The MIMO Wiretap Channel Decomposed

Anatoly Khina, Yuval Kochman, and Ashish Khisti

Abstract—The problem of sending a secret message over the Gaussian multiple-input multiple-output (MIMO) wiretap channel is studied. While the capacity of this channel is known, it is not clear how to construct optimal coding schemes that achieve this capacity. In this work we show how to use linear operations along with successive interference cancellation in order to reduce the problem to that of designing optimal codes for the single-antenna additive-noise Gaussian wiretap channel. Much like popular communication techniques in the absence of an eavesdropper, the data is carried over parallel streams. The derivation of the schemes is based upon joint triangularization of channel matrices. We find that the same techniques can be used to re-derive capacity expressions for the MIMO wiretap channel in a way that is simple and closely connected to a transmission scheme. This technique allows extending the recently proven semantic security for the scalar Gaussian channel to the MIMO case. We further consider the problem of transmitting confidential messages over a two-user broadcast MIMO channel. For that problem, we find that derivation of both the capacity and a transmission scheme is a direct corollary of the analysis we applied to the MIMO wiretap channel.

Index Terms—Wiretap channel, MIMO channel, confidential broadcast, successive interference cancellation, dirty-paper coding, matrix decomposition.
The material in this paper was presented in part at the 2014 IEEE International Symposium of Information Theory (ISIT), Honolulu, HI, USA, and at the 2015 IEEE ISIT, Hong Kong.

I. INTRODUCTION

The wiretap channel, introduced by Wyner [1], is composed of a sender (“Alice”) who wishes to convey data to a legitimate user (“Bob”), such that the eavesdropper (“Eve”) cannot recover (almost) any information about this data. The capacity of this channel [1], [2] equals a mutual-information difference, and was extended to the Gaussian case in [3]. Let the channels from Alice to Bob and Eve be given by

$$y_B = h_B x + z_B,$$
$$y_E = h_E x + z_E,$$

where $h_B$ and $h_E$ are complex scalar gains, $z_B$ and $z_E$ are mutually independent circularly-symmetric Gaussian zero-mean unit-variance noises, and the transmission is subject to a unit power constraint. Then, the capacity is achieved by a Gaussian input:

$$C_S(h_B, h_E) = I(x; y_B) - I(x; y_E) \tag{1a}$$
$$= \left[ \log\left(1 + |h_B|^2\right) - \log\left(1 + |h_E|^2\right) \right]_+ , \tag{1b}$$

where $[a]_+ \triangleq \max\{0, a\}$. The vector extension of this result, the multiple-input multiple-output (MIMO) Gaussian wiretap channel or the multiple-input multiple-output multiple-eavesdropper (MIMOME) channel [4]–[6], is given by

$$y_B = H_B x + z_B, \tag{2a}$$
$$y_E = H_E x + z_E, \tag{2b}$$

where $x$, $y_B$ and $y_E$ are complex-valued vectors with dimensions of the number of antennas in the terminals of Alice, Bob and Eve, denoted by $N_A$, $N_B$, and $N_E$, respectively. The channel matrices $H_B$ and $H_E$ have the corresponding dimensions. The additive noise vectors $z_B$ and $z_E$ are mutually independent, i.i.d., circularly-symmetric Gaussian with zero mean and unit element variance. The secrecy capacity of this scenario for the case where the input is subject to an average covariance constraint

$$K \triangleq E\left[x x^\dagger\right] \preceq \bar{K}, \tag{3}$$

and the case where the input is subject to a total (over all antennas) power constraint $P$:

$$\mathrm{trace}(K) \le P,$$

was established in [6] and [4]–[6], respectively. Under a covariance constraint, this capacity is given by the difference of mutual informations to Bob and Eve, optimized over all Gaussian channel inputs that satisfy the respective input constraint:

$$C_S(H_B, H_E, \bar{K}) = \max_{K \preceq \bar{K}} I_S(H_B, H_E, K), \tag{4}$$

where

$$I_S(H_B, H_E, K) \triangleq I(H_B, K) - I(H_E, K), \tag{5}$$

and

$$I(H, K) = \log\left| I + H K H^\dagger \right| \tag{6}$$

is the Gaussian vector mutual information (MI), and $|A|$ denotes the determinant of $A$. Later, Bustin et al. [7] provided an explicit solution to the maximization problem under the covariance constraint (4). We note that the capacity under a total power constraint can be written as the union of achievable regions under a covariance constraint (see [8, Lemma 1]):

$$C_S(H_B, H_E, P) = \max_{\bar{K}:\ \mathrm{trace}\{\bar{K}\} = P} C_S(H_B, H_E, \bar{K}). \tag{7}$$

Hence, we shall concentrate on the covariance constrained setting in this paper.

The confidential broadcast (BC) channel offers a natural extension to the wiretap channel setting. In the confidential BC setting, Alice wishes to convey different data to two users (“Bob” and “Charlie”), such that (almost) no information can be recovered by one user about the data intended for the other user. That is, for the data that is intended for Bob, Charlie acts as the eavesdropper (“Eve” in the wiretap setting), whereas for the data intended for Charlie, Bob takes the role of Eve. The capacity region of the Gaussian MIMO confidential BC channel, a scenario considered first in [9], was determined by Liu et al. [10] to be rectangular under the covariance constraint (3). Namely, it is given by all rate pairs $(R_B, R_C)$ satisfying

$$R_B \le C_S(H_B, H_C, \bar{K}), \tag{8a}$$
$$R_C \le C_S(H_C, H_B, \bar{K}), \tag{8b}$$

where $H_C$ is the channel matrix to Charlie replacing $H_E$ in (2b), and $C_S(H_B, H_C, \bar{K})$ is the capacity of the MIMO wiretap channel defined in (4). The converse is immediate, as both users achieve their maximal possible secrecy rates simultaneously; it is the direct part that is quite striking.

Although capacity is well understood, it is less clear how to construct codes for wiretap and confidential broadcast channels. For the scalar Gaussian case, various approaches have been suggested, see, e.g., [11]–[17] and references therein. However, assuming that we have such a code for the scalar case, it is not clear how to construct a capacity-achieving scheme for the MIMO setting.

In this work we present an approach that reduces these MIMO secrecy problems to scalar Gaussian ones by means of matrix decompositions, specifically joint unitary triangularizations [18]. The decompositions yield a layered coding scheme, where the secrecy capacity is approached by means of a scalar wiretap code in each layer and successive interference cancellation (SIC) at the receiver. The contribution of such an approach to the MIMO wiretap channel can be compared to that of SVD-based schemes [19] or V-BLAST/GDFE [20]–[23] to MIMO communication without secrecy constraints.

Beyond the architectural merit, our approach yields two more fruits. First, it enables us to revisit the capacity results for the MIMO wiretap and confidential MIMO broadcast channels. In that respect, we establish the optimal covariance matrix for the MIMO wiretap channel as well as an expression for the secrecy capacity in terms of the generalized singular values of suitably defined matrices. This re-derives a result by Bustin et al. [7], which was based on elaborate information-theoretic considerations, using a direct linear-algebraic approach. Turning to the confidential BC channel, we are able to re-derive (8) almost as a corollary of the analysis applied to the MIMO wiretap channel, also explaining the role of dirty-paper coding in this setup. Second, reducing the MIMO problem to a scalar one allows us to leverage recent advances in the secrecy analysis of the scalar Gaussian wiretap channel: whereas we concentrate in this paper on constructing weak secrecy schemes, we show that in fact a special matrix triangularization allows achieving strong secrecy guarantees and even semantic security for the MIMO wiretap channel.

An outline of this paper is as follows. We start by reviewing the relevant unitary matrix decompositions in Section II. These decompositions are used to re-derive the MIMO wiretap capacity expressions in Section III. We further recall how these decompositions allow constructing capacity-achieving schemes for the MIMO channel without secrecy in Section IV. We extend this framework to work for the MIMO wiretap setting in Sections V and VI. Finally, DPC variants of this scheme are discussed in Section VII and utilized, along with the results of Section III, to construct a simple proof of the capacity region of the confidential MIMO BC setting as well as providing a layered-DPC scheme that attains it.

II. UNITARY MATRIX TRIANGULARIZATION

In this section we briefly review some important matrix decompositions which will be used in the sequel. In Section II-A we recall the generalized triangular decomposition (GTD), and some of its important special cases which include the singular value decomposition (SVD), QR decomposition, and geometric mean decomposition (GMD).¹ Joint unitary triangularizations of two matrices are discussed in Section II-B. Throughout this paper, we shall only need to decompose full-rank matrices with equal or more rows than columns.
A. Single Matrix Triangularization

The following definitions are used in this section.

Definition 1 (Multiplicative majorization; see [25]). Let $x$ and $y$ be two $n$-dimensional vectors of positive elements. Denote by $\tilde{x}$ and $\tilde{y}$ the vectors composed of the entries of $x$ and $y$, respectively, ordered non-increasingly. We say that $x$ majorizes $y$ ($x \succeq y$) if they have equal products:

$$\prod_{j=1}^{n} x_j = \prod_{j=1}^{n} y_j ,$$

and their (ordered) elements satisfy, for any $1 \le \ell < n$,

$$\prod_{j=1}^{\ell} \tilde{x}_j \ge \prod_{j=1}^{\ell} \tilde{y}_j .$$

Definition 2 (Singular values; see [26]). Let $A$ be a full-rank matrix of dimensions $m \times n$, where $m \ge n$. Then, the singular values (SVs) of $A$ are the positive solutions $\sigma$ of the equation

$$\left| A^\dagger A - \sigma^2 I \right| = 0.$$

Let the SV vector $\sigma(A)$ be composed of all SVs (including their algebraic multiplicity), ordered non-increasingly. We use these definitions to characterize the set of all possible diagonals achievable via unitary triangularization, as follows.
Theorem 1 (Generalized Triangular Decomposition [27]). Let $A$ be a full-rank matrix of dimensions $m \times n$, where $m \ge n$, and $t$ be an $n$-dimensional vector of positive elements. A GTD of the matrix $A$ is given by:

$$A = U T V^\dagger, \tag{9}$$

where $U$ and $V$ are unitary matrices of dimensions $m \times m$ and $n \times n$, respectively, and $T$ is a generalized upper triangular matrix with a prescribed set of diagonal values $t$, i.e.,

$$T_{ii} = t_i , \quad i = 1, \ldots, n ,$$
$$T_{ij} = 0 , \quad \forall i > j .$$

This decomposition exists if and only if the vector $t$ is majorized by $\sigma(A)$:

$$\sigma(A) \succeq t .$$

In other words, the singular values are an extremal case for the diagonal of all possible unitary triangularizations. The necessity of the majorization condition was proven by Weyl [28], and the sufficiency of this condition — by Horn [29]. Explicit constructions of the decomposition were introduced in [30] and [31].

¹ See [24] for a geometrical interpretation of these decompositions.

We now recall three important special cases of the GTD.

1) SVD (See, e.g., [26]): Here the resulting matrix $T$ in (9) is a diagonal matrix, and its diagonal elements are equal to the singular values of the decomposed matrix $A$.

2) QR Decomposition (See, e.g., [26]): In this decomposition, the matrix $V$ in (9) equals the identity matrix and hence does not depend on the matrix $A$. This decomposition can be constructed by performing Gram–Schmidt orthonormalization on the (ordered) columns of the matrix $A$.

3) GMD (See [27], [32], [33]): The diagonal elements of $T$ in this decomposition are all equal to the geometric mean of its singular values $\sigma(A)$, which is real and positive. Note that this decomposition always exists if $A$ is full-rank (since the vector of singular values of $A$ necessarily majorizes the vector of diagonal elements of $T$), but is not unique.

B. Joint Matrix Triangularization

The existence condition for a joint unitary triangularization of two matrices is similar to that of the GTD in Theorem 1, where the singular values are replaced by the generalized singular values (GSVs), and the diagonal of $T$ is replaced by the ratio of the diagonals of the resulting generalized triangular matrices. These quantities are defined below.

Definition 3 (Generalized singular values [26], [34]). For any (ordered) matrix pair $(A_1, A_2)$, the GSVs are the non-negative solutions $\mu$ of the equation

$$\left| A_1^\dagger A_1 - \mu^2 A_2^\dagger A_2 \right| = 0 .$$

Let the GSV vector $\mu(A_1, A_2)$ be composed of all GSVs (including their algebraic multiplicity), ordered non-increasingly.
A characterization of the possible joint unitary triangularizations of two matrices with prescribed diagonal ratios is provided in the following theorem.

Theorem 2 (Joint unitary triangularization [18]). Let $A_1$ and $A_2$ be two full-rank matrices of dimensions $m_1 \times n$ and $m_2 \times n$, respectively, where $m_1, m_2 \ge n$, and $t$ be an $n$-dimensional vector of positive elements. A joint unitary triangularization of the matrices $A_1$ and $A_2$ is given by:

$$A_1 = U_1 T_1 V^\dagger , \tag{10a}$$
$$A_2 = U_2 T_2 V^\dagger , \tag{10b}$$

where $U_1$, $U_2$ and $V$ are unitary matrices of dimensions $m_1 \times m_1$, $m_2 \times m_2$ and $n \times n$, respectively, and $T_1$ and $T_2$ are generalized upper triangular matrices with a prescribed set of diagonal ratio values $t$, i.e.,

$$\frac{T_{1;ii}}{T_{2;ii}} = t_i , \quad i = 1, \ldots, n ,$$
$$T_{k;ij} = 0 , \quad k = 1, 2 , \quad \forall i > j .$$

This joint decomposition exists if and only if the vector $t$ is majorized by the GSV vector $\mu(A_1, A_2)$:

$$\mu(A_1, A_2) \succeq t .$$

In other words, the GSVs are an extremal case for the diagonal ratios of all possible joint unitary triangularizations. The joint unitary decomposition that corresponds to these extremal values is the GSVD. The diagonal representation of the GSVD is better known. For a matrix pair $(A_1, A_2)$ it is given by [26], [34]

$$A_1 = U_1 D_1 X^\dagger , \tag{11a}$$
$$A_2 = U_2 D_2 X^\dagger , \tag{11b}$$

where $U_1$ and $U_2$ are unitary, $X$ is invertible, and $D_1$ and $D_2$ are generalized diagonal matrices (viz., $D_{k;ij} = 0$ for $i \ne j$, where $D_{k;ij}$ is the $(i, j)$ entry of $D_k$) with positive diagonal values satisfying:

$$D_1^\dagger D_1 + D_2^\dagger D_2 = I, \tag{12}$$

the ratios of which are equal to the GSVs:

$$\frac{D_{1;ii}}{D_{2;ii}} = \mu_i(A_1, A_2) , \quad i = 1, \ldots, n,$$

and are assumed, w.l.o.g., to be ordered non-increasingly. To see the equivalence to the triangular form, apply a QL decomposition² to $X$, to attain:

$$A_1 = U_1 D_1 T V^\dagger , \tag{13a}$$
$$A_2 = U_2 D_2 T V^\dagger , \tag{13b}$$

where $T$ is upper-triangular and $V$ is unitary. By denoting $T_1 = D_1 T$ and $T_2 = D_2 T$, we have the triangular form of the GSVD, which is, in turn, a special case of (10).

² This decomposition is similar to the QR decomposition, only instead of an upper triangular matrix, the resulting matrix is lower triangular. This can be achieved, e.g., by applying Gram–Schmidt triangularization to the columns of a matrix, from last to first.

III. THE MIMO WIRETAP CAPACITY REVISITED

In this section we re-derive the explicit capacity expression of Bustin et al. [7] for the MIMO wiretap channel under a covariance constraint (3) in terms of the GSVD. While we do not establish a new capacity result, our approach of simultaneous unitary triangularization will lead to a simplified representation of the optimal covariance matrix as well as layered coding schemes, as will be discussed in the subsequent sections. To that end, construct the augmented matrices $G_B = G(H_B, \bar{K})$ and $G_E = G(H_E, \bar{K})$, where³

$$G(H, \bar{K}) \triangleq \begin{pmatrix} H \bar{K}^{1/2} \\ I \end{pmatrix} . \tag{14}$$

³ $K^{1/2}$ is any matrix $B$ satisfying $B B^\dagger = K$.
Recall that $\bar{K}$ is the constraining covariance matrix (3). Now, apply some joint unitary triangularization (9):

$$G_B = U_B T_B V_A^\dagger , \tag{15a}$$
$$G_E = U_E T_E V_A^\dagger , \tag{15b}$$

where $U_B$, $U_E$ and $V_A$ are unitary, and $T_B$ and $T_E$ are generalized upper triangular. Let $\{b_i\}$ and $\{e_i\}$ denote the diagonal values of $T_B$ and $T_E$, respectively, where, as explained in Section II-B, these values can be designed by varying $V_A$. Then, the Gaussian MI (6) satisfies:

$$I(H_B, \bar{K}) = \log\left| G_B^\dagger G_B \right| \tag{16a}$$
$$= \sum_i \log b_i^2 , \tag{16b}$$

and similarly for Eve:

$$I(H_E, \bar{K}) = \log\left| G_E^\dagger G_E \right| = \sum_i \log e_i^2 .$$

Hence, their difference (5) is given by

$$I_S(H_B, H_E, \bar{K}) = \sum_{i=1}^{N_A} \log \frac{b_i^2}{e_i^2} . \tag{17}$$

By specializing (15) to the GSVD we have

$$\mu_i(H_B, H_E, \bar{K}) \triangleq \mu_i(G_B, G_E) = \frac{b_i}{e_i} ,$$

where we use the notation $\mu_i(H_B, H_E, \bar{K})$ to emphasize the dependence on $\bar{K}$. Without loss of generality, we assume that the GSV vector is non-increasing. We further denote by $L_B$ the number of GSVs which are greater than 1, and by $L_E = N_A - L_B$ the number of remaining GSVs. In terms of the GSVs, we can rewrite (4) as:

$$C_S(H_B, H_E, \bar{K}) = \max_{K \preceq \bar{K}} \sum_{i=1}^{N_A} \log \mu_i^2(H_B, H_E, K) .$$

Indeed, in these terms the MIMO wiretap capacity can be expressed as follows.

Theorem 3 (MIMO Wiretap Capacity under a Covariance Constraint [7]). The secrecy capacity under a covariance matrix constraint $\bar{K}$ is given by

$$C_S(H_B, H_E, \bar{K}) = \sum_{i=1}^{N_A} \left[ \log \mu_i^2(H_B, H_E, \bar{K}) \right]_+ .$$

This explicit capacity expression along with the optimal covariance matrix $K \preceq \bar{K}$ were established by Bustin et al. [7] using the channel enhancement technique along with vector extensions of the I–MMSE relation. We present an alternative proof of this result using a direct approach: once the optimization problem (4) is stated, it can be solved by linear algebra and elementary calculus only. The key to our proof is the following lemma.

Lemma 1. Let $\bar{K}$ and $K$ be two matrices satisfying $0 \preceq K \preceq \bar{K}$. Then for all $i = 1, \ldots, N_A$,

$$\left| \log \mu_i^2(H_B, H_E, \bar{K}) \right| \ge \left| \log \mu_i^2(H_B, H_E, K) \right| .$$

That is, as we “decrease” the input covariance, the GSVs move towards $\mu_i = 1$. The proof, which appears in Appendix A, uses standard matrix calculus to show that the differential of the $i$-th GSV, $d\mu_i$, with respect to a change in the covariance matrix $dK$, is given by

$$d\mu_i = \left( \mu_i^2 - 1 \right) \cdot \gamma_i(dK) ,$$

where $\gamma_i(dK) \ge 0$ for $dK \succeq 0$.

By Lemma 1, clearly Theorem 3 gives an upper bound on the capacity. To see that it is achievable, consider the matrix:

$$K = \bar{K}^{1/2} V_A I_B V_A^\dagger \left( \bar{K}^{1/2} \right)^\dagger , \tag{18}$$

where $V_A$ is the right unitary matrix of the triangular form of the GSVD (13), $I_B$ is a diagonal matrix whose first $L_B$ diagonal values (corresponding to GSVs that are greater than 1) are equal to 1, and the remaining $L_E$ — to 0. Trivially, $K \preceq \bar{K}$. The choice of $K$ effectively truncates the GSVs of $\bar{K}$:

$$\log \mu_i^2(H_B, H_C, K) = \left[ \log \mu_i^2(H_B, H_C, \bar{K}) \right]_+ .$$

This is formally proved in Appendix B.

Remark 1. The optimal covariance matrix $K$ (18) is called $K_x^*$ in [7], where it is given in terms of the diagonal form of the GSVD (11):⁴

$$K = \bar{K}^{1/2} Y \begin{pmatrix} \left( Y_B^\dagger Y_B \right)^{-1} & 0_{L_B \times L_E} \\ 0_{L_E \times L_B} & 0_{L_E \times L_E} \end{pmatrix} Y^\dagger \bar{K}^{\dagger/2} , \tag{20}$$

where $Y = X^{-\dagger}$ and $X$ is the right invertible matrix of (11), $Y_B$ is the sub-matrix composed of the first $L_B$ columns of $Y$, and $0_{m \times n}$ denotes the all-zero matrix of dimensions $m \times n$. Comparing (18) and (20), it is evident that using the triangular form of the GSVD indeed simplifies the representation over using the diagonal one.

⁴ In [7] a specific choice of $K^{1/2}$ was used: the matrix $B$ that satisfies $BB = K$.

Remark 2. One may wonder why, of all possible choices of $V_A$, the capacity is given in terms of the GSVD. An intuitive reason is as follows. By Theorem 1, the GSV series is the “least balanced” possible in a multiplicative majorization sense among all achievable diagonal ratios. In particular, for any $V_A$,

$$\sum_{i=1}^{N_A} \left[ \log \mu_i^2 \right]_+ \ge \sum_{i=1}^{N_A} \left[ \log \frac{b_i^2}{e_i^2} \right]_+ .$$

Remark 3. Using (7), the capacity of the MIMO wiretap channel under a power constraint $P$ can be written as

$$C_S(H_B, H_C, P) = \max_{K:\ \mathrm{trace}\{K\} = P} \sum_{i=1}^{N_A} \left[ \log \mu_i^2(H_B, H_C, K) \right]_+ .$$

Remark 4. For the optimal $K$ (18), all the GSVs are greater than or equal to 1. To the contrary, assume that some are strictly smaller than 1; then, we can use a matrix $K$ with the appropriate directions “nullified”. Such a “truncated” matrix will satisfy the covariance constraint while improving the achievable secrecy rate of the scheme, in contradiction to the assumption. A fortiori, under a power constraint, the power saved by such a truncation can be allocated to “useful” directions.
IV. SCALAR TRANSMISSION OVER MIMO CHANNELS

In this section we briefly review the connection between matrix decompositions and scalar transmission schemes, without secrecy requirements. For a more thorough account, the reader is referred to [18], [24], [35]. Consider the channel (2a). Construct the augmented matrix $G_B = G(H_B, K)$ as in (14), and choose some unitary matrix $V_A$. Apply the GTD (9) to $G_B$ with $V_A$ as the right matrix:

$$G_B = U_B T_B V_A^\dagger . \tag{21}$$

Now let $\tilde{x}$ be a vector of standard Gaussian variables, and set

$$x = K^{1/2} V_A \tilde{x} . \tag{22}$$

Denote by $\tilde{U}_B$ the sub-matrix consisting of the upper-left $N_B \times N_A$ block of $U_B$, define $\tilde{T}_B = \tilde{U}_B^\dagger K^{1/2} V_A$, and let

$$\tilde{y}_B = \tilde{U}_B^\dagger y_B \tag{23a}$$
$$= \tilde{U}_B^\dagger K^{1/2} V_A \tilde{x} + \tilde{U}_B^\dagger z_B \tag{23b}$$
$$= \tilde{T}_B \tilde{x} + \tilde{z}_B . \tag{23c}$$

Since $\tilde{U}_B$ is not unitary, the statistics of $\tilde{z} \triangleq \tilde{U}_B^\dagger z$ differ from those of $z$, and its covariance matrix is given by $K_{\tilde{z}} \triangleq \tilde{U}_B^\dagger \tilde{U}_B$. Now, for $i = 1, \ldots, N_A$, define⁵

$$y'_{B;i} = \tilde{y}_{B;i} - \sum_{\ell=i+1}^{N_A} T_{B;i,\ell}\, \tilde{x}_\ell \tag{24a}$$
$$= \tilde{T}_{B;i,i}\, \tilde{x}_i + \sum_{\ell=1}^{i-1} \tilde{T}_{B;i,\ell}\, \tilde{x}_\ell + \tilde{z}_i \tag{24b}$$
$$\triangleq \tilde{T}_{B;i,i}\, \tilde{x}_i + z_i^{\mathrm{eff}} . \tag{24c}$$

⁵ We use the fact that $\tilde{T}_{B;i,\ell} = T_{B;i,\ell}$ for $\ell > i$.

In this scalar channel from $\tilde{x}_i$ to $y'_{B;i}$, we see other $\tilde{x}_\ell$ as “interference”, $\tilde{z}_i$ — as “noise”, and their sum $z_i^{\mathrm{eff}}$ — as “effective noise”. The resulting signal-to-interference-and-noise ratio (SINR) is given by:

$$\mathrm{SINR}_{B;i} \triangleq \frac{(\tilde{T}_{B;i,i})^2}{K_{z^{\mathrm{eff}};i,i}} = \frac{(\tilde{T}_{B;i,i})^2}{K_{\tilde{z};i,i} + \sum_{\ell=1}^{i-1} (\tilde{T}_{B;i,\ell})^2} ,$$

where $K_{\tilde{z};i,j}$ denotes the $(i, j)$ entry of $K_{\tilde{z}}$. The following key result achieves the mutual information [35, Lemma III.3], [23].⁶

$$I\left( \tilde{x}_i ; y_B \,\middle|\, \tilde{x}_{i+1}^{N_A} \right) = I\left( \tilde{x}_i ; y'_{B;i} \right) \tag{25a}$$
$$= \log(1 + \mathrm{SINR}_{B;i}) \tag{25b}$$
$$= \log(b_i^2) , \tag{25c}$$

where $\{b_i\}$ are the diagonal values of $T_B$, which satisfy

$$b_i^2 = 1 + \mathrm{SINR}_{B;i} \tag{26}$$

and

$$\sum_{i=1}^{N_A} \log b_i^2 = \sum_{i=1}^{N_A} \log(1 + \mathrm{SINR}_{B;i}) = I(H_B, K) ,$$

which equals the channel capacity for the optimal $K$.

⁶ Note that, even though $\tilde{z}$ has dependent components, the entries of the effective noise $z^{\mathrm{eff}}$ are independent.

This analysis immediately gives rise to the following scheme, which is, in turn, a variant of the renowned V-BLAST/GDFE scheme [20]–[23].

Scheme (Layered-SIC).

Offline: Construct $N_A$ scalar Gaussian codes that are good for SNRs $\{\mathrm{SINR}_{B;i}\}$.⁷

Alice: At each time instant:
• Forms $\tilde{x}$, using one sample from each codebook.
• Transmits $x$ according to (22): $x = K^{1/2} V_A \tilde{x}$.

Bob:
• At each time instant forms $\tilde{y}_B$ according to (23): $\tilde{y}_B = \tilde{U}_B^\dagger y_B = \tilde{T}_B \tilde{x} + \tilde{z}_B$.
• The codebooks are decoded using SIC, from last ($i = N_A$) to first ($i = 1$). Assuming correct decoding of all codebooks $i + 1, \ldots, N_A$, Bob forms $y'_{B;i}$ (24): $y'_{B;i} = \tilde{T}_{B;i,i}\, \tilde{x}_i + z_i^{\mathrm{eff}}$.

⁷ More generally, any number $N \ge \mathrm{rank}\{K\}$ of scalar codebooks can be used; see [18], [35] for details.

By the analysis above, the scheme is optimal in the sense that the sum of codebook rates can approach the channel capacity.

V. ORTHOGONALIZING EVE’S CHANNEL

In this section we present a simple adaptation of the layered-SIC scheme of Section IV to the MIMO wiretap setting, that achieves the secrecy capacity of the channel using scalar wiretap codes. To this end, we note that the layered-SIC scheme is capacity-achieving (without secrecy constraints) for any choice of $V_A$. In particular, we can choose $V_A$ to be the unitary matrix that diagonalizes Eve’s effective channel matrix, namely, the right matrix of the SVD of Eve:

$$H_E K^{1/2} = U_E D_E V_A^\dagger . \tag{27}$$

Applying this $V_A$ to $H_E$ (followed by $K^{1/2}$) provides effective parallel scalar independent channels to Eve, of SNRs that satisfy

$$1 + \mathrm{SNR}_{E;i} = 1 + D_{E;ii}^2 \tag{28a}$$
$$\triangleq e_i^2 , \tag{28b}$$

where $\{D_{E;ii}\}$ are the diagonal values of $D_E$, which constitute the singular values of $H_E$, and

$$e_i \triangleq \sqrt{D_{E;ii}^2 + 1} .$$

The respective decomposition of $G_B$ is as in (21), where the diagonal values of the resulting generalized triangular matrix $T_B$ are $\{b_i\}$. Since Eve observes parallel independent channels, using scalar wiretap codes over these channels, that are matched to the SNRs to Eve (28), guarantees the secrecy of the scheme. Moreover, by using wiretap codes that work with respect to the SNRs to Bob of (26), the secrecy capacity is achieved. This is formally stated in the following theorem.

Theorem 4. The layered-SIC scheme of Section IV achieves the secrecy capacity under a covariance constraint $C_S(H_B, H_E, \bar{K})$ by using:
• The optimal input covariance matrix $K$ of (18).
• Choosing $V_A$ of the SVD of $H_E K^{1/2}$ (27).
• Scalar Gaussian capacity-achieving wiretap codes that are designed for the Bob–Eve SNR-pairs $\left( b_i^2 - 1,\ e_i^2 - 1 \right)$.

Proof: The total rate can approach

$$R = \sum_{i=1}^{N_A} C_S\left( \sqrt{b_i^2 - 1},\ \sqrt{e_i^2 - 1} \right) \tag{29a}$$
$$= \sum_{i=1}^{N_A} \left[ \log \frac{b_i^2}{e_i^2} \right]_+ \tag{29b}$$
$$\ge \sum_{i=1}^{N_A} \log \frac{b_i^2}{e_i^2} \tag{29c}$$
$$= I(H_B, K) - I(H_E, K), \tag{29d}$$

where the last equality follows from (16) and

$$I(H_E, K) = \log\left| I + H_E K H_E^\dagger \right| = \log\left| I + K^{\dagger/2} H_E^\dagger H_E K^{1/2} \right| = \log\left| I + V_A^\dagger D_E^2 V_A \right| = \log\left| I + D_E^2 \right| = \sum_{i=1}^{N_A} \log\left( 1 + D_{E;ii}^2 \right) = \sum_{i=1}^{N_A} \log e_i^2 .$$

Thus, capacity can be achieved with the optimal $K$. Bob can decode just as he did without secrecy; it remains to bound the mutual information that Eve can gain. Let $\tilde{y}_E = U_E^\dagger y_E$, where $U_E$ is chosen according to (27). Then,

$$\tilde{y}_E = U_E^\dagger y_E = U_E^\dagger \left( H_E K^{1/2} V_A \tilde{x} + z_E \right) = D_E \tilde{x} + U_E^\dagger z_E ,$$

where $\bar{z}_E \triangleq U_E^\dagger z_E$ has the same statistics as $z_E$. The resulting channel is diagonal with i.i.d. noise. Since $U_E^\dagger$ is invertible, its application incurs no loss in information, i.e.,

$$I(\tilde{x}; \tilde{y}_E) = I(\tilde{x}; y_E) .$$

Hence, applying $U_E^\dagger$ results in parallel independent Gaussian scalar channels, with no loss of information. The resulting parallel (orthogonal) AWGN channels have SNRs $\{e_i^2 - 1\}$, as we assumed in constructing the scalar wiretap codes. Thus, secrecy is guaranteed.

Remark 5. Gaussian codes are known to provide strong secrecy guarantees (see [36]). Thus, using such codes establishes a strong secrecy guarantee of the MIMO wiretap channel capacity (4). Moreover, by applying the procedure of [11] to Gaussian codes, even semantic security can be guaranteed.

Remark 6. Similarly to Remark 4, for the optimal $K$ under a covariance constraint, either $b_i > e_i$ or $b_i = e_i = 1$ hold for all $i$, since otherwise $K$ can be improved by nullifying the transmit power of this sub-channel, as in Section III. Hence, for the optimal choice of $K$, the limiting operation in (29b) is inactive. This can also be shown directly using the majorization condition of Theorem 2.

Remark 7. In the celebrated SVD-based scheme for MIMO channels of Telatar [19], the SVD is applied to the physical channel matrix $H = U D V_A^\dagger$. The transmitted signal is then formed as $x = V_A \Phi \tilde{x}$, where $\Phi$ is a water-filling (non-unitary) matrix and $\tilde{x}$ is a vector whose entries comprise the channel codebooks. Thus, the SVD plays two roles: it serves both for reducing the coding task to that of coding over scalar channels and to construct the optimal input covariance matrix. In contrast, in (27) the SVD is applied to the effective channel matrix $H_E K^{1/2}$, which already includes the non-unitary “coloring” part $K^{1/2}$. Thus, there is an order reversal: first the capacity expression is optimized with respect to $K$, and then diagonalization is carried out to reduce the coding task. This form allows using the SVD-based scheme for scenarios where the optimization over $K$ is dictated by other constraints, e.g., individual power constraints, or where the target expression is different, e.g., an MI difference as in the wiretap case. Finally, note that the rate of (17) can be achieved using the proposed scheme, even if $K$ is suboptimal (when exact calculation of the optimal $K$ is hard).
VI. GENERAL MULTI-STREAM SCHEME

In this section we show that in fact secrecy capacity can be achieved using the layered-SIC scheme and scalar wiretap codes for any choice of $V_A$, thereby generalizing the result of Section V to transmission that is not necessarily orthogonal over Eve’s channel. Specifically, we show that the secrecy capacity can be achieved using any joint triangularization of the augmented channel matrices (15) (any unitary matrix $V_A$ at the encoder). In the general case, Eve’s resulting matrix is triangular and hence denoted by $T_E$, as in (15b). The diagonal values of $T_E$ are denoted by $\{e_i\}$. The resulting family of schemes includes two important special cases, discussed in Section VI-A, in addition to the one introduced in Section V.
Theorem 5. The layered-SIC scheme of Section IV achieves the secrecy capacity under a covariance constraint CS (HB , HE K) by using: • The optimal input covariance matrix K of (18). • Any joint unitary triangularization (15). • Scalar Gaussian capacity-achieving wiretap codes that for the Bob–Eve SNR-pairs 2 are 2 designed bi − 1, ei − 1 , where {bi } and {ei } are defined as in Section III. We use the following result, proved in Appendix C, for the proof of this theorem, which extends beyond the Gaussian wiretap setting, for both the discrete and the continuous cases. Proposition 1. Let p(yB |x) and p(yE |x) be the transition distributions for the legitimate user (“Bob”) and the eavesdropper (“Eve”), respectively, of a memoryless wiretap channel, where x is the transmitted signal, and yB and yE are the channel outputs to Bob and Eve, respectively. Let a superposition coding scheme be defined by codes {˜ xi : i = 1, . . . , NA } and a scalar function ϕ such that x = ϕ (˜ x1 , . . . , x ˜NA ) .
(30)
Then, for ǫ > 0, however small, and for any joint distribution p(˜x1 , . . . , ˜xNA ), there exists a scheme which achieves weak secrecy, with the k-th codebook conveying a rate: A A Rk = I(˜xk ; yB |˜xN xk ; yE |˜xN k+1 ) − I(˜ k+1 ) − ǫ.
(31)
Remark 8. The secrecy-proof of this result uses a “genieaided” argument: in the mutual information of the k-th codeword recovered by Eve, we provide all previous codewords {˜ xℓ | ℓ = k + 1, . . . , NA } as “genie”, even though Eve cannot recover these messages. Bob, on ther other hand, uses successive decoding to recover the messages. Thus, the allocation of rates {Rk } in (31) guarantees that all the messages (m1 , ..mNA ) remain jointly secured from the eavesdropper’s channel output sequence. Proof of Theorem 5: We specialize the general superposition coding framework of Proposition 1 to the linear encoder structure and independent Gaussian distributions of (˜x1 , . . . , ˜xNA ). Use x = ϕ (˜ x1 , . . . , x ˜NA ) ˜, = K1/2 VA x ˜ is composed of one symbol from in (30), where the vector x ˜ = (˜ each codebook: x x1 , . . . , x ˜k )T .8 Each codebook is a scalar Gaussian wiretap codebook of average power 1. The achievable secrecy rate of codebook k = 1, . . . , NA is given by (31): A A Rk = I ˜xk ; yB ˜xN xk ; yE ˜xN (32a) k+1 − I ˜ k+1 − ǫ ′ ′ = I ˜xk ; yB;k − I ˜xk ; yE;k −ǫ (32b) 2 2 (32c) = log bk − log ek − ǫ b2k (32d) = log 2 − ǫ , ek 8 Here, in contrast to Appendix C, boldface letters represent spatial vectors and time indices are suppressed.
where (32c) and (32b) are due to (25a) and (25c), respectively. Thus, using the result of (17), we can achieve R= =
N X
Rk
k=1 N X k=1
b2 log k2 ek
+
−ǫ
and for the optimal covariance matrix $\mathbf{K}$, the scheme approaches the secrecy capacity.

A. Important Special Cases

We now present “special” choices of $\mathbf{V}_A$ which provide various advantages.

1) Orthogonalizing Eve’s channel: The scheme of Section V is, in fact, a special case of the proposed scheme in this section. The unitary matrix $\mathbf{V}_A$ of the SVD of $\mathbf{H}_E \mathbf{K}^{1/2}$ in (27) is identical to that of the SVD of $\mathbf{G}_E$ (15b) and the diagonal entries of $\mathbf{D}_E$ and of $\mathbf{T}_E$ satisfy the relation (28); see [37] for further details and proof.

2) Orthogonalizing Bob’s channel: Avoiding SIC: Performing SIC adds complexity to the decoder, as well as introduces potential error propagation. We can avoid this by performing SVD with respect to Bob’s channel, as opposed to Eve’s channel, as done in Section V. That is, choose $\mathbf{V}_A$ such that $\mathbf{G}_B = \mathbf{U}_B \mathbf{D}_B \mathbf{V}_A^\dagger$, where $\mathbf{D}_B$ is diagonal. As happens with Eve in Section V, Bob obtains a diagonal equivalent channel, where each sub-stream can be decoded independently.

3) Avoiding individual bit-loading: When using (non-secret) communication schemes based on SVD or QR, as in the layered-SIC scheme, the effective sub-channel gains $\{b_i\}$ are different in general. This requires, in turn, a bit-loading mechanism and the design of codes of different rates matching these gains. By using the GMD, described in Section II-A, instead, a constant diagonal is achieved, which translates into equal SNRs for all parallel channels. This suggests, in turn, that bit-loading can be avoided altogether and that the codewords sent over the resulting sub-channels can be drawn from the same codebook. A similar result can be achieved for the wiretap setting. To this end we require the usage of a modular scheme that transforms good AWGN codes of rate close to $\log(b^2)$ for Bob into wiretap codes of rate close to $\log(b^2/e^2)$. This way, after applying the GMD to $\mathbf{G}_B$, the same AWGN codebook can be used over all sub-channels, where for each sub-channel a different transformation into a wiretap code is used, that depends on its effective SNR to Eve $(e_i^2 - 1)$. Indeed, such a modular approach exists; see Section IX.

Remark 9. It is possible to use the same wiretap code without assuming the modular wiretap code construction, by using a joint matrix decomposition that achieves constant diagonals for both triangular matrices simultaneously. A construction that essentially achieves this property was proposed in [24].
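The layer parameters used in the proof of Theorem 5 and in the special cases above can be computed directly; the following is an added example, not code from the paper. For a given unitary $\mathbf{V}_A$ it obtains the diagonals $b_i$, $e_i$ by QR (Gram-Schmidt) on the augmented matrices in the stacked form shown in Appendix B, lists the per-layer design SNRs and rates $\log(b_i^2/e_i^2)$ in bits, and checks that the layer rates sum to the mutual-information difference for any $\mathbf{V}_A$. The real-valued 2×2 sample matrices, the function names and the use of a Cholesky factor as the square root of $\mathbf{K}$ are assumptions of the example.

```python
import math

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def identity(n):
    return [[float(i == j) for j in range(n)] for i in range(n)]

def cholesky(K):
    """Lower-triangular B with B B^T = K (K must be positive definite)."""
    n = len(K)
    B = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = K[i][j] - sum(B[i][k] * B[j][k] for k in range(j))
            B[i][j] = math.sqrt(s) if i == j else s / B[j][j]
    return B

def det(A):
    """Determinant by Gaussian elimination with partial pivoting."""
    A = [row[:] for row in A]
    n, d = len(A), 1.0
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        if A[p][c] == 0.0:
            return 0.0
        if p != c:
            A[c], A[p], d = A[p], A[c], -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return d

def qr_diagonal(G):
    """Diagonal of T in G = U T, via modified Gram-Schmidt on the columns of G."""
    basis, diag = [], []
    for col in zip(*G):
        w = list(col)
        for q in basis:
            proj = sum(a * b for a, b in zip(q, w))
            w = [wi - proj * qi for wi, qi in zip(w, q)]
        norm = math.sqrt(sum(x * x for x in w))
        diag.append(norm)
        basis.append([x / norm for x in w])
    return diag

def layer_design(H_B, H_E, K, V_A):
    """Per-layer parameters of the scalar wiretap codes for a given unitary V_A.

    The Cholesky factor differs from the symmetric K^{1/2} only by a rotation,
    which can be absorbed into V_A (assumption of this example).
    """
    n, root = len(K), cholesky(K)
    # Augmented matrices [H K^{1/2} V_A ; I]: list concatenation stacks the rows.
    b = qr_diagonal(matmul(matmul(H_B, root), V_A) + identity(n))
    e = qr_diagonal(matmul(matmul(H_E, root), V_A) + identity(n))
    return [{"bob_snr": bi * bi - 1.0,            # SNR the layer sees at Bob
             "eve_snr": ei * ei - 1.0,            # SNR the layer sees at Eve
             "rate": math.log2(bi * bi / (ei * ei))}
            for bi, ei in zip(b, e)]

def mi_difference(H_B, H_E, K):
    """log det(I + H_B K H_B^T) - log det(I + H_E K H_E^T), in bits."""
    def logdet(H):
        M = matmul(matmul(H, K), [list(c) for c in zip(*H)])
        for i in range(len(M)):
            M[i][i] += 1.0
        return math.log2(det(M))
    return logdet(H_B) - logdet(H_E)

def rotation(theta):
    """A 2x2 real unitary (rotation) matrix, used as a candidate V_A."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c, -s], [s, c]]

# Constructed sample channels and covariance (not taken from the paper).
H_B = [[1.5, 0.4], [0.3, 1.1]]
H_E = [[0.6, 0.9], [0.2, 0.5]]
K = [[2.0, 0.5], [0.5, 1.0]]

if __name__ == "__main__":
    print("MI difference [bits]:", round(mi_difference(H_B, H_E, K), 4))
    for theta in (0.0, math.pi / 2):
        layers = layer_design(H_B, H_E, K, rotation(theta))
        print("theta =", round(theta, 3), [round(l["rate"], 4) for l in layers],
              "sum =", round(sum(l["rate"] for l in layers), 4))
```

The two rotations split the same total differently across the layers, which is the freedom the special choices of $\mathbf{V}_A$ exploit.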
VII. DIRTY-PAPER CODING BASED SCHEMES

In this section we construct the DPC counterparts of the layered-SIC scheme for Gaussian MIMO channels with and without secrecy constraints. In these variants the successive decoding process of the scalar codes is replaced with a successive encoding one; consequently, all (scalar) codebooks can be recovered in parallel and independently of each other. Consequently, these variants are useful for more complex settings, such as the confidential MIMO broadcast setting treated in Section VIII. We start by presenting the DPC-based schemes without secrecy constraints, in Section VII-A. We then construct a variant for the MIMO wiretap setting, in Section VII-B, which again achieves the secrecy capacity of the channel.

A. Without Secrecy Constraints

We now briefly review the DPC variant of the layered-SIC scheme, which is based in turn on [38], [39] (see also [35]).

Scheme (Layered-DPC).

Offline: Construct $N_A$ good dirty-paper codebooks as follows. Codebook $i$ ($1 \le i \le N_A$) is constructed for a channel with AWGN of power 1, SNR $(b_i^2 - 1)$ and interference$^9$

$$\sum_{\ell=i+1}^{N_A} T_{B;i,\ell}\, \tilde{x}_\ell \tag{33}$$

which is available as side information at the transmitter.

Alice: At each time instant:
• Generates $\tilde{x}_i$ from last ($i = N_A$) to first ($i = 1$), where $\tilde{x}_i$ is generated according to the message to be conveyed and the interference (33).
• Forms $\tilde{\mathbf{x}}$ with entries $\{\tilde{x}_i\}$.
• Transmits $\mathbf{x}$ according to (22): $\mathbf{x} = \mathbf{K}^{1/2} \mathbf{V}_A \tilde{\mathbf{x}}$.

Bob:
• At each time instant forms $\tilde{\mathbf{y}}_B$ according to (23): $\tilde{\mathbf{y}}_B = \tilde{\mathbf{U}}_B^\dagger \mathbf{y}_B$.
• Decodes the codebooks using dirty-paper decoders, where $\tilde{x}_i$ is decoded from $\tilde{y}_{B;i}$.

By using good dirty-paper codes, capacity is achieved; see, e.g., [35]. We further note that codeword $\tilde{x}_i$ is recovered from $\tilde{y}_{B;i}$ regardless of whether the other codewords $\{\tilde{x}_j \mid j \neq i\}$ were recovered or not.

Footnote 9: Again, we use the fact that $\tilde{T}_{B;i,\ell} = T_{B;i,\ell}$ for $\ell > i$.

B. MIMO Wiretap Channel

By replacing the dirty-paper scalar codes in the layered-DPC scheme with scalar dirty-paper wiretap codes [40], [41], a scheme that approaches the MIMO wiretap secrecy capacity can be constructed.

Theorem 6. The layered-DPC scheme of Section VII-A achieves the secrecy capacity under a covariance constraint $C_S(\mathbf{H}_B, \mathbf{H}_E, \bar{\mathbf{K}})$ by using:
• The optimal input covariance matrix $\mathbf{K}$ of (18).
• Any joint unitary triangularization (15).
• Scalar Gaussian dirty-paper wiretap codes, where the $i$-th codebook ($i = 1, \ldots, N_A$) is designed for
  – Bob’s SNR of $(b_i^2 - 1)$ and interference $\sum_{\ell=i+1}^{N_A} T_{B;i,\ell}\, \tilde{x}_\ell$.
  – Eve’s SNR of $(e_i^2 - 1)$.
  – Rate close to $R_i = \log(b_i^2/e_i^2)$.

We next prove the existence of such codes and consequently also the result of Theorem 6.

Proof: The proof follows by a standard extension of the proof of Theorem 5 to the dirty-paper case [40]–[42].

Codebook construction: For each $k = 1, \ldots, N_A$ we generate a codebook $\mathcal{C}$ of $2^{n(R_k + \tilde{R}_k)}$ sub-codebooks. Each such sub-codebook is assigned a unique index pair $(m_k, f_k)$, where $m_k \in \{1, 2, \ldots, 2^{nR_k}\}$ and $f_k \in \{1, 2, \ldots, 2^{n\tilde{R}_k}\}$, and contains $2^{n[R_k^U - (R_k + \tilde{R}_k)]}$ codewords. Each codeword within codebook $k$ is generated independently in an i.i.d. manner with respect to a Gaussian distribution $p(u_k)$ with parameters dictated by

$$u_k = \tilde{T}_{B;k,k}\, \tilde{x}_k + \alpha_k \sum_{\ell=k+1}^{N_A} \tilde{T}_{B;k,\ell}\, \tilde{x}_\ell, \tag{34a}$$
$$\alpha_k \triangleq \frac{b_k^2 - 1}{b_k^2}, \tag{34b}$$

for zero mean unit power i.i.d. Gaussian random variables $\{\tilde{x}_k \mid k = 1, \ldots, N_A\}$. Note that since in this case the interference (available as side information to Alice) in sub-channel $k$ is composed of messages $\{x_\ell \mid \ell = 1, \ldots, N_A\}$, the information carried by the sets $\{\tilde{x}_\ell \mid \ell = 1, \ldots, N_A\}$ and $\{u_\ell \mid \ell = 1, \ldots, N_A\}$ is the same. Let $\epsilon > 0$. Then the rates are chosen as

$$R_k \triangleq I(u_k; \mathbf{y}_B) - I\left(u_k; \mathbf{y}_E, u_{k+1}^{N_A}\right) - \epsilon$$
$$= \left[ I(u_k; \mathbf{y}_B) - I\left(u_k; u_{k+1}^{N_A}\right) \right] - I\left(u_k; \mathbf{y}_E \,\middle|\, u_{k+1}^{N_A}\right) - \epsilon$$
$$= I\left(\tilde{x}_k; \mathbf{y}_B \,\middle|\, \tilde{x}_{k+1}^{N_A}\right) - I\left(\tilde{x}_k; \mathbf{y}_E \,\middle|\, \tilde{x}_{k+1}^{N_A}\right) - \epsilon$$
$$= \log \frac{b_k^2}{e_k^2} - \epsilon, \tag{35a}$$
$$\tilde{R}_k \triangleq I\left(u_k; \mathbf{y}_E \,\middle|\, u_{k+1}^{N_A}\right) - \epsilon = I\left(\tilde{x}_k; \mathbf{y}_E \,\middle|\, \tilde{x}_{k+1}^{N_A}\right) - \epsilon = \log e_k^2 - \epsilon, \tag{35b}$$
$$R_k^U \triangleq I(u_k; \mathbf{y}_B) - \epsilon = \log\left( b_k^2 + \sum_{\ell=k+1}^{N_A} |T_{B;k,\ell}|^2 \right) - \epsilon. \tag{35c}$$

Encoding (Alice): Encoding is carried in a successive manner, from last ($k = N_A$) to first ($k = 1$). Within codebook $k$, the index of the sub-codebook to be used is determined by the secret message $m_k$ and a fictitious message $f_k$ drawn uniformly over their respective ranges. The codeword $u_k$,
within sub-codebook $(m_k, f_k)$, that is selected is the one that is jointly typical with the side information $\sum_{\ell=k+1}^{N_A} \tilde{T}_{B;k,\ell}\, \tilde{x}_\ell$. If no such codeword $u_k$ exists, then the first codeword is selected.

Decoding (Bob): Bob recovers $(m_k, f_k)$ using standard dirty-paper decoding as in Section VII-A, and discards $f_k$. The error probability can be made arbitrarily small by taking large enough $n$.

Secrecy analysis (Eve): As in the proof of Proposition 1, we provide $\{u_\ell \mid \ell = k+1, \ldots, N_A\}$ as genie for the secrecy analysis of $u_k$. By recalling that $\{\tilde{x}_\ell \mid \ell = k+1, \ldots, N_A\}$ and $\{u_\ell \mid \ell = k+1, \ldots, N_A\}$ carry the same information, and the linear relation in the definition of $u_k$ (34a), the secrecy analysis reduces to the analysis in the proof of Proposition 1, as appears in Appendix C, specialized to the Gaussian case.

VIII. CONFIDENTIAL BROADCAST AS A CONSEQUENCE
In this section we consider the two-user MIMO confidential broadcast scenario. Namely, “Eve” is replaced with “Charlie” in (2b), and the corresponding noise, output and channel matrix are denoted by $\mathbf{z}_C$, $\mathbf{y}_C$ and $\mathbf{H}_C$, respectively. We next show that, under the covariance matrix constraint, the rectangular capacity region (8), that was established in [10], can be attained as a natural extension of the capacity derivation for the MIMO wiretap channel and the layered DPC scheme proposed in Sections III and VII, respectively.

A. Capacity

We saw in Section III that in order to achieve the secrecy capacity where Charlie takes the role of Eve, the GSVD needs to be applied to $(\mathbf{G}_B, \mathbf{G}_C)$ and only the sub-channels corresponding to GSVs that are greater than 1 (corresponding to sub-channels with greater SNR to Bob than to Charlie) need to be used, and the rest nullified. However, we note that, if we were interested in confidential communication with Charlie rather than with Bob, we would get the same solution with the roles of $\mathbf{H}_B$ and $\mathbf{H}_C$ reversed. This, in turn, means inversion of the GSVs:

$$\log \mu_i(\mathbf{H}_C, \mathbf{H}_B, \bar{\mathbf{K}}) = -\log \mu_i(\mathbf{H}_B, \mathbf{H}_C, \bar{\mathbf{K}}).$$

In these terms, we can write the rectangular capacity-region of the confidential BC channel (8), established first in [10], as follows.

Theorem 7. The capacity region of the confidential MIMO BC channel under an input covariance constraint $\bar{\mathbf{K}}$ is given by all rates $(R_B, R_C)$ satisfying:

$$R_B \le \sum_{i=1}^{N_A} \left[ \log \mu_i^2(\mathbf{H}_B, \mathbf{H}_C, \bar{\mathbf{K}}) \right]_+, \tag{36a}$$
$$R_C \le \sum_{i=1}^{N_A} \left[ -\log \mu_i^2(\mathbf{H}_B, \mathbf{H}_C, \bar{\mathbf{K}}) \right]_+. \tag{36b}$$
Remark 10. Similarly to the MIMO wiretap channel, the capacity region under a power constraint P is just the union of all (rectangular) regions under a covariance constraint with small enough trace.
The converse part of this result is trivial by Theorem 3, since both users attain their individual secrecy capacities. For the direct part, it is tempting to think that since different GSVs are nullified for Bob and for Charlie, Alice can achieve their optimal rates simultaneously by communicating over orthogonal “subspaces”. However, since the matrices $\mathbf{T}_B$ and $\mathbf{T}_C$ are not diagonal, these “subspaces” are not orthogonal, and some more care is needed.

To this end, in the next section we put into force the layered-DPC scheme of Section VII, which allows recovering the sub-message transmitted over each sub-channel independently, without the recovery of other sub-messages (in contrast to the layered-SIC scheme). This property is required by at least one of the users, Bob or Charlie, as each of them recovers only a subset of all the transmitted sub-messages. The derivation of the scheme thus provides a constructive proof for the direct part of Theorem 7, which is an alternative to the proof in [10].

B. Capacity Achieving Schemes

In view of Theorem 2 and the schemes developed for the MIMO wiretap channel, the result of Section III has a rather intuitive interpretation: $\mathbf{V}_A$ of the GSVD is the precoding matrix that designs the ratios between $\{b_i\}$ and $\{c_i\}$ to be as large as possible ($\{c_i\}$ replacing $\{e_i\}$), which corresponds to maximizing the achievable secrecy rate to Bob. In order to achieve Bob’s secrecy capacity, only the sub-channels for which the secrecy rate is positive ($b_i > c_i$) need to be utilized. Allocating the remaining sub-channels to Charlie, on the other hand, attains Charlie’s optimal covariance matrix. Combining the two gives rise to the following scheme, which is a straightforward adaptation of the layered-DPC scheme of Section VII for the wiretap channel.

Scheme (Layered-DPC confidential broadcast).

Offline:
• Apply the GSVD to $\mathbf{G}_B = \mathbf{G}(\mathbf{H}_B, \bar{\mathbf{K}})$ and to $\mathbf{G}_C = \mathbf{G}(\mathbf{H}_C, \bar{\mathbf{K}})$ as in (15).
• Denote the diagonal entries of $\mathbf{T}_B$ and $\mathbf{T}_C$ by $\{b_i\}$ and $\{c_i\}$, respectively.
• Denote further the (first) number of indices for which $b_i > c_i$ by $L_B$. The remaining $L_C = N_A - L_B$ indices satisfy $c_i \ge b_i$.
• Denote by $\tilde{\mathbf{U}}_B$ the upper-left $N_B \times L_B$ sub-matrix of $\mathbf{U}_B$, and by $\tilde{\mathbf{U}}_C$ the upper-right $N_C \times L_C$ sub-matrix of $\mathbf{U}_C$.
• Construct $N_A$ good scalar wiretap codes of unit power and length $n$, denoted by $\tilde{x}_i$ (with the time index omitted to simplify notation), as follows.
  – The first $L_B$ codes are intended for Bob: Codebook $\tilde{x}_i$ ($1 \le i \le L_B$) is constructed for an AWGN channel to Bob of SNR $b_i^2 - 1$ and interference $\sum_{\ell=i+1}^{N_A} T_{B;i,\ell}\, \tilde{x}_\ell$, and for an AWGN channel to Charlie of SNR $c_i^2 - 1$.
  – The remaining $L_C$ codes are intended for Charlie: Codebook $\tilde{x}_i$ ($L_B + 1 \le i \le N_A$) is constructed for an AWGN channel to Charlie of SNR $c_i^2 - 1$ and interference $\sum_{\ell=i+1}^{N_A} T_{C;i,\ell}\, \tilde{x}_\ell$, and for an AWGN channel to Bob of SNR $b_i^2 - 1$.

Alice: At each time instant:
• Generates $\tilde{x}_i$ from last to first, where $\tilde{x}_i$ is generated according to the messages to be conveyed and the interference signals $\{\tilde{x}_\ell \mid \ell = i+1, \ldots, N_A\}$.
• Forms $\tilde{\mathbf{x}}$ with entries $\{\tilde{x}_i\}$.
• Transmits $\mathbf{x}$ according to (22): $\mathbf{x} = \bar{\mathbf{K}}^{1/2} \mathbf{V}_A \tilde{\mathbf{x}}$.

Bob:
• At each time instant forms $\tilde{\mathbf{y}}_B = \tilde{\mathbf{U}}_B^\dagger \mathbf{y}_B$.
• Decodes codebooks $i = 1, \ldots, L_B$ using dirty-paper decoders, where $\tilde{x}_i$ is decoded from $\tilde{y}_{B;i}$.

Charlie:
• At each time instant forms $\tilde{\mathbf{y}}_C = \tilde{\mathbf{U}}_C^\dagger \mathbf{y}_C$.
• Decodes codebooks $i = L_B + 1, \ldots, N_A$ using dirty-paper decoders, where $\tilde{x}_i$ is decoded from $\tilde{y}_{C;(i-L_B)}$.
The following theorem proves that this scheme allows both users to attain their respective secrecy capacities simultaneously, providing a proof for Theorem 7.

Theorem 8. The layered-DPC confidential BC scheme achieves the secrecy capacity region under a covariance constraint (36) by:
• Using scalar Gaussian dirty-paper wiretap codes intended for Bob, as follows, where the $i$-th codebook ($i = 1, \ldots, L_B$) is designed for:
  – Bob’s SNR of $(b_i^2 - 1)$ and interference $\sum_{\ell=i+1}^{N_A} T_{B;i,\ell}\, \tilde{x}_\ell$.
  – Charlie’s SNR of $(c_i^2 - 1)$.
  – Rate close to $R_i = \log(b_i^2/c_i^2)$.
• Using scalar Gaussian DPC wiretap codes intended for Charlie, as follows, where the $i$-th codebook ($i = L_B + 1, \ldots, N_A$) is designed for:
  – Charlie’s SNR of $(c_i^2 - 1)$ and interference $\sum_{\ell=i+1}^{N_A} T_{C;i,\ell}\, \tilde{x}_\ell$.
  – Bob’s SNR of $(b_i^2 - 1)$.
  – Rate close to $R_i = \log(c_i^2/b_i^2)$.
Proof sketch: We start by noting that since the capacity region is rectangular, it suffices to show how to approach the corner point of this region. The proof relies on the fact that in the layered-DPC scheme for the MIMO wiretap channel of Section VII, each sub-codebook is recovered independently, regardless of the other sub-codebooks. Hence, the proof of the decodability and secrecy analysis for Charlie are the same as in the proof of Theorem 6 (with Charlie being the “legitimate” user). In the treatment for Bob, a small variation is needed: the interference over sub-channel $i$ ($1 \le i \le L_B$) is composed of both messages intended for Charlie, $\tilde{x}_{L_B+1}^{N_A}$, and messages intended for Bob, $\tilde{x}_{i+1}^{L_B}$. Thus, the DPC for Bob is carried with respect to both of these interferences, and the decodability and secrecy analysis follow as in the proof of Theorem 6.

Remark 11 (Replacing DPC with SIC). DPC was used in the layered-DPC scheme for both users. However, in the proposed scheme one may use SIC instead of DPC for Charlie, as is done in the layered-SIC scheme for the MIMO wiretap problem. Alternatively, by using lower-triangular matrices instead of upper-triangular ones in (15) (which corresponds to switching roles between Bob and Charlie in the construction of the scheme), one can use SIC for Bob and DPC for Charlie. This phenomenon was also observed by Liu et al. [10]. Unfortunately, this scheme does not allow, in general, to avoid DPC for both of the users.

Remark 12 (Other choices of precoding matrices). In Section VI-A, different choices of $\mathbf{V}_A$ were proposed for the MIMO wiretap problem: diagonalizing either $\mathbf{T}_B$ or $\mathbf{T}_C$, which corresponds to avoiding SIC by Bob or guaranteeing strong secrecy, respectively; or, by balancing all the SNRs of the sub-channels to Bob, which allows using the same codebook over all sub-channels and avoiding bit-loading / rate allocation. The analog in the case of confidential broadcast can be achieved by applying block diagonal unitary operations, in addition to the matrix $\mathbf{V}_A$ that is dictated by the GSVD, where the blocks correspond to the sub-channels that are allocated to Bob and to Charlie, of dimensions $L_B \times L_B$ and $L_C \times L_C$, respectively. However, whereas we can avoid SIC and DPC at Bob’s end in the layered confidential BC scheme by diagonalizing his channel, we cannot achieve this result for both Charlie and Bob simultaneously, as DPC needs to be employed for at least one of the users.

IX. DISCUSSION: FROM RANDOM ENSEMBLES TO SPECIFIC CODES

In this work, we have demonstrated how scalar codes can be used for some MIMO secrecy scenarios. Throughout the work, we have assumed that these scalar codes are taken from a random ensemble, suitable in an appropriate sense (with or without secrecy constraints, with or without side information). One may be interested in an even stronger result, where any scalar codes that are good in the appropriate sense can be used, without worrying about the way they were created. Further, one may hope to combine this with procedures that construct scalar wiretap codes from non-secrecy ones, such as [11] (which is based upon similar techniques for discrete wiretap channels in [43], [44]). Unfortunately, as we report in [45], there are some obstacles.

Surprisingly, the problem lies already in the use of scalar codes for MIMO communications without secrecy constraints. Although, in practice, V-BLAST/GDFE schemes are used in conjunction with arbitrary scalar codebooks, e.g., one-dimensional constellations with some error-correction code,
the combination does not necessarily approach capacity even if the individual codes do; indeed, for some specific channel matrices, the scheme might perform very poorly. To see this, consider (23). This is a multiple-access channel (MAC) from the inputs $\tilde{x}_1, \ldots, \tilde{x}_i$ to the output $y'_{B;i}$. The SIC decoder treating all inputs as noise is equivalent to a stage of a successive-decoding procedure for the MAC. For the MAC, in turn, not any collection of good AWGN codes achieves capacity (see, e.g., [46]). For example, assume that a MAC is given by $y_B = x_1 + x_2 + z$. Now further assume that the two codebooks are nested lattices. In that case (up to shaping), any possible point of $x_1 + x_2$ is also a point of the higher-rate code, thus one codebook cannot be decoded without the other. The problem is not restricted to integer coefficient ratios but affects performance for coefficients close to any “simple” ratio; see, e.g., [47, Section III].

The same problem occurs in our secrecy proofs (except when Eve’s channel is orthogonalized, as in Section V): We successively provide Eve with previous messages as a “genie” side information. As a result the proof hinges on Eve’s inability to perform a successive decoding process in the presence of interference from yet undecoded messages. Here also this interference is taken to be Gaussian and alignment might help Eve.

To conclude, of the two ingredients needed for adjusting any codes that are good for communication over scalar AWGN channels to the MIMO wiretap channel, the secrecy part can be treated by the procedure of [11]. The remaining problem is similar to the one in SIC without secrecy constraints. Indeed, obtaining good scalar Gaussian codes that approach capacity under SIC (without secrecy) from arbitrary scalar Gaussian codes remains an interesting open problem.

ACKNOWLEDGMENTS

The authors thank Ziv Goldfeld for proposing to extend the result of Proposition 1 from independent codes $x_1, \ldots, x_{N_A}$ to dependent ones.
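APPENDIX A
PROOF OF LEMMA 1

Consider the diagonal variant of the GSVD of $\mathbf{G}_B = \mathbf{G}(\mathbf{H}_B, \mathbf{K})$ and $\mathbf{G}_E = \mathbf{G}(\mathbf{H}_E, \mathbf{K})$ (11):

$$\mathbf{G}_B = \mathbf{U}_B \mathbf{D}_B \mathbf{X}^\dagger \tag{37a}$$
$$\mathbf{G}_E = \mathbf{U}_E \mathbf{D}_E \mathbf{X}^\dagger, \tag{37b}$$

and denote the squared GSV vector by $\boldsymbol{\lambda}$, i.e., the vector whose entries satisfy: $\lambda_i \triangleq \mu_i^2$. Following (17), the MI difference in terms of $\{\lambda_i\}$ is equal to

$$I_S(\mathbf{H}_B, \mathbf{H}_E, \mathbf{K}) = \sum \log \lambda_i.$$

Proposition 2. For any matrices $\mathbf{G}_B$ and $\mathbf{G}_E$, consider the generalized eigenvalue (GEV) problem:

$$\mathbf{G}_B^\dagger \mathbf{G}_B \mathbf{y} = \lambda\, \mathbf{G}_E^\dagger \mathbf{G}_E \mathbf{y}.$$

Then, the generalized eigenvalues of $(\mathbf{G}_B^\dagger \mathbf{G}_B, \mathbf{G}_E^\dagger \mathbf{G}_E)$, $\{\lambda_i\}$, are the GSVs of $(\mathbf{G}_B, \mathbf{G}_E)$, $\{\mu_i\}$, and the generalized eigenvectors are the corresponding columns of $\mathbf{Y} = \mathbf{X}^{-\dagger}$. Furthermore, the differential of the GEV $\lambda$ in terms of the differentials of $\mathbf{G}_B^\dagger \mathbf{G}_B$ and of $\mathbf{G}_E^\dagger \mathbf{G}_E$ is given by

$$d\lambda = \frac{\mathbf{y}^\dagger \left[ d(\mathbf{G}_B^\dagger \mathbf{G}_B) - \lambda\, d(\mathbf{G}_E^\dagger \mathbf{G}_E) \right] \mathbf{y}}{\mathbf{y}^\dagger \mathbf{G}_E^\dagger \mathbf{G}_E \mathbf{y}}. \tag{38}$$

Proof: The first part of the proposition easily follows from

$$\mathbf{G}_B^\dagger \mathbf{G}_B \mathbf{Y} = \mathbf{X} \mathbf{D}_B^2, \qquad \mathbf{G}_E^\dagger \mathbf{G}_E \mathbf{Y} = \mathbf{X} \mathbf{D}_E^2.$$

The proof of the differential identity (38) can be derived by standard eigenvalue perturbation analysis; see, e.g., [48].

Lemma 2. The differential of the GSV $\lambda_i$ ($i = 1, \ldots, N_A$), in terms of the differential of the covariance matrix $\mathbf{K}$, is given by

$$c_i^2\, d\lambda_i = (\lambda_i - 1)\, \mathbf{y}_i^\dagger \mathbf{B}^{-1} (d\mathbf{K}) \mathbf{B}^{-\dagger} \mathbf{y}_i,$$

where $\mathbf{B} = \mathbf{K}^{1/2}$, $\mathbf{e}$ is the diagonal of $\mathbf{D}_E$, and $\mathbf{y}_i$ is the corresponding generalized eigenvector corresponding to $\lambda_i$.

Proof: By specializing $\mathbf{G}_B^\dagger \mathbf{G}_B$ and $\mathbf{G}_E^\dagger \mathbf{G}_E$ to the matrices in (37), and differentiating with respect to $\mathbf{K}$, we obtain

$$2\, d(\mathbf{G}_B^\dagger \mathbf{G}_B) = \mathbf{B}^{-1} (d\mathbf{K}) \mathbf{H}_B^\dagger \mathbf{H}_B \mathbf{B} + \mathbf{B}^\dagger \mathbf{H}_B^\dagger \mathbf{H}_B (d\mathbf{K}) \mathbf{B}^{-\dagger}, \tag{39a}$$
$$2\, d(\mathbf{G}_E^\dagger \mathbf{G}_E) = \mathbf{B}^{-1} (d\mathbf{K}) \mathbf{H}_E^\dagger \mathbf{H}_E \mathbf{B} + \mathbf{B}^\dagger \mathbf{H}_E^\dagger \mathbf{H}_E (d\mathbf{K}) \mathbf{B}^{-\dagger}. \tag{39b}$$

Substituting (39) in (38), gives rise to

$$2 c_i^2\, d\lambda_i = \mathbf{y}_i^\dagger \left[ \mathbf{B}^{-1} (d\mathbf{K}) (\mathbf{H}_B^\dagger \mathbf{H}_B - \lambda_i \mathbf{H}_E^\dagger \mathbf{H}_E) \mathbf{B} + \mathbf{B}^\dagger (\mathbf{H}_B^\dagger \mathbf{H}_B - \lambda_i \mathbf{H}_E^\dagger \mathbf{H}_E) (d\mathbf{K}) \mathbf{B}^{-\dagger} \right] \mathbf{y}_i$$
$$= \mathbf{y}_i^\dagger \left[ \mathbf{B}^{-1} (d\mathbf{K}) \mathbf{B}^{-\dagger} \mathbf{B}^\dagger (\mathbf{H}_B^\dagger \mathbf{H}_B - \lambda_i \mathbf{H}_E^\dagger \mathbf{H}_E) \mathbf{B} + \mathbf{B}^\dagger (\mathbf{H}_B^\dagger \mathbf{H}_B - \lambda_i \mathbf{H}_E^\dagger \mathbf{H}_E) \mathbf{B} \mathbf{B}^{-1} (d\mathbf{K}) \mathbf{B}^{-\dagger} \right] \mathbf{y}_i$$
$$= 2 (\lambda_i - 1)\, \mathbf{y}_i^\dagger \mathbf{B}^{-1} (d\mathbf{K}) \mathbf{B}^{-\dagger} \mathbf{y}_i,$$

as desired.

Corollary 1. If $d\mathbf{K}$ is positive semi-definite, then the sign of $d\lambda_i$ equals the sign of $\lambda_i - 1$.

The result of Lemma 1 follows immediately from this corollary.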
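APPENDIX B
TRUNCATION OF GENERALIZED SINGULAR VALUES

Apply the triangular variant of the GSVD (13) to the matrices $\mathbf{G}_B = \mathbf{G}(\mathbf{H}_B, \mathbf{K})$ and $\mathbf{G}_E = \mathbf{G}(\mathbf{H}_E, \mathbf{K})$:

$$\mathbf{G}_B = \mathbf{U}_B \mathbf{D}_B \mathbf{T} \mathbf{V}_A^\dagger, \qquad \mathbf{G}_E = \mathbf{U}_E \mathbf{D}_E \mathbf{T} \mathbf{V}_A^\dagger.$$

Since $\mathbf{V}_A$ is unitary, the following relations hold:

$$\mathbf{G}'_B \triangleq \begin{pmatrix} \mathbf{H}_B \mathbf{K}^{1/2} \mathbf{V}_A \\ \mathbf{I} \end{pmatrix} = \mathbf{U}'_B \mathbf{D}_B \mathbf{T}, \qquad \mathbf{G}'_E \triangleq \begin{pmatrix} \mathbf{H}_E \mathbf{K}^{1/2} \mathbf{V}_A \\ \mathbf{I} \end{pmatrix} = \mathbf{U}'_E \mathbf{D}_E \mathbf{T},$$

where $\mathbf{U}'_B$ and $\mathbf{U}'_E$ are unitary. That is, the GSVD of $\mathbf{G}'_B$ and $\mathbf{G}'_E$ is achieved by applying a QR decomposition to each of them. Finally, by incorporating $\mathbf{I}_B$ we achieve

$$\tilde{\mathbf{G}}_B \triangleq \begin{pmatrix} \mathbf{H}_B \mathbf{K}^{1/2} \mathbf{V}_A \mathbf{I}_B \\ \mathbf{I} \end{pmatrix} = \tilde{\mathbf{U}}_B \tilde{\mathbf{D}}_B \tilde{\mathbf{T}} \tag{40a}$$
$$\tilde{\mathbf{G}}_E \triangleq \begin{pmatrix} \mathbf{H}_E \mathbf{K}^{1/2} \mathbf{V}_A \mathbf{I}_B \\ \mathbf{I} \end{pmatrix} = \tilde{\mathbf{U}}_E \tilde{\mathbf{D}}_E \tilde{\mathbf{T}}, \tag{40b}$$

where $\tilde{\mathbf{U}}_B$ and $\tilde{\mathbf{U}}_E$ are unitary having the same first $L_B$ columns as $\mathbf{U}'_B$ and $\mathbf{U}'_E$, respectively; $\tilde{\mathbf{T}}$, $\tilde{\mathbf{D}}_B$ and $\tilde{\mathbf{D}}_E$ have the same first $L_B$ columns as $\mathbf{T}$, $\mathbf{D}_B$ and $\mathbf{D}_E$, respectively, whereas the remaining $L_C = N_A - L_B$ columns are all zero except for the diagonal elements, which are equal to 1:

$$\tilde{D}_{B;i,j} = \tilde{D}_{C;i,j} = \tilde{T}_{i,j} = \begin{cases} 1 & i = j,\ j > L_B \\ 0 & i \neq j,\ j > L_B \end{cases}.$$

The latter is easily seen by noting that the QR decomposition carries a Gram–Schmidt process over the columns of the decomposed matrices, and hence the first $L_B$ columns remain the same after applying $\mathbf{I}_B$, whereas the structure of the remaining columns is trivial due to the nullification of the last $L_C$ columns of $\mathbf{H}_B \mathbf{K}^{1/2} \mathbf{V}_A$.

We note that (40) is the GSVD of $\tilde{\mathbf{G}}_B$ and $\tilde{\mathbf{G}}_E$ up to the normalization property (12), which has no effect on the GSVs and can be achieved by a multiplication by an $N_A \times N_A$ diagonal matrix with its first $L_B$ entries equal to 1 and the remaining entries equal to $1/\sqrt{2}$.

The desired result is established by noting that $\mathbf{K}^{1/2} = \bar{\mathbf{K}}^{1/2} \mathbf{V}_A \mathbf{I}_B$, and that the first $L_B$ GSVs of $(\tilde{\mathbf{G}}_B, \tilde{\mathbf{G}}_E)$ are equal to the first $L_B$ GSVs of $(\mathbf{G}_B, \mathbf{G}_E)$ (the GSVs that are greater than 1) and the remaining GSVs of $(\tilde{\mathbf{G}}_B, \tilde{\mathbf{G}}_E)$ are equal to 1.

APPENDIX C
PROOF OF PROPOSITION 1

In this appendix, with a slight abuse of notation, we denote by boldface letters $n$-length sequences, with $n$ being the block length (in contrast to the other parts of the paper, where boldface letters denote spatial vectors).

Proof of Proposition 1: Denote

$$\tilde{R}_k \triangleq I\left(\tilde{x}_k; y_E \,\middle|\, \tilde{x}_{k+1}^{N_A}\right) - \epsilon. \tag{41}$$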
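The codebooks are generated sequentially, from last ($k = N_A$) to first ($k = 1$), as follows. For $k = N_A$, construct the codebook $\mathcal{C}_{N_A}$ of $2^{n(R_{N_A} + \tilde{R}_{N_A})}$ codewords, that are generated independently with i.i.d. entries with respect to $p(\tilde{x}_{N_A})$. For $k \in \{1, \ldots, N_A - 1\}$, for each (already generated) codeword set $(\tilde{\mathbf{x}}_{k+1}, \ldots, \tilde{\mathbf{x}}_{N_A}) \in \mathcal{C}_{k+1} \times \cdots \times \mathcal{C}_{N_A}$, generate a codebook of $2^{n(R_k + \tilde{R}_k)}$ codewords with respect to $\prod_{i=1}^{n} p\left(\tilde{x}_k \mid \tilde{x}_{k+1}(i), \ldots, \tilde{x}_{N_A}(i)\right)$, where $\tilde{x}_\ell(i)$ is the $i$-th letter of the codeword $\tilde{\mathbf{x}}_\ell$. Within each codebook, each codeword is assigned a unique index pair $(m_k, f_k)$ where $m_k \in \{1, 2, \ldots, 2^{nR_k}\}$ and $f_k \in \{1, 2, \ldots, 2^{n\tilde{R}_k}\}$. Each codeword is selected according to the secret message $m_k$ and a fictitious message $f_k$ drawn uniformly over its range. The transmitted codeword is therefore $\mathbf{x} = \varphi\left(\tilde{\mathbf{x}}_1(m_1, f_1), \ldots, \tilde{\mathbf{x}}_{N_A}(m_{N_A}, f_{N_A})\right)$.

Bob’s decoding is based on successive decoding starting from the last message ($k = N_A$) and proceeding to the first ($k = 1$). Since

$$R_k + \tilde{R}_k = I\left(\tilde{x}_k; y_B \,\middle|\, \tilde{x}_{k+1}^{N_A}\right) - 2\epsilon \tag{42a}$$
$$< I\left(\tilde{x}_k; y_B \,\middle|\, \tilde{x}_{k+1}^{N_A}\right), \tag{42b}$$

the decoding of each combined message $(m_k, f_k)$ succeeds with arbitrarily high probability, as $n \to \infty$.

In order to satisfy the secrecy constraint, the following condition must hold, for any $\tilde{\epsilon} > 0$ and large enough $n$:

$$\frac{1}{n} H\left(m_1, \ldots, m_{N_A} \,\middle|\, \mathbf{y}_E, \mathcal{C}\right) \ge \frac{1}{n} H(m_1, \ldots, m_{N_A}) - \tilde{\epsilon},$$

where $\mathcal{C} = \{\mathcal{C}_1, \ldots, \mathcal{C}_{N_A}\}$ denotes the overall collection of the $N_A$ codebooks. It suffices to show that for any $\epsilon' > 0$, and large enough $n$,

$$\frac{1}{n} H\left(m_k \,\middle|\, \mathbf{y}_E, m_{k+1}^{N_A}, \mathcal{C}\right) \ge \frac{1}{n} H(m_k) - \epsilon'$$

is satisfied for each $k$. Note that

$$H\left(m_k \,\middle|\, \mathbf{y}_E, m_{k+1}^{N_A}, \mathcal{C}\right) \ge H\left(m_k \,\middle|\, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right)$$
$$= H\left(m_k, \tilde{\mathbf{x}}_k \,\middle|\, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right) - H\left(\tilde{\mathbf{x}}_k \,\middle|\, m_k, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right)$$
$$= H\left(\tilde{\mathbf{x}}_k \,\middle|\, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right) - H\left(f_k \,\middle|\, m_k, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right).$$

Due to (41), in our construction the eavesdropper can decode $f_k$ with probability going to 1, given $\left(m_k, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right)$, and hence the second term is vanishingly small. Thus, we are left with

$$H\left(m_k \,\middle|\, \mathbf{y}_E, m_{k+1}^{N_A}, \mathcal{C}\right) \ge H\left(\tilde{\mathbf{x}}_k \,\middle|\, \mathbf{y}_E, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right) - n\epsilon'_n$$
$$= H\left(\tilde{\mathbf{x}}_1^{k} \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathbf{y}_E, \mathcal{C}\right) - H\left(\tilde{\mathbf{x}}_1^{k-1} \,\middle|\, \tilde{\mathbf{x}}_{k}^{N_A}, \mathbf{y}_E, \mathcal{C}\right) - n\epsilon'_n.$$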
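Since the two equivocations are the same quantity up to an index shift, it suffices to show that for $\delta_1 > 0$ and $\delta_2 > 0$ that vanish with $\epsilon$ and large enough $n$,

$$\sum_{\ell=1}^{k} \left[ I\left(\tilde{x}_\ell; y_B \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) - I\left(\tilde{x}_\ell; y_E \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) \right] - \delta_1 \tag{43a}$$
$$\le \frac{1}{n} H\left(\tilde{\mathbf{x}}_1^{k} \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathbf{y}_E, \mathcal{C}\right) \tag{43b}$$
$$\le \sum_{\ell=1}^{k} \left[ I\left(\tilde{x}_\ell; y_B \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) - I\left(\tilde{x}_\ell; y_E \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) \right] + \delta_2. \tag{43c}$$

To establish (43b) we use the fact that the sequences $\tilde{\mathbf{x}}_\ell$ are selected independently given $\tilde{\mathbf{x}}_{\ell+1}^{N_A}$, so that, for large enough $n$, the following chain of inequalities holds

$$H\left(\tilde{\mathbf{x}}_1^{k} \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathbf{y}_E, \mathcal{C}\right) \tag{44a}$$
$$= H\left(\tilde{\mathbf{x}}_1^{k} \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right) - I\left(\tilde{\mathbf{x}}_1^{k}; \mathbf{y}_E \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathcal{C}\right) \tag{44b}$$
$$= \sum_{\ell=1}^{k} \left[ H\left(\tilde{\mathbf{x}}_\ell \,\middle|\, \tilde{\mathbf{x}}_{\ell+1}^{N_A}, \mathcal{C}\right) - I\left(\tilde{\mathbf{x}}_\ell; \mathbf{y}_E \,\middle|\, \tilde{\mathbf{x}}_{\ell+1}^{N_A}, \mathcal{C}\right) \right] \tag{44c}$$
$$= \sum_{\ell=1}^{k} \left[ n \left( I\left(\tilde{x}_\ell; y_B \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) - 2\epsilon \right) - I\left(\tilde{\mathbf{x}}_\ell; \mathbf{y}_E \,\middle|\, \tilde{\mathbf{x}}_{\ell+1}^{N_A}, \mathcal{C}\right) \right] \tag{44d}$$
$$\ge n \sum_{\ell=1}^{k} \left[ I\left(\tilde{x}_\ell; y_B \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) - I\left(\tilde{x}_\ell; y_E \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) - 3\epsilon \right], \tag{44e}$$

where (44d) follows from (42a), and to establish (44e) we use the fact that the channel is memoryless along with standard typicality arguments [49].

To establish (43c), we use [50, Lemma 1], by substituting:
• $S = \sum_{\ell=1}^{k} \left( R_\ell + \tilde{R}_\ell \right)$
• $v = \tilde{x}_1^{k}$
• $L \triangleq (m_1^{k}, f_1^{k}) \in [1, 2^{nS}]$
• $u = \tilde{x}_{k+1}^{N_A}$
• $z = y_E$

The conditions for the lemma hold since

$$H\left(\tilde{\mathbf{x}}_1^{k} \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathbf{y}_E, \mathcal{C}\right) = H\left(L \,\middle|\, \tilde{\mathbf{x}}_{k+1}^{N_A}, \mathbf{y}_E, \mathcal{C}\right),$$

and

$$S = \sum_{\ell=1}^{k} \left( R_\ell + \tilde{R}_\ell \right) \tag{45a}$$
$$= \left[ \sum_{\ell=1}^{k} I\left(\tilde{x}_\ell; y_B \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) \right] - 2\epsilon \tag{45b}$$
$$> \left[ \sum_{\ell=1}^{k} I\left(\tilde{x}_\ell; y_E \,\middle|\, \tilde{x}_{\ell+1}^{N_A}\right) \right] + \delta \tag{45c}$$
$$= I\left(\tilde{x}_1^{k}; y_E \,\middle|\, \tilde{x}_{k+1}^{N_A}\right) + \delta, \tag{45d}$$

where (45c) follows from the fact that the communication rate $R_\ell$ of each sub-channel must be positive (and $\epsilon$ and $\delta$ are small enough, and $n$ is sufficiently large), else it is not used. Since we have proved (43b) and (43c), the secrecy analysis is now complete.

Remark 13. For the special case of mutually independent $(\tilde{x}_1, \ldots, \tilde{x}_{N_A})$, there is no need to generate a different codebook $\mathcal{C}_k$ for each selection of preceding codewords $(\tilde{\mathbf{x}}_{k+1}, \ldots, \tilde{\mathbf{x}}_{N_A})$, and the same codebook can be applied regardless of the other codewords.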
REFERENCES

[1] A. D. Wyner, “The wiretap channel,” IEEE Trans. Info. Theory, vol. 54, pp. 1355–1387, 1975.
[2] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Info. Theory, vol. 24, pp. 339–348, 1978.
[3] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian wiretap channel,” IEEE Trans. Info. Theory, vol. 24, pp. 451–456, 1978.
[4] A. Khisti and G. W. Wornell, “Secure transmission with multiple antennas—part II: The MIMOME wiretap channel,” IEEE Trans. Info. Theory, vol. 56, pp. 5515–5532, 2010.
[5] F. Oggier and B. Hassibi, “The secrecy capacity of the MIMO wiretap channel,” IEEE Trans. Info. Theory, vol. 57, pp. 4961–4972, 2011.
[6] T. Liu and S. Shamai, “A note on the secrecy capacity of the multiple-antenna wiretap channel,” IEEE Trans. Info. Theory, vol. 55, pp. 2547–2553, 2009.
[7] R. Bustin, R. Liu, H. V. Poor, and S. Shamai, “An MMSE approach to the secrecy capacity of the MIMO Gaussian wiretap channel,” EURASIP Journal on Wireless Comm. and Networking. Special Issue on Wireless Physical Security, 2009.
[8] H. Weingarten, Y. Steinberg, and S. Shamai, “The capacity region of the Gaussian multiple-input multiple-output broadcast channel,” IEEE Trans. Info. Theory, vol. 52, pp. 3936–3964, Sept. 2006.
[9] R. Liu and H. V. Poor, “Secrecy capacity region of a multiple-antenna Gaussian broadcast channel with confidential messages,” IEEE Trans. Info. Theory, vol. 55, pp. 1235–1249, 2009.
[10] R. Liu, T. Liu, H. V. Poor, and S. Shamai, “Multiple-input multiple-output Gaussian broadcast channels with confidential messages,” IEEE Trans. Info. Theory, vol. 56, pp. 4215–4227, 2010.
[11] H. Tyagi and A. Vardy, “Semantically-secure coding scheme achieving the capacity of a Gaussian wiretap channel,” arXiv:cs.IT/1412.4958, Dec. 2014.
[12] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J.-M. Merolla, “Applications of LDPC codes to the wiretap channel,” IEEE Trans. Info. Theory, vol. 53, no. 8, pp. 2933–2945, Aug. 2007.
[13] D. Klinc, H. Jeongseok, S. W. McLaughlin, J. Barros, and B.-J. Kwak, “LDPC codes for the Gaussian wiretap channel,” IEEE Trans. Info. Theory, vol. 6, pp. 532–540, 2011.
[14] F. Oggier, P. Solé, and J.-C. Belfiore, “Lattice codes for the wiretap Gaussian channel: Construction and analysis,” IEEE Trans. Info. Theory, Submitted, Jan. 2013. [Online]. Available: http://arxiv.org/abs/0708.4219.
[15] H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Trans. Info. Theory, vol. 57, pp. 6428–6443, 2011.
[16] M. Andersson, “Coding for the wiretap channel,” Ph.D. dissertation, School of Electrical Engineering (EES), Royal Institute of Technology (KTH), Stockholm, Sweden, 2011.
[17] Y. Yan, L. Liu, and C. Ling, “Polar lattices for strong secrecy over the mod-λ Gaussian wiretap channel,” in Proc. IEEE Int. Symp. on Info. Theory (ISIT), Honolulu, HI, USA, June/July 2014, pp. 961–965.
[18] A. Khina, Y. Kochman, and U. Erez, “Joint unitary triangularization for MIMO networks,” IEEE Trans. Sig. Proc., vol. 60, pp. 326–336, 2012.
[19] E. Telatar, “Capacity of the multiple antenna Gaussian channel,” Europ. Trans. Telecommun., vol. 10, pp. 585–595, Nov. 1999.
[20] G. Foschini, “Layered space–time architecture for wireless communication in a fading environment when using multi-element antennas,” Bell Sys. Tech. Jour., vol. 1, no. 2, pp. 41–59, 1996.
[21] P. W. Wolniansky, G. J. Foschini, G. D. Golden, and R. A. Valenzuela, “V-BLAST: An architecture for realizing very high data rates over the rich-scattering wireless channel,” in Proc. URSI Int. Symp. Sig., Sys., Elect. (ISSSE), Sep./Oct. 1998, pp. 295–300.
[22] J. M. Cioffi and G. D. Forney Jr., “Generalized decision-feedback equalization for packet transmission with ISI and Gaussian noise,” in Comm., Comp., Cont. and Sig. Proc., 1997, pp. 79–127.
[23] B. Hassibi, “An efficient square-root algorithm for BLAST,” in Proc. IEEE Int. Conf. on Acoust. Speech and Sig. Proc. (ICASSP), vol. 2, Istanbul, Turkey, June 2000, pp. 737–740.
[24] A. Khina, I. Livni, A. Hitron, and U. Erez, “Joint unitary triangularization for Gaussian multi-user MIMO networks,” IEEE Trans. Info. Theory, vol. 61, no. 5, pp. 2662–2692, 2015.
[25] D. P. Palomar and Y. Jiang, “MIMO transceiver design via majorization theory,” Found. Trends Comm. Info. Theory, vol. 3, pp. 331–551, Nov. 2006.
[26] G. H. Golub and C. F. Van Loan, Matrix Computations, 3rd ed. Baltimore: Johns Hopkins University Press, 1996.
[27] Y. Jiang, W. Hager, and J. Li, “The geometric mean decomposition,” Lin. Algebra and Its Apps., vol. 396, pp. 373–384, Feb. 2005.
[28] H. Weyl, “Inequalities between two kinds of eigenvalues of a linear transformation,” in Proc. Nat. Acad. Sci. USA, 35, 1949, pp. 408–411.
[29] A. Horn, “On the eigenvalues of a matrix with prescribed singular values,” in Proc. Amer. Math. Soc., 1954, pp. 4–7.
[30] Y. Jiang, W. Hager, and J. Li, “The generalized triangular decomposition,” Math. of Comput., vol. 77, no. 262, pp. 1037–1056, 2008.
[31] J.-K. Zhang and K. M. Wong, “Fast QRS decomposition of matrix and its applications to numerical optimization,” Dpt. of Elect. and Comp. Engineering, McMaster University, Tech. Rep. [Online]. Available: http://www.ece.mcmaster.ca/~jkzhang/papers/sam qrs.pdf
[32] P. Kosowski and A. Smoktunowicz, “On constructing unit triangular matrices with prescribed singular values,” Computing, vol. 64, no. 3, pp. 279–285, 2000.
[33] J.-K. Zhang, A. Kavčić, and K. M. Wong, “Equal-diagonal QR decomposition and its application to precoder design for successive-cancellation detection,” IEEE Trans. Info. Theory, vol. 51, pp. 154–172, 2005.
[34] C. F. Van Loan, “Generalizing the singular value decomposition,” SIAM J. Numer., vol. 13, pp. 76–83, 1976.
[35] Y. Jiang, W. Hager, and J. Li, “Uniform channel decomposition for MIMO communications,” IEEE Trans. Sig. Proc., vol. 53, pp. 4283–4294, 2005.
[36] M. R. Bloch and J. N. Laneman, “Strong secrecy from channel resolvability,” IEEE Trans. Info. Theory, vol. 59, no. 12, pp. 8077–8098, Dec. 2013.
[37] A. Khina, Y. Kochman, and A. Khisti, “Decomposing the MIMO wiretap channel,” in Proc. IEEE Int. Symp. on Info. Theory (ISIT), Honolulu, HI, USA, June/July 2014, pp. 206–210.
[38] J. M. Cioffi and G. Ginis, “A multi-user precoding scheme achieving crosstalk cancellation with application to DSL systems,” in Proc. 34th Asilomar Conf. Sig., Sys and Comp., vol. 2, Pacific Grove, CA, USA, Nashville, Tennessee, Nov. 1999.
[39] G. Caire and S. S. (Shitz), “On the multiple antenna broadcast channel,” in Proc. of 35th Asilomar Conference, Pacific Grove, California, USA, Oct./Nov. 2001.
[40] C. Mitrpant, A. J. Han Vinck, and Y. Luo, “An achievable region for the Gaussian wiretap channel with side information,” IEEE Trans. Info. Theory, vol. 52, no. 5, pp. 2181–2190, May 2006.
[41] Y. Chen and A. J. Han Vinck, “Wiretap channel with side information,” IEEE Trans. Info. Theory, vol. 54, no. 1, pp. 395–402, Jan. 2008.
[42] M. H. M. Costa, “Writing on dirty paper,” IEEE Trans. Info. Theory, vol. 29, pp. 439–441, May 1983.
[43] M. Bellare, S. Tessaro, and A. Vardy, “Semantic security for the wiretap channel,” in Proc. CRYPTO, LNCS, vol. 7417, 2012, pp. 294–311.
[44] M. Hayashi and R. Matsumoto, “Construction of wiretap codes from ordinary channel codes,” in Proc. Int. Symp. Info. Theory (ISIT), Austin, TX, June 2010, pp. 2538–2542.
[45] A. Khina, Y. Kochman, and A. Khisti, “From ordinary AWGN codes to optimal MIMO wiretap schemes,” in Proc. IEEE Info. Theory Workshop (ITW), Hobart, Tasmania, Australia, Oct./Nov. 2014, pp. 632–636.
[46] F. Baccelli, A. El Gamal, and D. N. C. Tse, “Interference networks with point-to-point codes,” IEEE Trans. Info. Theory, vol. 57, pp. 2582–2596, 2011.
[47] O. Ordentlich and U. Erez, “On the robustness of lattice interference alignment,” IEEE Trans. Info. Theory, vol. 59, pp. 2735–2759, 2013.
[48] J. de Leeuw, “Derivatives of generalized eigen systems with applications,” Preprint Series 528, Department of Statistics, UCLA, Sep. 2007.
[49] T. M. Cover and J. A. Thomas, Elements of Information Theory, Second Edition. New York: Wiley, 2006.
[50] Y.-K. Chia and A. El Gamal, “Three-receiver broadcast channels with common and confidential messages,” IEEE Trans. Info. Theory, vol. 58, pp. 2748–2765, 2012.