Strong Secrecy for Erasure Wiretap Channels

Strong Secrecy for Erasure Wiretap Channels

Abstract

We show that duals of certain low-density parity-check (LDPC) codes, when used in a standard coset coding scheme, provide strong secrecy over the binary erasure wiretap channel (BEWC). This result hinges on a stopping set analysis of ensembles of LDPC codes with block length and girth , for some . We show that if the minimum left degree of the ensemble is , the expected probability of block error is when the erasure probability , where depends on the degree distribution of the ensemble. As long as and , the dual of this LDPC code provides strong secrecy over a BEWC of erasure probability greater than .

I Introduction

The information-theoretic limits of secure communications over public channels were first investigated by Shannon [1]; given a message and its corresponding cryptogram of length , a message is communicated with perfect secrecy if . Shannon proved the disappointing result that perfect secrecy requires a secret key with entropy . In this setting, Wyner subsequently proposed an alternative model for secure communication called a wiretap channel [2], in which all communications occur over noisy channels and the eavesdropper observes a degraded version of the signal received by the legitimate receiver. Wyner introduced the notion of weak secrecy, which requires the leaked information rate to vanish as , and established the weak secrecy capacity, that is the maximum secure communication rate achievable over a wiretap channel under this condition. Maurer and Wolf later highlighted the shortcomings of weak secrecy for cryptographic purposes, and suggested to replace it with the notion of strong secrecy, by which the absolute information should vanish as . Surprisingly, this stronger secrecy requirement does not reduce secrecy capacity [3, 4].

Despite the surge of recent results investigating wiretap channels, the design of coding schemes with provable secrecy rate has not attracted much attention. Some efforts in coding for wiretap channels include [5, 6, 7, 8, 9].

In this work, we revisit the LDPC-based coset coding scheme of [7] for the binary erasure wiretap channel. We first show that the dual of randomly generated LDPC codes can achieve strong secrecy provided the probability of block error of the LDPC codes decays faster than with the block length in a binary erasure channel. Then, we show that for certain small-cycle-free LDPC ensembles, the probability of block error under iterative decoding decays as . We obtain this result by analyzing the stopping sets of LDPC ensembles. Stopping sets [10, 11] determine whether iterative decoding of LDPC codes under erasures will succeed or not. Asymptotic enumeration of stopping sets has been done by several authors (see [12, 13, 14, 15] and references thereof). We follow the approach in [12], where asymptotics of the average block error probability of LDPC codes were derived.

Ensembles of LDPC codes with better than average block error probability are known from prior studies which use expander-based ideas and stopping set expurgation [16, 17]. Expander-based ideas typically require minimum bit node degree of five or above resulting in a decrease in thresholds. Expurgation of stopping sets is usually more difficult to achieve than expurgation of short cycles in random constructions. In our approach, we consider ensembles with finite girth. Restricting the girth results in expected block error probability in irregular ensembles with minimum girth 4 and minimum bit node degree 3. This enables high erasure thresholds and efficient construction methods.

In this work, the code construction for strong secrecy is fundamentally different from Maurer and Wolf’s procedure to obtain strong secrecy from weak secrecy [3]. Maurer and Wolf’s method relies on the equivalence of key-generation with one-way communication and coding for the wiretap channel, while our code construction yields a forward error-control scheme directly. Nevertheless, the constraint imposed in our code construction limits the achievable secrecy rate.

The rest of the paper is organized as follows. In Section II, we briefly review the coset coding scheme for the binary erasure wiretap channel and establish the connection between strong secrecy and the decay of probability of block error with code length. In Section III, we show that the probability of block error for ensembles without short cycles decays fast enough to guarantee strong secrecy.

Ii Secrecy Coding for the Binary Erasure Wiretap Channel

The wiretap channel considered in this work, denoted by , is illustrated in Fig. 1. The channel between the legitimate parties is noiseless while the eavesdropper’s channel is a binary erasure channel with erasure probability (denoted BEC). The secrecy capacity of this wiretap channel is  [2].

1?EveDECODERBobENCODERAlice010
Fig. 1: Binary erasure wiretap channel.

The “coset coding” scheme to communicate secretly over this channel, proposed in [6], is the following. Prior to transmission, Alice and Bob agree on a code with parity check matrix . The coset of with syndrome is denoted by . To transmit a message of bits, Alice transmits a codeword chosen uniformly at random in . Bob decodes his received codeword by forming the syndrome .

The following theorem due to Ozarow and Wyner connects the equivocation of the eavesdropper to algebraic properties of the generator matrix.

Theorem 1 ([6]).

Let be a code with generator matrix , where represents the -th column of . Let be an observation of the eavesdropper with unerased position given by . Let . Then, iff has full rank.

Based on Theorem 1, we can now connect the rate of convergence of to the probability that a submatrix of has full rank.

Lemma 1.

Let be the submatrix of corresponding to the unerased positions in . Let be the probability that is not full rank. Then, a coset coding scheme operates with strong secrecy if the probability is such that for some .

Proof:

We can lower bound as

If , then , which can be made arbitrary small for sufficiently large and . ∎

Let be an LDPC ensemble with variable nodes, left edge degree distributions and right node degree distribution  [15, §3.4] with possibly some expurgations. The degree distributions are from an edge perspective, that is is the fraction of edges connected to a variable node of degree and is similarly defined.

Let denote the probability of block error for codes from over BEC under iterative decoding. An important interpretation of is the following: for a parity-check matrix with degree distribution , is a lower bound on the probability that erased columns of (over a BEC) form a full-rank submatrix. Using this interpretation and results from [7], we have the following immediate corollary of Lemma 1.

Corollary 1.

If there exists such that , () for , then the dual of a code from used in a coset coding scheme provides strong secrecy over a for .

Fig. 2: Weak and strong secrecy regions using duals of LDPC codes

It is immediately clear that we will have , where is the erasure threshold for the ensemble over LDPC codes [15]. As noted in [7], when we have weak secrecy. In view of this, we will have guaranteed weak and strong secrecy regions as illustrated in Fig. 2 by doing “coset coding” using duals of LDPC codes. We know that degree distributions can be optimized so that is very close to the code rate. Since LDPC codes achieve capacity over a BEC, our coding scheme will achieve weak secrecy very close to the secrecy rate and strong secrecy slightly away from the secrecy rate. In the next section, we will show that exists for some restricted ensembles of LDPC codes.

Iii The LDPC ensemble without short cycles

In this section, we study the sub-ensemble of Tanner graphs [15] whose girth is at least for some integer which does not change with the block length . We denote the ensemble of all Tanner graphs by and the sub-ensemble of girth graphs by . We associate sockets to each node of degree . An edge in a Tanner graph is an unordered pair containing one bit node socket and one check node socket. A Tanner graph with edges has sockets on each side. Therefore, the size of the ensemble equal to the number of permutation of the check node sockets, which is . First we show that the size of our sub-ensemble is not negligible compared to the size of the original ensemble as .

Lemma 2 ([18, Corollary 4]).

Let be even positive integers and be an integer. As grows, let . Then, the number of (labeled) -regular bipartite graphs on vertices with girth greater than is

as .

Note that the number of -regular bipartite graphs on vertices is . The following corollary is then immediate.

Corollary 2.

Let be positive even numbers and let be an integer. Let remain constant as . Then, the fraction of regular bipartite graphs that have girth greater than is

as . In particular, this fraction is bounded away from zero for large .

Lemma 3.

Let a irregular Tanner graph ensemble be such that and the coefficients of the degree distribution polynomials are rational. Let be an integer that remains constant with block length . There exists an increasing sequence of positive integers such that the fraction of graphs of girth in is bounded away from zero as .

Proof:

Let be the least common multiple of all the vertex degrees in the graph. Clearly, and it is a function of only and . Let be the smallest positive integer such that

where is the fraction of variable nodes of degree and is the fraction of check nodes of degree [15, §3.4]. Consider the Tanner graph ensemble with variable nodes. We can group of the degree variable nodes to get one variable node of degree . If we do this for all the variable node degrees, we will have a left regular Tanner graph with left degree . Similarly, we can repeat this process for the check nodes to get a regular Tanner graph. Note that in this node grouping process, we preserve the number of edges since the ensemble allows the possibility of multiple edges. The girth of the resultant regular graph is not more than that of the original graph. It can also be noted that there is a one-one correspondence between the graphs in the ensemble and those in the ensemble. By lemma 2, the fraction of graphs with girth in the ensemble, say , is non-zero if is large enough. So, the fraction of graphs in the ensemble with girth is at least . This proves the lemma. ∎

Remark 1.

Let be a graph dependent positive number. Let represent the expectation of over . Let be the expectation over and be the expectation over . We have

where . By lemma 3, there exists a such that for large , we have . Therefore,

This inequality is used to upper bound when it is easier to find an upper bound to .

Iii-a Stopping sets and stopping number

For the sake of clarity and completeness, we restate some of the definitions that were originally stated in [12]. Given a Tanner graph , let be any subset of variable nodes in . Let the (check node) neighbours of be denoted by . is called a stopping set if the degree of all the check nodes in the induced subgraph is at least two. The stopping number of a Tanner graph is defined as the size of its smallest stopping set. For a given Tanner graph, its stopping number is denoted by and the set of all stopping sets is denoted by . The stopping ratio is defined as the ratio of the stopping number to the block length.

The average stopping set distribution is defined as

where the average is taken over all the Tanner graphs in . For any rational , it is assumed that there exists a sequence of strictly increasing block lengths such that for all . We can then define the normalized stopping set distribution as

It was shown that is continuous over the set of rationals and hence, it can be extended to a continuous function over . The critical exponent stopping ratio of a Tanner graph ensemble is defined as

Iii-B Block error probability of short-cycle-free ensembles

In this section, we prove a key result about the average block error probability of short-cycle-free LDPC ensembles, which is central to our claim that the duals of these codes provide strong secrecy. Let be the probability of block error when the code is transmitted over and iteratively decoded. We define [12]

where is the binary entropy function calculated using natural logarithms. Note that , and are calculated over the entire ensemble instead of the girth-restricted ensemble. Instead of calculating directly, we take averages of this quantity over an ensemble of codes and show that the average block error probability over the ensemble decays as fast as we want it to for .

Theorem 2.

For , with minimum variable node degree , maximum variable node degree and maximum check node degree we have

and in the limits of small and large

Proof:

Let be the set of variable nodes corresponding to the random erasures in the LDPC codeword. The iterative decoding fails iff contains a stopping set. So,

For any , we bound using union bound as

Using an argument almost identical to the one used in [12, Theorem 16], we can show that the expectations of the second and the third terms go to zero exponentially as if . Now,

A stopping set of variable nodes can have nodes of different degrees. Let denote the set of all non-negative integer solutions to the equation . We can write

Here, is the number of ways to connect the selected variable nodes to form a stopping set. This number is independent of as long as is just a small fraction of it. We also note that if we increase the degree of all the check nodes in the graph, can only increase. Therefore, we may upper bound by the number of ways to form a stopping set assuming each check node has the maximum possible degree, . The latter number is equal to by elementary combinatorics. We have,

where the last inequality follows from [12, Lemma 18]. If we denote by , we have . So,

If we denote the summand by , we have

if we choose small enough. Also,

Since we have . Again, if we choose small enough, we will have . So, is a non-increasing function and . We now have

Here, and depend only on and . If remains a constant as , we have

(1)

Also,

Using , , ,

Choosing such that and ,

where depends only on and .

If is small enough, then the summation in the above equation is bounded by a decreasing geometric sum. So,

(2)

as and . ∎

From the above theorem, the average block error probability in our ensemble decays faster than for and . This correpsonds to LDPC ensembles with a minimum bit node degree of at least 3 and girth at least 4. By corollary 1, the duals of these LDPC codes achieve strong secrecy over a BEWC of erasure probability .

The (3, 6) regular LDPC ensemble has , and rate . When duals of codes in this ensemble are used on , a secret communication rate of 0.5 is achieved with weak secrecy when and with strong secrecy when . Our numerical calculations indicate that some of the degree distributions that are optimized for very high have .

Iv Conclusion and future directions

In this work, we have shown that duals of LDPC codes with girth greater than 4 and minimum left degree at least achieve strong secrecy on the binary erasure wiretap channel. LDPC ensembles with degree 2 nodes play an important role in achieving capacity on the binary erasure channel. Further study is required on the relationship between these LDPC codes and strong secrecy. Another research possibility involves optimizing the degree distributions to find LDPC ensembles with a very high for a given rate.

References

  1. C. E. Shannon, “Communication Theory of Secrecy Systems,” Bell System Technical Journal, vol. 28, pp. 656–715, 1948.
  2. A. D. Wyner, “The Wire-Tap Channel,” Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1367, October 1975.
  3. U. M. Maurer and S. Wolf, “Information-Theoretic Key Agreement: From Weak to Strong Secrecy for Free,” in Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science.   B. Preneel, 2000, p. 351.
  4. I. Csiszár, “Almost Independence and Secrecy Capacity,” Problems of Information Transmission, vol. 32, no. 1, pp. 40–47, January-March 1996.
  5. C. H. Bennett, G. Brassard, C. Crépeau, and U. Maurer, “Generalized Privacy Amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915–1923, November 1995.
  6. L. H. Ozarow and A. D. Wyner, “Wire Tap Channel II,” AT&T Bell Laboratories Technical Journal, vol. 63, no. 10, pp. 2135–2157, December 1984.
  7. A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J.-M. Merolla, “Applications of LDPC Codes to the Wiretap Channels,” IEEE Trans. Inf. Theory, vol. 53, no. 8, pp. 2933–2945, Aug. 2007.
  8. R. Liu, Y. Liang, H. V. Poor, and P. Spasojević, “Secure Nested Codes for Type II Wiretap Channels,” in Proceedings of IEEE Information Theory Workshop, Lake Tahoe, California, USA, September 2007, pp. 337–342.
  9. G. Cohen and G. Zemor, “Syndrome-Coding for the Wiretap Channel Revisited,” in Proc. IEEE Information Theory Workshop, Chengdu, China, October 2006, pp. 33–36.
  10. C. Di, D. Proietti, I. Telatar, T. Richardson, and R. Urbanke, “Finite-length analysis of low-density parity-check codes on the binary erasure channel,” Information Theory, IEEE Transactions on, vol. 48, no. 6, pp. 1570 –1579, jun 2002.
  11. T. Richardson and R. Urbanke, “The capacity of low-density parity-check codes under message-passing decoding,” Information Theory, IEEE Transactions on, vol. 47, no. 2, pp. 599 –618, feb 2001.
  12. A. Orlitsky, K. Viswanathan, and J. Zhang, “Stopping set distribution of LDPC code ensembles,” IEEE Transactions on Information Theory, vol. 51, no. 3, pp. 929 –953, march 2005.
  13. O. Milenkovic, E. Soljanin, and P. Whiting, “Asymptotic spectra of trapping sets in regular and irregular ldpc code ensembles,” Information Theory, IEEE Transactions on, vol. 53, no. 1, pp. 39 –55, jan. 2007.
  14. D. Burshtein and G. Miller, “Asymptotic enumeration methods for analyzing ldpc codes,” Information Theory, IEEE Transactions on, vol. 50, no. 6, pp. 1115 – 1131, june 2004.
  15. T. Richardson and R. Urbanke, Modern Coding Theory.   Cambridge University Press, 2008.
  16. S. Korada and R. Urbanke, “Exchange of limits: Why iterative decoding works,” in Information Theory, 2008. ISIT 2008. IEEE International Symposium on, july 2008, pp. 285 –289.
  17. A. Amraoui, A. Montanari, T. Richardson, and R. Urbanke, “Finite-length scaling for iteratively decoded ldpc ensembles,” Information Theory, IEEE Transactions on, vol. 55, no. 2, pp. 473 –498, feb. 2009.
  18. B. D. McKay, N. C. Wormald, and B. Wysocka, “Short cycles in random regular graphs,” Electr. J. Comb., vol. 11, no. 1, 2004.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
137593
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description