Polar Coding for the Broadcast Channel with Confidential ... - arXiv

Download PDF
Comment
Report 5 Downloads 57 Views
1

Polar Coding for the Broadcast Channel with Confidential Messages and Constrained Randomization arXiv:1411.0281v1 [cs.IT] 2 Nov 2014

R´emi A. Chou, Matthieu R. Bloch

Abstract We develop a low-complexity polar coding scheme for the discrete memoryless broadcast channel with confidential messages under strong secrecy and randomness constraints. Our scheme extends previous work by using an optimal rate of uniform randomness in the stochastic encoder, and avoiding assumptions regarding the symmetry or degraded nature of the channels. The price paid for these extensions is that the encoder and decoders are required to share a secret seed of negligible size and to increase the block length through chaining. We also highlight a close conceptual connection between the proposed polar coding scheme and a random binning proof of the secrecy capacity region.

I. I NTRODUCTION With the renewed interest for information-theoretic security, there have been several attempts to develop low-complexity coding schemes achieving the fundamental secrecy limits of the wiretap channel models. In particular, explicit coding schemes based on low-density parity-check codes [1]–[3], polar codes [4]–[7], and invertible extractors [8], [9] have been successfully developed for special cases of Wyner’s model [10], in which the channels are at least required to be symmetric. The recently introduced chaining techniques for polar codes provide, however, a convenient way to construct explicit low-complexity coding schemes for a variety of information-theoretic channel models [11], [12] without any restrictions on the channels. In this paper, we develop a low-complexity polar coding scheme for the broadcast channel with confidential messages [13]. Rather than view randomness as a free resource, which could be used to R. A. Chou and M. R. Bloch are with the School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332. E-mail : [email protected]; [email protected]. This work was supported in part by the NSF under Award CCF 1320298. Part of this work was submitted to IEEE Information Theory Workshop 2015. November 4, 2014

DRAFT

2

simulate random numbers at arbitrary rate with no cost, we adopt the point of view put forward in [14], [15], in which any randomness used for stochastic encoding must be explicitly accounted for. In particular, our proposed polar coding scheme exploits the optimal rate of randomness identified in [14] and relies on polar codes for channel prefixing. Results closely related to the present work have been independently developped in [16], [17]. However, these works do not consider randomness as a resource and assume that channel prefixing can be performed through other means; in addition [17] only focuses on weak secrecy. When specialized to Wyner’s wiretap model, our scheme also resembles that in [6], but with a number of notable distinctions. Specifically, while no pre-shared secret seed is required in [6], the coding scheme therein relies on a two-layer construction for which no efficient code construction is presently known [6, Section 3.3]. In contrast, our coding scheme requires a pre-shared secret seed, but at the benefit of only using a single layer of polarization. The remaining of the paper is organized as follows. Section II formally introduces the notation and the model under investigation. Section III develops a random binning proof of the results in [14], which serves as a guideline for the design of the polar coding scheme. Section IV describes the proposed polar coding scheme in details, while Section V provides its detailed analysis. Section VI offers some concluding remarks. II. B ROADCAST CHANNEL WITH CONFIDENTIAL MESSAGES AND CONSTRAINED RANDOMIZATION A. Notation We define the integer interval Ja, bK, as the set of integers between bac and dbe. For n ∈ N and N , 2n , h i⊗n we let Gn , 11 01 be the source polarization transform defined in [18]. We note the components of a vector, X 1:N , of size N , with superscripts, i.e., X 1:N , (X 1 , X 2 , . . . , X N ). When the context makes clear that we are dealing with vectors, we write X N in place of X 1:N . We note V(·, ·) and D(·||·) the variational distance and the divergence, respectively, between two distributions. Finally, we note the indicator function 1{ω}, which is equal to 1 if the predicate ω is true and 0 otherwise. B. Channel model and capacity region We consider the problem of secure communication over a discrete memoryless broadcast channel (X , pY Z|X , Y, Z) illustrated in Figure 1. The marginal probabilities pY |X and pZ|X define two Discrete

Memoryless Channels (DMCs) (X , pY |X , Y) and (X , pZ|X , Z), which we refer to as Bob’s channel and Eve’s channel, respectively.

November 4, 2014

DRAFT

3

Bob

Alice

R

O M S

Encoder

YN XN

pY Z|X ZN

O M S R

Decoder

Decoder

= common message

b O c M Sb bb O

Eve

= private message = confidential message = randomness

Fig. 1. Communication over a broadcast channel with confidential messages. O is a common message that must be reconstructed by both Bob and Eve. S is a confidential message that must be reconstructed by Bob and kept secret from Eve. M is a private message that must be reconstructed by Bob, but may neither be secret nor reconstructed by Eve. R represents an additional randomization sequence used at the encoder.

Definition 1. A (2N RO , 2N RM , 2N RS , 2N RR , N ) code CN for the broadcast channel consists of • • • • •

a common message set O , J1, 2N RO K a private message set M , J1, 2N RM K

a confidential message set S , J1, 2N RS K

a randomization sequence set R , J1, 2N RR K

an encoding function f : O × M × S × R → X N , which maps the messages (o, m, s) and the randomness r to a codeword xN



a decoding function g : Y N → O × M × S , which maps each observation of Bob’s channel y N to the messages (ˆ o, m, ˆ sˆ)



a decoding function h : Z N → O, which maps each observation of Eve’s channel z N to the message oˆˆ

For uniformly distributed O, M , S , and R, the performance of a (2N RO , 2N RM , 2N RS , 2N RR , N ) code CN for the broadcast channel is measured in terms of its probability of error   b b M c, S) b 6= (O, M, S) or O b 6= O , Pe (CN ) , P (O,

and its leakage of information about the confidential message to Eve Le (CN ) , I(S; Z N ). November 4, 2014

DRAFT

4

Definition 2. A rate tuple (RO , RM , RS , RR ) is achievable for the broadcast channel if there exists a sequence of (2N RO , 2N RM , 2N RS , 2N RR , N ) codes {CN }N >1 such that lim Pe (CN ) = 0, (reliability condition)

N →∞

lim Le (CN ) = 0.(strong secrecy)

N →∞

The achievable region RBCC is defined as the closure of the set of all achievable rate quadruples. The exact characterization of RBCC was obtained in [14]. Theorem 1 ( [14]). RBCC is the closed convex set consisting of the quadruples (RO , RM , RS , RR ) for which there exist auxiliary random variables (U, V ) such that U − V − X − (Y, Z) and RO 6 min[I(U ; Y ), I(U ; Z)], RO + RM + RS 6 I(V ; Y |U ) + min[I(U ; Y ), I(U ; Z)], RS 6 I(V ; Y |U ) − I(V ; Z|U ), RM + RR > I(X; Z|U ), RR > I(X; Z|V ).

The main contribution of the present work is to develop a polar coding scheme achieving the rates in RBCC .

III. A

BINNING APPROACH TO CODE DESIGN : FROM RANDOM BINNING TO POLAR BINNING

In this section, we argue that our construction of polar codes for the broadcast channel with confidential messages is essentially the constructive counterpart of a random binning proof of the region RBCC . While random coding is often the natural tool to address channel coding problems, random binning is already found in [19] to establish the strong secrecy of the wiretap channel, and is the tool of choice in quantum information theory [20]; there has also been a renewed interest for random binning proofs in multi-user information theory, motivated in part by [21]. In Section III-A, we sketch a random binning proof of the characterization of RBCC established in [14], which may be viewed as a refinement of the analysis in [21] to obtain a more precise characterization of the stochastic encoder. While the results we derive are not new, we use this alternative proof in Section III-B to obtain high-level insight into the construction of polar codes. The main benefit is to clearly highlight the crucial steps of the construction in Section IV and of its analysis in Section V. In particular, the rate conditions developed in the random binning proof of Section III-A directly translate into the definition of the polarization sets in Section III-B. November 4, 2014

DRAFT

5

A. Information-theoretic random binning Information-theoretic random binning proofs rely on the following well-known lemmas. We use the notation δ(N ) to denote an unspecified positive function of N that vanishes as N goes to infinity. Lemma 1 (Source-coding with side information). Consider a Discrete Memoryless Source (DMS) (X × Y, pXY ). For each xN ∈ X N , assign an index Φ(xN ) ∈ J1, 2N R K uniformly at random. If R > H(X|Y ),

then ∃N0 such that ∀N > N0 , there exists a deterministic function gN : J1, 2N R K × Y N → X N :

(Φ(xN ), y N ) 7→ x ˆN such that

EΦ V pX N X N , pX N gN (Y N )



6 δ(N ).

Lemma 2 (Privacy amplification, channel intrinsic randomness, output statistics of random binning). Consider a DMS (X × Z, pXZ ) and let  > 0. For each xN ∈ X N , assign an index Ψ(xN ) ∈ J1, 2N R K uniformly at random. Denote by qM the uniform distribution on J1, 2N R K. If R < H(X|Z), then ∃N0

such that ∀N > N0

EΨ V pΨ(X N )Z N , qM pZ N



6 δ(N ).

One may obtain more explicit results regarding the convergence to zero in Lemma 1 and Lemma 2, but we ignore this for brevity. The principle of a random binning proof of Theorem 1 is to consider a DMS (U × V × X × Y × Z, pU V XY Z ) such that U − V − X − Y Z , and to assign two types of indices to source sequences by

random binning. The first type identifies subset of sequences that play the roles of codebooks, while the second type labels sequences with indices that can be thought of as messages. As explained in the next paragraphs, the crux of the proof is to show that the binning can be “inverted,” so that the sources may be generated from independent choices of uniform codebooks and messages. Common message encoding. We introduces two indices ψ U ∈ J1, 2N ρU K and o ∈ J1, 2N RO K by random binning on uN such that: •

ρU > max (H(U |Y ) , H(U |Z)), so that Lemma 1 ensures that the knowledge of ψ U allows Bob

and Eve to reconstruct the sequence uN with high probability knowing y N or z N , respectively; •

ρU + RO < H(U ), so that Lemma 2 ensures that the indices ψ U and o are almost uniformly

distributed and independent of each other. The binning scheme induces a joint distribution pU N ΨU O . To convert the binning scheme into a channel coding scheme, Alice operates as follows. Upon sampling indices ψ˜U ∈ J1, 2N ρU K and o˜ ∈ J1, 2N RO K November 4, 2014

DRAFT

6

from independent uniform distributions, Alice stochastically encodes them into a sequence u ˜N drawn according to pU N |ΨU O (˜ uN |ψ˜U , o˜). The choice of rates above guarantees that the joint distribution pU˜ N Ψ˜ U O˜

approximates the distribution pU N ΨU O in variational distance, so that disclosing ψ˜U allows Bob and Eve to decode the sequence u ˜N . Secret and private message encoding. Following the same approach, we introduce three indices ψ V |U ∈

J1, 2N ρV |U K, s ∈ J1, 2N RS K, and m ∈ J1, 2N RM K by random binning on v N such that •

ρV |U > H(V |U Y ), to ensure that knowing ψ V |U and uN , Bob may reconstruct the sequence xN ;



ρV |U + RS + RM < H(V |U Z), to ensure that the indices are almost uniformly distributed and

independent of each other, as well as of the source sequences U N and Z N . The binning scheme induces a joint distribution pV N U N ΨV |U SM . To obtain a channel coding scheme, Alice encodes the realizations of independent and uniformly distributed indices ψ˜V |U ∈ J1, 2N ρV |U K, s˜ ∈

J1, 2N RS K, m ˜ ∈ J1, 2N RM K, and the sequence u ˜N , into a sequence v˜N drawn according to the distribution

pV N |U N ΨV |U SM (˜ v N |˜ uN , ψ˜V |U , s˜, m) ˜ . The resulting joint distribution is again a close approximation of pV N U N ΨV |U SM , so that the scheme inherits the reliability and secrecy properties of the random binning

scheme upon disclosing ψ˜V |U . Channel prefixing. Finally, we introduce the indices ψ X|V ∈ J1, 2N ρV |X K and r ∈ J1, 2N RR K by random

binning on xN such that •

ρX|V < H(X|V ) to ensure that ψ X|V is independent of the source sequences X N and Z N ;



ρX|V + RR < H(X|V ) to ensure that the indices are almost uniformly distributed and independent

of each other, as well as of the source sequences V N . The binning scheme induces a joint distribution pX N V N U N ΨX|V R . To obtain a channel prefixing scheme, Alice encodes the realizations of uniformly distributed indices ψ˜X|V and r˜, and the previously obtained v˜N into a sequence x ˜N drawn according to pX N |V N ΨX|V R (˜ xN |˜ v N ψ˜X|V r˜). The resulting joint distribution

induced is once again a close approximation of pX N V N U N ΨX|V R . Chaining to de-randomize the codebooks. The downside of the schemes described earlier is that they require sharing the indices ψ˜U , ψ˜V |U , and ψ˜X|V , identifying the codebooks between Alice, Bob, and Eve; however, the rate cost may be amortized by reusing the same indices over sequences of k blocks. Specifically, the union bound shows that the average error probability over k blocks is at most k times that of an individual block, and a hybrid argument shows that the information leakage over k blocks is at most k times that of an individual block. Consequently, for k and N large enough, the impact on the transmission rates is negligible. November 4, 2014

DRAFT

7

Total amount of randomness. The total amount of randomness required for encoding includes not only the explicit random numbers used for channel prefixing but also all the randomness required in the stochastic encoding to approximate the source distribution. One can show that the rate randomness specifically used in the stochastic encoding is negligible; we omit the proof of this result for random binning, but this is analyzed precisely for polar codes in Section V. By combining all the rate constraints above and perform Fourier-Motzkin elimination, one recovers the rates in Theorem 1.

B. Binning with polar codes The main observation to translate the analysis of Section III-A into a polar coding scheme is that Lemma 1 and Lemma 2 have the following counterparts in terms of source polarization. Lemma 3 (adapted from [18]). Consider a DMS (X × Y, pXY ). For each x1:N ∈ FN 2 polarized as

u1:N = Gn x1:N , let u1:N [HX|Y ] denote the high entropy bits of u1:N in positions HX|Y , {i ∈ J1, nK :  β ˜1:N from the H U i |U 1:i−1 Y N > δN } and δN , 2−N with β ∈]0, 21 [. For every i ∈ J1, N K, sample u

distribution

   1 u ˜i = ui if i ∈ HY |X i 1:i−1 p˜U i |U 1:i−1 (˜ u |˜ u ),  p i 1:i−1 N (˜ ui |˜ u1:i−1 y N ) if i ∈ HYc |X . U |U Y

and create x ˜1:N = u ˜1:N Gn . Then,

and limN →∞ HX|Y = H(X|Y ).

 V pX 1:N X 1:N , pX 1:N X˜ N 6 δN ,

In other words, the high entropy bits in positions HX|Y play the same role as the random binning

index in Lemma 1. However, note that the construction of x ˜1:N in Lemma 3 is explicitly stochastic. Lemma 4 (adapted from [22]). Consider a DMS (X × Z, pXZ ). For each x1:N ∈ FN 2 polarized as u1:N = Gn x1:N , let u1:N [VX|Z ] denote the very high entropy bits of u1:N in positions VX|Z , {i ∈  β J1, nK : H U i |U 1:i−1 Z 1:N > 1 − δN } and δN , 2−N with β ∈]0, 12 [. Denote by qU 1:N [VX|Z ] the uniform

distribution of bits in positions VX|Z . Then,

 V pU 1:N [VX|Z ]Z 1:N , qU 1:N [VX|Z ] pZ 1:N 6 δN

and limN →∞ VX|Z = H(X|Z) by [22, Lemma 1]. November 4, 2014

DRAFT

8

The very high entropy bits in positions VX|Z therefore play the same role as the random binning index in Lemma 2. This suggests that any result obtained from random binning could also be derived using source polarization as a linear and low-complexity alternative; intuitively, information theoretic constraints resulting from Lemma 1 translate into the use of “high entropy” sets H, while those resulting from Lemma 2 translate into the use of “very high entropy” sets V . However, unlike the indices resulting from random binning, the high entropy and very high entropy sets may not necessarily be aligned, and the precise design of a polar coding scheme requires more care. In the remainder of the paper, we consider a DMS (U × V × X × Y × Z, pU V XY Z ) such that U − V − X − Y Z , I(V ; Y |U ) − I(V ; Z|U ) > 0, and |X |= |U|= |V|= 2. The extension to larger alphabets

is obtained following ideas in [23]. We also assume without loss of generality I(U ; Y ) 6 I(U ; Z), the case I(U ; Y ) > I(U ; Z) is treated similarly.

Common message encoding. Define the polar transform of U 1:N , as A1:N , U 1:N Gn and the associated sets  HU , i ∈ J1, N K : H(Ai |A1:i−1 ) > δN ,  VU , i ∈ J1, N K : H(Ai |A1:i−1 ) > 1 − δN ,  HU |Y , i ∈ J1, N K : H(Ai |A1:i−1 Y 1:N ) > δN ,  HU |Z , i ∈ J1, N K : H(Ai |A1:i−1 Z 1:N ) > δN .

(1) (2) (3) (4)

If we could guarantee that HU |Z ⊆ HU |Y ⊆ VU , then we could directly mimic the information-theoretic random binning proof. We would use random bits in positions HU |Z to identify the code, random bits in positions VU \ HU |Z for the message, successive cancellation encoding to compute the bits in positions VUc and approximate the source distribution, and chaining to amortize the rate cost of the bits in positions HU |Z . Unfortunately, the inclusion HU |Y ⊆ HU |Z is not true in general, and one must also use chaining

as in [11] to “realign” the sets of indices. Furthermore, only the inclusions HU |Z ⊆ HU and HU |Y ⊆ HU are true in general, so that the bits in positions HU |Z ∩ VUc and HU |Y ∩ VUc must be transmitted separately. The precise coding scheme is detailed in Section IV-A. Secret and private messages encoding. Define the polar transform of V 1:N as B 1:N , V 1:N Gn and the associated sets  VV |U , i ∈ J1, N K : H(B i |B 1:i−1 U 1:N ) > 1 − δN ,  VV |U Z , i ∈ J1, N K : H(B i |B 1:i−1 U 1:N Z 1:N ) > 1 − δN , November 4, 2014

(5) (6) DRAFT

9

 HV |U Y , i ∈ J1, N K : H(B i |B 1:i−1 U 1:N Y 1:N ) > δN ,  VV |U Y , i ∈ J1, N K : H(B i |B 1:i−1 U 1:N Y 1:N ) > 1 − δN ,

MU V Z , VV |U \VV |U Z .

(7) (8) (9)

If the inclusion HV |U Y ⊆ VV |U Z were true, then we would place random bits identifying the codebook in positions HV |U Y , random bits describing the secret message in positions VV |U Z \ HV |U Y , random bits describing the private message in positions VV |U \ VV |U Z , use successive cancellation encoding to compute the bits in positions VVc |U and approximate the source distribution, and use chaining to amortize the rate cost of the bits in positions HV |U Y . This is unfortunately again not directly possible in general, and one needs to exploit chaining to realign the indices, and transmit the bits in positions HV |U Y ∩ VVc |U separately and secretly to Bob. The precise coding scheme is detailed in Section IV-B. Channel prefixing. Finally, define the polar transform of X 1:N as T 1:N , X 1:N Gn and the associated sets  VX|V , i ∈ J1, N K : H(T i |T 1:i−1 V 1:N ) > 1 − δN ,  VX|V Z , i ∈ J1, N K : H(T i |T 1:i−1 V 1:N Z 1:N ) > 1 − δN .

(10) (11)

One performs channel prefixing by placing random bits identifying the code in positions VX|V Z , random bits describing the randomization sequence in positions VX|V \ VX|V Z , and using successive cancellation c encoding to compute the bits in positions VX|V and approximate the source distribution. Chaining is

finally used to amortize the cost of randomness for describing the code. The precise coding scheme is detailed in Section IV-C. IV. P OLAR CODING SCHEME In this section, we describe the details of the polar coding scheme resulting from the discussion of the previous section. Recall that the joint probability distribution pU V XY Z of the original source is fixed and defined as in Section III-B. As alluded to earlier, we perform the encoding over k blocks of size N . We use the subscript i ∈ J1, kK to denote random variables associated to encoding Block i. The

chaining constructions corresponding to the encoding of the common, secret, and private messages, and randomization sequence, are described in Section IV-A, Section IV-B, and Section IV-C, respectively. Although each chaining is described independently, all messages should be encoded in every block before moving to the next. Specifically, in every block i ∈ J1, k − 1K, Alice successively encodes the common

message, the secret and private messages, and performs channel prefixing, before she moves to the next block i + 1. November 4, 2014

DRAFT

10 e1:N A 2

A U Y Z ⇢ IU Z contains information bits from the previous block

A U Y Z ⇢ IU Z contains information bits from the previous block

IU Y contains common contains message O1k

IU Y contains common contains message O2k

IU Y contains contains message Ok common

O1,2 ,

VU \(AU Y Z [ IU Y ) contains randomness

e1:N A 1 [IU Y \IU Z ]

U

contains randomness from Block 1

VUc contains almost deterministic bits

VUc contains almost deterministic bits

Ok

A U Y Z ⇢ IU Z contains information bits from the previous block IU Y \ I U Z contains common message Ok 1

2,2

,

VU \(AU Y Z [ IU Y )

¯U e1:N G 2 , A2 [(HU |Y [ HU |Z )\VU ] 2

¯U e1:N G 1 , A1 [(HU |Y [ HU |Z )\VU ] 1

e1:N R11 , A 1 [VU \IU Y ]

{

{

{ A U Y Z ⇢ IU Z contains randomness

e1:N A k

e1:N A k 1

{

e1:N A 1

e1:N A k 2 [IU Y \IU Z ]

VU \(AU Y Z [ IU Y ) contains randomness from Block 1

Ok

1,2

, VU \(AU Y Z [ (IU Y \ IU Z )) e1:N A k 1 [IU Y \IU Z ] contains randomness from Block 1

VUc contains almost deterministic bits ¯U e1:N G kk 11, Ak 1 [(HU |Y [ HU |Z )\VU ]

VUc contains almost deterministic bits ¯ kU, A e1:N G k [(HU |Y [ HU |Z )\VU ] k

Negligible rate of information transmitted to Bob and Eve

Fig. 2.

e1:N Chaining for the encoding of the A ’s, which corresponds to the encoding of the common messages. i

A. Common message encoding In addition to the polarization sets defined in (1)-(4) we also define IU Y , VU \HU |Y , IU Z , VU \HU |Z , AU Y Z , any subset of IU Z \IU Y with size |IU Y \IU Z |.

Note that AU Y Z exists since we have assumed I(U ; Y ) 6 I(U ; Z). In fact, |IU Z \IU Y |−|IU Y \IU Z |= |IU Z |−|IU Y |> 0.

The encoding procedure with chaining is summarized in Figure 2. e 1:N as follows. Let O1 be a vector of |IU Y | uniformly distributed In Block 1, the encoder forms U 1

information bits that represents the common message to be reconstructed by Bob and Eve. Upon observing a realization o1 , the encoder samples e a1:N from the distribution peA1:N 1 1  n o    if 1 aj1 = oj1    peAj1 |A11:j−1 (aj1 |a11:j−1 ) , 1/2 if      pAj |A1:j−1 (aj |a1:j−1 ) if 1 1 November 4, 2014

defined as j ∈ IU Y j ∈ VU \IU Y ,

(12)

j ∈ VUc

DRAFT

11

where the components of o1 have been indexed by the set of indices IU Y for convenience, so that

e1:N [IU Y ]. The random bits that identify the codebook and that are required to reconstruct A e1:N O1 , A 1 1

e1:N [HU |Z ] for Eve and A e1:N [HU |Y ] for Bob. Moreover, we note are A 1 1

e1:N e1:N ΨU 1 , A1 [VU \IU Y ] = A1 [VU ∩ HU |Y ], c e1:N ΦU 1 , A1 [(HU |Y ∪ HU |Z ) ∩ VU ].

U Both ΨU 1 and Φ1 are publicly transmitted to both Bob and Eve. Note that, unlike in the random binning U proof, the use of polarization forces us to distinguish the part ΨU 1 that is nearly uniform from the part Φ1

that is not. We show later that the rate cost of this additional transmission is negligible. We also write e1:N [IU Y ∩ IU Z ] and O1,2 , A e1:N [IU Y \IU Z ]. We will retransmit O1,2 O1 , [O1,1 , O1,2 ], where O1,1 , A 1 1 e 1:N , A e1:N Gn . in the next block following the same strategy as in [11]. Finally, we compute U 1 1

e1:N as follows. Let Oi be a vector of |IU Y | uniformly disIn Block i ∈ J2, k − 1K, the encoder forms A 1

tributed information bits representing the common message in that block. Upon observing the realizations oi and oi−1 , the encoder draws e a1:N from the distribution peA1:N defined as follows. i i  n o j j   1 a = o if j ∈ IU Y  i i    n o   1 aj = oj if j ∈ AU Y Z i i−1,2 j 1:j−1 peAji |Ai1:j−1 (ai |ai ), , o n  j U j   if j ∈ VU \(IU Y ∪ AU Y Z ) 1 ai = (ψ1 )      p j 1:j−1 (aj |a1:j−1 ) if j ∈ V c A |A U i i

(13)

where the components of oi , oi−1,2 , and ψ1U , have been indexed by the set of indices IU Y , AU Y Z , and VU \(IU Y ∪ AU Y Z ), respectively. Consequently, note that

e1:N e1:N Oi = A i [IU Y ] and Oi−1,2 = Ai [AU Y Z ].

e1:N are A e1:N [HU |Y ] The random bits that identify the codebook and that are required to reconstruct A i i e1:N [HU |Z ] for Eve. Parts of these bits depend on messages in previous blocks. For the for Bob and A i

others, we define

e1:N ΨU i , Ai [VU \(IU Y ∪ AU Y Z )],

e1:N ΦU i , Ai [(HU |Y ∪ HU |Z )\VU ].

U U Note that the bits in ΨU i are reusing the bits in Ψ1 ; however, it is necessary to make the bits Φi available

to both Bob and Eve, to enable the reconstruction of Oi . We show later that this entails a negligible rate

November 4, 2014

DRAFT

12

e1:N [IU Y ∩ IU Z ] and Oi,2 , A e1:N [IU Y \IU Z ], cost. Finally, we write Oi , [Oi,1 , Oi,2 ], where Oi,1 , A i i e 1:N , A e1:N Gn . and we retransmit Oi,2 in the next block, We finally compute U i i

e1:N in Block k , as follows. Let Ok be a vector of |IU Y ∩ IU Z | uniformly Finally, the encoder forms A k

distributed bits representing the common message in that block. Given realizations ok and ok−1 , the encoder samples e a1:N from the distribution peA1:N defined k k  n o j j   1 a = o  k k    n o   j j 1 a = o k k−1,2 peAjk |A1:j−1 (ajk |a1:j−1 ), n o k k  j   1 ak = (ψ1U )j      p j 1:j−1 (aj |a1:j−1 ) A |A k k

as follows. if j ∈ IU Y ∩ IU Z if j ∈ AU Y Z

,

(14)

if j ∈ VU \(AU Y Z ∪ (IU Y ∩ IU Z )) if j ∈ VUc

where the components of ok , ok−1,2 , and ψ1U have been indexed by the set of indices IU Y ∩ IU Z , AU Y Z , and VU \(AU Y Z ∪ (IU Y ∩ IU Z )), respectively. Consequently, e1:N [IU Y ∩ IU Z ], Ok−1,2 = A e1:N [AU Y Z ]. Ok = A k k

e1:N are A e1:N [HU |Y ] The random bits that identify the codebook and that are required to reconstruct A k k

e1:N [HU |Z ] for Eve. Parts of these bits depend on messages in previous blocks. For the for Bob and A k

others, we define

e1:N ΨU k , Ak [VU \(AU Y Z ∪ (IU Y ∩ IU Z ))], e1:N ΦU k , Ak [(HU |Y ∪ HU |Z )\VU ],

U U and note that ΨU k merely reuses the bits of Ψ1 . Φk is made available to both Bob and Eve to help them

reconstruct Ok , but this incurs a negligible rate cost. U The public transmission of (ΨU 1 , Φ1:k ) to perform the reconstruction of the common message is taken

into account in the secrecy analysis in Section V.

B. Secret and private message encoding In addition to the polarization set defined in (5)-(9), we also define BV |U Y , a fixed subset of VV |U Z with size |VV |U Y ∪ ((HV |U Y \VV |U Y ) ∩ VV |U ))| MU V Z , VV |U \VV |U Z .

The encoding procedure with chaining is summarized in Fig. 3.

November 4, 2014

DRAFT

13

e11:N B

{

{

{ contains confidential message SS12

VV |U Z \BV |U Y

contains confidential message SSk2

BV |U Y

V |U 1

e11:N [HV |U Y ] B

MU V Z

contains private message M2

non-uniform bits

V |U 1

VVc |U

contains almost deterministic bits

contains almost all the side information that allows ek1:N1 Bob to reconstruct B

uniform bits

uniform bits

e21:N [HV |U Y ] B non-uniform bits

V |U 2

VVc |U

BV |U Y

V |U k 1

V |U 2

contains almost all the side information that allows e11:N Bob to reconstruct B

uniform bits

contains private message M21

VV |U Z \BV |U Y

contains confidential message S2

VV |U Z

MU V Z

ek1:N B

e21:N B

non-uniform bits

V |U k 1

contains private message M2k

VVc |U

contains almost deterministic bits

contains almost deterministic bits

ek1:N [HV |U Y ] B

Negligible rate of information secretly transmitted to Bob

Fig. 3.

MU V Z

ei1:N ’s, which corresponds to the encoding of the private and confidential messages. Chaining for the encoding of the B

In Block 1, the encoder forms Ve11:N as follows. Let S1 be a vector of |VV |U Z | uniformly distributed bits

representing the secret message and let M1 be a vector of |MU V Z | uniformly distributed bits representing

the private message to be reconstructed by Bob. Given a confidential message s1 , a private message m1 , and u e1:N resulting from the encoding of the common message, the encoder samples eb1:N from the 1 1

distribution peB11:N defined as follows.

 n o  j j   1 b = s  1 1   n o j 1:j−1 1:N peB1j |B11:j−1 U11:N (b1 |b1 u e1 ) , 1 bj1 = mj1      pB j |B 1:j−1 U 1:N (bj |b1:j−1 u e1:N 1 ) 1 1

if j ∈ VV |U Z if j ∈ MU V Z ,

(15)

if j ∈ VVc |U

where the components of s1 and m1 have been indexed by the set of indices VV |U Z and MU V Z , e 1:N [VV |U Z ] and M1 = B e 1:N [MU V Z ]. The random bits that respectively. Consequently, note that S1 = B 1 1

identify the codebook required for reconstruction are those in positions HV |U Y , which we split as V |U

Ψ1

V |U

Φ1 V |U

Note that Ψ1

e11:N [VV |U Y ∪ ((HV |U Y \VV |U Y ) ∩ VV |U ))], ,B

e11:N [(HV |U Y \VV |U Y ) ∩ V c ]. ,B V |U V |U

is uniformly distributed but Φ1

block but we cannot reuse

V |U Φ1 .

V |U

is not. Consequently, we may reuse Ψ1

We instead share

V |U Φ1

in the next

secretly between Alice and Bob and we show

e 1:N Gn . later that this may be accomplished with negligible rate cost. Finally, define Ve11:N , B 1 November 4, 2014

DRAFT

14

In Block i ∈ J2, kK, the encoder forms Vei1:N as follows. Let Si be a vector of |VV |U Z \BV |U Y | uniformly

distributed bits and Mi be a vector of |MU V Z | uniformly distributed bits that represent the secret and V |U

private message in block i, respectively. Given a private message mi , a confidential message si , ψi−1 , and u e1:N resulting from the encoding of the common message, the encoder draws eb1:N from the distribution i i peBi1:N defined as follows.

 n o  j j   1 b = s  i  i      V |U j j  1 bi = ψi−1 e1:N ) , peBij |Bi1:j−1 Ui1:N (bji |bi1:j−1 u i n o  j j   1 b = m  i i      pB j |B 1:j−1 U 1:N (bj |b1:j−1 u e1:N i ) 1 1

if j ∈ VV |U Z \BV |U Y if j ∈ BV |U Y

,

(16)

if j ∈ MU V Z if j ∈ VVc |U

V |U

where the components of si , ψi−1 , and mi have been indexed by the set of indices VV |U Z \BV |U Y ,

e 1:N [VV |U Z \BV |U Y ], ΨV |U = B e 1:N [BV |U Y ], and Mi = BV |U Y , and MU V Z respectively, so that Si = B i i i−1

e 1:N [MU V Z ]. The random bits that identify the codebook required for reconstruction are those in B i positions HU |V Y , which we split as V |U

Ψi

V |U

Φi V |U

Again, Ψi

V |U

share Φi

ei1:N [VV |U Y ∪ ((HV |U Y \VV |U Y ) ∩ VV |U ))], ,B

ei1:N [(HV |U Y \VV |U Y ) ∩ V c ]. ,B V |U V |U

is uniformly distributed but Φi

V |U

is not, so that we reuse Ψi

in the next block but we V |U

securely between Alice and Bob. We show later that the cost of sharing Φi V |U

In Block k , Alice securely shares (Ψk

is negligible.

V |U e 1:N Gn . , Φ1:k ) with Bob. Finally, define Vei1:N , B i

C. Channel prefixing The channel prefixing procedure with chaining is illustrated in Fig. 4. e 1:N as follows. Let R1 be a vector of |VX|V \VX|V Z | uniformly disIn Block 1, the encoder forms X 1

tributed bits representing the randomness required for channel prefixing. Given a randomization sequence

r1 and ve11:N resulting from the encoding of secret and private messages, the encoder draws e t1:N from 1

the distribution peT11:N defined as follows.     1/2    n o 1:N j j v e ) , peT1j |T11:j−1 V11:N (tj1 |t1:j−1 1 t = r 1 1 1 1      pT j |T 1:j−1 V 1:N (tj |t1:j−1 ve11:N ) 1 1 November 4, 2014

if j ∈ VX|V Z if j ∈ VX|V \VX|V Z ,

(17)

c if j ∈ VX|V

DRAFT

IZU \IY U 15

contains randomness

Te11:N [VX|V Z ]

contains randomness from previous block

VX|V Z

Tek1:N1 [VX|V Z ]

contains randomness from previous block

VX|V \VX|V Z

VX|V \VX|V Z

VX|V \VX|V Z

c VX|V

c VX|V

c VX|V

contains randomness

contains almost deterministic bits

Fig. 4.

VX|V Z

Tek1:N

{

VX|V Z

Te21:N

{

{

Te11:N

contains randomness

contains randomness

contains almost deterministic bits

contains almost deterministic bits

Chaining for the encoding of the Tei1:N ’s, which corresponds to channel prefixing.

where the components of r1 have been indexed by the set of indices VX|V \VX|V Z , so that R1 =

Tei1:N [VX|V \VX|V Z ]. The random bits that identify the codebook are those in position VX|V Z , which

we denote

X|V

Ψ1

, Te11:N [VX|V Z ].

e 1:N , Te1:N Gn , which is transmitted over the channel WY Z|X . We note Y 1:N , Z 1:N Finally, compute X 1 1 1 1

the corresponding channel outputs.

e 1:N as follows. Let Ri be a vector of |VX|V \VX|V Z | uniIn Block i ∈ J2, kK, the encoder forms X i

formly distributed bits representing the randomness required for channel prefixing in block i. Given a

randomization sequence ri and vei1:N resulting from the encoding of secret and private messages, the encoder draws e t1:N from the distribution peTi1:N defined as follows. i  n o   1 tji = e tji−1    n o j 1:j−1 1:N peTij |Ti1:j−1 Vi1:N (ti |ti vei ) , 1 tji = rij      pT j |T 1:j−1 V 1:N (tj |t1:j−1 ve1:N ) i i i

if j ∈ VX|V Z if j ∈ VX|V \VX|V Z ,

(18)

c if j ∈ VX|V

where the components of ri have been indexed by the set of indices VX|V \VX|V Z , so that Ri =

X|V Tei1:N [VX|V \VX|V Z ]. Note that the random bits describing the codebook are Ψi , Tei1:N [VX|V Z ],

e 1:N , Te1:N Gn and transmit it over the channel and are reused from the previous block. Finally, define X i i WY Z|X . We note Yi1:N , Zi1:N the corresponding channel outputs.

November 4, 2014

DRAFT

16

D. Decoding The decoding procedure is as follows. b1:N of A e1:N as follows. Reconstruction of the common message by Bob. Bob forms the estimate A 1:k 1:k

U e1:N In Block 1, Bob knows (ΨU 1 , Φ1 ), which contains all the bits A1 [HU |Y ] by construction. Bob runs

the successive cancellation decoder for source coding with side information of [18] using Y11:N and e1:N [HU |Y ]. In Block i ∈ J2, kK, Bob estimates A e1:N [HU |Y ] with (ΨU , A b1:N [IU Y \IU Z ], ΦU ), and uses A 1 1 i i−1 i

this estimate along with Yi1:N to run the successive cancellation decoder for source coding with side

information. bb1:N e1:N Reconstruction of the common message by Eve. Eve forms the estimate A 1:k of A1:k starting from

U Block k and going backwards as follows. In Block k , Eve knows (ΨU k , Φk ), which contains all the

e1:N [HU |Z ] by construction. Eve runs the successive cancellation decoder for source coding bits in A k

e1:N [HU |Z ]. For i ∈ J1, k − 1K, Eve estimates A e1:N [HU |Z ] with with side information using Zk1:N and A k k−i bb1:N U U 1:N (Ψ1 , Ak−i+1 [AU Y Z ], Φk−i ), and uses this estimate along with Zk−i to run the successive cancellation

decoder for source coding with side information.

b 1:N of B e 1:N Reconstruction of the private and confidential messages by Bob. Bob forms the estimate B 1:k 1:k V |U

as follows starting with Block k . In Block k , given (Ψk

V |U

, Φk

b 1:N ), Bob estimates B e 1:N with , Yk1:N , U k k

e 1:N , an estimate the successive cancellation decoder for source coding with side information. From B k

b V |U , B b 1:N [VV |U Y ] of ΨV |U is formed. For i ∈ J1, k − 1K, given (Ψ b V |U , ΦV |U , Y 1:N , U b 1:N ), Bob Ψ k k−i k−i k−1 k−1 k−i k−i

e 1:N with the successive cancellation decoder for source coding with side information. From estimates B k−i

e 1:N , an estimate of ΨV |U is formed. Once all the estimates B b 1:N have been formed, Bob extracts the B k−i 1:k k−i−1 c1:k of S1:k and M1:k , respectively. estimates Sb1:k and M

V. A NALYSIS OF P OLAR CODING SCHEME

We now analyze in details the characteristics and performances of the polar coding scheme described in Section IV. Specifically, we show the following. Theorem 2. Consider a discrete memoryless broadcast channel (X , pY Z|X , Y, Z). The coding scheme of Section III, whose complexity is O(N log N ) achieves the region RBCC . The result of Theorem 2, follows in four steps. First, we show that the polar coding scheme of Section IV approximates the statistics of the original DMS (U × V × X × Y × Z, pU V XY Z ) from which the polarization sets were defined. Second, we show that the various messages rates are indeed those in

November 4, 2014

DRAFT

17

RBCC . Third, we show that the probability of decoding error vanishes with the block length. Finally, we

show that the information leakage vanishes with the block length.

A. Approximation of original DMS statistics e1:N , B e 1:N , Ve 1:N , and X e 1:N , generated in block i ∈ J1, kK do not have the Recall that the vectors A i i i i

exact joint distribution of the vectors A1:N , B 1:N , V 1:N , and X 1:N , induced by the source polarization of the original DMS (U × V × X × Y × Z, pU V XY Z ). However, the following lemmas show that the joint distributions are close to one another, which is crucial for the subsequent reliability and secrecy analysis. Lemma 5. For i ∈ J1, kK, we have D(pU 1:N , peUi1:N ) = D(pA1:N , peA1:N ) 6 N δN . i

Hence, by Pinsker’s inequality

(U )

(U )

where δN ,



V(pA1:N , peA1:N ) 6 δN , i

√ 2 log 2 N δN .

Proof: See Appendix A. Lemma 6. For i ∈ J1, kK, we have D(pV 1:N U 1:N ||peVi1:N Ui1:N ) = D(pB 1:N U 1:N ||peBi1:N Ui1:N ) 6 2N δN .

Hence, by Pinsker’s inequality

(U V )

(U V )

where δN

V(pB 1:N U 1:N , peBi1:N Ui1:N ) 6 δN

√ √ , 2 log 2 N δN .

,

Proof: See Appendix B. Lemma 7. For i ∈ J1, kK, we have D(pX 1:N V 1:N ||peXi1:N Vi1:N ) = D(pT 1:N V 1:N ||peTi1:N Vi1:N ) 6 3N δN .

Hence, by Pinsker’s inequality

(XV )

(XV )

where δN

,

November 4, 2014



√ 2 log 2 3N δN .

V(pX 1:N V 1:N , peXi1:N Vi1:N ) 6 δN

,

DRAFT

18

Proof: See Appendix C. Combining the three previous lemmas, we obtain the following. Lemma 8. For i ∈ J1, kK, we have (P )

(P )

where δN ,



V(pU 1:N V 1:N X 1:N Y 1:N Z 1:N , peUi1:N Vi1:N Xi1:N Yi1:N Zi1:N ) 6 δN .

√ √ √ 2 log 2 N δN (2 2 + 3).

Proof: See Appendix D. As noted in [24], upper-bounding the divergence with a chain rule is easier than directly upper-bounding the variational distance as in [25], [26]. B. Transmission rates We now analyze the rate of common message, confidential message, private message, and randomization sequence, used at the encoder, as well as the different sum rates and the rate of additional information sent to Bob and Eve. Common message rate. The overall rate RO of common information bits transmitted satisfies (k − 1)|IU Y |+|IU Y ∩ IU Z | kN |IU Y | |IU Y \IU Z | = − N kN |IU Y | |IU Y | − > N kN I(Y ; U ) N →∞ −−−−→ I(Y ; U ) − k

RO =

k→∞

−−−→ I(Y ; U ),

where we have used [18]. Since we also have RO 6

|IU Y | N →∞ −−−→ N −

I(Y ; U ), we conclude

N →∞,k→∞

RO −−−−−−−−→ I(Y ; U ).

Confidential message rate. First, observe that V |U

|Ψ1

| = |VV |U Y ∪ ((HV |U Y \VV |U Y ) ∩ VV |U ))|

6 |VV |U Y |+|HV |U Y \VV |U Y | = |VV |U Y |+|HV |U Y |−|VV |U Y |

6 |HV |U Y |, November 4, 2014

DRAFT

19 V |U

and |Ψ1

|> |VV |U Y |. Hence, since limN →∞ |VV |U Y |/N = H(V |U Y ) by [22, Lemma 1] and

limN →∞ |HV |U Y |/N = H(V |U Y ) by [18], we have V |U

|Ψ1 | lim = H(V |U Y ). N →∞ N

Then, the overall rate RS of secret information bits transmitted is RS =

|VV |U Z |+(k − 1)|VV |U Z \BV |U Y | kN |VV |U Z |+(k − 1)(|VV |U Z |−|BV |U Y |) = kN |VV |U Z |−|BV |U Y | |BV |U Y | = + N kN V |U

|VV |U Z |−|Ψ1 = N

|

V |U

+

|Ψ1 | kN

N →∞

−−−−→ I(V ; Y |U ) − I(V ; Z|U ) +

H(V |U Y ) k

k→∞

−−−→ I(V ; Y |U ) − I(V ; Z|U ).

Private message rate. The overall rate RM of private information bits transmitted is k|MU V Z | kN |VV |U \VV |U Z | = N |VV |U |−|VV |U Z | = N

RM =

N →∞

−−−−→ I(V ; Z|U ),

where we have used [22, Lemma 1]. Randomization rate. The uniform random bits used in the stochastic encoder includes those of the randomization sequence for channel prefixing, as well as those required to identify the codebooks and run the successive cancellation encoding. Using [22, Lemma 1], we find that the rate required to identify the codebook for the common message is |VU | N →∞ H(U |Y ) k→∞ |VU \IU Y | 6 −−−−→ −−−→ 0. kN kN k

Similarly, the rate required to identify the codebook for the secret and private messages corresponds to

November 4, 2014

DRAFT

20 V |U

the rate of (Ψk

V |U

, Φk

e 1:N , ), which is transmitted to Bob to allow him to reconstruct B 1:k V |U

|(Ψk

V |U

, Φk )| kN e 1:N [HV |U Y ]| |B = k kN N →∞ H(V |U Y ) −−−−→ k k→∞

−−−→ 0,

where we have used [18]. The randomization sequence rate used in channel prefixing is |VX|V |+(k − 1)|VX|V \VX|V Z | kN |VX|V \VX|V Z | |VX|V Z | + = N kN |VX|V |−|VX|V Z | |VX|V Z | = + N kN H(X|V Z) N →∞ −−−−→ I(X; Z|V ) + , k k→∞

−−−→ I(X; Z|V ),

where we have used [22, Lemma 1]. We now show that the rate of uniform bits required for successive cancellation encoding in (12), (13), (14), (15), (16), (17), (18) is negligible trough a series of lemmas. Lemma 9. For i ∈ J1, kK, we have

1 X ej |A e1:j−1 ) = 0. H(A i i N →∞ N c lim

j∈VU

Proof: See Appendix E.

Lemma 10. For i ∈ J1, kK, we have

1 X e j |B e 1:j−1 U ei1:N ) = 0. H(B i i N →∞ N c lim

j∈VV |U

Proof: See Appendix F.

Lemma 11. For i ∈ J1, kK, we have

1 X H(Teij |Tei1:j−1 Vei1:N ) = 0. N →∞ N c lim

j∈VX|V

November 4, 2014

DRAFT

21

The proof of Lemma 11 is similar to that of Lemma 10 using Lemma 7 in place of Lemma 6. Hence, the overall randomness rate RR used at the encoder is asymptotically N →∞,k→∞

RR −−−−−−−−→ I(X; Z|V ).

Sum rates. The sum of the private message rate RM and the randomness rate RR is asymptotically N →∞,k→∞

RM + RR −−−−−−−−→I(V ; Z|U ) + I(X; Z|V ) (a)

= H(Z|U ) − H(Z|U V ) + H(Z|V ) − H(Z|XV )

= H(Z|U ) − H(Z|XV ) (b)

= H(Z|U ) − H(Z|XU )

= I(X; Z|U ),

where (a) and (b) hold by U − V − X − Z . Moreover, the sum of the common message rate RO , the private message rate RM , and the confidential message rate RS is asymptotically N →∞,k→∞

RO + RM + RS −−−−−−−−→I(Y ; U ) + I(V ; Z|U ) + I(V ; Y |U ) − I(V ; Z|U ) = I(Y ; U ) + I(V ; Y |U ).

Seed Rate. The rate of the secret sequence that must be shared between the legitimate users to initialize the coding scheme is V |U

|Ψk

V |U

|+k|Φ1 kN

|

V |U

|Ψk | |Φ1V |U | + kN N |HV |U Y | |HV |U Y \VV |U Y | 6 + kN N |HV |U Y | |HV |U Y |−|VV |U Y | 6 + kN N N →∞ H(V |Y ) −−−−→ k =

k→∞

−−−→ 0,

where we have used [22, Lemma 1] and [18]. Moreover the rate of public communication from Alice to both Bob and Eve is U |ΨU 1 |+|Φ1:k | kN November 4, 2014

DRAFT

22

|ΨU 1 |+k|HU \VU | kN |VU \IU Y |+k(|HU |−|VU |) = kN |HU |Y |+k(|HU |−|VU |) 6 kN |HU |Y | |HU |−|VU | = + kN N H(U |Y ) N →∞ −−−−→ k

6

k→∞

−−−→ 0.

C. Average probability of error 1:N with small probability. We first show that Eve and Bob can reconstruct the common messages O1:k

For i ∈ J1, kK, consider an optimal coupling [25], [27] between peUi1:N Yi1:N and pU 1:N Y 1:N such that

e 1:N , Ye 1:N ) 6= (U 1:N , Y 1:N )}. Define also for P[EUi ,Yi ] = V(peUi1:N Yi1:N , pU 1:N Y 1:N ), where EUi ,Yi , {(U i i

b1:N [IU Y \IU Z ] 6= A e1:N [IU Y \IU Z ]}. i ∈ J2, kK, Ei , {A i−1 i−1 We have

bi ] P[Oi 6= O

bi1:N 6= U ei1:N ] = P[ U

bi1:N 6= U ei1:N |EUc ,Y ∩ Eic ]P[EUc ,Y ∩ Eic ] + P[U bi1:N 6= U ei1:N |EUi ,Yi ∪ Ei ]P[EUi ,Yi ∪ Ei ], = P[ U i i i i

bi1:N 6= U ei1:N |EUc ,Y ∩ Eic ] + P[EUi ,Yi ∪ Ei ] 6 P[U i i

(a)

6 N δN + P[EUi ,Yi ] + P[Ei ]

(b)

(P )

6 N δN + δN + P[Ei ]

(P ) 1:N 1:N bi−1 ei−1 6 N δN + δN + P[U 6= U ]

(c)

(P ) b11:N 6= U e11:N ] 6 (i − 1)(N δN + δN ) + P[U

(d)

(P )

6 i(N δN + δN ),

(19)

where (a) follows from the error probability of source coding with side information [18] and the union bound, (b) holds by the optimal coupling and Lemma 8, (c) holds by induction, (d) holds similarly to

November 4, 2014

DRAFT

23

the previous inequalities. We thus have by the union bound and (19) 1:N b 1:N ] 6 P[O1:k 6= O 1:k

k X i=1

bi ] P[Oi 6= O

k(k + 1) (P ) (N δN + δN ). 2

6

We similarly obtain for Eve k(k + 1) bb 1:N (P ) 1:N P[O1:k 6= O (N δN + δN ). 1:k ] 6 2

Next we show how Bob can recover the secret and private messages. Informally, the decoding process of the confidential and private messages (M1:k , S1:k ) for Bob is as follows. Reconstruction starts with V |U

Block k . Given (Ψk

V |U

, Φk

b 1:N ), Bob can reconstruct Ve 1:N , from which ΨV |U is deduced. , Yk1:N , U k k k−1

V |U V |U 1:N , U b 1:N ), Bob can reconstruct Ve 1:N , from which ΨV |U Then, for i ∈ J1, k −1K, given (Ψk−i , Φk−i , Yk−i k−i k−i k−i−1

1:N . is deduced. Finally, S1:k can be recovered from Ve1:k

Formally, the analysis is as follows. For i ∈ J1, kK, consider an optimal coupling [25], [27] be-

tween peUi1:N Vi1:N Yi1:N and pU 1:N V 1:N Y 1:N such that P[EUi ,Vi ,Yi ] = V(peUi1:N Vi1:N Yi1:N , pU 1:N V 1:N Y 1:N ), where e 1:N , Ve 1:N , Y 1:N ) 6= (U 1:N , V 1:N , Y 1:N )}. Define also for i ∈ J1, k − 1K, E V |U , EUi ,Vi ,Yi , {(U i i i Ψ i

b 1:N 6= U e 1:N }, and E V |U e , E V |U ∪ E e . b V |U 6= ΨV |U }, E e , {U {Ψ i i i i Ui Ui Ψ ,U i Ψ i

i

For i ∈ J1, k − 1K, we have

ci , Sbi )] P[(Mi , Si ) 6= (M (a)

= P[Vei 6= Vbi ]

c c c = P[Vei 6= Vbi |EUc i ,Vi ,Yi ∩ EΨ V |U e ]P[EU ,V ,Y ∩ E V |U e ] i i i ,U Ψ ,U i

i

i

i

+ P[Vei 6= Vbi |EUi ,Vi ,Yi ∪ EΨV |U ,Uei ]P[EUi ,Vi ,Yi ∪ EΨV |U ,Uei ] i

6 P[Vei 6=

Vbi |EUc i ,Vi ,Yi



c EΨ V |U e ] , Ui i

i

+ P[EUi ,Vi ,Yi ∪ EΨV |U ,Uei ] i

c 6 P[Vei 6= Vbi |EUc i ,Vi ,Yi ∩ EΨ V |U e ] + P[EUi ,Vi ,Yi ] + P[E V |U e ] Ψ , Ui ,U i

i

i

c 6 P[Vei 6= Vbi |EUc i ,Vi ,Yi ∩ EΨ V |U e ] + P[EUi ,Vi ,Yi ] + P[E V |U ] + P[E e ] Ui Ψ ,U i

i

i

(b)

c e b b 1:N 6= U ei1:N ] 6 P[Vei 6= Vbi |EUc i ,Vi ,Yi ∩ EΨ V |U e ] + P[EUi ,Vi ,Yi ] + P[Vi+1 6= Vi+1 ] + P[Ui ,U i

i

(c)

bi1:N 6= U ei1:N ] 6 N δN + P[EUi ,Vi ,Yi ] + P[Vei+1 6= Vbi+1 ] + P[U

(d)

(P ) bi1:N 6= U ei1:N ] 6 N δN + δN + P[Vei+1 6= Vbi+1 ] + P[U   (e) (P ) 6 (i + 1) N δN + δN + P[Vei+1 6= Vbi+1 ]

November 4, 2014

DRAFT

24

  (P ) 6 (i + 1)(k − i) N δN + δN + P[Vek 6= Vbk ]

(f )

  (P ) 6 (i + 1)(k − i + 1) N δN + δN

(g)

V |U where (a) holds because Vei contains (Mi , Si , Ψi−1 ) by construction, (b) holds because Vei+1 contains V |U

Ψi

by construction, (c) follows from the error probability of lossless source coding with side infor-

mation [18], (d) holds by the optimal coupling and Lemma 8, (e) holds by (19), (f ) holds by induction, (g) is obtained similarly to the previous inequalities.

Hence, c1:k , Sb1:k )] P[(M1:k , S1:k ) 6= (M 6

k X i=1

6

k X i=1

=



ci , Sbi )] P[(Mi , Si ) 6= (M

  (P ) (i + 1)(k − i + 1) N δN + δN

  k(k + 1)(k + 2) (P ) +k N δN + δN . 6

(20)

D. Information leakage The functional dependence graph for the coding scheme of Section III is given in Figure 5. For the secrecy analysis the following term must be upper bounded U N I(S1:k ; ΨU 1 Φ1:k Z1:k ). U Note that we have introduced (ΨU 1 , Φ1:k ), since these random variables have been made available to

Eve. Recall that ΦU 1:k is additional information transmitted to Bob and Eve to reconstruct the common U messages O1:k . Recall also that ΨU 1 ⊃ Ψi , i ∈ J2, kK, as it is the randomness reused among all the blocks

that allows the transmission of the common messages O1:k . We start by proving that secrecy holds for a given block i ∈ J2, kK in the following lemma. Lemma 12. For i ∈ J2, kK and N large enough, V |U

(∗)

U I(Si Ψi−1 ; Zi1:N ΦU i Ψ1 ) 6 δN , (∗)

where δN ,



√ √ √ √ √ √ √ 2 log 2 N δN (1 + 6 2 + 3 3)(N − log2 ( 2 log 2 N δN (1 + 6 2 + 3 3))).

Proof: See Appendix G.

November 4, 2014

DRAFT

25

Block i

Block i

1

Block i + 1 U i

Oi ei1:N U

U i 1

Si

1:N ei+1 U

U i

Si+1

Mi

V |U i 1

U i+1

Oi+1

U i+1

Mi+1

V |U i

V |U i+1 1:N Vei+1

Vei1:N X|V i 1

X|V i

ei1:N X

Ri

Zi1:N

Ri+1

1:N ei+1 X

X|V i+1

1:N Zi+1

Functional dependence graph of the block encoding scheme. For Block i, Oi is the common message, Mi is the

Fig. 5.

V |U

private message, Si is the confidential message. Ψi

is the side information retransmitted in the next block to allow Bob to

V |U 1:N U e 1:N , ΨU and its observations Y1:k . ΨU reconstruct Mi and Si given Φi i is the randomness used to form Ui i ⊂ Ψ1 X|V ei1:N where ΨX|V represent the randomness necessary at the encoder to form X from the previous block. Ri and Ψi i

is reused X|V

= Ψ1

is reused from the previous block. Finally, ΦU i is information, whose rate is negligible, sent to Bob and Eve to allow them to reconstruct the common messages.

X|V

Recall that for channel prefixing in the encoding process we reuse some randomness Ψ1 X|V

all the blocks so that Ψ1

X|V

= Ψi

V |U

X|V

, i ∈ J2, kK. We show in the following lemma that Ψ1

among

is almost

U independent from (Zi1:N , Ψi−1 , Si , ΦU i , Ψi ). This fact will be useful in the secrecy analysis of the overall

scheme. Lemma 13. For i ∈ J2, kK and N large enough, X|V

I(Ψ1

V |U

(∗)

U ; Zi1:N Ψi−1 Si ΦU i Ψi ) 6 δN ,

(∗)

where δN is defined as in Lemma 12. Proof: See Appendix H. Using Lemmas 12 and 13, we show in the following lemma a recurrence relation that will make the secrecy analysis over all blocks easier.

November 4, 2014

DRAFT

26

e i , I(S1:k ; ΨU ΦU Z 1:N ). We have Lemma 14. Let i ∈ J1, k − 1K. Define L 1 1:i 1:i e i+1 − L e i 6 3δ (∗) . L N

Proof: See Appendix I. We then have

U 1:N e 1 = I(S1:k ; ΨU L 1 Φ1 Z1 )

U 1:N U U 1:N = I(S1 ; ΨU 1 Φ1 Z1 ) + I(S2:k ; Ψ1 Φ1 Z1 |S1 ) (a)

(∗)

U 1:N 6 δN + I(S2:k ; ΨU 1 Φ1 Z1 |S1 ) (∗)

U 1:N 6 δN + I(S2:k ; ΨU 1 Φ1 Z1 S1 ) (b)

(∗)

= δN ,

where (a) follows from Lemma 12, (b) follows from independence of S2:k and the random variables of Block 1. Hence, strong secrecy follows from Lemma 14 by remarking that U N e I(S1:k ; ΨU 1 Φ1:k Z1:k ) = L1 +

6

(∗) δN

k−1 X e i+1 − L ei ) (L i=1

(∗)

+ (k − 1)(3δN ) (∗)

= (3k − 2)δN .

VI. C ONCLUSION Our proposed polar coding scheme for the broadcast channel with confidential messages and constrained randomization provides an explicit low-complexity scheme achieving the capacity region of [14]. Although the presence of auxiliary random variables and the need to re-align polarization sets through chaining introduces rather involved notation, the coding scheme is conceptually close to a binning proof of the capacity region, in which polarization is used in place of random binning. We believe that a systematic use of this connection will effectively allow one to translate any results proved with output statistics of random binning [21] into a polar coding scheme. It is arguable whether the resulting schemes are truly practical, as the block length N and the number of blocks k are likely to be fairly large. In addition work remains to be done to circumvent the need for sharing random seeds between the transmitter and receivers.

November 4, 2014

DRAFT

27

A PPENDIX A P ROOF OF L EMMA 5 Let i ∈ J2, k − 1K. We have D(pU 1:N ||peUi1:N ) (a)

= D(pA1:N ||peA1:N ) i

(b)

=

N X j=1

) D(pAj |A1:j−1 ||peAji |A1:j−1 i

X

(c)

=

j∈VU (d)

=

X

j∈VU

) D(pAj |A1:j−1 ||peAji |A1:j−1 i

(1 − H(Aj |A1:j−1 ))

(e)

6 |VU |δN

6 N δN ,

(21)

where (a) holds by invertibility of Gn , (b) holds by the chain rule, (c) holds by (13), (d) holds by (13) and uniformity of Oi and Oi−1,2 , (e) holds by definition of VU . Similarly for i ∈ {1, k}, using (12) and (14) we also have D(pU 1:N ||peUi1:N ) 6 N δN .

(22)

A PPENDIX B

P ROOF OF L EMMA 6 Let i ∈ J2, kK. We have D(pB 1:N |U 1:N ||peBi1:N |Ui1:N ) (a)

=

N X j=1

(b)

=

D(pB j |B 1:j−1 U 1:N ||peBij |Bi1:j−1 Ui1:N )

X

j∈VV |U (c)

=

X

j∈VV |U

D(pB j |B 1:j−1 U 1:N ||peBij |Bi1:j−1 Ui1:N )

(1 − H(B j |B 1:j−1 U 1:N ))

(d)

6 |VV |U |δN

6 N δN , November 4, 2014

(23) DRAFT

28 V |U

where (a) holds by the chain rule, (b) holds by (16), (c) holds by (16) and uniformity of Ψi−1 , Si , and Mi , (d) holds by definition of VV |U .

Then, D(pV 1:N U 1:N ||peVi1:N Ui1:N ) (a)

= D(pB 1:N U 1:N ||peBi1:N Ui1:N )

(b)

= D(pB 1:N |U 1:N ||peBi1:N |Ui1:N ) + D(pU 1:N ||peUi1:N )

(c)

6 2N δN ,

where (a) holds by invertibility of Gn , (b) holds by the chain rule, (c) holds by (23) and Lemma 5. Similarly, using (15) and Lemma 5, we have D(pV 1:N U 1:N ||peV11:N U11:N )62N δN . A PPENDIX C

P ROOF OF L EMMA 7 Let i ∈ J2, kK. We have D(pT 1:N |V 1:N ||peTi1:N |Vi1:N ) (a)

=

N X j=1

(b)

=

D(pT j |T 1:j−1 V 1:N ||peTij |Ti1:j−1 Vi1:N )

X

j∈VX|V (c)

=

X

j∈VX|V

D(pT j |T 1:j−1 V 1:N ||peTij |Ti1:j−1 Vi1:N )

(1 − H(T j |T 1:j−1 V 1:N ))

(d)

6 |VX|V |δN

6 N δN ,

(24)

where (a) holds by the chain rule, (b) holds by (18), (c) holds by (18) and uniformity of the bits in Tei1:N [VX|V ], (d) holds by definition of VX|V .

November 4, 2014

DRAFT

29

Then, D(pX 1:N V 1:N ||peXi1:N Vi1:N ) (a)

= D(pT 1:N V 1:N ||peTi1:N Vi1:N )

(b)

= D(pT 1:N |V 1:N ||peTi1:N |Vi1:N ) + D(pV 1:N ||peVi1:N )

(c)

6 3N δN ,

where (a) holds by invertibility of Gn , (b) holds by the chain rule, (c) holds by (24) and Lemma 6. Similarly, using (17) and Lemma 6, we have D(pX 1:N V 1:N ||peX11:N V11:N )63N δN . A PPENDIX D

P ROOF OF L EMMA 8 We have V(pU 1:N V 1:N X 1:N Y 1:N Z 1:N , peUi1:N Vi1:N Xi1:N Yi1:N Zi1:N )

= V(pY 1:N Z 1:N |U 1:N V 1:N X 1:N pU 1:N V 1:N X 1:N , peYi1:N Zi1:N |Ui1:N Vi1:N Xi1:N peUi1:N Vi1:N Xi1:N )

(a)

= V(pY 1:N Z 1:N |X 1:N pU 1:N V 1:N X 1:N , peYi1:N Zi1:N |Xi1:N peUi1:N Vi1:N Xi1:N )

(b)

= V(pU 1:N V 1:N X 1:N , peUi1:N Vi1:N Xi1:N )

= V(pX 1:N |U 1:N V 1:N pU 1:N V 1:N , peXi1:N |Ui1:N Vi1:N peUi1:N Vi1:N )

(c)

= V(pX 1:N |V 1:N pU 1:N V 1:N , peXi1:N |Vi1:N peUi1:N Vi1:N )

(d)

6 V(pX 1:N |V 1:N pU 1:N V 1:N , peXi1:N |Vi1:N pU 1:N V 1:N ) + V(peXi1:N |Vi1:N pU 1:N V 1:N , peXi1:N |Vi1:N peUi1:N Vi1:N )

= V(pX 1:N |V 1:N pU 1:N V 1:N , peXi1:N |Vi1:N pU 1:N V 1:N ) + V(pU 1:N V 1:N , peUi1:N Vi1:N )

(e)

(U V )

6 V(pX 1:N |V 1:N pU 1:N V 1:N , peXi1:N |Vi1:N pU 1:N V 1:N ) + δN (U V )

= V(pX 1:N |V 1:N pV 1:N , peXi1:N |Vi1:N pV 1:N ) + δN

(f )

(U V )

6 V(pX 1:N |V 1:N pV 1:N , peXi1:N Vi1:N ) + V(peXi1:N Vi1:N , peXi1:N |Vi1:N pV 1:N ) + δN (U V )

= V(pX 1:N V 1:N , peXi1:N Vi1:N ) + V(peVi1:N , pV 1:N ) + δN

(U V )

6 V(pX 1:N V 1:N , peXi1:N Vi1:N ) + V(pU 1:N V 1:N , peUi1:N Vi1:N ) + δN

(g)

(U V )

6 2δN

November 4, 2014

(XV )

+ δN

,

DRAFT

30

e 1:N → Ve 1:N → where (a) and (c) follow from the Markov condition U → V → X → (Y Z) and U i i

e 1:N → (Y 1:N Z 1:N ) , (b) follows from pY 1:N Z 1:N |X 1:N = peY 1:N Z 1:N |X 1:N and [28, Lemma 17], (d) X i i i i i i

holds by the triangle inequality, (e) holds by Lemma 6, (f ) hold by the triangle inequality, (g) holds by Lemmas 6 and 7. A PPENDIX E P ROOF OF L EMMA 9 We have for i ∈ J1, kK, for j ∈ VUc , ej |A e1:j−1 ) − H(Aj |A1:j−1 )| |H(A i i

e1:j ) − H(A1:j )|+|H(A e1:j−1 ) − H(A1:j−1 )| 6 |H(A i i

2j e1:j−1 ) − H(A1:j−1 )| + |H(A i ) V(pA1:j , peA1:j i   (b) (U ) (U ) e1:j−1 ) − H(A1:j−1 )| 6 δN N − log2 δN + |H(A i   (U ) (U ) 6 2δN N − log2 δN

(a)

6 V(pA1:j , peA1:j ) log i

(A)

, δN ,

where (a) holds by [29], (b) holds by Lemma 5 and because x 7→ x log x is decreasing for x > 0 small enough. Hence, we obtain X

c j∈VU

=

ej |A e1:j−1 ) H(A i i

X

X

c j∈HU j∈HU \VU

6 |HU \VU |+

ej |A e1:j−1 ) H(A i i

X

c j∈HU

= |HU |−|VU |+

6 |HU |−|VU |+

ej |A e1:j−1 ) H(A i i

X

c j∈HU

X

c j∈HU

ej |A e1:j−1 ) H(A i i

(A)

(H(Aj |A1:j−1 ) + δN ) (A)

c 6 |HU |−|VU |+|HU |(δN + δN ) (A)

6 |HU |−|VU |+N (δN + δN ), and we obtain the result by [22, Lemma 1] and [18]. November 4, 2014

DRAFT

31

A PPENDIX F P ROOF OF L EMMA 10 We have for i ∈ J1, kK, for j ∈ VVc |U , e j |B e 1:j−1 U ei1:N ) − H(B j |B 1:j−1 U 1:N )| |H(B i i

e 1:j U ei1:N ) − H(B 1:j U 1:N )|+|H(B e 1:j−1 U ei1:N ) − H(B 1:j−1 U 1:N )| 6 |H(B i i (a)

6 V(pB 1:j U 1:N , peBi1:j Ui1:N ) log

 (U V ) e 1:j−1 U ei1:N ) − H(B 1:j−1 U 1:N )| 2N − log2 δN + |H(B i   (U V ) (U V ) 6 2δN 2N − log2 δN

(b)

(U V )

6 δN



2j+N e 1:j−1 U ei1:N ) − H(B 1:j−1 U 1:N )| + |H(B i V(pB 1:j U 1:N , peBi1:j Ui1:N )

(B)

, δN ,

where (a) holds by [29], (b) holds by Lemma 6 and because x 7→ x log x is decreasing for x > 0 small enough. Then, X

j∈VVc |U

=

e j |B e 1:j−1 U ei1:N ) H(B i i

X

X

c j∈HV |U j∈HV |U \VV |U

6 |HV |U \VV |U |+

e j |B e 1:j−1 U ei1:N ) H(B i i

X

c j∈HV |U

= |HV |U |−|VV |U |+

6 |HV |U |−|VV |U |+

e j |B e 1:j−1 U ei1:N ) H(B i i

X

c j∈HV |U

X

c j∈HV |U

e j |B e 1:j−1 U ei1:N ) H(B i i

(B)

(H(B j |B 1:j−1 U 1:N ) + δN ) (B)

6 |HV |U |−|VV |U |+|HVc |U |(δN + δN ) (B)

6 |HV |U |−|VV |U |+N (δN + δN ), and we obtain the result by [22, Lemma 1] and [18].

November 4, 2014

DRAFT

32

A PPENDIX G P ROOF OF L EMMA 12 We have V(pB 1:N [VV |U Z ]U 1:N Z 1:N , peBi1:N [VV |U Z ] peUi1:N Zi1:N )

6 V(pB 1:N [VV |U Z ]U 1:N Z 1:N , pB 1:N [VV |U Z ] pU 1:N Z 1:N ) + V(pB 1:N [VV |U Z ] pU 1:N Z 1:N , peB 1:N [VV |U Z ] peU 1:N Z 1:N )

(a)

6 V(pB 1:N [VV |U Z ]U 1:N Z 1:N , pB 1:N [VV |U Z ] pU 1:N Z 1:N ) + V(pB 1:N [VV |U Z ] , peB 1:N [VV |U Z ] ) + V(pU 1:N Z 1:N , peU 1:N Z 1:N )

(b)

(P )

6 V(pB 1:N [VV |U Z ]U 1:N Z 1:N , pB 1:N [VV |U Z ] pU 1:N Z 1:N ) + 2δN q (d) p (P ) 6 2 log 2 D(pB 1:N [VV |U Z ]U 1:N Z 1:N ||pB 1:N [VV |U Z ] pU 1:N Z 1:N ) + 2δN q p (P ) = 2 log 2 I(B 1:N [VV |U Z ]; U 1:N Z 1:N ) + 2δN (c)

6

p

2 log 2

p

(P )

N δN + 2δN ,

(25)

where (a) follows from the triangle inequality, (b) holds by Lemma 8, (c) holds by Pinsker’s inequality, (d) holds because using the fact that conditioning reduces entropy we have I(B 1:N [VV |U Z ]; U 1:N Z 1:N ) = H(B 1:N [VV |U Z ]) − H(B 1:N [VV |U Z ]|U 1:N Z 1:N ) X 6 |VV |U Z |− H(B j |B 1:j−1 U 1:N Z 1:N ) j∈VV |U Z

6 |VV |U Z |+|VV |U Z |(δN − 1) 6 N δN . We then obtain V(peBi1:N [VV |U Z ]Ui1:N Zi1:N , peBi1:N [VV |U Z ] peUi1:N Zi1:N ) (a)

6 V(peBi1:N [VV |U Z ]Ui1:N Zi1:N , pB 1:N [VV |U Z ]U 1:N Z 1:N ) + V(pB 1:N [VV |U Z ]U 1:N Z 1:N , peBi1:N [VV |U Z ] peUi1:N Zi1:N )

(b)

6

p

2 log 2

p

(P )

N δN + 3δN ,

(26)

where (a) holds by the triangle inequality, (b) holds by Lemma 8, and (25).

November 4, 2014

DRAFT

33

Then, for N large enough by [29], V |U

U I(Si Ψi−1 ; Zi1:N ΦU i Ψi )

ei1:N [VV |U Z ]; Zi1:N U ei1:N ) 6 I(B

6 V(peBi1:N [VV |U Z ]Ui1:N Zi1:N , peBi1:N [VV |U Z ] peUi1:N Zi1:N )

|VV |U Z | V(peB [VV |U Z ]U Zi1:N , peBi1:N [VV |U Z ] peUi1:N Zi1:N ) p p p p √ √ √ √ 6 2 log 2 N δN (1 + 6 2 + 3 3)(N − log2 ( 2 log 2 N δN (1 + 6 2 + 3 3))), × log2

1:N i

1:N i

where we have used (26) and that x 7→ x log x is decreasing for x > 0 small enough. A PPENDIX H P ROOF OF L EMMA 13 By the triangle inequality we can write V(pT 1:N [VX|V Z ]U 1:N V 1:N Z 1:N , peTi1:N [VX|V Z ] peUi1:N Vi1:N Zi1:N )

6 V(pT 1:N [VX|V Z ]U 1:N V 1:N Z 1:N , pT 1:N [VX|V Z ] pU 1:N V 1:N Z 1:N ) + V(pT 1:N [VX|V Z ] pU 1:N V 1:N Z 1:N , peTi1:N [VX|V Z ] peUi1:N Vi1:N Zi1:N )

(a)

(P )

6 V(pT 1:N [VX|V Z ]U 1:N V 1:N Z 1:N , pT 1:N [VX|V Z ] pU 1:N V 1:N Z 1:N ) + 2δN q (b) p (P ) 6 2 log 2 D(pT 1:N [VX|V Z ]U 1:N V 1:N Z 1:N , pT 1:N [VX|V Z ] pU 1:N V 1:N Z 1:N ) + 2δN q p (P ) = 2 log 2 I(T 1:N [VX|V Z ]; Z 1:N U 1:N V 1:N ) + 2δN (c)

6

p

2 log 2

p

(P )

N δN + 2δN ,

(27)

where (a) holds by the triangle inequality and Lemma 8, (b) holds by Pinsker’s inequality, (c) holds because using the fact that conditioning reduces entropy and U − V − X we have I(T 1:N [VX|V Z ]; Z 1:N U 1:N V 1:N ) X 6 |VX|V Z |− H(T j |T 1:j−1 Z 1:N U 1:N V 1:N ) j∈VX|V Z

= |VX|V Z |−

X

j∈VX|V Z

H(T j |T 1:j−1 Z 1:N V 1:N )

6 |VX|V Z |+|VX|V Z |(δN − 1) 6 N δN . November 4, 2014

DRAFT

34

Hence, V(peTi1:N [VX|V Z ]Ui1:N Vi1:N Zi1:N , peTi1:N [VX|V Z ] peUi1:N Vi1:N Zi1:N )

6 V(peTi1:N [VX|V Z ]Ui1:N Vi1:N Zi1:N , pT 1:N [VX|V Z ]U 1:N V 1:N Z 1:N )

+ V(pT 1:N [VX|V Z ]U 1:N V 1:N Z 1:N , peTi1:N [VX|V Z ] peUi1:N Vi1:N Zi1:N ) p p (P ) 6 2 log 2 N δN + 3δN ,

(28)

where (a) holds by the triangle inequality, (b) holds by Lemma 8, and (27). Then, for N large enough by [29], X|V

I(Ψi

V |U

U ; Zi1:N Ψi−1 Si ΦU i Ψi )

U ei1:N [HV |U Z ]ΦU = I(Tei1:N [VX|V Z ]; Zi1:N B i Ψi )

ei1:N U ei1:N ) 6 I(Tei1:N [VX|V Z ]; Zi1:N B

(a)

ei1:N ) = I(Tei1:N [VX|V Z ]; Zi1:N Vei1:N U

6 V(peTi1:N [VX|V Z ]Ui1:N Vi1:N Zi1:N , peTi1:N [VX|V Z ] peUi1:N Vi1:N Zi1:N ) × log2

(b)

6

p

2 log 2

p

|VX|V Z | V(peTi1:N [VX|V Z ]Ui1:N Vi1:N Zi1:N , peTi1:N [VX|V Z ] peUi1:N Vi1:N Zi1:N )

p p √ √ √ √ N δN (1 + 6 2 + 3 3)(N − log2 ( 2 log 2 N δN (1 + 6 2 + 3 3))),

where (a) holds by invertibility of Gn , (b) holds by (28) and because x 7→ x log x is decreasing for x > 0 small enough.

November 4, 2014

DRAFT

35

A PPENDIX I P ROOF OF L EMMA 14 Let i ∈ J1, k − 1K. We have e i+1 − L ei L

U 1:N U U 1:N = I(S1:k ; ΨU 1 Φ1:i+1 Z1:i+1 ) − I(S1:k ; Ψ1 Φ1:i Z1:i ) 1:N U U 1:N = I(S1:k ; ΦU i+1 Zi+1 |Ψ1 Φ1:i Z1:i ) 1:N U U 1:N U 1:N U U 1:N = I(S1:i+1 ; ΦU i+1 Zi+1 |Ψ1 Φ1:i Z1:i ) + I(Si+2:k ; Φi+1 Zi+1 |Ψ1 Φ1:i Z1:i S1:i+1 )

(a)

1:N U 1:N U U 1:N U 6 I(S1:i+1 ΦU 1:i Z1:i ; Φi+1 Zi+1 |Ψ1 ) + I(Si+2:k ; Φ1:i+1 Z1:i+1 S1:i+1 Ψ1 )

(b)

1:N U 1:N U = I(S1:i+1 ΦU 1:i Z1:i ; Φi+1 Zi+1 |Ψ1 )

1:N U U 1:N U 1:N U = I(Si+1 ; ΦU i+1 Zi+1 |Ψ1 ) + I(S1:i Φ1:i Z1:i ; Φi+1 Zi+1 |Ψ1 Si+1 ) 1:N U U 1:N U 1:N U 6 I(Si+1 ; ΦU i+1 Zi+1 Ψ1 ) + I(S1:i Φ1:i Z1:i ; Φi+1 Zi+1 |Ψ1 Si+1 ) (c)

(∗)

1:N U 1:N U 6 δN + I(S1:i ΦU 1:i Z1:i ; Φi+1 Zi+1 |Ψ1 Si+1 ) (∗)

1:N U 1:N U 6 δN + I(S1:i ΦU 1:i Z1:i ; Φi+1 Zi+1 Si+1 |Ψ1 ) (d)

V |U

(∗)

1:N 6 δN + I(S1:i ΦU 1:i Z1:i Ψi (∗)

V |U

(∗)

V |U

(∗)

V |U

= δN + I(Ψi (e)

6 δN + I(Ψi (f )

V |U

(∗)

V |U

1:N U U 1:N U 1:N ; ΦU i+1 Zi+1 Si+1 |Ψ1 ) + I(S1:i Φ1:i Z1:i ; Φi+1 Zi+1 Si+1 |Ψi

X|V

1:N U ; ΦU i+1 Zi+1 Si+1 |Ψ1 )

X|V

ΨU 1 ; Si+1 ) + I(Ψi

Ψi

Ψi

= δN + I(Ψi

1:N U ; ΦU i+1 Zi+1 Si+1 |Ψ1 )

X|V

Ψi

= δN + I(Ψi

X|V

Ψi

X|V

Ψi

V |U

X|V

Ψi

V |U

1:N U ; ΦU i+1 Zi+1 |Ψ1 Si+1 ) + I(Ψi

(∗)

V |U

1:N U Si+1 ; ΦU i+1 Zi+1 Ψ1 ) + I(Ψi

6 δN + I(Ψi (g)

ΨU 1)

1:N U ; ΦU i+1 Zi+1 |Ψ1 Si+1 )

1:N U ; ΦU i+1 Zi+1 |Ψ1 Si+1 )

(∗)

= δN + I(Ψi

X|V

Ψi

X|V

X|V

V |U

1:N ; ΦU i+1 Zi+1 |Ψi

V |U

1:N ; ΦU i+1 Zi+1 Ψi

ΨU 1 Si+1 )

ΨU 1 Si+1 )

(∗)

6 3δN ,

where (a) holds by the chain rule and positivity of mutual information, (b) holds by independence of Si+2:k with all the random variables of the previous blocks, (c) holds by Lemma 12, in (d) we introduce V |U

the random variable Ψi

X|V

and Ψi

to be able to break the dependencies between the random variables

1:N of block (i + 1) and the random variables of the previous blocks, (e) holds because S1:i ΦU 1:i Z1:i → V |U

Ψi

X|V

Ψi

V |U

U 1:N ΨU 1 → Φi+1 Zi+1 Si+1 , (f ) holds because (Ψi

November 4, 2014

X|V

, Ψi

, ΨU i ) is independent of Si+1 , (g) DRAFT

36 X|V

holds by Lemmas 12, 13 and because Ψi

X|V

is constant equal to Ψ1

.

R EFERENCES [1] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J.-M. Merolla, “Applications of LDPC codes to the wiretap channels,” IEEE Trans. Inf. Theory, vol. 53, no. 8, pp. 2933–2945, August 2007. [2] A. Subramanian, A. Thangaraj, M. Bloch, and S. McLaughlin, “Strong secrecy on the binary erasure wiretap channel using large-girth LDPC codes,” IEEE Transactions on Information Forensics and Security, vol. 6, no. 3, pp. 585–594, September 2011. [3] V. Rathi, R. Urbanke, M. Andersson, and M. Skoglund, “Rate-equivocation optimal spatially coupled LDPC codes for the bec wiretap channel,” in Proc. of IEEE Int. Symp. Info. Theory, Saint-Petersburg, Russia, August 2011, pp. 2393–2397. [4] H. Mahdavifar and A. Vardy, “Achieving the Secrecy Capacity of Wiretap Channels using Polar Codes,” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6428–6443, 2011. [5] E. S¸as¸o˘glu and A. Vardy, “A New Polar Coding Scheme for Strong Security on Wiretap Channels,” in Proc. of IEEE Int. Symp. Info. Theory, 2013, pp. 1117–1121. [6] J. M. Renes, R. Renner, and D. Sutter, “Efficient one-way secret-key agreement and private channel coding via polarization,” in Advances in Cryptology-ASIACRYPT 2013.

Springer, 2013, pp. 194–213.

[7] M. Andersson, R. Schaefer, T. Oechtering, and M. Skoglund, “Polar coding for bidirectional broadcast channels with common and confidential messages,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1901–1908, 2013. [8] M. Hayashi, “Exponential decreasing rate of leaked information in universal random privacy amplification,” IEEE Trans. Info. Theory, vol. 57, no. 6, pp. 3989–4001, 2011. [9] M. Bellare and S. Tessaro, “Polynomial-time, semantically-secure encryption achieving the secrecy capacity,” arXiv preprint arXiv:1201.3160, 2012. [10] A. D. Wyner, “The wire-tap channel,” The Bell System Technical Journal, The, vol. 54, no. 8, pp. 1355–1387, 1975. [11] M. Mondelli, S. H. Hassani, I. Sason, and R. Urbanke, “Achieving the superposition and binning regions for broadcast channels using polar codes,” arXiv preprint arXiv:1401.6060, 2014. [12] M. Mondelli, S. H. Hassani, and R. Urbanke, “How to achieve the capacity of asymmetric channels,” arXiv preprint arXiv:1406.7373, 2014. [13] I. Csisz´ar and J. Korner, “Broadcast channels with confidential messages,” IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339–348, 1978. [14] S. Watanabe and Y. Oohama, “Broadcast channels with confidential messages by randomness constrained stochastic encoder,” in Proc. of IEEE Int. Symp. Info. Theory, 2012, pp. 61–65. [15] M. Bloch and J. Kliewer, “On Secure Communication with Constrained Randomization,” in IEEE Int. Symp. Info. Theory. IEEE, 2012, pp. 1172–1176. [16] T. Gulcu and A. Barg, “Achieving secrecy capacity of the wiretap channel and broadcast channel with a confidential component,” arXiv preprint arXiv:1410.3422, 2014. [17] Y. Wei and S. Ulukus, “Polar coding for the general wiretap channel,” arXiv preprint arXiv:1410.3812, 2014. [18] E. Arikan, “Source Polarization,” in IEEE Int. Symp. Info. Theory, 2010, pp. 899–903. [19] I. Csisz´ar, “Almost independence and secrecy capacity,” Problems of Information Transmission, vol. 32, no. 1, pp. 40–47, January-March 1996. November 4, 2014

DRAFT

37

[20] J. Renes and R. Renner, “Noisy channel coding via privacy amplification and information reconciliation,” IEEE Transactions on Information Theory, vol. 57, no. 11, pp. 7377–7385, 2011. [21] M. H. Yassaee, M. R. Aref, and A. Gohari, “Achievability proof via output statistics of random binning,” in Proc. of IEEE Int. Symp. Info. Theory, Boston, MA, July 2012, pp. 1044–1048. [22] R. A. Chou, M. R. Bloch, and E. Abbe, “Polar coding for secret-key generation,” arXiv preprint arXiv:1305.4746v2, 2013. [23] E. S¸as¸o˘glu, “Polar codes for discrete alphabets,” in IEEE Int. Symp. Info. Theory, 2012, pp. 2137–2141. [24] N. Goela, E. Abbe, and M. Gastpar, “Polar codes for broadcast channels,” arXiv preprint arXiv:1301.6150, 2013. [25] S. Korada and R. Urbanke, “Polar Codes are Optimal for Lossy Source Coding,” IEEE Trans. Inf. Theory, vol. 56, no. 4, pp. 1751–1768, 2010. [26] J. Honda and H. Yamamoto, “Polar coding without alphabet extension for asymmetric models,” IEEE Trans. Inf. Theory, vol. 59, no. 12, pp. 7829–7838, 2013. [27] D. Aldous, “Random walks on finite groups and rapidly mixing markov chains,” in S´eminaire de Probabilit´es XVII 1981/82. Springer, 1983, pp. 243–297. [28] P. Cuff, “Communication in Networks for Coordinating Behavior,” Ph.D. dissertation, Stanford Univ., CA., 2009. [29] I. Csisz´ar and J. K¨orner, Information Theory: Coding Theorems for Discrete Memoryless Systems.

Cambridge Univ Pr,

1981.

November 4, 2014

DRAFT

Recommend Documents