
Achieving Secrecy Capacity of the Gaussian Wiretap Channel with Polar Lattices

arXiv:1503.02313v1 [cs.IT] 8 Mar 2015

Ling Liu, Yanfei Yan, and Cong Ling Member, IEEE

Abstract: In this work, an explicit wiretap coding scheme based on polar lattices is proposed to achieve the secrecy capacity of the additive white Gaussian noise (AWGN) wiretap channel. Firstly, polar lattices are used to construct secrecy-good lattices for the mod-$\Lambda_s$ Gaussian wiretap channel. Then we propose an explicit shaping scheme to remove this mod-$\Lambda_s$ front end and extend polar lattices to the genuine Gaussian wiretap channel. The shaping technique is based on the lattice Gaussian distribution, which leads to a binary asymmetric channel at each level for the multilevel lattice codes. By employing the asymmetric polar coding technique, we construct an AWGN-good lattice and a secrecy-good lattice with optimal shaping simultaneously. As a result, the encoding complexity for the sender and the decoding complexity for the legitimate receiver are both $O(N \log N \log(\log N))$. The proposed scheme is proven to be semantically secure.

I. INTRODUCTION

Wyner [1] introduced the wiretap channel model and showed that both reliability and confidentiality could be attained by coding without any key bits if the channel between the sender and the eavesdropper (wiretapper’s channel $W$) is degraded with respect to the channel between the sender and the legitimate receiver (main channel $V$). The goal of wiretap coding is to design a coding scheme that makes it possible to communicate both reliably and securely between the sender and the legitimate receiver. Reliability is measured by the decoding error probability for the legitimate user, namely $\lim_{N\to\infty} \Pr\{\hat{M} \neq M\} = 0$, where $N$ is the length of transmitted codeword, $M$ is the confidential message and $\hat{M}$ is its estimation. Secrecy is measured by the mutual information between $M$ and the signal received by the eavesdropper $Z^{[N]}$. In this work, we will follow the strong secrecy condition proposed by Csiszár [2], i.e., $\lim_{N\to\infty} I(M; Z^{[N]}) = 0$, which is more widely accepted than the weak secrecy criterion $\lim_{N\to\infty} \frac{1}{N} I(M; Z^{[N]}) = 0$. In simple terms, the secrecy capacity is defined as the maximum achievable rate under both the reliability and strong secrecy conditions. When $W$ is degraded with respect to $V$, the secrecy capacity is given by $C(V) - C(W)$ [3], where $C(\cdot)$ denotes the channel capacity.

This work was supported in part by FP7 project PHYLAWS (EU FP7-ICT 317562) and in part by the China Scholarship Council. This work was/will be presented at the IEEE Int. Symp. Inform. Theory (ISIT), Honolulu, USA, 2014 and the IEEE Inform. Theory Workshop, Jerusalem, ISRAEL, 2015. Ling Liu, Yanfei Yan and Cong Ling are with the Department of Electrical and Electronic Engineering, Imperial College London, London, UK.

March 10, 2015

DRAFT


In the study of strong secrecy, plaintext messages are often assumed to be random and uniformly distributed. From a cryptographic point of view, it is crucial that the security does not rely on the distribution of the message. This issue can be resolved by using the standard notion of semantic security [4] which means that, asymptotically, it is impossible to estimate any function of the message better than to guess it without accessing $Z^{[N]}$ at all. The relation between strong secrecy and semantic security was recently revealed in [5], [6], namely, semantic security is equivalent to achieving strong secrecy for all distributions $p_M$ of the plaintext messages:

$$\lim_{N\to\infty} \max_{p_M} I(M; Z^{[N]}) = 0. \tag{1}$$

Fig. 1. The Gaussian wiretap channel. (Block diagram; labels: Alice, Encoder, AWGN, Decoder, Bob, AWGN, Eve.)

In this work, we construct lattice codes for the Gaussian wiretap channel (GWC) which is shown in Fig. 1. The confidential message $M$ drawn from the message set $\mathcal{M}$ is encoded by the sender (Alice) into an $N$-dimensional codeword $X^{[N]}$. The outputs $Y^{[N]}$ and $Z^{[N]}$ received by the legitimate receiver (Bob) and the eavesdropper Eve are respectively given by

$$Y^{[N]} = X^{[N]} + W_b^{[N]}, \qquad Z^{[N]} = X^{[N]} + W_e^{[N]},$$

where $W_b^{[N]}$ and $W_e^{[N]}$ are $N$-dimensional Gaussian noise vectors with zero mean and variance $\sigma_b^2$, $\sigma_e^2$ respectively. The channel input $X^{[N]}$ satisfies the power constraint $P_s$, i.e.,

$$\frac{1}{N} E[\|X^{[N]}\|^2] \le P_s.$$

Polar codes [7] have shown their great potential in solving the wiretap coding problem. The polar coding scheme proposed in [8], combined with the block Markov coding technique [9], was proved to achieve the strong secrecy capacity when $W$ and $V$ are both binary-input symmetric channels, and $W$ is degraded with respect to $V$. For continuous channels such as the GWC, there also has been notable progress in wiretap lattice coding. On the theoretical aspect, the existence of lattice codes achieving the secrecy capacity to within $\frac{1}{2}$ nat under the strong secrecy as well as semantic security criterion was demonstrated in [6]. On the practical aspect, wiretap lattice codes were proposed in [10] and [11] to maximize the eavesdropper’s decoding error probability.


A. Our contribution

Polar lattices, the counterpart of polar codes in the Euclidean space, have already been proved to be additive white Gaussian noise (AWGN)-good [12] and further to achieve the AWGN channel capacity with lattice Gaussian shaping [13]¹. Motivated by [8], we will propose polar lattices to achieve both strong secrecy and reliability over the mod-$\Lambda_s$ GWC. Conceptually, this polar lattice structure can be regarded as a secrecy-good lattice $\Lambda_e$ nested within an AWGN-good lattice $\Lambda_b$ ($\Lambda_e \subset \Lambda_b$). Further, we will propose a Gaussian shaping scheme over $\Lambda_b$ and $\Lambda_e$, using the multilevel asymmetric polar coding technique. As a result, we will accomplish the design of an explicit lattice coding scheme which achieves the secrecy capacity of the GWC, under the semantic security criterion. The novel technical contribution of this paper is two-fold:

• The construction of secrecy-good polar lattices for the mod-$\Lambda_s$ GWC and the proof of their secrecy capacity-achieving. This is an extension of the binary symmetric wiretap coding [8] to the multilevel coding scenario, and can also be considered as the construction of secrecy-good polar lattices for the GWC without the power constraint. The construction for the mod-$\Lambda_s$ GWC provides considerable insight into wiretap coding for the genuine GWC, without deviating to the technicality of Gaussian shaping. This work is also of independent interest to other problems of information theoretic security, e.g., secret key generation from Gaussian sources [17].

• The Gaussian shaping applied to the secrecy-good polar lattice, which follows the footpath of [13]. The resultant coding scheme is proved to achieve the secrecy capacity of the GWC. This coding scheme is further proved to be semantically secure. The idea follows the conception of [6], where lattice Gaussian sampling was employed to obtain semantic security. It is worth mentioning that our proposed coding scheme is not only a practical implementation of the secure random lattice coding in [6], but also an improvement in the sense that we successfully remove the constant $\frac{1}{2}$-nat gap to the secrecy capacity. Moreover, the reliability benefits from lattice Gaussian shaping, and the block Markov coding technique to handle the problematic set [9] is not required any more.

B. Comparison with the extractor-based approach

Invertible randomness extractors were introduced into wiretap coding in [5], [18], [19]. The key idea is that an extractor is used to convert a capacity-achieving code with rate close to $C(V)$ for the main channel into a wiretap code with the rate close to $C(V) - C(W)$. Later, this coding scheme was extended to the GWC in [20]. Besides, channel resolvability [21] was proposed as a tool for wiretap codes. An interesting connection between the resolvability and the extractor was revealed in [22].

The proposed approach and the one based on invertible extractors have their respective advantages. The extractor-based approach is modular, i.e., the error-correction code and extractor are realized separately; it is possible to harness the results of invertible extractors in literature. The advantage of our lattice-based scheme is that the wiretap code designed for Eve is nested within the capacity-achieving code designed for Bob, which represents an integrated approach. More importantly, lattice codes are attractive for emerging applications in network information theory thanks to their useful structures [14], [23]; thus the proposed scheme may fit better with this landscape when security is a concern [24].

¹ Please refer to [14]–[16] for other methods of achieving the AWGN channel capacity.

C. Outline of the paper

The paper is organized as follows: Section II presents some preliminaries of lattice codes. In Section III we construct secrecy-good polar lattices for the mod-$\Lambda_s$ GWC, using the binary symmetric polar wiretap coding and multilevel lattice structure [25]. The original polar wiretap code in [8] is slightly modified to be compatible with the following shaping operation. In Section IV, we show how to implement the discrete Gaussian shaping over the polar lattice to remove the mod-$\Lambda_s$ front end, using the polar coding technique for asymmetric channels. Then we prove that our wiretap lattice coding achieves the secrecy capacity with shaping. Furthermore, the strong secrecy is extended to semantic security. Finally, we discuss the relationship between the lattice constructions with and without shaping in Section V.

D. Notations

All random variables (RVs) will be denoted by capital letters. Let $P_X$ denote the probability distribution of a RV $X$ taking values $x$ in a set $\mathcal{X}$ and let $H(X)$ denote its entropy. For multilevel coding, we denote by $X_\ell$ a RV $X$ at level $\ell$. The $i$-th realization of $X_\ell$ is denoted by $x_\ell^i$. We also use the notation $x_\ell^{i:j}$ as a shorthand for a vector $(x_\ell^i, ..., x_\ell^j)$, which is a realization of RVs $X_\ell^{i:j} = (X_\ell^i, ..., X_\ell^j)$. Similarly, xiℓ: will denote the realization of the i-th RVs from level ℓ to level , i.e., of Xiℓ: = (Xiℓ , ..., Xi ). For a set $\mathcal{I}$, $\mathcal{I}^c$ denotes its complement set, and $|\mathcal{I}|$ represents its cardinality. For an integer $N$, $[N]$ will be used to denote the set of all integers from 1 to $N$. $W$ and $\tilde{W}$ will be used to denote a binary memoryless asymmetric (BMA) channel and a binary memoryless symmetric (BMS) channel respectively. Following the notation of [7], we denote $N$ independent uses of channel $W$ by $W^N$. By channel combining and splitting, we get the combined channel $W_N$ and the $i$-th subchannel $W_N^{(i)}$. Specifically, for a channel $W_\ell$ at level $\ell$, $W_\ell^N$, $W_{\ell,N}$ and $W_\ell^{(i,N)}$ are used to denote its $N$ independent expansion, the combined channel and the $i$-th subchannel after polarization. $1(\cdot)$ denotes the indicator function. Throughout this paper, we use the binary logarithm, denoted by log, and information is measured in bits.

II. PRELIMINARIES OF LATTICE CODES

A. Definitions

A lattice is a discrete subgroup of $\mathbb{R}^n$ which can be described by $\Lambda = \{\lambda = Bx : x \in \mathbb{Z}^n\}$, where $B$ is the $n$-by-$n$ lattice generator matrix and we always assume that it has full rank in this paper.


For a vector $x \in \mathbb{R}^n$, the nearest-neighbor quantizer associated with $\Lambda$ is $Q_\Lambda(x) = \arg\min_{\lambda\in\Lambda} \|\lambda - x\|$. We define the modulo lattice operation by $x \bmod \Lambda \triangleq x - Q_\Lambda(x)$. The Voronoi region of $\Lambda$, defined by $\mathcal{V}(\Lambda) = \{x : Q_\Lambda(x) = 0\}$, specifies the nearest-neighbor decoding region. The Voronoi cell is one example of a fundamental region of the lattice. A measurable set $\mathcal{R}(\Lambda) \subset \mathbb{R}^n$ is a fundamental region of the lattice $\Lambda$ if $\cup_{\lambda\in\Lambda}(\mathcal{R}(\Lambda) + \lambda) = \mathbb{R}^n$ and if $(\mathcal{R}(\Lambda) + \lambda) \cap (\mathcal{R}(\Lambda) + \lambda')$ has measure 0 for any $\lambda \neq \lambda'$ in $\Lambda$. The volume of a fundamental region is equal to that of the Voronoi region $\mathcal{V}(\Lambda)$, which is given by $\mathrm{Vol}(\Lambda) = |\det(B)|$.

The theta series of $\Lambda$ (see, e.g., [26, p.70]) is defined as

$$\Theta_\Lambda(\tau) = \sum_{\lambda\in\Lambda} e^{-\pi\tau\|\lambda\|^2}, \quad \tau > 0.$$

In this paper, to satisfy the reliability condition for Bob, we are mostly concerned with the block error probability $P_e(\Lambda, \sigma^2)$ of lattice decoding. It is the probability $\Pr\{x \notin \mathcal{V}(\Lambda)\}$ that an $n$-dimensional independent and identically distributed (i.i.d.) Gaussian noise vector $x$ with zero mean and variance $\sigma^2$ per dimension falls outside the Voronoi region $\mathcal{V}(\Lambda)$. For an $n$-dimensional lattice $\Lambda$, define the volume-to-noise ratio (VNR) of $\Lambda$ by

$$\gamma_\Lambda(\sigma) \triangleq \frac{\mathrm{Vol}(\Lambda)^{2/n}}{\sigma^2}.$$

Then we introduce the notion of lattices which are good for the AWGN channel without power constraint.

Definition 1 (AWGN-good lattices): A sequence of lattices $\Lambda_b$ of increasing dimension $n$ is AWGN-good if, for any fixed $P_e(\Lambda_b, \sigma^2) \in (0, 1)$,

$$\lim_{n\to\infty} \gamma_{\Lambda_b}(\sigma) = 2\pi e$$

and if, for a fixed VNR greater than $2\pi e$, $P_e(\Lambda_b, \sigma^2)$ goes to 0 as $n \to \infty$.

It is worth mentioning here that we do not insist on exponentially vanishing error probabilities, unlike Poltyrev’s original treatment of good lattices for coding over the AWGN channel [27]. This is because a sub-exponential or polynomial decay of the error probability is often good enough.

B. Flatness Factor and Lattice Gaussian Distribution

For $\sigma > 0$ and $c \in \mathbb{R}^n$, the Gaussian distribution of mean $c$ and variance $\sigma^2$ is defined as

$$f_{\sigma,c}(x) = \frac{1}{(\sqrt{2\pi}\sigma)^n} e^{-\frac{\|x-c\|^2}{2\sigma^2}},$$

for all $x \in \mathbb{R}^n$. For convenience, let $f_\sigma(x) = f_{\sigma,0}(x)$. Given lattice $\Lambda$, we define the $\Lambda$-periodic function

$$f_{\sigma,\Lambda}(x) = \sum_{\lambda\in\Lambda} f_{\sigma,\lambda}(x) = \frac{1}{(\sqrt{2\pi}\sigma)^n} \sum_{\lambda\in\Lambda} e^{-\frac{\|x-\lambda\|^2}{2\sigma^2}},$$

for $x \in \mathbb{R}^n$.

The flatness factor is defined for a lattice $\Lambda$ as [6]

$$\epsilon_\Lambda(\sigma) \triangleq \max_{x\in\mathcal{R}(\Lambda)} |\mathrm{Vol}(\Lambda) f_{\sigma,\Lambda}(x) - 1|.$$


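It can be interpreted as the maximum variation of $f_{\sigma,\Lambda}(x)$ from the uniform distribution over $\mathcal{R}(\Lambda)$. The flatness factor can be calculated using the theta series [6]:

$$\epsilon_\Lambda(\sigma) = \left(\frac{\gamma_\Lambda(\sigma)}{2\pi}\right)^{\frac{n}{2}} \Theta_\Lambda\left(\frac{1}{2\pi\sigma^2}\right) - 1.$$

We define the discrete Gaussian distribution over $\Lambda$ centered at $c \in \mathbb{R}^n$ as the following discrete distribution taking values in $\lambda \in \Lambda$:

$$D_{\Lambda,\sigma,c}(\lambda) = \frac{f_{\sigma,c}(\lambda)}{f_{\sigma,c}(\Lambda)}, \quad \forall \lambda \in \Lambda,$$

where $f_{\sigma,c}(\Lambda) \triangleq \sum_{\lambda\in\Lambda} f_{\sigma,c}(\lambda) = f_{\sigma,\Lambda}(c)$. Again for convenience, we write $D_{\Lambda,\sigma} = D_{\Lambda,\sigma,0}$.

It is also useful to define the discrete Gaussian distribution over a coset of $\Lambda$, i.e., the shifted lattice $\Lambda - c$:

$$D_{\Lambda-c,\sigma}(\lambda - c) = \frac{f_\sigma(\lambda - c)}{f_{\sigma,c}(\Lambda)}, \quad \forall \lambda \in \Lambda.$$

Note the relation $D_{\Lambda-c,\sigma}(\lambda - c) = D_{\Lambda,\sigma,c}(\lambda)$, namely, they are a shifted version of each other. If the flatness factor is negligible, the discrete Gaussian distribution over a lattice preserves the capacity of the AWGN channel.

Theorem 1 (Mutual information of discrete Gaussian distribution [28]): Consider an AWGN channel $Y = X + E$ where the input constellation $X$ has a discrete Gaussian distribution $D_{\Lambda-c,\sigma_s}$ for arbitrary $c \in \mathbb{R}^n$, and where the variance of the noise $E$ is $\sigma^2$. Let the average signal power be $P_s$ so that $\mathrm{SNR} = P_s/\sigma^2$, and let $\tilde{\sigma} \triangleq \frac{\sigma_s\sigma}{\sqrt{\sigma_s^2+\sigma^2}}$. Then, if $\varepsilon = \epsilon_\Lambda(\tilde{\sigma})$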
1 − 2−N β } = lim {i : Z( N m→∞ N

˜) I(W ˜ ), 1 − I(W

which means the proportion of such roughly error-free subchannels (with negligible Bhattacharyya parameters) approaches the channel capacity $I(\tilde{W})$. The set of the indices of all those almost error-free subchannels is usually called the information set $\mathcal{I}$ and its complement is called the frozen set $\mathcal{F}$. Consequently, the construction of capacity-achieving polar codes is simply to identify the indices in the information set $\mathcal{I}$. However, for a general BMS channel other than the binary erasure channel, the complexity of the exact computation of $\tilde{Z}(\tilde{W}_N^{(i)})$ appears to be exponential in the block length $N$. An efficient estimation method for $\tilde{Z}(\tilde{W}_N^{(i)})$ was proposed in [31], using the idea of channel upgrading and degrading. It was shown that with a sufficient number of quantization levels, the approximation error is negligible even if $\tilde{W}$ has continuous output, and the involved computational complexity is acceptable.

In [7], a bit-wise decoding method called successive cancellation (SC) decoding was proposed to show that polar codes are able to achieve channel capacity with vanishing error probability. This decoding method has complexity $O(N \log N)$, and the error probability is given by $P_e^{SC} \le \sum_{i\in\mathcal{I}} \tilde{Z}(\tilde{W}_N^{(i)})$.

B. Polar codes for the binary symmetric wiretap channel

Now we revisit the construction of polar codes for the binary symmetric wiretap channel. We use $\tilde{V}$ and $\tilde{W}$ to denote the symmetric main channel between Alice and Bob and the symmetric wiretap channel between Alice and Eve, respectively. Both $\tilde{V}$ and $\tilde{W}$ have binary input $X$ and $\tilde{W}$ is degraded with respect to $\tilde{V}$. Let $Y$ and $Z$ denote the output of $\tilde{V}$ and $\tilde{W}$. After the channel combination and splitting of $N$ independent uses of $\tilde{V}$ and $\tilde{W}$ by the polarization transform $U^{[N]} = X^{[N]} G_N$, we define the sets of reliability-good indices for Bob and information-poor indices for Eve as

$$\mathcal{G}(\tilde{V}) = \{i : \tilde{Z}(\tilde{V}_N^{(i)}) \le 2^{-N^\beta}\}, \qquad \mathcal{N}(\tilde{W}) = \{i : \tilde{Z}(\tilde{W}_N^{(i)}) \ge 1 - 2^{-N^\beta}\}, \tag{3}$$

where $0 < \beta < 0.5$ and $\tilde{V}_N^{(i)}$ ($\tilde{W}_N^{(i)}$) is the $i$-th subchannel of the main channel (wiretapper’s channel) after the polarization transform.

Note that in the seminal paper [8] of polar wiretap coding, the information-poor set $\mathcal{N}(\tilde{W})$ was defined as $\{i : I(\tilde{W}^{(i,N)}) \le 2^{-N^\beta}\}$. In contrast, our criterion here is based on the Bhattacharyya parameter². This slight modification will bring us much convenience when lattice shaping is involved in Sect. IV. The following lemma shows that the modified criterion is similar to the original one in the sense that the mutual information of the subchannels with indices in $\mathcal{N}(\tilde{W})$ can still be bounded in the same form.

Lemma 1: Let $\tilde{W}_N^{(i)}$ be the $i$-th subchannel after the polarization transform on $N$ independent uses of a BMS channel $\tilde{W}$. If $\tilde{Z}(\tilde{W}_N^{(i)}) \ge 1 - 2^{-N^\beta}$, the mutual information of the $i$-th subchannel can be upper-bounded as

$$I(\tilde{W}_N^{(i)}) \le 2^{-N^{\beta'}}, \quad 0 < \beta' < \beta < 0.5,$$

for sufficiently large $N$.

Proof: When $\tilde{W}$ is symmetric, $\tilde{W}_N^{(i)}$ is symmetric as well. By [7, Proposition 1], we have

$$I(\tilde{W}_N^{(i)}) \le \sqrt{1 - \tilde{Z}(\tilde{W}_N^{(i)})^2} \le \sqrt{2 \cdot 2^{-N^\beta}} \le 2^{-N^{\beta'}},$$

where the last inequality holds for sufficiently large $N$.

Since the mutual information of subchannels in $\mathcal{N}(\tilde{W})$ can be upper-bounded in the same form, it is not difficult to understand that strong secrecy can be achieved using the index partition proposed in [8]. Similarly, we divide the index set $[N]$ into the following four sets:

$$\mathcal{A} = \mathcal{G}(\tilde{V}) \cap \mathcal{N}(\tilde{W}), \quad \mathcal{B} = \mathcal{G}(\tilde{V}) \cap \mathcal{N}(\tilde{W})^c, \quad \mathcal{C} = \mathcal{G}(\tilde{V})^c \cap \mathcal{N}(\tilde{W}), \quad \mathcal{D} = \mathcal{G}(\tilde{V})^c \cap \mathcal{N}(\tilde{W})^c. \tag{4}$$

Clearly, $\mathcal{A} \cup \mathcal{B} \cup \mathcal{C} \cup \mathcal{D} = [N]$. Then we assign set $\mathcal{A}$ with message bits $M$, set $\mathcal{B}$ with random bits $R$, set $\mathcal{C}$ with frozen bits $F$ which are known to both Bob and Eve prior to transmission, and set $\mathcal{D}$ with random bits $R$. The next lemma shows that this assignment achieves strong secrecy. We note that this proof is similar to that in [9] and it is given in Appendix A.

² This idea has already been used in [8] to prove that polar wiretap coding scheme is secrecy capacity-achieving.


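Lemma 2: According to the partitions of the index set shown in (4), if we assign the four sets as follows

$$\mathcal{A} \leftarrow M, \quad \mathcal{B} \leftarrow R, \quad \mathcal{C} \leftarrow F, \quad \mathcal{D} \leftarrow R, \tag{5}$$

the information leakage $I(M; Z^{[N]})$ can be upper-bounded as

$$I(M; Z^{[N]}) \le N \cdot 2^{-N^{\beta'}}, \quad 0 < \beta' < 0.5. \tag{6}$$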
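The partition (4) and assignment (5), worked as an added example that is not part of the paper: it assumes both channels are binary erasure channels (BEC), for which the Bhattacharyya parameters follow an exact recursion, and the erasure probabilities 0.1 and 0.6, the block lengths and β = 0.3 are sample values chosen here.

```python
def bec_subchannels(erasure, n):
    """Return [(Z_i, I_i)] for the N = 2^n polarized subchannels of BEC(erasure).

    For a BEC the Bhattacharyya parameter Z equals the erasure probability and
    I = 1 - Z.  Both are tracked with their own recursion so that values very
    close to 0 and to 1 keep full floating-point accuracy.
    """
    chans = [(erasure, 1.0 - erasure)]
    for _ in range(n):
        nxt = []
        for z, i in chans:
            nxt.append((z * (2.0 - z), i * i))   # "minus" channel: Z -> 2Z - Z^2, I -> I^2
            nxt.append((z * z, i * (2.0 - i)))   # "plus" channel:  Z -> Z^2,      I -> 2I - I^2
        chans = nxt
    return chans


def wiretap_partition(eps_b, eps_e, n, beta=0.3):
    """Split [N] into the sets A, B, C, D of (4) for main BEC(eps_b), wiretap BEC(eps_e)."""
    N = 2 ** n
    t = 2.0 ** (-(N ** beta))                    # threshold 2^{-N^beta} from (3)
    main = bec_subchannels(eps_b, n)
    tap = bec_subchannels(eps_e, n)
    sets = {"A": [], "B": [], "C": [], "D": []}
    for i in range(N):
        good_for_bob = main[i][0] <= t           # i in G(V): Z(V^(i)) <= t
        poor_for_eve = tap[i][1] <= t            # i in N(W): Z(W^(i)) >= 1 - t, i.e. 1 - Z <= t
        if good_for_bob:
            sets["A" if poor_for_eve else "B"].append(i)   # message bits / random bits
        else:
            sets["C" if poor_for_eve else "D"].append(i)   # frozen bits / random bits
    return sets, main, tap, t


def summarize(eps_b, eps_e, n, beta=0.3):
    """Message rate |A|/N, size of the problematic set D, and Eve's subchannel
    mutual information summed over the message indices."""
    sets, _, tap, t = wiretap_partition(eps_b, eps_e, n, beta)
    N = 2 ** n
    return {
        "N": N,
        "threshold": t,
        "rate": len(sets["A"]) / N,
        "secrecy_capacity": eps_e - eps_b,       # C(V) - C(W) for two BECs
        "frac_D": len(sets["D"]) / N,
        "eve_info_on_A": sum(tap[i][1] for i in sets["A"]),
    }


if __name__ == "__main__":
    for n in (10, 12, 14, 16):
        s = summarize(0.1, 0.6, n)
        print("N=%6d  |A|/N=%.4f  (C(V)-C(W)=%.2f)  |D|/N=%.4f  sum_A I(W_i)=%.3e"
              % (s["N"], s["rate"], s["secrecy_capacity"], s["frac_D"], s["eve_info_on_A"]))
```

The index order produced by the recursion does not affect the set sizes; only the per-index pair (Z for Bob, Z for Eve) matters for the partition.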

With regard to the secrecy rate, we show that the modified polar coding scheme can also achieve the secrecy capacity.

Lemma 3: Let $C(\tilde{V})$ and $C(\tilde{W})$ denote the channel capacity of the main channel $\tilde{V}$ and wiretap channel $\tilde{W}$ respectively. Since $\tilde{W}$ is degraded with respect to $\tilde{V}$, the secrecy capacity, which is given by $C(\tilde{V}) - C(\tilde{W})$, is achievable using the modified wiretap coding scheme, i.e.,

$$\lim_{N\to\infty} |\mathcal{G}(\tilde{V}) \cap \mathcal{N}(\tilde{W})|/N = C(\tilde{V}) - C(\tilde{W}).$$

Proof: See Appendix B.

We can also observe that the proportion of the problematic set $\mathcal{D}$ is arbitrarily small when $N$ is sufficiently large. This is because set $\mathcal{D}$ is a subset of the unpolarized set $\{i : 2^{-N^\beta} < \tilde{Z}(\tilde{V}_N^{(i)}) < 1 - 2^{-N^\beta}\}$. As has been shown in [8], the reliability condition cannot be fulfilled with SC decoding due to the existence of $\mathcal{D}$. Fortunately, we can use the blocking technique proposed in [9] to achieve reliability and strong secrecy simultaneously.

C. Secrecy-good polar lattices

A sublattice $\Lambda' \subset \Lambda$ induces a partition (denoted by $\Lambda/\Lambda'$) of $\Lambda$ into equivalence classes modulo $\Lambda'$. The order of the partition is denoted by $|\Lambda/\Lambda'|$, which is equal to the number of cosets. If $|\Lambda/\Lambda'| = 2$, we call this a binary partition. Let $\Lambda/\Lambda_1/\cdots/\Lambda_{r-1}/\Lambda'$ for $r \ge 1$ be an $n$-dimensional lattice partition chain. For each partition $\Lambda_{\ell-1}/\Lambda_\ell$ ($1 \le \ell \le r$ with convention $\Lambda_0 = \Lambda$ and $\Lambda_r = \Lambda'$) a code $C_\ell$ over $\Lambda_{\ell-1}/\Lambda_\ell$ selects a sequence of representatives $a_\ell$ for the cosets of $\Lambda_\ell$. Consequently, if each partition is binary, the code $C_\ell$ is a binary code.

Polar lattices are constructed by “Construction D” [26, p.232] using a set of nested polar codes $C_1 \subseteq C_2 \cdots \subseteq C_r$ [25]. Suppose $C_\ell$ has block length $N$ and the number of information bits $k_\ell$ for $1 \le \ell \le r$. Choose a basis $g_1, g_2, \cdots, g_N$ from the polar generator matrix $G_N$ such that $g_1, \cdots, g_{k_\ell}$ span $C_\ell$. When the dimension $n = 1$, the lattice $L$ admits the form [25]

$$L = \left\{ \sum_{\ell=1}^{r} 2^{\ell-1} \sum_{i=1}^{k_\ell} u_\ell^i g_i + 2^r \mathbb{Z}^N \;\middle|\; u_\ell^i \in \{0, 1\} \right\}, \tag{7}$$

where the addition is carried out in $\mathbb{R}^N$. The fundamental volume of a lattice obtained from this construction is given by

$$\mathrm{Vol}(L) = 2^{-N R_C} \cdot \mathrm{Vol}(\Lambda_r)^N,$$

where $R_C = \sum_{\ell=1}^{r} R_\ell = \frac{1}{N} \sum_{\ell=1}^{r} k_\ell$ denotes the sum rate of component codes. In this paper, we limit ourselves to the binary lattice partition chain and binary polar codes for simplicity.

Now we consider the construction of secrecy-good polar lattices over the mod-$\Lambda_s$ GWC shown in Fig. 2. The difference between the mod-$\Lambda_s$ GWC and the genuine GWC is the mod-$\Lambda_s$ operation on the received signal of Bob and Eve. With some abuse of notation, the outputs $Y^{[N]}$ and $Z^{[N]}$ at Bob and Eve’s ends respectively become

$$Y^{[N]} = [X^{[N]} + W_b^{[N]}] \bmod \Lambda_s, \qquad Z^{[N]} = [X^{[N]} + W_e^{[N]}] \bmod \Lambda_s.$$

Fig. 2. The mod-$\Lambda_s$ Gaussian wiretap channel. (Block diagram; labels: Alice, Encoder, AWGN, Mod $\Lambda_s$, Decoder, Bob, AWGN, Mod $\Lambda_s$, Eve.)

The idea of wiretap lattice coding over the mod-$\Lambda_s$ GWC [6] can be explained as follows. Let $\Lambda_b$ and $\Lambda_e$ be the AWGN-good lattice and secrecy-good lattice designed for Bob and Eve accordingly. Let $\Lambda_s \subset \Lambda_e \subset \Lambda_b$ be a nested chain of $N$-dimensional lattices in $\mathbb{R}^N$, where $\Lambda_s$ is the shaping lattice. Note that the shaping lattice $\Lambda_s$ here is employed primarily for the convenience of designing the secrecy-good lattice and secondarily for satisfying the power constraint. Consider a one-to-one mapping: $\mathcal{M} \to \Lambda_b/\Lambda_e$ which associates each message $m \in \mathcal{M}$ to a coset $\tilde{\lambda}_m \in \Lambda_b/\Lambda_e$. Alice selects a lattice point $\lambda \in \Lambda_e \cap \mathcal{V}(\Lambda_s)$ uniformly at random and transmits $X^{[N]} = \lambda + \lambda_m$, where $\lambda_m$ is the coset representative of $\tilde{\lambda}_m$ in $\mathcal{V}(\Lambda_e)$. This scheme has been proved to achieve both reliability and semantic security in [6] by random lattice codes. We will make it explicit by constructing polar lattice codes in this section.

Let $\Lambda_b$ and $\Lambda_e$ be constructed from a binary partition chain $\Lambda/\Lambda_1/\cdots/\Lambda_{r-1}/\Lambda_r$, and assume $\Lambda_s \subset \Lambda_r^N$ such that $\Lambda_s \subset \Lambda_r^N \subset \Lambda_e \subset \Lambda_b$³. Also, denote by $X_{1:r}^{[N]}$ the bits encoding $\Lambda^N/\Lambda_r^N$, which include all information bits for message $M$ as a subset. We have that $[X^{[N]} + W_e^{[N]}] \bmod \Lambda_r^N$ is a sufficient statistic for $X_{1:r}^{[N]}$. This can be seen from [25, Lemma 8], rewritten as follows:

Lemma 4 (Sufficiency of mod-$\Lambda$ output [25]): For a partition chain $\Lambda/\Lambda'$ ($\Lambda' \subset \Lambda$), let the input of an AWGN channel be $X = A + B$, where $A \in \mathcal{R}(\Lambda)$ is a random variable, and $B$ is uniformly distributed in $\Lambda \cap \mathcal{R}(\Lambda')$. Reduce the output $Y$ first to $Y' = Y \bmod \Lambda'$ and then to $Y'' = Y' \bmod \Lambda$. Then the mod-$\Lambda$ map is information-lossless, namely $I(A; Y') = I(A; Y'')$, which means that the output $Y'' = Y' \bmod \Lambda$ of the mod-$\Lambda$ map is a sufficient statistic for $A$.

³ This is always possible with sufficient power, since the power constraint is not our primary concern in this section.

In our context, we identify $\Lambda$ with $\Lambda_r^N$ and $\Lambda'$ with $\Lambda_s$, respectively. Since the bits encoding $\Lambda_r^N/\Lambda_s$ are uniformly distributed⁴, the mod-$\Lambda_r^N$ operation is information-lossless in the sense that

$$I(X_{1:r}^{[N]}; Z^{[N]}) = I(X_{1:r}^{[N]}; [X^{[N]} + W_e^{[N]}] \bmod \Lambda_r^N).$$

As far as mutual information $I(X_{1:r}^{[N]}; Z^{[N]})$ is concerned, we can use the mod-$\Lambda_r^N$ operator instead of the mod-$\Lambda_s$ operator here. Under this condition, similarly to the multilevel lattice structure introduced in [25], the mod-$\Lambda_s$ channel can be decomposed into a series of BMS channels according to the partition chain $\Lambda/\Lambda_1/\cdots/\Lambda_{r-1}/\Lambda_r$. Therefore, the already mentioned polar coding technique for BMS channels can be employed. Moreover, the channel resulted from the lattice partition chain can be proved to be equivalent to that based on the chain rule of mutual information. Following this channel equivalence, we can construct an AWGN-good lattice $\Lambda_b$ and a secrecy-good lattice $\Lambda_e$, using the wiretap coding technique (3) at each partition level.

A mod-$\Lambda$ channel is a Gaussian channel with a modulo-$\Lambda$ operator in the front end [25], [32]. The capacity of the mod-$\Lambda$ channel is [25]

$$C(\Lambda, \sigma^2) = \log(\mathrm{Vol}(\Lambda)) - h(\Lambda, \sigma^2), \tag{8}$$

where $h(\Lambda, \sigma^2)$ is the differential entropy of the $\Lambda$-aliased noise over $\mathcal{V}(\Lambda)$:

$$h(\Lambda, \sigma^2) = -\int_{\mathcal{V}(\Lambda)} f_{\sigma,\Lambda}(t) \log f_{\sigma,\Lambda}(t)\, dt.$$

The differential entropy is maximized to $\log(\mathrm{Vol}(\Lambda))$ by the uniform distribution over $\mathcal{V}(\Lambda)$. The $\Lambda_{\ell-1}/\Lambda_\ell$ channel is defined as a mod-$\Lambda_\ell$ channel whose input is drawn from $\Lambda_{\ell-1} \cap \mathcal{V}(\Lambda_\ell)$. It is known that the $\Lambda_{\ell-1}/\Lambda_\ell$ channel is symmetric⁵, and the optimum input distribution is uniform [25]. Furthermore, the $\Lambda_{\ell-1}/\Lambda_\ell$ channel is binary if $|\Lambda_{\ell-1}/\Lambda_\ell| = 2$. The capacity of the $\Lambda_{\ell-1}/\Lambda_\ell$ channel for Gaussian noise of variance $\sigma^2$ is given by [25]

$$C(\Lambda_{\ell-1}/\Lambda_\ell, \sigma^2) = C(\Lambda_\ell, \sigma^2) - C(\Lambda_{\ell-1}, \sigma^2) = h(\Lambda_{\ell-1}, \sigma^2) - h(\Lambda_\ell, \sigma^2) + \log(\mathrm{Vol}(\Lambda_\ell)/\mathrm{Vol}(\Lambda_{\ell-1})).$$
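An added numerical example, not from the paper, that evaluates the flatness factor of Section II-B and the capacity formula (8) on the one-dimensional chain Z/2Z/···/2^r Z, giving the per-level capacities seen by Bob and by Eve. The noise levels σ_b = 0.5 and σ_e = 1.0, the depth r = 4, the integration grid and all function names are assumptions made here.

```python
import math


def periodic_pdf(t, sigma, a):
    """f_{sigma,Lambda}(t) for Lambda = a*Z: the Gaussian density summed over lattice shifts.
    Shifts farther than 12 sigma from t contribute less than e^{-72} and are dropped."""
    k_lo = math.floor((t - 12 * sigma) / a)
    k_hi = math.ceil((t + 12 * sigma) / a)
    norm = 1.0 / (math.sqrt(2 * math.pi) * sigma)
    return norm * sum(math.exp(-(t - a * k) ** 2 / (2 * sigma ** 2))
                      for k in range(k_lo, k_hi + 1))


def flatness_by_definition(sigma, a, grid=2001):
    """max over [-a/2, a/2] of |Vol(Lambda) f(x) - 1|, on an odd grid that contains x = 0."""
    half = (grid - 1) // 2
    return max(abs(a * periodic_pdf(a * i / (grid - 1), sigma, a) - 1.0)
               for i in range(-half, half + 1))


def flatness_by_theta(sigma, a):
    """Flatness factor of a*Z from the theta-series formula with n = 1."""
    tau = 1.0 / (2 * math.pi * sigma ** 2)
    kmax = math.ceil(12 * sigma / a) + 1
    theta = sum(math.exp(-math.pi * tau * (a * k) ** 2) for k in range(-kmax, kmax + 1))
    vnr = a ** 2 / sigma ** 2                      # gamma_Lambda(sigma) = Vol^(2/n) / sigma^2
    return math.sqrt(vnr / (2 * math.pi)) * theta - 1.0


def mod_capacity(sigma, a, points=2048):
    """C(Lambda, sigma^2) = log2 Vol(Lambda) - h(Lambda, sigma^2) in bits, eq. (8).
    h is integrated over V(Lambda) = [-a/2, a/2) with the midpoint rule."""
    dt = a / points
    h = 0.0
    for i in range(points):
        f = periodic_pdf(-a / 2 + (i + 0.5) * dt, sigma, a)
        if f > 0.0:                                # f log f -> 0 where the density underflows
            h -= f * math.log2(f) * dt
    return math.log2(a) - h


def level_capacities(sigma, base, r):
    """Capacities of the binary Lambda_{l-1}/Lambda_l channels, l = 1..r,
    for the chain Lambda_l = base * 2^l * Z."""
    c = [mod_capacity(sigma, base * 2 ** l) for l in range(r + 1)]
    return [c[l] - c[l - 1] for l in range(1, r + 1)]


def secrecy_profile(sigma_b, sigma_e, base=1.0, r=4):
    """Per level: (l, capacity for Bob, capacity for Eve, difference)."""
    bob = level_capacities(sigma_b, base, r)
    eve = level_capacities(sigma_e, base, r)
    return [(l + 1, cb, ce, cb - ce) for l, (cb, ce) in enumerate(zip(bob, eve))]


if __name__ == "__main__":
    for a in (1.0, 2.0, 4.0):
        eps = flatness_by_theta(1.0, a)
        print("a=%g  eps=%.3e  C(aZ, 1.0)=%.3e  log2(1+eps)=%.3e"
              % (a, eps, mod_capacity(1.0, a), math.log2(1 + eps)))
    for l, cb, ce, diff in secrecy_profile(0.5, 1.0):
        print("level %d: Bob %.4f  Eve %.4f  difference %.4f bits" % (l, cb, ce, diff))
```

Because Vol(Λ) f ≤ 1 + ε pointwise, C(Λ, σ²) ≤ log(1 + ε_Λ(σ)), so a lattice whose flatness factor is small at Eve's noise level carries almost no information through the mod-Λ channel. With the top lattice nearly flat and negligible aliasing at the bottom lattice, the level differences sum to about log(σ_e/σ_b).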

The decomposition into a set of $\Lambda_{\ell-1}/\Lambda_\ell$ channels is used in [25] to construct AWGN-good lattices. Take the partition chain $\mathbb{Z}/2\mathbb{Z}/\cdots/2^r\mathbb{Z}$ as an example. Given uniform input $X_{1:r}$, let $K_\ell$ denote the coset indexed by $x_{1:\ell}$, i.e., $K_\ell = x_1 + \cdots + 2^{\ell-1} x_\ell + 2^\ell \mathbb{Z}$. The conditional probability distribution function (PDF) of this channel with binary input $X_\ell$ and output $\bar{Z} = Z \bmod \Lambda_\ell$ is

$$f_{\bar{Z}|X_\ell}(\bar{z}|x_\ell) = \frac{1}{\sqrt{2\pi}\sigma_e} \sum_{a\in K_\ell(x_{1:\ell})} \exp\left(-\frac{1}{2\sigma_e^2} \|\bar{z} - a\|^2\right). \tag{9}$$

⁴ In fact, all bits encoding $\Lambda_e/\Lambda_s$ are uniformly distributed in wiretap coding.

⁵ This is “regular” in the sense of Delsarte and Piret and symmetric in the sense of Gallager [25].

Since the previous input bits $x_{1:\ell-1}$ cause a shift on $K_\ell$ and will be removed by the multistage decoder at level $\ell$, the code can be designed according to the channel transition probability (9) with $x_{1:\ell-1} = 0$. Following the notation of [25], we use $V(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2)$ and $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ to denote the $\Lambda_{\ell-1}/\Lambda_\ell$ channel for Bob and Eve respectively. The $\Lambda_{\ell-1}/\Lambda_\ell$ channel can also be used to construct secrecy-good lattices. In order to bound the information leakage of the wiretapper’s channel, we firstly express $I(X_{1:r}; Z)$ according to the chain rule of mutual information as

$$I(X_{1:r}; Z) = I(X_1; Z) + I(X_2; Z|X_1) + \cdots + I(X_r; Z|X_{1:r-1}). \tag{10}$$

This equation still holds if $Z$ denotes the noisy signal after the mod-$\Lambda_r$ operation, namely, $Z = [X + W_e] \bmod \Lambda_r$. We will adopt this notation in the rest of this subsection. We refer to the $\ell$-th channel associated with mutual information $I(X_\ell; Z|X_{1:\ell-1})$ as the equivalent channel denoted by $W'(X_\ell; Z|X_{1:\ell-1})$, which is defined as the channel from $X_\ell$ to $Z$ given the previous $X_{1:\ell-1}$. Then the transition probability distribution of $W'(X_\ell; Z|X_{1:\ell-1})$ is [25, Lemma 6]

$$f_{Z|X_\ell}(z|x_\ell) = \frac{1}{\Pr(K_\ell(x_{1:\ell}))} \sum_{a\in K_\ell(x_{1:\ell})} \Pr(a) f_Z(z|a) = \frac{1}{|\Lambda_\ell/\Lambda_r|} \frac{1}{\sqrt{2\pi}\sigma_e} \sum_{a\in K_\ell(x_{1:\ell})} \exp\left(-\frac{1}{2\sigma_e^2} \|z - a\|^2\right), \quad z \in \mathcal{V}(\Lambda_r). \tag{11}$$

From (9) and (11), we can observe that the channel output likelihood ratio (LR) of the W (Λℓ−1 /Λℓ , σe2 ) channel is equal to that of the ℓ-th equivalent channel W ′ (Xℓ ; Z|X1:ℓ−1 ). Then we have the following channel equivalence lemma. Lemma 5: Consider a lattice L constructed by a binary lattice partition chain Λ/Λ1 / · · · /Λr−1 /Λr . Constructing a

polar code for the ℓ-th equivalent binary-input channel W ′ (Xℓ ; Z|X1:ℓ−1 ) defined by the chain rule (10) is equivalent to constructing a polar code for the Λℓ−1 /Λℓ channel W (Λℓ−1 /Λℓ , σe2 ). Proof: See Appendix C. Note that another proof based on direct calculation of the mutual information and Bhattacharyya parameters of the subchannels can be found in [33]. Remark 1: Observe that if we define V ′ (Xℓ ; Y|X1:ℓ−1 ) as the equivalent channel according to the chain rule expansion of I(X; Y) for the main channel, the same result can be obtained between V (Λℓ−1 /Λℓ , σb2 ) and V ′ (Xℓ ; Y|X1:ℓ−1 ). Moreover, this lemma also holds without the mod-Λs front-end, i.e., without power constraint. The construction of AWGN-good polar lattices was given in [13], where nested polar codes were constructed based on a set of Λℓ−1 /Λℓ channels. We note that the Λℓ−1 /Λℓ channel is degraded with respect to the Λℓ /Λℓ+1 channel [13, Lemma 3]. Now it is ready to introduce the polar lattice construction for the mod-Λs GWC shown in Fig. 3. A polar lattice L is constructed by a series of nested polar codes C1 (N, k1 ) ⊆ C2 (N, k2 ) ⊆ · · · ⊆ Cr (N, kr ) and a binary lattice partition chain Λ/Λ1 / · · · /Λr . The block length of polar codes is N . Alice splits the message M into M1 , · · ·, Mr . We follow the same rule (5) to assign bits in the component polar codes to achieve strong secrecy. Note that W (Λℓ−1 /Λℓ , σe2 ) is degraded with respect to V (Λℓ−1 /Λℓ , σb2 ) for 1 ≤ ℓ ≤ r because σb2 ≤ σe2 . Treating

V (Λℓ−1 /Λℓ , σb2 ) and W (Λℓ−1 /Λℓ , σe2 ) as the main channel and wiretapper’s channel at each level and using the

March 10, 2015

DRAFT

13

#" ! "

M"

"

"

 M "

#"$ !  €  % € 

"

()*+€ !

5" 6" $" &  4 %" '

2 ! ()*+€"

-.+*/0)*/1

 ! # "

/ ,"  !

Mapping

M

5

 M

6

# !

()*+€

-.+*/0)*/1



,#

!

 €

&€ ! '

()*+€ !

$an%&' (i)*

+#i,"

Fig. 3.

 ! #

(&0

$ & 4 % '

3 !

-."

!ann"#

The multilevel lattice coding system over the mod-Λs Gaussian wiretap channel.

partition rule (4), we can get four sets $\mathcal{A}_\ell$, $\mathcal{B}_\ell$, $\mathcal{C}_\ell$ and $\mathcal{D}_\ell$. Similarly, we assign the bits as follows

$$\mathcal{A}_\ell \leftarrow \mathsf{M}_\ell, \quad \mathcal{B}_\ell \leftarrow \mathsf{R}_\ell, \quad \mathcal{C}_\ell \leftarrow \mathsf{F}_\ell, \quad \mathcal{D}_\ell \leftarrow \mathsf{R}_\ell \tag{12}$$

for each level $\ell$, where $\mathsf{M}_\ell$, $\mathsf{F}_\ell$ and $\mathsf{R}_\ell$ represent message bits, frozen bits (could be set as all zeros) and random bits at level $\ell$. Since the $\Lambda_{\ell-1}/\Lambda_\ell$ channel is degraded with respect to the $\Lambda_\ell/\Lambda_{\ell+1}$ channel, it is easy to obtain that $\mathcal{C}_\ell \supseteq \mathcal{C}_{\ell+1}$, which means $\mathcal{A}_\ell \cup \mathcal{B}_\ell \cup \mathcal{D}_\ell \subseteq \mathcal{A}_{\ell+1} \cup \mathcal{B}_{\ell+1} \cup \mathcal{D}_{\ell+1}$. This construction is clearly a lattice construction as polar codes constructed on each level are nested. We skip the proof of nested polar codes here. A similar proof can be found in [12].

Interestingly, the above multilevel construction yields an AWGN-good lattice $\Lambda_b$ and a secrecy-good lattice $\Lambda_e$ simultaneously$^{6}$. More precisely, $\Lambda_b$ is constructed from a set of nested polar codes $C_1(N, |\mathcal{A}_1| + |\mathcal{B}_1| + |\mathcal{D}_1|) \subseteq \cdots \subseteq C_r(N, |\mathcal{A}_r| + |\mathcal{B}_r| + |\mathcal{D}_r|)$, while $\Lambda_e$ is constructed from a set of nested polar codes $C_1(N, |\mathcal{B}_1| + |\mathcal{D}_1|) \subseteq \cdots \subseteq C_r(N, |\mathcal{B}_r| + |\mathcal{D}_r|)$ and with the same lattice partition chain. More details about the AWGN-goodness of $\Lambda_b$ are given in the next subsection. It is clear that $\Lambda_e \subset \Lambda_b$. Thus, our proposed coding scheme instantiates the coset coding scheme introduced in [6], where the confidential message is mapped to the coset $\tilde{\lambda}_m \in \Lambda_b/\Lambda_e$.

$^{6}$ In this paper, a sequence of lattices $\Lambda_e$ of increasing dimension is called secrecy-good if they achieve the strong secrecy capacity asymptotically. Note that this definition is different from that in [6], which is based on the flatness factor.

By using the above assignments and Lemma 2, we have

$$I(\mathsf{M}_\ell; \mathsf{Z}_\ell^{[N]}) \le N 2^{-N^{\beta'}}, \tag{13}$$

where $\mathsf{Z}_\ell^{[N]} = \mathsf{Z}^{[N]} \bmod \Lambda_\ell$. In other words, the employed polar code for the channel $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ can guarantee that the mutual information between the input message and the output is upper bounded by $N 2^{-N^{\beta'}}$. According to Lemma 5, this polar code can also guarantee the same upper bound on the mutual information between the input message and the output of the channel $W'(\mathsf{X}_\ell; \mathsf{Z} | \mathsf{X}_{1:\ell-1})$ as shown in the following inequality ($\mathsf{X}_\ell$ is independent of the previous $\mathsf{X}_{1:\ell-1}$):

$$I(\mathsf{M}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \le N 2^{-N^{\beta'}}.$$

Recall $\mathsf{Z}^{[N]}$ is the signal received by Eve after the mod-$\Lambda_r$ operation. From the chain rule of mutual information,

$$\begin{aligned}
I(\mathsf{M}; \mathsf{Z}^{[N]}) &= \sum_{\ell=1}^{r} I(\mathsf{Z}^{[N]}; \mathsf{M}_\ell | \mathsf{M}_{1:\ell-1}) \\
&= \sum_{\ell=1}^{r} H(\mathsf{M}_\ell | \mathsf{M}_{1:\ell-1}) - H(\mathsf{M}_\ell | \mathsf{Z}^{[N]}, \mathsf{M}_{1:\ell-1}) \\
&\le \sum_{\ell=1}^{r} H(\mathsf{M}_\ell) - H(\mathsf{M}_\ell | \mathsf{Z}^{[N]}, \mathsf{M}_{1:\ell-1}) \\
&= \sum_{\ell=1}^{r} I(\mathsf{M}_\ell; \mathsf{Z}^{[N]}, \mathsf{M}_{1:\ell-1}) \\
&\le \sum_{\ell=1}^{r} I(\mathsf{M}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \le rN 2^{-N^{\beta'}},
\end{aligned} \tag{14}$$

where the last inequality holds because $I(\mathsf{M}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) = I(\mathsf{M}_\ell; \mathsf{Z}^{[N]}, \mathsf{U}_{1:\ell-1}^{[N]})$ and adding more variables will not decrease the mutual information. Therefore strong secrecy is achieved since $\lim_{N \to \infty} I(\mathsf{M}; \mathsf{Z}^{[N]}) = 0$.

Remark 2: Note that the above analysis actually implies semantic security, i.e., (14) holds for arbitrarily distributed $\mathsf{M}$. This is because of the symmetric nature of the $\Lambda_b/\Lambda_e$ channel [25]. Since the message $\mathsf{M}$ is drawn from $\mathcal{R}(\Lambda_e)$ and the random bits are drawn from $\Lambda_e \cap \mathcal{R}(\Lambda_s)$, by Lemma 4, the mod-$\Lambda_e$ map is information lossless and its output is a sufficient statistic for $\mathsf{M}$. In this sense, the channel between the confidential message and the eavesdropper's signal can be viewed as a $\Lambda_b/\Lambda_e$ channel. Since the $\Lambda_b/\Lambda_e$ channel is symmetric, the maximum mutual information is achieved by the uniform input. Consequently, the mutual information corresponding to other input distributions can also be upper bounded by $rN 2^{-N^{\beta'}}$ in (14). It is worth mentioning that this $\Lambda_b/\Lambda_e$ channel can be seen as the counterpart in lattice coding of the randomness-induced channel defined in [8].

Theorem 2 (Achieving secrecy capacity of the mod-$\Lambda_s$ GWC): Consider a polar lattice $L$ constructed according to (12) with the binary lattice partition chain $\Lambda/\Lambda_1/\cdots/\Lambda_r$ and $r$ binary nested polar codes with block length $N$. Scale $\Lambda$ and $r$ to satisfy the following conditions:

(i) $h(\Lambda, \sigma_b^2) \to \log(\mathrm{Vol}(\Lambda))$,

(ii) $h(\Lambda_r, \sigma_e^2) \to \frac{1}{2} \log(2\pi e \sigma_e^2)$.

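Given $\sigma_e^2 > \sigma_b^2$, all strong secrecy rates $R$ satisfying $R$
$\sigma_b^2$, we also have $h(\Lambda, \sigma_e^2) \to \log(V(\Lambda))$ and thus $\epsilon_1 \approx 0$. The number of levels is also increased until $h(\Lambda_r, \sigma_e^2) \approx \frac{1}{2} \log(2\pi e \sigma_e^2)$, hence $h(\Lambda_r, \sigma_b^2) \approx \frac{1}{2} \log(2\pi e \sigma_b^2)$, such that both $\epsilon_b$ and $\epsilon_e$ are almost 0. Therefore by scaling $\Lambda_1$ and adjusting $r$, the secrecy rate can get arbitrarily close to $\frac{1}{2} \log \frac{\sigma_e^2}{\sigma_b^2}$.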

Remark 3: The secrecy capacity of the mod-$\Lambda_s$ Gaussian wiretap channel per use is given by

$$C_s = \frac{1}{N} C(\Lambda_s, \sigma_b^2) - \frac{1}{N} C(\Lambda_s, \sigma_e^2) = \frac{1}{N} h(\Lambda_s, \sigma_e^2) - \frac{1}{N} h(\Lambda_s, \sigma_b^2)$$

since the wiretapper's channel is degraded with respect to the main channel. Because $h(\Lambda_r, \sigma_e^2) \to \frac{1}{2} \log(2\pi e \sigma_e^2)$ and $\Lambda_s \subset \Lambda_r^N$, we have $\frac{1}{N} h(\Lambda_s, \sigma_e^2) \to \frac{1}{2} \log(2\pi e \sigma_e^2)$ and $\frac{1}{N} h(\Lambda_s, \sigma_b^2) \to \frac{1}{2} \log(2\pi e \sigma_b^2)$. Hence $C_s \to \frac{1}{2} \log \frac{\sigma_e^2}{\sigma_b^2}$. It also equals the secrecy capacity of the Gaussian wiretap channel when the signal power goes to infinity. It is noteworthy that we successfully remove the $\frac{1}{2}$-nat gap in the achievable secrecy rate derived in [6] which is caused by the limitation of the $L^\infty$ distance associated with the flatness factor.

Remark 4: We note that conditions (i) and (ii) in the theorem are just mild ones. When $\sigma_e^2 = 4$ and $\sigma_b^2 = 1$, the gap from $\frac{1}{2} \log \frac{\sigma_e^2}{\sigma_b^2}$ is only 0.05 when we choose $r = 3$ and partition chain $\eta(\mathbb{Z}/2\mathbb{Z}/4\mathbb{Z})$ with scaling factor $\eta = 2.5$.

Remark 5: From conditions (i) and (ii), we can see that the construction for secrecy-good lattices requires more levels than the construction of AWGN-good lattices. $\epsilon_1$ can be made arbitrarily small by scaling down $\Lambda$ such that both $h(\Lambda, \sigma_e^2)$ and $h(\Lambda, \sigma_b^2)$ are sufficiently close to $\log V(\Lambda)$. In polar lattices for AWGN-goodness [12], we only need $h(\Lambda_{r'}, \sigma_b^2) \approx \frac{1}{2} \log(2\pi e \sigma_b^2)$ for some $r' < r$. Since $\epsilon_b < \epsilon_e$, $\Lambda_{r'}$ may be not enough for the wiretapper's channel. Therefore, more levels are needed in the wiretap coding context. To satisfy the condition $h(\Lambda_r, \sigma_e^2) \to \frac{1}{2} \log(2\pi e \sigma_e^2)$, it is sufficient to guarantee that $P_e(\Lambda_r, \sigma_e^2) \to 0$ by [25, Theorem 13]. When the one-dimensional binary partition $\mathbb{Z}/2\mathbb{Z}/4\mathbb{Z}/\cdots$ is used, we have $P_e(\Lambda_r, \sigma_e^2) \le Q\left(\frac{2^r}{2\sigma_e}\right) \le e^{-\frac{2^{2r}}{8\sigma_e^2}}$, where $Q(\cdot)$ is the Q-function. Letting $r = O(\log N)$, the error probability vanishes as $P_e(\Lambda_r, \sigma_e^2) = e^{-O(N)}$, which implies that $h(\Lambda_r, \sigma_e^2) \to \frac{1}{2} \log(2\pi e \sigma_e^2)$ as $N \to \infty$.

D. Reliability

In the original polar coding scheme for the binary wiretap channel [8], how to assign set $\mathcal{D}$ is a problem. Assigning frozen bits to $\mathcal{D}$ guarantees reliability but only achieves weak secrecy, whereas assigning random bits to $\mathcal{D}$ guarantees strong secrecy but may violate the reliability requirement because $\mathcal{D}$ may be nonempty. In order to ensure strong secrecy, $\mathcal{D}$ is assigned with random bits ($\mathcal{D} \leftarrow \mathsf{R}$), which makes this scheme fail to accomplish the theoretical reliability. For any $\ell$-th level channel $V(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2)$ at Bob's end, the probability of error is upper bounded by the sum of the Bhattacharyya parameters $\tilde{Z}(V_N^{(j)}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2))$ of subchannels that are not frozen to zero. For each bit-channel index $j$ and $\beta < 0.5$, we have $j \in \mathcal{G}(V(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2)) \cup \mathcal{D}_\ell$. By the definition (3), the sum of $\tilde{Z}(V_N^{(j)}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2))$ over the set $\mathcal{G}(V(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2))$ is bounded by $2^{-N^{\beta}}$, therefore the error probability of the $\ell$-th level channel under the SC decoding, denoted by $P_e^{SC}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2)$, can be upper bounded by

$$P_e^{SC}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2) \le N 2^{-N^{\beta}} + \sum_{j \in \mathcal{D}_\ell} \tilde{Z}(V_N^{(j)}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2)).$$

Since multistage decoding is utilized, by the union bound, the final decoding error probability for Bob is bounded as

$$\Pr\{\hat{\mathsf{M}} \ne \mathsf{M}\} \le \sum_{\ell=1}^{r} P_e^{SC}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2).$$

Unfortunately, a proof that this scheme satisfies the reliability condition cannot be attained here because the bound of the sum $\sum_{j \in \mathcal{D}_\ell} \tilde{Z}(V_N^{(j)}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2))$ is not known. Note that significantly low probabilities of error can still be achieved in practice since the size of $\mathcal{D}_\ell$ is very small for sufficiently large $N$.
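The partition behind assignment (12) and the level-wise error bound above can be traced numerically on a toy channel pair. This is an added example, not code from the paper: binary erasure channels stand in for the Λℓ−1/Λℓ channels because their Bhattacharyya recursion is exact, rule (4) is assumed to be A = G∩N, B = G∩N^c, C = G^c∩N, D = G^c∩N^c, and the function names, erasure probabilities, N = 1024 and β = 0.3 are all assumptions.

```python
def bec_bhattacharyya(n_levels, erasure):
    """Bhattacharyya parameters of the N = 2**n_levels sub-channels of a BEC.

    For an erasure channel the polar recursion is exact:
    Z(W-) = 2Z - Z^2 and Z(W+) = Z^2.
    """
    z = [erasure]
    for _ in range(n_levels):
        z = [v for zi in z for v in (2 * zi - zi * zi, zi * zi)]
    return z


def wiretap_partition(n_levels=10, eps_bob=0.2, eps_eve=0.6, beta=0.3):
    """Split [N] into A, B, C, D and evaluate the terms of the SC error bound.

    Toy stand-in (assumption): Bob sees BEC(eps_bob), Eve sees BEC(eps_eve),
    with eps_eve > eps_bob so that Eve's channel is degraded.
    """
    N = 2 ** n_levels
    delta = 2.0 ** (-(N ** beta))                           # threshold 2^{-N^beta}
    z_bob = bec_bhattacharyya(n_levels, eps_bob)
    z_eve = bec_bhattacharyya(n_levels, eps_eve)
    good = {i for i in range(N) if z_bob[i] <= delta}       # G(V): reliable for Bob
    poor = {i for i in range(N) if z_eve[i] >= 1 - delta}   # N(W): information-bad for Eve
    everything = set(range(N))
    sets = {
        "A": good & poor,                # message bits M
        "B": good - poor,                # random bits R
        "C": poor - good,                # frozen bits F
        "D": everything - good - poor,   # random bits R, not reliable for Bob
    }
    return {
        "N": N,
        "delta": delta,
        "sets": sets,
        "secrecy_rate": len(sets["A"]) / N,
        "secrecy_capacity": eps_eve - eps_bob,   # C(V) - C(W) for the two BECs
        # Sub-channels not frozen are G(V) = A u B together with D.
        "bound_good": sum(z_bob[i] for i in good),
        "bound_D": sum(z_bob[i] for i in sets["D"]),
    }


def frozen_sets_nested(levels, n_levels=10, beta=0.3):
    """True if C_1 >= C_2 >= ... for (eps_bob, eps_eve) pairs that improve per level."""
    frozen = [wiretap_partition(n_levels, b, e, beta)["sets"]["C"] for b, e in levels]
    return all(nxt <= cur for cur, nxt in zip(frozen, frozen[1:]))


if __name__ == "__main__":
    res = wiretap_partition()
    print({name: len(s) for name, s in res["sets"].items()})
    print("rate |A|/N =", res["secrecy_rate"], "target =", res["secrecy_capacity"])
    print("sum over G =", res["bound_good"], "sum over D =", res["bound_D"])
    print("nested frozen sets:", frozen_sets_nested([(0.2, 0.6), (0.1, 0.5)]))
```

The sum over G is controlled by the threshold, while the sum over D is exactly the term for which the text has no bound; the script prints both so they can be compared as N grows.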

The reliability problem was recently solved in [9], where a new scheme dividing the information message into several blocks was proposed. For a specific block, $\mathcal{D}_\ell$ is still assigned with random bits and transmitted in advance in the set $\mathcal{A}_\ell$ of the previous block. This scheme involves negligible rate loss and finally realizes reliability and strong security simultaneously. In this case, if the reliability of each partition channel can be achieved, i.e., for any $\ell$-th level partition $\Lambda_{\ell-1}/\Lambda_\ell$, $P_e^{SC}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2)$ vanishes as $N \to \infty$, then the total decoding error probability for Bob can be made arbitrarily small. Consequently, based on this new scheme of assigning the problematic set, the error probability on level $\ell$ can be upper bounded by

$$P_e^{SC}(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2) \le \epsilon_{N'}^{\ell} + k_\ell \cdot O(2^{-N'^{\beta}}), \tag{15}$$

where $k_\ell$ is the number of information blocks on the $\ell$-th level, $N'$ is the length of each block which satisfies $N' \times k_\ell = N$ and $\epsilon_{N'}^{\ell}$ is caused by the first separate block on the $\ell$-th level consisting of the initial bits in $\mathcal{D}_\ell$. Since $|\mathcal{D}_\ell|$ is extremely small compared to the block length $N$, the decoding failure probability for the first block can be made arbitrarily small when $N$ is sufficiently large. Meanwhile, by the analysis in [13], when $h(\Lambda, \sigma_b^2) \to \log(V(\Lambda))$, $h(\Lambda_r, \sigma_b^2) \to \frac{1}{2} \log(2\pi e \sigma_b^2)$, and $R_C \to C(\Lambda/\Lambda_r, \sigma_b^2)$, we have $\gamma_{\Lambda_b}(\sigma_b) \to 2\pi e$. Therefore, $\Lambda_b$ is an AWGN-good lattice$^{7}$.

Note that the rate loss incurred by repeatedly transmitted bits in $\mathcal{D}_\ell$ is negligible because of its small size. Specifically, the actual secrecy rate in the $\ell$-th level is given by $\frac{k_\ell}{k_\ell+1} [C(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_b^2) - C(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)]$. Clearly, this rate can be made close to the secrecy capacity by choosing sufficiently large $k_\ell$ as well.

$^{7}$ More precisely, to make $\Lambda_b$ AWGN-good, we need $P_e(\Lambda_b, \sigma_b^2) \to 0$ by definition. By [13, Theorem 2], $P_e(\Lambda_b, \sigma_b^2) \le rN 2^{-N^{\beta}} + N \cdot P_e(\Lambda_r, \sigma_b^2)$. According to the analysis in Remark 5, $r = O(\log N)$ is sufficient to guarantee $P_e(\Lambda_r, \sigma_b^2) = e^{-O(N)}$, meaning that a sub-exponentially vanishing $P_e(\Lambda_b, \sigma_b^2)$ can be achieved.

IV. SECRECY-GOOD POLAR LATTICES WITH DISCRETE GAUSSIAN SHAPING

In this section, we apply Gaussian shaping on the AWGN-good and secrecy-good polar lattices. The idea of lattice Gaussian shaping was proposed in [28] and then implemented in [13] to construct capacity-achieving polar lattices. For wiretap coding, the discrete Gaussian distribution can also be utilized to satisfy the power constraint. In simple terms, after obtaining the AWGN-good lattice $\Lambda_b$ and the secrecy-good lattice $\Lambda_e$, Alice still maps each message $m$ to a coset $\tilde{\lambda}_m \in \Lambda_b/\Lambda_e$ as mentioned in Sect. III. However, instead of the mod-$\Lambda_s$ operation, Alice samples the encoded signal $\mathsf{X}^N$ from $D_{\Lambda_e + \lambda_m, \sigma_s}$, where $\lambda_m$ is the coset representative of $\tilde{\lambda}_m$ and $\sigma_s^2$ is arbitrarily close to the signal power $P_s$ (see [6] for more details). Based on the lattice Gaussian shaping, we will propose a new partition for the genuine GWC. We will also show that this shaping operation does not hurt the secrecy rate and that the proposed scheme is semantically secure.

A. Gaussian shaping over polar lattices

As shown in [13], the shaping scheme is based on the technique of polar codes for asymmetric channels. For the paper to be self-contained, a brief review will be presented in this subsection. A more detailed explanation of this Gaussian shaping technique can be found in [13].

Similarly to the polar coding on symmetric channels, the Bhattacharyya parameter for a binary memoryless asymmetric (BMA) channel is defined as follows.

Definition 3 (Bhattacharyya parameter for BMA channel): Let $W$ be a BMA channel with input $\mathsf{X} \in \mathcal{X} = \{0, 1\}$ and output $\mathsf{Y} \in \mathcal{Y}$. The input distribution and channel transition probability are denoted by $P_{\mathsf{X}}$ and $P_{\mathsf{Y}|\mathsf{X}}$ respectively. The Bhattacharyya parameter $Z$ for $W$ is defined as

$$Z(\mathsf{X}|\mathsf{Y}) = 2 \sum_{y} P_{\mathsf{Y}}(y) \sqrt{P_{\mathsf{X}|\mathsf{Y}}(0|y) P_{\mathsf{X}|\mathsf{Y}}(1|y)} = 2 \sum_{y} \sqrt{P_{\mathsf{X},\mathsf{Y}}(0, y) P_{\mathsf{X},\mathsf{Y}}(1, y)}.$$

The following lemma, which will be useful for the forthcoming new partition scheme, shows that by adding an observable at the output of $W$, $Z$ will not increase.

Lemma 6 (Conditioning reduces Bhattacharyya parameter $Z$ [13]): Let $(\mathsf{X}, \mathsf{Y}, \mathsf{Y}') \sim P_{\mathsf{X},\mathsf{Y},\mathsf{Y}'}$, $\mathsf{X} \in \mathcal{X} = \{0, 1\}$, $\mathsf{Y} \in \mathcal{Y}$, $\mathsf{Y}' \in \mathcal{Y}'$, we have

$$Z(\mathsf{X}|\mathsf{Y}, \mathsf{Y}') \le Z(\mathsf{X}|\mathsf{Y}).$$

When $\mathsf{X}$ is uniformly distributed, the Bhattacharyya parameter of BMA channels coincides with that of BMS channels defined in Definition 2. Moreover, the calculation of $Z$ can be converted to the calculation of the Bhattacharyya parameter $\tilde{Z}$ for a related BMS channel. The following lemma is implicitly considered in [34] and then explicitly expressed in [13]. We show it here for completeness.

Lemma 7 (From Asymmetric to Symmetric channel [13]): Let $\tilde{W}$ be a binary input channel corresponding to the asymmetric channel $W$ with input $\tilde{\mathsf{X}} \in \mathcal{X} = \{0, 1\}$ and output $\tilde{\mathsf{Y}} \in \{\mathcal{Y}, \mathcal{X}\}$. The input of $\tilde{W}$ is uniformly distributed, i.e., $P_{\tilde{\mathsf{X}}}(\tilde{x} = 0) = P_{\tilde{\mathsf{X}}}(\tilde{x} = 1) = \frac{1}{2}$. The relationship between $\tilde{W}$ and $W$ is shown in Fig. 4. Then $\tilde{W}$ is a binary symmetric channel in the sense that $P_{\tilde{\mathsf{Y}}|\tilde{\mathsf{X}}}(y, x \oplus \tilde{x} | \tilde{x}) = P_{\mathsf{Y},\mathsf{X}}(y, x)$.

Fig. 4. The relationship between $\tilde{W}$ and $W$.

The following lemma describes how to construct a polar code for a BMA channel $W$ from that for the associated BMS channel $\tilde{W}$.

Lemma 8 (The equivalence between symmetric and asymmetric Bhattacharyya parameters [34]): For a BMA channel $W$ with input $\mathsf{X} \sim P_{\mathsf{X}}$, let $\tilde{W}$ be its symmetrized channel constructed according to Lemma 7. Suppose $\mathsf{X}^{[N]}$ and $\mathsf{Y}^{[N]}$ be the input and output vectors of $W^N$, and let $\tilde{\mathsf{X}}^{[N]}$ and $\tilde{\mathsf{Y}}^{[N]} = (\mathsf{X}^{[N]} \oplus \tilde{\mathsf{X}}^{[N]}, \mathsf{Y}^{[N]})$ be the input and output vectors of $\tilde{W}^N$. Consider polarized random variables $\mathsf{U}^{[N]} = \mathsf{X}^{[N]} G_N$ and $\tilde{\mathsf{U}}^{[N]} = \tilde{\mathsf{X}}^{[N]} G_N$, and denote by $W_N$ and $\tilde{W}_N$ the combining channel of $N$ uses of $W$ and $\tilde{W}$, respectively. The Bhattacharyya parameter for each subchannel of $W_N$ is equal to that of each subchannel of $\tilde{W}_N$, i.e.,

$$Z(\mathsf{U}^i | \mathsf{U}^{1:i-1}, \mathsf{Y}^{[N]}) = \tilde{Z}(\tilde{\mathsf{U}}^i | \tilde{\mathsf{U}}^{1:i-1}, \mathsf{X}^{[N]} \oplus \tilde{\mathsf{X}}^{[N]}, \mathsf{Y}^{[N]}).$$

To obtain the desired input distribution of $P_{\mathsf{X}}$ for $W$, the indices with very small $Z(\mathsf{U}^i | \mathsf{U}^{1:i-1})$ should be removed from the information set of the symmetric channel. Following [13], the resultant subset is referred to as the information set $\mathcal{I}$ for the asymmetric channel $W$. For the remaining part $\mathcal{I}^c$, we further find out that there are some bits which can be made independent of the information bits and uniformly distributed. The purpose of extracting such bits is for the interest of our lattice construction. We name the set that includes those independent frozen bits as the independent frozen set $\mathcal{F}$, and the remaining frozen bits are determined by the bits in $\mathcal{F} \cup \mathcal{I}$. We name the set of all those deterministic bits as the shaping set $\mathcal{S}$. The three sets are formally defined as follows:

$$\begin{cases}
\text{the independent frozen set: } \mathcal{F} = \{i \in [N] : Z(\mathsf{U}^i | \mathsf{U}^{1:i-1}, \mathsf{Y}^{[N]}) \ge 1 - 2^{-N^{\beta}}\} \\
\text{the information set: } \mathcal{I} = \{i \in [N] : Z(\mathsf{U}^i | \mathsf{U}^{1:i-1}, \mathsf{Y}^{[N]}) \le 2^{-N^{\beta}} \text{ and } Z(\mathsf{U}^i | \mathsf{U}^{1:i-1}) \ge 1 - 2^{-N^{\beta}}\} \\
\text{the shaping set: } \mathcal{S} = (\mathcal{F} \cup \mathcal{I})^c.
\end{cases} \tag{16}$$

To find these three sets, one can use Lemma 8 to calculate $Z(\mathsf{U}^i | \mathsf{U}^{1:i-1}, \mathsf{Y}^{[N]}, \mathsf{X}^{[N]})$ using the known constructing techniques for symmetric polar codes [31] [35]. We note that $Z(\mathsf{U}^i | \mathsf{U}^{1:i-1})$ can be computed in a similar way, by constructing a symmetric channel between $\tilde{\mathsf{X}}$ and $\mathsf{X} \oplus \tilde{\mathsf{X}}$. Besides the construction, the decoding process for the asymmetric polar codes can also be converted to the decoding for the symmetric polar codes.

The polar coding scheme according to (16), which can be viewed as an extension of the scheme proposed in [34], has been proved to be capacity-achieving in [13]. Moreover, it can be extended to the construction of multilevel asymmetric polar codes. For the sake of brevity, we skip the detailed analysis which can be found in [13] and show the following summary on the multilevel asymmetric polar codes.

Theorem 3 (Coding theorem for multilevel polar codes [13]): Consider a polar code with the following encoding and decoding strategies for the channel of the $\ell$-th ($\ell \le r$) level $W_\ell$ with the channel transition probability $P_{\mathsf{Y}|\mathsf{X}_\ell, \mathsf{X}_{1:\ell-1}}(y | x_\ell, x_{1:\ell-1})$.

• Encoding: Before sending the codeword $x_\ell^{[N]} = u_\ell^{[N]} G_N$, the index set $[N]$ is divided into three parts: the independent frozen set $\mathcal{F}_\ell$, information set $\mathcal{I}_\ell$, and shaping set $\mathcal{S}_\ell$, which are defined as follows:

$$\begin{cases}
\mathcal{F}_\ell = \{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Y}^{[N]}) \ge 1 - 2^{-N^{\beta}}\} \\
\mathcal{I}_\ell = \{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Y}^{[N]}) \le 2^{-N^{\beta}} \text{ and } Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}) \ge 1 - 2^{-N^{\beta}}\} \\
\mathcal{S}_\ell = (\mathcal{F}_\ell \cup \mathcal{I}_\ell)^c.
\end{cases}$$

The encoder first places uniformly distributed information bits in $\mathcal{I}_\ell$. Then the frozen set $\mathcal{F}_\ell$ is filled with a uniform random sequence which is shared between the encoder and the decoder. The bits in $\mathcal{S}_\ell$ are generated by a mapping $\phi_{\mathcal{S}_\ell} \triangleq \{\phi_i\}_{i \in \mathcal{S}_\ell}$ from a family of randomized mappings $\Phi_{\mathcal{S}_\ell}$, which yields the following distribution:

$$u_\ell^i = \begin{cases}
0 & \text{with probability } P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}}(0 | u_\ell^{1:i-1}, x_{1:\ell-1}^{[N]}), \\
1 & \text{with probability } P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}}(1 | u_\ell^{1:i-1}, x_{1:\ell-1}^{[N]}).
\end{cases} \tag{17}$$

• Decoding: The decoder receives $y^{[N]}$ and estimates $\hat{u}_\ell^{[N]}$ based on the previously recovered $x_{1:\ell-1}^{[N]}$ according to the rule

$$\hat{u}_\ell^i = \begin{cases}
u_\ell^i, & \text{if } i \in \mathcal{F}_\ell \\
\phi_i(\hat{u}_\ell^{1:i-1}, x_{1:\ell-1}^{[N]}), & \text{if } i \in \mathcal{S}_\ell \\
\arg\max_{u} P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Y}^{[N]}}(u | \hat{u}_\ell^{1:i-1}, x_{1:\ell-1}^{[N]}, y^{[N]}), & \text{if } i \in \mathcal{I}_\ell
\end{cases}.$$

Note that probability $P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Y}^{[N]}}(u | \hat{u}_\ell^{1:i-1}, x_{1:\ell-1}^{[N]}, y^{[N]})$ can be calculated by the SC decoding algorithm efficiently, treating $\mathsf{Y}$ and $\mathsf{X}_{1:\ell-1}$ (already decoded by the SC decoder at previous levels) as the outputs of the asymmetric channel. With the above encoding and decoding, the message rate can be arbitrarily close to $I(\mathsf{X}_\ell; \mathsf{Y} | \mathsf{X}_{1:\ell-1})$ and the expectation of the decoding error probability over the randomized mappings satisfies $E_{\Phi_{\mathcal{S}_\ell}}[P_e(\phi_{\mathcal{S}_\ell})] = O(2^{-N^{\beta'}})$ for any $\beta' < \beta < 0.5$. Consequently, there exists a deterministic mapping $\phi_{\mathcal{S}_\ell}$ such that $P_e(\phi_{\mathcal{S}_\ell}) = O(2^{-N^{\beta'}})$.

In practice, to share the mapping $\phi_{\mathcal{S}_\ell}$ between the encoder and the decoder, we can let them have access to the same source of randomness, which can be achieved by initializing the pseudorandom number generators on both sides to the same state.

Now let us pick a suitable input distribution $P_{\mathsf{X}_{1:r}}$ to implement the shaping. As shown in Theorem 1, the mutual information between the discrete Gaussian lattice distribution $D_{\Lambda, \sigma_s}$ and the output of the AWGN channel approaches $\frac{1}{2} \log(1 + \mathrm{SNR})$ as the flatness factor $\epsilon_\Lambda(\tilde{\sigma}) \to 0$. Therefore, we use the lattice Gaussian distribution $P_{\mathsf{X}} \sim D_{\Lambda, \sigma_s}$ as the constellation, which gives us $\lim_{r \to \infty} P_{\mathsf{X}_{1:r}} = P_{\mathsf{X}} \sim D_{\Lambda, \sigma_s}$. By [13, Lemma 5], when $N \to \infty$, the mutual information $I(\mathsf{X}_r; \mathsf{Y} | \mathsf{X}_{1:r-1})$ at the bottom level goes to 0 if $r = O(\log \log N)$, and using the first $r$ levels would involve a capacity loss $\sum_{\ell > r} I(\mathsf{X}_\ell; \mathsf{Y} | \mathsf{X}_{1:\ell-1}) \le O(\frac{1}{N})$. From the chain rule of mutual information,

$$I(\mathsf{X}_{1:r}; \mathsf{Y}) = \sum_{\ell=1}^{r} I(\mathsf{X}_\ell; \mathsf{Y} | \mathsf{X}_{1:\ell-1}),$$

we have $r$ binary-input channels and the $\ell$-th channel according to $I(\mathsf{X}_\ell; \mathsf{Y} | \mathsf{X}_{1:\ell-1})$ is generally asymmetric with the input distribution $P_{\mathsf{X}_\ell | \mathsf{X}_{1:\ell-1}}$ ($1 \le \ell \le r$). Then we can construct the polar code for the asymmetric channel at each level according to Lemma 7. As a result, the $\ell$-th symmetrized channel is equivalent to the MMSE-scaled $\Lambda_{\ell-1}/\Lambda_\ell$ channel in the sense of channel polarization. (See [13] for more details.)

Therefore, when the power constraint is taken into consideration, the multilevel polar codes before shaping are constructed according to the symmetric channel $V(\Lambda_{\ell-1}/\Lambda_\ell, \tilde{\sigma}_b^2)$ and $W(\Lambda_{\ell-1}/\Lambda_\ell, \tilde{\sigma}_e^2)$, where $\tilde{\sigma}_b^2 = \left(\frac{\sigma_s \sigma_b}{\sqrt{\sigma_s^2 + \sigma_b^2}}\right)^2$ and $\tilde{\sigma}_e^2 = \left(\frac{\sigma_s \sigma_e}{\sqrt{\sigma_s^2 + \sigma_e^2}}\right)^2$ are the MMSE-scaled noise variance of the main channel and of the wiretapper's channel, respectively. This is similar to the mod-$\Lambda_s$ GWC scenario mentioned in the previous section. The difference is that $\sigma_b^2$ and $\sigma_e^2$ are replaced by $\tilde{\sigma}_b^2$ and $\tilde{\sigma}_e^2$ accordingly. As a result, we can still obtain an AWGN-good lattice $\Lambda_b$ and a secrecy-good lattice $\Lambda_e$ by treating $V(\Lambda_{\ell-1}/\Lambda_\ell, \tilde{\sigma}_b^2)$ and $W(\Lambda_{\ell-1}/\Lambda_\ell, \tilde{\sigma}_e^2)$ as the main channel and wiretapper's channel at each level.

B. Three-dimensional partition

Now we consider the partition of the index set $[N]$ with shaping involved. According to the analysis of asymmetric polar codes, we have to eliminate those indices with small $Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]})$ from the information set of the symmetric channels. Therefore, Alice cannot send message on those subchannels with $Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}) < 1 - 2^{-N^{\beta}}$. Note that this part is the same for $\tilde{V}_\ell$ and $\tilde{W}_\ell$, because it only depends on the shaping distribution. At each level, the index set which is used for shaping is given as

$$\mathcal{S}_\ell \triangleq \{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}) < 1 - 2^{-N^{\beta}}\},$$

and the index set which is not for shaping is denoted by $\mathcal{S}_\ell^c$. Recall that for the index set $[N]$, we already have two partition criteria, i.e., reliability-good and information-bad (see (3)). We rewrite the reliability-good index set $\mathcal{G}_\ell$ and information-bad index set $\mathcal{N}_\ell$ at level $\ell$ as

$$\begin{aligned}
\mathcal{G}_\ell &\triangleq \{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Y}^{[N]}) \le 2^{-N^{\beta}}\}, \\
\mathcal{N}_\ell &\triangleq \{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Z}^{[N]}) \ge 1 - 2^{-N^{\beta}}\}.
\end{aligned} \tag{18}$$

Note that $\mathcal{G}_\ell$ and $\mathcal{N}_\ell$ are defined by the asymmetric Bhattacharyya parameters. Nevertheless, by Lemma 8 and the channel equivalence, we have $\mathcal{G}_\ell = \mathcal{G}(\tilde{V}_\ell)$ and $\mathcal{N}_\ell = \mathcal{N}(\tilde{W}_\ell)$ as defined in (3), where $\tilde{V}_\ell$ and $\tilde{W}_\ell$ are the respective symmetric channels or the MMSE-scaled $\Lambda_{\ell-1}/\Lambda_\ell$ channels for Bob and Eve at level $\ell$. The four sets $\mathcal{A}_\ell$, $\mathcal{B}_\ell$, $\mathcal{C}_\ell$, and $\mathcal{D}_\ell$ are defined in the same fashion as (4), with $\mathcal{G}_\ell$ and $\mathcal{N}_\ell$ replacing $\mathcal{G}(\tilde{V}_\ell)$ and $\mathcal{N}(\tilde{W}_\ell)$, respectively. Now the whole index set $[N]$ is divided like a cube in three directions, which is shown in Fig. 5.

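Fig. 5. Partitions of the index set $[N]$ with shaping. (Axis labels: good for Bob / bad for Bob; information poor for Eve / not poor for Eve.)

Clearly, we have eight blocks:

$$\begin{aligned}
\mathcal{A}_\ell^{S} &= \mathcal{A}_\ell \cap \mathcal{S}_\ell, & \mathcal{A}_\ell^{S^c} &= \mathcal{A}_\ell \cap \mathcal{S}_\ell^c \\
\mathcal{B}_\ell^{S} &= \mathcal{B}_\ell \cap \mathcal{S}_\ell, & \mathcal{B}_\ell^{S^c} &= \mathcal{B}_\ell \cap \mathcal{S}_\ell^c \\
\mathcal{C}_\ell^{S} &= \mathcal{C}_\ell \cap \mathcal{S}_\ell, & \mathcal{C}_\ell^{S^c} &= \mathcal{C}_\ell \cap \mathcal{S}_\ell^c \\
\mathcal{D}_\ell^{S} &= \mathcal{D}_\ell \cap \mathcal{S}_\ell, & \mathcal{D}_\ell^{S^c} &= \mathcal{D}_\ell \cap \mathcal{S}_\ell^c
\end{aligned} \tag{19}$$

By Lemma 6, we observe that $\mathcal{A}_\ell^{S} = \mathcal{C}_\ell^{S} = \emptyset$, $\mathcal{A}_\ell^{S^c} = \mathcal{A}_\ell$, and $\mathcal{C}_\ell^{S^c} = \mathcal{C}_\ell$. The shaping set $\mathcal{S}_\ell$ is divided into two sets $\mathcal{B}_\ell^{S}$ and $\mathcal{D}_\ell^{S}$. The bits in $\mathcal{S}_\ell$ are determined by the bits in $\mathcal{S}_\ell^c$ according to the mapping. Similarly, $\mathcal{S}_\ell^c$ is divided into the four sets $\mathcal{A}_\ell^{S^c} = \mathcal{A}_\ell$, $\mathcal{B}_\ell^{S^c}$, $\mathcal{C}_\ell^{S^c} = \mathcal{C}_\ell$, and $\mathcal{D}_\ell^{S^c}$. Note that for wiretap coding, the frozen set becomes $\mathcal{C}_\ell^{S^c}$, which is slightly different from the frozen set for channel coding. To satisfy the reliability condition, the frozen set $\mathcal{C}_\ell^{S^c}$ and the problematic set $\mathcal{D}_\ell^{S^c}$ cannot be set uniformly random any more. Recall that only the independent frozen set $\mathcal{F}_\ell$ at each level, which is defined as $\{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{Y}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \ge 1 - 2^{-N^{\beta}}\}$, can be set uniformly random (which are already shared between Alice and Bob), and the bits in the unpolarized frozen set $\bar{\mathcal{F}}_\ell$, defined as $\{i \in [N] : 2^{-N^{\beta}} < Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{Y}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) < 1 - 2^{-N^{\beta}}\}$, should be determined according to the mapping. Moreover, we can observe that $\mathcal{F}_\ell \subset \mathcal{C}_\ell^{S^c}$ and $\mathcal{D}_\ell^{S^c} \subset \mathcal{D}_\ell \subset \bar{\mathcal{F}}_\ell$. Here we make the bits in $\mathcal{F}_\ell$ uniformly random and the bits in $\mathcal{C}_\ell^{S^c} \setminus \mathcal{F}_\ell$ and $\mathcal{D}_\ell^{S^c}$ determined by the mapping. Therefore, from now on, we adjust the definition of the shaping bits as:

$$\mathcal{S}_\ell \triangleq \{i \in [N] : Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}) < 1 - 2^{-N^{\beta}} \text{ or } 2^{-N^{\beta}} < Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{Y}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) < 1 - 2^{-N^{\beta}}\}, \tag{20}$$

which is essentially equivalent to the definition of the shaping set given in Theorem 3.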
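The eight blocks of (19) and the adjusted shaping set (20), computed exactly for a toy asymmetric source. This is an added example, not code from the paper: it assumes a single level, N = 8, P(X = 1) = 0.4, binary symmetric channels for Bob and Eve, a fixed threshold δ = 0.1 in place of 2^{-N^β}, the transform F^{⊗n} without bit reversal, and sets A to D formed as G∩N, G∩N^c, G^c∩N, G^c∩N^c; all function names are hypothetical.

```python
import math


def polar_transform(bits):
    """u -> u F^{(x)n} over GF(2), F = [[1, 0], [1, 1]] (bit-reversal omitted)."""
    x = list(bits)
    step = 1
    while step < len(x):
        for start in range(0, len(x), 2 * step):
            for j in range(start, start + step):
                x[j] ^= x[j + step]
        step *= 2
    return x


def z_profile(N, p1, flip=None):
    """Exact Z(U^i | U^{1:i-1}, Y^[N]) of Definition 3 for i = 1..N.

    X^[N] is i.i.d. with P(X = 1) = p1 and Y^[N] is X^[N] through a BSC(flip).
    flip=None removes the observation and returns Z(U^i | U^{1:i-1}).
    """
    joint = []  # joint[u][y] = P(U^[N] = u, Y^[N] = y); U^1 is the top bit of u
    for u in range(2 ** N):
        # The transform is its own inverse, so X^[N] = U^[N] F^{(x)n} as well.
        xbits = polar_transform([(u >> (N - 1 - k)) & 1 for k in range(N)])
        ones = sum(xbits)
        p_x = p1 ** ones * (1 - p1) ** (N - ones)
        if flip is None:
            joint.append([p_x])
            continue
        x = int("".join(map(str, xbits)), 2)
        row = []
        for y in range(2 ** N):
            d = bin(x ^ y).count("1")            # number of flipped positions
            row.append(p_x * flip ** d * (1 - flip) ** (N - d))
        joint.append(row)
    z = [0.0] * N
    for i in range(N - 1, -1, -1):
        # Rows 2k and 2k+1 share the first i bits and differ in bit i (0-based).
        pairs = [(joint[k], joint[k + 1]) for k in range(0, len(joint), 2)]
        z[i] = 2 * sum(math.sqrt(a * b) for r0, r1 in pairs for a, b in zip(r0, r1))
        joint = [[a + b for a, b in zip(r0, r1)] for r0, r1 in pairs]  # sum out bit i
    return z


def shaped_partition(N=8, p1=0.4, flip_bob=0.01, flip_eve=0.4, delta=0.1):
    """Eight blocks of (19) plus the final bit assignment with the set (20)."""
    z_src = z_profile(N, p1)               # Z(U^i | U^{1:i-1})
    z_bob = z_profile(N, p1, flip_bob)     # Z(U^i | U^{1:i-1}, Y^[N])
    z_eve = z_profile(N, p1, flip_eve)     # Z(U^i | U^{1:i-1}, Z^[N])
    idx = set(range(N))
    good = {i for i in idx if z_bob[i] <= delta}         # G in (18)
    poor = {i for i in idx if z_eve[i] >= 1 - delta}     # N in (18)
    shape = {i for i in idx if z_src[i] < 1 - delta}     # first definition of S
    four = {"A": good & poor, "B": good - poor,
            "C": poor - good, "D": idx - good - poor}
    blocks = {}
    for name, members in four.items():
        blocks[name + "^S"] = members & shape
        blocks[name + "^Sc"] = members - shape
    frozen = {i for i in idx if z_bob[i] >= 1 - delta}   # independent frozen set F
    shape_adj = {i for i in idx                          # adjusted shaping set (20)
                 if z_src[i] < 1 - delta or delta < z_bob[i] < 1 - delta}
    return {"z_src": z_src, "z_bob": z_bob, "z_eve": z_eve, "blocks": blocks,
            "assignment": {"message": blocks["A^Sc"], "random": blocks["B^Sc"],
                           "frozen": frozen, "shaping": shape_adj}}


if __name__ == "__main__":
    result = shaped_partition()
    for name, members in result["blocks"].items():
        print(name, sorted(members))
    for role, members in result["assignment"].items():
        print(role, sorted(members))
```

At this block length polarization is far from complete, so most indices land in the shaping set; the ordering of the three Bhattacharyya profiles and the empty blocks A^S and C^S hold regardless.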

To sum up, at level $\ell$, we assign the sets $\mathcal{A}_\ell^{S^c}$, $\mathcal{B}_\ell^{S^c}$, and $\mathcal{F}_\ell$ with message bits $\mathsf{M}_\ell$, uniformly random bits $\mathsf{R}_\ell$, and uniform frozen bits $\mathsf{F}_\ell$, respectively. The rest bits $\mathsf{S}_\ell$ (in $\mathcal{S}_\ell$) will be fed with random bits according to $P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}}$. Clearly, this shaping operation will make the input distribution arbitrarily close to $P_{\mathsf{X}_\ell | \mathsf{X}_{1:\ell-1}}$. In this case, we can obtain the equality between the Bhattacharyya parameter of asymmetric setting and symmetric setting (see Lemma 8). This provides us a convenient way to prove the strong secrecy of the wiretap coding scheme with shaping because we have already proved the strong secrecy of a symmetric wiretap coding scheme using the Bhattacharyya parameter of the symmetric setting. A detailed proof will be presented in the following subsection. Before this, we show that the shaping will not change the message rate.

Lemma 9: For the symmetrized main channel $\tilde{V}_\ell$ and wiretapper's channel $\tilde{W}_\ell$, consider the reliability-good indices set $\mathcal{G}_\ell$ and information-bad indices set $\mathcal{N}_\ell$ defined as in (18). By eliminating the shaping set $\mathcal{S}_\ell$ from the original message set defined in (4), we get the new message set $\mathcal{A}_\ell^{S^c} = \mathcal{G}_\ell \cap \mathcal{N}_\ell \cap \mathcal{S}_\ell^c$. The proportion of $|\mathcal{A}_\ell^{S^c}|$ equals to that of $|\mathcal{A}_\ell|$, and the message rate after shaping can still be arbitrarily close to $\frac{1}{2} \log \frac{\tilde{\sigma}_e^2}{\tilde{\sigma}_b^2}$.

Proof: By Theorem 2, when shaping is not involved, the message rate can be made arbitrarily close to $\frac{1}{2} \log \frac{\tilde{\sigma}_e^2}{\tilde{\sigma}_b^2}$. By the new definition (20) of $\mathcal{S}_\ell$, we still have $\mathcal{A}_\ell^{S} = \emptyset$, which means the shaping operation will not affect the message rate.

C. Strong secrecy

In [8], an induced channel is defined in order to prove strong secrecy. Here we call this induced channel randomness-induced channel because it is induced by feeding the subchannels in the sets $\mathcal{B}_\ell$ and $\mathcal{D}_\ell$ with uniformly random bits. However, when shaping is involved, the sets $\mathcal{B}_\ell$ and $\mathcal{D}_\ell$ are no longer fed with uniformly random bits. In fact, some subchannels (covered by the shaping mapping) should be fed with bits according to the distribution $P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}}$. We define the channel induced by the shaping bits as the shaping-induced channel.

Definition 4 (Shaping-induced channel): The shaping-induced channel $Q_N(W, \mathcal{S})$ is defined in terms of $N$ uses of an asymmetric channel $W$, and a shaping subset $\mathcal{S}$ of $[N]$ of size $|\mathcal{S}|$. The input alphabet of $Q_N(W, \mathcal{S})$ is $\{0, 1\}^{N - |\mathcal{S}|}$ and the bits in $\mathcal{S}$ are determined by the input bits according to a specific shaping mapping $\phi$. A block diagram of the shaping-induced channel is shown in Fig. 6.

Fig. 6. Block diagram of the shaping-induced channel $Q_N(W, \mathcal{S})$.

Based on the shaping-induced channel, we define a new induced channel, which is caused by feeding a part of the input bits of the shaping-induced channel with uniformly random bits.

Definition 5 (New induced channel): Based on a shaping-induced channel $Q_N(W, \mathcal{S})$, the new induced channel $Q_N(W, \mathcal{S}, \mathcal{R})$ is specified in terms of a randomness subset $\mathcal{R}$ of size $|\mathcal{R}|$. The randomness is introduced into the input set of the shaping-induced channel. The input alphabet of $Q_N(W, \mathcal{S}, \mathcal{R})$ is $\{0, 1\}^{N - |\mathcal{S}| - |\mathcal{R}|}$ and the bits in $\mathcal{R}$ are uniformly and independently random. A block diagram of the new induced channel is shown in Fig. 7.

Fig. 7. Block diagram of the new induced channel $Q_N(W, \mathcal{S}, \mathcal{R})$.

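The new induced channel is a combination of the shaping-induced channel and randomness-induced channel. This is different from the definition given in [8] because the bits in $\mathcal{S}$ are neither independent of the message bits nor uniformly distributed. As long as the input bits of the new induced channel are uniform and the shaping bits are chosen according to the shaping mappings, the new induced channel can still generate $2^N$ possible realizations $x_\ell^{[N]}$ of $\mathsf{X}_\ell^{[N]}$ as $N$ goes to infinity, and those $x_\ell^{[N]}$ can be viewed as the output of $N$ i.i.d. binary sources with input distribution $P_{\mathsf{X}_\ell | \mathsf{X}_{1:\ell-1}}$. These are exactly the conditions required by Lemma 8. Specifically, we have $Z(\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{Z}^{[N]}) = \tilde{Z}(\tilde{\mathsf{U}}_\ell^i | \tilde{\mathsf{U}}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{X}_\ell^{[N]} \oplus \tilde{\mathsf{X}}_\ell^{[N]}, \mathsf{Z}^{[N]})$. In simple words, this equation holds when $x_\ell^{[N]}$ and $x_\ell^{[N]} \oplus \tilde{x}_\ell^{[N]}$ are all selected from $\{0, 1\}^N$ according to their respective distributions. Then we can exploit the relation between the asymmetric channel and the corresponding symmetric channel to bound the mutual information of the asymmetric channel. Therefore, we have to stick to the input distribution (uniform) of our new induced channel and also the distribution of the mappings. This is similar to the setting of the randomness-induced channel in [8], where the input distribution and the randomness distribution are both set to be uniform. In [8], the randomness-induced channel is further proved to be symmetric; then any other input distribution can also achieve strong secrecy and the symmetry finally results in semantic security. In this work, however, we do not have a proof of the symmetry of the new induced channel. For this reason, we assume for now that the message bits are uniformly distributed. To prove semantic security, we will show that the information leakage of the symmetrized version of the new induced channel is vanishing in Sect. IV-E.

Lemma 10: Let $\mathsf{M}_\ell$ be the uniformly distributed message bits and $\mathsf{F}_\ell$ be the independent frozen bits at the input of the channel at the $\ell$-th level after shaping, we have

$$I(\mathsf{M}_\ell \mathsf{F}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \le 2N 2^{-N^{\beta'}}.$$

Proof: For the shaping-induced channel $Q_N(W_\ell, \mathcal{S}_\ell, \mathcal{R}_\ell)$ ($\mathcal{R}_\ell$ is $\mathcal{B}_\ell^{S^c}$ according to the above analysis), we write the indices of the input bits $(\mathcal{S}_\ell \cup \mathcal{R}_\ell)^c = [N] \setminus (\mathcal{S}_\ell \cup \mathcal{R}_\ell)$ as $\{i_1, i_2, \ldots, i_{N - s_\ell - r_\ell}\}$, where $|\mathcal{R}_\ell| = r_\ell$ and $|\mathcal{S}_\ell| = s_\ell$, and assume that $i_1 < i_2 < \cdots < i_{N - s_\ell - r_\ell}$. We have

$$\begin{aligned}
I(\mathsf{M}_\ell \mathsf{F}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) &= I(\mathsf{U}_\ell^{(\mathcal{S}_\ell \cup \mathcal{R}_\ell)^c}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \\
&= I(\mathsf{U}_\ell^{i_1}, \mathsf{U}_\ell^{i_2}, \ldots, \mathsf{U}_\ell^{i_{N - r_\ell - s_\ell}}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \\
&= \sum_{j=1}^{N - r_\ell - s_\ell} I(\mathsf{U}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]} | \mathsf{U}_\ell^{i_1}, \mathsf{U}_\ell^{i_2}, \ldots, \mathsf{U}_\ell^{i_{j-1}}) \\
&= \sum_{j=1}^{N - r_\ell - s_\ell} I(\mathsf{U}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{i_1}, \mathsf{U}_\ell^{i_2}, \ldots, \mathsf{U}_\ell^{i_{j-1}}) \\
&\overset{(a)}{\le} \sum_{j=1}^{N - r_\ell - s_\ell} I(\mathsf{U}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{1}, \mathsf{U}_\ell^{2}, \ldots, \mathsf{U}_\ell^{i_j - 1}),
\end{aligned}$$

where (a) holds because adding more variables will not decrease the mutual information. Then the above mutual information can be bounded by the mutual information of the symmetric channel plus an infinitesimal term as follows:

$$\begin{aligned}
&\sum_{j=1}^{N - r_\ell - s_\ell} I(\mathsf{U}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{1:i_j - 1}) \\
&\overset{(a)}{\le} \sum_{j=1}^{N - r_\ell - s_\ell} \Big[ I(\tilde{\mathsf{U}}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \tilde{\mathsf{X}}_\ell^{[N]} \oplus \mathsf{X}_\ell^{[N]}, \tilde{\mathsf{U}}_\ell^{1:i_j - 1}) + H(\tilde{\mathsf{U}}_\ell^{i_j} | \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \tilde{\mathsf{X}}_\ell^{[N]} \oplus \mathsf{X}_\ell^{[N]}, \tilde{\mathsf{U}}_\ell^{1:i_j - 1}) \Big] - \sum_{j=1}^{N - r_\ell - s_\ell} H(\mathsf{U}_\ell^{i_j} | \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{1:i_j - 1}) \\
&\overset{(b)}{\le} \sum_{j=1}^{N - r_\ell - s_\ell} I(\tilde{\mathsf{U}}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \tilde{\mathsf{X}}_\ell^{[N]} \oplus \mathsf{X}_\ell^{[N]}, \tilde{\mathsf{U}}_\ell^{1:i_j - 1}) + \sum_{j=1}^{N - r_\ell - s_\ell} \Big[ Z(\mathsf{U}_\ell^{i_j} | \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{1:i_j - 1}) - \big(Z(\mathsf{U}_\ell^{i_j} | \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{1:i_j - 1})\big)^2 \Big] \\
&\overset{(c)}{\le} \sum_{j=1}^{N - r_\ell - s_\ell} I(\tilde{\mathsf{U}}_\ell^{i_j}; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \tilde{\mathsf{X}}_\ell^{[N]} \oplus \mathsf{X}_\ell^{[N]}, \tilde{\mathsf{U}}_\ell^{1:i_j - 1}) + N 2^{-N^{\beta}} \\
&\overset{(d)}{\le} N 2^{-N^{\beta'}} + N 2^{-N^{\beta}} \le 2N 2^{-N^{\beta'}}
\end{aligned}$$

for $0 < \beta' < \beta < 0.5$. Inequalities (a)-(d) follow from

(a) uniformly distributed $\tilde{\mathsf{U}}_\ell^{i_j}$,

(b) [36, Proposition 2] which gives $H(\mathsf{X}|\mathsf{Y}) - H(\mathsf{X}|\mathsf{Y}, \mathsf{Z}) \le Z(\mathsf{X}|\mathsf{Y}) - (Z(\mathsf{X}|\mathsf{Y}, \mathsf{Z}))^2$ and Lemma 8,

(c) our coding scheme guaranteeing that $Z(\mathsf{U}_\ell^{i_j} | \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}, \mathsf{U}_\ell^{1:i_j - 1})$ is greater than $1 - 2^{-N^{\beta}}$ for the frozen bits and information bits,

(d) Lemma 1.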

Finally, strong secrecy (for uniform message bits) can be proved in the same fashion as shown in (14) as:

$$I(\mathsf{M}; \mathsf{Z}^{[N]}) \le \sum_{\ell=1}^{r} I(\mathsf{M}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \le \sum_{\ell=1}^{r} I(\mathsf{M}_\ell \mathsf{F}_\ell; \mathsf{Z}^{[N]}, \mathsf{X}_{1:\ell-1}^{[N]}) \le 2rN 2^{-N^{\beta'}}.$$

An unavoidable question is whether the shaping bits $\mathsf{S}_\ell$ in $\mathcal{S}_\ell$ make the message $\mathsf{M}_\ell$ insecure when Eve knows the frozen bits and the mapping beforehand. It is possible for Eve to decode some bits in $\mathcal{S}_\ell$ because the mutual information $I(\mathsf{M}_\ell \mathsf{F}_\ell; \mathsf{S}_\ell)$ is not vanishing. In this case, it seems that Eve may use the decoded bits to decide other shaping bits and then get some information about the message bits. In fact, this is not the case, because bits in $\mathcal{S}_\ell$ which are decodable for Eve turn out to be irrelevant to the message $\mathsf{M}_\ell$. Let us assume a specific shaping bit $s$ ($s \in \mathsf{S}_\ell$) which can be decoded by Eve from the knowledge of frozen bits and mapping. Then the index of this $s$ should precede that of any message bits. We can easily obtain that $I(\mathsf{U}_\ell^i; \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}) \to 0$ for any $i \in \mathcal{A}_\ell$. This means that $s$ is almost independent of the message and is determined by the other bits. Knowing this $s$ will not help Eve to get extra information about the message bits. Therefore we conclude that the whole shaping scheme is secure in the sense that the mutual information leakage between $\mathsf{M}$ and $\mathsf{Z}^{[N]}$ vanishes with the block length $N$.

D. Reliability

The reliability analysis in Sect. III-D holds for the wiretap coding without shaping. When shaping is involved, the problematic set $\mathcal{D}_\ell$ at each level is included in the shaping set $\mathcal{S}_\ell$. The bits in $\mathcal{D}_\ell$ can be recovered by Bob simply by the shared mapping but not requiring the blocking technique [9]. By Theorem 3, the reliability at each level can be guaranteed by uniformly distributed independent frozen bits and random mapping with distribution $P_{\mathsf{U}_\ell^i | \mathsf{U}_\ell^{1:i-1}, \mathsf{X}_{1:\ell-1}^{[N]}}$. Consequently, by the multilevel decoding and union bound, the expectation of the block error probability of our wiretap coding scheme is vanishing as $N \to \infty$.

Now we present the main theorem of the paper.

Theorem 4 (Achieving secrecy capacity of the GWC): Consider a multilevel lattice code constructed from polar codes based on asymmetric channels and lattice Gaussian shaping $D_{\Lambda, \sigma_s}$. Given $\sigma_e^2 > \sigma_b^2$, let $\epsilon_\Lambda(\tilde{\sigma}_e)$ be negligible and set the number of levels $r = O(\log \log N)$ for $N \to \infty$. Then all strong secrecy rates $R$ satisfying $R < \frac{1}{2} \log\left(\frac{1 + \mathrm{SNR}_b}{1 + \mathrm{SNR}_e}\right)$ are achievable for the Gaussian wiretap channel, where $\mathrm{SNR}_b$ and $\mathrm{SNR}_e$ denote the SNR of the main channel and wiretapper's channel, respectively.

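Proof: The reliability condition and the strong secrecy condition are satisfied by Theorem 3 and Lemma 10, respectively. It remains to illustrate that the secrecy rate approaches the secrecy capacity. For some $\epsilon' \to 0$, we have

$$
\begin{aligned}
\lim_{N\to\infty} R &= \sum_{\ell=1}^{r} \lim_{N\to\infty} \frac{|\mathcal{A}_\ell^{\mathcal{S}^c}|}{N} \\
&= \sum_{\ell=1}^{r} I(X_\ell; Y|X_1, \cdots, X_{\ell-1}) - I(X_\ell; Z|X_1, \cdots, X_{\ell-1}) \\
&\overset{(a)}{=} \frac{1}{2}\log\left(\frac{\tilde\sigma_e^2}{\tilde\sigma_b^2}\right) - \epsilon' \\
&\overset{(b)}{\geq} \frac{1}{2}\log\left(\frac{1+\mathrm{SNR}_b}{1+\mathrm{SNR}_e}\right) - \epsilon',
\end{aligned}
\tag{21}
$$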

where (a) is due to Lemma 9, and (b) is because the signal power $P_s \leq \sigma_s^2$ [28, Lemma 1]$^8$, respectively.

$^8$ Of course, $R$ cannot exceed the secrecy capacity, so this inequality implies that $P_s$ is very close to $\sigma_s^2$.

E. Semantic security

In this subsection, we extend strong secrecy of the constructed polar lattices to semantic security, namely the resulting strong secrecy does not rely on the distribution of the message.

We firstly show that the reliability condition can be satisfied for arbitrarily distributed message bits. By Theorem 3, we already know that when the frozen bits and information bits are uniformly selected and the shaping bits are selected according to $P_{U_\ell^i|U_\ell^{1:i-1},X_{1:\ell-1}^{[N]}}$, the average block error probability at each level $E_{\Phi_{\mathcal{S}_\ell}}[P_e(\Phi_{\mathcal{S}_\ell})] = O(2^{-N^{\beta'}})$. Note that $E_{\Phi_{\mathcal{S}_\ell}}[P_e(\Phi_{\mathcal{S}_\ell})]$ is the average block error probability over all uniformly distributed frozen bits and information bits. Taking the first level as an example, let $\mathcal{E}_i$ denote the set of pairs of $u_1^{[N]}$ and $y^{[N]}$ such that decoding error occurs at the $i$-th bit, then the block decoding error event is given by $\mathcal{E} \equiv \bigcup_{i\in\mathcal{I}_1} \mathcal{E}_i$. According to our encoding scheme, each codeword $u_1^{[N]}$ occurs with probability

$$2^{-(|\mathcal{I}_1|+|\mathcal{F}_1|)} \prod_{i\in\mathcal{S}_1} P_{U_1^i|U_1^{1:i-1}}(u_1^i|u_1^{1:i-1}).$$

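Then the expectation of decoding error probability over all random mappings is expressed as

$$E_{\Phi_{\mathcal{S}_1}}[P_e(\Phi_{\mathcal{S}_1})] = \sum_{u_1^{[N]},\, y^{[N]}} 2^{-(|\mathcal{I}_1|+|\mathcal{F}_1|)} \Big( \prod_{i\in\mathcal{S}_1} P_{U_1^i|U_1^{1:i-1}}(u_1^i|u_1^{1:i-1}) \Big) \cdot P_{Y^{[N]}|U_1^{[N]}}(y^{[N]}|u_1^{[N]})\, \mathbb{1}[(u_1^{[N]}, y^{[N]}) \in \mathcal{E}].$$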

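Therefore, there exists at least one mapping $\phi_{\mathcal{S}_1}$ and a constant $\delta$ such that $P_e(\phi_{\mathcal{S}_1}) = \delta 2^{-N^{\beta'}}$. For this good mapping $\phi_{\mathcal{S}_1}$, the probability of each codeword $u_1^{[N]}$ becomes

$$2^{-(|\mathcal{I}_1|+|\mathcal{F}_1|)}\, \mathbb{1}\Big[\bigcap_{i\in\mathcal{S}_1} \phi_i(u_1^{1:i-1}) = u_1^i\Big].$$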

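For a specific choice of message bits and frozen bits $u_1^{\mathcal{I}_1\cup\mathcal{F}_1}$, define a random variable $X$ as

$$\sum_{u_1^{\mathcal{S}_1},\, y^{[N]}} \mathbb{1}\Big[\bigcap_{i\in\mathcal{S}_1} \phi_i(u_1^{1:i-1}) = u_1^i\Big] \cdot P_{Y^{[N]}|U_1^{[N]}}(y^{[N]}|u_1^{[N]})\, \mathbb{1}[(u_1^{[N]}, y^{[N]}) \in \mathcal{E}].$$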

Observe that $0 \leq X \leq 1$ and its expectation over all choices of message bits and frozen bits $E[X] = P_e(\phi_{\mathcal{S}_1}) = \delta 2^{-N^{\beta'}}$. Moreover, the variance of $X$, denoted by $\sigma^2(X)$, satisfies $\sigma^2(X) \leq E[X^2] \leq E[X]$. By the Chebyshev inequality,

$$\Pr\big(|X - \delta 2^{-N^{\beta'}}| \geq 2^{-N^{\beta''}}\big) \leq \frac{\sigma^2(X)}{2^{-2N^{\beta''}}} \leq \delta 2^{-(N^{\beta'} - 2N^{\beta''})}.$$

For a sufficiently large $N$ and $\beta'' < \beta'$, the probability $\Pr(X \geq \delta 2^{-N^{\beta'}} + 2^{-N^{\beta''}}) \to 0$. Therefore, for arbitrarily distributed frozen bits and information bits, the block error probability under SC decoding is smaller than $\delta 2^{-N^{\beta'}} + 2^{-N^{\beta''}}$ with probability almost 1. Clearly, $\mathcal{A}_1 \subset \mathcal{I}_1$, meaning that the message bits could be selected according to arbitrary distribution. Note that the above analysis can be generalized to the $\ell$-th level for any $\ell \leq r$.

Next, we prove that the information leakage also vanishes for arbitrarily distributed message bits. Again, we take the level-1 wiretapper’s channel $W_1$ as an example. Our goal is to show that the maximum mutual information between $M_1F_1$ and $Z^{[N]}$ is vanishing as $N \to \infty$. Unlike the symmetric randomness induced channel introduced in [8], the new induced channel is generally asymmetric with transition probability

$$Q(z|v) = \frac{1}{2^{r_1}} \sum_{e\in\{0,1\}^{r_1}} W_1^N\big(z \,|\, (v; e; \phi_{\mathcal{S}_1}(v, e)) G_N\big),$$

where $\phi_{\mathcal{S}_1}(v, e)$ represents the shaping bits determined by $v$ (the frozen bits and message bits together) and $e$ (the random bits) according to mapping $\phi_{\mathcal{S}_1}$. It is difficult to find the optimal input distribution to maximize the mutual information for the new induced channel.

To prove the semantic security, we investigate the relationship between the $i$-th subchannel of $W_{1,N}$ and the $i$-th subchannel of its symmetrized version $\tilde W_{1,N}$, which are denoted by $W_1^{(i,N)}$ and $\tilde W_1^{(i,N)}$, respectively. According to Lemma 7, the asymmetric wiretap channel $W_1 : X_1 \to Z$ is symmetrized to channel $\tilde W_1 : \tilde X_1 \to (Z, \tilde X_1 \oplus X_1)$. After the $N$-by-$N$ polarization transform, we obtain $W_1^{(i,N)} : U_1^i \to (U_1^{1:i-1}, Z^{[N]})$ and $\tilde W_1^{(i,N)} : \tilde U_1^i \to (\tilde U_1^{1:i-1}, \tilde X_1^{[N]} \oplus X_1^{[N]}, Z^{[N]})$. The next lemma shows that if we symmetrize $W_1^{(i,N)}$ directly, i.e., construct a symmetric channel $\widetilde{W_1^{(i,N)}} : \tilde U_1^i \to (U_1^{1:i-1}, Z^{[N]}, \tilde U_1^i \oplus U_1^i)$ in the sense of Lemma 7, $\widetilde{W_1^{(i,N)}}$ is degraded with respect to $\tilde W_1^{(i,N)}$.

Lemma 11: The symmetrized channel $\widetilde{W_1^{(i,N)}}$ derived directly from $W_1^{(i,N)}$ is degraded with respect to the $i$-th subchannel $\tilde W_1^{(i,N)}$ of $\tilde W_1$.

Proof: According to the proof of [34, Theorem 2], we have the relationship

$$\tilde W_1^{(i,N)}(\tilde u_1^{1:i-1}, \tilde x_1^{[N]} \oplus x_1^{[N]}, z^{[N]} \,|\, \tilde u_1^i) = 2^{-N+1} P_{U_1^{1:i},Z^{[N]}}(u_1^{1:i}, z^{[N]}).$$

Letting $\tilde x_1^{[N]} \oplus x_1^{[N]} = 0^{[N]}$, the equation becomes $\tilde W_1^{(i,N)}(u_1^{1:i-1}, 0^{[N]}, z^{[N]} \,|\, u_1^i) = 2^{-N+1} P_{U_1^{1:i},Z^{[N]}}(u_1^{1:i}, z^{[N]})$, which has already been addressed in [34]. However, for a fixed $x_1^{[N]}$ and $\tilde u_1^i = u_1^i$, since $G_N$ is full rank, there are $2^{N-1}$ choices of $\tilde x_1^{[N]}$ remaining, which means that there exist $2^{N-1}$ output symbols of $\tilde W_1^{(i,N)}$ having the same transition probability $2^{-N+1} P_{U_1^{1:i},Z^{[N]}}(u_1^{1:i}, z^{[N]})$. Suppose a middle channel which maps all these output symbols to one single symbol, which is with transition probability $P_{U_1^{1:i},Z^{[N]}}(u_1^{1:i}, z^{[N]})$. The same operation can be done for $\tilde u_1^i = u_1^i \oplus 1$, making another symbol with transition probability $P_{U_1^{1:i},Z^{[N]}}(u_1^{1:i}, z^{[N]})$ corresponding to the input $u_1^i \oplus 1$. This is a channel degradation process, and the degraded channel is symmetric.

Then we show that the symmetrized channel $\widetilde{W_1^{(i,N)}}$ is equivalent to the degraded channel mentioned above. By Lemma 7, the channel transition probability of $\widetilde{W_1^{(i,N)}}$ is

$$\widetilde{W_1^{(i,N)}}(u_1^{1:i-1}, \tilde u_1^i \oplus u_1^i, z^{[N]} \,|\, \tilde u_1^i) = P_{U_1^{1:i},Z^{[N]}}(u_1^{1:i}, z^{[N]}),$$

which is equal to the transition probability of the degraded channel discussed in the previous paragraph. Therefore, $\widetilde{W_1^{(i,N)}}$ is degraded with respect to $\tilde W_1^{(i,N)}$.

Remark 6: In fact, a stronger relationship that $\widetilde{W_1^{(i,N)}}$ is equivalent to $\tilde W_1^{(i,N)}$ can be proved. This is because the output symbols combined in the channel degradation process have the same LR. Evidence of this result can be found in [34, Equation (36)], where $\tilde Z(\tilde W_1^{(i,N)}) = Z(U_1^i|U_1^{1:i-1}, Z^{[N]}) = \tilde Z(\widetilde{W_1^{(i,N)}})$. Nevertheless, the degradation relationship is sufficient for this work. Notice that Lemma 11 can be generalized to high level $\ell$, with outputs $Z^{[N]}$ replaced by $(Z^{[N]}, X_{1:\ell-1}^{[N]})$.

Illuminated by Lemma 11, we can also symmetrize the new induced channel at level $\ell$ and show that it is degraded with respect to the randomness-induced channel constructed from $\tilde W_\ell$. For simplicity, letting $\ell = 1$, the new induced channel at level 1 is $Q_N(W_1, \mathcal{S}_1, \mathcal{R}_1) : U_1^{(\mathcal{S}_1\cup\mathcal{R}_1)^c} \to Z^{[N]}$, which is symmetrized to $\tilde Q_N(W_1, \mathcal{S}_1, \mathcal{R}_1) : \tilde U_1^{(\mathcal{S}_1\cup\mathcal{R}_1)^c} \to (Z^{[N]}, \tilde U_1^{(\mathcal{S}_1\cup\mathcal{R}_1)^c} \oplus U_1^{(\mathcal{S}_1\cup\mathcal{R}_1)^c})$ in the same fashion as in Lemma 7. Recall that the randomness-induced channel of $\tilde W_1$ defined in [8] can be denoted as $Q_N(\tilde W_1, \mathcal{R}_1 \cup \mathcal{S}_1) : \tilde U_1^{(\mathcal{S}_1\cup\mathcal{R}_1)^c} \to (Z^{[N]}, \tilde X_1^{[N]} \oplus X_1^{[N]})$. Note that for the randomness-induced channel $Q_N(\tilde W_1, \mathcal{R}_1 \cup \mathcal{S}_1)$, set $\mathcal{R}_1 \cup \mathcal{S}_1$ is fed with uniformly random bits, which is different from the shaping-induced channel.

Lemma 12: For an asymmetric channel $W_1 : X_1 \to Z$ and its symmetrized channel $\tilde W_1 : \tilde X_1 \to (Z, \tilde X_1 \oplus X_1)$, the symmetrized version of the new induced channel $\tilde Q_N(W_1, \mathcal{S}_1, \mathcal{R}_1)$ is degraded with respect to the randomness-induced channel $Q_N(\tilde W_1, \mathcal{R}_1 \cup \mathcal{S}_1)$.

Proof: The proof is similar to that of Lemma 11. For a fixed realization $x_1^{[N]}$ and input $\tilde u_1^{(\mathcal{S}_1\cup\mathcal{R}_1)^c}$, there are $2^{|\mathcal{S}_1\cup\mathcal{R}_1|}$ choices of $\tilde x_1^{[N]}$ remaining. Since $z^{[N]}$ is only dependent on $x_1^{[N]}$, we can build a middle channel which merges the $2^{|\mathcal{S}_1\cup\mathcal{R}_1|}$ output symbols of $Q_N(\tilde W_1, \mathcal{R}_1 \cup \mathcal{S}_1)$ to one output symbol of $\tilde Q_N(W_1, \mathcal{S}_1, \mathcal{R}_1)$, which means that $\tilde Q_N(W_1, \mathcal{S}_1, \mathcal{R}_1)$ is degraded with respect to $Q_N(\tilde W_1, \mathcal{R}_1 \cup \mathcal{S}_1)$. Again, this result can be generalized to higher levels.

Finally, we are ready to prove the semantic security of our wiretap coding scheme. For brevity, let $M_\ell F_\ell$ and $\tilde M_\ell \tilde F_\ell$ denote $U_\ell^{(\mathcal{S}_\ell\cup\mathcal{R}_\ell)^c}$ and $\tilde U_\ell^{(\mathcal{S}_\ell\cup\mathcal{R}_\ell)^c}$, respectively. Recall that $M$ is divided into $M_1, ..., M_r$ at each level. We express $MF$ and $\tilde M\tilde F$ as the collection of message and frozen bits on all levels of the new induced channel and the symmetric randomness-induced channel, respectively. We also define $\tilde M\tilde F \oplus MF$ as the operation $\tilde M_\ell\tilde F_\ell \oplus M_\ell F_\ell$ from level 1 to level $r$.

Theorem 5 (Semantic security): For arbitrarily distributed message $M$, the information leakage $I(M; Z^{[N]})$ of the proposed wiretap lattice code is upper-bounded as

$$I(M; Z^{[N]}) \leq I(\tilde M\tilde F; Z^{[N]}, \tilde M\tilde F \oplus MF) \leq rN2^{-N^{\beta'}},$$

where $I(\tilde M\tilde F; Z^{[N]}, \tilde M\tilde F \oplus MF)$ is the capacity of the symmetrized channel derived from the non-binary channel $MF \to Z^{[N]}$.$^9$

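Proof: By [8, Proposition 16], the channel capacity of the randomness-induced channel $Q_N(\tilde W_1, \mathcal{S}_1, \mathcal{R}_1)$ is upper-bounded by $N2^{-N^{\beta'}}$ when partition rule (3) is used. By channel degradation, the channel capacity of the symmetrized new induced channel $\tilde Q_N(W_1, \mathcal{S}_1, \mathcal{R}_1)$ can also be upper-bounded by $N2^{-N^{\beta'}}$. Since this result can be generalized to higher level $\ell$ ($\ell \geq 1$), we obtain $C(\tilde Q_N(W_\ell, \mathcal{S}_\ell, \mathcal{R}_\ell)) \leq N2^{-N^{\beta'}}$, which means $I(\tilde M_\ell\tilde F_\ell; Z^{[N]}, X_{1:\ell-1}^{[N]}, \tilde M_\ell\tilde F_\ell \oplus M_\ell F_\ell) \leq N2^{-N^{\beta'}}$. Similarly to (14), we have

$$
\begin{aligned}
I(\tilde M\tilde F; Z^{[N]}, \tilde M\tilde F \oplus MF)
&= \sum_{\ell=1}^{r} I(\tilde M_\ell\tilde F_\ell; Z^{[N]}, \tilde M\tilde F \oplus MF \,|\, \tilde M_{1:\ell-1}\tilde F_{1:\ell-1}) \\
&= \sum_{\ell=1}^{r} H(\tilde M_\ell\tilde F_\ell \,|\, \tilde M_{1:\ell-1}\tilde F_{1:\ell-1}) - H(\tilde M_\ell\tilde F_\ell \,|\, Z^{[N]}, \tilde M\tilde F \oplus MF, \tilde M_{1:\ell-1}\tilde F_{1:\ell-1}) \\
&\leq \sum_{\ell=1}^{r} H(\tilde M_\ell\tilde F_\ell) - H(\tilde M_\ell\tilde F_\ell \,|\, Z^{[N]}, \tilde M\tilde F \oplus MF, \tilde M_{1:\ell-1}\tilde F_{1:\ell-1}) \\
&= \sum_{\ell=1}^{r} I(\tilde M_\ell\tilde F_\ell; Z^{[N]}, \tilde M\tilde F \oplus MF, \tilde M_{1:\ell-1}\tilde F_{1:\ell-1}) \\
&\overset{(a)}{=} \sum_{\ell=1}^{r} I(\tilde M_\ell\tilde F_\ell; Z^{[N]}, M_{1:\ell-1}F_{1:\ell-1}, \tilde M_\ell\tilde F_\ell \oplus M_\ell F_\ell) \\
&\overset{(b)}{\leq} \sum_{\ell=1}^{r} I(\tilde M_\ell\tilde F_\ell; Z^{[N]}, X_{1:\ell-1}^{[N]}, \tilde M_\ell\tilde F_\ell \oplus M_\ell F_\ell) \\
&\leq rN2^{-N^{\beta'}},
\end{aligned}
\tag{22}
$$

where equality (a) holds because $Z^{[N]}$ is determined by $MFR$ and $\tilde M_\ell\tilde F_\ell$ is independent of $\tilde M_{\ell+1:r}\tilde F_{\ell+1:r} \oplus M_{\ell+1:r}F_{\ell+1:r}$, and inequality (b) holds because adding more variables will not decrease the mutual information.

$^9$ The symmetrization of a non-binary channel is similar to that of a binary channel as shown in Lemma 7. When $X$ and $\tilde X$ are both non-binary, $X \oplus \tilde X$ denotes the result of the exclusive or (xor) operation of the binary expressions of $X$ and $\tilde X$.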

Therefore, we have

$$
\begin{aligned}
I(M; Z^{[N]}) &\leq I(MF; Z^{[N]}) \\
&\overset{(a)}{\leq} H(\tilde M\tilde F \oplus MF) - H(MF) + I(MF; Z^{[N]}) \\
&\overset{(b)}{=} I(\tilde M\tilde F; Z^{[N]}, \tilde M\tilde F \oplus MF) \\
&\leq rN2^{-N^{\beta'}},
\end{aligned}
$$

where the equality in (a) holds iff $MF$ is also uniform, and (b) is due to the chain rule.

V. DISCUSSION

We would like to elucidate our coding scheme for the Gaussian wiretap channel in terms of the lattice structure. In Sect. III, we constructed the AWGN-good lattice $\Lambda_b$ and the secrecy-good lattice $\Lambda_e$ without considering the power constraint. When the power constraint is taken into consideration, the lattice Gaussian shaping was implemented in Sect. IV. $\Lambda_b$ and $\Lambda_e$ were then constructed according to the MMSE-scaled main channel and wiretapper’s channel, respectively. We note that these two lattices themselves are generated only if the independent frozen bits on all levels are 0s. Since the independent frozen set of the polar codes at each level is filled with random bits, we actually obtain a coset $\Lambda_b + \chi$ of $\Lambda_b$ and a coset $\Lambda_e + \chi$ of $\Lambda_e$ simultaneously, where $\chi$ is a uniformly distributed shift. This is because we cannot fix the independent frozen bits $F_\ell$ in our scheme (due to the lack of the proof that the shaping-induced channel is symmetric). By using the lattice Gaussian $D_{\Lambda,\sigma_s}$ as our constellation in each lattice dimension, we would obtain $D_{\Lambda^N,\sigma_s}$ without coding. Since $\Lambda_e + \chi \subset \Lambda_b + \chi \subset \Lambda^N$, we actually implemented the lattice Gaussian shaping over both $\Lambda_b + \chi$ and $\Lambda_e + \chi$. To summarize our coding scheme, Alice firstly assigns each message $m \in \mathcal{M}$ to a coset $\tilde\lambda_m \in \Lambda_b/\Lambda_e$, then randomly sends a point in the coset $\Lambda_e + \chi + \lambda_m$ ($\lambda_m$ is the coset leader of $\tilde\lambda_m$) according to the distribution $D_{\Lambda_e+\chi+\lambda_m,\sigma_s}$ via the shaping operation. This scheme is consistent with the theoretical model proposed in [6].

For semantic security, a symmetrized new induced channel from $\tilde M\tilde F$ to $(Z^{[N]}, \tilde M\tilde F \oplus MF)$ was constructed to upper-bound the information leakage. This channel is directly derived from the new induced channel from $MF$ to $Z^{[N]}$. According to Lemma 11, this symmetrized new induced channel is degraded with respect to the symmetric randomness-induced channel from $\tilde M\tilde F$ to $(Z^{[N]}, \tilde X_{1:r}^{[N]} \oplus X_{1:r}^{[N]})$. Moreover, when $\tilde F$ is frozen, the randomness-induced channel from $\tilde M$ to $(Z^{[N]}, \tilde X_{1:r}^{[N]} \oplus X_{1:r}^{[N]})$ corresponds to the $\Lambda_b/\Lambda_e$ channel given in Sect. III (with MMSE scaling).

APPENDIX A
PROOF OF LEMMA 2

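Proof: It is sufficient to show $I(MF; Z^{[N]}) \leq N \cdot 2^{-N^{\beta'}}$ since $I(M; Z^{[N]}) \leq I(MF; Z^{[N]})$. As has been shown in [8], the induced channel $MF \to Z^{[N]}$ is symmetric when $\mathcal{B}$ and $\mathcal{D}$ are fed with random bits $R$. For a symmetric channel, the maximum mutual information is achieved by uniform input distribution. Let $\tilde U^{\mathcal{A}}$ and $\tilde U^{\mathcal{C}}$ denote independent and uniform versions of $M$ and $F$ and $\tilde Z^{[N]}$ be the corresponding channel output. Assuming $i_1 < i_2 < ... < i_{|\mathcal{A}\cup\mathcal{C}|}$ are the indices in $\mathcal{A} \cup \mathcal{C}$,

$$
\begin{aligned}
I(MF; Z^{[N]}) &\leq I(\tilde U^{\mathcal{A}}\tilde U^{\mathcal{C}}; \tilde Z^{[N]}) \\
&= \sum_{j=1}^{|\mathcal{A}\cup\mathcal{C}|} I(\tilde U^{i_j}; \tilde Z^{[N]} \,|\, \tilde U^{i_1}, ..., \tilde U^{i_{j-1}}) \\
&= \sum_{j=1}^{|\mathcal{A}\cup\mathcal{C}|} I(\tilde U^{i_j}; \tilde Z^{[N]}, \tilde U^{i_1}, ..., \tilde U^{i_{j-1}}) \\
&\leq \sum_{j=1}^{|\mathcal{A}\cup\mathcal{C}|} I(\tilde U^{i_j}; \tilde Z^{[N]}, \tilde U^{1:i_j-1}) \\
&= \sum_{j=1}^{|\mathcal{A}\cup\mathcal{C}|} I(\tilde W_N^{(i_j)}) \leq N \cdot 2^{-N^{\beta'}}.
\end{aligned}
$$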

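APPENDIX B
PROOF OF LEMMA 3

Proof: According to the definitions of $\mathcal{G}(\tilde V)$ and $\mathcal{N}(\tilde W)$ presented in (3),

$$\lim_{N\to\infty} \frac{|\mathcal{G}(\tilde V)|}{N} = \lim_{N\to\infty} \frac{1}{N}\big|\{i : \tilde Z(\tilde V_N^{(i)}) \leq 2^{-N^{\beta}}\}\big| = C(\tilde V),$$

$$\lim_{N\to\infty} \frac{|\mathcal{N}(\tilde W)|}{N} = \lim_{N\to\infty} \frac{1}{N}\big|\{i : \tilde Z(\tilde W_N^{(i)}) \geq 1 - 2^{-N^{\beta}}\}\big| = 1 - C(\tilde W).$$

Here we define another two sets $\bar{\mathcal{G}}(\tilde V)$ and $\bar{\mathcal{N}}(\tilde W)$ as

$$\bar{\mathcal{G}}(\tilde V) = \{i : \tilde Z(\tilde V_N^{(i)}) \geq 1 - 2^{-N^{\beta}}\},$$

$$\bar{\mathcal{N}}(\tilde W) = \{i : \tilde Z(\tilde W_N^{(i)}) \leq 2^{-N^{\beta}}\}.$$

Similarly, we have $\lim_{N\to\infty} \frac{|\bar{\mathcal{G}}(\tilde V)|}{N} = 1 - C(\tilde V)$ and $\lim_{N\to\infty} \frac{|\bar{\mathcal{N}}(\tilde W)|}{N} = C(\tilde W)$. Since $\tilde W$ is degraded with respect to $\tilde V$, $\bar{\mathcal{G}}(\tilde V)$ and $\bar{\mathcal{N}}(\tilde W)$ are disjoint with each other, then we have

$$\lim_{N\to\infty} \frac{|\bar{\mathcal{G}}(\tilde V) \cup \bar{\mathcal{N}}(\tilde W)|}{N} = 1 - C(\tilde V) + C(\tilde W).$$

By the property of polarization, the proportion of the unpolarized part is vanishing as $N$ goes to infinity, i.e.,

$$\lim_{N\to\infty} \frac{|\mathcal{G}(\tilde V) \cup \bar{\mathcal{G}}(\tilde V)|}{N} = 1,$$

$$\lim_{N\to\infty} \frac{|\mathcal{N}(\tilde W) \cup \bar{\mathcal{N}}(\tilde W)|}{N} = 1.$$

Finally, we have

$$\lim_{N\to\infty} \frac{|\mathcal{G}(\tilde V) \cap \mathcal{N}(\tilde W)|}{N} = 1 - \lim_{N\to\infty} \frac{|\bar{\mathcal{G}}(\tilde V) \cup \bar{\mathcal{N}}(\tilde W)|}{N} = C(\tilde V) - C(\tilde W).$$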
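The counting argument of this proof can be checked numerically. The following is an added example, not code from the paper: it assumes the main channel and the wiretapper's channel are binary erasure channels (the paper's channels are the symmetrized partition channels), because their Bhattacharyya parameters polarize in closed form; the function names and the erasure probabilities 0.2 and 0.6 are illustrative.

```python
# Added illustration, not code from the paper. Assumption: main channel V and
# wiretapper's channel W are binary erasure channels (W degraded w.r.t. V),
# chosen because their Bhattacharyya parameters polarize in closed form.

def bhattacharyya_bec(eps, n):
    """Z(W_N^(i)) for all N = 2**n subchannels of a polarized BEC(eps).

    Index i has children 2i ('minus', Z -> 2Z - Z^2) and 2i + 1
    ('plus', Z -> Z^2), so both channels share one index order.
    """
    z = [float(eps)]
    for _ in range(n):
        z = [w for v in z for w in (2.0 * v - v * v, v * v)]
    return z


def paper_threshold(n, beta):
    """The threshold 2^(-N^beta) used in the set definitions, N = 2**n."""
    return 2.0 ** -((2 ** n) ** beta)


def lemma3_sets(eps_main, eps_eve, n, delta):
    """Return (G(V), N(W), G-bar(V), N-bar(W)) as sets of subchannel indices."""
    zv = bhattacharyya_bec(eps_main, n)
    zw = bhattacharyya_bec(eps_eve, n)
    idx = range(2 ** n)
    g_v = {i for i in idx if zv[i] <= delta}            # reliable for Bob
    n_w = {i for i in idx if zw[i] >= 1.0 - delta}      # useless for Eve
    gbar_v = {i for i in idx if zv[i] >= 1.0 - delta}   # useless for Bob
    nbar_w = {i for i in idx if zw[i] <= delta}         # reliable for Eve
    return g_v, n_w, gbar_v, nbar_w


def secrecy_fraction(eps_main, eps_eve, n, delta):
    """|G(V) & N(W)| / N, the proportion of indices that can carry message bits."""
    g_v, n_w, _, _ = lemma3_sets(eps_main, eps_eve, n, delta)
    return len(g_v & n_w) / 2 ** n


if __name__ == "__main__":
    eps_b, eps_e, beta = 0.2, 0.6, 0.2          # constructed sample parameters
    print("limit C(V) - C(W) =", round((1 - eps_b) - (1 - eps_e), 3))
    for n in (8, 12, 16, 18):
        delta = paper_threshold(n, beta)
        g_v, n_w, gbar_v, nbar_w = lemma3_sets(eps_b, eps_e, n, delta)
        assert not (gbar_v & nbar_w)            # disjoint, as the proof states
        print(f"N=2^{n:<2} delta={delta:.2e} "
              f"|G&N|/N={len(g_v & n_w) / 2 ** n:.4f} "
              f"unpolarized(V)={1 - (len(g_v) + len(gbar_v)) / 2 ** n:.4f}")
```

At finite block length the message fraction stays below its limit because a non-negligible share of subchannels is still unpolarized; the last printed column shows that share for the main channel shrinking as N grows.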


APPENDIX C
PROOF OF LEMMA 5

Proof: It is sufficient to demonstrate that channel $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ is degraded with respect to $W'(X_\ell; Z|X_{1:\ell-1})$ and $W'(X_\ell; Z|X_{1:\ell-1})$ is degraded with respect to $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ as well. To see this, we firstly construct a middle channel $\hat W$ from $Z \in \mathcal{V}(\Lambda_r)$ to $\bar Z \in \mathcal{V}(\Lambda_\ell)$. For a specific realization $\bar z$ of $\bar Z$, this $\hat W$ maps $\bar z + [\Lambda_\ell/\Lambda_r]$ to $\bar z$ with probability 1, where $[\Lambda_\ell/\Lambda_r]$ represents the set of the coset leaders of the partition $\Lambda_\ell/\Lambda_r$. Then we obtain channel $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ by concatenating $W'(X_\ell; Z|X_{1:\ell-1})$ and $\hat W$, which means $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ is degraded to $W'(X_\ell; Z|X_{1:\ell-1})$. Similarly, we can also construct a middle channel $\check W$ from $\bar Z$ to $Z$. For a specific realization $\bar z$ of $\bar Z$, this $\check W$ maps $\bar z$ to $\bar z + [\Lambda_\ell/\Lambda_r]$ with probability $\frac{1}{|\Lambda_\ell/\Lambda_r|}$, where $|\Lambda_\ell/\Lambda_r|$ is the order of this partition. This means that $W'(X_\ell; Z|X_{1:\ell-1})$ is also degraded to $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$.

By channel degradation and [31, Lemma 1], letting channel $W$ and $W'$ denote $W(\Lambda_{\ell-1}/\Lambda_\ell, \sigma_e^2)$ and $W'(X_\ell; Z|X_{1:\ell-1})$ for short, we have

$$\tilde Z(W_N^{(i)}) \leq \tilde Z(W_N'^{(i)}) \text{ and } \tilde Z(W_N^{(i)}) \geq \tilde Z(W_N'^{(i)}),$$

$$I(W_N^{(i)}) \leq I(W_N'^{(i)}) \text{ and } I(W_N^{(i)}) \geq I(W_N'^{(i)}),$$

meaning that $\tilde Z(W_N^{(i)}) = \tilde Z(W_N'^{(i)})$ and $I(W_N^{(i)}) = I(W_N'^{(i)})$.

REFERENCES

[1] A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975.
[2] I. Csiszár, “Almost independence and secrecy capacity,” Probl. of Inform. Transmission, vol. 32, pp. 48–57, 1996.
[3] S. Leung-Yan-Cheong, “On a special class of wiretap channels,” IEEE Trans. Inf. Theory, vol. 23, no. 5, pp. 625–627, Sep. 1977.
[4] S. Goldwasser and S. Micali, “Probabilistic encryption,” J. Comput. Syst. Sci., vol. 28, no. 2, pp. 270–299, 1984.
[5] M. Bellare, S. Tessaro, and A. Vardy, “Semantic security for the wiretap channel,” in Proc. CRYPTO 2012, ser. Lecture Notes in Computer Science, vol. 7417. Springer-Verlag, 2012, pp. 294–311.
[6] C. Ling, L. Luzzi, J. Belfiore, and D. Stehle, “Semantically secure lattice codes for the Gaussian wiretap channel,” IEEE Trans. Inf. Theory, vol. 60, no. 10, pp. 6399–6416, Oct. 2014.
[7] E. Arıkan, “Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels,” IEEE Trans. Inf. Theory, vol. 55, no. 7, pp. 3051–3073, July 2009.
[8] H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6428–6443, Oct. 2011.
[9] E. Şaşoğlu and A. Vardy, “A new polar coding scheme for strong security on wiretap channels,” in Proc. 2013 IEEE Int. Symp. Inform. Theory, Istanbul, Turkey, July 2013, pp. 1117–1121.
[10] F. Oggier, P. Solé, and J.-C. Belfiore, “Lattice codes for the wiretap Gaussian channel: Construction and analysis,” Mar. 2011. [Online]. Available: http://arxiv.org/abs/1103.4086
[11] A. Ernvall-Hytonen and C. Hollanti, “On the eavesdropper’s correct decision in Gaussian and fading wiretap channels using lattice codes,” in Proc. 2011 IEEE Inform. Theory Workshop, Paraty, Brazil, Oct. 2011, pp. 210–214.
[12] Y. Yan, C. Ling, and X. Wu, “Polar lattices: Where Arıkan meets Forney,” in Proc. 2013 IEEE Int. Symp. Inform. Theory, Istanbul, Turkey, July 2013, pp. 1292–1296.
[13] Y. Yan, L. Liu, C. Ling, and X. Wu, “Construction of capacity-achieving lattice codes: Polar lattices,” Nov. 2014. [Online]. Available: http://arxiv.org/abs/1411.0187
[14] R. Zamir, Lattice Coding for Signals and Networks: A Structured Coding Approach to Quantization, Modulation, and Multiuser Information Theory. Cambridge, UK: Cambridge University Press, 2014.
[15] E. Abbe and A. Barron, “Polar coding schemes for the AWGN channel,” in Proc. 2011 IEEE Int. Symp. Inform. Theory, St. Petersburg, Russia, July 2011.
[16] A. Joseph and A. Barron, “Least squares superposition codes of moderate dictionary size are reliable at rates up to capacity,” IEEE Trans. Inf. Theory, vol. 58, no. 5, pp. 2541–2557, May 2012.
[17] C. Ling, L. Luzzi, and M. Bloch, “Secret key generation from Gaussian sources using lattice hashing,” in Proc. 2013 IEEE Int. Symp. Inform. Theory, Istanbul, Turkey, July 2013, pp. 2621–2625.
[18] M. Hayashi and R. Matsumoto, “Construction of wiretap codes from ordinary channel codes,” in Proc. 2010 IEEE Int. Symp. Inform. Theory, Austin, USA, June 2010, pp. 2538–2542.
[19] M. Cheraghchi, F. Didier, and A. Shokrollahi, “Invertible extractors and wiretap protocols,” IEEE Trans. Inf. Theory, vol. 58, no. 2, pp. 1254–1274, Feb 2012.
[20] H. Tyagi and A. Vardy, “Explicit capacity-achieving coding scheme for the Gaussian wiretap channel,” in Proc. 2014 IEEE Int. Symp. Inform. Theory, Honolulu, USA, June 2014, pp. 956–960.
[21] M. Bloch and J. Laneman, “Strong secrecy from channel resolvability,” IEEE Trans. Inf. Theory, vol. 59, no. 12, pp. 8077–8098, Dec. 2013.
[22] R. A. Chou, M. R. Bloch, and J. Kliewer, “Low-complexity channel resolvability codes for the symmetric multiple-access channel,” in Proc. 2014 IEEE Inform. Theory Workshop, Hobart, Australia, Nov. 2014, pp. 466–470.
[23] B. Nazer and M. Gastpar, “Compute-and-forward: Harnessing interference through structured codes,” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6463–6486, Oct. 2011.
[24] Y. Liang, H. Vincent, and S. Shamai, “Information theoretic security,” in Found. Trends Commun. Inf. Theory. Norwell, MA, USA: Now Publishers, 2009.
[25] G. D. Forney Jr., M. Trott, and S.-Y. Chung, “Sphere-bound-achieving coset codes and multilevel coset codes,” IEEE Trans. Inf. Theory, vol. 46, no. 3, pp. 820–850, May 2000.
[26] J. H. Conway and N. J. A. Sloane, Sphere Packings, Lattices, and Groups. New York: Springer, 1993.
[27] G. Poltyrev, “On coding without restrictions for the AWGN channel,” IEEE Trans. Inf. Theory, vol. 40, pp. 409–417, Mar. 1994.
[28] C. Ling and J. Belfiore, “Achieving AWGN channel capacity with lattice Gaussian coding,” IEEE Trans. Inf. Theory, vol. 60, no. 10, pp. 5918–5929, Oct. 2014.
[29] E. Arıkan and I. Telatar, “On the rate of channel polarization,” in Proc. 2009 IEEE Int. Symp. Inform. Theory. Seoul, South Korea: IEEE, June 2009, pp. 1493–1495.
[30] S. B. Korada, “Polar codes for channel and source coding,” Ph.D. dissertation, Ecole Polytechnique Fédérale de Lausanne, Lausanne, Switzerland, 2009.
[31] I. Tal and A. Vardy, “How to construct polar codes,” IEEE Trans. Inf. Theory, vol. 59, no. 10, pp. 6562–6582, Oct. 2013.
[32] R. Fischer, “The modulo-lattice channel: The key feature in precoding schemes,” Int. J. Electron. Commun. (AEÜ), vol. 59, no. 4, pp. 244–253, June 2005.
[33] Y. Yan, L. Liu, and C. Ling, “Polar lattices for strong secrecy over the mod-Λ Gaussian wiretap channel,” in Proc. 2014 IEEE Int. Symp. Inform. Theory, Honolulu, USA, June 2014, pp. 961–965.
[34] J. Honda and H. Yamamoto, “Polar coding without alphabet extension for asymmetric models,” IEEE Trans. Inf. Theory, vol. 59, no. 12, pp. 7829–7838, Dec. 2013.
[35] R. Mori and T. Tanaka, “Performance of polar codes with the construction using density evolution,” IEEE Commun. Lett., vol. 13, no. 7, pp. 519–521, July 2009.
[36] E. Arıkan, “Source polarization,” in Proc. 2010 IEEE Int. Symp. Inform. Theory, Austin, USA, June 2010, pp. 899–903.