stationary and memoryless wiretap channel , specified by , with additive cost . With this important class of channels, we attempt to bring out specific useful insights on the basis of Theorem 3.1. To do so, let us consider the case in which are i.i.d. variables with common joint distribution

(3.15)

then, the probabilities of and , and the conditional probability of given are written as

(3.16)
(3.17)
(3.18)

respectively, where

It should be noted here that indicates a channel input for , and indicates a channel input for . Accordingly, these specifications define a joint probability distribution on . Also, the concatenated channel in this case is written simply as

(3.19)
(3.20)

Then, we have one of the key results:

Theorem 3.3

Let be a stationary memoryless wiretap channel with additive cost . Let be a joint probability distribution as above, and suppose that the constraint on is satisfied. Then, for any positive integers , , there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that

and

where we have put for simplicity, and are the constants such that or to be specified in the proof. \QED

Proof: See Appendix B.

Remark 3.4 (Two secrecy functions)

So far, we have established evaluation of upper bounds (3.3) and (3.5) when the channel is stationary and memoryless under cost constraint. It should be noted, however, that we did not evaluate upper bound (3.4). This is because (3.4) contains the term with negative power , and hence upper bounding for (3.4) does not work. Thus, we prefer bound (3.5) rather than bound (3.4). \QED

Remark 3.5

Instead of upper bound (B.8) (in the proof of Theorem 3.3) on the characteristic function , i.e., the upper bound

(3.23)

Gallager [11] used the upper bound

(3.24)

where is an arbitrary small constant. Wyner [15] also used upper bound (3.24) for Poisson channels. However, we prefer upper bound (3.23) in this paper (except for in Theorems 9.2 and 9.4 later in Section 9), because it provides us with reasonable evaluation of the reliability and secrecy functions for binary symmetric wiretap channels, for Poisson wiretap channels and also for Gaussian wiretap channels to be treated in this section and in Sections 6, 7 and 9. \QED

Let us now give more compact forms to (LABEL:eq:istan1) and (LABEL:eq:istan2). To do so, let us define a reliability exponent function (or simply, reliability function) for Bob, and a secrecy exponent function (or simply, secrecy function) against Eve, as §§§In the theory of channel coding it is the tradition to use the terminology “reliability functionn” to denote the “optimal” one. Therefore, more exactly, it might be recommended to use the term such as “achievable reliability exponent (function)” and “achievable secrecy exponent (function),” because here we lack the converse results. However, in this paper, simply for convenience with some abuse of the notation, we do not stick to the optimality and prefer to use their shorthands, because in most cases the optimal computable formula is not known. Then, the term “optimal reliability function” with the converse makes sense. Similarly for the “secrecy function.”

where for fixed rates we have set , and

Thus, we have

Theorem 3.4

Let be a stationary memoryless wiretap channel with additive cost constraint , then there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that

(3.29)
(3.30)

where it is assumed that satisfies . \QED

Remark 3.6 (Reliability and secrecy functions)

The function quantifies performance of channel coding (called the random coding exponent of Gallager [11]), whereas the function quantifies performance of channel resolvability (cf. Han and Verdú [13], Han [12], Hayashi [4, 6]).

Remark 3.7

It should be noted that, the third term in on the right-hand side of (LABEL:eq:func11) and the third term in on the right-hand of (LABEL:eq:func12) is both of the order , which approach zero as tends to , so that these terms do not affect the exponents. Actually, the term on the right-hand side of (LABEL:eq:func11) is not needed here but is needed in on the right-hand side of (3.35) to follow under the maximum criterion. \QED

Remark 3.8 (Non-concatenation)

It is sometimes useful to consider the special case with as random variables over . In this case the above quantities () reduce to

(3.31)

where the reliability function with (3.31) with instead of is earlier found in Gallager [11] and (3.31) with instead of applied to Poisson channels is found in Wyner [15], while the secrecy function with (LABEL:eq;halimeq1) intervenes for the first time in this paper. \QED

Recall that, so far, upper bounds on the error probability and the divergence distance are based on the averaged criteria as mentioned in Section 1.C. Alternatively, instead of the averaged criteria and , we can define the maximum criteria and as follows.

(3.33)
(3.34)

With these criteria, using Markov inequality Set then Markov inequality tells that and Therefore, , where We then keep the message set and throw out the rest to obtain Theorem 3.5. This causes the term to intervene on the right-hand side of (LABEL:eq:func11). applied to (3.29) and (3.30), we obtain, instead of Theorem 3.4,

Theorem 3.5

Let be a stationary memoryless wiretap channel with additive cost constraint , then there exists a pair ) of encoder (satisfying cost constraint ) and decoder such that

(3.35)
(3.36)

where it is assumed that satisfies . \QED

Remark 3.9 (Average vs. maximum criteria)

Bound (3.35) is well known in channel coding (cf. Gallager [11]), whereas bound (3.36) is taken into consideration for the first time in this paper.
  In channel coding, which of the averaged or the maximum we should take would be rather a matter of preference or the context. On the other hand, however, which of the averaged or the maximum we should take is a serious matter from the viewpoint of secrecy. This is because, even with small , we cannot exclude a possibility that the divergence distance is very large for some particular and hence is also very large, which implies that the message is not saved from a serious risk of successful decryption by Eve. On the other hand, with small , every message is guaranteed to be kept highly confidential against Eve as well. Thus, we prefer the criterion as well as in this paper. \QED

In view of Remark 3.7, we are tempted to go further over the properties of the functions . In particular, we are interested in the behavior of the functions and In this connection, we have following lemma, where we let denote the mutual information between the input and its output via the channel .

Lemma 3.1

Assume that and , then