Wireless Physical Layer Security

EURASIP Journal on Wireless Communications and Networking

Guest Editors: Mérouane Debbah, Hesham El-Gamal, H. Vincent Poor, and Shlomo Shamai (Shitz) Wireless Physical Layer Security EURASIP Journal on Wireless Communications and Networking

Wireless Physical Layer Security

This is a special issue published in volume 2009 of “EURASIP Journal on Wireless Communications and Networking.” All articles are open access articles distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Editor-in-Chief Luc Vandendorpe, Universite´ catholique de Louvain, Belgium

Associate Editors

Thushara Abhayapala, Australia Zabih F. Ghassemlooy, UK Marc Moonen, Belgium Mohamed H. Ahmed, Canada Christian Hartmann, Germany Eric Moulines, France Farid Ahmed, USA Stefan Kaiser, Germany Sayandev Mukherjee, USA Carles Anton-Haro,´ Spain George K. Karagiannidis, Greece Kameswara Rao Namuduri, USA Anthony C. Boucouvalas, Greece Chi Chung Ko, Singapore AmiyaNayak,Canada Lin Cai, Canada Visa Koivunen, Finland Claude Oestges, Belgium Yuh-Shyan Chen, Taiwan Nicholas Kolokotronis, Greece A. Pandharipande, The Netherlands Pascal Chevalier, France Richard Kozick, USA Phillip Regalia, France Chia-Chin Chong, South Korea Sangarapillai Lambotharan, UK A. Lee Swindlehurst, USA Soura Dasgupta, USA Vincent Lau, Hong Kong George S. Tombras, Greece Ibrahim Develi, Turkey DavidI.Laurenson,UK Lang Tong, USA Petar M. Djuric,´ USA Tho Le-Ngoc, Canada Athanasios Vasilakos, Greece Mischa Dohler, Spain Wei Li, USA Ping Wang, Canada Abraham O. Fapojuwo, Canada Tongtong Li, USA Weidong Xiang, USA Michael Gastpar, USA Zhiqiang Liu, USA Xueshi Yang, USA Alex B. Gershman, Germany Stephen McLaughlin, UK Lawrence Yeung, Hong Kong Wolfgang Gerstacker, Germany Sudip Misra, India Dongmei Zhao, Canada David Gesbert, France Ingrid Moerman, Belgium Weihua Zhuang, Canada Contents

Wireless Physical Layer Security,Merouane´ Debbah, Hesham El-Gamal, H. Vincent Poor, and Shlomo Shamai (Shitz) Volume 2009, Article ID 404061, 2 pages

A Real Orthogonal Space-Time Coded UWB Scheme for Wireless Secure Communications, Yanbing Zhang and Huaiyu Dai Volume 2009, Article ID 571903, 8 pages

An MMSE Approach to the Secrecy Capacity of the MIMO Gaussian Wiretap Channel, Ronit Bustin, Ruoheng Liu, H. Vincent Poor, and Shlomo Shamai (Shitz) Volume 2009, Article ID 370970, 8 pages

Compound Wiretap Channels, Yingbin Liang, Gerhard Kramer, H. Vincent Poor, and Shlomo Shamai (Shitz) Volume 2009, Article ID 142374, 12 pages

Physical Layer Security Game: Interaction between Source, Eavesdropper, and Friendly Jammer, Zhu Han, Ninoslav Marina, Merouane´ Debbah, and Are Hjørungnes Volume 2009, Article ID 452907, 10 pages

Secrecy Capacity of a Class of Broadcast Channels with an Eavesdropper, Ersen Ekrem and Sennur Ulukus Volume 2009, Article ID 824235, 29 pages

Secrecy Capacity of a Class of Orthogonal Relay Eavesdropper Channels, Vaneet Aggarwal, Lalitha Sankar, A. Robert Calderbank, and H. Vincent Poor Volume 2009, Article ID 494696, 14 pages

Secret Sharing over Fast-Fading MIMO Wiretap Channels, Tan F. Wong, Matthieu Bloch, and John M. Shea Volume 2009, Article ID 506973, 17 pages

Secured Communication over Frequency-Selective Fading Channels: A Practical Vandermonde Precoding, Mari Kobayashi, Merouane´ Debbah, and Shlomo Shamai (Shitz) Volume 2009, Article ID 386547, 19 pages

Securing OFDM over Wireless Time-Varying Channels Using Subcarrier Overloading with Joint Signal Constellations, Gill R. Tsouri and Dov Wulich Volume 2009, Article ID 437824, 18 pages

Two-Hop Secure Communication Using an Untrusted Relay, Xiang He and Aylin Yener Volume 2009, Article ID 305146, 13 pages Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 404061, 2 pages doi:10.1155/2009/404061

Editorial Wireless Physical Layer Security

Merouane´ Debbah,1 Hesham El-Gamal,2 H. Vincent Poor,3 and Shlomo Shamai (Shitz)4

1 Alcatel-Lucent Chair on Flexible Radio, Sup´elec, 3 rue Joliot-Curie, 91192 Gif-sur-Yvette Cedex, France 2 Department of Electrical & Computer Engineering, Ohio State University, 205 Dreese Labs, 2015 Neil Avenue, Columbus, OH 43210, USA 3 Department of Electrical Engineering, Princeton University, Engineering Quadrangle, Olden Street, Princeton, NJ 08544, USA 4 Department of Electrical Engineering, Technion, Technion City, Haifa 32000, Israel

Correspondence should be addressed to Merouane´ Debbah, [email protected]

Received 31 December 2009; Accepted 31 December 2009

Copyright © 2009 Merouane´ Debbah et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

The issues of privacy and security in wireless communication information theoretic security, which builds on Shannon’s networks have taken on an increasingly important role as notion of perfect secrecy, was laid in the 1970s by Wyner these networks continue to flourish worldwide. Traditionally, and later by Csiszar´ and Korner,¨ who proved seminal results security is viewed as an independent feature addressed showing that there exist channel codes guaranteeing both above the physical layer, and all widely used cryptographic robustness to transmission errors and a prescribed degree protocols are designed and implemented assuming the of data confidentiality. In the 1970s and 1980s, the impact physical layer has already been established and provides of these works was limited, partly because practical wiretap an error-free link. However, with the emergence of ad- codes were not available, but mostly due to the fact that hoc and decentralized networks, higher-layer techniques, a strictly positive secrecy capacity in the classical wiretap such as encryption, are complex and difficult to implement. channel setup requires the legitimate sender and receiver to Therefore, there has been a considerable recent attention have some advantage (in general, a better SNR) over the on studying the fundamental ability of the physical layer to attacker. In recent times, information theoretic security has provide secure wireless communications. This paradigm is witnessed a renaissance due in part to the work of Maurer in called Wireless Physical Layer Security. Physical layer security the 1990s, who proved that even when a legitimate user has is an emerging research area that explores the possibility of a worse channel than an eavesdropper, it is possible for him achieving perfect-secrecy data transmission among intended to generate a secret key through public communication over network nodes, while possibly malicious nodes that eaves- an insecure yet authenticated channel. In the past few years, drop upon the transmission obtain zero information. The significant effort has been applied to the study of information breakthrough concept behind wireless physical layer security theoretic security for wireless channel models, enhancing is to exploit the characteristics of the wireless channel, such as the classical wiretap channel and including more realistic fading or noise, to provide secrecy for wireless transmissions. assumptions which allow for opportunistic exploitation of While these characteristics have traditionally been seen as the space/time/user dimensions of wireless channels for impairments, physical layer security takes advantage of these secret communications. characteristics for improving the security and reliability of Thegoalofthisspecialissueistopresentrecentresults wireless communication systems and networks. in wireless physical layer security that capture the research Information theoretic security provides the theoretical trends in the field. The papers to be found in this issue basis behind wireless physical layer security. Historically, provide the reader with a good overview of these trends. 2 EURASIP Journal on Wireless Communications and Networking

This special issue collects 10 papers clustered into two et al. studies the frequency-selective broadcast channel with groups: papers dealing with information theoretic aspects confidential messages, in which the transmitter sends a and papers focusing on practical scenarios. confidential message to the first receiver and a common mes- The first group of papers provides information theoretic sage to both receivers. A practical Vandermonde precoding results for wireless physical layer security. The first of approach is provided for which the achievable rate region is these, by Bustin et al., derives a closed-form expression studied. for the secrecy capacity of the multiple-input multiple output (MIMO) Gaussian wiretap channel, under a power- Acknowledgments covariance constraint. The proof uses a clever relationship between information theory and estimation theory in the We would like to thank the authors of all submitted papers Gaussian channel that can be extended to other types of (both those that were accepted and those that, regrettably, MIMO channels. The paper by Ekrem et al. characterizes could not be included) for considering our special issue for the secrecy capacity region between a single transmitter and disseminating their work. We extend our gratitude to the multiple receivers in a broadcast channel in the presence of many, very conscientious reviewers for sacrificing so much of an eavesdropper. It provides a clear understanding of secure their time in order to make this special issue a success. Last broadcasting, studying several special classes of channels, but not least, we thank the members of NEWCOM++ for with increasing generality. The third paper, by Aggarwal their joint collaboration in submitting high quality papers to et al., looks at the secrecy capacity of relay channels with this special issue. We also would like to thank the devoted orthogonal components in the presence of an additional staff of Hindawi for their high level of professionalism, and passive eavesdropper node. Inner and outer bounds on Luc Vandendorpe, the Editor-in-Chief of the journal, for the secrecy capacity are developed for both the discrete trusting us with this important assignment and helping us memoryless and the Gaussian channel models. The paper by to fulfill it successfully. Wang et al. studies secret sharing over the fast-fading MIMO wiretap channel. The key capacity is evaluated where the Mérouane Debbah effects of spatial dimensionality created by the use of multiple Hesham El-Gamal antennas at the source, destination, and eavesdropper are H. Vincent Poor investigated. The fifth paper, by Liang et al., focuses on Shlomo Shamai (Shitz) the compound wire-tap channel, which generalizes Wyner’s wire-tap model to allow both the channel from the transmitter to the legitimate receiver and that from the transmitter to the eavesdropper to take a number of possible states. The secrecy capacity is studied and established for various cases of interest (degraded, MIMO, etc.). Finally, the paper by He et al. considers a source-destination pair that can communicate only through an untrusted intermediate relay node. In this two-hop communication scenario, in which the use of the untrusted relay node is essential, a positive secrecy rate is shown to be achievable and an upper bound on it is provided. The second group of papers focuses on more practical aspects of wireless physical layer security. The first of these papers, by Tsouri et al., makes use of channel randomness, reciprocity and fast decorrelation in space to secure orthogonal frequency division multiplexing (OFDM) with low overhead on encryption, decryption, and key distribution. These properties make this approach a good alternative to traditional software-based information security algorithms in systems where the costs associated with such algorithms are an obstacle to implementation. The second paper, by Zhan et al., proposes a space-time coding scheme for impulse radio ultra-wideband (UWB) systems. A novel real orthogonal group code is designed for multiantenna UWB signals to exploit the full spatial diversity gain and achieve perfect communication secrecy. The third paper, by Han et al., introduces a game theoretic approach to investigate the interaction between the source that transmits the useful data and friendly jammers who assist the source by masking the eavesdropper. To analyze the outcome of the game, a Stackelberg-type game is investigated and a distributed algorithm is provided. Finally, the paper by Kobayashi Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 571903, 8 pages doi:10.1155/2009/571903

Research Article A Real Orthogonal Space-Time Coded UWB Scheme for Wireless Secure Communications

Yanbing Zhang and Huaiyu Dai

Department of Electrical and Computer Engineering, NC State University, Raleigh, NC 27695, USA

Correspondence should be addressed to Huaiyu Dai, [email protected]

Received 1 December 2008; Revised 5 June 2009; Accepted 21 July 2009

Recommended by Merouane Debbah

Recent research reveals that information security and information-hiding capabilities can be enhanced by proper exploitation of space-time techniques. Meanwhile, intrinsic properties of ultra-wideband (UWB) signals make it an outstanding candidate for secure applications. In this paper, we propose a space-time coding scheme for impulse radio UWB systems. A novel real orthogonal group code is designed for multi-antenna UWB signals to exploit the full spatial diversity gain and achieve the perfect communication secrecy. Its performance in a frequency-selective fading channel is analyzed. The transmission secrecy, including low probability of detection (LPD), low probability of intercept (LPI), and anti-jamming performance, is investigated, and some fundamental tradeoﬀs between these secrecy metrics are also addressed. A comparison of the proposed scheme with the direct sequence spread spectrum (DSSS) technique is carried out, which demonstrates that proper combination of UWB and space-time coding can provide substantial enhancement to wireless secure communications over other concurrent systems.

Copyright © 2009 Y. Zhang and H. Dai. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction characteristic polynomial and the entire spreading code can be reconstructed through certain algorithms [2]. This moti- The rapid expansion and proliferation of the wireless vates researchers to study enhancing the physical layer built- applications, especially in military and commercial use, have in security of CDMA systems through secure scrambling been prompting a corresponding increasing demand for [2] or random spreading codes [3]. In 1990s, chaos, a very transmission security. Currently, chief among the methods universal phenomenon in many nonlinear systems, has also of information security is cryptography. Working at the been found valuable in secure communication systems due network or higher layers mostly, cryptography aims to deny to its extreme sensitivity to initial conditions and parameters the unintended attempt on the information content by [4]. As a hybrid approach, it was shown that CDMA making various transformations of the original message. systems employing time-varying pseudo-chaotic spread- Protection against unintended disclosure of the information, ing sequences can provide improvements with respect to however, can also be enhanced at the physical layer. Three their conventional CDMA counterparts (employing binary- features are generally desired for transmission secrecy—low valued pseudo-noise spreading sequences) [5]. Techniques probability of detection (LPD), low probability of intercept have also been proposed to use the characteristics of the (LPI), and anti-jamming protection [1]. LPD, LPI, and radio channel itself to provide secure key distribution in a anti-jamming properties may be viewed as the counterparts mobile radio environment, where the information bearing of the three important objectives in cryptography: secrecy, signal is modiﬁed to precompensate for the phase eﬀects of integrity, and availability. the channel [6]. It is well known that code division multiple access A recent breakthrough in wireless communications, (CDMA) systems can provide an inherent physical layer multiple-input multiple-output (MIMO) technique, vastly security solution to wireless communications. However, if expands the capacity and range of communications. An an eavesdropper can intercept a 2n-bit sequence segment information-theoretic framework for investigating commu- generated from an n-stage linear feedback shift register, the nication security in wireless MIMO links is proposed in 2 EURASIP Journal on Wireless Communications and Networking

[7]. One of the principal conclusions there is that proper and LPD performance is also addressed. In Section 5 the sim- exploitation of space-time diversity at the transmitter can ulation results are presented. And finally, some concluding enhance information security and information-hiding capa- remarks are given in Section 6. bilities. Particularly, if a source with constant spatial inner products (see Section 3.1) is transmitted over an uninformed 2. System Model link, the cutoff rate of the channel will be equal to zero and the minimum probability of decoding error will be Consider a peer-to-peer UWB communication system forced to one. There are many known signal constellations equipped with M transmit antennas and N receive antennas. satisfying this perfect-secrecy property, like double unitary The transmitted waveform at the ith transmit antenna during codes, square unitary codes, or space-time QPSK. D time frames can be described as Reference [8] is an exemplary work of this principle, D−1 E where the authors proposed a secure transmission scheme x(i) t = φ p t − dT ( ) M id f , (1) based on random space-time coding. The basic idea is d=0 multiplying a random coefficient to the symbol sequence to T make the eavesdropper completely blind with the transmit- where f represents the pulse repetition time (frame) p t ted signal. However, this random space-time transmission interval corresponding to one symbol transmission. ( )is T scheme has some drawbacks as well. One is that since the transmitted monocycle with the pulse duration p,which φ the weight should be randomly selected, it has to trade is modulated by the (real) space-time code id. Typically, T transmission power for secrecy. The other is that before the the duration p is between 0.2–2 nanoseconds, resulting in T data transmission, a secure initialization method has to be a transmitted signal of ultra-wideband, while f is hundred√ T E/M adopted to set up the feedback channel. or thousand times longer than p [9, 13]. The factor E Research interests in ultra-wideband (UWB) wireless ensures that the total transmitted power is . For simplicity, communications have also proliferated in both industry and the random time-hopping (TH) codes for multiple access are academia recently [9]. Besides many other advantages, UWB omitted ([13]). also offers salient features, like ultrashort pulse and noise- A class of unitary space-time signals is proposed in [16] like power density, for secure communications [10, 11]. for flat-fading channels where neither the transmitter nor the ffi Intent to jointly exploit the advantages of MIMO and UWB receiver necessarily knows the fading coe cients. Suppose T has also been initiated. In particular, UWB-MIMO systems that signals are transmitted in blocks of time samples, ffi which employ space-time block coding have been proposed over which interval the fading coe cients are approximately in [12–14]. More recently, cooperative schemes have also constant. Then, this space-time coding design admits a K = RT R been considered for such systems [15]. These works show constellation of √2 ( is the data rate in bits per channel TΦ k = ... K performance improvement over the conventional single- use) signals Sk = k, 1, , , with the property Φ ... Φ T × M input single-output (SISO) UWB systems for commonly that 1, , K are complex-valued matrices obeying ΦH Φ =···=ΦH Φ = adopted modulation and multiple-access techniques, in both 1 1 K K I (We use superscripts T and H in single-user and multiuser scenarios. But to the best of our this paper to respectively denote the transpose and conjugate knowledge, there is no formal discussion on security issues transpose operations.). when multiple antennas are introduced to UWB systems. Extending this discussion to UWB systems, and assuming M = T This motivates us to investigate a unitary space-time (without loss of generality), the transmit signal coding scheme for UWB systems, coined as USTC-UWB, matrix can be formed as which can simultaneously exploit the information security S and information-hiding capabilities of space-time coding ⎡ ⎤ and UWB. Compared with general approaches in [7], USTC- φ11 p(t) φ12 p(t) ··· φ1M p(t) ⎢ ⎥ ⎢ ⎥ UWB employs real space-time codes suitable for UWB ⎢φ p t − T φ p t − T ··· φ p t − T ⎥ ⎢ 21 f 22 f 2M f ⎥, signals and can work at any transmission rate. Based on ⎢ ⎥ = ⎢ ⎥ the performance analysis in a multipath fading channel, ⎢ . . . . ⎥ ⎢ . . .. . ⎥ we demonstrate that USTC-UWB can achieve superior ⎣ ⎦ LPD, LPI, and anti-jamming performances, making it an φM1p t−MT f φM2p t−MT f ··· φMMp t−MT f outstanding candidate for wireless secure communications. (2) In the analysis, some fundamental trade-offs between the secrecy metrics are also explicitly addressed. A comparison where Φ ={φij} is a unitary matrix to be designed. of USTC-UWB with the direct sequence spread spectrum Due to its large bandwidth, the channel observed by (DSSS) technique is also carried out, which further demon- UWB signals is usually subject to frequency selective fading. strates its advantages. So an L-path tapped-delay line model is adopted in the The rest of the paper is organized as follows. Section 2 discussion, for which the impulse response from the ith describes the system model and assumptions. The proposed transmit antenna to the jth receive antenna can be described USTC-UWB scheme is presented in Section 3, together with as its BER performance analysis. Security metrics for USTC- L−1 UWB, including LPD, LPI, and anti-jamming properties, are l hij(t) = hijδ(t − τl), ff (3) analyzed in Section 4. The trade-o between anti-jamming l=0 EURASIP Journal on Wireless Communications and Networking 3

l with τl representing the delay and hij the complex amplitude transform, which can achieve full-rate and full diversity. of the lth path, respectively. At the receiver, we employ However, since UWB systems employ baseband transmis- an L-ﬁnger Rake receiver to exploit the multipath diversity sion, it is necessary to set {φij} to be real. In the following, inherent in UWB systems, each adopting the delayed versions weproposeaclassofrealorthogonalgroupcodesforUWB of the received monocycle as the reference waveform. It can signals based on Hadamard transform and rotation matrices, be shown that if τl − τl−1 ≥ Tp, l = 1, ..., L − 1, and the which also admit more general transmit antenna settings. For m autocorrelation function of the pulse γ(τ) = 0for|τ|≥Tp, n = 2 ,withm an integer, a Hadamard matrix is generated all L correlators’ outputs at the jth receive antenna can be by a simple recursion collected into a T × L (equivalently M × L)matrix ⎡ ⎤ Θ Θ ⎣ n/2 n/2⎦ E Θn = (7) = (4) −Θn/ Θn/ Yj M SHj + Wj , 2 2 with Θ = 1. So our group codes can be deﬁned by where Wj is the circularly symmetric complex Gaussian 1 background noise with spectral height N0/2, and the M × L Φ ={Φ , Φ , ···Φ TR− } matrix Hj collects the multipath gain as 0 1 2 1 (8) ⎛ ⎞ TR 1 2 L = ΩM(0), ΩM(1), ..., ΩM 2 − 1 , h j h j ··· h j ⎜ 1 1 1 ⎟ ⎜ 1 2 L ⎟ ⎜ h j h j ··· h j ⎟ M × M Ω i ⎜ 2 2 2 ⎟ where the matrix M( ) is recursively generated as = ⎜ ⎟. Hj ⎜ . . . . ⎟ (5) ⎡ ⎤ ⎜ . . .. . ⎟ ⎝ . . . ⎠ ΩM/2(i) ΩM/2(i) Ω i = √1 ⎣ ⎦ h1 h2 ··· hL M( ) ,(9) Mj Mj Mj 2 −ΩM/2(i) ΩM/2(i)

The decision rule for the ML decoder with channel state with the initial rotation matrix given by information (CSI) can be stated as ([17, Chapter 7]) ⎡ ⎤ i i 2 π · π · N ⎢ cos TR sin TR ⎥ E ⎢ 2 2 ⎥ Φ = arg min Yj − ΦHj . (6) Ω i = ⎢ ⎥. ML,CSI M 2( ) ⎣ ⎦ (10) Φ∈{Φ1,···Φ TR}j= i i 2 1 − sin π · cos π · 2TR 2TR

3. Unitary Space-Time Coding for UWB Systems T T Since ΩM(i)ΩM(i) = ΩM(i) ΩM(i) = IM, this group Conveying information with ultrashort pulses, UWB signals code falls into the category of real orthogonal design and can resolve many paths and thus are rich in multipath admits the perfect-secrecy property (constant spatial inner diversity. This has motivated research toward using Rake product) as well (Following the definition in [7], we call T receivers to collect the available diversity and thus enhance ΩM(i)ΩM(i) the spatial inner product of ΩM(i) in this the performance of UWB communication systems. On the paper.). Also note that the squared L2 norm for every column other hand, multi-antenna-based space-time systems offer and row of the matrices so generated (corresponding to the an effective means of enabling space diversity, which has the total transmit power in space and time, resp.) is equal to 1. potential to improve not only error performance but also This design works well for any transmission rate R and M = capacity. In this section, we consider the construction of 2m transmit antennas. For odd values of M, a similar design space-time codes for UWB systems. A novel unitary space- can be applied for a few special cases with some performance time code is designed, which can exploit the full spatial loss. For example, for M = 3, a code based on 3-dimensional diversity and fulfill the purpose of secure communications. rotation matrix can be employed: In Section 3.1, we first elaborate the design of this space-time ⎡ ⎤ code, and then its performance is characterized by a union 10 0 ⎢ ⎥ ⎢ ⎥ bound on the block error probability in Section 3.2. ⎢ i i ⎥ Ω i = ⎢0cosπ · sin π · ⎥ 3( ) ⎢ 2TR 2TR ⎥ (11) ⎣ i i ⎦ 3.1. Construction of Unitary Space-Time Codes for UWB. 0 − sin π · cos π · Rank and determinant criteria are proposed in [18]for 2TR 2TR space-time code design. That is, in order to achieve the maximum diversity, the matrix Φ − Φ hastobefullrankfor with the group codes given by any different codewords Φ and Φ. It is shown in [19] that TR all optimal (full-rank) space-time group codes are unitary, Φ = Ω3(0), Ω3(1), ..., Ω3 2 − 1 . (12) which coincide with the secure space-time code structure found in [7]. The code design for general odd M constitutes our future A family of complex-valued space-time codes is devised work. In the following, we give some performance analysis in [20] by use of rotated constellation and the Hadamard ofthiscodeforM = 2m cases. 4 EURASIP Journal on Wireless Communications and Networking

3.2. Performance of USTC-UWB System. Suppose Φ and high signal-to-noise ratio (SNR) region, this probability is Φ are two different transmitted ST codewords, then the upper-bounded by pairwise error probability (PEP) conditioned on the channel ⎛ ⎞−N matrix Hj , j = 1, ..., N,isgivenby[20] &r L&−1 1 ⎝ Ψ(l) E ⎠ P Φ −→ Φ ≤ λm , (19) 2 8M N0 m=1l=0 E P Φ −→ Φ | j j = ... N = d2 Φ Φ H , 1, , Q MN , , 4 0 where r is the rank of Φ − Φ . (13) For the group code we design above, it can be shown that ΩM(i) − ΩM(j), ∀i =/ j has full rank, that is, r = M (thus which is tightly upper bounded as full diversity is achieved). Following the similar approach in [19] we can get that all the eigenvalues are identical, given by P Φ −→ Φ | Hj , j = 1, ..., N π i − j λ = 2 m = ... M. (14) m 4sin TR , 1, 2, , (20) 1 E 2 ≤ exp − d2 Φ, Φ . 2 8MN0 Without loss of generality, we can assume Φ0 is trans- The square distance between Φ and Φ is defined as mitted, therefore the block probability of error could be bounded by L N H TR 2 (l) T (l) 2−1 d Φ, Φ = Hj Φ − Φ Φ − Φ Hj , (15) Pe ≤ P(Φ −→ Φi) l=1 j=1 0 i=1 l T ⎛ ⎞−MN (21) ( ) hl hl ··· hl TR L−1 where Hj = [ 1j 2j Mj ] is the lth column of Hj (cf., − & π Ψ l E ≤ 2 2 ⎝ 2 ( ) ⎠ . (5)). sin TR T 2 2 2M N0 Since (Φ − Φ) (Φ − Φ) is real and symmetric, the l=0 eigenvalue decomposition leads to 4. Security Performance Analysis Φ − Φ T Φ − Φ = Λ T V V , (16) There are a variety of metrics used to describe the security properties in a wireless communications system from {v ... v } where the columns 1, , M of V are the orthogonal different aspects. The most important of them is LPD, T eigenvectors of (Φ − Φ ) (Φ − Φ ), and the diagonal matrix LPI, and anti-jamming capability. LPD is concerned with Λ contains its eigenvalues λm, m = 1, ..., M. Using (16), the preventing adversaries from detecting a radio transmission. expression (14)canbewrittenas Low probability of being detected also means low probability of being jammed by hostile transmitters, which is especially P Φ −→ Φ | Hj , j = 1, ..., N preferable for military communications. Even after being ⎧ ⎫ detected, a good secure communication system is still L N M ⎨ H 2⎬ (17) expected to have a strong ability to prevent being intercepted 1 E (l) ≤ exp − λm Hj vm . and jammed; therefore these properties should be considered 2 ⎩ 8MN ⎭ 0 l=1 n=1 m=1 equally important. In this section, we analyze the LPD, LPI, and anti-jamming performance of the proposed USTC-UWB H 2 H (l) (l) T (l) scheme. Let Ψ(l) = E{(Hj ) vm }=E{(Hj ) vmvm(Hj )}= 2 { (l) } E Hj , the average pair-wise error probability can be 4.1. Low Probability of Detection (LPD). When the channel is calculated by unknown, a common detecting approach for the eavesdrop- $ % per is to use radiometer [10, 11], which measures the energy P Φ → Φ = E P Φ −→ Φ | Hj , j = 1, ..., N in a bandwidth B over a time interval Ts. The received signal is fed to a bandpass filter with bandwidth B, followed by the L N ' ( & & E 2 Ts ≤ 1 − λ (l) squaring device and the -second integrator. The output of E exp MN m Hj the integrator is sent to a comparator with a fixed threshold 2 l= n=1 8 0 (18) 1 level. If the integrator output is higher than the threshold, the L N M ' (−1 presence of a signal is declared. 1 & & & E = 1+ λmΨ(l) , Performance of the radiometer in practical systems 2 8MN l=1 n=1 m=1 0 hasbeenwellstudiedin[10, 11]. In this subsection, we investigate the asymptotic behavior of a radiometer by where in the last line, we use the fact that the moment considering the exponent of the detection error probability. generation function for an exponential ranodm variable X When the product of the observation interval and the sX −1 with mean E(X)isE(e ) = (1 − E(X)s) . Therefore, at the bandwidth TsB 1, the output statistics of the radiometer EURASIP Journal on Wireless Communications and Networking 5

can be modeled as Gaussian [11]. Assuming that H0 and 4.2. Low Probability of Intercept (LPI). As we discussed in H1 are two hypotheses that correspond to the absence and Section 3.1, the group code we design has constant spatial presence of the signal, respectively, then inner product. When the channel is unknown to the receiver, ) * 2 the maximum-likelihood (ML) decoding is given by [16] 1 − y − μn fH y = √ exp , 0 πσ σ2 N 2 n 2 n 2 Φ = H Φ ) * (22) ML,NCSI arg max Yj 2 Φ∈{Φ ,...,Φ TR} 1 − y − μsn 1 2 j=1 fH y = √ exp , 1 πσ σ2 (26) 2 sn 2 sn N H H μ = T B = arg max tr Yj ΦΦ Yj , where the mean and the variance are given by n 2 s , Φ 2 2 j=1 σn = 4TsB, μsn = 2TsB +2γ, σsn = 4TsB +4γ,andγ = E/N0 denotes the SNR. where tr{A} denotes the trace of matrix A. When the channel To study the asymptotic behavior, we keep the observa- is known to the receiver, the ML decision rule is given by tion interval Ts fixed, and assume that the number of the (6). So if we can keep the desired user informed, but the observations Ns goes to infinity as in [7]. The Chernoff error eavesdropper uninformed, the later will be absolutely blind exponent is defined as the exponentially decreasing rate of to the transmitted information (see (26)). Thus a perfect the detection error probability P : det err secrecy can be achieved. 1 To reach this objective, we can use a reverse-channel ρ = lim inf ln Pdet err. (23) Ns →∞ Ns estimation method motivated by [6]. That is, let the desired As a negative value, ρ is required to be as large as possible receiver transmit pilot signals periodically, by which the (close to 0) for LPD. By the large deviation technique [7] transmitter can estimate the channel state information. Once + the transmitter gets the CSI, it can precode the transmit ρ = 1 f 1−α y ... y ff inf lim inf ln H 1, , Ns signal to compensate for the e ect of the forward channel α∈ N →∞ N 1 [0,1] s s and make the composite channel effectively constant. Thus, α × f y ... yN dy ... dyN the desired user can be regarded as equivalently informed, H0 1, , s 1, , s while the eavesdropper is still kept uninformed, assuming the , - 1 2 2 independence of the channels between the transmitter and = min (1 − α) ln σn + α ln σsn − ln (1 − α)σn + ασsn α∈[0,1] 2 the desired user, and the eavesdropper. This approach is valid * when channel reciprocity holds. Otherwise, some secured − α α μ − μ 2 − (1 ) sn n . feedback can be adopted for this purpose [8]. 2 (1 − α)σn2 + ασsn2 Denote the received signals for the desired user and the (24) eavesdropper by Y and Z,respectively,givenΦ transmitted. P | Φ ffi Since the conditional probability density (Z ) depends In general, it is very di cult to get an explicit expression Φ ΦΦH ρ on only through the matrix , with the constant spatial for from (24). But in secure communication scenarios, Φ P | Φ T B γ inner product property of (i.e., (Z ) is independent we can assume s (which generally holds for UWB Φ σ2 ≈ σ2 ρ with ), we have signals). This assumption implies n sn,and is obtained α = / for 1 2in(24)as P(Z) = P(Z | Φ)p(Φ) = P(Z | Φ) p(Φ) = P(Z | Φ). γ2 Φ Φ ρ ≈− . (25) (27) 4TsB This nice and simple relationship coincides with the intuition So the mutual information is that a system with larger time-bandwidth product owns P(Z | Φ) better secure properties. I(Z; Φ) = E log = 0. (28) In a secure communications system, the intended P(Z) communicators (transmitter/receiver) should avoid signal That is, the received signal of the eavesdropper Z does not detection/interception, which implies that the minimum contain any information of the transmitted signal Φ. transmit power should be used at the transmitter end and the The secrecy capacity defined in [21] is then given by highest sensitive receiver employed at the receiver end. But the communications should also prevent signal jamming, E C ≥ I Φ − I Φ = ΣΣH H in this regard the transmitter should use the maximum s (Y; ) (Z; ) log2 det IMN + H H , MN0 transmit power and employ the least sensitive receiver (see (29) Section 4.3). Therefore, certain trade-off exists between these objectives. Equation (25) also explicitly illuminates the trade- where Σ is the precoding weight matrix and H represents off between anti-jamming and LPD performance: while the the channel between the transmitter and the desired receiver, performance of the desired user in the presence of jamming which is an MN × LN block diagonal matrix with Hj (see will certainly benefit from a larger transmit power, such an (5)) as the block diagonal elements. It is easy to see that the SNR increase inevitably leads to a higher probability of being secrecy capacity is maximized by choosing Σ = HH /H detected by the eavesdropper. under the constraints of ΣH = cILN and Σ=1. 6 EURASIP Journal on Wireless Communications and Networking

4.3. Anti-Jamming Performance. Consider a passband jam- Direct-sequence spread spectrum signals are also widely ming signal J(t) with central frequency fJ , modeled as a used as a secure communications technique. With much continuous-time wide-sense stationary zero-mean random larger bandwidth, UWB is expected to outperform DSSS for process with bandwidth BJ and the power spectral density transmission secrecy [22]. An immediate conclusion from ⎧ (25) is that UWB has a better asymptotic LPD performance J ⎨⎪ 0 than DSSS due to larger bandwidth and lower SNR, given , f − fJ ≤ BJ SJ f = 2 , (30) the same observation interval Ts. This conforms to earlier ⎩⎪ 0, otherwise. observations in [10, 11]. In the following, we further examine the anti-jamming performance. It follows that the autocorrelation of J(t)is Let {cn} denote the pseudo-random code sequence of the DSSS scheme (independent and identically distributed sin πBJ τ Bernoulli), pc(t) the chip waveform, Tb the bit interval, Tc RJ (τ) = J0 cos 2πfJ τ . (31) πτ the chip interval, and Lc = Tb/Tc the spreading ratio [22]. Then the jamming signal at the output of the DSSS receiver Then the received signal at receive antenna j can be is modeled as + L − Tb c 1 M− T− L− 1 11 J t = J t cn pc t − nTc dt. l k out,DSSS( ) ( ) ( ) (36) rj (t) = hijsi (t − τ(l)) + J(t) + nj (t) (32) 0 n=0 i=0 k=0 l=0 For fair comparison with UWB, we assume that pc(t) also k with si (t −τ(l)) = φik p(t −kTf ) denoting the transmit signal takes the same form as the UWB pulse and has the energy from ith transmit antenna at kth time interval as defined in of 1/Lc. Then, following a similar procedure as in the UWB (2). case, it is not difficult to get the power of the jamming signal The jamming signal appears at the output of a single in DSSS systems as correlator as + L J fJ +BJ J B + N = J2 = c 0 P f 2df ≈ 0 J T f J,DSSS E out,DSSS c , 2 fJ −BJ 2BDSSS Jout,UWB(t) = J(t)p(t)dt (33) 0 (37) with a power of where Pc( f ) is the frequency response of pc(t), and BDSSS is the bandwidth of the DSSS signal. N = J2 J,UWB E out,UWB Comparing (34)and(37), it is observed that the output + + jamming power for DSSS is larger than that for UWB as long T f T f as BUWB >BDSSS, which means that UWB provides a better = E J(t1)J(t2)p(t1)p(t2)dt1dt2 0 0 anti-jamming protection than DSSS. + + T f T f = RJ (t1 − t2)p(t1)p(t2)dt1dt2 5. Numerical Results 0 0 + + + T f T f ∞ In this section, some numerical examples are provided j2πft1 − j2πft2 = SJ f df p(t1)e p(t2)e dt1dt2 to better illustrate our main results in the previous sec- −∞ 0 0 tions. We employ UWB signals with frame interval T f = + 2 T = . J fJ +BJ J B 25 nanoseconds and pulse duration p 0 2 nanoseconds = 0 P f df ≈ 0 J B , The second derivative of a Gaussian pulse is adopted as the 2 fJ −BJ 2 UWB transmit pulse (34) ⎡ ⎤ 2 t 2 P f p t B p t = A ⎣ − 4 ⎦e−(4t/Tp) where ( ) is the frequency response of ( )and UWB is ( ) c 1 T (38) the bandwidth of UWB pulse. Note that in the last line, we p use the fact that the pulse has unit energy. We also assume with Ac chosen such that the pulse has unit energy. that P( f ) remains constant in the range of [ fJ − BJ , fJ + BJ ] First, the simulation BER and upper bound (21)forour and approximately takes the average value of 1/ 2B . UWB proposed USTC-UWB scheme is presented in Figure 1.We Consider all L correlators, the block error rate is bounded can see that employing multiple antennas for UWB signals by (cf., (21)) dramatically improves the BER performance and analytical P bounds match the exact BER at the high SNR region, which e,UWB testifies the validity of our analysis. ⎛ ⎞−MN L− Figure 2 gives a schematic demonstration of the tradeoff TR − &1 π Ψ l E ≤ 2 2⎝ 2 ( ) 0 ⎠ . between LPD and anti-jamming performance, where the sin TR M N LJ BJ / BUWB 2 l=0 2 2 0 + 0 2 relationship between the asymptotic detection error prob- (35) ability and the BER is visualized. Note that although an EURASIP Journal on Wireless Communications and Networking 7

M = T = 2 M = T = 2 100 100

10−1 10−1

10−2 10−2

10−3 BER BER 10−3 10−4

10−4 10−5

−5 10−6 10 −10 −8 −6 −4 −2 0 2 4 6 8 −10 −8 −6 −4 −2 0 2 4 6 8 SNR (dB) SNR (dB)

N = 1 simulation N = 1 upper bound N = 1 UWB N = 1 DSSS N = 2 simulation N = 2 upper bound N = 2 UWB N = 2 DSSS N = 4 UWB N = 4 DSSS N = 4 simulation N = 4 upper bound Figure 1: BER performance of USTC-UWB and its upper bound. Figure 3: Anti-jamming performance comparison of UWB and CDMA.

0 100

−0.1 10−1 −0.2

−0.3 10−2 ρ

−0.4 BER 10−3 −0.5

−0.6 10−4

−0.7 −5 −4 −3 −2 −1 0 10 10 10 10 10 10 10−5 0 5 10 15 20 25 30 35 40 Pe Distance (m) UWB M = N = 1 UWB M = 2, N = 1 M = 2 N = 2 UWB M = 2, N = 2 M = 2 N = 1 M = 1 N = 1

Figure 2: Tradeoff between LPD and anti-jamming. Figure 4: BER performance versus coverage range of SISO, MISO, and MIMO UWB system. increase of SNR corresponds a lower BER, it also inevitably DSSS due to better interference suppression (anti-jamming) leads to a higher probability of being detected. However, capability. a MIMO system can significantly reduce this probability Finally, the coverage range extension advantage of compared with multiple-input single-output (MISO) or employing multiple antennas in UWB transmission is exam- SISO systems. ined in Figure 4. A path link model in [24] is used in Figure 3. compares the performance of unitary space- the simulation. We can see that compared to conventional time coding for UWB and DSSS signals. The simulation SISO, MISO and MIMO schemes significantly increase the parameters are set as BDSSS = 5 MHz and Lc = 16 as in [23]. transmission distance of UWB system. For instance, at the We can see that UWB and DSSS systems possess the same targetBERof10−4, SISO is able to cover a range of 1 m, diversity gain at high SNR. But UWB steadily outperforms while with 2 transmit antennas MISO can cover about 5 m. 8 EURASIP Journal on Wireless Communications and Networking

By using 2 antennas also at receiver end, the range can be [8] X. Li, M. Chen, and E. P. Ratazzi, “A randomized space-time extended to almost 12 m. It is also observed that since the transmission scheme for secret-key agreement,” in Proceedings path loss increases dramatically with the distance, the BER of of the 39th Annual Conference on Information Sciences and all three schemes becomes very large after a certain distance. Systems (CISS ’05), Baltimore, Md, USA, March 2005. Note that this comparison assumes that the same power [9] L. Yang and G. B. Giannakis, “Ultra-wideband communica- is used at transmit side; that is, for a certain transmission tions: an idea whose time has come,” IEEE Signal Processing distance, multiple antennas result in a lower transmit power, Magazine, vol. 21, no. 6, pp. 26–54, 2004. thus reducing the probability of detection. [10] A. Bharadwaj and J. K. Townsend, “Evaluation of the covertness of time-hopping impulse radio using a multi- radiometer detection system,” in Proceedings of IEEE Military 6. Conclusions Communications Conference (MILCOM ’01), vol. 1, pp. 128– 134, Washington, DC, USA, November 2001. Motivated by some recent research progress on applying [11] D. R. McKinstry and R. M. Buehrer, “Issues in the perfor- MIMO technique in UWB and secure communications, mance and covertness of UWB communications systems,” we propose a new unitary space-time coding scheme for in Proceedings of IEEE Midwest Symposium on Circuits and impulse radio UWB systems. Its error rate and various Systems, vol. 3, pp. 601–604, Tulsa, Okla, USA, August 2002. transmission secrecy metrics are analyzed. The tradeoff [12] L. Yang and G. B. Giannakis, “Analog space-time coding for between low probability of detection and anti-jamming is multi-antenna ultra-wideband transmissions,” IEEE Transac- revealed, which indicates that any of these security features tions on Communications, vol. 52, no. 3, pp. 507–517, 2004. could not be solely enhanced without sacrificing another. [13] W. P. Siriwongpairat, M. Olfat, and K. J. R. Liu, “Performance Our work demonstrates that introducing properly designed analysis and comparison of time-hopping and direct-sequence UWB-MIMO systems,” EURASIP Journal on Applied Signal space-time codes into UWB systems not only improves the Processing, vol. 2005, no. 3, pp. 328–345, 2005. performance of conventional single-antenna schemes but ff [14] A. Tyago and R. Bose, “M-PAM space-time trellis codes for also o ers prominent benefits on physical-layer transmission ultra-wideband multi-input multi-output communications,” covertness, making it a strong candidate for wireless secure IET Communications, vol. 2, no. 4, pp. 514–522, 2008. communications, especially for short-distance applications. [15] C. Abou-Rjeily, N. Daniele, and J.-C. Belfiore, “On the amplify-and-forward cooperative diversity with time-hopping Acknowledgment ultra-wideband communications,” IEEE Transactions on Com- munications, vol. 56, no. 4, pp. 630–641, 2008. This work was supported in part by the US National Science [16] B. M. Hochwald and T. L. Marzetta, “Unitary space-time mod- Foundation under Grant CCF-0515164, CNS-0721815 and ulation for multiple-antenna communications in Rayleigh flat CCF-0830462. Part of the results in this work appeared in fading,” IEEE Transactions on Information Theory, vol. 46, no. [23]. 2, pp. 543–564, 2000. [17] A. J. Paulraj, R. Nabar, and D. Gore, Introduction to Space- Time Wireless Communications, Cambridge University Press, References Cambridge, UK, 2003. [1] M.-K. Tsay, C.-H. Liao, C.-S. Shyn, and T.-Y. Yang, “Simul- [18] V. Tarokh, N. Seshadri, and A. R. Calderbank, “Space-time taneous AJ and LPD evaluations for secure communication,” codes for high data rate wireless communication: performance in Proceedings of IEEE Military Communications Conference criterion and code construction,” IEEE Transactions on Infor- (MILCOM ’07), Orlando, Fla, USA, October 2007. mation Theory, vol. 44, no. 2, pp. 744–765, 1998. [2] Q. Ling, T. Li, and J. Ren, “Physical layer built-in security [19] B. L. Hughes, “Optimal space-time constellations from enhancement of DS-CDMA systems using secure block inter- groups,” IEEE Transactions on Information Theory, vol. 49, no. leaving,” in Proceedings of the 38th Asilomar Conference on 2, pp. 401–410, 2003. Signals, Systems and Computers, Pricenton, NJ, USA, March [20] M. O. Damen, K. Abed-Meraim, and J.-C. Belfiore, “Diagonal 2004. algebraic space-time block codes,” IEEE Transactions on Infor- [3] L. Nguyen, “Self-encoded spread spectrum communications,” mation Theory, vol. 48, no. 3, pp. 628–636, 2002. in Proceedings of IEEE Military Communications Conference [21] I. Csiszar and J. Korner,¨ “Broadcast channels with confidential (MILCOM ’99), vol. 1, pp. 182–186, Atlantic City, NJ, USA, messages,” IEEE Transactions on Information Theory, vol. 24, October 1999. no. 3, pp. 339–348, 1978. [4] T. Yang and L. O. Chua, “Secure communication via chaotic [22] B. M. Sadler and A. Swami, “On the performance of episodic parameter modulation,” IEEE Transactions on Circuits and UWB and direct-sequence communication systems,” IEEE Systems I, vol. 43, no. 9, pp. 817–819, 1996. Transactions on Wireless Communications,vol.3,no.6,pp. [5] Y. Hwang and H. C. Papadopoulos, “Physical-layer secrecy 2246–2255, 2004. in AWGN via a class of chaotic DS/SS systems: analysis and [23] Y. Zhang and H. Dai, “A unitary space-time coding scheme for design,” IEEE Transactions on Signal Processing, vol. 52, no. 9, UWB systems and its application in wireless secure commu- pp. 2637–2649, 2004. nications,” in Proceedings of IEEE International Conference on [6] H. Koorapaty, A. A. Hassan, and S. Chennakeshu, “Secure Acoustics, Speech and Signal Processing (ICASSP ’06), vol. 4, pp. information transmission for mobile radio,” IEEE Communi- 485–488, Toulouse, France, May 2006. cations Letters, vol. 4, no. 2, pp. 52–55, 2000. [24] K. Siwiak and A. Petroff, “A path link model for ultra wide [7] A. O. Hero III, “Secure space-time communication,” IEEE band pulse transmissions,” in Proceedings of the 53rd IEEE Transactions on Information Theory, vol. 49, no. 12, pp. 3235– Vehicular Technology Conference (VTC ’01), vol. 2, pp. 1173– 3249, 2003. 1175, Rhodes, Greece, May 2001. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 370970, 8 pages doi:10.1155/2009/370970

Research Article An MMSE Approach to the Secrecy Capacity of the MIMO Gaussian Wiretap Channel

Ronit Bustin,1 Ruoheng Liu,2 H. Vincent Poor,2 and Shlomo Shamai (Shitz)1

1 Department of Electrical Engineering, Technion-Israel Institute of Technology, Technion City, Haifa 32000, Israel 2 Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA

Correspondence should be addressed to Ronit Bustin, [email protected]

Received 26 November 2008; Revised 15 March 2009; Accepted 21 June 2009

Recommended by Merouane´ Debbah

This paper provides a closed-form expression for the secrecy capacity of the multiple-input multiple output (MIMO) Gaussian wiretap channel, under a power-covariance constraint. Furthermore, the paper speciﬁes the input covariance matrix required in order to attain the capacity. The proof uses the fundamental relationship between information theory and estimation theory in the Gaussian channel, relating the derivative of the mutual information to the minimum mean-square error (MMSE). The proof provides the missing intuition regarding the existence and construction of an enhanced degraded channel that does not increase the secrecy capacity. The concept of enhancement has been used in a previous proof of the problem. Furthermore, the proof presents methods that can be used in proving other MIMO problems, using this fundamental relationship.

Copyright © 2009 Ronit Bustin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction the information can be decoded arbitrarily reliably by the legitimate recipient, while insuring that it cannot be deduced The information theoretic characterization of secrecy in at any positive rate by the eavesdropper. communication systems has attracted considerable attention For a discrete memoryless wiretap channel with transi- in recent years. (See [1] for an exposition of progress in this tion probability P(Yr , Ye | X), a single-letter expression for area.) In this paper, we consider the general multiple-input the secrecy capacity was obtained by Csiszar´ and Korner¨ [4]: multiple-output (MIMO) wiretap channel, presented in [2], with t transmit antennas and r and e receive antennas at the Cs = max {I(U; Yr ) − I(U; Ye)},(3) P U legitimate recipient and the eavesdropper, respectively: ( ,X) U Yr [m] = Hr X[m] + Wr [m], where is an auxiliary random variable over a certain U (1) alphabet that satisfies the Markov relationship − X − Ye[m] = HeX[m] + We[m], (Yr , Ye). This result extends to continuous alphabet cases with power constraint (2). Thus, in order to evaluate the ∈ Rr×t ∈ Re×t where Hr and He are assumed to be fixed secrecy capacity of the MIMO Gaussian wiretap channel we during the entire transmission and are known to all three need to evaluate (3) under the power constraint (2). For the m m terminals. The additive noise terms Wr [ ]andWe[ ]are degraded case Wyner’s single-letter expression of the secrecy zero-mean Gaussian vector processes independent across the capacity results from setting U ≡ X [3]: time index m. The channel input satisfies a total power constraint: Cs = max{I(X; Yr ) − I(X; Ye)}. (4) P n (X) 1 m 2 ≤ P. n X[ ] (2) The problem of characterizing the secrecy capacity of m= 1 the MIMO Gaussian wiretap channel remained open until The secrecy capacity of a wiretap channel, defined by Wyner the work of Khisti and Wornell [5] and Oggier and Hassibi [3], as “perfect secrecy” capacity is the maximal rate such that [6]. In their respective work, Khisti and Wornell [5]and 2 EURASIP Journal on Wireless Communications and Networking

Oggier and Hassibi [6] followed an indirect approach using 2. Definitions and Preliminaries a Sato-like argument and matrix analysis tools. In [2]Liu and Shamai propose a more information-theoretic approach Consider a canonical version of the MIMO Gaussian wiretap using the enhancement concept, originally presented by channel, as presented in [2]: Weingarten et al. [7], as a tool for the characterization of Yr [m] = X[m] + Wr [m], the MIMO Gaussian broadcast channel capacity. Liu and (7) Shamai have shown that an enhanced degraded version Ye[m] = X[m] + We[m], attains the same secrecy capacity as does the Gaussian input m t m distribution. From the mathematical solution in [2]itis where X[ ] is a real input vector of length ,andWr [ ]and m evident that such an enhanced channel exists; however it is We[ ] are additive Gaussian noise vectors with zero means not intuitive why, or how to construct such a channel. and covariance matrices Kr and Ke,respectively,andare m A fundamental relationship between estimation theory independent across the time index . The noise covariance and information theory for Gaussian channels was presented matrices Kr and Ke are assumed to be positive definite. The in [8]; in particular, it was shown that for the MIMO channel input satisfies a power-covariance constraint: standard Gaussian channel, n 1 T √ X[m]X[m] S,(8) = n Y snr HX + N (5) m=1 and regardless of the input distribution, the mutual infor- where S is a positive semidefinite matrix of size t × t,and mation and the minimum mean-square error (MMSE) are “” denotes “less or equal to” in the positive semidefinite related (assuming real-valued inputs/outputs) by partial ordering between real symmetric matrices. Note that (8) is a rather general constraint that subsumes constraints d √ I that can be described by a compact set of input covariance d X; snr HX + N snr matrices [7]. For example, assuming Cs(S) is the secrecy (6) 1 √ capacity under a covariance constraint (8) we have according = E HX − HE X | snr HX + N 2 , 2 to [7] the following: where E{X | Y} stands for the conditional mean of X given Cs(P) = max Cs(S), Y tr(S)≤P . This fundamental relationship and its generalizations (9) [8, 9], referred to as the I-MMSE relations, have already been Cs(P1, P2, ..., Pt) = max Cs(S), shown to be useful in several aspects of information theory: Sii≤Pi,i=1,2,...,t providing insightful proofs for entropy power inequalities where Cs(P) is the secrecy capacity under a total power [10], revealing the mercury/waterfilling optimal power allo- constraint (2), and Cs(P1, P2, ..., Pt) is the secrecy capacity cation over a set of parallel Gaussian channels [11], tackling under a per antenna power constraint. As shown in [2, 7], the weighted sum-MSE maximization in MIMO broadcast characterizing the secrecy capacity of the general MIMO channels [12], illuminating extrinsic information of good Gaussian wiretap channel (1) can be reduced to character- codes [13], and enabling a simple proof of the monotonicity izing the secrecy capacity of the canonical version (7). For of the non-Gaussianness of independent random variables full details the reader is referred to [7], and [17, Theorem 3]. [14]. Furthermore, in [15] it has been shown that using this We first give a few central definitions and relationships relationship one can provide insightful and simple proofs that will be used in the sequel. We begin with the following for multiuser single antenna problems such as the broadcast definition: channel and the secrecy capacity problem. Similar techniques T were later used in [16] to provide the capacity region for the E = E (X − E{X | Y})(X − E{X | Y}) , (10) Gaussian multireceiver wiretap channel. Motivated by these successes, this paper provides an that is, E is the covariance matrix of the estimation error alternative proof for the secrecy capacity of the MIMO Gaus- vector, known as the MMSE matrix. For the specific case in sian wiretap channel using the fundamental relationship which the input to the channel is Gaussian with covariance presentedin[8, 9], which results in a closed-form expression matrix Kx,wedefine for the secrecy capacity, that is, an expression that does not −1 EG = Kx − Kx(Kx + K) Kx, (11) include optimization over the input covariance matrix, a difficult problem on its own due to the nonconvexity of where K is the covariance matrix of the additive Gaussian the expression [5]. Thus, another important contribution noise, N. That is, EG is the error covariance matrix of the of this paper is the explicit characterization of the optimal joint Gaussian estimator. input covariance matrix that attains the secrecy capacity. The The fundamental relationship between information the- proof presented here provides the intuition regarding the ory and estimation theory in the Gaussian channel gave rise existence and construction of the enhanced degraded channel to a variety of other relationships [8, 9]. In our proof, we will which is central in the approach of [2]. Furthermore, the use the following relationship, given by Palomar and Verdu´ methods presented here could be used to tackle other MIMO in [9]: problems, using the fundamental relationships shown in ∇ I =− −1 −1 [8, 9]. K (X; X + N) K EK , (12) EURASIP Journal on Wireless Communications and Networking 3 where K is the covariance matrix of the additive Gaussian where the last inequality is due to Lemma 1 and the fact that noise, N. Kr Ke.Equalityin(15) is attained when X is Gaussian. Our first observation regarding the relationship given in Thus, we obtain the following expression: (12) is detailed in the following lemma. 1 −1 1 −1 Cs = max log det I + KxKr − log det I + KxKe Lemma 1. For any two symmetric positive semidefinite matri- 0KxS 2 2 ces K1 and K2, such that 0 K1 K2 and positive semidefinite − − 1 1 1 1 d = r x − e x matrix A,theintegral K1K2 K A(K)K K is nonnegative max log det(K + K ) log det(K + K ) 0KxS 2 2 (where K1 K2 is any path from K1 to K2). 1 det Ke The proof of the lemma is given in Appendix A. + log 2 det Kr 1 det((Kr + Kx) + (Ke − Kr )) = max − log 3. The Degraded MIMO Gaussian 0KxS 2 det(Kr + Kx) Wiretap Channel 1 det Ke + log We first consider the degraded MIMO Gaussian wiretap 2 det Kr channel, that is, Kr Ke. 1 −1 = max − log det I + (Kr + Kx) (Ke − Kr ) Theorem 1. The secrecy capacity of the degraded MIMO 0KxS 2 Gaussian wiretap channel (7), Kr Ke, under the power- 1 det Ke covariance constraint (8) is + log 2 det Kr 1 −1 1 −1 1 −1 =− r e − r Cs = log det I + SKr − log det I + SKe . (13) log det I + (K + S) (K K ) 2 2 2 1 det Ke + log Proof. Using (12) the difference to be maximized, according 2 det Kr to Wyner’s single-letter expression (4), can be written as 1 −1 1 −1 = log det I + SKr − log det I + SKe . 2 2 − − (16) I(X; Yr ) − I(X; Ye) = K 1EK 1 dK. (14) Kr Ke

This is due to the independence of the line integral (A.3)on the path in any open connected set in which the gradient is 4. The General MIMO Gaussian continuous [18]. Wiretap Channel The error covariance matrix of any optimal estimator is upper bounded (in the positive semidefinite partial ordering In considering the general case, we first note that one can between real symmetric matrices) by the error covariance apply the generalized eigenvalue decomposition [19] to the following two symmetric positive definite matrices: matrix of the joint Gaussian estimator, EG,definedin(11), for the same input covariance. Formally, E EG,andthus 1/2 −1 1/2 1/2 −1 1/2 I + S Kr S , I + S Ke S . (17) one can express E as follows: E = EG − E0,whereE0 is some positive semidefinite matrix. That is, there exists an invertible general eigenvector matrix, Due to this representation of E we can express the C, such that mutual information difference, given in (14), in the following T 1/2 −1 1/2 manner: C I + S Ke S C = I, (18) T 1/2 −1 1/2 = Λ I(X; Yr ) − I(X; Ye) C I + S Kr S C r , − − where Λr = diag{λ r , λ r , ..., λt r } is a positive definite = K 1EK 1 dK 1, 2, , Kr Ke diagonal matrix. Without loss of generality, we assume that there are b (0 ≤ b ≤ t) elements of Λr larger than 1: −1 −1 = K (EG − E0)K dK Kr Ke (15) λ1, r ≥ ...≥ λb, r > 1 ≥ λb+1, r ≥···λt, r . (19) −1 −1 −1 −1 Λr = K EGK dK − K E0K dK Hence, we can write as Kr Ke Kr Ke ⎛ ⎞ Λ ⎝ 1 0 ⎠ −1 −1 Λr = , (20) ≤ K EGK dK, Λ Kr Ke 0 2 4 EURASIP Journal on Wireless Communications and Networking

T where Λ1 = diag{λ1, r , ..., λb, r },andΛ2 = where E = E{(X − E[X | Y])(X − E[X | Y]) },and 1/2 −1 1/2 diag{λb+1, r , ..., λt, r }. Since the matrix I + S Ke S is positive deﬁnite, the problem of calculating the generalized I(X; Yr | U) − I(X; Ye | U) eigenvalues and the matrix C is reduced to a standard eigenvalue problem [19]. Choosing the eigenvectors of the = E{I(X; Yr | U = u) − I(X; Ye | U = u)} standard eigenvalue problem to be orthonormal, and the requirement on the order of the eigenvalues, leads to an = E −1E − E | U = u 1/2 −1 1/2 K [(X [X Y, ]) invertible matrix C,whichisI + S Ke S -orthonormal. Kr Ke (26) Using these deﬁnitions we turn to the main theorem of this paper. T − ×(X − E[X | Y, U = u]) | U = u K 1 dK Theorem 2. The secrecy capacity of the MIMO Gaussian − − wiretap channel (7), under the power-covariance constraint = K 1EuK 1 dK, (8),is Kr Ke

= E{ − E | U − E | U T } 1 −1 1 −1 where Eu (X [X Y, ])(X [X Y, ]) .Thus, Cs = log det I + SK − log det I + SKe 2 0 2 putting the two together, (24)becomes (21) 1 ∗ −1 1 ∗ −1 = x r − x e log det I + K K log det I + K K , − − 2 2 I(U; Yr ) − I(U; Ye) = K 1(E − Eu)K 1 dK. (27) Kr Ke where, using the invertible matrix C defined in (18) one defines, We define, E = E − Eu, and obtain ⎡ ⎛ ⎞ ⎤ −1 Λ1 0 T 1/2⎣ −T ⎝ ⎠ −1 ⎦ 1/2 = E E | − E | U E | − E | U K0 = S C C − I S , (22) E ( [X Y] [X Y, ])( [X Y] [X Y, ]) 0 I(t−b)×(t−b) = E (E[E[X | Y, U] | Y] − E[X | Y, U]) and letting C = [C C ] where C is the t × b submatrix and T 1 2 1 ×(E[E[X | Y, U] | Y] − E[X | Y, U]) . C2 is the t × (t − b) submatrix, one defines, (28)

⎛ − ⎞ T 1 ∗ 1/2 ⎝ C1 C1 0⎠ T 1/2 Kx = S C C S . (23) That is, E is the error covariance of the optimal estimation of 00 E[X | Y, U]fromY, and as such it is positive semidefinite. It is easily verified that K0,definedin(22), satisfies both K0 Ke,andK0 Kr . The integral in (27)canbeupperbounded Proof. Following [7, Lemma 2], we may assume that S is using this fact and Lemma 1: (strictly) positive definite. We divide the proof into two parts: the converse part, that is, constructing an upper bound, I U − I U and the achievability part-showing that the upper bound is ( ; Yr ) ( ; Ye) attainable. = K−1EK −1 dK − K−1EK −1 dK K0Ke K0Kr (29) (a) Converse. Our goal is to evaluate the secrecy capacity − − expression (3). Due to the Markov relationship, U − X − ≤ K 1EK 1 dK. K Ke (Yr , Ye), the difference to be maximized can be written as 0

Equality will be attained when the second integral equals I(U; Yr ) − I(U; Ye) zero. Using the upper bound in (29) we present two possible proofs that result with the upper bound given in (30). The ={I(X; Yr ) − I(X; Ye)}−{I(X; Yr | U) − I(X; Ye | U)}. more information-theoretic proof is given in the sequel, (24) while the second, the more estimation-theoretic proof, is relegated to Appendix B. We use the I-MMSE relationship (12) on each of the two The upper bound given in (29) can be viewed as the diﬀerences in (24): secrecy capacity of an MIMO Gaussian model, similar to the model given in (7), but with noise covariance matrices K0 and Ke and outputs Y0[m]andYe[m], respectively. − − I(X; Yr ) − I(X; Ye) = K 1EK 1 dK, (25) Furthermore, this is a degraded model, and it is well known Kr Ke that the general solution given by Csiszar´ and Korner¨ [4], EURASIP Journal on Wireless Communications and Networking 5 reduces to the solution given by Wyner [3] by setting U ≡ X. Using (34) we can derive the following relationship (full Thus, (29)becomes details are given in Appendix D):

I U r − I U e ( ; Y ) ( ; Y ) −1 ∗ −1 = T Λ . det I + Kx K0 det C1 C1 det( 1) (35) ≤ I(U; Y0) − I(U; Ye)

≤ I(X; Y0) − I(X; Ye) And similarly we can derive − − −1 ≤ K 1EGK 1 dK ∗ −1 T det I + Kx Ke = det C C1 . (36) K0Ke 1 ≤ 1 −1 max log det I + KxK0 (30) Thus, we have 0KxS 2 ∗ −1 − 1 −1 detI + Kx K0 = Λ log det I + KxKe ∗ − det( 1), (37) 2 det I + Kx Ke 1 1 − = log det I + SK 1 which is the result attained in (33). This concludes the proof 2 0 of Lemma 3. 1 −1 − log det I + SKe , 2 Lemma 4. The following equality holds: where the third inequality is according to (15), and the last ∗ −1 ∗ −1 two transitions are due to Theorem 1,(16). This completes 1 detI + Kx K0 = 1 detI + Kx Kr . log ∗ − log ∗ − (38) the converse part of the proof. 2 det I + Kx Ke 1 2 det I + Kx Ke 1

(b) Achievability. We now show that the upper bound given Proof of Lemma 4. Due to the generalized eigenvalue decom- in (30) is attainable when X is Gaussian with covariance position (18)wehave, ∗ matrix Kx ,asdeﬁnedin(23). The proof is constructed ⎡ ⎛ ⎞ ⎤ ∗ Λ1 0 from the next three lemmas. We ﬁrst prove that Kx is a −1 = −1/2⎣ −T ⎝ ⎠ −1 − ⎦ −1/2. legitimate covariance matrix, that is, it complies with the Kr S C C I S (39) 0 Λ2 input covariance constraint (8).

∗ Using similar steps as the ones used to obtain (35)wecan Lemma 2. The matrix Kx deﬁned in (23) complies with the power-covariance constraint (8),thatis, show that, ∗ −1 0 Kx S. (31) ∗ −1 = T Λ . det I + Kx Kr det C1 C1 det( 1) (40) The proof of Lemma 2 is given in Appendix C. In the next ∗ two Lemmas we show that Kx attains the upper bound given Thus, concluding the proof of Lemma 4. in (30).

Lemma 3. The following equality holds: Putting all the above together we have that −1 ∗ −1 1 det I + SK 1 det I + Kx K 0 = 0 . 1 −1 1 −1 log − log ∗ − (32) log det I + SK − log det I + SKe 2 det I + SKe 1 2 det I + Kx Ke 1 2 0 2 Proof of Lemma 3. We first calculate the expression in the left 1 ∗ −1 = log det I + Kx K hand side (assuming S 0), which is the upper bound in 2 0 (30): 1 ∗ −1 − log det I + Kx Ke (41) 1/2 −1 1/2 T 1/2 −1 1/2 2 detI + S K0 S = det C I + S K0 S C / − / T / − / 1 2 e 1 1 2 1 2 1 1 2 det I + S K S det C I + S Ke S C 1 ∗ −1 (33) = log det I + Kx Kr 2 det Λ1 = = det Λ1, det I 1 ∗ −1 − log det I + Kx Ke , where we have used the generalized eigenvalue decomposi- 2 tion (18) and the definition of K0 (22). From (18)wenote where the first equality is due to Lemma 3, and the second that, ⎡ ⎛ ⎞ ⎤ equality is due to Lemma 4. Thus, the upper bound given I 0 in (30) is attainable using the Gaussian distribution over X, −1 = −1/2⎣ −T ⎝ ⎠ −1 − ⎦ −1/2. U ≡ ∗ Ke S C C I S (34) X,andKx ,definedin(23). This concludes the proof of 0 I Theorem 2. 6 EURASIP Journal on Wireless Communications and Networking

5. Discussion and Remarks For a function G with gradient ∇G the line integral (type II) [18]isgivenby The alternative proof we have presented here uses the −→ enhancement concept, also used in the proof of Liu and ∇ d r −→ −→ G Shamai [2], in a more concrete manner. We have constructed r 1 r 2 aspecificenhanceddegraded model. The constructed model u= 1 −→ −→ −→ −→ −→ is the “tightest” enhancement possible in the sense that under = ∇ r u r − r · r − r du. − G 1 + 2 1 2 1 T 1/2 1 1/2 u= the specified transformation, the matrix C [I+S K0 S ]C 0 is the “smallest” possible positive definite matrix, that is, both (A.3) Λr and I. −→ r t × t The specific enhancement results in a closed-form Thus in our case, where ∇G, are matrices, and ∇G = K−1A(K)K−1 the integral over a path from K to K is expression for the secrecy capacity, using K0. Furthermore, 1 2 Theorem 2 shows that instead of S we can maximize the equivalent to the following line integral: secrecy capacity by taking an input covariance matrix that 1 −1 “disregards” subchannels for which the eavesdropper has (K1 + u(K2 − K1)) A(K1 + u(K2 − K1)) an advantage over the legitimate recipient (or is equivalent u=0 to the legitimate recipient). Mathematically, this allows us × u − −1 · − du ∗ (K1 + (K2 K1)) (K2 K1) to switch back from K to Kr , and thus to show that Kx , 0 (A.4) 1 explicitly defined, is the optimal input covariance matrix. T − ∗ = u − 1 u − Intuitively, Kx is the optimal input covariance for the 1 (K1 + (K2 K1)) A(K1 + (K2 K1)) u=0 legitimate receiver, since under the transformation, C,itis −1 S for the sub-channels for which the legitimate receiver has × (K1 + u(K2 − K1)) (K2 − K1)1du. an advantage and zero otherwise. The enhancement concept was used in addition to the Since the Schur product preserves the positive defi- I-MMSE approach in order to attain the upper bound in nite/semidefinite quality [20, 7.5.3], it is easy to see that when (30). The primary usage of these two concepts came together 0 K1 K2, both are symmetric, and since A(K)isa in (29), where we derived an initial upper bound. We have positive semidefinite matrix for all K,theintegralisalways shown that the upper bound is attainable when X is Gaussian nonnegative. ∗ with covariance matrix Kx . Thus, under these conditions the second integral in (29) should be zero, that is, B. Second Proof of Theorem 2 − − K 1EK 1 dK The error covariance matrix of the optimal estimator E can K0 Kr be written as E = EL − E0, where both EL and E0 are positive = I(U; Y0) − I(U; Yr ) semidefinite, and EL is the error covariance matrix of the optimal linear estimator of E[X | Y, U]fromY. Using this = I − I (X; Y0) (X; Yr ) in (29), we have (42) 1 ∗ −1 = log det I + Kx K −1 −1 2 0 I(U; Yr ) − I(U; Ye) ≤ K EK dK K0Ke − 1 ∗ −1 log det I + Kx Kr −1 −1 2 = K EL − E0 K dK K0Ke = 0, = −1 −1 d U ≡ K ELK K (B.1) where the second transition is due to the choice X, the K0Ke third is due to the choice of a Gaussian distribution for X ∗ −1 −1 with covariance matrix Kx , and the last equality is due to − K E0K dK Lemma 4. K0 Ke −1 −1 ≤ K ELK dK, Appendices K0Ke A. Proof of Lemma 1 where the last inequality is again due to Lemma 1.Equality will be attained when EL = E, that is, when E0 = 0. The inner product between matrices A and B is defined as We denote Z = E[X | Y, U]. The optimal linear estimator T A · B = vec A vec B,(A.1)has the following form: −1 and the Schur product between matrices A and B is defined EL = Cz − CzyCy Cyz,(B.2) as where Cz is the covariance matrix of Z, Czy and Cyz are = . [A B]ij [A]ij[B]ij (A.2) the cross-covariance matrices of Z and Y,andCy is the EURASIP Journal on Wireless Communications and Networking 7

∗ covariance matrix of Y. We can easily calculate Czy and Cy Since C is invertible, in order to prove Kx S,itisenough (assuming zero mean): to show that T Czy = E E[X | Y, U]Y

⎛ − ⎞ T T 1 = E E XY | Y, U −1 ⎝ C1 C1 0⎠ −1 −T = T . C C C C (C.1) 00 = E XYT (B.3)

= Cxy = Kx

Cy = (Kx + K). We notice that,

Regarding Cz we can claim the following: ⎛ ⎞ T T T 0 E (X − E[X | Y, U])(X − E[X | Y, U]) C C1 C C2 T = T = ⎝ 1 1 ⎠. (B.4) C C [C1C2] [C1C2] T T (C.2) T C2 C1 C2 C2 = Kx − E E[X | Y, U]E[X | Y, U] thus, T Using blockwise inversion [20]wehave E E[X | Y, U]E[X | Y, U] = Cz Kx,(B.5) where equality, Cz = Kx, is attained when the estimation error is zero, that is, when X = E[X | Y, U]. Since Y = − T 1 X + N this can only be achieved when U ≡ X or U ≡ N; C C however since the Markov property, U − X − (Ye, Yr ), must ⎛ ⎞ I I T −1 T I −I T −1 (C.3) be preserved, we conclude that U ≡ X inordertoachieve + C1 C2M C2 C1 C1 C2M = ⎝ ⎠, equality. − −1 T I −1 M C2 C1 M We have Kx −C0 = Cz,whereC0 is a positive semideﬁnite matrix, and the linear estimator is

−1 EL = Kx − C0 − Kx(Kx + K) Kx. (B.6) I T −1 where denotes (C1 C1) and Substituting this into the integral in (B.1)wehave

I(U; Yr ) − I(U; Ye) − T T T 1 T M = C C2 − C C1 C C1 C C2 0(C.4) −1 −1 2 2 1 1 ≤ K ELK dK K0Ke − −1 − ≤ K 1 Kx − Kx(Kx + K) Kx K 1 dK (B.7) T K0 Ke due to the positive deﬁnite quality of C C and the Schur 1 −1 1 −1 Complement Lemma [20]. Hence, = log det I + KxK − log det I + KxKe 2 0 2 ≤ 1 −1 − 1 −1 log det I + SK0 log det I + SKe , ⎛ ⎞ 2 2 −1 I 0 CT C − ⎝ ⎠ where the second inequality is due to Lemma 1, and the last 00 inequality is due to Theorem 1,(16). The resulting upper ⎛ ⎞ bound equals the one given in (30). The rest of the proof I T −1 T I −I T −1 C1 C2M C2 C1 C1 C2M follows via similar steps to those in the proof given in = ⎝ ⎠ − −1 T I −1 Section 4. M C2 C1 M (C.5) ⎛ ⎞⎛ ⎞⎛ ⎞ T I −IC C2 00 I 0 = ⎝ 1 ⎠⎝ ⎠⎝ ⎠ C. Proof of Lemma 2 −1 − T I 0 I 0 M C2 C1 I T Since the sub-matrix C1 C1 is positive semideﬁnite it is ∗ ∗ . evident that 0 Kx . Thus, it remains to show that Kx S. 0 8 EURASIP Journal on Wireless Communications and Networking

D. Deriving Equation (35) [6] F. Oggier and B. Hassibi, “The secrecy capacity of the MIMO wiretap channel,” in Proceedings of IEEE International Symposium on Information Theory (ISIT ’08), pp. 524–528, ∗ −1 det I + Kx K0 Toronto, Canada, July 2008. ⎛ ⎛ ⎞ [7] H. Weingarten, Y. Steinberg, and S. Shamai (Shitz), “The I capacity region of the Gaussian multiple-input multiple- ⎝ / ⎝ 0⎠ T = det I + S1 2C C output broadcast channel,” IEEE Transactions on Information 00 Theory, vol. 52, no. 9, pp. 3936–3964, 2006. ⎡ ⎛ ⎞ ⎤ ⎞ [8] D. Guo, S. Shamai (Shitz), and S. Verdu,´ “Mutual information Λ 1 0 and minimum mean-square error in Gaussian channels,” IEEE ×⎣C−T ⎝ ⎠C−1 − I⎦S−1/2⎠ 0 I Transactions on Information Theory, vol. 51, no. 4, pp. 1261– ⎛ ⎛ ⎞ ⎡ ⎛ ⎞ ⎤ ⎞ 1282, 2005. [9] D. P. Palomar and S. Verdu,´ “Gradient of mutual information I 0 Λ1 0 = det⎝I + ⎝ ⎠CT ⎣C−T ⎝ ⎠C−1 − I⎦C⎠ in linear vector Gaussian channels,” IEEE Transactions on 00 0 I Information Theory, vol. 52, no. 1, pp. 141–154, 2006. ⎛ ⎛ ⎞ ⎛ ⎞⎞ [10] D. Guo, S. Shamai (Shitz), and S. Verdu,´ “Proof of entropy I IΛ power inequalities via MMSE,” in Proceedings of IEEE Interna- ⎝ ⎝ 0⎠ T ⎝ 1 0⎠⎠ = det( I − C C + tional Symposium on Information Theory (ISIT ’06), pp. 1011– 00 00 1015, Seattle, Wash, USA, July 2006. ⎛ ⎛ ⎞⎛ ⎞ [11] A. Lozano, A. M. Tulino, and S. Verdu,´ “Optimum power I I−1 T 0 C1 C2 allocation for parallel Gaussian channels with arbitrary input = det⎝I − ⎝ ⎠⎝ ⎠ 00 CT C CT C distributions,” IEEE Transactions on Information Theory, vol. 2 1 2 2 52, no. 7, pp. 3033–3051, 2006. ⎛ ⎞⎞ [12] S. Christensen, R. Agarwal, E. Carvalho, and J. Cioffi, IΛ1 0 +⎝ ⎠⎠ “Weighted sum-rate maximization using weighted MMSE 00 for MIMO-BC beamforming design,” IEEE Transactions on ⎛ ⎛ ⎞ ⎛ ⎞⎞ Wireless Communications, vol. 7, no. 12, pp. 4792–4799, 2008. I T IΛ [13] M. Peleg, A. Sanderovich, and S. Shamai (Shitz), “On extrinsic ⎝ ⎝I C1 C2⎠ ⎝ 1 0⎠⎠ = det I − + information of good binary codes operating over Gaussian 00 00 channels,” European Transactions on Telecommunications, vol. ⎛ ⎞ 18, no. 2, pp. 133–139, 2007. IΛ −I T 1 C1 C2 [14] A. M. Tulino and S. Verdu,´ “Monotonic decrease of the non- = det⎝ ⎠ 0 I Gaussianness of the sum of independent random variables: a simple proof,” IEEE Transactions on Information Theory, vol. = det I det(Λ ). 52, no. 9, pp. 4295–4297, 2006. 1 [15] D. Guo, S. Shamai (Shitz), and S. Verdu,´ “Estimation in (D.1) Gaussian noise: properties of the minimum mean-square error,” in Proceedings of IEEE International Symposium on Acknowledgments Information Theory (ISIT ’08), Toronto, Canada, July 2008. [16] E. Ekrem and S. Ulukus, “Secrecy capacity region of the This work has been supported by the Binational Science Gaussian multi-receive wiretap channel,” in Proceedings of Foundation (BSF), the FP7 Network of Excellence in Wireless IEEE International Symposium on Information Theory (ISIT Communications NEWCOM++, and the U.S. National ’09), Seoul, Korea, June-July 2009. Science Foundation under Grants CNS-06-25637 and CCF- [17] R. Liu, T. Liu, H. V. Poor, and S. Shamai (Shitz), “Multiple- input multiple-output Gaussian broadcast channels with 07-28208. coonfidential messages,” submitted to IEEE Transactions on Information Theory and in Proceedings of IEEE International References Symposium on Information Theory (ISIT’09), Seoul, Korea, June-July 2009. [1] Y. Liang, H. V. Poor, and S. Shamai (Shitz), “Information [18] T. M. Apostol, Calculus, Multi-Variable Calculus and Linear theoretic security,” Foundations and Trends in Communications Algebra, with Applications to Differential Equations and Prob- and Information Theory, vol. 5, no. 4-5, pp. 355–580, 2008. ability, Wiley, New York, NY, USA, 2nd edition, 1969. [2] T. Liu and S. Shamai (Shitz), “A note on secrecy capacity [19] G. Strang, Linear Algebra and Its Applications,Wellesley- of the multi-antenna wiretap channel,” IEEE Transaction on Cambridge Press, Wellesley, Mass, USA, 1998. Information Theory, vol. 55, no. 6, pp. 2547–2553, 2009. [20]R.A.HornandC.R.Johnson,Matrix Analysis, University [3] A. D. Wyner, “The wire-tap channel,” Bell System Technical Press, Cambridge, UK, 1985. Journal, vol. 54, no. 8, pp. 1355–1387, 1975. [4] I. Csiszar´ and J. Korner,¨ “Broadcast channels with confidential messages,” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 339–348, 1978. [5] A. Khisti and G. Wornell, “The MIMOME channel,” in Proceedings of the 45th Annual Allerton Conference on Com- munication, Control and Computing,Monticello,Ill,USA, September 2007. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 142374, 12 pages doi:10.1155/2009/142374

Research Article Compound Wiretap Channels

Yingbin Liang,1 Gerhard Kramer,2 H. Vincent Poor,3 and Shlomo Shamai (Shitz)4

1 Department of Electrical Engineering, University of Hawaii, Honolulu, HI 96822, USA 2 Department of Electrical Engineering, University of Southern California, Los Angeles, CA 90089, USA 3 Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA 4 Department of Electrical Engineering, Technion-Israel Institute of Technology, Technion City, Haifa 32000, Israel

Correspondence should be addressed to Yingbin Liang, [email protected]

Received 1 December 2008; Revised 5 August 2009; Accepted 24 August 2009

Recommended by Hesham El-Gamal

This paper considers the compound wiretap channel, which generalizes Wyner’s wiretap model to allow the channels to the (legitimate) receiver and to the eavesdropper to take a number of possible states. No matter which states occur, the transmitter guarantees that the receiver decodes its message and that the eavesdropper is kept in full ignorance about the message. The compound wiretap channel can also be viewed as a multicast channel with multiple eavesdroppers, in which the transmitter sends information to all receivers and keeps the information secret from all eavesdroppers. For the discrete memoryless channel, lower and upper bounds on the secrecy capacity are derived. The secrecy capacity is established for the degraded channel and the semideterministic channel with one receiver. The parallel Gaussian channel is further studied. The secrecy capacity and the secrecy degree of freedom (s.d.o. f.) are derived for the degraded case with one receiver. Schemes to achieve the s.d.o. f. for the case with two receivers and two eavesdroppers are constructed to demonstrate the necessity of a preﬁx channel in encoder design. Finally, the multi-antenna (i.e., MIMO) compound wiretap channel is studied. The secrecy capacity is established for the degraded case and an achievable s.d.o. f. is given for the general case.

Copyright © 2009 Yingbin Liang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction not at the transmitter. However, we note that having the channel state information at the receivers comes at no cost The compound channel models transmission over a channel to the communication rate, because the channel states can be that may take a number of states and reliable communication learned by the receivers at the beginning of transmission via needs to be guaranteed regardless of which state occurs. training symbols whose length is negligible compared to the For example, this type of channel might arise in real- codeword length. time wireless communications when the transmitter has We can also interpret the compound wiretap channel no knowledge of the channel state, but zero performance as the multicast channel with multiple eavesdroppers (see outage needs to be guaranteed subject to a stringent delay Figure 1). In this case, the number of states to the receiver constraint. In this paper, we are interested in the compound now becomes the number of receivers with each state channel with an eavesdropper that receives outputs via corresponding to one receiver, and the number of states a compound channel that may also take a number of to the eavesdropper becomes the number of eavesdroppers states. Now the transmitter not only needs to guarantee with each state corresponding to one eavesdropper. The reliable communication to the legitimate receiver, but also transmitter wishes to transmit information to all receivers needs to prevent the information from being known by the and keep the information secret from all eavesdroppers. In eavesdropper. This is a generalization of Wyner’s wiretap this paper, we adopt this interpretation. From this viewpoint, channel [1] to the case of multiple channel states. the compound wiretap channel provides a general frame- We consider the situation in which the channel remains work that includes a number of models studied previously in the same state during the entire transmission, and the as special cases. These models include the parallel wiretap channel state is known at the corresponding receivers, but channel with two eavesdroppers studied in [2, 3], the fading 2 EURASIP Journal on Wireless Communications and Networking

Gaussian channels while secure network coding addresses P y |x Y n Y1|X ( 1 ) 1 deterministic networks.

n We then study an example parallel Gaussian compound PY |X (y |x) Y 2 2 2 Legitimate wiretap channel with two receivers and two eavesdroppers. . receivers . For this channel, we propose three schemes. Scheme 1 is to . map source information directly to Gaussian channel inputs, P y |x Y n YJ |X ( J ) J and this scheme is shown to be strictly suboptimal. Scheme 2 Transmitter Xn is to introduce a key random variable to randomize the n source information, and this scheme achieves the s.d.o. f. PZ |X (z |x) Z 1 1 1 Scheme 3 is to randomize the encoder by introducing a n PZ |X (z |x) Z random prefix channel, and this scheme is also shown to 2 2 2 s.d.o. f. . Eavesdroppers achieve the This example channel demonstrates that . randomization of either source information or encoder is n necessary to achieve the s.d.o. f. for the parallel Gaussian PZ |X (zK |x) Z K K compound channels. We finally study the multiinput multioutput (MIMO) Figure 1: Compound wiretap channel. compound wiretap channel. We first provide the secrecy capacity for the degraded MIMO compound wiretap channel. We then study the general MIMO compound wiretap channel, for which we propose an input scheme and derive an achievable s.d.o. f. (a lower bound on the s.d.o. f.) wiretap channels with multiple eavesdroppers studied in [4], based on this scheme. Comparing with the MIMO channel and the wiretap channel with multiple receivers studied in without eavesdroppers, the achievable s.d.o. f. of the MIMO [5]. compound wiretap channel is reduced by the maximal In this paper, we first study the discrete memoryless dimension of the projection of wiretap channel matrices on compound wiretap channel, for which we provide lower and the vector space spanned by the eigenvectors corresponding upper bounds on the secrecy capacity. The lower bound to nonzero eigenvalues of channel matrices to the receiver. indicates that the channel input scheme needs to balance We further note that after our conference publication the rates for all receiver-eavesdropper pairs, and hence none [7] appeared with the results presented here, another upper of them may achieve their best secrecy rate. We further bound on the secrecy capacity of the compound wiretap establish the secrecy capacity for the degraded channel and channel was derived in [8]. The secrecy capacity result for the semideterministic channel with one receiver and multiple the parallel Gaussian compound wiretap channel was also eavesdroppers. extended to the nondegraded parallel Gaussian compound We further study the parallel Gaussian compound wire- wiretap channel with one receiver and multiple eavesdrop- tap channel, in which the channels to each receiver and pers in [8]. We also refer the reader to [9]forareviewof to each eavesdropper are parallel Gaussian channels with recent studies on compound wiretap channels. multiple Gaussian subchannels. Channels of this type arise, The rest of the paper is organized as follows. In Section 2, for example, in wideband wireless communication systems we introduce the model of the compound wiretap channel. In such as frequency division multiplexing (FDM) systems in Section 3, we present our results on the discrete memoryless which transmission takes place over a number of frequency compound wiretap channel. In Sections 4 and 5,weprovide bands, and the eavesdroppers can tune their receivers to the results on the secrecy capacity and the s.d.o. f. for two access some of these frequency bands. Understanding this cases of the parallel Gaussian compound wiretap channel. In channel is also important for studying the compound time- Section 6, we provide our results on the MIMO compound varying fading wiretap channels, as the parallel channel wiretap channel. In the last section, we give concluding serves as a general model for the fading channel. remarks. We first consider the degraded parallel Gaussian compound channel with one receiver and multiple eavesdroppers, for which we obtain the secrecy capacity. To further 2. Channel Model illustrate our results, we study the secrecy degree of freedom s.d.o. f. We consider the following compound wiretap channel ( ), which characterizes how the secrecy capacity scales model. with log SNR. We show that the s.d.o. f. depends only on the total number of subchannels that the receiver accesses and Definition 1. The compound wiretap channel consists of the maximal number of subchannels that one eavesdropper one finite channel input alphabet X, J finite channel can access. It is somewhat interesting that the s.d.o. f. does output alphabets Y1, ..., YJ , K finite channel output alpha- not depend on the total number of subchannels that all bets Z1, ..., ZK , and a set of the transition probability eavesdroppers can access and does not depend on the distributions for one channel use number of eavesdroppers either. We observe that there is a s.d.o. f. connection between the and secure network coding P y z | x j = ... J k = ... K studied in [6]. However, the s.d.o. f. is defined for noisy Yj Zk|X j , k for 1, , , 1, , ,(1) EURASIP Journal on Wireless Communications and Networking 3 where x ∈ X is the channel input from the transmitter, where U is an auxiliary random variable, and the maximum is yj ∈ Yj is the channel output at receiver j,andzk ∈ Zk taken over all distributions PUX that satisfy the Markov chain is the channel output at eavesdropper k. The channel is relationships: memoryless across channel uses. As the correlation between Yj and Zk does not affect the U −→ X −→ Yj , Zk for j = 1, ..., J, k = 1, ..., K. (7) secrecy capacity (similar to [10, Lemma 1]), without loss of optimality, we assume a transition probability of the form Proof. See Appendix A. PYj |X PZk|X as shown in Figure 1. Theorem 1 can be interpreted as a worst case result that nR Definition 2. A(2 , n) code for the compound wiretap is, the worst receiver and the best eavesdropper dominate the channel consists of the following: secrecy rate. (i) a message set: W ={1, 2, ...,2nR} with the message Theorem 2. An upper bound on the secrecy capacity of the W uniformly distributed over W; compound wiretap channel is given by f W → Xn w ∈ (ii) an encoder : mapping each message W xn ∈ Xn to a codeword ; R = min max I U; Yj − I(U; Zk) , j k P P P (8) n (j) , UX Yj Zk |X (iii) J decoders gj : Yj → W for j = 1, ..., J,each n (j) mapping received sequence yj to a message w ∈ W where U is an auxiliary random variable whose joint distribu- for j = 1, ..., J. tion with X, Yj ,andZk factors was shown in (8). The average block error probability for receiver j for j = 1, ..., J is defined as Proof. It can be seen that the quantity 2nR 1 j max I U; Yj − I(U; Zk) P = Pr w( ) = w . P P (9) e,j nR / (2) UX Yj Zk |X 2 w=1 The secrecy level of the message W at eavesdropper k for k = in (8) is the secrecy capacity of the wiretap channel with the P 1, ..., K is defined by the following equivocation rate: transition probability distribution Yj Zk|X [11, Corollary 2]. But the secrecy capacity of the compound wiretap channel 1 n is less than the secrecy capacity of any receiver-eavesdropper H W | Zk . (3) n pair. A rate-equivocation pair (R, Re)is achievable if there exists a sequence of (2nR, n) codes with the average error We note that it may not be possible to achieve the upper probabilities bound given in Theorem 2 in general. This is because the input scheme needs to balance the rates that can be achieved P(n) −→ j = ... J for all receiver-eavesdropper pairs, and consequently, none e,j 0for 1, , (4) of them can achieve its best rate. This can also be seen from n as goes to infinity and with the equivocation rate satisfying the achievable rate in (6). The input distribution PUX that maximizes the minimum of the secrecy rates of all receiver- 1 n Re ≤ lim H W | Zk for k = 1, ..., K. (5) n →∞n eavesdropper pairs may not be optimal for any single pair. We now give an example channel in which the lower In this paper, we are interested in the case of perfect bound given in Theorem 1 can be shown to be the secrecy secrecy, that is, R = Re. A secrecy rate R is achievable if capacity. We say that the compound wiretap channel is the rate-equivocation pair (R, R)isachievable.Thesecrecy degraded if the transition probability satisfies the Markov capacity is defined to be the maximal achievable secrecy rate. chain relationships:

3. Discrete Memoryless Compound X −→ Yj −→ Zk (10) Wiretap Channels for all j = 1, ..., J and k = 1, ..., K. For the degraded In the following, we provide lower and upper bounds on the compound wiretap channel, we have the following capacity secrecy capacity of the compound wiretap channel. theorem.

Theorem 1. Thefollowingsecrecyrateisachievableforthe Theorem 3. The secrecy capacity of the degraded compound compound wiretap channel: wiretap channel is given by R = max min I U; Yj − max I(U; Zk) C = max min I X; Yj − max I(X; Zk) j k PX j k (6) (11) = max min I U; Yj − I(U; Zk) , = max min I X; Yj − I(X; Zk) . j,k PX j,k 4 EURASIP Journal on Wireless Communications and Networking

Deterministic X1 Y1 channel X2 Y2 X Y 3 . 3 Y Transmitter. . . Receiver Receiver . . . XN−1 YN−1 XN YN Transmitter X Z1 Eavesdropper 1 ··· Z Z2 Eavesdropper 2 11 . Z12 Eavesdropper 1 ...... ZK3 ZK Eavesdropper K K ZKN Eavesdropper Figure 2: Semideterministic compound wiretap channel. Figure 3: Parallel compound wiretap channel with one receiver and K eavesdroppers. Proof. The achievability follows from Theorem 1 by setting U = X j k . The converse follows because for each ( , )andan 4. Parallel Gaussian Compound Wiretap input distribution PX ,anupperbound Channels: J = 1 Re ≤ I X; Yj − I(X; Zk) (12) In this section, we focus on the case in which J = 1andK>1, that is, one receiver and K eavesdroppers (see Figure 3). We can be derived as given in [1]. further assume that the channel from the transmitter to the receiver is the parallel Gaussian channel with N independent We next provide the secrecy capacity for the semide- subchannels, and the outputs of the subchannels at the terministic compound wiretap channel, which has one receiver for one channel use are given by receiver (J = 1) and K eavesdroppers. The channel from the Ya = Xa + Wa for a = 1, ..., N, transmitter to the receiver is a deterministic channel; that (17) is, the transition probability distribution PY|X takes on the where W1, ..., Wa are independent Gaussian random vari- 2 2 values 0 or 1 only, where the output at the receiver is denoted ables with variances w , ..., wa, and these noise variables Y 1 by (see Figure 2). are independent and identically distributed (i.i.d.) across channel uses. We note that for this model, Y1, ..., YN indicate Theorem 4. The secrecy capacity of the semideterministic N J = the outputs at the receiver from the subchannels, and do compound wiretap channel with 1 is given by not indicate the outputs corresponding to diﬀerent receivers. The channel input is subject to the average power constraint Cs = max min H(Y | Zk). P PX k (13) , that is, n N Proof. To prove the achievability, we apply (6) and obtain the 1 X2 ≤ P n ai , (18) following achievable rate: i=1 a=1

R = I U Y − I U Z where i is the symbol time index. We assume that each max min[ ( ; ) ( ; k)], (14) k eavesdropper can access some subchannels. On letting A ⊆{ ... N} P k 1, , include all indices of the subchannels that where the maximum is taken over all distributions UX that eavesdropper k can access, the outputs at eavesdropper k are satisfy the Markov chain relationship: given by

U −→ X −→ (Y, Zk) for k = 1, ..., K. (15) Zka = Xa + Vka for a ∈ Ak, (19) V a ∈ A We further let U = Y. It is clear that this choice satisﬁes where ka for k are independent Gaussian random v2 v2 ≥ w2 the previous Markov chain condition, and results in an variables with variances ka. We further assume that ka a a ∈ A achievable rate for all k, and hence the channel is degraded. For the degraded parallel Gaussian compound wiretap R = max min H(Y | Zk). channel, we have the following secrecy capacity. k (16) Corollary 1. The secrecy capacity of the degraded parallel The converse is relegated to Appendix B. Gaussian compound wiretap channel is given by ⎡ ⎤ N We note that the achievable scheme involves choosing an 1 Pa 1 Pa U = Y C = max min⎣ log 1+ − log 1+ ⎦. auxiliary random variable . This indicates that a preﬁx N k w2 v2 Pa≤P 2 a 2 ka channel from U to the actual channel input X at the encoder a=1 a=1 a∈Ak is necessary to achieve the secrecy capacity. (20) EURASIP Journal on Wireless Communications and Networking 5

Proof. The achievability follows from Theorem 3 by choosing X1 Y1 Receiver 1 X = X1, ..., XN with independent components and each X ∈ N P a (0, a).Theconversefollowsfrom[12,Theorem2] Transmitter R = Y by setting 0 0 for each eavesdropper. X21 21 Y Receiver 2 X22 22 We note that the parallel Gaussian compound wiretap channel is a more general model than the model in [3]in Z that the number of eavesdroppers is arbitrary, each eaves- 1 Eavesdropper 1 dropper may access an arbitrary number of subchannels, Z2 Eavesdropper 2 and the transmitter is allowed to allocate power among the subchannels to achieve better secrecy rate. We also note that Figure 4: Parallel Gaussian compound wiretap channel example. the parallel Gaussian compound wiretap channel reduces to the Gaussian/fading wiretap channel with multiple eavesdroppers studied in [4] if there is only one subchannel. based on network coding. However, we note that Corollary 2 We further note that after our conference publication is applicable for noisy Gaussian channels while the secure [7] appeared with the results presented here, the secrecy rate given in [6, Theorem 2] is derived for deterministic capacity of the general (i.e., not necessarily degraded) parallel networks. Gaussian compound wiretap channel with one receiver and We also refer the reader to [7] for some example channels multiple eavesdroppers has been obtained in [8]. We refer the for which simple schemes were constructed to achieve the reader to [8] for further details. s.d.o. f. To gain further insight into the secrecy capacity, we consider the rate at which the secrecy capacity scales with 5. Parallel Gaussian Compound logSNR. In particular, we define the secrecy degree of Wiretap Channels: J>1 freedom (s.d.o.f.) as In this section, we study the parallel Gaussian compound C(SNR) s.d.o. f. = lim , (21) wiretap channel, in which J>1andK>1. We address →∞ / SNR (1 2) log SNR optimal schemes that achieve the best secrecy rate scaling w2 with SNR. For the sake of clarity of exposition on this issue, where without loss of generality, we choose 1 as the J = K = = P/ Nw2 we study the simplest example when 2and 2to reference noise level and define SNR ( 1). We refer illustrate the key factors that affect optimal schemes. to a lower bound on the s.d.o. f. as an achievable s.d.o. f. Example 1. Consider the parallel Gaussian compound wire- Corollary 2. Assume that the maximal number of subchannels J = K = L tap channel with 2and 2 (see Figure 4). The channel that one eavesdropper can access is .Thesecrecydegreeof output at receiver 1 is given by freedom of the degraded parallel Gaussian compound wiretap channel with one receiver is given by Y1 = X1 + W1, (23) W s.d.o. f. = N − L. (22) where 1 is a zero-mean Gaussian random variable with w2 variance 1. The channel outputs at receiver 2 are given by Proof. The achievability follows by applying Corollary 1 and Y21 = X21 + W21, Y22 = X22 + W22, (24) choosing Pa = P/N for a = 1, ..., N. The converse follows by k L considering only eavesdropper that accesses subchannels, where W21 and W22 are zero-mean independent Gaussian |Ak|=L w2 w2 that is, , and evaluating the first-order SNR random variables with variances 21 and 22. expansion of the secrecy capacity. The outputs at the two eavesdroppers are given by

Remark 1. The s.d.o. f. depends only on the maximal Z1 = X21 + V1, (25) number of subchannels that one eavesdropper can access and Z = X V does not depend on the total number of subchannels that 2 22 + 2, all eavesdroppers access. This is because the eavesdroppers where V1 and V2 are zero-mean independent Gaussian do not cooperate with each other. This implies that, even if v2 v2 random variables with variances 1 and 2,respectively. every subchannel is accessed by some eavesdropper, positive The channel input includes three components X , X , s.d.o. f. 1 21 is still possible if none of the eavesdroppers accesses and X22, and they are subject to an average power constraint a full set of the subchannels. This can also be seen from the P, that is, examplesgivenin[7]. n 1 2 2 2 E X i + X i + X i ≤ P. Remark 2. The s.d.o. f. does not depend on the number of n 1 21 22 (26) i=1 eavesdroppers. For this channel, we study the s.d.o. f.,forwhichwe s.d.o. f. w2 = We note that the in Corollary 2 is similar to the choose 1 as the reference noise level and deﬁne SNR P/w2 secure rate given in [6, Theorem 2] for multicast networks 1. 6 EURASIP Journal on Wireless Communications and Networking

An achievable rate follows from (6) and is given by W Y1 Receiver 1 R = max min{I(U; Y ) − I(U; Z ), I(U; Y ) − I(U; Z ), P 1 1 1 2 Transmitter W M UX Y I U Y Y − I U Z I U Y Y 21 ( ; 21, 22) ( ; 1), ( ; 21, 22) M Receiver 2 Y22 −I(U; Z2)}. (27) Z1 Eavesdropper 1

In the following, we study three schemes, two of which Z2 Eavesdropper 2 are based on (27). It can be seen that a prefix channel U → X is necessary to achieve the optimal s.d.o. f. For computational Figure 5: Illustration of Scheme 2. w2 = w2 = w2 = convenience, in the following we assume 1 21 22 v2 = v2 = ff s.d.o. f. 1 2 1. This assumption does not a ect the , whichwecomputeforeachscheme. Scheme 2. We choose a Gaussian input and allocate the source power equally for X1, X21,andX22. Each subchannel Scheme 1. Choose U = X = (X1, X21, X22)andX1 ∼ can hence support the following rate: N (0, P1), X21 ∼ N (0, P21), and X22 ∼ N (0, P22)in 1 P (27). Based on these distributions, Scheme 1 achieves the R = log 1+ . (33) following secrecy rate: 2 3 Recall that the source message W is uniformly distributed R = max min{I(X1; Y1) − I(X21; Z1), P P P ≤P nR 1+ 21+ 22 over the set {0, ...,2 − 1}. We generate a key random variable M that is independent of W and is also uniformly I X Y − I X Z ( 1; 1) ( 22; 2), distributed over the set {0, ...,2nR − 1}.WetransmitW over the channel X1 → Y1 and transmit W ⊕ M and M I(X21; Y21) + I(X22; Y22) − I(X21; Z1), over the channels X21 → Y21 and X22 → Y22,respectively I(X21; Y21) + I(X22; Y22) −I(X22; Z2)} (see Figure 5). It is clear that receiver 1 decodes W,and receiver 2 decodes W ⊕ M and M, and hence decodes W.For 1 1 W ⊕M M = max min log(1+P1) − log(1+P21), eavesdroppers 1 and 2, each obtains either or ,both P P P ≤P 1+ 21+ 22 2 2 of which are independent of W. Hence eavesdroppers 1 and W 1 1 2 do not get any information about , and perfect secrecy is log(1+P ) − log(1+P ), 2 1 2 22 achieved. It is clear that this scheme achieves 1 1 s.d.o. f. = 1. log(1+P ), log(1+P ) . (34) 2 22 2 21 (28) This is clearly the largest achievable s.d.o. f., because the maximal degree of freedom achievable for receiver 1 is 1. P∗ P∗ P∗ It can be seen that the optimal power allocation ( 1 , 21, 22) should result in four equal terms in the minimum in (28). We note that Scheme 2 introduces randomness into Hence we obtain the following condition: the information source to achieve secrecy. Interestingly, Scheme 2 can be interpreted as turning the channel into a 1 log 1+P∗ = log 1+P∗ = log 1+P∗ . (29) state dependent wiretap channel as studied in [13]. The key 2 1 21 22 random variable M in Scheme 2 now corresponds to the channel state, which is known to the transmitter only. As Combining the preceding equation and the power constraint shown in [13], the state variable helps improving the secrecy P∗ P∗ P∗ = P 1 + 21 + 22 ,weobtain rate. √ As remarked in Section 4,Scheme2 for the noisy P∗ = P − P 1 2 4+ +4, √ (30) Gaussian channel is similar to the scheme designed for P∗ = P∗ = P − . 21 22 4+ 2 deterministic wiretap network models in [6]. More recently, deterministic network models have been proposed and Substituting the optimal power allocation into (28), we studied (see, e.g., [14]) to obtain sufficiently accurate obtain performance for Gaussian networks. It is hence interesting to apply this approach to study the secrecy capacity or 1 √ . 1 s.d.o. f. R = log 4+P − 1 = log SNR, (31) for the Gaussian or other noisy wiretap networks. 2 4 The key step is to come up with deterministic models that approximate the performance (e.g., in terms of s.d.o. f.)of where (a =˙ b) denotes that limP →∞(a/b) = 1. noisy wiretap networks, and whose secrecy capacity can be Therefore, Scheme 1 achieves determined easily. 1 Scheme 2 also suggests that Scheme 1 is strictly subopti- s.d.o. f. = . (32) 2 mal. It is then natural to ask if we can modify Scheme 1 by EURASIP Journal on Wireless Communications and Networking 7 defining the auxiliary random variable U in (27)properlyto The channel input-output relationship at one time instant is achieve the optimal s.d.o. f. We hence propose the following given by Scheme 3. Y j = Hj X + W j for j = 1, ..., J, Scheme 3. Choose U = (X1, X21 + X22)andX1 ∼ (38) Z = G X V k = ... K N (0, P/3), X21 ∼ N (0, P/3), and X22 ∼ N (0, P/3) in (27). k k + k for 1, , , It is clear that the above choice of U satisfies the Markov chain relationship U → X → (YZ) and is hence valid. The where Hj for j = 1, ..., J and Gk for k = 1, ..., K are W ... W V ... V achievable secret rate under this scheme is given by fixed matrices, and 1, , J and 1, , K are i.i.d. Gaussian random vectors with identity covariance matrices.

R = min{I(X1; Y1) − I(X21 + X22; Z1), We assume that the channel input is subject to an average power constraint: I(X1; Y1) − I(X21 + X22; Z2), (35) n I X X Y Y − I X X Z 1 XT X ≤ P ( 21 + 22; 21, 22) ( 21 + 22; 1), n E i i , (39) i=1 I(X21 + X22; Y21, Y22) − I(X21 + X22; Z2)}. where i is the symbol time (i.e., channel use) index. Based on the joint distribution of U and X,weobtain In the following, we first study the degraded MIMO compound wiretap channel, and then study the general . 1 MIMO compound wiretap channel. We use the following I(X ; Y ) = log SNR, 1 1 2 notation associated with matrices. We use A 0 to indicate . . that A is a positive semidefinite matrix, A 0 to indicate I X X Z = I X X Z = · ( 21 + 22; 1) ( 21 + 22; 2) 0 log SNR, that A is a positive definite matrix, and A B to indicate A − B . 1 (36) that is a positive semidefinite matrix. The symbols I(X + X ; Y , Y ) = log SNR, ≺ 21 22 21 22 2 and indicate the oppositive meanings to those of and , respectively. . 1 I(X21 + X22; Y21, Y22) = log SNR. 2 6.1. Degraded MIMO Compound Wiretap Channels. As in Hence R=˙ (1/2) log SNR, and Scheme 3 achieves [19], we define the MIMO compound wiretap channel to be degraded if for each (j, k) pair, there exists a matrix Djk such D H = G D DT I s.d.o. f. = 1. (37) that jk j k and jk jk . It is easy to check that for each (j, k) pair, the channel satisfies the Markov chain X → Y → Z Compared to Scheme 1 and Scheme 3 introduces extra relationship j k. randomness in the encoder by introducing a prefix channel U → X, and hence achieves the optimal s.d.o. f. We also Theorem 5. ThesecrecycapacityofthedegradedMIMO note that for Gaussian wiretap channels, including the single- compound wiretap channel is given by input single-output channel studied in [15] and the multi- T I + Hj QHj input multi-output channel studied in [16–18], the prefix 1 C = max min log . (40) Q Q Tr Q ≤P j k T channel is not necessary to achieve the secrecy capacity, that : 0, ( ) , 2 I + GkQGk is, U = X. However, the prefix channel is necessary to achieve s.d.o. f. the optimal for the parallel Gaussian compound Proof. We only need to show that the secrecy capacity is given wiretap channel. by From Schemes 2 and 3, we also observe that introducing randomness either into the information source or into the T 1 I + Hj QHj encoder strictly improves the s.d.o. f. and hence improves the min log , (41) j k T secrecy rate. , 2 I + GkQGk

6. MIMO Compound Wiretap Channels if the input is subject to the covariance matrix constraint n In this section, we consider the MIMO compound wiretap 1 K Q n Xi , (42) channel in which the transmitter, the receivers, and the i=1 eavesdroppers are equipped with multiple antennas. We let N N K X t denote the number of antennas of the transmitter, r where Xi denotes the covariance matrix of i at symbol time denote the number of antennas of the receivers, and Ne i.Theorem5 then follows by maximizing (41)overallQ that denote the number of antennas of the eavesdroppers. We satisfy the power constraint, that is, Tr(Q) ≤ P. assume that all receivers have the same number of antennas The achievability follows from Theorem 3 by choosing and all eavesdroppers have the same number of antennas, but X ∼ N (0, Q). The proof of the converse is relegated to our analysis below is also applicable without this assumption. Appendix C. 8 EURASIP Journal on Wireless Communications and Networking

6.2. General MIMO Compound Wiretap Channels. In this Hencewehave subsection, we study the general MIMO compound wiretap / I H QHT /I G QGT channel deﬁned in (38), where we do not make the the (1 2) log + j j + k k lim →∞ / degradedness assumption. SNR (1 2) log SNR (49) Based on Theorem 1 by choosing U = X ∼ N (0, Q), it is easy to see that the following secrecy rate is achievable. = Rank Hj UL − Rank(GkUL).

Lemma 1. For the general MIMO compound wiretap channel, Therefore, we have the following theorem. an achievable secrecy rate is given by Theorem 6. An achievable secrecy degree of freedom of the T I + Hj QHj 1 MIMO compound wiretap channel is given by R = max min log . (43) Q Q Tr Q ≤P j k T : 0, ( ) , 2 I + GkQGk s.d.o. f. ≥ max min Rank Hj UL − Rank(GkUL) . L j,k In general, the maximization problem in (43)isdiﬃcult (50) to solve. To gain some insight, we study the s.d.o. f. deﬁned P/N as in (21), but with SNR = t. We note that each set L corresponds to one set of r = We design the following beamforming scheme. Let directions for which the transmitter allocates power, and hence J T Rank( j= Hj Hj )and{u , ..., ur } be the eigenvectors of 1 1 corresponds to one power allocation strategy. The optimal J HT H s.d.o. f. j=1 j j that correspond to nonzero eigenvalues. These achievable canbeobtainedbysearchingoverall vectors are directions along which at least one receiver power allocation strategies. We note that Rank(Hj UL) and {u ... u } Rank(GkUL) in (50) can be interpreted as the dimensions of may receive input signals. In fact, if we let j1, , jrj T the projections of Hj and Gk, respectively, onto the vector space be the eigenvectors of Hj Hj that correspond to nonzero spannedbythecolumnvectorsofUL. Hence the achievable eigenvalues, then the vectors in the set {(uj , ..., ujr ):j = 1 j s.d.o. f. ... J} {u ... u } is determined by the geometry of the channel matrices 1, , span the same vector space as 1, , r. {u ... u } J HT H tothereceiversandeavesdroppers. We let r+1, , Nt be the eigenvectors of j=1 j j that correspond to zero eigenvalues. We further let For the special case J = 1, that is, there is only one ⊥ receiver, the channel matrix to the receiver is H,andr U = u ···ur , U = ur ···uN . (44) T 1 +1 t becomes the rank of H H and hence the rank of H.We L ={ ... r} Then we have should always choose 1, , , and the resulting ⎡ ⎤⎡ ⎤ s.d.o. f. J T is given in the following corollary to Theorem 6. r U T ⊥ ⎣Λ ⎦⎣ ⎦ Hj Hj = [UU] , ⊥ T (45) Corollary 3. For the MIMO compound wiretap channel with j= 0Nt −r (U ) 1 J = 1, an achievable secrecy degree of freedom is given by where Λr denotes the diagonal matrix with the eigenvalues of s.d.o. f. H − G U } J HT H ≥ min{Rank( ) Rank( k ) , (51) j=1 j j as the diagonal components, and 0Nt −r denotes k the all-zero matrix of dimension (Nt − r) × (Nt − r). U We now let L be a subset of {1, 2, ..., r} and assume L = where is the matrix whose columns are the eigenvectors of HT H corresponding to nonzero eigenvalues. {l1, ..., l|L|},where|L| indicates the number of components in the set L. We then let Lc denote the complement of L with respect to the set {1, 2, ..., r} and assume Lc = We refer the reader to [7] for an example of MIMO {l ... l } compound wiretap channel for which particular signaling 1, , r−|L| .Let scheme transforms the channel into an equivalent parallel Gaussian compound wiretap channel, and a simple scheme UL = ul ···ul , ULc = ul ···ul . (46) 1 |L| 1 r−|L| can hence be constructed to achieve the s.d.o. f. for the If we choose the beamforming directions to be column channel. vectors in UL and allocate power equally for these directions, then the input covariance matrix is given by 7. Discussion and Conclusions ⎡ ⎤⎡ ⎤ I UT ⎢ |L| ⎥⎢ L ⎥ In this paper, we have studied the compound wiretap P ⊥ ⎢ ⎥⎢ T ⎥ QL = UL ULc U ⎢ 0 ⎥⎢ ULc ⎥ channel, which provides a general framework for examining |L| [ ]⎣ ⎦⎣ ⎦ (47) T multicast communication with multiple eavesdroppers. We 0 U⊥ ( ) have obtained lower and upper bounds on the secrecy and we obtain capacity for the general compound wiretap channel and T have established the secrecy capacity for the degraded and T P I Hj QLH = I Hj UL Hj UL semideterministic channel. We have further obtained the + j + |L| , secrecy capacity for the degraded parallel Gaussian and (48) P degraded MIMO compound wiretap channels. The secrecy I G Q GT = I G U T G U . + k L k + |L| ( k L) ( k L) rate/capacity in general has a worst-case interpretation. EURASIP Journal on Wireless Communications and Networking 9

We have also introduced the notion of the secrecy degree Proof. Let U be a binary random variable with distribution of freedom, which captures the most important factors that Pr{U = 1}=p and Pr{U = 2}=1 − p,andU aﬀect the scaling behavior of the secrecy capacity at high is independent of all other random variables in the model SNR. For the parallel Gaussian compound channel, we have under consideration. Let Z = (ZU , U). Clearly, Z satisﬁes the demonstrated that the s.d.o. f. depends only on the maximal Markov chain condition given in the lemma. Let number of subchannels that one eavesdropper can access p I X Z Z I X Z Z U and does not depend on the number of eavesdroppers. We f = ; 1, = ( ; 1, U , ) have also shown that randomizing either source information = I X Z Z | U or the encoder strictly improves the s.d.o. f. for an example ( ; 1, U ) (A.2) case when J>1andK>1. For the MIMO compound = pI(X; Z ) + 1 − p I(X; Z , Z ). wiretap channel, we have shown that the achievable s.d.o. f. 1 1 2 is determined by the geometries of the matrices describing It is clear that the channels to the receivers and eavesdroppers. We have also f (1) = I(X; Z1)

B.ProofoftheConverseforTheorem4 Proof. We prove the lemma by a random coding technique. We follow steps that are similar to those given in [25]except We define the following sum of error probabilities: for the step of single letter characterization. We include the proof here for the sake of completeness. pe = λj + ηk = pabλjab + ηkb|a. We consider a code with length n and average error j (A.8) k jab kab probability Pe. The probability distribution we consider is ⎡ ⎤ We show that the average of pe over a random codebook n K ffi n n ⎣ ⎦ ensemble is small for su ciently large codeword length . PW PX |W PYi|Xi PZki|Xi ,(B.1) Then, there must exist at least one codebook such that pe is i=1 k=1 small for sufficiently large n. n PY |X For a given distribution PX , we generate codewords xab, where i i is a deterministic distribution, and thus takes n n each uniformly drawn from the set T (PX ). Index xab via a = values of only 0 or 1. 1, ...,2nR and b = 1, ...,2nmaxkI(X;Zk ). By Fano’s inequality [24, Section 2.11], we have Suppose that the codeword xn is transmitted and define ab H W | Y n ≤ nRP = nδ the following decoding strategies at the receivers and the ( ) e +1: , (B.2) eavesdroppers. where δ → 0ifPe → 0. n k (1) Receiver j declares that the index pair of xab is (a, b) For each eavesdropper , since we achieve perfect secrecy, n n if there is a unique index pair such that (x , yj ) ∈ we obtain the following bound: a,b n T (PXYj ). nR = nR ≤ H W | Zn k a e k (2) Eavesdropper , given the index , declares that the n n n n n index of xab is b if there is a unique index such = I W Y | Z H W | Y Z n n n ; k + , k that (x , zk ) ∈ T (PXZ ), where Zk denotes the a,b k (a) enhanced output. ≤ H Y n | Zn − H Y n | W Zn nδ k , k + (B.3) We can compute E C[pe] by following the standard ≤ H Y n | Zn nδ techniques as in [24, Chapter 14], where EC indicates an k + average over the random codebook ensemble. We can show n that (b) ≤ H Yi | Zki + nδ, i=1 EC pe < , (A.9) where (a) follows from Fano’s inequality, and (b)follows for sufficiently large codeword length n, based on the sizes of a b from the chain rule and because conditioning does not indices and . increase entropy. Hence there exists one codebook such that for sufficiently Q n We now introduce a random variable that is inde- large codebook size pendent of all other random variables in this model, and is uniformly distributed over {1, 2, ..., n}.DefineX = XQ, pe = λj + ηk < . (A.10) Y = YQ,andZk = ZkQ. It is clear that these random variables j k satisfy the Markov chain condition Q → X → (Y, Zk). Using This leads to the conclusion that for sufficiently large these definitions, (B.3)becomes codebook size n, R ≤ H YQ | ZkQ, Q + δ λj < , ηk < (A.11) ≤ H YQ | ZkQ + δ (B.4) j = ... J k = ... K for 1, , and 1, , . = H(Y | Zk) + δ. Based on the codebook that satisfies the property given in Lemma A.2, we define the encoding as follows. We map Theboundgivenin(B.4)isapplicablefork = 1, ..., K, w xn b each message to a codeword wb with chosen uniformly and hence we obtain over the set {1, ...,2nmaxkI(X;Zk)}. Based on Lemma A.2,itis W R ≤ min H(Y | Zk) + δ clear that each receiver can decode the message with small k (B.5) probability of error. For each enhanced eavesdropper, we follow steps similar to those in [10] to obtain the following which completes the proof. equivocation rate: 1 H W | Z n ≥ R − C. Proof of the Converse for Theorem 5 n k 1, (A.12) We first prove the following lemma, which gives two useful where 1 → 0asn →∞. This concludes the proof. properties. EURASIP Journal on Wireless Communications and Networking 11

Lemma C.1. Consider matrices D, H, G,andX of dimensions where (a) follows from the degradedness assumption and conformal with the following operations. If DH = G and the concavity property given in Lemma C.1,and(b)follows DDT I f X = |I HXHT |/|I GXGT | /n n K Q , then ( ) log( + + ) is a because (1 ) i=1 Xi and from the monotonicity concave function of X 0.Furthermore, f (X) ≤ f (X + Δ) if property given in Lemma C.1. X 0, and Δ 0. Acknowledgments Proof. I + HXHT The material in this paper has been presented in part at f (X) = log the 45th Annual Allerton Conference on Communication, |I + HXHT DT D| Control, and Computing, Monticello, IL, USA, Sept. 2007, T and in part at the Annual IEEE International Symposium I + HXH = log . on Personal, Indoor and Mobile Radio Communications T −1 T T (D D) − I + I + HXH |D D| (PIMRC), Cannes, France, Sept. 2008. The work of Y. (C.1) Liang was supported by the National Science Foundation CAREER Award under Grant CCF-08-46028. The work of By [26, Lemma II.3], the preceding function is concave in I + T G. Kramer was supported in part by the Board of Trustees HXH and is hence concave in X. of the University of Illinois Subaward no. 04-217 under NSF To show the second property, we recall the following Grant CCR-0325673 and the Army Research Office under propertygivenin[27, page 3942]. If A 0, Δ 0andB 0, ARO Grant W911NF-06-1-0182. The work of H. V. Poor then |B| |B | was supported by the National Science Foundation under ≤ + Δ . Grants ANI-03-38807, CNS-06-25637 and CCF-07-28208. |A B| |A B | (C.2) + + + Δ The work of S. Shamai was supported by the European Applying the above property to (C.1), we obtain Commission in the framework of the FP7 Network of I H X HT Excellence in Wireless Communications NEWCOM++. + ( + Δ) f (X) ≤ log DT D −1 − I I H X HT DT D| ( ) + + ( + Δ) | References I + H(X + Δ)HT [1] A. D. Wyner, “The wire-tap channel,” Bell System Technical = log = f (X + Δ). |I + G(X + Δ)GT | Journal, vol. 54, no. 8, pp. 1355–1387, 1975. (C.3) [2] H. Yamamoto, “Coding theorem for secret sharing communication systems with two noisy channels,” IEEE Transactions on Information Theory, vol. 35, no. 3, pp. 572–578, 1989. To prove the converse, we first have the following bound [3] H. Yamamoto, “A coding theorem for secret sharing commu- for any (j, k) pair by referring to [15, Section III]: nication systems with two Gaussian wiretap channels,” IEEE Transactions on Information Theory,vol.37,no.3,part1,pp. n R = R ≤ 1 I X Y | Z 634–638, 1991. e n i; j,i k,i [4] P. Wang, G. Yu, and Z. Zhang, “On the secrecy capacity of i= 1 fading wireless channel with multiple eavesdroppers,” in Pro- n ceedings of the IEEE International Symposium on Information ≤ 1 h Y | Z − h Y | X Z n j,i k,i j,i i, k,i (C.4) Theory (ISIT ’07), pp. 1301–1305, Nice, France, June 2007. i=1 [5] A. Khisti, A. Tchamkerten, and G. Wornell, “Secure broadcast- n ing over fading channels,” IEEE Transactions on Information 1 Theory, vol. 54, no. 6, pp. 2453–2469, 2008. = h Y j i | Zk i − h W j i | Vk i . n , , , , [6] N. Cai and R. W. Yeung, “Secure network coding,” in Pro- i=1 ceedings of the IEEE International Symposium on Information It is easy to see that the second term is independent of the Theory (ISIT ’02), p. 323, Lausanne, Switzerland, June-July distribution of Xi. The first term is maximized by Gaussian 2002. X X K i if the covariance matrix of i is fixed to be Xi . This is [7] Y. Liang, G. Kramer, H. V. Poor, and S. Shamai (Shitz), h Y | Z Y because ( j,i k,i) is maximized by jointly Gaussian j,i “Compound wire-tap channels,” in Proceedings of the 45th Z QY Z Annual Allerton Conference on Communication, Control, and and k,i for a fixed covariance matrix j,i k,i . Therefore, we have the following bound: Computing, Monticello, IL, USA, September 2007. [8]T.Liu,V.Prabhakaran,andS.Vishwanath,“Thesecrecy n T I HKx H 1 1 + i capacity of a class of parallel Gaussian compound wiretap Re ≤ log n T channels,” in Proceedings of IEEE International Symposium on 2 I GKx G i=1 + i Information Theory (ISIT ’08), pp. 116–120, Toronto, Canada, July 2008. n T a I H /n Kx H ( ) 1 + (1 ) i=1 i [9] Y. Liang, H. V. Poor, and S. Shamai (Shitz), “Information ≤ log (C.5) n T theoretic security,” Foundations and Trends in Communications 2 I G /n Kx G + (1 ) i=1 i and Information Theory, vol. 5, no. 4-5, pp. 355–580, 2008. T [10] Y. Liang and H. V. Poor, “Multiple-access channels with (b) I HQH ≤ 1 + confidential messages,” IEEE Transactions on Information log T , 2 |I + GQG | Theory, vol. 54, no. 3, pp. 976–1002, 2008. 12 EURASIP Journal on Wireless Communications and Networking

[11] I. Csiszar´ and J. Korner,¨ “Broadcast channels with conﬁdential [27] H. Weingarten, Y. Steinberg, and S. Shamai (Shitz), “The messages,” IEEE Transactions on Information Theory, vol. 24, capacity region of the Gaussian multiple-input multiple- no. 3, pp. 339–348, 1978. output broadcast channel,” IEEE Transactions on Information [12] Y. Liang, H. V. Poor, and S. Shamai (Shitz), “Secure communi- Theory, vol. 52, no. 9, pp. 3936–3964, 2006. cation over fading channels,” IEEE Transactions on Information Theory, Special Issue on Information Theoretic Security, vol. 54, no. 6, pp. 2470–2492, 2008. [13] C. Mitrpant, A. J. H. Vinck, and Y. Luo, “An achievable region for the Gaussian wiretap channel with side information,” IEEE Transactions on Information Theory, vol. 52, no. 5, pp. 2181– 2190, 2006. [14] D. Tse, “A deterministic model for wireless channels and its applications,” in Proceedings of the IEEE Information Theory Workshop (ITW ’07), p. 607, Lake Tahoe, Calif, USA, September 2007. [15] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian wire-tap channel,” IEEE Transactions on Information Theory, vol. 24, no. 4, pp. 451–456, 1978. [16] A. Khisti and G. Wornell, “The MIMOME channel,” in Proceedings of the 45th Annual Allerton Conference on Com- munication, Control, and Computing,Monticello,IL,USA, September 2007. [17] F. Oggier and B. Hassibi, “The secrecy capacity of the MIMO wire-tap channel,” in Proceedings of the 45th Annual Allerton Conference on Communication, Control, and Computing,Mon- ticello, IL, USA, September 2007. [18] T. Liu and S. Shamai (Shitz), “A note on the secrecy capacity of the multiple-antenna wiretap channel,” IEEE Transactions on Information Theory, vol. 55, no. 6, pp. 2547–2553, 2009. [19] H. Weingarten, T. Liu, S. Shamai (Shitz), Y. Steinberg, and P. Viswanath, “The capacity region of the degraded MIMO compound broadcast channel,” in Proceedings of the IEEE International Symposium on Information Theory (ISIT ’07),pp. 766–770, Nice, France, June 2007. [20] H. Weingarten, S. Shamai (Shitz), and G. Kramer, “On the compound MIMO broadcast channel,” in Proceedings of the Information Theory and Applications Workshop (ITA ’07),La Jolla, Calif, USA, January-February 2007. [21] M. Kobayashi, Y. Liang, S. Shamai (Shitz), and M. Debbah, “On the compound MIMO broadcast channels with conﬁ- dential messages,” in Proceedings of the IEEE International Symposium on Information Theory (ISIT ’09), pp. 1283–1287, Seoul, Korea, June-July 2009. [22] G. Bagheri-Karam, A. Motahari, and A. K. Khandani, “The secrecy capacity region of the degraded vector Gaussian broadcast channel,” in Proceedings of the IEEE International Symposium on Information Theory (ISIT ’09), pp. 2772–2776, Seoul, Korea, June-July 2009. [23] I. Csiszar´ and J. Korner,¨ Information Theory: Coding Theorems for Discrete Memoryless Systems,Akademiai´ Kiado,´ Budapest, Hungary, 1981. [24] T. M. Cover and J. A. Thomas, Elements of Information Theory, John Wiley & Sons, New York, NY, USA, 1991. [25] J. Grubb, S. Vishwanath, Y. Liang, and H. V. Poor, “Secrecy capacity of semi-deterministic wire-tap channels,” in Proceed- ings of the IEEE Information Theory Workshop on Information Theory for Wireless Networks (ITW ’07), pp. 199–202, July 2007. [26] S. N. Diggavi and T. M. Cover, “The worst additive noise under a covariance constraint,” IEEE Transactions on Information Theory, vol. 47, no. 7, pp. 3072–3081, 2001. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 452907, 10 pages doi:10.1155/2009/452907

Research Article Physical Layer Security Game: Interaction between Source, Eavesdropper, and Friendly Jammer

Zhu Han,1 Ninoslav Marina,2 Merouane´ Debbah,3 and Are Hjørungnes2

1 Electrical and Computer Engineering Department, University of Houston, TX 77004, USA 2 UniK—University Graduate Center, University of Oslo, Gunnar Randers vei 19, P.O. Box 70, NO-2027 Kjeller, Norway 3 SUPELEC, Plateau de Moulon, 3 rue Joliot-Curie, Bureau 5-24, 91192 Gif-sur-Yvette Cedex, France

Correspondence should be addressed to Zhu Han, [email protected]

Received 31 December 2008; Revised 4 August 2009; Accepted 9 November 2009

Recommended by Hesham El-Gamal

Physical layer security is an emerging security area that achieves perfect secrecy data transmission between intended network nodes, while malicious nodes that eavesdrop the communication obtain zero information. The so-called secrecy capacity can be improved using friendly jammers that introduce extra interference to the eavesdroppers. We investigate the interaction between the source that transmits the useful data and friendly jammers who assist the source by “masking” the eavesdropper. To obtain distributed solution, we introduce a game theoretic approach. The game is defined such that the source pays the jammers to interfere the eavesdropper, therefore, increasing the secrecy capacity. The friendly jammers charge the source with a certain price for the jamming, and there is a tradeoff for the price. If too low, the profit of the jammers is low; and if too high, the source would not buy the “service” (jamming power) or would buy it from other jammers. To analyze the game outcome, we investigate a Stackelburg type of game and construct a distributed algorithm. Our analysis and simulation results show the effectiveness of friendly jamming and the tradeoff for setting the price. The distributed game solution is shown to have similar performances to those of the centralized one.

Copyright © 2009 Zhu Han et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction destination, while all malicious nodes are kept as ignorant of that information as possible. This maximum reliable rate is The future communication systems will be decentralized known as secrecy capacity. and adhoc, therefore allowing various types of network This line of work was pioneered by Wyner, who deﬁned mobile terminals to join and leave. This aspect makes the wiretap channel and established the possibility to create the whole system vulnerable and susceptible to attacks. almost perfect secure communication links without relying Anyone within communication range can listen and possibly on private (secret) keys [1]. Wyner showed that when extract information. While these days we have numerous the eavesdropper channel is a degraded version of the cryptographic methods with high level security, there is no main channel, the source and the destination can exchange system with perfect security on physical layer. Therefore, perfectly secure messages at a nonzero rate. The main the physical layer security is regaining a new attention. idea proposed by him is to exploit the additive noise The main goal of this paper is to design a decentralized impairing the eavesdropper by using a stochastic encoder system that will protect the broadcasted data and make that maps each message to many codewords according to it impossible for the eavesdropper to receive the packets an appropriate probability distribution. With this scheme, even if it knows the encoding/decoding schemes used by a maximal equivocation (i.e., uncertainty) is induced at the the transmitter/receiver. In approaches where physical layer eavesdropper. In other words, a maximal level of secrecy is security is applied, the main objective is to maximize the obtained. By ensuring that the equivocation rate is arbitrarily rate of reliable information from the source to the intended close to the message rate, one can achieve perfect secrecy 2 EURASIP Journal on Wireless Communications and Networking

C1 Secrecy capacity as a function of jammer power S D 1 0.9 C2 0.8 . s 0 7

J1 C M 0.6

0.5 J2 J J 0.4

Secrecy capacity 0.3 0.2 S:Source D: Destination 0.1 M: Malicious node (eavesdropper) 0 J1, ..., JJ : J friendly jammers 00.005 0.01 0.015 0.02 Useful data Jamming power Interference Jammer location (50, 75) Payment Jammer location (10, 75) Figure 1: System model for the proposed physical layer security Figure 2: Secrecy capacity versus the power of the single jammer. game.

in the sense that the eavesdropper is now limited to learn pays the jammers to interfere the malicious eavesdropper, almost nothing about the source-destination messages from and therefore, to increase the secrecy capacity. The friendly its observations. Follow-up work by Leung-Yan-Cheong and jammers charge the source with a certain price for their service of jamming the eavesdropper. One could notice that Hellman characterized the secrecy capacity of the additive ff white Gaussian noise (AWGN) wiretap channel [2]. In their there is a tradeo for the proposed price. If the price of a landmark paper, Csiszar and Korner generalized Wyner’s certain jammer is too low, its profit is also low; if its price approach by considering the transmission of confidential is too high, the source will buy from the other jammers. messages over broadcast channels [3]. Recently, there have In modeling the outcome of the above games our analysis been considerable efforts on generalizing these studies to the uses the Stackelberg type of game. Initially, the existence of wireless channel and multiuser scenarios (see [2, 4–11]and equilibrium will be studied. Then, a distributed algorithm references therein). Jamming [12–14] has been studied for will be proposed and its convergence will be investigated. The a long time to analyze the hostile behaviors of malicious outcome of the distributed algorithm will be compared to nodes. Recently, jamming has been employed to physical the centralized genie aided solution. Some implementation concerns are also discussed. From the simulation results, we layer security to reduce the eavesdropper’s ability to decode ffi ff the source’s information [15]. In other words, the jamming can see the e ciency of friendly jamming and tradeo for is friendly in this context. Moreover, the friendly helper can setting the price, the source prefers buying service from only assist the secrecy by sending codewords, and bring further one jammer, and the centralized scheme and the proposed gains relative to unstructured Gaussian noise [15–17]. game scheme have similar performance. Game theory [18] is a formal framework with a set The rest of the paper is organized as follows. In Section 2, of mathematical tools to study some complex interactions the system model of physical layer security with friendly among interdependent rational players. During the past jamming users is described. In Section 3, the game models decade, there has been a surge in research activities that are formulated, and the outcomes as well as properties of the employ game theory to model and analyze modern dis- game are analyzed. Simulation results are shown in Section 4, tributed communication systems. Most of these works [19– and conclusions are drawn in Section 5. 22] concentrate on the distributed resource allocation for wireless networks. As far as the authors’ knowledge, the game 2. System Model theory has not yet been used in the physical layer security. In this paper, we investigate the interaction between the Weconsideranetworkwithasource,adestination,a source and its friendly jammers using game theory. Although malicious eavesdropper node, and J friendly jammer nodes the friendly jammers help the source by reducing the data as shown in Figure 1. The malicious node tries to eavesdrop rate that is “leaking” from the source to the malicious node, the transmitted data coming from the source node. When at the same time they also reduce the useful data rate from the eavesdropper channel from the source to the malicious the source to the destination. Using well chosen amounts of node is a degraded version of the main source-destination power from the friendly jammers, the secrecy capacity can channel, the source and destination can exchange perfectly be maximized. In the game that we define here, the source secure messages at a nonzero rate. By transmitting a message EURASIP Journal on Wireless Communications and Networking 3 at a rate higher than the rate of the malicious node, the How much power bought versus jammer price 0.016 malicious node can learn almost nothing about the messages from its observations. The maximum rate of secrecy infor- 0.014 mation from the source to its intended destination is defined by the term secrecy capacity. 0.012 Suppose the source transmits with power P . The channel 0 . gains from the source to the destination and from the source 0 01 Gsd Gsm to the malicious node are and ,respectively.Each 0.008 friendly jammer i, i = 1, ..., J, transmits with power Pi and the channel gains from it to the destination and the malicious 0.006 Gid Gim J node are and ,respectively.Wedenoteby the set Amount of power bought of indices {1, 2, ..., J}. If the path loss model is used, the 0.004 channel gain is given by the distance to the negative power of . the path loss coefficient. The thermal noise for each channel 0 002 σ2 W is and the bandwidth is . The channel capacity for the 0 source to the destination is 0 50 100 150 200 Jammer price P Gsd C = W 0 . Jammer location (50, 75) 1 log2 1+ 2 (1) σ + i∈J PiGid Jammer location (10, 75)

Figure 3: How much power the source buys as a function of the The channel capacity from the source to the malicious node price. is P Gsm C = W 0 . U = aC − M 2 log2 1+ (2) Source’s Game: max s max( s ),(4) σ2 + i∈J PiGim

s.t.Pi ≤ Pmax,(5) The secrecy capacity is where a is the gain per unit capacity, Pmax is the maximal + power that a jammer can provide, and M is the cost to pay Cs = (C1 − C2) ,(3) for the other friendly jamming nodes. Here + where (·) = max(·,0).Both C1 and C2 are decreasing and M = p P i i, (6) convex functions of jamming power Pi.However,Cs = C1 − i∈J C2 might not be a monotonous and convex function.( Minus of two convex functions is not a convex function anymore.) where pi is the price per unit power for the friendly jammer, This is because the jamming power might decrease C1 faster Pi is the friendly jammer’s power, and J is the set of than C2. As a result, Cs might increase in some region of value friendly jammers. From (4) we note that the source will not Pi. When Pi further increases, both C1 and C2 approach zero. participate in the game if C1

3. Game for Physical Layer Security where ci ≥ 1 is a constant to balance from the payment piPi from the source and the transmission cost Pi.With In this section, we study how to use game theory to analyze different values of ci, jammers have different strategies for the physical layer security. First, we define the game between asking the price pi. Notice that Pi is also a function of the the source and friendly jammers. Next, we optimize the vector of prices (p1, ...pN ), since the power that the source source and jammer sides, respectively. Then, we prove some will buy also depends on the price that the friendly jammers properties of the proposed game. Furthermore, a comparison ask. Hence, for each friendly jammer, the optimization with the centralized scheme is constructed. Finally, we problem is discuss some implementation concerns. Friendly Jammer’s Game: max Ui. pi (8) 3.1. Game Definition. The source can be modeled as a buyer who wants to optimize its secrecy capacity minus cost In the next two subsections, we analyze the optimal by modifying the “service” (jamming power Pi) from the strategies for the source and friendly jammers to maximize friendly jammers, that is, their own utilities. 4 EURASIP Journal on Wireless Communications and Networking

3.2. Source (Buyer) Side Analysis. Introducing A = Source (0,0), dest. (100,0), malic. node (50,90), 2 2 2 2 user 1 (50,50), user 2 (50,75) P0Gsd/σ , B = P0Gsm/σ , ui = Gid/σ ,andvi = Gim/σ , i ∈ J,wehave A B + 1 Us =aW log 1+ −log 1+ 1+ j∈J uj Pj 1+ j∈J vj Pj 0.8

s U − pj Pj . 0.6 j∈J Source (9) 0.4 C >C For the source (buyer) size, we analyze the case 1 2. 0.2 By diﬀerentiating (4), we have 0 100 ∂Us aWAui/ ln 2 User 1 price 0 =− ∂P 200 50 i 1+A + j∈J uj Pj 1+ j∈J uj Pj p 100 p1 2 300 150 User 2 price aWBvi/ ln 2 − pi = . + 0 U 1+B + j∈J vj Pj 1+ j∈J vj Pj Figure 4: s versus the prices of both users. (10)

Rearranging the above equation, we have Note that 0 ≤ Pi ≤ P . Since Pi satisﬁes the polynomial max 4 3 2 function, we can have the optimal strategy as Pi + Fi,3Pi + Fi,2 pi Pi + Fi,1 pi Pi + Fi,0 pi = 0, (11)

∗ where Pi = min[max(Pi,0), Pmax]. (14) 2 2 Fi,3 = (2+2αi + A) + 2+2βi + B , Because of the complexity of the closed form solution (2+2αi + A) 2+2βi + B of the quartic equation in (14), we also consider two special Fi,2 pi = uivi cases: low interference case and high interference case. L K aW B A i i − − + v2 + u2 p u v v u , 3.2.1. Interference at the Destination Is Much Smaller than i i i i i i i 2 the Noise. Remember the deﬁnitions: A = P0Gsd/σ , B = L C K D aW AD − BC P Gsm/σ2, ui = Gid/σ2,andvi = Gim/σ2. Imagine a situation F p = i i + i i ( i i) 0 i,1 i 2 2 + 2 2 , ui vi piui vi in which all jammers are close to the malicious node and far from the destination node. In that case the interference from K L aW Au L − Bv K F p = i i ( i i i i) the jammers to the destination is very small in comparison i,0 i 2 2 + 2 2 , ui vi piui vi to the additive noise and therefore we have (12) αi = GjdPj , B + j = i U ≈ aW A − / s log(1+ ) log 1+ v P 1+ j∈J j j (15) βi = GjmPj , j =/ i − pj Pj . j∈J Ki = (1+αi)(1+αi + A), Then Li = 1+βi 1+βi + B ,

Ci = ui(2+2αi + A), ∂Us aWBvi/ ln 2 = − pi = . ∂P 0 i 1+B + j∈J vj Pj 1+ j∈J vj Pj Di = vi 2+2βi + B . (16) The solutions of the quartic equation (11) can be expressed in closed form but this is not the primary goal here. It is Rearranging we get important that the solution we are interested in is given by the following function: 2+2βi + B 1+βi 1+B + βi aWB P2 Pi − = . i + v + v2 p v 0 ∗ ∗ i i i i ln 2 Pi = Pi pi, A, B, uj , vj , Pj . (13) j =/ i (17) EURASIP Journal on Wireless Communications and Networking 5

Source (0,0), dest. (100,0), malic. node (50,90), If (B/v1) − (A/u1) ≤ 0, Us is a decreasing function of user 1 (50,50), user 2 (50,75) P1. As a result, Ps is optimized when P1 = 0, that is, the jammer would not participate the game. On the other hand, if (B/v1)−(A/u1) > 0, in order to ﬁnd the maximizing powers we have to calculate ×10−7 ∂U aWA aWB s =− − p = . ∂P u P2 + v P2 1 0 (21) 3 i 1 1 1 1 1

U 2 Hence ∗ aW B A D1

Source P = − = . 1 150 1 (22) p1 v1 u1 p1 100 0 p 1 300 From this equation we get the optimal closed-form solution 250 P∗ P∗ 200 50 i , and similarly by comparing 1 with the power under the 150 P = P = P C = User 1 price 100 User 2 price boundary conditions ( 1 0, 1 max,and s 0), we p 50 2 0 can obtain the optimal solution for the this special case.

Figure 5: U1 versus the prices of both users. 3.3. Friendly Jammer (Seller) Side Analysis. In this subsection, we study how the friendly jammers can set the optimal ff Solving the above equation we obtain a closed-form solution price to maximize its utility. By di erentiating the utility in (7) and setting it to zero, we have ∗ 2+2βi + B Pi =− , ∗ v ∂U c c − ∂P 2 i i = P∗ i p c P∗ i 1 i = . ∂p i + i i i ∂p 0 (23) i i β B 2 β B β aWB 2+2 i + − 1+ i 1+ + i + 2 2 + , This is equivalent to 4vi vi pivi ln 2 ∂P∗ z ∗ ci−1 ∗ i i Pi Pi + pici · = 0. (24) = qi + wi + , ∂pi pi ∗ (18) This happens either if Pi = 0orif where ∂P∗ P∗ p c · i = . 2+2βi + B i + i i ∂pi 0 (25) qi =− 2vi ∗ ∗ From the closed form solution of Pi the solution of pi will β B 2 β B β w = 2+2 i + − 1+ i 1+ + i be a function given as i 2 2 (19) 4vi vi ∗ ∗ 2 pi = pi σ ; Gsd; Gsm; {Gid}; {Gim} . (26) aWB zi = . ∗ vi ln 2 Notice that pi should be positive. Otherwise, the friendly ∗ jammer would not play. Finally, by comparing Pi with the power under the boundary conditions (Pi = 0, Pi = Pmax,andCs = 0), the ∗ optimal Pi in the low SNR region can be obtained. 3.4. Properties. In this subsection, we prove some properties of the proposed game. First, we prove that the power is monotonous function of the price under the two extreme 3.2.2. One Jammer with Interference That Is Much Higher cases. The properties can help for the proof of equilibrium than the Noise but Much Smaller than the Received Power existence in the later part of this subsection. at the Destination and the Malicious Node. In this case the interference from the jammer is much higher than the Property 1. Under the two special cases, the optimal power additive noise but much smaller than the power of the ∗ consumption Pi for friendly jammer i is monotonous with its received signal at the destination and the malicious node. In p u P A v P B price i, when the other friendly jammers prices are fixed. The other words, that means 1 1 1 and 1 1 1 . proof is straightforward from (18) and (22). Therefore the utility function of the source is given by A B We investigate the following analysis of the relation U ≈ aW − − p P s log 1+ log 1+ 1 1 between the price and the power. We find out that the u1P1 v1P1 (20) friendly jammer power Pi bought from the source is convex aWA aWB ≈ − − p P . in its own price pi under some conditions. To prove this we u P v P 1 1 2 2 1 1 1 1 need to check whether the second derivative ∂ Pi/∂pi < 0. 6 EURASIP Journal on Wireless Communications and Networking

In the ﬁrst special case in which the interference is small Source (0,0), dest. (100,0), malic. node (50,90), user 1 (50,50), user 2 (50,75) ∗ ∂Pi zi =− , ∂pi 2 × −6 2pi wi + zi/pi 10 (27) 4 2 ∗ ∂ Pi zi 1 = − . 2 3

1 U ∂p2 3 1/2 p w /z i pi wi + zi/pi 4 i i i +1 2

The above equation is greater than zero when pi is small. This Source 1 means when the interference is small and the price is small, the power is convex as a function of the price. 0 300 In the second special case in which the interference is severe User 1price 200 ∂P∗ i =−1 D p−3/2 100 150 1 1 , 100 ∂pi 2 p 2 50 p (28) 0 1 ∂2P∗ User2price i = 3 D p−5/2 > . 2 1 1 0 U ∂pi 4 Figure 6: 2 versus the prices of both users.

This means when the interference is severe, the power is a convex function of the price. Two user case, Us versus jammer 2 location . Next, we investigate the equilibrium of the proposed 1 4 game. At the equilibrium, no user can improve its utility by 1.3 changing its own strategy only. We first define the Stackelberg 1.2 equilibrium as follows. 1.1 SE SE Definition 1. Pi and pi are the Stackelberg equilibrium of 1 the proposed game, if when pi is fixed, 0.9 SE Us P = Us {Pi} ∀i ∈ J 0.8 i sup ( ), Source utility SE (29) P ≥{Pi }≥0, ∀i max 0.7 and when Pi is fixed, 0.6 0.5 U pSE U p ∀i ∈ J. i i = sup i i , (30) pi 0.4 −50 0 50 100 Finally, from the analysis in the previous two subsections, Jammer 2’s location we can show the following property for the proposed game. Game Centralized ∗ N ∗ N Property 2. The pair of {Pi } in (14) and {pi } in (26) i=1 i=1 U is the Stackelberg equilibrium for the proposed game. Figure 7: s versus the location of the second jammer.

Notice that there might be multiple roots in (11), as a result, there might be multiple Stackelberg equilibria. In the for the update can be obtained from the source node. This is simulation results shown in later section, we will show that similar to the distributed power control [25]. The update of the proposed scheme can still achieve the equilibria with the friendly jammers’ prices can be written in a vector form better performances than those of the no-jammer case. as

3.5. Distributed Algorithm and Convergence. In this subsec- Distributed Algorithm: p(t +1) = I p(t) , tion, we study how the distributed game can converge to (32) the Stackelberg equilibrium deﬁned in the above subsection. T After rearranging (23), we have where I = [I1, ..., IN ] , and the iteration is from time t to time t+1. Next we show that the convergence of the proposed P∗ i scheme by proving that the price update function in (32)isa pi = Ii p =− ∗ , (31) ci ∂Pi /∂pi standard function [23] deﬁned as follows.

T where p = [p1, ..., pN ] and Ii(p) is the price update Deﬁnition 2. AfunctionI(p) is standard, if for all p ≥ 0, the ∗ function. Notice that Pi is a function of p. The information following properties are satisﬁed EURASIP Journal on Wireless Communications and Networking 7

> Two user case, jamming power versus jammer 2 location (1) Positivity: p 0. . 0 025 (2) Monotonicity: if p ≥ p , then I(p) ≥ I(p ), or I(p) ≤

I(p ). . (3) Scalability: for all η>1, ηI(p) ≥ I(ηp). 0 02

In [23], it has been proved that the price will converge to 0.015 the fixed point (i.e., the Stackelberg equilibrium in our case) from any feasible initial price vector. The positivity is very p easy to prove. If the price i goes up, the source would buy 0.01 ∗ Jamming power less from the ith friendly jammer. As a result, (∂Pi /∂pi)in (23) is negative, and we prove positivity pi = Ii(p) > 0. The monotonicity and scalability can only be shown in 0.005 the two special cases. For the low interference case, from (18) it is obvious that 0 P∗ −50 0 50 100 i Ii p =− ∗ ci ∂Pi /∂pi Jammer 2 location (33) 2 2 Jammer 1 power 2 wi pi + zi pi qi pi + wi pi + zi pi = Jammer 2 power cizi Figure 8: Power versus the location of the second jammer. which is monotonically increasing in pi. For scalability, we have w p2 z p /η q p w p2 z p /η Rearranging we get Ii ηp i i + i i i i + i i + i i = < 1, ηIi p w p2 z p q p w p2 z p Au2 B β − Bv2 A α i i + i i i i + i i + i i P2 i 2+ +2 i i (2+ +2 i)P i + 3 3 i (34) Aui − Bvi since η>1. Aui 1+βi 1+B + βi − Bvi(1+αi)(1+A + αi) + 3 3 For the large interference case, from (22)wehave Aui − Bvi P∗ p i 2 i = 0. Ii p =− ∗ = (35) ci ∂Pi /∂pi ci (38) p which is monotonically increasing in i and scalable. Using the KKT condition theorem [24], the final solution For more general cases, the analysis is tractable. In the would be obtained by comparing the boundary conditions simulation section later, we employ the general simulation (i.e., Pi = 0, Pi = Pmax,andCs = 0). setups. The simulation results show that the proposed Notice that our proposed algorithm is distributive, scheme can converge and outperform the no-jammer case. in the sense that only the pricing information needs to be exchanged. In the simulation results, we compare the 3.6. Centralized Scheme. Traditionally, the centralized proposed game theoretical approach with this centralized scheme is employed assuming that all channel information scheme. is known. The objective is to optimize the secrecy capacity Finally, from the simulation results in the next section, we under the constraints of maximal jamming power. see that the distributed solution and the centralized solution ⎡ ⎛ ⎞ ⎤ are asymptotically the same if a is sufficiently large (the 2 1+ P0Gsd/ σ + i∈J PiGid C = ⎣W ⎝ ⎠ ⎦. source cares more about the secrecy capacity than for the max s max log2 ,0 Pi 2 ffi 1+ P0Gsm/ σ + i∈J PiGim payment, i.e., the source is su ciently rich).

s.t. 0 ≤ Pi ≤ Pmax, ∀i. 3.7. Implementation Discussion. Thereareseveralimplemen- (36) tation concerns for the proposed scheme. First, the channel information from the source to the malicious eavesdropper The centralized solution is found by maximizing the might not be known or accurately known. Under this secrecy capacity only. If we do not consider the constraint, condition, the secrecy capacity formula should be rewritten we have considering the uncertainty. If the direction of arrival is ∂C AWu s =− i known, multiple antenna techniques can be employed such ∂Pi (1+αi + uiPi)(1+A + αi + uiPi) as in [11]. Second, the proposed scheme needs to iteratively (37) update the price and power information. A natural question BWvi + = 0. arises if the distributed scheme has less signalling than the 1+βi + uiPi 1+B + βi + uiPi centralized scheme. The comparison is similar to distributed 8 EURASIP Journal on Wireless Communications and Networking

×10−5 Finally, for the multisource multidestination case, there are Two user case, jamming utility versus jammer 2 location 2 two possible choices to solve the problem. First, we can use clustering method to divide the network into sub-networks, 1.8 and then employ the single-source-destination pair and 1.6 multiple-friendly-jammer solution proposed in this paper. 1.4 If we believe that the jamming power can be useful for multiple eavesdroppers, some techniques such as double . 1 2 auction could be investigated. The detailed discussion is 1 beyond the scope of this paper and would be considered in our future research. 0.8 Jammer utility 0.6 0.4 4. Simulation Results 0.2 The simulation is set up as follows. The source and friendly 0 jammer have power of 0.02, the bandwidth is 1, the −50 0 50 100 noise level is 10−8, the propagation loss factor is 3, and Jammer 2 location AWGN channel is assumed. The source, destination, and Jammer 1 utility eavesdropper are located at the coordinates (0,0), (100,0), a = Jammer 2 utility and (50,50), respectively. Here we select 2 for the friendly jammer utility in (7). Figure 9: Utility versus the location of the second jammer. For single friendly jammer case, we show the simulation with the friendly jammer at the location of (50,75) and (10,75). In Figure 2, we show the secrecy capacity as a Effect of parameter a: jammer 2 location (0, 75) 1 function of the jamming power. We can see that with the increase of the jamming power, the secrecy capacity first 0.95 increases and then decreases. This is because the jamming power has different effects on C1 and C2. So there is an 0.9 optimal point for the jamming power. Also the optimal point depends on the location of the friendly jammer, and the 0.85 friendly jammer close to the eavesdropper is more effective 0.8 to improve the secrecy capacity. Moreover, notice that the curve is neither convex nor concave. Figure 3 shows how the

Secrecy capacity 0.75 amount of the power bought by the source from the jammer depends on the requested price. We can see that the power . 0 7 is reduced if the price goes high. At some point, the source ff 0.65 would stop buying the power. So there is a tradeo for setting the price, that is, if the price too high, the source would buy less power or even stop buying. 22.533.544.55 For the two-jammer case, we set up the following a Factor simulations. Malicious node is located at (50,90), the first Optimal solution friendly jammer is located at (50,50), and the second friendly Game result jammer is located at (50,75). In Figures 4, 5 and 6, the source’s utility Us, the first jammer’s utility U , and the Figure 10: Effect of the parameter a on the game. 1 second jammer’s utility U2 as function of both users’ price, are shown respectively. We can see that the source would buy service from only one of the friendly jammers. If the friendly and centralized power control in the literature [23, 25]. jammer asks too low price, the jammer’s utility is very low. Since the channel condition is continuously changing, the On the other hand, if the jammer asks too high price, it risks distributed solution only needs to update the difference of the situation in which the source would buy the service from the parameters such as power and price to be adaptive, while the other friendly jammer. There is an optimal price for each the centralized scheme requires all channel information in friendly jammer to ask, and the source would always select each time period. As a result, the distributed solution has the one that can provide the best performance improvement. a clear advantage and dominates the current and future Next, we set up a simulation of mobility. The first friendly wireless network designs. For example, the power control for jammer is fixed at (50,50), while the second friendly jammer cellular networks, the open loop power control is done only moves from (−50,75) to (100,75). In Figure 7, we show the once during the link initialization, while the close loop power source utilities of the centralized scheme and the proposed control (distributed power allocation such as [23]) is per- game. We can see that the centralized scheme serves as formed 1500 times for UMTS and 800 times for CDMA2000. a performance upper bound. The game result is not far EURASIP Journal on Wireless Communications and Networking 9 away from the upper bound, while the game solution can References be implemented in a distributed manner. The performance game is trivial when the friendly jammer 2 is close to the [1] A. D. Wyner, “The wire-tap channel,” Bell System Technical malicious eavesdropper from (20,75) to (70,75). In Figure 8, Journal, vol. 54, no. 8, pp. 1355–1387, 1975. [2] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian we show the jammers’ power as a function of jammer wiretap channel,” IEEE Transactions on Information Theory, 2’s location. We can see that depending on the jammers’ vol. 24, pp. 451–456, 1978. location, the source switches between two jammers for the [3] I. Csiszar and J. Korner, “Broadcast channels with confidential best performance. Moreover, the source also buys the optimal messages,” IEEE Transactions on Information Theory, vol. 24, amount of jamming power: when the jammer is close to no. 3, pp. 339–348, 1978. the malicious eavesdropper, the source would buy less power [4] A. O. Hero III, “Secure space-time communication,” IEEE since the jammer is more effective to improve the secrecy Transactions on Information Theory, vol. 49, no. 12, pp. 3235– capacity. In Figure 9, we show the corresponding friendly 3249+3351, 2003. jammers’ utilities of the proposed game. [5] Z. Li, W. Trappe, and R. Yates, “Secret communication via Finally, we show the effect of parameter a for the friendly multi-antenna transmission,” in Proceedings of the 41st Annual jammer utility in (7). When a is large, the friendly jammer’s Conference on Information Sciences and Systems (CISS ’07),pp. utility reduces quick if the source does not buy the service. As 905–910, Baltimore, Md, USA, March 2007. [6] R. Negi and S. Goelm, “Secret communication using artificial a result, the friendly jammer would not ask arbitrary price, noise,” in Proceedings of IEEE Vehicular Technology Conference, and performance gap to the optima solution is small. In a vol. 3, pp. 1906–1910, September 2005. Figure 10, we show the secrecy capacity as a function of [7] P. Parada and R. Blahut, “Secrecy capacity of SIMO and when the second jammer is located at (0,75). We can see that slow fading channels,” in Proceedings of IEEE International the performance gap is shrinking when a is increasing. Notice Symposium on Information Theory (ISIT ’05), pp. 2152–2155, that for the condition in which the game almost converges to Adelaide, South Australia, September 2005. the optimal solution, most value of a>1 will achieve good [8] S. Shafiee and S. Ulukus, “Achievable rates in Gaussian MISO solution, for example, the second friendly jammer located at channels with secrecy constraints,” in Proceedings of IEEE (50,75). International Symposium on Information Theory, pp. 2466– 2470, Nice, France, June 2007. [9] Y. Liang, H. V. Poor, and S. Shamai, “Secure communication 5. Conclusions over fading channels,” IEEE Transactions on Information Physical layer security is an emerging security technique Theory, vol. 54, no. 6, pp. 2470–2492, 2008. [10] P. K. Gopala, L. Lai, and H. El Gamal, “On the secrecy capacity that is an alternative for traditional cryptographic-based of fading channels,” IEEE Transactions on Information Theory, protocols to achieve perfect secrecy capacity as eavesdroppers vol. 54, no. 10, pp. 4687–4698, 2008. obtain zero information. Jamming has been shown in the [11] L. Dong, Z. Han, A. P. Petropulu, and H. V. Poor, “Secure ff literature to e ectively improve secrecy capacity. In this collaborative beamforming,” in ProceedingsofAllertonConfer- paper, we investigate the interaction between the source ence on Communication, Control, and Computing,Allerton,Ill, and friendly jammers using the game theory in order to USA, October 2008. have a distributed solution. The source pays the friendly [12] A. Kashyap, T. Bas¸ar, and R. Srikant, “Correlated jamming jammers to interfere the malicious eavesdropper such that on MIMO Gaussian fading channels,” IEEE Transactions on the secrecy capacity is increased, and therefore the security Information Theory, vol. 50, no. 9, pp. 2119–2123, 2004. of the network. The friendly jammers charge the source with [13] S. Shafiee and S. Ulukus, “Mutual Information Games in a price for the jamming. To analyze the game outcome, we Multi-user Channels with Correlated Jamming,” IEEE Trans. on Information Theory, vol. 55, no. 10, pp. 4598–4607, 2009. investigate the Stackelburg game and construct a distributed ffi algorithm. Some properties such as equilibrium and conver- [14] M. H. Brady, M. Mohseni, and J. M. Cio ,“Spatially- correlated jamming in Gaussian multiple access and broadcast gence are analyzed. From the simulation results, we conclude ff channels,” in Proceedings of the 40th IEEE Conference on the following. First, there is a tradeo for the price: If the Information Sciences and Systems (CISS ’06), pp. 1635–1639, price is too low, the profit is low; and if the price is too Princeton, NJ, USA, March 2006. high, the source would not buy or buy from other jammers. [15] L. Lai and H. El Gamal, “The relay-eavesdropper channel: Second, for the multiple jammer case, the source would buy cooperation for secrecy,” IEEE Transactions on Information service from only one jammer. Third, the centralized scheme Theory, vol. 54, no. 9, pp. 4005–4019, 2008. and distributed scheme have similar performance, especially [16]X.Tang,R.Liu,P.Spasojevic,´ and H. V. Poor, “The Gaussian when a is sufficiently large. Overall, the proposed game wiretap channel with a helping interferer,” in Proceedings of theoretical scheme can achieve a comparable performance IEEE International Symposium on Information Theory (ISIT with distributed implementation. ’08), pp. 389–393, Toronto, Canada, July 2008. [17] X. Tang, R. Liu, P. Spasojevic,´ and H. V. Poor, “Interference- assisted secret communication,” in Proceedings of the IEEE Acknowledgments Information Theory Workshop (ITW ’08), pp. 164–168, Porto, Portugal, May 2008. This work was supported by NSF CNS-0910461 and NSF [18] D. Fudenberg and J. Tirole, Game Theory, MIT Press, Cam- CNS-0905556 and was supported by the Research Council bridge, Mass, USA, 1991. of Norway through the project entitled “Mobile-to-Mobile [19]C.U.Saraydar,N.B.Mandayam,andD.J.Goodman, Communication Systems (M2M).” “Efficient power control via pricing in wireless data networks,” 10 EURASIP Journal on Wireless Communications and Networking

IEEE Transactions on Communications, vol. 50, no. 2, pp. 291– 303, 2002. [20] G. Scutari, S. Barbarossa, and D. P. Palomar, “Potential games: a framework for vector power control problems with coupled constraints,” in Proceedings of IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP ’06), vol. 4, pp. 241–244, Toulouse, France, May 2006. [21] B. Wang, Z. Han, and K. J. R. Liu, “Distributed relay selection and power control for multiuser cooperative communication networks using buyer/ seller game,” in Proceedings of Annual IEEE Conference on Computer Communications (INFOCOM ’07), pp. 544–552, Anchorage, Alaska, USA, May 2007. [22] N. Bonneau, M. Debbah, E. Altman, and A. Hjørungnes, “Non-atomic games for multi-user systems,” IEEE Journal on Selected Areas in Communications, vol. 26, no. 7, pp. 1047– 1058, 2008. [23] R. D. Yates, “A framework for uplink power control in cellular radio systems,” IEEE Journal on Selected Areas in Communications, vol. 13, no. 7, pp. 1341–1347, 1995. [24] S. Boyd and L. Vandenberghe, Convex Optimization,Cam- bridge University Press, Cambridge, UK, 2006. [25] Z. Han and K. J. R. Liu, Resource Allocation for Wireless Networks: Basics, Techniques, and Applications, Cambridge University Press, Cambridge, UK, 2008. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 824235, 29 pages doi:10.1155/2009/824235

Research Article Secrecy Capacity of a Class of Broadcast Channels with an Eavesdropper

Ersen Ekrem and Sennur Ulukus

Department of Electrical and Computer Engineering, University of Maryland, College Park, MD 20742, USA

Correspondence should be addressed to Sennur Ulukus, [email protected]

Received 1 December 2008; Accepted 21 June 2009

Recommended by Shlomo Shamai (Shitz)

We study the security of communication between a single transmitter and many receivers in the presence of an eavesdropper for several special classes of broadcast channels. As the first model, we consider the degraded multireceiver wiretap channel where the legitimate receivers exhibit a degradedness order while the eavesdropper is more noisy with respect to all legitimate receivers. We establish the secrecy capacity region of this channel model. Secondly, we consider the parallel multireceiver wiretap channel with a less noisiness order in each subchannel, where this order is not necessarily the same for all subchannels, and hence the overall channel does not exhibit a less noisiness order. We establish the common message secrecy capacity and sum secrecy capacity of this channel. Thirdly, we study a class of parallel multireceiver wiretap channels with two subchannels, two users and an eavesdropper. For channels in this class, in the first (resp., second) subchannel, the second (resp., first) receiver is degraded with respect to the first (resp., second) receiver, while the eavesdropper is degraded with respect to both legitimate receivers in both subchannels. We determine the secrecy capacity region of this channel, and discuss its extensions to arbitrary numbers of users and subchannels. Finally, we focus on a variant of this previous channel model where the transmitter can use only one of the subchannels at any time. We characterize the secrecy capacity region of this channel as well.

Copyright © 2009 E. Ekrem and S. Ulukus. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction model in its most general form is difficult, because the version of this problem without any secrecy constraints, is Information theoretic secrecy was initiated by Wyner in his the broadcast channel with an arbitrary number of receivers, seminal work [1], where he introduced the wiretap channel whose capacity region is open. Consequently, to have and established the capacity-equivocation region of the progress in understanding the limits of secure broadcasting, degraded wiretap channel. Later, his result was generalized we resort to studying several special classes of channels, to arbitrary, not necessarily degraded, wiretap channels by with increasing generality. The approach of studying special Csiszar and Korner [2]. Recently, many multiuser channel channel structures was also followed in the existing literature models have been considered from a secrecy point of view on secure broadcasting [8, 9]. [3–22]. One basic extension of the wiretap channel to the Theworkin[9] first considers an arbitrary wiretap multiuser environment is secure broadcasting to many users channel with two legitimate receivers and one eavesdropper, in the presence of an eavesdropper. In the most general and provides an inner bound for achievable rates when each form of this problem (see Figure 1), one transmitter wants to user wishes to receive an independent message. Secondly, [9] have confidential communication with an arbitrary number focuses on the degraded wiretap channel with two receivers of users in a broadcast channel, while this communication and one eavesdropper, where there is a degradedness order is being eavesdropped by an external entity. Our goal is among the receivers, and the eavesdropper is degraded with to understand the theoretical limits of secure broadcast- respect to both users (see Figure 2 for a more general ing, that is, largest simultaneously achievable secure rates. version of the problem that we study). For this setting, the Characterizing the secrecy capacity region of this channel work in [9] finds the secrecy capacity region. This result is 2 EURASIP Journal on Wireless Communications and Networking

Y (2) We then focus on a class of parallel multireceiver p(y |x) 1 1 wiretap channels with an arbitrary number of legitimate receivers and an eavesdropper, see Figure 3,whereineach . . subchannel, for any given user, either the user’s channel is . X less noisy with respect to the eavesdropper’s channel, or vice versa. We establish the common message secrecy capacity of YK p(yK |x) this channel, which is a generalization of the corresponding capacity result in [8] to a broader class of channels. Secondly, Z p(z|x) we study the scenario where each legitimate receiver wishes to receive an independent message for another subclass of parallel multireceiver wiretap channels. For channels Figure 1: Secure broadcasting to many users in the presence of an belonging to this subclass, in each subchannel, there is eavesdropper. a less noisiness order which is not necessarily the same for all subchannels. Consequently, this ordered class of channels is a subset of the class for which we establish the concurrently and independently obtained in this work as a common message secrecy capacity. We find the sum secrecy special case, see Corollary 2, which is also published in a capacity for this class, which is again a generalization of the conference version in [23]. corresponding result in [8] to a broader class of channels. Another relevant work on secure broadcasting is [8] (3) We also investigate a class of parallel multireceiver which considers secure broadcasting to K users using M wiretap channels with two subchannels, two users, and one subchannels (see Figure 3) for two different scenarios. In eavesdropper, see Figure 4. For the channels in this class, the first scenario, the transmitter wants to convey only there is a specific degradation order in each subchannel such a common confidential message to all users, and in the that in the first (resp., second) subchannel the second (resp., second scenario, the transmitter wants to send independent first) user is degraded with respect to the first (resp., second) messages to all users. For both scenarios, the work in [8]con- user, while the eavesdropper is degraded with respect to both siders a subclass of parallel multireceiver wiretap channels, users in both subchannels. This is the model of [8]forK = 2 where in any given subchannel, there is a degradation order users and M = 2 subchannels. This model is more restrictive such that each receiver’s observation (except the best one) compared to the one mentioned in the previous item. Our is a degraded version of some other receiver’s observation, motivationtostudythismorespecialclassistoprovidea and this degradation order is not necessarily the same for stronger and more comprehensive result. In particular, for all subchannels. For the first scenario, the work in [8] finds this class, we determine the entire secrecy capacity region the common message secrecy capacity for this subclass. For when each user receives both an independent message and the second scenario, where each user wishes to receive an a common message. In contrast, the work in [8] gives the independent message, [8] finds the sum secrecy capacity for common message secrecy capacity (when only a common this subclass of channels. message is transmitted) and sum secrecy capacity (when In this paper, our approach will be two-fold: first, we will only independent messages are transmitted) of this class. We identify more general channel models than considered in [8, discuss the generalization of this result to arbitrary numbers 9] and generalize the results in [8, 9] to those channel models, of users and subchannels. and secondly, we will consider somewhat more specialized (4) We finally consider a variant of the previous channel channelmodelsthanin[8] and provide more comprehensive model. In this model, we again have a parallel multireceiver results. More precisely, our contributions in this paper are as wiretap channel with two subchannels, two users, and one follows. eavesdropper, and the degradation order in each subchannel (1) We consider the degraded multireceiver wiretap is exactly the same as in the previous item. However, in channel with an arbitrary number of users and one eaves- this case, the input and output alphabets of one subchannel dropper, where users are arranged according to a degrad- are nonintersecting with the input and output alphabets of edness order, and each user has a less noisy channel with the other subchannel. Moreover, we can use only one of respect to the eavesdropper, see Figure 2. We find the secrecy these subchannels at any time. We determine the secrecy capacity region when each user receives both an indepen- capacity region of this channel when the transmitter sends dent message and a common confidential message. Since both an independent message to each receiver and a common degradedness implies less noisiness [2], this channel model message to both receivers. contains the subclass of channel models where in addition It is clear that all of the channel models we consider to the degradedness order users exhibit, the eavesdropper is exhibit some kind of an ordered structure, where this degraded with respect to all users. Consequently, our result ordered structure is in the form of degradedness in some can be specialized to the degraded multireceiver wiretap channel models, and it is in the form of less noisiness channel with an arbitrary number of users and a degraded in others. This common ordered structure in all channel eavesdropper, see Corollary 2 and also [23]. The two-user models we considered implies that our achievability schemes version of the degraded multireceiver wiretap channel was and converse proofs use some common techniques. In studied and the capacity region was found independently and particular, for achievability, we use stochastic encoding [2] concurrently in [9]. in conjunction with superposition coding [24]; and for the EURASIP Journal on Wireless Communications and Networking 3

YK Y2 Y1 p(yK |x) ... p(y1|y2) X

Z p(z|x)

Figure 2: The degraded multireceiver wiretap channel with a more noisy eavesdropper.

Y Y M 11 p y |x 1 p(y11|x1) ( 1M M )

. . . . X1 ... XM

Y YKM K1 p y |x p(yK1|x1) ( KM M )

Z ZM 1 p z |x p(z1|x1) ( M M )

1st sub-channel Mth sub-channel Figure 3: The parallel multireceiver wiretap channel. converse proofs, we use outer bounding techniques in [1, 2], because the Markov chain in (3) implies the less noisiness more specifically, the Csiszar-Korner identity, [2, Lemma 7]. condition in (2). nR nR nR A(2 0 ,2 1 , ...,2 K , n) code for this channel consists nR of K + 1 message sets, Wk ={1, ...,2 k }, k = 0, 1, ..., K, 2. Degraded Multireceiver Wiretap Channels n an encoder f : W0 × ··· × WK → X , K decoders, n We first consider the generalization of Wyner’s degraded oneateachlegitimatereceiver,gk : Yk → W0 × wiretap channel to the case with many legitimate receivers. Wk, k = 1, ..., K. The probability of error is defined n n In particular, the channel consists of a transmitter with an as Pe = maxk=1,...,K Pr[gk(Yk ) =/ (W0, Wk)].Aratetuple input alphabet x ∈ X, K legitimate receivers with output (R0, R1, ..., RK ) is said to be achievable if there exists a code n alphabets yk ∈ Yk, k = 1, ..., K, and an eavesdropper with with limn →∞Pe = 0and output alphabet z ∈ Z. The transmitter sends a confidential 1 n message to each user, say wk ∈ Wk to the kth user, in lim H(S(W) | Z ) ≥ Rk, ∀S(W),(4) n →∞n addition to a common message, w0 ∈ W0,whichistobe k∈S(W) delivered to all users. All messages are to be kept secret from S W {W W ... W } the eavesdropper. The channel is assumed to be memoryless where ( ) denotes any subset of 0, 1, , K . Hence, we consider only perfect secrecy rates. The secrecy with a transition probability p(y1, y2, ..., yK , z | x). In this section, we consider a special class of these chan- capacity region is defined as the closure of all achievable rate nels, see Figure 2, where users exhibit a certain degradation tuples. order, that is, their channel outputs satisfy the following The secrecy capacity region of the degraded multireceiver Markov chain: wiretap channel with a more noisy eavesdropper is given by the following theorem whose proof is provided in X −→ Y −→ · · · −→ Y K 1 (1) Appendix A. and each user has a less noisy channel with respect to the Theorem 1. The secrecy capacity region of the degraded eavesdropper, that is, we have multireceiver wiretap channel with a more noisy eavesdropper I(U; Yk) >I(U; Z) (2) is given by the union of the rate tuples (R0, R1, ..., RK ) satisfying for every U such that U → X → (Yk, Z). In fact, since a degradation order exists among the users, it is sufficient to say that user 1 has a less noisy channel with respect to the R0 + Rk ≤ I(Uk; Yk | Uk−1) − I(U; Z), = 1, ..., K, eavesdropper to guarantee that all users do. Hereafter, we call k=1 k=1 this channel the degraded multireceiver wiretap channel with (5) a more noisy eavesdropper. We note that this channel model U = φ U = X contains the degraded multireceiver wiretap channel which where 0 , K , and the union is over all probability is defined through the Markov chain: distributions of the form

X −→ YK −→ · · · −→ Y1 −→ Z (3) p(u1)p(u2| u1) ···p(uK−1| uK−2)p(x | uK−1). (6) 4 EURASIP Journal on Wireless Communications and Networking

Y Z X1 11 Y21 1 p(y11|x1) p(y21|y11) p(z1|y21)

X Y Y Z 2 p y |x 22 p y |y 12 2 ( 22 2) ( 22 12) p(z2|y12)

Figure 4: The parallel degraded multireceiver wiretap channel.

Remark 1. Theorem 1 implies that a modified version of general channel models. Toward that goal, in the following superposition coding can achieve the boundary of the section, we consider channel models where the users are capacity region. The difference between the superposition not ordered in a degradedness or noisiness order. However, coding scheme used to achieve (5) and the standard one the concepts of degradedness and noisiness are essential in [24], which is used to achieve the capacity region of in proving capacity results. In the following section, we the degraded broadcast channel, is that the former uses will consider multireceiver broadcast channels which are stochastic encoding in each layer of the code to associate each composed of independent subchannels. We will assume message with many codewords. This controlled amount of some noisiness properties in these subchannels in order redundancy prevents the eavesdropper from being able to to derive certain capacity results. However, even though decode the message. the subchannels will have certain noisiness properties, the As stated earlier, the degraded multireceiver wiretap overall broadcast channel will not have any degradedness or channel with a more noisy eavesdropper contains the noisiness properties. degraded multireceiver wiretap channel which requires the eavesdropper to be degraded with respect to all users as stated 3. Parallel Multireceiver Wiretap Channels in (3). Thus, we can specialize our result in Theorem 1 to the degraded multireceiver wiretap channel as given in the Here, we investigate the parallel multireceiver wiretap chan- following corollary. nel where the transmitter communicates with K legitimate receivers using M independent subchannels in the presence Corollary 2. The secrecy capacity region of the degraded of an eavesdropper, see Figure 3. The channel transition multireceiver wiretap channel is given by the union of the rate probability of a parallel multireceiver wiretap channel is R R ... R tuples ( 0, 1, , K ) satisfying p y ... y z M |{x }M 1m, , Km, m m= m m=1 1 R R ≤ I U Y | U Z = ... K 0 + k ( k; k k−1, ), 1, , ,(7) M (11) k= k= 1 1 = p y1m, ..., yKm, zm | xm , m=1 where U = φ, UK = X, and the union is over all probability 0 x ∈ X m distributions of the form where m m is the input in the th subchannel where Xm is the corresponding channel input alphabet, ykm ∈ Ykm zm ∈ Zm k p(u1)p(u2 | u1) ···p(uK−1 | uK−2)p(x | uK−1). (8) (resp., ) is the output in the th user’s (resp., eavesdropper’s) mth subchannel where Ykm (resp., Zm)is The proof of this corollary can be carried out from the kth user’s (resp., eavesdropper’s) mth subchannel output Theorem 1 by noting the following identity: alphabet. We note that the parallel multireceiver wiretap channel can be regarded as an extension of the parallel wiretap I U Z = I U Z | U ( ; ) ( k; k−1),(9)channel [21, 22] to the case of multiple legitimate users. k=1 Though the work in [21, 22] establishes the secrecy capacity and the following Markov chains: of the parallel wiretap channel for the most general case, for the parallel multireceiver wiretap channel, obtaining the secrecy capacity region for the most general case seems to Uk−1 −→ Uk −→ Yk −→ Z, k = 1, ..., K. (10) be intractable for now. Thus, in this section, we investigate We acknowledge an independent and concurrent work special classes of parallel multireceiver wiretap channels. regarding the degraded multireceiver wiretap channel. The These channel models contain the class of channel models work in [9] considers the two-user case and establishes the studied in [8]asaspecialcase.Similarto[8], our emphasis secrecy capacity region as well. will be on the common message secrecy capacity and the sum So far we have determined the entire secrecy capacity secrecy capacity. region of the degraded multireceiver wiretap channel with a more noisy eavesdropper. This class of channels requires 3.1. The Common Message Secrecy Capacity. We first consider a certain degradation order among the legitimate receivers the simplest possible scenario where the transmitter sends which may be viewed as being too restrictive from a practical a common confidential message to all users. Despite its point of view. Our goal is to consider progressively more simplicity, the secrecy capacity of a common confidential EURASIP Journal on Wireless Communications and Networking 5 message (hereafter will be called the common message R, is said to be achievable if there exists a code such that n secrecy capacity) in a general broadcast channel is unknown. limn →∞Pe = 0, and The common message secrecy capacity for a special class of parallel multireceiver wiretap channels was studied in [8]. 1 H W | Zn ... Zn ≥ R. lim 0 1 , , M (17) In this class of parallel multireceiver wiretap channels [8], n →∞n each subchannel exhibits a certain degradation order which The common message secrecy capacity is the supremum of is not necessarily the same for all subchannels, that is, the all achievable secrecy rates. following Markov chain is satisfied: The common message secrecy capacity of the parallel X −→ Y −→ Y −→···−→Y multireceiver wiretap channel with a more noisy eavesdrop- l πl(1) πl(2) πl(K+1) (12) per is stated in the following theorem whose proof is given in l Y Y ... Y Appendix B. in the th subchannel, where ( πl(1), πl(2), , πl(K+1))isa permutation of (Y1l, ..., YKl, Zl). Hereafter, we call this chan- Theorem 3. The common message secrecy capacity, C0,of nel the parallel degraded multireceiver wiretap channel.( In the parallel multireceiver wiretap channel with a more noisy [8], these channels are called reversely degraded parallel eavesdropper is given by channels. Here, we call them parallel degraded multireceiver wiretap channels to be consistent with the terminology M + used in the rest of the paper.) Although [8] established the C0 = max min [I(Xl; Ykl) − I(Xl; Zl)] , (18) k=1,...,K common message secrecy capacity for this class of channels, l=1 in fact, their result is valid for the broader class in which we where the maximization is over all distributions of the form have either p x ... x = M p x ( 1, , M) l=1 ( l). Xl −→ Ykl −→ Zl (13) Remark 2. Theorem 3 implies that we should not use the or subchannels in which there is no user that has a less noisy channel than the eavesdropper. Moreover, Theorem 3 shows that the use of independent inputs in each subchannel is Xl −→ Zl −→ Ykl (14) sufficient to achieve the capacity, that is, inducing correlation between channel inputs of subchannels cannot provide any valid for every Xl and for any (k, l)pairwherek ∈ {1, ..., K}, l ∈{1, ..., M}. Thus, it is sufficient to have a improvement. This is similar to the results of [25, 26] in the degradedness order between each user and the eavesdropper sense that the work in [25, 26] established the optimality of in any subchannel instead of the long Markov chain between the use of independent inputs in each subchannel for the all users and the eavesdropper as in (12). product of two degraded broadcast channels. Here, we focus on a broader class of channels where in As stated earlier, the parallel multireceiver wiretap each subchannel, for any given user, either the user’s channel channel with a more noisy eavesdropper encompasses the is less noisy than the eavesdropper’s channel or vice versa. parallel degraded multireceiver wiretap channel studied in More formally, we have either [8]. Hence, we can specialize Theorem 3 to recover the common message secrecy capacity of the parallel degraded multireceiver wiretap channel established in [8]. This is I(U; Ykl) >I(U; Zl) (15) stated in the following corollary whose proof can be carried X → or out from Theorem 3 by noting the Markov chain l Ykl → Zl,forall(k, l). I(U; Ykl) I U Y > ···>I U Y ; πl(1) ; πl(2) ; πl(K+1) , (20) tireceiver wiretap channels with a less noisiness order in Y Y ... Y Y each subchannel contains the class of parallel degraded where ( πl(1), πl(2), , πl(K+1))isapermutationof( 1l, ... Y Z multireceiver wiretap channels studied in [8], Theorem 5 can , Kl, l). We call this channel the parallel multireceiver be specialized to give the sum secrecy capacity of the latter wiretap channel with a less noisiness order in each subchannel. class of channels as well. This result was originally obtained We note that this class of channels is a subset of the parallel in [8]. This is stated in the following corollary. Since the multireceiver wiretap channel with a more noisy eavesdrop- proof of this corollary is similar to the proof of Corollary 4, per studied in Section 3.1, because of the additional ordering we omit its proof. imposed between users’ subchannels. We also note that the class of parallel degraded multireceiver wiretap channels with Corollary 6. The sum secrecy capacity of the parallel degraded a degradedness order in each subchannel studied in [8]isnot multireceiver wiretap channel is given by only a subset of parallel multireceiver wiretap channels with a more noisy eavesdropper studied in Section 3.1 but also a M subset of parallel multireceiver wiretap channels with a less max I Xl; Yρ(l)l | Zl , (24) noisiness order in each subchannel studied in this section. l=1 nR nR A(2 1 , ...,2 K , n) code for this channel consists of K nRk where the maximization is over all input distributions of the message sets, Wk ={1, ...,2 }, k = 1, ..., K,anencoder, M n n p x ... x = p x ρ l f W × ··· × W → X × ··· × X K form ( 1, , M) l=1 ( l) and ( ) denotes the index of : 1 K 1 M, decoders, g Yn × ··· × Yn → the strongest user in the lth subchannel in the sense that oneateachlegitimatereceiver k : k1 kM W k = ... K Pn = k, 1, , . The probability of error is defined as e X −→ Y −→ Y l ρ(l)l kl (25) maxk=1,...,K Pr[Wk =/ Wk], where Wk is the kth user’s decoder output. The secrecy is measured through the equivocation for all input distributions on Xl and any k ∈{1, ..., K}. /n H W ... W | Zn ... Zn rate which is defined as (1 ) ( 1, , K 1 , , M). A sum secrecy rate, Rs, is said to be achievable if there exists a So far, we have considered special classes of parallel Pn = code such that limn →∞ e 0, and multireceiver wiretap channels for specific scenarios and obtained results similar to [8], only for broader classes of 1 n n lim H W , ..., WK | Z , ..., ZM ≥ Rs. (21) channels. In particular, in Section 3.1, we focused on the n →∞n 1 1 transmission of a common message, whereas in Section 3.2, The sum secrecy capacity is defined to be the supremum of we focused on the sum secrecy capacity when only indepen- all achievable sum secrecy rates. dent messages are transmitted to all users. In the subsequent The sum secrecy capacity for the class of parallel sections, we will specialize our channel model, but we multireceiver wiretap channels with a less noisiness order will develop stronger and more comprehensive results. In in each subchannel studied in this section is stated in the particular, we will let the transmitter send both common and following theorem whose proof is given in Appendix C. independent messages, and we will characterize the entire secrecy capacity region. Theorem 5. Thesumsecrecycapacityoftheparallelmulti- receiver wiretap channel with a less noisiness order in each 4. Parallel Degraded Multireceiver subchannel is given by Wiretap Channels M + max I Xl; Yρ(l)l − I(Xl; Zl) , (22) We consider a special class of parallel degraded multireceiver l=1 wiretap channels with two subchannels, two users, and one eavesdropper. We consider the most general scenario where where the maximization is over all input distributions of the each user receives both an independent message and a p x ... x = M p x ρ l form ( 1, , M) l=1 ( l) and ( ) denotes the index of common message. All messages are to be kept secret from the strongest user in the lth subchannel in the sense that the eavesdropper. For the special class of parallel degraded multireceiver I(U; Ykl) ≤ I U; Yρ(l)l (23) wiretap channels in consideration, there is a specific degradation order in each subchannel. In particular, we have the U → X → Y ... Y Z k ∈{ ... K} for all l ( 1l, , Kl, l) and any 1, , . following Markov chain:

Remark 3. Theorem 5 implies that the sum secrecy capacity X1 −→ Y11 −→ Y21 −→ Z1 (26) is achieved by sending information only to the strongest user in each subchannel. As in Theorem 3, here also, the in the first subchannel, and the following Markov chain: use of independent inputs for each subchannel is capacity- achieving, which is again reminiscent of the result in [25, 26] X2 −→ Y22 −→ Y12 −→ Z2 (27) EURASIP Journal on Wireless Communications and Networking 7 in the second subchannel. Consequently, although in each Remark 5. The capacity-achieving scheme uses either super- subchannel, one user is degraded with respect to the other position coding in both subchannels or superposition coding one, this does not hold for the overall channel, and the overall in one of the subchannels, and a dedicated transmission in channel is not degraded for any user. The corresponding the other one. We again note that this superposition coding channel transition probability is is different from the standard one [24] in the sense that it associates each message with many codewords by using p y11 | x1 p y21 | y11 stochastic encoding at each layer of the code due to secrecy (28) concerns. × p z | y p y | x p y | y p z | y . 1 21 22 2 12 22 2 12 Remark 6. If we set Z1 = Z2 = φ, we recover the capacity If we ignore the eavesdropper by setting Z1 = Z2 = φ, this region of the underlying broadcast channel [26]. channel model reduces to the broadcast channel that was studied in [25, 26]. Remark 7. If we disable one of the subchannels, say the first nR nR nR Y = Y = Z = φ A(2 0 ,2 1 ,2 2 , n) code for this channel consists of one, by setting 11 21 1 , the parallel degraded nR nRj multireceiver wiretap channel of this section reduces to the three message sets, W0 ={1, ...,2 0 }, Wj ={1, ...,2 }, j = f W × W × W → Xn × Xn degraded multireceiver wiretap channel of Section 2.The 1, 2, one encoder : 0 1 2 1 2, g Yn × corresponding secrecy capacity region is then given by the two decoders one at each legitimate receiver j : j1 Yn → W × W j = union of the rate tuples (R0, R1, R2) satisfying j2 0 j , 1, 2. The probability of error is defined Pn = g Y n Y n =/ W W as e max j=1,2 Pr[ j ( j1, j2) ( 0, j)]. A rate tuple R + R ≤ I(U ; Y | Z ) R R R 0 1 2 12 2 ( 0, 1, 2) is said to be achievable if there exists a code such (31) n that limn →∞Pe = 0and R0 + R1 + R2 ≤ I(X2; Y22 | U2, Z2) + I(U2; Y12 | Z2), p u x 1 n n where the union is over all ( 2, 2). This region can lim H S(W) | Z , Z ≥ Rk, ∀S(W), (29) n →∞n 1 2 be obtained through either Corollary 2 or Theorem 7 (by k∈S(W) setting Y11 = Y21 = Z1 = φ and eliminating redundant bounds) implying the consistency of the results. where S(W) denotes any subset of {W0, W1, W2}.The secrecy capacity region is the closure of all achievable secrecy Next, we consider the scenario where the transmitter rate tuples. does not send a common message, and find the secrecy The secrecy capacity region of this parallel degraded mul- capacity region. tireceiver wiretap channel is characterized by the following theorem whose proof is given in Appendix D.1. Corollary 8. The secrecy capacity region of the parallel degraded multireceiver wiretap channel defined by (28) with no Theorem 7. The secrecy capacity region of the parallel deg- common message is given by the union of the rate pairs (R1, R2) raded multireceiver wiretap channel defined by (28) is the satisfying union of the rate tuples (R0, R1, R2) satisfying R1 ≤ I(X1; Y11 | Z1) + I(U2; Y12 | Z2), R0 ≤ I(U1; Y11 | Z1) + I(U2; Y12 | Z2), R2 ≤ I(X2; Y22 | Z2) + I(U1; Y21 | Z1), R0 ≤ I(U1; Y21 | Z1) + I(U2; Y22 | Z2), R1 + R2 ≤ I(X1; Y11 | Z1) + I(U2; Y12 | Z2) R0 + R1 ≤ I(X1; Y11 | Z1) + I(U2; Y12 | Z2), (32) + I(X2; Y22 | U2, Z2), R + R ≤ I(X ; Y | Z ) + I(U ; Y | Z ), 0 2 2 22 2 1 21 1 R R ≤ I X Y | Z I U Y | Z (30) 1 + 2 ( 2; 22 2) + ( 1; 21 1) R0 + R1 + R2 ≤ I(X1; Y11 | Z1) + I(U2; Y12 | Z2) + I(X1; Y11 | U1, Z1), + I(X ; Y | U , Z ), 2 22 2 2 where the union is over all distributions of the form p u p u p x | u p x | u R0 + R1 + R2 ≤ I(X2; Y22 | Z2) + I(U1; Y21 | Z1) ( 1) ( 2) ( 1 1) ( 2 2).

+ I(X1; Y11 | U1, Z1), Proof. Since the common message rate can be exchanged with any user’s independent message rate, we set R0 = α + p u β R = R α R = R β α β ≥ where the union is over all distributions of the form ( 1, , 1 1 + , 2 2 + ,where , 0. Plugging u2, x1, x2) = p(u1, x1)p(u2, x2). these expressions into the rates in Theorem 7 and using Fourier-Moztkin elimination, we get the region given in the Remark 4. If we let the encoder use an arbitrary joint corollary. distribution p(u1, x1, u2, x2) instead of the ones that satisfy p(u1, x1, u2, x2) = p(u1, x1)p(u2, x2), this would not enlarge Remark 8. If we disable the eavesdropper by setting Z11 = the region given in Theorem 7, because all rate expressions Z22 = φ, we recover the capacity region of the underlying in Theorem 7 depend on either p(u1, x1)orp(u2, x2)butnot broadcast channel without a common message, which was on the joint distribution p(u1, u2, x1, x2). found originally in [25]. 8 EURASIP Journal on Wireless Communications and Networking

At this point, one may ask whether the results of this Our intuition comes from the fact that, as of now, the section can be extended to arbitrary numbers of users capacity region of the corresponding broadcast channel and parallel subchannels. Once we have Theorem 7, the without secrecy constraints is unknown [27]. However, if extension of the results to an arbitrary number of parallel we consider the scenario where each user receives only an subchannels is rather straightforward. Let us consider the independent message, that is, there is no common message, parallel degraded multireceiver wiretap channel with M then the secrecy capacity region may be found, because subchannels, and in each subchannel, we have either the the capacity region of the corresponding broadcast channel following Markov chain: without secrecy constraints can be established [27], although there is no explicit expression for it in literature. We expect X −→ Y −→ Y −→ Z l 1l 2l l, (33) this particular generalization to be rather straightforward, and do not pursue it here. or this Markov chain:

X −→ Y −→ Y −→ Z l 2l 1l l (34) 5. Sum of Degraded Multireceiver Wiretap Channels for any l ∈{1, ..., M}. We define the set of indices S1 S l ∈ S l ∈ S (resp., 2) as those where for every 1 (resp., 2), We now consider a different multireceiver wiretap channel the Markov chain in (33) (resp., in (34)) is satisfied. Then, which can be viewed as a sum of two degraded multireceiver using Theorem 7, we obtain the secrecy capacity region of wiretap channels with two users and one eavesdropper. In M the channel with two users and subchannels as given in this channel model, the transmitter has two nonintersecting the following theorem which is proved in Appendix D.2. input alphabets, that is, X1, X2 with X1 ∩X2 =∅,andeach receiver has two nonintersecting alphabets, that is, Yj , Yj Theorem 9. The secrecy capacity region of the parallel 1 2 with Yj ∩ Yj =∅for the jth user, j = 1, 2, and Z , Z degraded multireceiver wiretap channel with M subchannels, 1 2 1 2 with Z1 ∩Z2 =∅for the eavesdropper. The channel is again where each subchannel satisfies either (33) or (34),isgivenby memoryless with transition probability theunionoftheratetuples(R0, R1, R2) satisfying M p y1, y2, z | x R ≤ I U Y | Z 0 ( l; 1l l), ⎧ l= ⎪p y | x p y | y p z | y 1 ⎪ 11 1 21 11 1 21 ⎪ M ⎪ ⎪ x y y z ∈ X × Y × Y × Z ⎪ if , 1, 2, 1 11 21 1, R0 ≤ I(Ul; Y2l | Zl), ⎨ l= = p y | x p y | y p z | y 1 ⎪ 22 2 12 22 2 12 ⎪ ⎪ R R ≤ I X Y | Z I U Y | Z ⎪ x y y z ∈ X × Y × Y × Z 0 + 1 ( l; 1l l) + ( l; 1l l), ⎪ if , 1, 2, 2 12 22 2, ⎪ l∈S1 l∈S2 ⎩ 0 otherwise, R0 + R2 ≤ I(Xl; Y2l | Zl) + I(Ul; Y2l | Zl), (36) l∈S l∈S 2 1 (35) x ∈ X = X ∪ X y ∈ Y = Y ∪ Y j = R R R ≤ I X Y | Z I U Y | Z where 1 2, j j j1 j2, 0 + 1 + 2 ( l; 1l l) + ( l; 1l l) z ∈ Z = Z ∪ Z l∈S l∈S 1, 2 and 1 2. Thus, if the transmitter 1 2 X chooses to use its first alphabet, that is, 1, the second + I(Xl; Y2l | Ul, Zl), user (resp. eavesdropper) receives a degraded version of user l∈S2 1’s (resp., user 2’s) observation. However, if the transmitter uses its second alphabet, that is, X2, the first user (resp. R0 + R1 + R2 ≤ I(Xl; Y2l | Zl) + I(Ul; Y2l | Zl) eavesdropper) receives a degraded version of user 2’s (resp. l∈S l∈S 2 1 user 1’s) observation. Consequently, the overall channel is not degraded from any user’s perspective, however, it is I X Y | U Z + ( l; 1l l, l), degraded from eavesdropper’s perspective. l∈S nR nR nR 1 A(2 0 ,2 1 ,2 2 , n) code for this channel consists of nR nR W ={ ... 0 } W ={ ... j } where the union is over all distributions of the form three message sets, 0 1, ,2 , j 1, ,2 , j = f W × W × W → Xn M p u x 1, 2, one encoder : 0 1 2 and l=1 ( l, l). n two decoders, one at each legitimate receiver, gj : Yj → W × W j = Pn = We are now left with the question whether these results 0 j , 1, 2. The probability of error is defined as e g Y n = W W R R R can be generalized to an arbitrary number of users. If we max j=1,2Pr[ j ( j ) / ( 0, j )]. A rate tuple ( 0, 1, 2)is Pn = consider the parallel degraded multireceiver wiretap channel said to be achievable if there exists a code with limn →∞ e 0 with more than two subchannels and an arbitrary number and of users, the secrecy capacity region for the scenario where 1 n each user receives a common message in addition to an lim H(S(W) | Z ) ≥ Rj , ∀S(W), (37) n →∞n independent message does not seem to be characterizable. j∈S(W) EURASIP Journal on Wireless Communications and Networking 9

where S(W) denotes any subset of {W0, W1, W2}.The general form seems to be intractable for now, since the secrecy capacity region is the closure of all achievable secrecy version of this problem without any secrecy constraints is rate tuples. the broadcast channel with an arbitrary number of receivers, The secrecy capacity region of this channel is given in the whose capacity region is open. Consequently, we took the following theorem which is proved in Appendix E. approach of considering special classes of channels. In particular, we considered degraded multireceiver wiretap Theorem 10. The secrecy capacity region of the sum of two channels, parallel multireceiver wiretap channels with a more degraded multireceiver wiretap channels is given by the union noisy eavesdropper, parallel multireceiver wiretap channels of the rate tuples (R0, R1, R2) satisfying with less noisiness orderings in each subchannel, and parallel degraded multireceiver wiretap channels. For each channel R ≤ αI(U ; Y | Z ) + αI(U ; Y | Z ), 0 1 11 1 2 12 2 model, we obtained either partial characterization of the

R0 ≤ αI(U1; Y21 | Z1) + αI(U2; Y22 | Z2), secrecy capacity region or the entire region. R R ≤ αI X Y | Z αI U Y | Z 0 + 1 ( 1; 11 1) + ( 2; 12 2), Appendices R0 + R2 ≤ αI(U1; Y21 | Z1) + αI(X2; Y22 | Z2), (38) A. Proof of Theorem 1 R0 + R1 + R2 ≤ αI(X1; Y11 | Z1) + αI(U2; Y12 | Z2) First, we show achievability, then provide the converse. + αI(X2; Y22 | U2, Z2), A.1. Achievability. Fix the probability distribution as R0 + R1 + R2 ≤ αI(U1; Y21 | Z1) + αI(X1; Y11 | U1, Z1) p u p u | u ···p u | u p x | u . + αI(X2; Y22 | Z2), ( 1) ( 2 1) ( K−1 K−2) ( K−1) (A.1) where the union is over all α ∈ [0, 1] and distributions of the Codebook Generation. form p(u1, u2, x1, x2) = p(u1, x1)p(u2, x2). n R R R ( 0+ 1+ 1) n (i) Generate 2 length- sequences u1 through Remark 9. This channel model is similar to the parallel p = n p u w w (u1) i=1 ( 1,i) and index them as u1( 0, 1, degraded multireceiver wiretap channel of the previous nR nR w1)wherew0 ∈{1, ...,2 0 }, w1 ∈{1, ...,2 1 } and section in the sense that it can be viewed to consist of two par- nR w ∈{ ... 1 } allel subchannels, however, now the transmitter cannot use 1 1, ,2 . both subchannels simultaneously. Instead, it should invoke a (ii) For each uj−1,wherej = 2, ..., K − 1, generate time-sharing approach between these two so-called parallel n(Rj +Rj ) n p | = 2 length- sequences uj through (uj uj−1) subchannels (α reflects this concern). Moreover, superpo- n p u | u w w i=1 ( j,i j−1,i) and index them as uj ( 0, 1, nRj sition coding scheme again achieves the boundary of the ..., wj , w1, ..., w j ), where wj ∈{1, ...,2 } and secrecy capacity region, however, it differs from the standard nR w j ∈{1, ...,2 j }. one [24] in the sense that it needs to be modified to incor- n(RK +RK ) n porate secrecy constraints, that is, it needs to use stochastic (iii) Finally, for each uK−1, generate 2 length- p | = n p x | encoding to associate each message with multiple codewords. sequences x through (x uK−1) i=1 ( i uK,i) and index them as x(w0, w1, ..., wK , w1, ..., wK ) Remark 10. An interesting point about the secrecy capacity nRK nRK where wK ∈{1, ...,2 } and wK ∈{1, ...,2 }. region is that if we drop the secrecy constraints by setting Z1 = Z2 = φ, we are unable to recover the capacity region (iv) Furthermore, we set of the corresponding broadcast channel that was found in Ri = I Ui Z | Ui− i = ... K [26]. After setting Z1 = Z2 = φ, we note that each expression ( ; 1), 1, , ,(A.2) in Theorem 10 and its counterpart describing the capacity U = φ U = X region [26]differ by exactly h(α). The reason for this is as where 0 and K . follows. Here, α not only denotes the time-sharing variable but also carries an additional information, that is, the change Encoding. Assume the messages to be transmitted are (w0, of the channel that is in use is part of the information w1, ..., wK ). Then, the encoder randomly picks a set (w1, transmission. However, since the eavesdropper can also ..., wK ) and sends x(w0, w1, ..., wK , w1, ..., wK ). decode these messages, the term h(α), which is the amount of information that can be transmitted via changes of the Decoding. It is straightforward to see that if the following channel in use, disappears in the secrecy capacity region. conditions are satisfied:

R R R ≤ I U Y 6. Conclusions 0 + 1 + 1 ( 1; 1), In this paper, we studied secure broadcasting to many Rj + Rj ≤ I Uj ; Yj | Uj−1 , j = 2, ..., K − 1, (A.3) users in the presence of an eavesdropper. Characterizing the secrecy capacity region of this channel in its most RK + RK ≤ I(X; YK | UK−1), 10 EURASIP Journal on Wireless Communications and Networking then all users can decode both the common message and the Proof. The proof of this lemma is as follows. independent message directed to itself with vanishingly small error probability. Moreover, since the channel is degraded, 1 H S W | Zn each user, say the jth one, can decode all of the independent n ( ( ) ) messages intended for the users whose channels are degraded with respect to the jth user’s channel. Thus, these degraded = 1 H S W Sc W | Zn − 1 H Sc W | S W Zn n ( ( ), ( ) ) n ( ( ) ( ), ) users’ rates can be exploited to increase the jth user’s rate (A.10) which leads to the following achievable region: K ≥ R − − 1 H Sc W | S W Zn j n n ( ( ) ( ), ) (A.11) j=0 R0 + Rj + Rj ≤ I Uj ; Yj | Uj−1 , = 1, ..., K, j=1 j=1 j=1 = R − R − 1 H Sc W | S W Zn (A.4) j n + j n ( ( ) ( ), ) j∈S(W) j∈Sc(W) (A.12) where U0 = φ and UK = X. Moreover, after eliminating K 1 c 1 c n {Rj }j= ,(A.4) can be expressed as = R − H S W − H S W | S W Z 1 j n + n ( ( )) n ( ( ) ( ), ) j∈S(W) (A.13) R + Rj ≤ I Uj ; Yj | Uj− − I(U; Z), = 1, ..., K, 0 1 ≥ R − j=1 j=1 j n, (A.14) (A.5) j∈S(W)

where (A.11) is due to the fact that we assumed that sum rate where we used the fact that secrecy constraint (A.8) is satisﬁed and (A.13)followsfrom

1 c R = I U Z | U = I U ... U Z = I U Z Rj = H(S (W)) j j ; j−1 ( 1, , ; ) ( ; ), n , (A.15) j∈Sc W j=1 j=1 ( ) (A.6) which is a consequence of the fact that message sets are uniformly and independently distributed. where the second and the third equalities are due to the following Markov chain: Hence, it is suﬃcient to check whether coding scheme U1 −→···−→UK−1 −→ X −→ Z. (A.7) presented satisﬁes the sum rate secrecy constraint.

H W W ... W | Zn Equivocation Calculation. We now calculate the equivocation ( 0, 1, , K ) (A.16) of the code described above. To that end, we first introduce n n = H(W0, W1, ..., WK , Z ) − H(Z ) the following lemma which states that a code satisfying = H Un ... Un Xn W W ... W Zn − H Zn the sum rate secrecy constraint fulfills all other secrecy 1 , , K−1, , 0, 1, , K , ( ) constraints. − H Un ... Un Xn | W W ... W Zn 1 , , K−1, 0, 1, , K , Lemma 11. If the sum rate secrecy constraint is satisfied, that (A.17) is, = H Un ... Un Xn 1 , , K−1, K n n n n n H W W ... WK Z | U ... U X − H Z 1 n + 0, 1, , , 1 , , K−1, ( ) H(W0, W1, ..., WK | Z ) ≥ Rj − n,(A.8) n n n n n j= − H U ... U X | W W ... W Z 0 1 , , K−1, 0, 1, , K , (A.18) then all other secrecy constraints are satisfied as well, that is, ≥ H Un ... Un Xn − I Un ... Un Xn Zn 1 , , K−1, 1 , , K−1, ; − H Un ... Un Xn | W W ... W Zn 1 , , K−1, 0, 1, , K , , 1 H S W | Zn ≥ R − n ( ( ) ) j n,(A.9) (A.19) j∈S(W) n where each term will be treated separately. Since given Uk = n n n R R where S(W) denotes any subset of {W0, W1, ..., WK }. u U ( k+1+ k+1) k , k+1 can take 2 values uniformly, the first EURASIP Journal on Wireless Communications and Networking 11 term is To provide a converse, we will show H Un ... Un Xn 1 , , K−1, K−1 1 H W W ... W | Zn ≤ I U Y | U − I U Z = H Un H Un | Un H Xn | Un ( 0, 1, , ) ( k; k k−1) ( ; ), 1 + k k−1 + K−1 n k=1 k=2 (A.20) = 1, ..., K, K K (A.32) = nR0 + n Rk + n Rk, (A.21) k=1 k=1 where U0 = φ, UK = X. We show this in three steps. First, let where the first equality follows from the following Markov us write down chain: n n n n U −→ U −→···−→UK− −→ X . (A.22) n n 1 2 1 H(W0, W1, ..., W | Z ) = H(W0, W1 | Z ) The second term in (A.19)is (A.33) n n n n n + H(Wk | W0, W1, ..., Wk−1, Z ). I U , ..., UK− , X ; Z 1 1 k= (A.23) 2 = I Xn Zn I Un Un ... Un Zn | Xn ( ; ) + 1 , 2 , , K−1; = I(Xn; Zn) (A.24) The first term on the right-hand side of (A.33)isboundedas follows: ≤ nI(X; Z) + γn, (A.25)

n where (A.24) follows from the Markov chain in (A.22)and H(W0, W1 | Z ) (A.25) can be shown by following the approach devised in (A.34) ≤ I W W Y n − I W W Zn [1]. We now bound the third term in (A.19). To that end, 0, 1; 1 ( 0, 1; ) + n Un ... assume that the eavesdropper tries to decode ( 1 , , n n n i− n UK− , X ) using the side information (W , W , ..., WK ) ≤ I W W Y | Y 1 Z 1 0 1 0, 1; 1,i 1 , i+1 W ... W R i= which is equivalent to decoding ( 1, , K ). Since j sare 1 (A.35) selected to ensure that the eavesdropper can decode them − I W W Z | Y i−1 Zn successively, see (A.2), then using Fano’s lemma, we have 0, 1; i 1 , i+1 + n n n n n n H U , ..., UK− , X | W , W , ..., WK , Z ≤ n. (A.26) 1 1 0 1 ≤ I W W Y | Y i−1 Zn 0, 1; 1,i 1 , i+1 Thus, using (A.21), (A.25), and (A.26)in(A.19), we get i=1 n − I W W Z | Y i−1 Zn (A.36) H(W0, W1, ..., WK | Z ) 0, 1; i 1 , i+1 K K (A.27) I Y i−1 Zn Y − I Y i−1 Zn Z + 1 , i+1; 1,i 1 , i+1; i + n ≥ n Rj + n Rj − nI(X; Z) − n j=0 j=1 n i−1 n = I W , W , Y , Zi ; Y i K 0 1 1 +1 1, i=1 (A.37) = n Rj − n − γn, (A.28) j=0 − I W W Y i−1 Zn Z 0, 1, 1 , i+1; i + n where (A.28) follows from the following, see (A.2)and(A.6), n ≤ I W W Y i−1 Zn Y K 0, 1, 1 , i+1; 1,i R = I X Z . i=1 j ( ; ) (A.29) j=1 i−1 n − I W , W , Y , Zi ; Zi 0 1 1 +1 (A.38) A.2. Converse. First let us deﬁne the following auxiliary i−1 i−1 n + I Y ; Y i | W , W , Y , Zi random variables: 2 1, 0 1 1 +1 i− n i−1 i−1 n U = W W ···W Y 1Z k = ... K − − I Y ; Zi | W0, W1, Y , Zi + n k,i 0 1 k k+1 i+1, 1, , 1, (A.30) 2 1 +1 n which satisfy the following Markov chain: = I W W Y i−1 Zn Y i−1 Y 0, 1, 1 , i+1, 2 ; 1,i i= U1,i −→ U2,i −→···−→UK−1,i 1 (A.39) (A.31) − I W W Y i−1 Zn Y i−1 Z −→ Xi −→ Zi, YK,i, ..., Y1,i . 0, 1, 1 , i+1, 2 ; i + n 12 EURASIP Journal on Wireless Communications and Networking

n n = I W W Zn Y i−1 Y ≤ I W Y | W Y i−1 Zn 0, 1, i+1, 2 ; 1,i k; k,i k−1, k , i+1 i=1 (A.40) i=1 n i−1 i−1 n − I W , W , Zi , Y ; Zi − I Wk; Zi | Wk− , Y , Zi 0 1 +1 2 1 k +1 (A.49) I Y i−1 Y | W W Zn Y i−1 I Y i−1 Y | W Y i−1 Zn W + 1 ; 1,i 0, 1, i+1, 2 + k+1; k,i k−1, k , i+1, k (A.41) − I Y i−1 Z | W W Zn Y i−1 − I Y i−1 Z | W Y i−1 Zn W 1 ; i 0, 1, i+1, 2 + n k+1; i k−1, k , i+1, k + n n n = I W W Zn Y i−1 Y = I W Y i−1 Y | W Y i−1 Zn 0, 1, i+1, 2 ; 1,i k, k+1; k,i k−1, k , i+1 i=1 (A.42) i=1 (A.50) − I W W Zn Y i−1 Z − I W Y i−1 Z | W Y i−1 Zn 0, 1, i+1, 2 ; i + n k, k+1; i k−1, k , i+1 + n n n = I U1,i; Y1,i − I U1,i; Zi + n, (A.43) = I Uk,i; Yk,i | Uk−1,i i=1 i=1 (A.51) − I Uk,i; Zi | Uk−1,i + n where (A.34) follows from Fano’s lemma, (A.35) is obtained using Csiszar-Korner identity (see [2, Lemma 7]), and (A.36) where (A.47) follows from Fano’s lemma, (A.48) is obtained is due to the fact that through Csiszar-Korner identity, and (A.49) is a consequence of the fact that I Y i−1 Zn Y − I Y i−1 Zn Z > 1 , i+1; 1,i 1 , i+1; i 0, (A.44) I Y i−1 Y | W Y i−1 Zn W k+1; k,i k−1, k , i+1, k (A.52) − I Y i−1 Z | W Y i−1 Zn W > which follows from the fact that each user’s channel is less k+1; i k−1, k , i+1, k 0, noisy with respect to the eavesdropper. Similarly, (A.38) follows from the fact that which follows from the fact that each user’s channel is less noisy with respect to the eavesdropper’s channel. Finally, we bound the following term where we again use the shorthand I Y i−1 Y | W W Y i−1 Zn 2 ; 1,i 0, 1, 1 , i+1 notation WK−1 = (W0, W1, ..., WK−1), (A.45) − I Y i−1 Z | W W Y i−1 Zn > 2 ; i 0, 1, 1 , i+1 0, n H WK | WK−1, Z n n which is a consequence of the fact that each user’s channel is ≤ I WK ; YK | WK−1 − I WK ; Z | WK−1 + n less noisy with respect to the eavesdropper’s channel. Finally, (A.42) is due to the following Markov chain: (A.53) n i− i− n i−1 n Y 1 −→ Y 1 −→ W W Z Y Z ≤ I WK ; YK,i | WK−1, YK , Zi 1 2 0, 1, i+1, 1,i, i , (A.46) +1 i=1 (A.54) − I W Z | W Y i−1 Zn which is a consequence of the fact that the legitimate receivers K ; i K−1, K , i+1 + n exhibit a degradation order. n i−1 n We now bound the terms of the summation in (A.33)for ≤ I WK ; YK i | WK− , YK , Zi , 1 +1 2 ≤ k ≤ K − 1. Let us use the shorthand notation, Wk−1 = i=1 (W0, W1, ..., Wk−1), then i−1 n − I WK ; Zi | WK− , YK , Zi 1 +1 (A.55) H W | W Zn I X Y | W Y i−1 Zn W k k−1, + i; K,i K−1, K , i+1, K (A.47) ≤ I W Y n | W − I W Zn | W − I X Z | W Y i−1 Zn W k; k k−1 k; k−1 + n i; i K−1, K , i+1, K + n n n ≤ I W Y | W Y i−1 Zn = I W X Y | W Y i−1 Zn k; k,i k−1, k , i+1 K , i; K,i K−1, K , i+1 i=1 (A.48) i=1 (A.56) − I W Z | W Y i−1 Zn − I W X Z | W Y i−1 Zn k; i k−1, k , i+1 + n K , i; i K−1, K , i+1 + n EURASIP Journal on Wireless Communications and Networking 13

n Y i−1 = Y ... Y i − Zn = Z i ... i−1 n where kl ( kl(1), , kl( 1)), l,i+1 ( l( +1), , = I Xi; YK,i | WK−1, YK , Zi +1 Zl(n)). Start with the definition i=1 n n i−1 n H(W0 | Z ) = H(W0) − I(W0; Z ) (B.2) + I WK ; YK i | WK− , YK , Zi , Xi , 1 +1 (A.57) ≤ I W Y n − I W Zn − I X Z | W Y i−1 Zn 0; k ( 0; ) + n (B.3) i; i K−1, K , i+1 n − I W Z | W Y i−1 Zn X = I W Y i | Y i−1 K ; i K−1, K , i+1, i + n 0; k( ) k i=1 (B.4) n i− n n = I X Y | W Y 1 Z − I W Z i | Z n i; K,i K−1, K , i+1 0; ( ) i+1 + i=1 (A.58) n n i− i− n = I W Z Y i | Y 1 − I X Z | W Y 1 Z 0, i+1; k( ) k i; i K−1, K , i+1 + n i=1 n n i−1 = I X Y | U − I Zi ; Yk(i) | Yk , W i; K,i K−1,i +1 0 (B.5) i=1 (A.59) i−1 n − I W , Y ; Z(i) | Zi − I X Z | U 0 k +1 i; i K−1,i + n, I Y i−1 Z i | Zn W where (A.53) follows from Fano’s lemma, (A.54) is obtained + k ; ( ) i+1, 0 + n by using Csiszar-Korner identity, and (A.55) follows from the n fact that n i−1 = I W0, Zi ; Yk(i) | Yk i− n +1 I X Y | W Y 1 Z W i= i; K,i K−1, K , i+1, K 1 (B.6) (A.60) i− n i− n − I W Y 1 Z i | Z − I X Z | W Y 1 Z W > 0, k ; ( ) i+1 + n i; i K−1, K , i+1, K 0, which is due to the fact that each user’s channel is less noisy n = I W Y i | Y i−1 Zn with respect to the eavesdropper and (A.58) is due to the 0; k( ) k , i+1 i= Markov chain: 1 i− n n i−1 Y Z −→ X −→ W W ... W Y 1 Z + I Zi ; Yk(i) | Y K,i, i i 0, 1, , K , K , i+1 , (A.61) +1 k (B.7) which follows from the fact that the channel is memoryless. − I W Z i | Zn Y i−1 0; ( ) i+1, k Finally, plugging (A.43), (A.51), and (A.59) into (A.33), we get − I Y i−1 Z i | Zn k ; ( ) i+1 + n n n H(W , W , ..., W | Z ) ≤ n I(Uk; Yk | Uk− ) 0 1 1 = I W Y i | Y i−1 Zn k=1 0; k( ) k , i+1 i=1 (B.8) − nI(U; Z), = 1, ..., K, − I W Z i | Zn Y i−1 (A.62) 0; ( ) i+1, k + n, U = φ U = X where 0 and K , and this concludes the converse. where (B.6)and(B.8) are due the following identities: n n B. Proof of Theorem 3 I Zn Y i | Y i−1 W = I Y i−1 Z i | Zn W i+1; k( ) k , 0 k ; ( ) i+1, 0 , i=1 i=1 Achievability of these rates follows from [8, Proposition 2]. n n We provide the converse. First let us define the following I Zn Y i | Y i−1 = I Y i−1 Z i | Zn random variables: i+1; k( ) k k ; ( ) i+1 , i=1 i=1 Zn = Zn ... Zn 1 , , M , (B.9) Y n = Y n ... Y n k k1, , kM , respectively, which are due to [2,Lemma7].Now,wewill bound each summand in (B.8) separately. First, define the Zn = Zn ... Zn following variables: i+1 1,i+1, , M,i+1 , (B.1) n i− i− i− i− U = Z Y 1 Y 1 = Y 1 ... Y 1 k,i i+1, k , k k1 , kM , l−1 Y i = Yk i ... Yk l− i (B.10) Yk(i) = (Yk1(i), ..., YkM(i)), k ( ) 1( ), , ( 1)( ) , Z i = Z i ... Z i ZM i = Z i ... Z i . ( ) ( 1( ), , M( )), l+1( ) ( l+1( ), , M( )) 14 EURASIP Journal on Wireless Communications and Networking

Hence, the summand in (B.8) can be written as follows: user is less noisy with respect to the eavesdropper. Thus, the summands in (B.18)forl ∈/ S(k)arenegativeandby I W Y i | Y i−1 Zn − I W Z i | Zn Y i−1 0; k( ) k , i+1 0; ( ) i+1, k (B.11) dropping them, we can bound (B.18) as follows: = I W ; Yk(i) | Uk i − I W ; Z(i) | Uk i (B.12) 0 , 0 , I W Y i | Y i−1 Zn − I W Z i | Zn Y i−1 0; k( ) k , i+1 0; ( ) i+1, k = I W0; Yk1(i), ..., YkM(i) | Uk,i l−1 M (B.13) ≤ I W ; Ykl(i) | Uk i, Yk (i), Zl (i) − I W Z i ... Z i | U 0 , +1 (B.20) 0; 1( ), , M( ) k,i l∈S(k) M − I W Z i | U ZM i Yl−1 i . l−1 0; l( ) k,i, l+1( ), k ( ) = I W0; Ykl(i) | Uk,i, Yk (i) l=1 (B.14) Moreover, for l ∈ S(k), we have − I W Z i | U ZM i 0; l( ) k,i, l+1( ) l−1 M I Uk,i, Yk (i), Zl (i); Ykl(i) M +1 = I W ZM i Y i | U Yl−1 i (B.21) 0, l+1( ); kl( ) k,i, k ( ) l−1 M − I Uk,i, Yk (i), Zl (i); Zl(i) ≥ 0 l=1 +1 M l−1 l−1 M − I Z (i) Ykl(i) | Uk i Y (i) W I Xl(i); Ykl(i) | Uk,i, Yk (i), Zl (i), W0 l+1 ; , , k , 0 (B.15) +1 (B.22) l− M M l−1 − I W Y 1 i Z i | U Z i − I Xl(i) Zl(i) | Uk i Z (i) Y (i) W ≥ 0, k ( ); l( ) k,i, l+1( ) ; , , l+1 , k , 0 0, I Yl−1 i Z i | U ZM i W l ∈ S k + k ( ); l( ) k,i, l+1( ), 0 where both are due to the fact that for ( ), in this subchannel the kth user is less noisy with respect to the M eavesdropper. Therefore, adding (B.21)and(B.22)toeach = I W ZM i Y i | U Yl−1 i 0, l+1( ); kl( ) k,i, k ( ) summand in (B.20), we get the following bound: l=1 (B.16) l− M i−1 n n i−1 − I W Y 1 i Z i | U Z i I W0; Yk(i) | Yk , Zi − I W0; Z(i) | Zi , Yk 0, k ( ); l( ) k,i, l+1( ) +1 +1 M l−1 M ≤ I Xl(i), W0, Uk,i, Yk (i), Zl (i); Ykl(i) = I ZM i Y i | U Yl−1 i +1 l+1( ); kl( ) k,i, k ( ) l∈S(k) l=1 l−1 M − I Xl(i), W , Uk i, Yk (i), Zl (i); Zl(i) l−1 M 0 , +1 I W Ykl(i) | Uk i Y (i) Z (i) + 0; , , k , l+1 (B.17) (B.23) − I Yl−1 i Z i | U ZM i k ( ); l( ) k,i, l+1( ) = I(Xl(i); Ykl(i)) − I(Xl(i); Zl(i)), (B.24) l∈S(k) − I W Z i | U ZM i Yl−1 i 0; l( ) k,i, l+1( ), k ( ) where an equality follows from the following Markov chain: M = I W Y i | U Yl−1 i ZM i 0; kl( ) k,i, k ( ), l+1( ) l−1 M W , Uk i, Y (i), Z (i) −→ Xl(i) −→ (Ykl(i), Zl(i)), l=1 (B.18) 0 , k l+1 (B.25) − I W Z i | U ZM i Yl−1 i 0; l( ) k,i, l+1( ), k ( ) , which is a consequence of the facts that channel is memory- where (B.16)and(B.18) follow from the following identities: less and subchannels are independent. Finally, using (B.24) M in (B.8), we get I ZM i Y i | U Yl−1 i W l+1( ); kl( ) k,i, k ( ), 0 l=1 n n M H(W0 | Z ) ≤ I(Xl(i); Ykl(i)) − I(Xl(i); Zl(i)) + n l− M = I Y 1 i Z i | U Z i W i=1 l∈S(k) k ( ); l( ) k,i, l+1( ), 0 l=1 (B.19) M ≤ n I(Xl; Ykl) − I(Xl; Zl) + n I ZM i Y i | U Yl−1 i l∈S(k) l+1( ); kl( ) k,i, k ( ) l= 1 M M = n I X Y − I X Z + l−1 M [ ( l; kl) ( l; l)] + n, = I Y i Zl i | Uk i Z i k ( ); ( ) , , l+1( ) , l=1 l=1 (B.26) respectively, which are again due to [2, Lemma 7]. Now, deﬁne the set of subchannels, say S(k), in which the kth which completes the proof. EURASIP Journal on Wireless Communications and Networking 15

C. Proof of Theorem 5 This lemma implies that Achievability of Theorem 5 is a consequence of the achiev- H W | Yn ≤ H W | Y n ≤ ability result for wiretap channels in [2]. We provide the k k k n,(C.6) converse proof here. We first define the function ρ(l)which denotes the index of the strongest user in the lth subchannel where the second inequality is due to Fano’s lemma. Using in the sense that (C.6), we get I(U; Ykl) ≤ I U; Yρ l l (C.1) ( ) K n n H W1, ..., WK | Y ≤ H Wk | Y ≤ Kn,(C.7) for all U → Xl → (Y1l, ..., YKl, Zl)andanyk ∈{1, ..., K}. k= Moreover, we define the following shorthand notations: 1 Yn = Y n l = ... M where the first inequality follows from the fact that condi- l ρ(l)l, 1, , , tioning cannot increase entropy. Yn = Yn ... Yn We now start the converse proof: 1 , , M , n n n n Y = Y ... Y k = ... K H(W , ..., WK | Z ) k k1, , kM , 1, , , 1 (C.8) Zn = Zn ... Zn ≤ I W ... W Yn − I W ... W Zn K 1 , , M , 1, , K ; ( 1, , K ; ) + n Y i−1 = Y i−1, ..., Y i−1 , k = 1, ..., K, n M k k1 kM = I W ... W Y i | Zi−1 Yn Zl−1 i YM i (C.2) 1, , K ; l( ) , i+1, ( ), l+1( ) i= l= Zi−1 = Zi−1 ... Zi−1 1 1 1 , , M , i−1 n − I W1, ..., WK ; Zl(i) | Z , Yi , Yn = Yn ... Yn +1 i+1 1,i+1, , M,i+1 , l− M Z 1 i Y i Kn l−1 ( ), l+1( ) + , Y (i) = Yk (i), ..., Yk l− (i) , l = 1, ..., M, k 1 , 1 (C.9) l−1 Z (i) = (Z1(i), ..., Zl−1(i)), l = 1, ..., M, where (C.8) is a consequence of (C.7)and(C.9) is obtained YM i = Y i ... Y i l = ... M. l+1( ) l+1( ), , M( ) , 1, , via consecutive uses of the Csiszar-Korner identity [2]aswe did in Appendix B. We define the set of indices S such that We first introduce the following lemma. for all l ∈ S, the strongest user in the lth subchannel has a less noisy channel with respect to the eavesdropper, that is, Lemma 12. For the parallel multireceiver wiretap channel we have with less noisiness order, one has n n I U Yl i ≥ I U Zl i I Wk; Yk ≤ I Wk; Y , k = 1, ..., K. (C.3) ; ( ) ( ; ( )) (C.10)

Proof. Consecutive uses of Csiszar-Korner identity [2], as in for all U → Xl(i) → (Yl(i), Zl(i)) and any l ∈ S.Thus,we Appendix B,yield can further bound (C.9) as follows: n n I Wk; Y − I Wk; Y k n H(W1, ..., WK | Z ) n M = I W Y i | Y i−1 Yn Y l−1 i YM i n k; kl( ) k , i+1, k ( ), l+1( ) i− n l− M ≤ I W ... WK Yl i | Z 1 Y Z 1 i Y i i=1l=1 1, , ; ( ) , i+1, ( ), l+1( ) i=1 l∈S i−1 n l−1 M −I Wk Yl i | Y Y Y i Y i ; ( ) k , i+1, k ( ), l+1( ) , i−1 n l−1 M −I W , ..., WK ; Zl(i) | Z , Yi , Z (i), Y (i) (C.4) 1 +1 l+1 K where each of the summand is negative, that is, we have + n (C.11) i−1 n l−1 M I Wk; Ykl(i) | Y , Yi , Y (i), Y (i) k +1 k l+1 n (C.5) i−1 n l−1 M ≤ I W , ..., WK , Z , Yi , Z (i), Y (i); Yl(i) − I W Y i | Y i−1 Yn Y l−1 i YM i ≤ 1 +1 l+1 k; l( ) k , i+1, k ( ), l+1( ) 0 i=1 l∈S i− n l− M Yl i −I W ... W Z 1 Y Z 1 i Y i Z i because ( ) is the observation of the strongest user in the 1, , K , , i+1, ( ), l+1( ); l( ) lth subchannel, that is, its channel is less noisy with respect to all other users in the lth subchannel. This concludes the + Kn proof of the lemma. (C.12) 16 EURASIP Journal on Wireless Communications and Networking

n ≤ I X i W ... W Zi−1 Yn Zl−1 i (ii) Second surface: l( ), 1, , K , , i+1, ( ), i=1 l∈S R ≤ I U Y | Z 0 ( 1; 21 1) M (C.13) Yl (i); Yl(i) − I(Xl(i), W1, ..., WK , +1 R1 ≤ I(X1; Y11 | U1, Z1) Zi−1 Yn Zl−1 i YM i Z i K R R ≤ I X Y | Z I U Y | Z U = φ. , i+1, ( ), l+1( ); l( ) + n 0 + 2 ( 2; 22 2) + ( 1; 21 1), 2 (D.2) n = I Xl(i); Yl(i) − I(Xl(i); Zl(i)) + Kn, (C.14) i=1 l∈S (iii) Third surface:

where (C.11) is obtained by dropping the negative terms, R0 ≤ I(U1; Y11 | Z1) + I(U2; Y12 | Z2) (C.12)-(C.13) are due to the following inequalities: R0 ≤ I(U1; Y21 | Z1) + I(U2; Y22 | Z2) (D.3) I Zi−1 Yn Zl−1 i YM i Y i R ≤ I X Y | U Z , i+1, ( ), l+1( ); l( ) 1 ( 1; 11 1, 1) R ≤ I X Y | U Z . ≥ I Zi−1 Yn Zl−1 i YM i Z i 2 ( 2; 22 2, 2) , i+1, ( ), l+1( ); l( ) , We now show the achievability of these regions separately. I X i Y i | W ... W Zi−1 Yn Zl−1 i YM i l( ); l( ) 1, , K , , i+1, ( ), l+1( ) Start with the first region. ≥ I X i Z i | W ... W Zi−1 Yn Zl−1 i YM i l( ); l( ) 1, , K , , i+1, ( ), l+1( ) , Proposition 13. The region defined by (D.1) is achievable. (C.15) Proof. Fix the probability distribution which come from the fact that for any l ∈ S, the strongest p(x1)p(u2)p(x2 | u2)p y1, y2, z | x . (D.4) user in the lth subchannel has a less noisy channel with respect to the eavesdropper. Finally, we get (C.14) using the Codebook Generation. following Markov chain: R = R (i) Split the private message rate of user 1 as 1 11 + R W ... W Zi−1 Yn Zl−1 i YM i 12. 1, , K , , i+1, ( ), l+1( ) n R R ( 11+ 11) n (C.16) (ii) Generate 2 length- sequences x1 through p = n p x w w −→ Xl(i) −→ Yl, Zl(i) , (x1) i=1 ( 1,i) and index them as x1( 11, 11) nR nR where w11 ∈{1, ...,2 11 } and w11 ∈{1, ...,2 11 }. n R R R ( 0+ 12+ 12) n which is a consequence of the facts that channel is memory- (iii) Generate 2 length- sequences u2 p = n p u less, and the subchannels are independent. through (u2) i=1 ( 2,i) and index them nR as u2(w0, w12, w12)wherew0 ∈{1, ...,2 0 }, nR nR w12 ∈{1, ...,2 12 } and w12 ∈{1, ...,2 12 }. D. Proofs of Theorems 7 and 9 n R R ( 2+ 2) n (iv) For each u2, generate 2 length- sequences x2 p = n p x | u D.1. Proof of Theorem 7. We prove Theorem 7 in two parts, through (x2) i=1 ( 2,i 2,i) and index them nR first achievability and then converse. Throughout the proof, as x2(w0, w02, w2, w2)wherew2 ∈{1, ...,2 2 }, w2 ∈ n n n n Y = Y Y Y = nR2 we use the shorthand notations 1 ( 11, 12), 2 {1, ...,2 }. (Y n , Y n ), Zn = (Zn, Zn). 21 22 1 1 2 (v) Furthermore, set the confusion message rates as follows: D.1.1. Achievability. To show the achievability of the region R = I X Z given by (30), first we need to note that the boundary of 11 ( 1; 1), this region can be decomposed into three surfaces as follows R = I U Z [26]. 12 ( 2; 2), (D.5) R2 = I(X2; Z2 | U2). (i) First surface:

Encoding. If (w0, w11, w12, w2) is the message to be transmit- R ≤ I U Y | Z 0 ( 2; 12 2) ted, then the receiver randomly picks (w11, w12, w2) and sends the corresponding codewords through each channel. R2 ≤ I(X2; Y22 | U2, Z2)

R0 + R1 ≤ I(X1; Y11 | Z1) + I(U2; Y12 | Z2), U1 = φ. Decoding. It is straightforward to see that if the following (D.1) conditions are satisﬁed, then both users can decode the EURASIP Journal on Wireless Communications and Networking 17 messages directed to themselves with vanishingly small error that both messages and confusion codewords are uniformly probability. distributed. The second and the third terms in (D.10)are H Zn − H Zn | Un Xn Xn ( ) 2 , 2 , 1 R R R ≤ I U Y (D.12) 0 + 12 + 12 ( 2; 12), = H Zn Zn − H Zn | Un Xn Xn 1 , 2 2 , 2 , 1 R R ≤ I X Y 11 + 11 ( 1; 11), (D.6) ≤ H Zn H Zn − H Zn Zn | Un Xn Xn 1 + 2 1 , 2 2 , 2 , 1 (D.13) n n n n n n R2 + R2 ≤ I(X2; Y22 | U2). = H Z H Z − H Z Z | X X 1 + 2 1 , 2 2 , 1 (D.14) = H Zn H Zn − H Zn | Xn − H Zn | Xn 1 + 2 1 1 2 2 (D.15) After eliminating R11 and R12 and plugging the values of = I Xn; Zn + I Xn; Zn (D.16) R11, R12, R2, we can reach the following conditions: 1 1 2 2

≤ nI(X1; Z1) + nI(X2; Z2) + γ1,n + γ2,n, (D.17) R ≤ I(U ; Y | Z ), 0 2 12 2 where the equalities in (D.14)and(D.15) are due to the

R2 ≤ I(X2; Y22 | U2, Z2), (D.7) following Markov chains: R R ≤ I X Y | Z I U Y | Z Un −→ Xn −→ Xn Zn Zn 0 + 1 ( 1; 11 1) + ( 2; 12 2), 2 2 1 , 1 , 2 , (D.18) Zn −→ Xn −→ Xn −→ Zn 2 2 1 1 , where we used the degradedness of the channel. Thus, we only need to show that this coding scheme satisfies the respectively, and the last inequality in (D.17) can be shown secrecy constraints. using the technique devised in [1]. To bound the last term in (D.10), assume that the eavesdropper tries to decode Un Xn Xn W W W ( 2 , 2 , 1 ) using the side information 0, 1, 2 and its Equivocation Computation. As shown previously in observation. Since the rates of the confusion codewords are Lemma 11 of Appendix A, checking the sum rate secrecy selected such that the eavesdropper can decode them given condition is sufficient: W0 = w0, W1 = w1, W2 = w2 (see (D.5)), using Fano’s lemma, we get n H(W0, W1, W2 | Z ) H Un Xn Xn | W W W Zn ≤ 2 , 2 , 1 0, 1, 2, n (D.19) n n = H(W0, W1, W2, Z ) − H(Z ) (D.8) for the third term in (D.10). Plugging (D.11), (D.17), and = H W W W Un Xn Xn Zn (D.19) into (D.10), we get 0, 1, 2, 2 , 2 , 1 , − H Un Xn Xn | W W W Zn − H Zn H W W W | Zn ≥ n R R R − − γ − γ 2 , 2 , 1 0, 1, 2, ( ) ( 0, 1, 2 ) ( 0 + 1 + 2) n 1,n 2,n, (D.20) = H Un Xn Xn 2 , 2 , 1 which completes the proof. H W W W Zn | Un Xn Xn − H Zn + 0, 1, 2, 2 , 2 , 1 ( ) (D.9) − H Un Xn Xn | W W W Zn Achievability of the region defined by (D.2) follows due 2 , 2 , 1 0, 1, 2, to symmetry. We now show the achievability of the region ≥ H Un Xn Xn H Zn | Un Xn Xn defined by (D.3). 2 , 2 , 1 + 2 , 2 , 1 (D.10) − H Zn − H Un Xn Xn | W W W Zn . Proposition 14. The region described by (D.3) is achievable. ( ) 2 , 2 , 1 0, 1, 2, Proof. Fix the probability distribution as follows: We treat each term in (D.10) separately. The first term in p u p x | u p u p x | u p y y z | x . (D.10)is ( 1) ( 1 1) ( 2) ( 2 2) 1, 2, (D.21)

Codebook Generation. H Un Xn Xn 2 , 2 , 1 n R R ( 0+ 01) n n n n (i) Generate 2 length- sequences u1 through = H U , X + H X p = n p u w w 2 2 1 (D.11) (u1) i=1 ( 1,i) and index them as u1( 0, 01) nR nR where w ∈{1, ...,2 0 }, w ∈{1, ...,2 01 }. = n R + R + R + R + R + R + R , 0 01 0 11 2 12 11 12 2 n R R ( 1+ 1) n (ii) For each u1, generate 2 length- sequences x1 p = n p x | u through (x1) i=1 ( 1,i 1,i) and index them nR where the ﬁrst equality is due to the independence of as x1(w0, w01, w1, w1)wherew1 ∈{1, ...,2 1 }, w1 ∈ n n n nR U X X { ... 1 } ( 2 , 2 )and 1 , and the second equality is due the fact 1, ,2 . 18 EURASIP Journal on Wireless Communications and Networking

n R R ( 0+ 02) n (iii) Generate 2 length- sequences u2 through where the ﬁrst equality is due to the independence of sub- p = n p u w w (u2) i=1 ( 2,i) and index them as u2( 0, 02) channels and codebooks used for each channel. Therefore, nR nR where w0 ∈{1, ...,2 0 }, w02 ∈{1, ...,2 02 }. error probability can be bounded as n R R ( 2+ 2) n (iv) For each u2, generate 2 length- sequences x2 E p = n p x | u Pr( i) through (x2) i=1 ( 2,i 2,i) and index them nR w w w w w ∈{ ... 2 } w ∈ nR as x2( 0, 02, 2, 2)where 2 1, ,2 , 2 20 nR { ... 2 } n(R01−I(U1;Yi1)+R02−I(U2;Yi2)+2n) 1, ,2 . ≤ n + 2 (D.28) (v) Moreover, set the rates of confusion messages as j=2 follows: n R R −I U Y R −I U Y = n +2 ( 0+ 01 ( 1; i1)+ 02 ( 2; i2)+2 n) R01 = I(U1; Z1), which vanishes if the following are satisﬁed: R02 = I(U2; Z2), (D.22) R R R ≤ I U Y I U Y i = . 0 + 01 + 02 ( 1; i1) + ( 2; i2), 1, 2 (D.29) R1 = I(X1; Z1 | U1), After decoding the common message, both users decode their R = I(X Z | U ). 2 2; 2 2 private messages if the rates satisfy

Encoding. Assume that the messages to be transmitted R1 + R1 ≤ I(X1; Y11 | U1), (D.30) are (w0, w1, w2). Then, after randomly picking the tuple (w , w , w , w ), corresponding codewords are sent. 01 02 1 2 R2 + R2 ≤ I(X2; Y22 | U2). (D.31) w Decoding. Users decode 0 using their both observations. If After plugging the values of R , R , R , R given by (D.22) w 01 02 1 2 0 is the only message that satisﬁes into (D.29)–(D.31), one can recover the region described by w E 0 = ∃w w w ∈ An (D.3) using the degradedness of the channel. i1 01 : u1( 0, 01), yi1 w (D.23) E 0 = ∃w w w ∈ An i2 02 : u2( 0, 02), yi2 Equivocation Calculation. It is suﬃcient to check the sum rate constraint: simultaneously for user i, w0 is declared to be transmitted. Assume w = 1 is transmitted. The error probability for user n n n 0 H(W , W , W | Z ) = H(W , W , W , Z ) − H(Z ) i can be bounded as 0 1 2 0 1 2

2nR0 c j j E ≤ E1 E1 E E Pr( i) Pr i1, i2 + Pr i1, i2 , (D.24) (D.32) j=2 = H Un Un Xn Xn W W W Zn 1 , 2 , 1 , 2 , 0, 1, 2, using the union bound. Let us consider the following: (D.33) − H Un Un Xn Xn | W W W Zn − H Zn j 1 , 2 , 1 , 2 0, 1, 2, ( ) E = ∃w j w ∈ An Pr i1 Pr 01 : u1 , 01 , yi1 = H Un Un Xn Xn 1 , 2 , 1 , 2 ≤ j w ∈ An Pr u1 , 01 , yi1 H W W W Zn | Un Un Xn Xn ∀w + 0, 1, 2, 1 , 2 , 1 , 2 (D.34) 01 (D.25) n n n n n n nR −n I U Y − − H(Z ) − H U , U , X , X | W , W , W , Z ≤ 01 ( ( 1; i1) n) 1 2 1 2 0 1 2 2 2 ≥ H Un Un Xn Xn H Zn | Un Un Xn Xn − H Zn , , , + , , , ( ) n(R −I(U ;Yi )+n) 1 2 1 2 1 2 1 2 = 2 01 1 1 . n n n n n − H U , U , X , X | W0, W1, W2, Z , Similarly, we have 1 2 1 2 (D.35) j n(R −I(U ;Yi )+n) Pr Ei ≤ 2 02 2 2 . (D.26) 2 where each term will be treated separately. The first term is Thus, the probability of declaring that the jth message was H Un Un Xn Xn transmitted can be bounded as ( 1 , 2 , 1 , 2 ) E j E j = H Un Un H Xn | Un Un H Xn | Un Un Pr i1, i2 1 , 2 + 1 1 , 2 + 2 1 , 2 (D.36) j j = Pr Ei × Pr Ei 1 2 (D.27) = n R0 + R1 + R2 + R01 + R02 + R1 + R2 , (D.37) n R −I U Y n R −I U Y ≤ 2 ( 01 ( 1; i1)+ n) × 2 ( 02 ( 2; i2)+ n) Xn Xn where we first use the fact that 1 and 2 are independent n R −I U Y R −I U Y n n ( 01 ( 1; i1)+ 02 ( 2; i2)+2 n) U U = 2 , given ( 1 , 2 ), and secondly, we use the fact that messages EURASIP Journal on Wireless Communications and Networking 19 are uniformly distributed. The second and third terms of with respect to the first user’s channel. We bound each term (D.35)are in (D.50) separately. First term is H(Zn) − H Zn | Un Un Xn Xn n n 1 , 2 , 1 , 2 I W0, W1; Y | Z 12 n n n n n n (D.38) = H Z Z − H Z | X − H Z | X n 1 , 2 1 1 2 2 (D.51) i−1 n n = I W0, W1; Y12,i | Y , Z , Z ≤ H Zn H Zn − H Zn | Xn − H Zn | Xn 12 1 2 1 + 2 1 1 2 2 (D.39) i=1 = I Xn; Zn + I Xn; Zn (D.40) n 1 1 2 2 = H Y | Y i−1 Zn Zn 12,i 12 , 1 , 2 i= ≤ nI(X1; Z1) + nI(X2; Z2) + γ1,n + γ2,n, (D.41) 1 (D.52) − H Y | Y i−1 Zn Zn W W where the first equality is due to the independence of the sub- 12,i 12 , 1 , 2 , 0, 1 channels. We now consider the last term of (D.35)forwhich n n n n n assume that eavesdropper tries to decode (U , U , X , X ) 1 2 1 2 ≤ H Y12,i | Z2,i using the side information (W , W , W ) and its observation. 0 1 2 i=1 (D.53) Since the rates of the confusion messages are selected to Un Un Xn Xn − H Y | Y i−1 Zn Zn W W Y n Y i−1 ensure that the eavesdropper can decode ( 1 , 2 , 1 , 2 ) 12,i 12 , 1 , 2 , 0, 1, 21, 22 given (W0 = w0, W1 = w1, W2 = w2)(see(D.22)), using n Fano’s lemma we have = H Y | Z 12,i 2,i H Un Un Xn Xn | W W W Zn ≤ . i=1 (D.54) 1 , 2 , 1 , 2 0, 1, 2, n (D.42) − H Y | W W Y n Y i−1 Zn Z Plugging (D.37), (D.41), and (D.42) into (D.35), we have 12,i 0, 1, 21, 22 , 2,i+1, 2,i n n H(W0, W1, W2 | Z ) ≥ n(R0 + R1 + R2) − n − γ1,n − γ2,n, = I U2,i; Y12,i | Z2,i , (D.55) (D.43) i=1 which concludes the proof. where (D.53) follows from the fact that conditioning cannot increase entropy and the equality in (D.54) is due to the D.1.2. Converse. First let us define the following auxiliary following Markov chains: random variables: Zn −→ Y n −→ W , W , Y n , Zn, Y n , U = W W Y n Y i−1Zn 1 21 0 1 22 2 12 1,i 0 2 12 11 1,i+1, (D.56) (D.44) Y i−1Zi−1 −→ Y i−1 −→ W W Y n Y Zn Zn U = W W Y n Y i−1Zn 12 2 22 0, 1, 21, 12,i, 2,i, 1 , 2,i 0 1 21 22 2,i+1, which satisfy the following Markov chains: both of which are due to the fact that subchannels are independent, memoryless, and degraded. We now consider U1,i −→ X1,i −→ Y11,i, Y21,i, Z1,i , the second term in (D.50), (D.45) U i −→ X i −→ Y i Y i Z i . I W W Y n | Y n Zn 2, 2, 12, , 22, , 2, 0, 2; 11 12, n We remark that although U1,i and U2,i are correlated, at the (D.57) = I W W Y | Y n Zn Zn Y i−1 end of the proof, it will turn out that selection of them as 0, 2; 11,i 12, 1 , 2 , 11 independent will yield the same region. We start with the i=1 common message rate: n n i−1 n = I W0, W2; Y11,i | Y , Y , Z i , Z1,i (D.58) n n 12 11 1, +1 H(W0 | Z ) = H(W0) − I(W0; Z ) (D.46) i=1 ≤ I W Y n − I W Zn n 0; 1 ( 0; ) + n (D.47) ≤ I W W Y n Y i−1 Zn Y | Z 0, 2, 12, 11 , 1,i+1; 11,i 1,i (D.59) = I W Y n | Zn i=1 0; 1 + n (D.48) n n n n n n = I W ; Y | Z + I W ; Y | Y , Z + n 0 12 0 11 12 = I U1,i; Y11,i | Z1,i , (D.60) (D.49) i=1 ≤ I W W Y n | Zn 0, 1; 12 where (D.58) follows from the following Markov chains: (D.50) n n n + I W , W ; Y | Y , Z + n, 0 2 11 12 Zn −→ Y n −→ W W Y i−1 Zn Y 2 12 0, 2, 11 , 1 , 11,i , where (D.47) is due to Fano’s lemma, the equality in (D.48) (D.61) Zi−1 −→ Y i−1 −→ W W Y n Zn Z Y is due to the fact that the eavesdropper’s channel is degraded 1 11 0, 2, 12, 1,i+1, 1,i, 11,i , 20 EURASIP Journal on Wireless Communications and Networking

n both of which are due to the fact that subchannels are = H Y i | Z i − H Y i | Z i, X i (D.74) independent, memoryless, and degraded. Plugging (D.55) 11, 1, 11, 1, 1, i=1 and (D.60) into (D.50), we get the following outer bound on n the common rate. = I X1,i; Y11,i | Z1,i , (D.75) n i= H(W0 | Z ) 1 n n where (D.70) is due to the fact that conditioning cannot ≤ I U2,i; Y12,i | Z2,i + I U1,i; Y11,i | Z1,i + n. increase entropy, (D.71) is due to the following Markov i=1 i=1 chain: (D.62) Y n Zn −→ Xn −→ Y n Zn W W 11, 1 1 12, 2 , 0, 1 , (D.76) Using the same analysis on the second user, we can obtain the following outer bound on the common rate as well. and (D.73) follows from the fact that conditioning cannot increase entropy. Finally, (D.74) is due to the fact that n H(W0 | Z ) each subchannel is memoryless. Hence, plugging (D.68)and (D.75) into (D.67), we get the following outer bound: n n n ≤ I U i Y i | Z i I U i Y i | Z i n. 2, ; 22, 2, + 1, ; 21, 1, + n i=1 i=1 H(W0, W1 | Z ) ≤ I X1,i; Y11,i | Z1,i (D.63) i=1 (D.77) n We now bound the sum of independent and common + I U2,i; Y12,i | Z2,i + n. message rates for each user, i=1 H W W | Zn ≤ I W W Y n − I W W Zn Similarly, for the second user, we can get the following outer ( 0, 1 ) 0, 1; 1 ( 0, 1; ) + n bound: (D.64) n n H(W , W | Z ) ≤ I X i; Y i | Z i = I W W Y n | Zn 0 2 2, 22, 2, 0, 1; 1 + n (D.65) i=1 n n n n (D.78) = I W0, W1; Y , Y | Z + n (D.66) 11 12 I U Y | Z . + 1,i; 21,i 1,i + n n n = I W W Y | Z i=1 0, 1; 12 I W W Y n | Y n Zn We now bound the sum rates to conclude the converse: + 0, 1; 11 12, + n, n (D.67) H(W0, W1, W2 | Z ) n (D.79) where (D.64) is due to Fano’s lemma, (D.65) is due to the fact = H(W0, W1, W2) − I(W0, W1, W2; Z ) that the eavesdropper’s channel is degraded with respect to ≤ I W W Y n I W Y n | W W the first user’s channel. Using (D.55), the first term in (D.67) 0, 1; 1 + 2; 2 0, 1 can be bounded as n (D.80) − I(W0, W1, W2; Z ) + n n n n n n n n I W W Y | Z ≤ I U Y | Z . = I W W Y | Z I W Y | W W Z n 0, 1; 12 2,i; 12,i 2,i (D.68) 0, 1; 1 + 2; 2 0, 1, + i=1 (D.81) = I W W Y n | Zn I W W Y n | Zn Y n Thus, we only need to bound the second term of (D.67): 0, 1; 12 + 0, 1; 11 , 12 I W W Y n | Y n Zn I W Y n | W W Zn 0, 1; 11 12, + 2; 21 0, 1, n n n n n n n = H Y | Y Z Z I W Y | W W Z Y n 11 12, 1 , 2 (D.69) + 2; 22 0, 1, , 21 + (D.82) − H Y n | Y n Zn Zn W W 11 12, 1 , 2 , 0, 1 = I W , W , Y n ; Y n | Zn − I Y n ; Y n | W , W , Zn ≤ H Y n | Zn 0 1 21 12 21 12 0 1 11 1 (D.70) + I W , W ; Y n | Zn, Y n + I W ; Y n | W , W , Zn − H Y n | Y n Zn Zn W W Xn 0 1 11 12 2 21 0 1 11 12, 1 , 2 , 0, 1, 1 I W Y n | W W Zn Y n + 2; 22 0, 1, , 21 + n = H Y n | Zn − H Y n | Zn Xn 11 1 11 1 , 1 (D.71) (D.83) = I Xn; Y n | Zn (D.72) 1 11 1 = S1 − S2 + S3 + S4 + S5, (D.84) n ≤ H Y | Z − H Y | Zn Xn Y i−1 where (D.80) follows from Fano’s lemma, (D.81)isdueto 11,i 1,i 11,i 1 , 1 , 11 (D.73) i=1 the fact that the eavesdropper’s channel is degraded with EURASIP Journal on Wireless Communications and Networking 21 respect to both users’ channels, (D.83) is obtained by adding which is due to the degradedness of the channel. Moreover, and subtracting S2 from the first term of (D.82). Now, we the second term in (D.97) is zero as we show in what follows: proceed as follows: I W W W Y n | Zn Y n Xn 0, 1, 2; 11 1 , 12, 1 S − S = I W ; Y n | W , W , Zn 4 2 2 21 0 1 = H W W W | Zn Y n Xn (D.85) 0, 1, 2 1 , 12, 1 (D.99) − I Y n ; Y n | W , W , Zn 21 12 0 1 − H W W W | Zn Y n Xn Y n 0, 1, 2 1 , 12, 1 , 11 ≤ I W , Y n ; Y n | W , W , Zn 2 12 21 0 1 = H W W W | Y n Xn (D.86) 0, 1, 2 12, 1 − I Y n ; Y n | W , W , Zn (D.100) 21 12 0 1 − H W W W | Y n Xn = 0, 1, 2 12, 1 0, = I W Y n | W W Zn Y n . 2; 21 0, 1, , 12 (D.87) where (D.100) follows from the following Markov chain: S n n n n Adding 3 to (D.87), we get Y , Z −→ X −→ W , W , W , Y . (D.101) 11 1 1 0 1 2 12 S S − S ≤ I W W Y n | Zn Y n 3 + 4 2 0, 1; 11 , 12 Thus, (D.97)turnsouttobe n n n (D.88) + I W ; Y | W , W , Z , Y S S − S ≤ I Xn Y n | Zn Y n . 2 21 0 1 12 3 + 4 2 1 ; 11 1 , 12 (D.102) ≤ I W W Y n | Zn Y n 0, 1; 11 , 12 which can be further bounded as follows: (D.89) n n n I W Y n Y n | W W Zn Y n S + S − S ≤ H Y | Z , Y + 2; 11, 21 0, 1, , 12 3 4 2 11 1 12 n n n n (D.103) = I W W Y n | Zn Y n − H Y | Z , Y , X 0, 1; 11 , 12 11 1 12 1 n n I W Y n | W W Zn Y n ≤ H Y | Z + 2; 11 0, 1, , 12 (D.90) 11 1 n n n n (D.104) I W Y n | W W Zn Y n Y n − H Y | Z , Y , X + 2; 21 0, 1, , 12, 11 11 1 12 1 n n n n n = I W W W Y n | Zn Y n = H Y | Z − H Y | Z , X (D.105) 0, 1, 2; 11 , 12 11 1 11 1 1 I W Y n | W W Zn Y n Y n n + 2; 21 0, 1, , 12, 11 , ≤ I X1,i; Y11,i | Z1,i , (D.106) (D.91) i=1 where the second term is zero as we show in what follows: where (D.104) is due to the fact that conditioning cannot I W Y n | W W Zn Y n Y n increase entropy, (D.105) is due to the following Markov 2; 21 0, 1, , 12, 11 chain: = H W | W W Zn Zn Y n Y n 2 0, 1, 1 , 2 , 12, 11 Y n Zn −→ Xn −→ Y n . 11, 1 1 12 (D.107) − H W | W W Zn Zn Y n Y n Y n 2 0, 1, 1 , 2 , 12, 11, 21 (D.92) Finally, (D.106) is due to our previous result in (D.75). We = H W | W , W , Y n , Y n keep bounding terms in (D.84): 2 0 1 12 11 n n n n n n S = I W Y | W W Y Z Z − H W | W , W , Y , Y = 0, 5 2; 22 0, 1, 21, 1 , 2 (D.108) 2 0 1 12 11 = I W Y n | W W Y n Zn where we used the following Markov chain: 2; 22 0, 1, 21, 2 (D.109) W W W −→ Y n Y n −→ Y n Zn Zn n ( 0, 1, 2) 11, 12 21, 1 , 2 , (D.93) = I W Y | W W Y n Zn Y i−1 2; 22,i 0, 1, 21, 2 , 22 (D.110) which is a consequence of the degradation orders that i=1 subchannels exhibit. Thus, (D.91) can be expressed as n n n i−1 = I W ; Y i | W , W , Y , Z i , Y , Z i (D.111) S S − S ≤ I W W W Y n | Zn Y n 2 22, 0 1 21 2, +1 22 2, 3 + 4 2 0, 1, 2; 11 , 12 (D.94) i=1 = I W W W Y n | Zn Y n n 0, 1, 2; 11 1 , 12 (D.95) = I W ; Y i | U i, Z i (D.112) n n n n 2 22, 2, 2, ≤ I X W W W Y | Z Y i= 1 , 0, 1, 2; 11 1 , 12 (D.96) 1 n = I Xn Y n | Zn Y n 1 ; 11 1 , 12 ≤ H Y | U Z 22,i 2,i, 2,i + I W , W , W ; Y n | Zn, Y n , Xn , i=1 (D.113) 0 1 2 11 1 12 1 (D.97) − H Y22,i | U2,i, Z2,i, W2, X2,i where (D.95) follows from the following Markov chain: n ≤ I X i; Y i | U i, Z i , (D.114) Zn −→ Y n −→ W W W Y n Zn 2, 22, 2, 2, 2 12 0, 1, 2, 11, 1 , (D.98) i=1 22 EURASIP Journal on Wireless Communications and Networking where (D.109)and(D.111) are due to the following Markov Following similar steps, we can also get the following one: chains: H W W W | Zn Zn −→ Y n −→ W W W Y n Zn ( 0, 1, 2 ) 1 21 0, 1, 2, 22, 2 , (D.115) n i− i− n n Z 1 −→ Y 1 −→ W W W Y Z Y ≤ I X i Y i | Z i I X i Y i | U i Z i 2 22 0, 1, 2, 21, 2,i, 22,i , 2, ; 22, 2, + 1, ; 11, 1, , 1, i=1 respectively, (D.113) follows from that conditioning cannot + I U i; Y i | Z i + n. increase entropy and (D.114) is due to the following Markov 1, 21, 1, chain: (D.125) Y22,i, Z2,i −→ X2,i −→ W2, U2,i , (D.116) So far, we derived outer bounds, (D.62), (D.63), (D.77), (D.78), (D.124), (D.125), on the capacity region which match which is a consequence of the fact that each subchannel is the achievable region provided. The only difference can be memoryless. Thus, we only need to bound S1 in (D.84)to on the joint distribution that they need to satisfy. However, reach the outer bound for the sum secrecy rate: the outer bounds depend on either p(u1, x1)orp(u2, x2)but not on the joint distribution p(u , u , x , x ). Hence, for the S = I W W Y n Y n | Zn 1 2 1 2 1 0, 1, 21; 12 (D.117) outer bound, it is sufficient to consider the joint distributions p u u x x = p u x p u x n having the form ( 1, 2, 1, 2) ( 1, 1) ( 2, 2). Thus, = I W W Y n Y | Zn Zn Y i−1 0, 1, 21; 12,i 1 , 2 , 12 (D.118) the outer bounds derived and the achievable region coincide i=1 yielding the capacity region. n ≤ H Y12,i | Z2,i D.2. Proof of Theorem 9. i=1 (D.119) n n i−1 n i−1 D.2.1. Achievability. To show the achievability of the region − H Y i | Z , Z , Y , W , W , Y , Y 12, 1 2 12 0 1 21 22 given in Theorem 9,weuseTheorem 7. First, we group n subchannels into two sets Sj , j = 1, 2, where Sj , j = = H Y12,i | Z2,i 1, 2, contains the subchannels in which user j has the best i=1 (D.120) observation. In other words, we have the Markov chain: n i− n i− − H Y i | Z , Y 1, W , W , Y , Y 1 12, 2 12 0 1 21 22 Xl −→ Y1l −→ Y2l −→ Zl, (D.126) n for l ∈ S , and we have this Markov chain: = H Y12,i | Z2,i 1 i=1 (D.121) Xl −→ Y2l −→ Y1l −→ Zl (D.127) − H Y | W W Y n Y i−1 Zn Z 12,i 0, 1, 21, 22 , 2,i+1, 2,i for l ∈ S2. n We replace Uj with {Ul}l∈S , Xj with {Xl}l∈S , Yj with = I U Y | Z j j 1 2,i; 12,i 2,i , (D.122) {Y } Y {Y } Z {Z } j = jl l∈S , j2 with jl l∈S ,and j with l l∈Sj , 1, 2, i=1 1 2 { U X }M in Theorem 7. Moreover, if we select the pairs ( l, l) l=1 where (D.119) is due to the fact that conditioning cannot to be mutually independent, we get the following joint increase entropy, (D.120)and(D.121) follow from the distribution: following Markov chains: M M n n i− n n Z −→ Y −→ W W Y 1 Y Z p {ul, xl, y1l, y2l, zl}l= = p(ul, xl)p y1l, y2l, zl | xl , 1 21 0, 1, 22 , 12, 2 , 1 l= 1 Y i−1 Zi−1 −→ Y i−1 −→ W W W Y n Zn Y (D.128) 12 , 2 22 0, 1, 2, 21, 2,i, 12,i , (D.123) which implies that random variable tuples { u x y y z }M respectively. Thus, plugging (D.106), (D.114), and (D.122) ( l, l, 1l, 2l, l) l=1 are mutually independent. Using into (D.84), we get the following outer bound on the sum this fact, one can reach the expressions given in Theorem 9. secrecy rate: D.2.2. Converse. For the converse part, we again use the H W W W | Zn ( 0, 1, 2 ) proof of Theorem 7. First, without loss of generality, we assume S ={1, ..., L },andS ={L +1,..., M}.Wedefine n 1 1 2 1 the following auxiliary random variables: ≤ I X1,i; Y11,i | Z1,i + I X2,i; Y22,i | U2,i, Z2,i i=1 n i−1 n U1,i = W0W2Y L M Y L Z L i , I U Y | Z . 1[ 1+1: ] 1[1: 1] [1: 1], +1 + 2,i; 12,i 2,i + n (D.129) n i−1 n U i = W W Y Y Z (D.124) 2, 0 1 2[1:L1] 2[L1+1:M] [L1+1:M],i+1, EURASIP Journal on Wireless Communications and Networking 23 which satisfy the Markov chains: We now bound the second term in (D.131) as follows: I U Y | Z 2,i; 1[L1+1:M],i [L1+1:M],i U i −→ Xl i −→ Y l i, Y l i, Zl i , l = 1, ..., L , 1, , 1 , 2 , , 1 M (D.139) U −→ X −→ Y Y Z l = L ... M. = I U i Y l i | Z L M i Y L l− i 2,i l,i 1l,i, 2l,i, l,i , 1 +1, , 2, ; 1 , [ 1+1: ], , 1[ 1+1: 1], l=L (D.130) 1+1 M = I U i; Y l i | Z l M i, Y L l− i (D.140) Using the analysis carried out for the proof of Theorem 7,we 2, 1 , [ : ], 1[ 1+1: 1], l=L +1 get 1 M ≤ H Y1l,i | Zl,i n l=L1+1 (D.141) nR ≤ I U i Y L i | Z L i 0 1, ; 1[1: 1], [1: 1], i= 1 − H Y l i | Z l M i, Y L l− i, U i (D.131) 1 , [ : ], 1[ 1+1: 1], 2, n M + I U2,i; Y1[L +1:M],i | Z[L +1:M],i + n, 1 1 ≤ H Y l i | Zl i i=1 1 , , l=L1+1 − H Y l i | Z l M i Y L l− i U i Y L l− i where each term will be treated separately. The first term can 1 , [ : ], , 1[ 1+1: 1], , 2, , 2[ 1+1: 1], be bounded as follows: (D.142)

M I U Y | Z = H Y l i | Zl i 1,i; 1[1:L1],i [1:L1],i 1 , , l=L1+1 (D.143) L 1 (D.132) = I U Y | Y Z − H Y l i | Z l M i, U i, Y L l− i 1,i; 1l,i 1[1:l−1],i, [1:L1],i 1 , [ : ], 2, 2[ 1+1: 1], l=1 M L1 = I Z U Y Y | Z [l+1:M],i, 2,i, 2[L1+1:l−1],i; 1l,i l,i , (D.144) = I U Y | Y Z l=L 1,i; 1l,i 1[1:l−1],i, [l:L1],i (D.133) 1+1 l=1 where (D.140) follows from the Markov chain: L 1 ≤ I U i Y l− i Z l L i Y l i | Zl i Z −→ Y −→ U Z Y 1, , 1[1: 1], , [ +1: 1], ; 1 , , , (D.134) [L1+1:l−1],i 1[L1+1:l−1],i 2,i, [l:M],i, 1l,i , (D.145) l=1 which is a consequence of the degradedness of the subchannels, (D.141)and(D.142) follow from the fact that where (D.133) follows from the Markov chain: conditioning cannot increase entropy, and (D.143)isdueto the Markov chain: Z l− i −→ Y l− i −→ U i Y l i Z l L i [1: 1], 1[1: 1], 1, , 1 , , [ : 1], , (D.135) Y −→ Y −→ U Z Y 1[L1+1:l−1],i 2[L1+1:l−1],i 2,i, [l:M],i, 1l,i , (D.146) which is due to the degradedness of the subchannels. To this which is again a consequence of the degradedness of the end, we deﬁne the following auxiliary random variables: subchannels. To this end, we deﬁne the following auxiliary random variables: Vl i = Y l− iZ l L iU i, l = 1, ..., L , , 1[1: 1], [ +1: 1], 1, 1 (D.136) V = Y Z U l = L ... M l,i 2[L1+1:l−1],i [l+1:M],i 2,i, 1 +1, , , (D.147) which satisfy the Markov chains: which satisfy the Markov chains: Vl i −→ Xl i −→ Y l i, Y l i, Zl i , l = L +1,..., M Vl,i −→ Xl,i −→ Y1l,i, Y2l,i, Zl,i , l = 1, ..., L1. (D.137) , , 1 , 2 , , 1 , (D.148)

Thus, using these new auxiliary random variables in (D.134), Thus, using these new auxiliary random variables in (D.144), we get we get M L I U i Y L M i | Z L M i ≤ I Vl i Y l i | Zl i . 1 2, ; 1[ 1+1: ], [ 1+1: ], , ; 1 , , I U Y | Z ≤ I V Y | Z . l=L1+1 1,i; 1[1:L1],i [1:L1],i l,i; 1l,i l,i (D.138) l=1 (D.149) 24 EURASIP Journal on Wireless Communications and Networking

Finally, using (D.138)and(D.149)in(D.131), we obtain Due to symmetry, we also have n n M n(R0 + R2) ≤ I Xl,i; Y2l,i | Zl,i nR0 ≤ I Vl,i; Y1l,i | Zl,i + n. (D.150) i=1 l∈S i=1 l= 2 1 (D.159) n Due to symmetry, we also have + I Vl,i; Y2l,i | Zl,i + n. i= 1 l∈S1 n M nR0 ≤ I Vl,i; Y2l,i | Zl,i + n. (D.151) We now bound the sum secrecy rate. We ﬁrst borrow i=1 l=1 the following outer bound from the converse proof of Theorem 7: We now bound the sum of common and independent message rates. Using the converse proof of Theorem 7,weget n(R0 + R1 + R2)

n n (D.160) n R R ≤ I X Y | Z ≤ I X L i Y L i | Z L i ( 0 + 1) [1:L1],i; 1[1:L1],i [1:L1],i [1: 1], ; 1[1: 1], [1: 1], i=1 i=1 n n I U Y | Z I X L M i Y L M i | U i Z L M i + 2,i; 1[L1+1:M],i [L1+M],i + n, + [ 1+1: ], ; 2[ 1+1: ], 2, , [ 1+1: ], i=1 i=1 (D.152) n I U Y | Z + 2,i; 1[L1+1:M],i [L1+1:M],i , where, for the second term we already obtained, an outer i=1 bound given in (D.149). We now bound the first term: (D.161) I X Y | Z [1:L1],i; 1[1:L1],i [1:L1],i where, for the first and third terms, we already obtained outer bounds given in (D.156)and(D.149), respectively. We now L 1 (D.153) bound the second term as follows: = I X Y | Z Y [1:L1],i; 1l,i [1:L1],i, 1[1:l−1],i l= I X Y | U Z 1 [L1+1:M],i; 2[L1+1:M],i 2,i, [L1+1:M],i L 1 M ≤ H Y l i | Zl i = I X Y | U Z Y 1 , , [L1+1:M],i; 2l,i 2,i, [L1+1:M],i, 2[L1+1:l−1],i l= 1 (D.154) l=L1+1 − H Y | Z Y X (D.162) 1l,i [1:L1],i, 1[1:l−1],i, [1:L1],i M L 1 = I X Y | U Z Y [L1+1:M],i; 2l,i 2,i, [l:M],i, 2[L1+1:l−1],i = H Y1l,i | Zl,i − H Y1l,i | Zl,i, Xl,i (D.155) l=L1+1 l= 1 (D.163) L 1 M = I Xl,i; Y1l,i | Zl,i , (D.156) = I X L M i Y l i | Vl i Zl i l=1 [ 1+1: ], ; 2 , , , , (D.164) l=L1+1 where (D.154) follows from the fact that conditioning cannot M increase entropy, and (D.155) is due to the following Markov = H Y l i | Vl i, Zl i chain: 2 , , , l=L1+1 (D.165) Y l i, Zl i −→ Xl i 1 , , , − H Y2l,i | Vl,i, Zl,i, X[L +1:M],i 1 −→ X l− i X l L i Y l− iZ l− i Z l L i M [1: 1], , [ +1: 1], , 1[1: 1], [1: 1], , [ +1: 1], , (D.157) = H Y2l,i | Vl,i, Zl,i l=L1+1 (D.166) which follows from the facts that channel is memoryless and − H Y | V Z X subchannels are independent. Thus, plugging (D.149)and 2l,i l,i, l,i, l,i (D.156) into (D.152), we obtain M = I X Y | V Z n l,i; 2l,i l,i, l,i , (D.167) l=L n(R0 + R1) ≤ I Xl,i; Y1l,i | Zl,i 1+1 i= 1 l∈S1 (D.158) where (D.163) follows from the Markov chain: n Z L l− i −→ Y L l− i −→ U i Z l M i X L M i Y l i + I Vl,i; Y1l,i | Zl,i + n. [ 1+1: 1], 2[ 1+1: 1], 2, , [ : ], , [ 1+1: ], , 2 , , i= 1 l∈S2 (D.168) EURASIP Journal on Wireless Communications and Networking 25 which is a consequence of the degradedness of the subchan- (iii) Third surface: nels, (D.164) is obtained via using the definition of V2,i given R ≤ αI X Y | U Z in (D.147), and (D.166) follows from the Markov chain: 1 ( 1; 11 1, 1) Z Y −→ X −→ V X X R ≤ αI X Y | U Z l,i, 2l,i l,i l,i, [L1+1:l−1],i, [l+1:M] , (D.169) 2 ( 2; 22 2, 2) (E.3) which is due to the facts that channel is memoryless R0 ≤ αI(U1; Y11 | Z1) + αI(U2; Y12 | Z2) and subchannels are independent. Thus, plugging (D.149), R ≤ αI U Y | Z αI U Y | Z . (D.156), and (D.167) into (D.161), we get 0 ( 1; 21 1) + ( 2; 22 2) n To show the achievability of each surface, we first introduce n(R0 + R1 + R2) ≤ I Xl,i; Y1l,i | Zl,i i= 1 l∈S1 a codebook structure. n Codebook Structure. Fix the probability distribution as + I Xl,i; Y2l,i | Vl,i, Zl,i (D.170) i= 1 l∈S2 p(u1, x1)p(u2, x2)p y1, y2, z | x . (E.4) n + I Vl,i; Y1l,i | Zl,i + n. i= 1 l∈S2 n(R +R +R ) (i) Generate 2 01 11 11 length-n1 sequences u1 thro- n Due to symmetry, we also have p = 1 p u w ugh (u1) i=1 ( 1,i) and index them as u1( 01, n nR w11, w11)wherew01 ∈{1, ...,2 01 }, w11 ∈{1, ..., n R R R ≤ I X Y | Z ( 0 + 1 + 2) l,i; 2l,i l,i nR11 nR11 2 } and w11 ∈{1, ...,2 }. i= 1l∈S2 n(R +R ) (ii) For each u1, generate 2 12 12 length-n1 sequences n n p = 1 p x | u I X Y | V Z x1 through (x1) i=1 ( 1,i 1,i) and index + l,i; 1l,i l,i, l,i (D.171) them as x (w , w , w , w , w )wherew ∈ i= l∈S 1 01 11 11 12 12 12 1 1 nR nR {1, ...,2 12 }, w12 ∈{1, ...,2 12 }. n n(R +R +R ) (iii) Generate 2 02 21 21 length-(n − n1)sequencesu2 + I Vl i; Y l i | Zl i + n. n−n , 2 , , p = 1 p u i= l∈S through (u2) i=1 ( 2,i) and index them as 1 1 nR u2(w02, w21, w21)wherew02 ∈{1, ...,2 02 }, w21 ∈ Finally, we note that all outer bounds depend on the distri- nR nR {1, ...,2 21 } and w21 ∈{1, ...,2 21 }. butions p(vl i, xl i, y l i, y l i, zl i) = p(vl i, xl i)p(y l i, y l i, zl i | , , 1 , 2 , , , , 1 , 2 , , n(R +R ) (iv) For each u2, generate 2 22 22 length-(n − n1) xl,i) but not on any joint distributions of the tuples n−n p = 1 p x i | u i (vl i, xl i, y l i, y l i, zl i) implying that selection of the pairs sequences x2 through (x2) i=1 ( 2, 2, ) , , 1 , 2 , , w w w w w vl i xl i and index them as x2( 02, 21, 21, 22, 22)where ( , , , ) to be mutually independent is optimum. nR nR w22 ∈{1, ...,2 22 }, w22 ∈{1, ...,2 22 }. n E. Proof of Theorem 10 (v) We remark that this codebook uses first channel 1 times and the other one (n − n1) times. We define We prove Theorem 10 in two parts; first, we show achievabil- n α = 1 ity, and then we prove the converse. n (E.5)

E.1. Achievability. Similar to what we have done to show the and α = 1 − α. achievability of Theorem 7, we ﬁrst note that boundary of the (vi) Furthermore, we set capacity region can be decomposed into three surfaces [26]. (i) First surface: R11 = αI(U1; Z1),(E.6) R ≤ αI(U ; Y | Z ) 0 2 12 2 R12 = αI(X1; Z1 | U1),(E.7) R2 ≤ αI(X2; Y22 | U2, Z2) R21 = αI(U2; Z2),(E.8) R0 + R1 ≤ αI(X1; Y11 | Z1) + αI(U2; Y12 | Z2), U1 = φ. (E.1) R22 = αI(X2; Z2 | U2),(E.9)

(ii) Second surface: R1 = R11 + R12, (E.10) R ≤ αI U Y | Z 0 ( 1; 21 1) R2 = R21 + R22. (E.11)

R1 ≤ αI(X1; Y11 | U1, Z1) Encoding. When the transmitted messages are (w01, w02, R0 + R2 ≤ αI(U1; Y21 | Z1) + αI(X2; Y22 | Z2), U2 = φ. w11, w12, w21, w22), we randomly pick (w11, w12,w21, w22)and (E.2) send corresponding codewords. 26 EURASIP Journal on Wireless Communications and Networking

Decoding. Using this codebook structure, we can show that also satisfies the secrecy conditions. For that purpose, it is all three surfaces which determine the boundary of the sufficient to consider the sum rate secrecy condition: capacity region are achievable. For example, if we set U = φ 1 R = R = R = R = n n−n (that implies 01 11 11 0) and 21 0, then H W W W | Z 1 Z 1 0, 1, 2 1 , 2 we achieve the following rates with vanishingly small error (E.16) n n−n n n−n probability: = H W W W Z 1 Z 1 − H Z 1 Z 1 0, 1, 2, 1 , 2 1 , 2 n n−n n n−n n n−n = H W , W , W , U 1 , U 1 , X 1 , X 1 , Z 1 , Z 1 R ≤ αI(X Y | Z ) 0 1 2 1 2 1 2 1 2 1 1; 11 1 , n n−n − H Z 1 , Z 1 R ≤ αI(U ; Y | Z ), (E.12) 1 2 0 2 12 2 n n−n n n−n n n−n − H U 1 U 1 X 1 X 1 | W W W Z 1 Z 1 1 , 2 , 1 , 2 0, 1, 2, 1 , 2 R2 ≤ αI(X2; Y22 | U2, Z2). (E.17) n n−n n n−n = H U 1 U 1 X 1 X 1 Exchanging common message rate with user 1’s independent 1 , 2 , 1 , 2 message rate, one can obtain the first surface. Second surface n n−n n n−n n n−n H W W W Z 1 Z 1 | U 1 U 1 X 1 X 1 follows from symmetry. For the third surface, we first set + 0, 1, 2, 1 , 2 1 , 2 , 1 , 2 R = R = 11 21 0. Moreover, we send common message in its n n−n − H Z 1 Z 1 entirety, that is, we do not use a rate splitting for the common 1 , 2 message, hence we set R = R = R , w = w = w .In 01 02 0 01 02 0 n n−n n n−n n n−n − H U 1 U 1 X 1 X 1 | W W W Z 1 Z 1 this case, each user, say the jth one, decodes the common 1 , 2 , 1 , 2 0, 1, 2, 1 , 2 message by looking for a unique w0 which satisfies (E.18) n n−n n n−n ≥ H U 1 U 1 X 1 X 1 1 , 2 , 1 , 2 w n E 0 = ∃w w w j ∈ A j1 01 : u1( 0, 01), y 1 , n n−n n n−n n n−n + H Z 1 , Z 1 | U 1 , U 1 , X 1 , X 1 (E.13) 1 2 1 2 1 2 w0 n Ej = ∃w : u (w , w ), yj ∈ A . n n−n 2 02 2 0 02 2 − H Z 1 Z 1 1 , 2 n n−n n n−n n n−n − H U 1 , U 1 , X 1 , X 1 | W , W , W , Z 1 , Z 1 , Following the analysis carried out in (D.24)-(D.29), the suf- 1 2 1 2 0 1 2 1 2 ficient conditions for the common message to be decodable (E.19) by both users can be found as where each term will be treated separately. The first term is n n−n n n−n R ≤ αI U Y | Z αI U Y | Z j = . H U 1 U 1 X 1 X 1 0 1; j1 1 + 2; j2 2 , 1, 2 1 , 2 , 1 , 2 (E.14) n n−n n n n−n n−n = H U 1 U 1 H X 1 | U 1 H X 1 | U 1 1 , 2 + 1 1 + 2 2 (E.20) After decoding the common message, each user can decode its independent message if = n R0 + R11 + R11 + R21 + R21 (E.21) + n R12 + R12 + n R22 + R22 R1 ≤ αI(X1; Y11 | U1, Z1), = n R R R n I X Z (E.15) ( 0 + 1 + 2) + 1 ( 1; 1) R2 ≤ αI(X2; Y22 | U2, Z2). (E.22) + (n − n1)I(X2; Z2),

Thus, the third surface can be achieved with vanishingly where the ﬁrst equality is due to the Markov chain small error probability. As of now, we showed that all rates in n n n−n n−n X 1 −→ U 1 −→ U 1 −→ X 1 the so-called capacity region are achievable with vanishingly 1 1 2 2 . (E.23) small error probability, however we did not claim anything n n−n about the secrecy conditions which will be considered next. U 1 U 1 The equality in (E.21) is due to the fact that ( 1 , 2 ) n R R R R R n ( 0+ 11+ 11+ 21+ 21) U 1 can take 2 values uniformly, and given 1 n−n n n−n n R R U 1 X 1 X 1 ( 12+ 12) Equivocation Calculation. To complete the achievability part (resp., 2 ), 1 (resp., 2 ) can take 2 (resp., n R R of the proof, we need to show that this codebook structure 2 ( 22+ 22)) values with equal probability. To reach (E.22), we EURASIP Journal on Wireless Communications and Networking 27

use the definitions in (E.6)–(E.11). We consider the second Similar to the converse of Theorem 7, here again, U1,i and U2,i and third terms in (E.19): can be arbitrarily correlated. However, at the end of converse, n n−n n n−n n n−n n n−n it will be clear that selection of them as independent would H Z 1 Z 1 − H Z 1 Z 1 | U 1 U 1 X 1 X 1 1 , 2 1 , 2 1 , 2 , 1 , 2 yield the same region. Start with the common message rate: n n−n ≤ H Z 1 H Z 1 1 + 2 n n−n H W | Z 1 Z 1 n n−n n n−n n n−n 0 1 , 2 (E.34) − H Z 1 Z 1 | U 1 U 1 X 1 X 1 1 , 2 1 , 2 , 1 , 2 n n−n n n−n ≤ I W Y 1 Y 1 − I W Z 1 Z 1 (E.24) 0; 11 , 12 0; 1 , 2 + n (E.35) n n−n n n−n n n−n = H Z 1 H Z 1 = I W Y 1 Y 1 | Z 1 Z 1 1 + 2 0; 11 , 12 1 , 2 + n (E.36) (E.25) n n n−n n−n n−n n n−n − H Z 1 | X 1 H Z 1 | X 1 = I W Y 1 | Z 1 Z 1 1 1 + 2 2 0; 12 1 , 2 (E.37) n n n−n n−n n n n−n n−n = I X 1 Z 1 I X 1 Z 1 I W Y 1 | Z 1 Z 1 Y 1 1 ; 1 + 2 ; 2 (E.26) + 0; 11 1 , 2 , 12 + n ≤ n I X Z n − n I X Z n−n n n−n 1 ( 1; 1) + ( 1) ( 2; 2) ≤ I W , W ; Y 1 | Z 1 , Z 1 (E.27) 0 1 12 1 2 γ γ (E.38) + 1,n + 2,n, n n n−n n−n I W W Y 1 | Z 1 Z 1 Y 1 + 0, 2; 11 1 , 2 , 12 + n, where (E.24) is due to the fact that conditioning cannot increase entropy, (E.25) follows from the Markov chain: n n n n−n n−n n−n where (E.35) is due to Fano’s lemma, (E.36) is due to the Z 1 −→ X 1 −→ U 1 −→ U 1 −→ X 1 −→ Z 1 1 1 1 2 2 2 (E.28) fact that the eavesdropper’s channel is degraded with respect and (E.27) can be shown using the technique devised in [1]. to the first user’s channel. Once we obtain (E.38), using the We bound the fourth term of (E.19). To this end, assume analysis carried out in the proof of Theorem 7,wecanobtain n n n−n n−n U 1 X 1 U 1 X 1 the following bounds: that the eavesdropper tries to decode ( 1 , 1 , 2 , 2 ) given side information (W0 = w0, W1 = w1, W2 = w2). Since the confusion message rates are selected as given in n−n 1 n−n n n−n (E.6)-(E.9), the eavesdropper can decode them as long as this I W W Y 1 | Z 1 Z 1 ≤ I U Y | Z 0, 1; 12 1 , 2 2,i; 12,i 2,i , side information is available. Consequently, the use of Fano’s i=1 lemma yields (E.39) n1 n−n1 n1 n−n1 n1 n−n1 n H U U X X | W W W Z Z < . 1 1 , 2 , 1 , 2 0, 1, 2, 1 , 2 n n n n−n n−n I W W Y 1 | Z 1 Z 1 Y 1 ≤ I U Y | Z (E.29) 0, 2; 11 1 , 2 , 12 1,i; 11,i 1,i , i=1 Finally, plugging (E.22),(E.27), and (E.29) into (E.19), we get (E.40) n n−n H W W W | Z 1 Z 1 0, 1, 2 1 , 2 (E.30) where (E.39) (resp., (E.40)) can be derived following the lines ≥ n(R0 + R1 + R2) − n − γ1,n − γ2,n, from (D.51) (resp., (D.57)) to (D.55) (resp., (D.60)). Thus, we have which completes the achievability part of the proof. n n−n H W | Z 1 Z 1 E.2. Converse. First, let us define the following auxiliary 0 1 , 2 random variables: n−n1 n1 n−n n U = W W Y 1 Y i−1Z 1 i = ... n 1,i 0 2 12 11 1,i+1, 1, , 1, ≤ I U2,i; Y12,i | Z2,i + I U1,i; Y11,i | Z1,i + n, i=1 i=1 n n−n (E.31) U = W W Y 1 Y i−1Z 1 i = ... n − n 2,i 0 1 21 22 2,i+1 , 1, , 1, (E.41) where we assume that first channel is used n1 times. We again define and similarly, we can get n α = 1 . (E.32) n n n−n H W | Z 1 , Z 1 We note that the auxiliary random variables, U1,i, U2,i,satisfy 0 1 2 the Markov chains: n−n n 1 1 ≤ I U Y | Z I U Y | Z . U1,i −→ X1,i −→ Y11,i, Y21,i, Z1,i , 2,i; 22,i 2,i + 1,i; 21,i 1,i + n (E.33) i=1 i=1 U2,i −→ X2,i −→ Y21,i, Y22,i, Z2,i . (E.42) 28 EURASIP Journal on Wireless Communications and Networking n−n n n−n = I W W Y 1 | Z 1 Z 1 We now consider the sum of common and independent 0, 1; 12 1 , 2 message rates: n n n−n n−n + I W , W ; Y 1 | Z 1 , Z 1 , Y 1 0 1 11 1 2 12 n1 n−n1 (E.51) H W , W | Z , Z n n n−n 0 1 1 2 + I W ; Y 1 | W , W , Z 1 , Z 1 2 21 0 1 1 2 n n−n n n−n ≤ I W W Y 1 Y 1 − I W W Z 1 Z 1 0, 1; 11 , 12 0, 1; 1 , 2 + n n−n n n−n n + I W ; Y 1 | W , W , Z 1 , Z 1 , Y 1 + n (E.43) 2 22 0 1 1 2 21 n1 n−n1 n1 n−n1 n n−n n n−n = I W0, W1, Y ; Y | Z , Z = I W , W ; Y 1 , Y 1 | Z 1 , Z 1 + n (E.44) 21 12 1 2 0 1 11 12 1 2 n n−n n n−n n−n n n−n − I Y 1 ; Y 1 | Z 1 , Z 1 , W , W = I W , W ; Y 1 | Z 1 , Z 1 21 12 1 2 0 1 0 1 12 1 2 (E.45) n1 n1 n−n1 n−n1 n n n−n n−n + I W0, W1; Y | Z , Z , Y (E.52) + I W , W ; Y 1 | Z 1 , Z 1 , Y 1 + n, 11 1 2 12 0 1 11 1 2 12 n n n−n I W Y 1 | W W Z 1 Z 1 + 2; 21 0, 1, 1 , 2 where (E.43) is due to Fano’s lemma, (E.44) follows from the n−n n n−n n I W Y 1 | W W Z 1 Z 1 Y 1 fact that the eavesdropper’s channel is degraded with respect + 2; 22 0, 1, 1 , 2 , 21 + n to the first user’s channel. The first term of (E.45)isalready bounded in (E.39). The second term can be bounded as = S1 − S2 + S3 + S4 + S5 + n, (E.53)

n 1 n n n−n n−n where in (E.49), we used Fano’s lemma and (E.50)follows I W W Y 1 | Z 1 Z 1 Y 1 ≤ I X Y | Z 0, 1; 11 1 , 2 , 12 1,i; 11,i 1,i , from the fact that the eavesdropper’s channel is degraded i=1 (E.46) with respect to both users’ channels. We can again use the analysis carried out in the converse proof of Theorem 7 to bound (E.53). For example, following lines from (D.85)to which can be obtained following the lines from (D.69)to (D.106), we can obtain (D.75). Hence, plugging (E.39)and(E.46) into (E.45), we get n 1 n n−n S S − S ≤ I X Y | Z . H W W | Z 1 Z 1 4 + 3 2 1,i; 11,i 1,i (E.54) 0, 1 1 , 2 i=1 n−n n 1 1 ≤ I U2,i; Y12,i | Z2,i + I X1,i; Y11,i | Z1,i + n. Similarly, if we follow the analysis from (D.108)to(D.114), i=1 i=1 we can get (E.47)

n−n 1 Similarly, we can obtain S5 ≤ I X2,i; Y22,i | U2,i, Z2,i , (E.55) i=1 n n−n H W , W | Z 1 , Z 1 0 2 1 2 and if we follow the lines from (D.117)to(D.122), we can get n−n n 1 1 ≤ I X Y | Z I U Y | Z . n−n 2,i; 22,i 2,i + 1,i; 21,i 1,i + n 1 i= i= 1 1 S1 ≤ I U2,i; Y12,i | Z2,i . (E.56) (E.48) i=1

Finally, we derive the outer bounds for the sum secrecy rate: Thus, plugging (E.54), (E.55), and (E.56) into (E.53), we get n n−n n n−n H W W W | Z 1 Z 1 H W W W | Z 1 Z 1 0, 1, 2 1 , 2 0, 1, 2 1 , 2 n1 n1 n−n1 n1 n−n1 ≤ I W0, W1; Y , Y + I W2; Y , Y | W0, W1 11 12 21 22 ≤ I X1,i; Y11,i | Z1,i i=1 n n−n − I W W W Z 1 Z 1 n 0, 1, 2; 1 , 2 + n−n 1 (E.57) (E.49) + I U2,i; Y12,i | Z2,i i=1 n1 n−n1 n1 n−n1 = I W W Y Y | Z Z n−n 0, 1; 11 , 12 1 , 2 1 (E.50) + I X i; Y i | U i, Z i + n. n n−n n n−n 2, 22, 2, 2, I W Y 1 Y 1 | W W Z 1 Z 1 i= + 2; 21 , 22 0, 1, 1 , 2 + n 1 EURASIP Journal on Wireless Communications and Networking 29

Similarly, it can be shown that [9] G. Bagherikaram, A. S. Motahari, and A. K. Khandani, “The secrecy rate region of the broadcast channel,” in Proceedings n 1 n n−n of the Allerton Conference on Communications, Control and H W W W | Z 1 Z 1 ≤ I U Y | Z 0, 1, 2 1 , 2 1,i, 21,i 1,i Computing,, July 2008. i=1 [10] Y. Oohama, “Relay channels with confidential messages,” n http://arxiv.org/abs/cs/0611125. 1 [11] L. Lai and H. El Gamal, “The relay-eavesdropper channel: + I X1,i; Y11,i | U1,i, Z1,i i=1 cooperation for secrecy,” IEEE Transactions on Information Theory, vol. 54, no. 9, pp. 4005–4019, 2008. n−n 1 [12] M. Yuksel and E. Erkip, “The relay channel with a wire- I X Y | Z . + 2,i; 22,i 2,i tapper,” in Proceedings of the 41st Annual Conference on i=1 Information Sciences and Systems, March 2007. (E.58) [13] X. He and A. Yener, “Cooperation with an untrusted relay: a secrecy perspective,” submitted to IEEE Transactions on So far, we derived outer bounds on the secrecy capacity Information Theory. region which match the achievable region. Hence, to claim [14] X. He and A. Yener, “On the equivocation region of relay that this is indeed the capacity region, we need to show channels with orthogonal components,” in Proceedings of the that computing the outer bounds over all distributions of Conference Record Asilomar Conference on Signals, Systems and the form p(u1, x1)p(u2, x2) yields the same region which Computers, pp. 883–887, November 2007. [15] E. Ekrem and S. Ulukus, “Effects of cooperation on the we would obtain by computing over all p(u1, u2, x1, x2). Since all the expressions involved in the outer bounds secrecy of multiple access channels with generalized feedback,” depend on either p(u , x )orp(u , x ) but not on the in Proceedings of the Conference on Information Sciences and 1 1 2 2 Systems, March 2008. joint distribution p(u , u , x , x ), this argument follows, 1 2 1 2 [16] E. Ekrem and S. Ulukus, “Secrecy in cooperative relay broad- establishing the secrecy capacity region. cast channels,” submitted to IEEE Transactions on Information Theory. Acknowledgments [17] M. Bloch and A. Thangaraj, “Confidential messages to a cooperative relay,” in Proceedings of the IEEE Information This work was supported by NSF Grants CCF 04-47613, Theory Workshop, May 2008. CCF 05-14846, CNS 07-16311, and CCF 07-29127, and [18] Y. Liang and H. V. Poor, “Generalized multiple access channels was presented in part at the 42nd Asilomar Conference on with confidential messages,” IEEE Transactions on Information Signals, Systems and Computers, Pacific Grove, Calif, USA, Theory, vol. 54, no. 3, pp. 976–1002, 2008. [19] R. Liu, I. Maric, R. D. Yates, and P. Spasojevic, “The October 2008 [23]. discrete memoryless multiple access channel with confidential messages,” in Proceedings of the IEEE International Symposium References on Information Theory, July 2006. [20] X. Tang, R. Liu, P. Spasojevic, and H. V. Poor, “Multiple [1] A. Wyner, “The wire-tap channel,” Bell System Technical access channels with generalized feedback and confidential Journal, vol. 54, no. 8, pp. 1355–1387, 1975. messages,” in Proceedings of the IEEE Information Theory [2] I. Csiszar and J. Korner, “Broadcast channels with confidential Workshop on Frontiers in Coding Theory, September 2007. messages,” IEEE Transactions on Information Theory, vol. 24, [21] Y. Liang, H. V. Poor, and S. Shamai, “Secure communication no. 3, pp. 339–348, 1978. over fading channels,” IEEE Transactions on Information [3] E. Tekin and A. Yener, “The Gaussian multiple access wire-tap Theory, vol. 54, no. 6, pp. 2470–2492, 2008. channel,” IEEE Transactions on Information Theory, vol. 54, no. [22] Z. Li, R. Yates, and W. Trappe, “Secrecy capacity of indepen- 12, pp. 5747–5755, 2008. dent parallel channels,” in Proceedings of the 44th Annual Aller- [4] E. Tekin and A. Yener, “The general Gaussian multiple access ton Conference on Communication, Control, and Computing, and two-way wire-tap channels: achievable rates and cooper- pp. 841–848, September 2006. ative jamming,” IEEE Transactions on Information Theory, vol. [23] E. Ekrem and S. Ulukus, “On secure broadcasting,” in 54, no. 6, pp. 2735–2751, 2008. Proceedings of the Asilomar Conference on Signals, Systems and [5] E. Ekrem and S. Ulukus, “On the secrecy of multiple access Computers, October 2008. wiretap channel,” in Proceedings of the 46th Annual Allerton [24] T. Cover and J. Thomas, Elements of Information Theory,John Conference on Communication, Control, and Computing,pp. Wiley & Sons, 2nd edition, 2006. 1014–1021, September 2008. [25] G. S. Poltyrev, “Capacity for a sum of certain broadcast [6]R.Liu,I.Maric,P.Spasojevic,andR.D.Yates,“Discrete channels,” Problemy Peredachi Informatsii,vol.15,no.2,pp. memoryless interference and broadcast channels with confi- 40–44, 1979. dential messages: secrecy rate regions,” IEEE Transactions on [26] A. El Gamal, “Capacity of the product and sum of two Information Theory, vol. 54, no. 6, pp. 2493–2507, 2008. unmatched broadcast channels,” Problemy Peredachi Informat- [7] R. Liu and H. V. Poor, “Secrecy capacity region of a sii, vol. 16, no. 1, pp. 3–23, 1980. multi-antenna Gaussian broadcast channel with confidential [27] A. J. Goldsmith and M. Effros, “The capacity region of messages,” IEEE Transactions on Information Theory, vol. 55, broadcast channels with intersymbol interference and colored no. 3, pp. 1235–1249, 2009. Gaussian noise,” IEEE Transactions on Information Theory, vol. [8] A. Khisti, A. Tchamkerten, and G. W. Wornell, “Secure 47, no. 1, pp. 219–240, 2001. broadcasting over fading channels,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2453–2469, 2008. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 494696, 14 pages doi:10.1155/2009/494696

Research Article Secrecy Capacity of a Class of Orthogonal Relay Eavesdropper Channels

Vaneet Aggarwal, Lalitha Sankar, A. Robert Calderbank (EURASIP Member), and H. Vincent Poor

Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA

Correspondence should be addressed to Vaneet Aggarwal, [email protected]

Received 1 December 2008; Accepted 9 June 2009

Recommended by Shlomo Shamai (Shitz)

The secrecy capacity of relay channels with orthogonal components is studied in the presence of an additional passive eavesdropper node. The relay and destination receive signals from the source on two orthogonal channels such that the destination also receives transmissions from the relay on its channel. The eavesdropper can overhear either one or both of the orthogonal channels. Inner and outer bounds on the secrecy capacity are developed for both the discrete memoryless and the Gaussian channel models. For the discrete memoryless case, the secrecy capacity is shown to be achieved by a partial decode-and-forward (PDF) scheme when the eavesdropper can overhear only one of the two orthogonal channels. Two new outer bounds are presented for the Gaussian model using recent capacity results for a Gaussian multiantenna point-to-point channel with a multiantenna eavesdropper. The outer bounds are shown to be tight for two subclasses of channels. The ﬁrst subclass is one in which the source and relay are clustered, and the eavesdropper receives signals only on the channel from the source and the relay to the destination, for which the PDF strategy is optimal. The second is a subclass in which the source does not transmit to the relay, for which a noise-forwarding strategy is optimal.

Copyright © 2009 Vaneet Aggarwal et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction Recently, the problem of secure communications has also been studied for a variety of multiterminal networks; see, In wireless networks for which nodes can benefit from for example, [3–10], and the references therein. In [11], cooperation and packet-forwarding, there is also a need to Lai and El Gamal show that a relay node can facilitate the preserve the confidentiality of transmitted information from transmission of confidential messages from the source to the untrusted nodes. Information privacy in wireless networks destination in the presence of a wiretapper, often referred to has traditionally been the domain of the higher layers of as an eavesdropper in the wireless setting. Lai and El Gamal the protocol stack via the use of cryptographically secure develop the rate-equivocation region for this four node relay- schemes. In his seminal paper on the three-node wiretap eavesdropper channel and introduce a noise forwarding channel, Wyner showed that perfect secrecy of transmitted scheme in which the relay, even if it is unable to aid the source data from the source node can be achieved when the in its transmissions, transmits codewords independent of the physical channel to the eavesdropper is noisier than the source to confuse the eavesdropper. A special case where the channel to the intended destination, that is, when the eavesdropper receives a degraded version of the destination’s channel is a degraded broadcast channel [1]. This work signal is studied in [12]. In contrast, the relay channel with was later extended by Csiszar´ and Kornertoallbroadcast¨ confidential messages in which the relay node acts as both a channels with confidential messages, in which the source helper and eavesdropper is studied in [13]. Note that in all node sends common information to both the destination the three papers, the relay is assumed to be full-duplex; that and the wiretapper and confidential information only to the is, it can transmit and receive simultaneously over the entire destination [2]. bandwidth. 2 EURASIP Journal on Wireless Communications and Networking

In this paper, we study the secrecy capacity of a relay memoryless model. We illustrate these results with examples channel with orthogonal components in the presence of a in Section 4.InSection 5, we present inner and outer bounds passive eavesdropper node. The orthogonality comes from for the Gaussian channel model and illustrate our results the fact that the relay and destination receive signals from the with examples. We conclude in Section 6. source on orthogonal channels; furthermore, the destination also receives transmissions from the relay on its (the desti- 2. Channel Models and Preliminaries nation’s) channel. The orthogonal model implicitly imposes a half-duplex transmission and reception constraint on the 2.1. Discrete Memoryless Model. A discrete-memoryless relay relay. For this channel, in the absence of an eavesdropper, El eavesdropper channel is denoted by (X1 × X2, p(y, y1, y2 | Gamal and Zahedi showed that a partial decode-and-forward x1, x2), Y × Y1 × Y2) such that the inputs to the channel (PDF) strategy, in which the source transmits two messages in a given channel use are X1 ∈ X1 and X2 ∈ X2 at the on the two orthogonal channels and the relay decodes its source and relay, respectively, the outputs of the channel are received signal, achieves the capacity [14]. Y1 ∈ Y1, Y ∈ Y,andY2 ∈ Y2, at the relay, destination, We study the secrecy capacity of this channel for both and eavesdropper, respectively, and the channel transition the discrete memoryless and Gaussian channel models. As p y y y | x x probability is given by YY1Y2|XX2 ( , 1, 2 , 2)[11]. The a first step toward this, we develop a PDF strategy for channel is assumed to be memoryless; that is, the channel the full-duplex relay eavesdropper channel and extend it outputs at time i depend only on channel inputs at time i. to the orthogonal model. Further, since the eavesdropper The source transmits a message W1 ∈ W1 ={1, 2, ..., M} to can receive signals from either orthogonal channel or both, the destination using the (M, n) code consisting of three cases arise in the development of the secrecy capacity. We specialize the outer bounds developed in [11] for the (1) a stochastic encoder f at the source such that f : W → Xn ∈ Xn orthogonal case and show that, for the discrete memoryless 1 1 1, channel, PDF achieves the secrecy capacity for the two cases (2) a set of relay encoding functions fr,i :(Y1,1, Y1,2, ..., where the eavesdropper receives signals in only one of the two Y1,i−1) → x2,i at every time instant i,and orthogonal channels. Yn → W For the Gaussian model, we develop two new outer (3) a decoding function at the destination Φ : 1. bounds using recent results on the secrecy capacity of the The average error probability of the code is defined as Gaussian multiple-input multiple-output channels in the presence of a multiantenna eavesdropper (MIMOME) in 1 Pn = { Y n =/ w | w }. [4–6]. The first outer bound is a genie-aided bound that e M Pr Φ( ) 1 1 was sent (1) w ∈W allows the source and relay to cooperate perfectly resulting 1 1 in a Gaussian MIMOME channel for which jointly Gaussian The equivocation rate at the eavesdropper is defined as inputs maximize the capacity. We show that these bounds R = /n H W | Y n R e (1 ) ( 1 2 ). A perfect secrecy rate of 1 is are tight for a subclass of channels in which the multiaccess achieved if, for any > 0, there exists a sequence of codes channel from the source and relay to the destination is the (M, n) and an integer N such that, for all n ≥ N,wehave bottleneck link, and the eavesdropper is limited to receiving signals on the channel from the source and the relay to the R = 1 M destination. For a complementary subclass of channels in 1 nlog2 , which the source-relay link is unusable due to noise resulting Pn ≤ in a deaf relay, we develop a genie-aided bound where the e , (2) relay and destination act like a two-antenna receiver. We 1 H W | Y ≥ R − . also show that noise forwarding achieves this bound for this n ( 1 2) 1 subclass of channels. In [15], He and Yener study the secrecy rate of the The secrecy capacity is the maximum rate satisfying (2). channel studied here under the assumption that the relay The model described above considers a relay that transmits is colocated with the eavesdropper, and the eavesdropper is and receives simultaneously in the same orthogonal channel. completely cognizant of the transmit and receive signals at Inner and outer bounds for this model are developed in [11, the relay. The authors found that using the relay does not Theorem 1]. increase the secrecy capacity, and hence there is no security In this paper, we consider a relay eavesdropper channel advantage to using the relay. In this paper, we consider with orthogonal components in which the relay receives and the eavesdropper as a separate entity and show that using transmits on two orthogonal channels. The source transmits the relay increases the secrecy capacity in some cases. In on both channels, one of which is received at the relay and the model of [15], the eavesdropper can overhear only on the other at the destination. The relay transmits along with the channel to the relay, while we consider three cases in the source on the channel received at the destination. Thus, which the eavesdropper can overhear on either or both the the source signal X1 consists of two parts XR ∈ XR and XD ∈ channels. XD, transmitted to the relay and the destination, respectively, The paper is organized as follows. In Section 2,we such that X1 = XD × XR. The eavesdropper can receive present the channel models. In Section 3, we develop the transmissions in one or both orthogonal channels such that inner and outer bounds on the secrecy capacity of the discrete Y2,i ∈ Y2,i denotes the received signal at the eavesdropper in EURASIP Journal on Wireless Communications and Networking 3

Y 1 2.2. Gaussian Model. For a Gaussian relay eavesdropper Relay channel with orthogonal components, the signals Y1 and Y received at the relay and the destination, respectively, in each X2 time symbol i ∈{1, ..., n},are W XD Y W 1 p(y, y , y | xR, xD, x ) 1 Encoder1 2 2 Decoder Y1[i] = hs,r XR[i] + Z1[i],(6) XR Y[i] = hs,dXD[i] + hr,dX2[i] + Z[i],(7) Y 2,2 Eavesdropper where hk,m is the channel gain from transmitter k ∈{s, r} to Y 2,1 receiver m ∈{r, d},andwhereZ1 and Z are zero mean unit variance Gaussian random variables. The transmitted signals Figure 1: The relay-eavesdropper channel with orthogonal compo- X X X nents. R, D,and 2 are subject to average power constraints given by 2 E XR ≤ PR, i i = Y = Y × Y orthogonal channel , 1, 2, and 2 2,1 2,2.More 2 E XD ≤ PD, (8) formally, the relay eavesdropper channel with orthogonal E X2 ≤ P components is defined as follows. 2 2, Definition 1. A discrete-memoryless relay eavesdropper where E[·] denotes expectation of its argument. The signals channel is said to have orthogonal components if the sender at the eavesdropper are alphabet X1 = XD × XR and the channel can be expressed Y [i] = hs e XR[i]1e + Z [i], as 2,1 , ,1 ,1 2,1 (9) Y2,2[i] = hs,e,2xD[i]1e,2 + hr,eX2[i]1e,2 + Z2,2[i], p y, y1, y2 | x1, x2 = p y1, y2,1 | xR, x2 · p y, y2,2 | xD, x2 . (3) where hs,e,1 and hs,e,2 are the channel gains from the source to the eavesdropper in the two orthogonal channels, hr,e is Z Definition 1 assumes that the eavesdropper can receive the channel gain from the relay to the eavesdropper, 2,1 and Z signals in both channels. In general, the secrecy capacity 2,2 are zero-mean unit variance Gaussian random variables bounds for this channel depend on the receiver capabilities assumed to be independent of the source and relay signals, of the eavesdropper. To this end, we explicitly include and ⎧ the following two definitions for the cases in which the ⎪ ⎪1, if the eavesdropper can eavesdrop eavesdropper can receive signals in only one of the channels. ⎨⎪ = j = 1e,j ⎪ in orthogonal channel 1, 2, (10) ⎪ Definition 2. The eavesdropper is limited to receiving signals ⎩⎪ on the channel from the source to the relay, if 0, otherwise. Throughout the sequel, we assume that the channel gains are p y, y , y , y | xR, xD, x 1 2,1 2,2 2 fixed and known at all nodes. (4) = p y1, y2,1 | xR, x2 · p y | xD, x2 · p y2,2 . For a relay channel with orthogonal components, El Gamal and Zahedi of show that a strategy where the source Definition 3. The eavesdropper is limited to receiving signals uses each channel to send an independent message and the on the channel from the source and the relay to the relay decodes the message transmitted in its channel achieves destination, if capacity [14]. Due to the fact that the relay has partial access to the source transmissions, this strategy is sometimes also referred to as partial decode and forward (see [16]). p y, y1, y2,1, y2,2 | xR, xD, x2 (5) The achievable scheme involves block Markov superposition = p y1 | xR, x2 · p y, y2,2 | xD, x2 · p y2,1 . encoding while the converse is developed using the max-flow, min-cut bounds. The following proposition summarizes this Remark 4. In the absence of an eavesdropper, that is, for result. y2,1 = y2,2 = 0, the channels in (3)–(5) simplify to that of a relay channel with orthogonal components. Proposition 5 ([14]). The capacity of a relay channel with orthogonal component is given by Thus, depending on the receiver capabilities at the C = {I X Y | X I X Y | X eavesdropper, there are three cases that arise in developing max min ( R; 1 2) + ( D; 2), the secrecy capacity bounds. For brevity, we henceforth (11) I X X X Y } identify the three cases as Cases 1, 2,and3, where Cases 1 and ( R D 2; ) , 2 correspond to Definitions 2 and 3, respectively, and Case where the maximum is over all input distributions of the form 3 is the general case where the eavesdropper receives signals from both the channels. p(x2)p(xR | x2)p(xD | x2). (12) 4 EURASIP Journal on Wireless Communications and Networking

For the Gaussian model, the bounds in (11) are maximized by Proof. The proof is extended from the outer bound in jointly Gaussian inputs transmitting at the maximum power [11, Theorem 1] to include auxiliary random variables and subject to (12). corresponding to each of the transmitted signals and is developed in Appendix A. Remark 6. While the converse allows for all possible joint distributions of XR, XD,andX2, from the form of the mutual ﬃ Following Proposition 5, a natural question for the information expressions in (11), it su ces to consider relay-eavesdropper channel with orthogonal components is distributions only of the form given by (12). whether the PDF strategy can achieve the secrecy capacity. To this end, we ﬁrst develop the achievable PDF secrecy We use the standard notation for entropy and mutual ratesfortheclassoffull-duplex relay-eavesdropper channels information [17] and take all logarithms to the base 2 so that and then specialize the result for the orthogonal model. our rate units are bits. For ease of exposition, we write C(x) The following theorem summarizes the inner bounds on to denote (1/2) log(1 + x) and write x+ to denote max(x,0). the secrecy capacity achieved by PDF for the full-duplex We also write random variables with uppercase letters (nonorthogonal) relay-eavesdropper channels. (e.g., Wk) and their realizations with the corresponding w lowercase letters (e.g., k). We drop subscripts on probability Theorem 8. An inner bound on the secrecy capacity of a distributions if the arguments are lowercase versions of full-duplex relay eavesdropper channel, achieved using partial the corresponding random variables. Finally, for brevity, decode and forward, is given by we henceforth refer to the channel studied here as the orthogonal relay eavesdropper channel. Cs ≥ min{I(X1; Y | X2, V) + I(V; Y1 | X2), I(X1X2V; Y)} − I X X Y 3. Discrete Memoryless Channel: ( 1 2; 2) Outer and Inner Bounds (16) In this section, we develop outer and inner bounds for the for all joint distributions of the form secrecy capacity of the discrete-memoryless orthogonal relay eavesdropper channel. The proof of the outer bounds follows p(v)p(x1 | v)p(x2 | v)p y1, y | x1, x2 . (17) along the same lines as that in [11, Theorem 1] for the full- duplex relay-eavesdropper channel and is specialized for the Proof. The proof is developed in Appendix B and uses block orthogonal model considered here. The following theorem Markov superposition encoding at the source such that, in summarizes the bounds for the three cases in which the each block, the relay decodes a part of the source message eavesdropper can receive in either one or both orthogonal while the eavesdropper has access to both source messages. channels.

Theorem 7. An outer bound on the secrecy capacity of the relay The following theorem specializes Theorem 8 for the eavesdropper channel with orthogonal components is given by orthogonal relay-eavesdropper channel. the following. Theorem 9. An inner bound on the secrecy capacity of the Case 1. orthogonal relay eavesdropper channel, achieved using partial Cs ≤ max[min{I(VDVR; YY1 | V2U), I(VDV2; Y | U)} decode and forward over all joint distributions of the form p(xR, xD, x2),isgivenbythefollowing. + −I(VR; Y2 | U)] . (13) Case 1.

Case 2. Cs ≥ min{I(XDXR; YY1 | X2), I(XDX2; Y)} (18) Cs ≤ {I VDVR YY | V U I VDV Y | U } max[min ( ; 1 2 ), ( 2; ) − I(XR; Y2). −I V V Y | U +. ( D 2; 2 )] Case 2. (14) Cs ≥ min{I(XDXR; YY1 | X2), I(XDX2; Y)} Case 3. (19) − I(XD, X ; Y ). Cs ≤ max[min{I(VDVR; YY1 | V2U), I(VDV2; Y | U)} 2 2

+ −I(VRVDV2; Y2 | U)] , (15) Case 3. where U, VD, VR,andV are auxiliary random variables, and 2 Cs ≥ min{I(XDXR; YY1 | X2), I(XDX2; Y)} the maximum is over all joint distributions satisfying U → (20) V V V → X X X → Y Y Y ( R, D, 2) ( R, D, 2) ( , 1, 2). − I(XR; Y2 | X2) − I(XD, X2; Y2). EURASIP Journal on Wireless Communications and Networking 5

Proof. The proof is developed in Appendix C and involves 4. Examples specializing the bounds in Theorem 8 for the orthogonal model. It is further shown that the input distribution Example 12. Consider an orthogonal relay eavesdropper X = X = X ={ } can be generalized to all joint probability distributions channel with R D 2 0, 1 . The outputs at the p(xR, xD, x2). relay and destination are given by

The bounds in (20) can be generalized by randomizing Y1 = XR, Y = XDX2, (25) the channel inputs. We now prove that PDF with randomization achieves the secrecy capacity. while the output at the eavesdropper is

Theorem 10. The secrecy capacity of the relay channel with Y2,1 = XR (channel 1), orthogonal complements is the following. ⎧ ⎨ 1, if XD ≤ X2, (26) Y = . Case 1. 2,2 ⎩ (channel 2) 0, otherwise, Cs = max[min{I(VDVR; YY1 | V2U), I(VDV2; Y | U)} + Since the destination can receive at most 1 bit in every use of −I(VR; Y2 | U)] . (21) the channel, the secrecy capacity of this channel is at most 1 bit per channel use. We now show that this secrecy capacity Case 2. can be achieved. In each channel use, let the source send bit w ∈{0, 1} such that XR = 0, XD = w,andX2 = 1. Cs = max[min{I(VDVR; YY1 | V2U), I(VDV2; Y | U)} Since X2 = 1, the receiver obtains w while the eavesdropper + Y = Y = −I(VDV ; Y | U)] . receives 2,1 0and 2,2 1 irrespective of the value of bit 2 2 w (22) . Hence, a perfect secrecy capacity of 1 can be achieved. Case 3. ThecodedesigninExample 12 did not require randomization. We now present an example where randomization is Cs ≤ {I(VDVR YY | V U) I VDV Y | U } max[min ; 1 2 , ( 2; ) necessary. + −I(VRVDV ; Y | U)] , 2 2 Example 13. Consider an orthogonal relay eavesdropper (23) channel where all the input and output alphabets are the { }2 X = a b X = where U, VD, VR,andV2 are auxiliary random variables, and same and given by 0, 1 .Wewrite R ( R, R), D the maximum is over all joint distributions satisfying U → (aD, bD), and X2 = (a1, b1) to denote the vector binary (VR, VD, V2) → (XR, XD, X2) → (Y, Y1, Y2). Furthermore, signals at the source and the relay. The outputs of this for Case 3, channel, shown in Figure 2(a), at the relay, destination, and the eavesdropper are given by Cs ≥ [min{I(VDVR; YY1 | V2U), I(VDV2; Y | U)} (24) + Y = (aD, bD ⊕ a1), −I(VR; Y2 | V2U) − I(VD, V2; Y2 | U)] Y = (aR, bR), for all joint distributions satisfying U → (VR, VD, V ) → 1 2 (27) (XR, XD, X ) → (Y, Y , Y ). 2 1 2 Y2,1 = (aR, bR),

Proof. The upper bounds follow from Theorem 7. For the Y2,2 = (a1, b1 ⊕ aD), lower bound, we prefix a memoryless channel with inputs VR, VD,andV2 and transition probability p(xR, xD, x2 | where ⊕ denotes the binary XOR operation. The capacity vR, vD, v2) (this prefix can potentially increase the achievable of this channel is at most 2 bits per channel use as the secrecy rates as in [2, 11]). The time-sharing random variable destination, via Y, can receive at most 2 bits per channel U ensures that the set of achievable rates is convex. use. We will now show that a secrecy capacity of 2 bits per channel use can be achieved. Consider the following coding Remark 11. In contrast to the nonsecrecy case, where the scheme. In every channel use, the relay flips an unbiased coin orthogonal channel model simplifies the cut-set bounds to to generate a bit n ∈{0, 1} such that its transmitted signal is match the inner PDF bounds, for the orthogonal relay- eavesdropper model in which the eavesdropper receives X2 = (0, n). (28) in both channels, that is, when the orthogonal receiver restrictions at the relay and intended destination do not In every use of the channel, the source transmits 2 bits, apply to the eavesdropper, in general, the outer bound can denoted as w1 and w2, using be strictly larger than the inner PDF bound. XR = (0, 0), In the following section, we illustrate these results with (29) three examples. XD = (w1, w2). 6 EURASIP Journal on Wireless Communications and Networking

Y X 1 2 Example 14. Consider an orthogonal relay eavesdropper a1 channel where the input and output signals at the source, XR relay, and destination are binary two-tuples while Y2,1 and b1 aR Y2,2 at the eavesdropper are binary alphabets. We write XR = Y (aR, bR), XD = aD,andX2 = (a1, b1) to denote the vector binary signals at the source and the relay. The outputs at bR the relay, destination, and the eavesdropper are also vector binary signals given by

aD Y = (a1, aD), Y2,2 bD Y1 = (aR, bR), (31) XD Y2,1 = (bR),

Y2,1 Y2,2 = (b1 ⊕ aD), (a) Example 13 as shown in Figure 2(b). As in the previous example, the capacity of this channel is also at most 2 bits per channel use. Y X We now show that a secrecy capacity of 2 bits per channel 1 a 2 1 use can be achieved for this example channel. Consider the XR following coding scheme: in the ith use of the channel, the b 1 source encodes 2 bits, denoted as w1,i and w2,i as aR Y XR = w1,i,0 , bR (32) XD = w2,i .

The relay receives w1,i−1 in the previous use of the channel. a Furthermore, in each channel use, it also generates a D Y2,2 uniformly random bit ni, and transmits X D X2 = w1,i−1, ni . (33) Y2,1 With these transmitted signals, the received signals at the receiver and the eavesdropper are (b) Example 14 Figure 2: Orthogonal relay eavesdropper channel model of Exam- Y = w1,i−1, w2,i , ples 13 and 14. Y2,1 = (0), (34) Y2,2 = ni ⊕ w2,i . For these transmitted signals, the receiver and eavesdropper receive Thus, over n + 1 uses of the channel the destination receives all 2n + 1 bits transmitted by the source. On the other hand, Y = w w ( 1, 2), in every use of the channel, the eavesdropper cannot decode either source bit. Y2,1 = (0, 0), (30)

Y2,2 = (0, n ⊕ w1). 5. Gaussian Model Thus, the receiver receives both bits while the eavesdropper is unable to decode any information due to the randomness 5.1. Inner and Outer Bounds. We now develop inner and of n. This is an example where transmitting a random code outer bounds for the Gaussian orthogonal relay eavesdropper from the relay is required to achieve the secrecy capacity. channel. Determining the optimal input distribution for all the auxiliary random variables in the outer bounds in In the above two examples, the source to relay link was Theorem 10 is not straightforward. To this end, we develop completely available to the eavesdropper, and hence the relay new outer bounds using a recent result on the secrecy could at best be just used to send random bits. In the next capacity of the class of Gaussian multiple input, multiple example, we show that the secrecy capacity is achieved by the output, and multiantenna eavesdropper channels (see [4– relay transmitting a part of the message as well as a random 6]). The class of MIMOME channels is characterized by a signal. single source with an m × 1 vector input X and k × 1and EURASIP Journal on Wireless Communications and Networking 7

6 6

5 5

4 4

3 3 Secrecy rate Secrecy rate 2 2

1 Destination Eavesdropper 1 Destination Eavesdropper

Source Source 0 0 −1 −0.50 0.511.522.5 −1 −0.50 0.511.522.5 Location of the relay Location of the relay

Upper bound—Case 1 Upper bound—Band 2 Lower bound—Case 1 Lower bound—Band 2 (PDF) Direct link Lower bound—Band 2 (NF) Wiretap channel (a) Case (b) Case 6

3 Secrecy rate 2

1 Destination Eavesdropper

Source 0 −1 −0.5 00.511.522.5 Location of the relay

Upper bound—Case 3 Lower bound—Case 3 (PDF) Lower bound—Case 3 (NF) Wiretap channel (c) Case 3

Figure 3: Source is at (0, 0), destination is at (1, 0), and eavesdropper is at (1.5, 0). A distance fading model with α = 2 is taken, and power constraints for XR, XD,andX2 are all unity.

t × 1vectoroutputsY and Ye at the intended destination and independent across time symbols. The channel input satisﬁes eavesdropper, respectively, given by an average transmit power constraint: n 1 2 ≤ P. Y[i] = HX[i] + Z[i], (35) n x (37) i=1 Ye[i] = HeX[i] + Ze[i], (36) In applying the multiantenna secrecy capacity results, we develop an outer bound in which the source and relay are where in every channel use i, Z[i]andZe[i] are zero-mean modeled jointly as a multiantenna transmitter. However, Gaussian vectors with identity covariance matrices that are unlike the average power constraint for the MIMOME 8 EURASIP Journal on Wireless Communications and Networking

T X X X channels in (37), our outer bound requires a per antenna Lemma 15 and using the form in (40), for X = [ R D 2 ] ∼ power constraint. To this end, we apply the results developed N (0, KX), the secrecy capacity can be upper bounded as in [5] in which a more general transmitter covariance constraint is considered such that Cs ≤ max[I(XRXDX2; Y) − I(XRXDX2; Y2)] (42)

n 1 = max[I(XDX ; Y) + I(XR; Y | XDX ) − I(XRXDX ; Y )] x[i]xT [i] S, (38) 2 2 2 2 n (43) i=1 = I X X Y − I X X X Y where S is a positive semidefinite matrix, and A B denotes max[ ( D 2; ) ( R D 2; 2)], (44) that B − A is a positive semidefinite matrix. The secrecy capacity of this channel is summarized in the following where (44) follows from the orthogonal model in (3). Finally, theorem. applying the conditions on the eavesdropper receiver for the three cases simplifies the bounds in (44)to(41a), (41b), and Lemma 15 ([5]). The secrecy capacity of the MIMOME (41c). channel of (36) subject to (38) is given by The PDF inner bounds developed in Section 3 for the discrete memoryless case can be applied to the Gaussian C = 1 T s max log det I + HKXH model with Gaussian inputs at the source and relay. In 0KXS 2 (39) fact, for all three cases, the inner bounds require taking a 1 T minimum of two rates, one achieved jointly by the source and − log det I + HeK He . 2 X relay at the destination and the other achieved by the source at the relay and destination. Comparing the inner bounds in Remark 16. The expression in (39) can also be written as (19) with the outer bounds in (41b), for those channels in which the source and relay are clustered close enough that ∗ ∗ Cs = max[I(X ; Y) − I(X ; Ye)], (40) the bottle-neck link is the combined source-relay link to the destination and the eavesdropper overhears only the channel ∗ where he maximum is over all X ∼ N (0, KX). from the source and the relay to the destination, the secrecy capacity can be achieved. This is summarized in the following We now present an outer bound on the Gaussian theorem. orthogonal relay eavesdropper channel using Lemma 15. Theorem 19. For a class of clustered orthogonal Gaussian relay Theorem 17. An outer bound on the secrecy capacity of the channels with Gaussian orthogonal relay eavesdropper channel is given by the following. I(XDX2; Y) < max I(XDXR; YY1 | X2), (45) p(xR|xD,x2) Case 1. the secrecy capacity for Case 2 is achieved by PDF and is given by the following. Cs ≤ max[I(XDX2; Y) − I(XR; Y2)]. (41a) Case 2. Case 2.

Cs = max[I(XDX2; Y) − I(XD, X2; Y2)], (46) Cs ≤ max[I(XDX2; Y) − I(XDX2; Y2)]. (41b) T X X X where the maximum is over X = [ R D 2 ] ∼ N (0, KX). Case 3. For a relay channel without secrecy constraints, the Cs ≤ max[I(XDX2; Y) − I(XRXDX2; Y2)], (41c) cut-set outer bounds are equivalent to two multiple-input multiple-output (MIMO) bounds, one that results from T X X X assuming a noiseless source-relay link and the other that where the maximum is over all [ R D 2 ] ∼ N (0, KX) T where KX = E[XX ] has diagonal entries that satisfy (8). results from assuming a noiseless relay-destination link. Under a secrecy constraint, the outer bound in Theorem 17 ∗ Remark 18. In (41a)and(41c), the XR maximizing the outer is based on the assumption of a noiseless source-relay link. ∗ bound on the secrecy capacity is XR = 0. On the other hand, The corresponding bound with a noiseless relay-destination ∗ XR can be chosen to be arbitrary for (41b). link remains unknown. We now consider a subclass of Gaussian orthogonal relay Proof. An outer bound on the secrecy capacity of the eavesdropper channels for which hs,r = 0. For this subclass, relay eavesdropper channel results from assuming that the the source does not send any messages on channel 1, that source and relay can cooperate over a noiseless link without is, XR = 0. Such a subclass is a subset of a larger subclass causality constraints. Under this assumption, the problem of channels with very noisy unreliable links from the source reduces to that of a MIMOME channel. Thus, applying to the relay. We present an upper bound on the secrecy EURASIP Journal on Wireless Communications and Networking 9 capacity for this subclass and show that the noise-forwarding from having a genie that shares perfectly the transmitted and strategy introduced in [11] achieves this outer bound. received signals at the relay with the destination. Since X2 Central to our proof is an additional constraint introduced is independent of XD, the destination can perfectly cancel in developing the outer bounds on the eavesdropper that X2 from its received signal, and thus, from (7), the eﬀective does not decode the relay transmissions. Clearly, limiting received signal at the destination can be written as the eavesdropper capabilities can only improve the secrecy rates, and thus, an outer bound for this channel with a Y = hs,dXD + Z. (49) constrained eavesdropper is also an outer bound for the original channel (with hs,r = 0inbothcases)withan unconstrained eavesdropper. We show that the outer bound On the other hand for the constrained eavesdropper, since X for the constrained channel can be achieved by the strat- the relay’s signal 2 acts as interference and is independent X egy of noise-forwarding developed for the unconstrained of D, the information received at the eavesdropper is X channel. minimized when 2 is the worst case noise, that is, when it is Gaussian distributed [18, Theorem II.1]. The equivalent Theorem 20. The secrecy capacity of a subclass of Gaussian signal received at the eavesdropper is then orthogonal relay eavesdropper channels with hs,r = 0 for Cases 2 and 3 is given by Y = h X h 2E X2 Z 2,2 s,e,2 D + r,e 2 +1 2,2, (50)

Cs = max Z 2 2 where 2,2 is Gaussian with zero mean and unit variance. E[XD] ≤PD,E[X2] ≤P2 Thus, the constrained eavesdropper channel simpliﬁes to a MIMOME channel with a single-antenna source trans- C h 2E X2 h 2E X2 min s,d D + r,d 2 mitting XD and single-antenna receiver and eavesdropper Y Y receiving and 2,2, respectively. For this channel, from 2 2 2 2 Lemma 15, the secrecy capacity of this constrained eaves- −C hs e E XD + hr e E X , , ,2 , 2 dropper channel is upper bounded as 2 2 2 hs,e,1 E XD C h E X2 − C . 2 s,d D 2 h E X2 hr e E X2 2 2 s,e,1 D 1+ , 2 Cs ≤ C hs d E XD − C . (51) , h 2E X2 (47) 1+ r,e 2

Finally, since (51) is an upper bound for the channel with Proof. Outer Bound. Since hs r = 0, it is sufficient to set , an eavesdropper constrained to ignore X , it is also an upper XR = 0. This follows from the fact that due to a lack of 2 bound for the channel in which the eavesdropper is not a communication link between the source and the relay, constrained. that is, hs,r = 0, the relay is oblivious to the source transmissions. Since the relay and the source do not share Inner Bound. The lower bound follows from the noise forwarding strategy introduced in [11, Theorem 3]. In this common randomness, one can set XR = 0. Finally, since X2 strategy, the relay sends codewords independent of the source depends on XD only via XR and XR = 0, X2 is independent of XD. message, which helps in confusing the eavesdropper. The 2 We now provide two outer bounds for fixed E[XD]and noise forwarding strategy transforms the relay-eavesdropper E X2 channel into a compound multiple access channel, where [ 2 ]. Thus, the minimum of the two is also an outer bound. E X2 E X2 the source/relay to the receiver is the first multiple access Maximizing over [ D]and [ 2 ] will then yield the outer bound as in the statement of Theorem 20. channel, and the source/relay to the eavesdropper is the An outer bound on the secrecy capacity is obtained by second one. applying Theorem 17 for Cases 2 and 3 as 5.2. Illustration of Results. We illustrate our results for the Gaussian model for a class of linear networks in which C ≤ C h 2E X2 h 2E X2 s s,d D + r,d 2 the source is placed at the origin, and the destination is (48) unit distance from the source at (1, 0). The eavesdropper − C h 2E X2 h 2E X2 . h m s,e,2 D + r,e 2 , is at (1 5, 0). The channel gain m,k, between transmitter and receiver k,foreachm and k, is modeled as a distance dependent path-loss gain given by where (48)holdsbecauseXD and X2 are independent, and the Gaussian signaling is optimal, which follows from 1 Theorem 17. hm k = ∀m ∈{s, r}, k ∈{r, d, e}, , dα/2 (52) We develop a second outer bound under the assumption m,k that the relay and the destination have a noiseless channel such that they act like a two-antenna receiver. One can where α is the path-loss exponent. The maximum achievable alternately view this as an improved channel that results PDF secrecy rate is plottedas a function of the relay position 10 EURASIP Journal on Wireless Communications and Networking along the line connecting the source and the eavesdropper Appendices as shown in Figure 3. Furthermore, as a baseline assuming that the relay does not transmit, that is, XR = 0, the secrecy A. Proof of Theorem 7 capacity of the resulting direct link and the wire-tap channel for Cases 2 and 3, respectively, are included in all three plots In this section, we will prove the upper bounds on the secrecy in Figure 3. The rates are plotted in separate subfigures for capacity for all the three cases. Following a proof similar to the three cases in which the eavesdropper receives signals in that in [11, Theorem 1], we bound the equivocation as only one or both channels. In all cases, the path loss exponent α is set to 2, and the average power constraint on XR, XD,and n i− n nRe ≤ I W Yi | Y 1 Y X2 is set to unity. In addition to PDF, the secrecy rate achieved 1; , 2,i+1 by noise forwarding (NF) is also plotted. i=1 (A.1) In Figure 3, for all three cases, the PDF secrecy rates are −I W Y | Y i−1 Y n nδ . T 1; 2,i , 2,i+1 + n X X X obtained by choosing the input signal X = [ R D 2 ] to be Gaussian distributed and numerically optimizing the rates T Now, let J be a random variable uniformly distributed over over the covariance matrix KX = E[XX ] (more precisely the i−1 n {1, 2, ..., n} and set U = JY Y i , VR = JY i W , VD = three variances of XR, XD, X2 and the pairwise correlation 2, +1 2, +1 1 JYn W V = JYi−1 Y = Y Y = Y Y = Y among these three variables). We observe that the numerical 2,i+2 1, 2 , 1 1,J , 2 2,J ,and J .We results match the theoretical capacity result for Case 2 that specialize the bounds in (A.1) separately for each case. PDF is optimal when the relay is close to the source. Further, Case 1. From (A.1), we have theupperboundsforCases2 and 3 are the same as seen also in (41b)-(41c). On the other hand, when the relay is farther n away than the eavesdropper and destination are from the R ≤ 1 I W Y | Y i−1 Y n source, there are no gains achieved by using the relay relative e n 1; i , 2,i+1 i=1 to the nonrelay wiretap secrecy capacity. Finally, for Cases 2 and 3, NF performs better than PDF when the relay is closer −I W Y | Y i−1 Y n δ 1; 2,i , 2,i+1 + n to the destination. n = 1 I W Y n Y i−1 Y | Y i−1 Y n (A.2) n 1, 2,i+2, ; i , 2,i+1 i=1 6. Conclusions −I W Y Y | Y i−1 Y n δ We have developed bounds on the secrecy capacity of relay 1, 2,i+1; 2,i , 2,i+1 + n eavesdropper channels with orthogonal components in the = I V V Y | U − I V Y | U δ . presence of an additional passive eavesdropper for both ( D, 2; ) ( R; 2 ) + n the discrete memoryless and Gaussian channel models. Our results depend on the capability of the eavesdropper to Furthermore, overhear either or both of the two orthogonal channels that the source uses for its transmissions. For the discrete n memoryless model, when the eavesdropper is restricted to R ≤ 1 I W Y | Y i−1 Y n e n 1; i , 2,i+1 receiving in only one of the two channels, we have shown i=1 that the secrecy capacity is achieved by a partial decode-and- −I W Y | Y i−1 Y n δ forward strategy. 1; 2,i , 2,i+1 + n For the Gaussian model, we have developed a new n 1 n n outer bound using recent results on the secrecy capacity = I W Y Y i−1 Y | Y i−1 Y n 1, 2,i+1, ; i , 2,i+1 of Gaussian MIMOME channels. When the eavesdropper is i=1 restricted to overhearing on the channel from the source and −I W Y Y | Y i−1 Y n δ the relay to the destination, our bound is tight for a subclass 1, 2,i+1; 2,i , 2,i+1 + n of channels where the source and the relay are clustered such n that the combined link from the source and the relay to ≤ 1 I W Y n Y i−1 Y Y | Y i−1 Y n n 1, 2,i+1, ; i, 1,i , 2,i+1 the destination is the bottleneck. Furthermore, for a subclass i=1 where the source-relay link is not used, we have developed a −I W Y Y | Y i−1 Y n δ new MIMOME-based outer bound that matches the secrecy 1, 2,i+1; 2,i , 2,i+1 + n rate achieved by the noise forwarding strategy. = I V V V Y Y | V U A natural extension to this model is to study the sec- ( D, R, 2; , 1 2, ) recy capacity of orthogonal relay channels with multiple − I(VR; Y | U) + δn. relays and multiple eavesdroppers (see, e.g., [19]). Also, 2 (A.3) the problem of developing an additional outer bound that considers a noiseless relay destination link remains open for the channel studied here. This proves theupper bound for Case 1. EURASIP Journal on Wireless Communications and Networking 11

Case 2. From (A.1), we have Furthermore, n R ≤ 1 I W Y | Y i−1 Y n n e n 1; i , 2,i+1 1 i−1 n i=1 Re ≤ I W ; Yi | Y , Y i n 1 2, +1 i= 1 −I W Y | Y i−1 Y n δ 1; 2,i , 2,i+1 + n i− n −I W Y i | Y 1 Y δn 1; 2, , 2,i+1 + n = 1 I W Y n Y i−1 Y | Y i−1 Y n n n 1, 2,i+1, ; i , 2,i+1 1 n i−1 i−1 n i=1 = I W , Y i , Y ; Yi | Y , Y i n 1 2, +2 2, +1 i= 1 −I W Y n Y i−1 Y | Y i−1 Y n δ 1, 2,i+1, ; 2,i , 2,i+1 + n n i− i− n −I W Y Y 1 Y i | Y 1 Y δn 1, 2,i+2, ; 2, , 2,i+1 + n 1 n i−1 i−1 n ≤ I W1, Y i , Y ; Yi, Y1,i | Y , Y i = I(VD, V ; Y | U) − I(VD, V ; Y | U) + δn. n 2, +1 2, +1 2 2 2 i=1 (A.4) −I W Y n Y i−1 Y | Y i−1 Y n δ 1, 2,i+1, ; 2,i , 2,i+1 + n

Furthermore, = I(VD, VR, V2; Y, Y1 | V2, U)

− I(VD, V2; Y2 | U) + δn. n (A.7) R ≤ 1 I W Y | Y i−1 Y n e n 1; i , 2,i+1 i=1 This proves the upper bound for Case 3. For perfect secrecy, setting R = Re yields the upper bound on the secrecy −I W Y | Y i−1 Y n δ 1 1; 2,i , 2,i+1 + n capacity. n = 1 I W Y n Y i−1 Y | Y i−1 Y n n 1, 2,i+1, ; i , 2,i+1 B. Proof of Theorem 8: PDF for Relay i=1 Eavesdropper Channel n i−1 i−1 n −I W , Y i , Y ; Y i | Y , Y i + δn 1 2, +2 2, 2, +1 Random Coding. n n(I(X ;Y)−) ≤ 1 I W Y n Y i−1 Y Y | Y i−1 Y n (1) Generate 2 2 independent and identically n 1, 2,i+1, ; i, 1,i , 2,i+1 p = i= distributed (i.i.d.) x2’s, each with probability (x2) 1 n n I X Y − p x x m m ∈ ( ( 2; ) ) Πi=1 ( 2i). Label them 2( ), [1, 2 ]. n i−1 i−1 n −I W Y i Y Y i | Y Y i δn nR1 1, 2, +2, ; 2, , 2, +1 + (2) For each x2(m), generate 2 i.i.d. v’s, each with p | x m = n p v | x m probability (v 2( )) Πi=1 ( i 2i( )). Label = I V V V Y Y | V U nR ( D, R, 2; , 1 2, ) these v(w | m), w ∈ [1, 2 1 ]. nR − I(VD, V2; Y2 | U) + δn. (3) For every v(w | m), generate 2 2 i.i.d. x1’s, each with p | v w | m = n p | v w | (A.5) probability (x1 ( )) Πi=1 (x1i i( nR m)). Label these x1(w | m, w ), w ∈ [1, 2 2 ].

This proves the upper bound for Case 2. Random Partition. Randomly partition the set {1, 2, ..., nR n I X Y − 2 1 } into 2 ( ( 2; ) ) cells Sm. Case 3. From (A.1), we have

Encoding. Let wi be the message to be sent in block i where n R R −I X X Y n the total number of messages is 2 ( 1+ 2 ( 1 2; 2)). Further, 1 i− n nI X X Y R ≤ I W Y | Y 1 Y g = w l l ∈{ ... ( 1 2: 2)} e n 1; i , 2,i+1 let i ( i, i)where i 1, 2, ,2 .Wecan i= 1 further partition gi into two parts (wi , wi )ofratesR1 and R2, respectively. Assume that (y (i−1), v(wi− | mi− ), x (mi− )) i−1 n 1 1 1 2 1 −I W1; Y2,i | Y , Y i + δn w ∈ S 2, +1 are jointly -typical and i−1 mi . Then the codeword x w | m w x m i n ( 1( i i, i ), 2( i)) will be transmitted in block . = 1 I W Y n Y i−1 Y | Y i−1 Y n n 1, 2,i+2, ; i , 2,i+1 i=1 Decoding. At the end of block i, we have the following. −I W Y n Y i−1 Y | Y i−1 Y n δ m 1, 2,i+1, ; 2,i , 2,i+1 + n (1) The receiver estimates i by looking at jointly - typical x2(mi)withyi.Forsuﬃciently large n, this = I(VD, V2; Y | U) − I(VR, VD, V2; Y2 | U) + δn. decoding step can be done with arbitrarily small (A.6) probability of error. Let the estimate of mi be m i. 12 EURASIP Journal on Wireless Communications and Networking

(2) The receiver calculates a set L1(y(i − 1)) of w such can be achieved by partial decode and forward. Let X1 =

that w ∈ L1(y(i − 1)) if (v(w | mi−1), y(i − 1)) are (XR, XD)andV = XR such that the input distribution is of w p x p x | x p x | x jointly -typical. The receiver then declares that i−1 the form ( 2) ( R 2) ( D 2). The achievable secrecy i − w ∈ S ∩ L y i − was sent in block 1if i−1 mi 1( ( 1)). rate is then given by w = w The probability that i−1 i−1 with arbitrarily high probability provided that n is suﬃciently large and R = min{I(XRXD; Y | X2, XR) + I(XR; Y1 | X2), R1

typical. wi = w with high probability if R1 < I(XDX2; Y)}−I(XRXDX2; Y2). I(V; Y1 | X2)andn is suﬃciently large. Thus, the w ∈ S The equality in (C.16) follows from the fact that XD − X − relay knows that i mi+1 . 2 XR is a Markov chain. We further specialize the bounds Thus, we obtain for the three cases based on the receiving capability of the R1

maximizing over general p(xD, xR, x2), and henceforth, with- References out loss of generality we consider the general probability [1] A. Wyner, “The wire-tap channel,” Bell System Technical distribution p(xD, xR, x2). Journal, vol. 54, no. 8, pp. 1355–1387, 1975. We now prove that I(XD; Y | X2)+I(XR; Y1 | X2) ≥ [2] I. Csiszar´ and J. Korner,¨ “Broadcast channels with conﬁdential I(XDXR; YY1 | X2) which completes the proof of this part of the theorem. We have messages,” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 339–348, 1978.

I(XD; Y | X2) + I(XR; Y1 | X2) [3] E. Tekin and A. Yener, “The general Gaussian multiple-access and two-way wiretap channels: achievable rates and coopera- = H(Y | X2) − H(Y | X2XD) + I(XR; Y1 | X2) tive jamming,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2735–2751, 2008. ≥ H Y | X Y − H Y | X X I X Y | X ( 2 1) ( 2 D) + ( R; 1 2) [4] A. Khisti and G. W. Wornell, “The MIMOME channel,” in Proceedings of the 45th Annual Allerton Conference on = I(YY ; XDXR | X ), 1 2 Communication, Control, and Computing,Monticello,Ill, (C.20) USA, September 2007. [5] T. Liu and S. Shamai, “A note on the secrecy capacity of where the last step follows as was shown earlier in (C.18). the multi-antenna wiretap channel,” IEEE Transactions on Information Theory, vol. 55, no. 6, pp. 2547–2553, 2009. Case 3. [6] F. Oggier and B. Hassibi, “The secrecy capacity of the MIMO R = {I X Y | X I X Y | X I X X Y } wiretap channel,” in Proceedings of the IEEE International min ( D; 2) + ( R; 1 2), ( D 2; ) Symposium on Information Theory, pp. 524–528, Toronto, Canada, July 2008. − I(XR; Y2 | X2XD) − I(XDX2; Y2) [7] M. Bloch and A. Thangaraj, “Confidential messages to a = min{I(XD; Y | X2) + I(XR; Y1 | X2), I(XDX2; Y)} cooperative relay,” in Proceedings of the IEEE Information Theory Workshop (ITW ’08), pp. 154–158, Porto, Portugal, − I(XR; Y2 | X2) − I(XDX2; Y2). May 2008. (C.21) [8] Y. Liang and H. V. Poor, “Multiple-access channels with confidential messages,” IEEE Transactions on Information Note that maximization of above term over p(xD, Theory, vol. 54, no. 3, pp. 976–1002, 2008. xR, x2) = p(x2)p(xR | x2)p(xD | x2) is equivalent to max- [9] Y. Liang, H. V. Poor, and S. Shamai, “Secure communication imizing over general p(xD, xR, x2). over fading channels,” IEEE Transactions on Information We now prove that I(XD; Y | X2)+I(XR; Y1 | X2) ≥ Theory, vol. 54, no. 6, pp. 2470–2492, 2008. I(XDXR; YY1 | X2) which completes the proof of this part [10] Y. Liang, A. Somekh-Baruch, H. V. Poor, S. Shamai, and S. of the theorem. We have Verdu,´ “Capacity of cognitive interference channels with and without secrecy,” IEEE Transactions on Information Theory, I(XD; Y | X2) + I(XR; Y1 | X2) vol. 55, no. 2, pp. 604–619, 2009. [11] L. Lai and H. El Gamal, “The relay-eavesdropper channel: = H Y | X − H Y | X X I X Y | X ( 2) ( 2 D) + ( R; 1 2) cooperation for secrecy,” IEEE Transactions on Information Theory, vol. 54, no. 9, pp. 4005–4019, 2008. ≥ H(Y | X2Y1) − H(Y | X2XD) + I(XR; Y1 | X2) [12] M. Yuksel and E. Erkip, “The relay channel with a wire- = I(YY1; XDXR | X2), tapper,” in Proceedings of the 41st Annual Conference on (C.22) Information Sciences and Systems (CISS ’07), pp. 13–18, March 2007. where the last step follows as was shown earlier in (C.18). [13] Y. Oohama, “Capacity theorems for relay channels with confidential messages,” in Proceedings of the IEEE International Symposium on Information Theory, Nice, France, June 2007. Acknowledgments [14] A. El Gamal and S. Zahedi, “Capacity of a class of relay channels with orthogonal components,” IEEE Transactions on The authors wish to thank Elza Erkip of Polytechnic Institute Information Theory, vol. 51, no. 5, pp. 1815–1817, 2005. of NYU and Lifeng Lai and Ruoheng Liu of Princeton Uni- [15] X. He and A. Yener, “On the equivocation region of relay versity for useful discussions related to this paper. The work channels with orthogonal components,” in Proceedings of of V. Aggarwal and A. R. Calderbank was supported in part the 41st Annual Asilomar Conference on Signals, Systems and by NSF under Grant 0701226, by ONR under Grant N00173- Computers, pp. 883–887, Pacific Grove, Calif, USA, November 06-1-G006, and by AFOSR under Grant FA9550-05-1-0443. 2007. The work of L. Sankar and H. V. Poor was supported in [16] G. Kramer, “Models and theory for relay channels with receive part by the National Science Foundation under Grant CNS- constraints,” in Proceedings of the 42nd Annual Allerton Confer- 06-25637. The material in this paper was presented in part ence on Communication, Control, and Computing,Monticello, at the Information Theory and Applications Workshop, San Ill, USA, September 2004. Diego, CA, 2009 and at the IEEE International Symposium [17] T. M. Cover and J. A. Thomas, Elements of Information Theory, on Information Theory, Seoul, Korea, 2009. John Wiley & Sons, New York, NY, USA, 1991. 14 EURASIP Journal on Wireless Communications and Networking

[18] S. N. Diggavi and T. M. Cover, “The worst additive noise under a covariance constraint,” IEEE Transactions on Information Theory, vol. 47, no. 7, pp. 3072–3081, 2001. [19] V. Aggarwal, L. Sankar, A. R. Calderbank, and H. V. Poor, “Information secrecy from multiple eavesdroppers in orthogonal relay channels,” in Proceedings of the IEEE International Symposium on Information Theory, Seoul, Korea, June-July 2009. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 506973, 17 pages doi:10.1155/2009/506973

Research Article Secret Sharing over Fast-Fading MIMO Wiretap Channels

Tan F. Wong, 1 Matthieu Bloch,2, 3 and John M. Shea1

1 Wireless Information Networking Group, University of Florida, Gainesvilles, FL 32611-6130, USA 2 School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30332, USA 3 GT-CNRS UMI 2958, 2-3 rue Marconi, 57070 Metz, France

Correspondence should be addressed to Tan F. Wong, twong@uﬂ.edu

Received 1 December 2008; Revised 25 June 2009; Accepted 14 September 2009

Recommended by Shlomo Shamai (Shitz)

Secret sharing over the fast-fading MIMO wiretap channel is considered. A source and a destination try to share secret information over a fast-fading MIMO channel in the presence of an eavesdropper who also makes channel observations that are diﬀerent from but correlated to those made by the destination. An interactive, authenticated public channel with unlimited capacity is available to the source and destination for the secret sharing process. This situation is a special case of the “channel model with wiretapper” considered by Ahlswede and Csiszar.´ An extension of their result to continuous channel alphabets is employed to evaluate the key capacity of the fast-fading MIMO wiretap channel. The eﬀects of spatial dimensionality provided by the use of multiple antennas at the source, destination, and eavesdropper are then investigated.

Copyright © 2009 Tan F. Wong et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction present work. We refer interested readers to the introduction and reference list of [4] for a concise and extensive overview The wiretap channel considered in the seminal paper [1]is of recent works. the first example that demonstrates the possibility of secure When the destination and eavesdropper channels experi- communications at the physical layer. It is shown in [1] ence independent fading, the strict requirement of having a that a source can transmit a message at a positive (secrecy) more capable destination channel for positive secrecy capac- rate to a destination in such a way that an eavesdropper ity can be loosened. This is due to the simple observation only gathers information at a negligible rate, when the that the destination channel may be more capable than the source-to-eavesdropper channel is a degraded version of the eavesdropper’s channel under some fading realizations, even source-to-destination channel, the source-to-eavesdropper if the destination is not more capable than the eavesdropper and source-to-destination channels will hereafter be referred on average. Hence, if the channel state information (CSI) of to as eavesdropper and destination channels, respectively. A both the destination and eavesdropper channels is available similar result for the Gaussian wiretap channel is provided in at the source, it is shown in [4, 5] that a positive secrecy [2]. The work in [3] further removes the degraded wiretap capacity can be achieved by means of appropriate power channel restriction showing that positive secrecy capacity is control at the source. The key idea is to opportunistically possible if the destination channel is “more capable” (“less transmit only during those fading realizations for which noisy” for a full extension of the rate region in [1]) than the the destination channel is more capable [6]. For block- eavesdropper’s channel. Recently, there has been a flurry of ergodic fading, it is also shown in [5] (see also [7]) that a interest in extending these early results to more sophisticated positive secrecy capacity can be achieved with a variable-rate channel models, including fading wiretap channels, mul- transmission scheme without any eavesdropper CSI available tiinput multi-output (MIMO) wiretap channels, multiple- at the source. access wiretap channels, broadcast wiretap channels, and When the source, destination, and eavesdropper have relay wiretap channels. We do not attempt to provide a multiple antennas, the resulting channel is known as a comprehensive summary of all recent developments but MIMO wiretap channel (see [8–12]), which may also have highlight only those results that are most relevant to the positive secrecy capacity. Since the MIMO wiretap channel 2 EURASIP Journal on Wireless Communications and Networking is not degraded, the characterization of its secrecy capacity the subsequent shared secret message [18]. A detailed study is not straightforward. For instance, the secrecy capacity of of secret sharing over an unauthenticated public channel is the MIMO wiretap channel is characterized in [9] as the givenin[19–21]. saddle point of a minimax problem, while an alternative Other approaches to employ feedback have also been characterization based on a recent result for multiantenna recently considered [22–24]. In particular, it is shown in broadcast channels is provided in [11]. Interestingly all [22] that positive secrecy capacity can be achieved for the characterizations point to the fact that the capacity achieving modulo-additive discrete memoryless wiretap channel and scheme is one that transmits only in the directions in the modulo-Λ channel if the destination is allowed to send which the destination channel is more capable than the signals back to the source over the same wiretap channel and eavesdropper’s channel. Obviously, this is only possible when both terminals can operate in full-duplex manner. In fact, the destination and eavesdropper CSI is available at the for the former channel, the secrecy capacity is the same as the source. It is shown in [9] that if the individual channels capacity of such a channel in the absence of the eavesdropper. from antennas to antennas suffer from independent Rayleigh In this paper, we consider secret sharing over a fast-fading fading, and the respective ratios of the numbers of source MIMO wiretap channel. Thus, we are interested in the CW and destination antennas to that of eavesdropper antennas model of [14] with memoryless conditionally independent are larger than certain fixed values, then the secrecy capacity destination and eavesdropper channels and continuous is positive with probability one when the numbers of source, channel alphabets. We provide an extension of the key destination, and eavesdropper antennas become very large. capacity result in [14] for this case to include continuous As discussed above, the availability of destination (and channel alphabets (Theorem 1). Using this result, we obtain eavesdropper) CSI at the source is an implicit requirement the key capacity of the fast-fading MIMO wiretap channel for positive secrecy capacity in the fading and MIMO (Section 3). Our result indicates that the key capacity is wiretap channels. Thus, an authenticated feedback channel always positive, no matter how large the channel gain of is needed to send the CSI from the destination back to the eavesdropper’s channel is; in addition this holds even the source. In [5, 7], this feedback channel is assumed to if the destination and eavesdropper CSI is available only at be public, and hence the destination CSI is also available the destination and eavesdropper, respectively. Of course, the to the eavesdropper. In addition, it is assumed that the availability of the public channel implies that the destination eavesdropper knows its own CSI. With the availability of a CSI could be fed back to the source. However, due to the feedback channel, if the objective of having the source send restrictions imposed on the secret-sharing strategies (see secret information to the destination is relaxed to distilling Section 2), only causal feedback is allowed, and thus any a secret key shared between the source and destination, it is destination CSI available at source is “outdated.” This does shown in [13] that a positive key rate is achievable when the not turn out to be a problem since, unlike the approaches destination and eavesdropper channels are two conditionally mentioned above, the source does not use the CSI to avoid independent (given the source input symbols) memoryless sending secret information when the destination is not more binary channels, even if the destination channel is not more capable than the eavesdropper’s channel. As a matter of capable than the eavesdropper’s channel. This notion of fact, the fading process of the destination channel provides secret sharing is formalized in [14] based on the concept a significant part of the common randomness from which of common randomness between the source and destination. the source and the destination distill a secret key. This Assuming the availability of an interactive, authenticated fact is readily obtained from the alternative achievability public channel with unlimited capacity between the source proof given in Section 4.Wenotethat[25, 26] consider and destination [14] suggests two different system models, the problem key generation from common randomness over called the “source model with wiretapper” (SW) and the wiretap channels and exploit a Wyner-Ziv coding scheme “channel model with wiretapper” (CW). The CW model is to limit the amount of information conveyed from the similar to the (discrete memoryless) wiretap channel model source to the destination via the wiretap channel. Unlike that we have discussed before. The SW model differs in that these previous works, we only employ Wyner-Ziv coding the random symbols observed at the source, destination, and to quantize the destination channel outputs. Our code eavesdropper are realizations of a discrete memoryless source construction still relies on a public channel with unlimited with multiple components. Both SW and CW models have capacity to achieve the key capacity. been extended to the case of secret sharing among multiple Finally, we also investigate the limiting value of the terminals, with the possibility of some terminals acting as key capacity under three asymptotic scenarios. In the first helpers [15–17]. Key capacities have been obtained for the scenario, the transmission power of the source becomes two special cases in which the eavesdropper’s channel is a asymptotically high (Corollary 1). In the second scenario, degraded version of the destination channel and in which the destination and eavesdropper have a large number of the destination and eavesdropper channels are conditionally antennas (Corollary 2). In the third scenario, the gain advan- independent [13, 14]. Similar results have been derived for tage of the eavesdropper’s channel becomes asymptotically multiterminal secret sharing [16, 17], with the two special large (Corollary 3). These three scenarios reveal two different cases above subsumed by the more general condition that effects of spatial dimensionality upon key capacity. In the first the terminal symbols form a Markov chain on a tree. scenario, we show that the key capacity levels off as the power Authentication of the public channel can be achieved by increases if the eavesdropper has no fewer antennas than the use of an initial short key and then a small portion of the source. On the other hand, when the source has more EURASIP Journal on Wireless Communications and Networking 3 antennas, the key capacity can increase without bound with the source. Both transmissions are carried over the the source power. In the second scenario, we show that the public channel. spatial dimensionality advantage that the eavesdropper has (ii) At time instant i = ij for j = 1, 2, ..., n, the source ff i − over the destination has exactly the same e ect as the channel sends the symbol Xj = Xj (MX , Ψ j 1) to the (X, Y, Z) gain advantage of the eavesdropper. In the third scenario, channel. The destination and eavesdropper observe we show that the limiting key capacity is positive only if the the corresponding symbols Yj and Zj . There is no eavesdropper has fewer antennas than the source. The results message exchange via the public channel, that is, Φi in these scenarios confirm that spatial dimensionality can be and Ψi are both null. used to combat the eavesdropper’s gain advantage, which was i 0, there exists a permissible and Z, respectively. Unlike in [14], X, Y,andZ need not to secret-sharing strategy of the form described above such that be discrete. In fact, in Section 3 we will assume that they are (1) Pr{K =/ L} <ε, multi-dimensional vector spaces over the complex field. The n k k channel from the source to the destination and eavesdropper (2) (1/n)I(K; Z , Φ , Ψ ) <ε, is assumed memoryless. A generic symbol sent by the source (3) (1/n)H(K) >R− ε, is denoted by X and the corresponding symbols observed by (4) (1/n)log|K| < (1/n)H(K)+ε, the destination and eavesdropper are denoted by Y and Z, respectively. For notational convenience (and without loss of for sufficiently large n.Thekey capacity of the channel generality), we assume that (X, Y, Z) are jointly continuous, (X, Y, Z) is the largest achievable key rate through the and the channel is specified by the conditional probability channel. We are interested in finding the key capacity. For density function (pdf) pY,Z|X (y, z | x). In addition, we the case of continuous channel alphabets considered here, restrict ourselves to cases in which Y and Z are conditionally we also add the following power constraint to the symbol n independent given X, that is, pY,Z|X (y, z | x) = pY|X (y | sequence X sent out by the source: x)pZ|X (z | x), which is a reasonable model for symbols n broadcast in a wireless medium. Hereafter, we drop the 1 2 Xj ≤ P subscripts in pdfs whenever the concerned symbols are well n (1) j=1 specified by the arguments of the pdfs. We assume that an interactive, authenticated public channel with unlimited with probability one (w.p.1) for sufficiently large n. capacity is also available for communication between the source and destination. Here, interactive means that the Theorem 1. The key capacity of a CW model (X, Y, Z) with channel is two-way and can be used multiple times, unlimited conditional pdf p(y, z | x) = p(y | x)p(z | x) is given by I X Y − I Y Z capacity means that it is noiseless and has infinite capacity, maxX:E[|X|2]≤P[ ( ; ) ( ; )]. and public and authenticated mean that the eavesdropper can perfectly observe all communications over this channel but Proof. The case with discrete channel alphabets is established cannot tamper with the messages transmitted. in [14, Corollary 2 of Theorem 2], whose achievability proof We consider the class of permissible secret-sharing (also the ones in [16, 17]) does not readily extend to strategies suggested in [14]. Consider k time instants labeled continuous channel alphabets. Nevertheless the same single by 1, 2, ..., k,respectively.The(X, Y, Z) channel is used n backward message strategy suggested in [14] is still applicable k = n times during these k time instants at i1 0, we can choose 2 Employing the continuous alphabet extension of the well σU large enough such that known result in [3], the secrecy capacity of the conceptual wiretap channel (and hence the key capacity of the original I(U; U + Y, X) − I(U; U + Y, Z) channel) is lower bounded by ≥ h(Y | Z) − h(Y | X) − ε (6) = I X Y − I Y Z − ε. max[I(U; U + Y, X) − I(U; U + Y, Z)]. ( ; ) ( ; ) U (2) Since ε is arbitrary, the key capacity is lower bounded by I X Y − I Y Z Note that the input symbol U has no power constraint since maxE[|X|2]≤P[ ( ; ) ( ; )]. the public channel has infinite capacity. But The converse proof in [14] is directly applicable to continuous channel alphabets, provided that the average power constraint (1) can be incorporated into the arguments I(U; U + Y, X) − I(U; U + Y, Z) in [14, pp. 1129-1130]. This latter requirement is simplified by the additive and symmetric nature of the average power = I(U; X) + I(U; U + Y | X) constraint [28, Section 3.6]. Toavoid too much repetition, we outline below only the steps of the proof that are not directly − [I(U; Z) + I(U; U + Y | Z)] available in [14, pp. 1129-1130]. R = h(U) − h(U | X) + h(U + Y | X) − h(U + Y | U, X) For every permissible strategy with achievable key rate , we have − h(U) + h(U | Z) − h(U + Y | Z) + h(U + Y | U, Z) 1 1 1 I(K; L) = H(K) − H(K | L) = h(Y | Z) − h(Y | X) + [h(U + Y | X) − h(U | X)] n n n 1 1 − [h(U + Y | Z) − h(U | Z)] ≥ H K − {K =/ L}· |K| n ( ) n 1+Pr log ≥ h(Y | Z) − h(Y | X) − [h(U + Y | X) − h(U | X)] (7) 1 1 1 > H(K) − − ε H(K) + ε ≥ h(Y | Z) − h(Y | X) − [h(U + Y) − h(U)], n n n (3) > − ε R − ε − 1 − ε2 (1 )( ) n , h U Y | U X = where the third equality results from ( + , ) where the second line follows from Fano’s inequality, the h Y | U X = h Y | X U ( , ) ( ) due to the independence of and third line results from conditions (1)and(7) in the definition Y , the first inequality follows from the fact of achievable key rate, and the last line is due to condition (5). Thus it suffices to upper bound I(K; L). From condition (3) h(U + Y | Z) − h(U | Z) ≥ h(U + Y | Z, Y) − h(U | Z) in the definition of achievable key rate and the chain rule, we have = h(U | Z, Y) − h(U | Z) = 0, 1 I K L < 1 I K L | Zn k k ε (4) n ( ; ) n ; , Φ , Ψ + (8) ≤ 1 I M M Y n | Zn k k ε which is again due to independence between (Y, Z)andU, n X ; Y , , Φ , Ψ + , and the inequality on the last line follows from h(U + Y | X) − h(U | X) = h(U + Y | X) − h(U) ≤ h(U + Y) − h(U). where the second inequality is due to the fact that K = k n k Without loss of generality and for notational simplicity, K(MX , Ψ )andL = L(MY , Y , Φ ). By repeated uses of the assume that Y and U are both one-dimensional real random chain rule, the construction of permissible strategies, and EURASIP Journal on Wireless Communications and Networking 5 the memoryless nature of the (X, Y, Z) channel, it is shown (ii) YD is the mD × 1 complex-valued receive symbol in [14, pp. 1129-1130] that vector at the destination, n (iii) YW is the mW × 1 complex-valued receive symbol 1 I M M Y n | Zn k k ≤ 1 I X Y | Z . vector at the eavesdropper, n X ; Y , , Φ , Ψ n j ; j j (9) j= 1 (iv) ND is the mD × 1 noise vector with independent identically distributed (i.i.d.) zero-mean, circular- Now let Q be a uniform random variable that takes value { ... n} symmetric complex Gaussian-distributed elements from 1, 2, , and is independent of all other random σ2 of variance D (i.e., the real and imaginary parts of quantities. Define (X, Y, Z) = (Xj , Yj , Zj )ifQ = j. Then p y z | x = p y z | x each elements are independent zero-mean Gaussian it is obvious that Y,Z|X( , ) Y,Z|X ( , ), and (9) random variables with the same variance), can be rewritten as N m × (v) W is the W 1 noise vector with i.i.d. 1 n n k k I MX ; MY , Y | Z , Φ , Ψ zero-mean, circular-symmetric complex Gaussian- n 2 distributed elements of variance σW , (10) ≤ I X; Y | Z, Q ≤ I X; Y | Z , (vi) HD is the mD × mS channel matrix from the source to destination with i.i.d. zero-mean, circular-symmetric where the second inequality is due to the fact that Q → X → complex Gaussian-distributed elements of unit variance, (Y, Z) forms a Markov chain. On the other hand, the power constraint (1) implies that (vii) HW is the mW × mS channel matrix from the source to eavesdropper with i.i.d. zero-mean, circular- n 2 2 symmetric complex Gaussian-distributed elements E X = 1 E X ≤ P. n j (11) of unit variance, j=1 (viii) α>0 models the gain advantage of the eavesdropper Combining (7), (8), and (10), we obtain over the destination. 1 1 Note that HD, HW , ND,andNW are independent. The R< I X; Y | Z +2ε + . (12) 1 − ε n wireless channel modeled by (14) is used n timesasthe (X, Y, Z) channel described in Section 2 with Y = [YD HD] ε n ffi Since can be arbitrarily small when is su ciently large, and Z = [YW HW ]. We assume that the n uses of the wireless (12), together with (11), gives channel in (14) are i.i.d. so that the memoryless requirement of the (X, Y, Z) channel is satisfied. Since HD and HW are R ≤ I X; Y | Z included in the respective channel symbols observable by the destination and eavesdropper (i.e., Y and Z,resp.), ≤ max I(X; Y | Z) X:E[|X|2]≤P (13) this model also implicitly assumes that the destination and eavesdropper have perfect CSI of their respective channels = max [I(X; Y) − I(Y; Z)], from the source. In practice, we can separate adjacent uses X:E[|X|2]≤P of the wireless channel by more than the coherence time of the channel to approximately ensure the i.i.d. channel use where the last line is due to the fact that p(y, z | x) = p(y | assumption. Training (known) symbols can be sent right x)p(z | x). before or after (within the channel coherence period) by the source so that the destination can acquire the required CSI. 3. Key Capacity of Fast-Fading MIMO The eavesdropper may also use these training symbols to Wiretap Channel acquire the CSI of its own channel. If the CSI required at the destination is obtained in the way just described, then Consider that the source, destination, and eavesdropper have a unit of channel use includes the symbol X together with mS, mD,andmW antennas, respectively. The antennas in the associated training symbols. However, as in [29], we do each node are separated by at least a few wavelengths, and not count the power required to send the training symbols hence the fading processes of the channels across the transmit (cf. (1)). Moreover we note that the source (and also the and receive antennas are independent. Using the complex eavesdropper) may get some information about the outdated baseband representation of the bandpass channel model: CSI of the destination channel, because information about the destination channel CSI, up to the previous use, may be Y = H X N D D + D, fed back to the source from the destination via the public (14) channel. More specifically, at time instant ij , the source YW = αHW X + NW , i − symbol Xj is a function of the feedback message Ψ j 1, H where which is in turn some function of the realizations of D at time i1, i2, ..., ij−1. We also note that neither the source nor (i) X is the mS × 1 complex-valued transmit symbol destination has any eavesdropper CSI. Referring back to (14), vector by the source, these two facts imply that X is independent of HD, HW , ND, 6 EURASIP Journal on Wireless Communications and Networking

and NW ; that is, the current source symbol X is independent where KU|v is the covariance of U with respect to the of the current channel state. conditional density pU|V (u | v)[29, Lemma 2]. This implies Since the fading MIMO wiretap channel model in (14)is a special case of the CW model considered in Section 2, the mU h(U | V) ≤ EV log (πe) det KU|V key capacity CK is given by Theorem 1 as ≤ log det EV KU|V + mU log(πe) CK = max [I(X; YD, HD) − I(YD, HD; YW , HW )]. X E |X|2 ≤P : [ ] ≤ K − K K −1K m πe . (15) log det U UV V VU + U log( ) (21) Note that

I(X; YD, HD) − I(YD, HD; YW , HW ) The second inequality above is due to the concavity of the function logdet over the set of positive definite symmetric = I(X; YD | HD) − I(YD; YW | HD, HW ) matrices [30, 7.6.7], and the Jensen’s inequality. To get the (16) third inequality, observe that EV [KU|V ] can be interpreted as = h Y | Y H H − h Y | X H ( D W , D, W ) ( D , D) the covariance of the estimation error of estimating U by the E U | V = h Y | Y H H − m πeσ2 . conditional mean estimator [ ]. On the other hand, ( D W , D, W ) D log D −1 KU − KUVKV KVU is the covariance of the estimation error Substituting this back into (15), we get of using the linear minimum mean squared error estimator K K −1V UV V instead. The inequality results from the fact that 2 K − K K −1K ≥ E K K − K K −1K − CK = max h(YD | YW , HD, HW ) − mD log πeσD . U UV V VU V [ U|V ](i.e.,[ U UV V VU] X E |X|2 ≤P : [ ] EV [KU|V ] is positive semidefinite) [31] and the inequality of (17) det(A) ≥ det(B)ifA and B are positive definite, and A ≥ B [30, , 7.7.4]. As a result, the key capacity of the fast-fading wiretap channel T T T Suppose that [U V ] is a circular-symmetric com- described by (14) can be obtained by maximizing the con- plex Gaussian random vector. For each v, the conditional ditional entropy h(YD | YW , HD, HW ). This maximization covariance of U, conditioned on V = v, is the same as problem is solved below. −1 the (unconditional) covariance of U − KUVKV V. Since U − K K −1V Theorem 2. One has UV V is a circular-symmetric complex Gaussian random vector [29,Lemma3],soisU conditioned on V = v. CK Hence by [29, Lemma 2], the upper bound in (20)isachieved −1 ⎡ ⎤ with KU|v = KU − KUVKV KVU, which also gives the upper 2 2 † 2 † det ImS + α P/mSσW HW HW + P/mSσD HDHD bound in (21). =E⎣log ⎦, 2 2 † det ImS + α P/mSσW HW HW (18) To prove the theorem, we first obtain an upper bound on where † denotes conjugate transpose. CK and then show that the upper bound is achievable. Using Proof. To determine the key capacity, we need the following Lemma 1,wehave h U | V upper bound on the conditional entropy ( ). 2 h(YD | YW , HD, HW ) − mD log πeσD Lemma 1. Let U and V be two jointly distributed complex random vectors of dimensions mU and mV ,respectively.LetKU , −1 2 ≤ E log det KYD − KYDYW KY KYW YD − mD log σD, K K U V W V ,and UV be the covariance of ,covarianceof ,and (22) cross-covariance of U and V,respectively.IfKV is invertible, then KY KY − where D and W are, respectively, the conditional covari- h U | V ≤ KU − KUVK 1KVU mU πe . ( ) log det V + log( ) ances of YD and YW ,givenHD and HW ,andKYDYW and

(19) KYW YD are the corresponding conditional cross-covariances. CK T Substituting (22) into (17), an upper bound on is Theupperboundisachievedwhen[UT V T ] is a circular- symmetric complex Gaussian random vector. E K − K K −1 K − m σ2 . max log det YD YDYW YW YW YD D log D X E |X|2 ≤P Proof. We can assume that both U and V have zero means : [ ] without loss of generality. Also assume the existence of all (23) unconditional and conditional covariances stated below. For each v, Thus we need to solve the maximization problem (23). To do λ λ ... λ K mU so, let 1, 2, , mS be the (nonnegative) eigenvalues of X . h(U | V = v) ≤ (πe) KU|v log det , (20) Since both the distributions of HD and HW are invariant to EURASIP Journal on Wireless Communications and Networking 7 any unitary transformation [29, Lemma 5], we can without Now define the! constraint set ΛP ={λi ≥ 0fori = ... m mS λ ≤ P} any ambiguity define 1, 2, , S and i=1 i . Lemma 2 implies that we can find the upper bound on CK by calculating f λ λ ... λ f λ λ ... λ 1, 2, , mS maxΛP ( 1, 2, , mS ), whose value is given by the next lemma. = E I 1 H K 1/2 log det mD + 2 D X σD Lemma 3. One has ⎞⎤ " # − P P P α2 1 f λ λ ... λ = f ... . × I K 1/2H† H K 1/2 K 1/2H† ⎠⎦. max 1, 2, , mS m , m , , m (27) mS + 2 X W W X X D ΛP S S S σW (24) Proof. Since the elements of both HD and HW are i.i.d., f is invariant to any permutation of its arguments. This K = λ λ ... λ f f That is, we can assume X diag( 1, 2, , mS )withno means that is a symmetric function. By Lemma 2, is loss of generality. Then we have the following lemma, which also concave in ΛP.ThusitisSchur-concave[33]. Hence suggests that the objective function in (23)isaconcave a Schur-minimal element (an element majorized by any function depending only on the eigenvalues of the covariance another element) in ΛP maximizes f .Itiseasytocheck of X. that (P/mS, P/mS, ..., P/mS) is Schur-minimal in ΛP.Hence f λ λ ... λ = f P/m P/m ... P/m maxΛP ( 1, 2, , mS ) ( S, S, , S). Lemma 2. Suppose that X has an arbitrary covariance KX , Combining the results in (23), (24), Lemmas 2 and 3,we λ λ ... λ whose (nonnegative) eigenvalues are 1, 2, , mS , then obtain the upper bound on the key capacity as E K − K K −1 K − m σ2 CK log det YD YDYW YW YW YD D log D ⎡ ⎛ ⎞ ⎤ (25) − = f λ λ ... λ P α2P 1 1, 2, , mS ≤E⎣ ⎝I H I H† H ⎠H† ⎦ log det mD + 2 D mS + 2 W W D mSσD mSσW is concave in Λ ={λi ≥ 0 for i = 1, 2, ..., mS}. ⎡ ⎤ I α2P/m σ2 H† H P/m σ2 H† H A H K 1/2 A = αH K 1/2 det mS + S W W W + S D D D Proof. First write D = D X and W W X .Itis =E⎣log ⎦, † 2 I α2P/m σ2 H† H easy to see from (14) that KYD = ADAD + σDImD , KYW = det mS + S W W W † 2 † AW AW + σW ImW ,andKYDYW = ADAW . Then (28)

K − K K −1 K I UV−1U† = V U†U / V YD YDYW YW YW YD where the identity det( + ) det( + ) det( ) V for invertible [34, Theorem 18.1.1] has been used. −1 X =σ2 I 1 A I −A† A A† σ2 I A A† On the other hand, consider choosing to have D mD + 2 D mS W W W + W mW W D σD i.i.d. zero-mean, circular-symmetric complex Gaussian- ⎧ ⎫ distributed elements of variance P/mS. Then conditioned on ⎨ −1 ⎬ T T T HD HW Y Y =σ2 I 1 A I 1 A† A A† and ,[ D W ] are a circular-symmetric complex D⎩ mD + 2 D mS + 2 W W D⎭, σD σW Gaussian random vector, by applying [29, Lemmas 3 and 4] (26) to the linear model of (14). Hence Lemma 1 gives

h(YD | YW , HD, HW ) where the last equality is due to the matrix inversion formula. Substituting this result into the left-hand side of (25), we −1 = E log det KYD − KYDYW KY KYW YD + mD log(πe), obtain the right-hand side of (24), and hence (25). W To show concavity of f ,itsuffices to consider only diag- (29) K = λ λ ... λ onal X diag( 1, 2, , mS )inΛ. Note that the mapping † K K 2 2 YD YDYW where KYD = (P/mS)HDHD + σDImD , KYW = (α P/ H KX → F † † : K K is linear in Λ. Also the mapping : m H H σ2 I K = αP/m H H YW YD YW S) W W + W mW ,and YDYW ( S) D W .Sub- K K YD YDYW − stituting this back into (16) and using the matrix inversion → KY − KY Y K 1 KY Y K K D D W YW W D is matrix-concave YW YD YW formula to simplify the resulting expression, we obtain the H in (Λ)[32, Ex. 3.58]. Thus the composition theorem [32] same expression on the first line of (28)forI(X; YD, HD) − G K → K − K K −1 K gives that the mapping : X YD YDYW YW YW YD I(YD, HD; YW , HW ). Thus the upper bound in (28)isachiev- is matrix-concave in Λ, since G = F ◦ H. Another use of able with this choice of X; hence it is in fact the key the composite theorem together with the concavity of the capacity. function logdet as mentioned in the proof of Lemma 1 shows that log det G is concave in Λ.Thus(25) implies that f is also In Figure 1, the key capacities of several fast-fading concave in Λ. MIMO channels with different numbers of source, destination, and eavesdropper antennas are plotted against the 2 2 2 Hence it suffices to consider only those X with zero mean in source signal-to-noise ratio (SNR) P/σ ,whereσD = σW = (23). σ2. The channel gain advantage of the eavesdropper is set 8 EURASIP Journal on Wireless Communications and Networking

5.5 deﬁned in the proof of Lemma 2 as a function of P. Also 5 deﬁne ⎛ ⎞ 4.5 − P α2P 1 f P = ⎝I H I H† H H†⎠. 4 ( ) log det mD + 2 D mS + 2 W W D mSσD mSσW . 3 5 (32) 3 2.5 Thus CK (P) = E[ f (P)]. It is not hard to check that

(bits/channel symbol) for any P

K 2 C det(G(P)) ≤ det(G(P)). Hence f is increasing in P. Since 1.5 † the elements of HW are continuously i.i.d., rank(HW HW ) = 1 † rank(HW HW ) = rank(HW ) = min(mS, mW ) w.p.1. Thus 0.5 H† H H H† 02468101214161820 the matrix W W (resp., W W ) is invertible w.p.1 when mW ≥ mS mW

† Since HW HW is invertible w.p.1, α2 = ﬀ to 1. We observe that the key capacity levels o H† H σ2 /α2σ2 H† H P/σ 2 det W W + W D D D as increases in three of the four channels, except the lim f(P) = log w.p.1. P →∞ † case of (mS, mD, mW ) = (2, 1, 1), considered in Figure 1.It det HW HW appears that the relative antenna dimensions determine the (34) asymptotic behavior of the key capacity when the SNR is large. To more precisely study this behavior, we evaluate the Hence Part (1) of the lemma results from monotone C P limiting value of K as the input power of the source convergence. C becomes very large. To highlight the dependence of K on For the case of mW

−1 columns of V. Employing the unitary property of UW and where HW denotes the Penrose-Moore pseudoinverse of HW . VW , it is not hard to verify that Then (40) implies that 0 ≤ lim inf f (P) − f∞(P) f(P) P →∞ P † † † † ≤ lim sup f (P) − f∞(P) = I H V V H H V P V H P →∞ log det mD + 2 D W W D + D W ΛW ( ) W D , mSσD " # (37) σ2 † ≤ m − j W H−1H† H−1H† . . . D log 1+ 2 tr W D W D w p 1 P α2σD f P = I H V V † H† ∞( ) log det mD + 2 D W W D , (38) (42) mSσD Hence by Fatou’s lemma, we get − 2 2 2 2 2 2 1 where ΛW (P) = (σW /α σD)((mSσW /α P)ImW + SW ) .From 0 ≤ lim inf[CK (P) − C∞(P)] (37)and(38), it is clear that f∞(P) ≤ f (P). P →∞ † † Further let t(P) = tr(HDVW ΛW (P)VW HD). Since † † ≤ lim sup[CK (P) − C∞(P)] t(P)ImD ≥ HDVW ΛW (P)VW HD, P →∞ " # σ2 † ≤ E m − j W H−1H† H−1H† . P D log 1+ 2 tr W D W D f P ≤ t P I H V V † H† α2σD ( ) log det [1+ ( )] mD + 2 D W W D mSσD (43) = m t P D log(1+ ( )) From (38), it is clear that f∞(P) increases without bound P in P w.p.1; hence C∞(P) also increases without bound. I H V V † H† . +logdet mD + 2 D W W D mSσD[1+t(P)] Combining this fact with (43), we arrive at the conclusion (39) of Part (2) of the lemma.

Part (1) of the lemma verifies the observations shown in † † Let μ1, μ2, ..., μj be the positive eigenvalues of HDVW VW HD. Figure 1 that the key capacity levels off as the SNR increases Note that 1 ≤ j ≤ min(mD, mS − mW ), because of the if the number of source antennas is no larger than that of fact that the elements of HD are continuously i.i.d. and are eavesdropper antennas. When the source has more antennas, independent of the elements of HW .Hence,from(38), (39), Part (2) of the lemma suggests that the key capacity can and the fact that f∞(P) ≤ f (P), we have grow without bound as P increases similarly to a MIMO fading channel with capacity C∞(P). Note that the matrix † † −1 ImS −HW (HW HW ) HW in the expression that defines C∞(P) 0 ≤ f (P) − f∞(P) is a projection matrix to the orthogonal complement of the column space of HW .ThusC∞(P) has the physical ≤ m t P D log(1+ ( )) interpretation that the secret information is passed across ⎛ ⎞ j 2 the dimensions not observable by the eavesdropper. The i= 1+ Pμi/mSσD(1+t(P)) +log⎝ 1 ⎠ most interesting aspect is that this mode of operation can be j Pμ /m σ2 i=1 1+ i S D (40) achieved even if neither the source nor the destination knows the channel matrix HW . = mD log(1+t(P)) We note that the asymptotic behavior of the key capacity j in the high SNR regime summarized in Corollary 1 is similar 2 (1/(1+t(P))) + mSσD/Pμi to the idea of secrecy degree of freedom introduced in [35]. + log . mSσ2 /Pμi The subtle difference here is that no up-to-date CSI of the i=1 1+ D destination channel is needed at the source. Another interesting observation from Figure 1 is that for Now note that the case of (mS, mD, mW ) = (1, 10, 10), the source power P seems to have little effect on the key capacity. A small amount of source power is enough to get close to the leveling key σ2 t P = W H V S−2V † H† capacityofabout1bitperchanneluse.Thisobservation lim ( ) 2 tr D W W W D P →∞ α2σD is generalized below by Corollary 2, which characterizes " # (41) the effect of spatial dimensionality of the destination and σ2 † = W H−1H† H−1H† eavesdropper on the key capacity when the destination and 2 tr W D W D , α2σD eavesdropper both have a large number of antennas. 10 EURASIP Journal on Wireless Communications and Networking

Corollary 2. When mD and mW approach inﬁnity in such a 101 m /m = β way that limmD,mW →∞ W D , 1 C −→ m . 0 K S log 1+ 2 2 (44) 10 βα2σD/σW Proof. This corollary is a direct consequence of the fact that † † /m H H → I /m H H → I −1 (1 D) D D mS and (1 W ) W W mS w.p.1, 10 which is in turn due to the strong law of large numbers.

Note that we can interpret the ratio β as the spatial (bits/channel symbol) K − dimensionality advantage of the eavesdropper over the C 10 2 destination. The expression for the limiting CK in the corollary clearly indicates that this spatial dimensionality advantage affects the key capacity in the same way as the 10−3 channel gain advantage α2. 0 5 10 15 20 25 30 35 In Figure 2, the key capacities of several fast-fading α2 (dB) ff MIMO channels with di erent numbers of source, desti- mS = 1, mD = 1, mW = 1 nation, and eavesdropper antennas are plotted against the mS = 2, mD = 1, mW = 1 2 2 eavesdropper’s channel gain advantage α ,withP/σ = mS = 2, mD = 2, mW = 2 10 dB. The results in Figure 2 show the other effect of spatial dimensionality. We observe that the key capacity Figure 2: Key capacities of fast-fading MIMO wiretap channels decreases almost reciprocally with α2 in the channels with with different numbers of source, destination, eavesdropper anten- 2 2 (mS, mD, mW ) = (1,1,1)and(mS, mD, mW ) = (2,2,2),but nas. The source signal to noise ratio P/σ = 10 dB, where σD = σ2 = σ2 stays almost constant for the channel with (mS, mD, mW ) = W . (2, 1, 1). It seems that the relative numbers of source and eavesdropper antennas again play the main role in differentiating these two different behaviors of the key capacity. To verify that, we evaluate the limiting value of CK as the (3) the destination uses a binning scheme with the gain advantage α2 of the eavesdropper becomes very large. quantized symbol sequences to determine the secret To highlight the dependence of CK on α2, we use the notation key and the information to feedback to the source CK (α2). over the public channel; Corollary 3. One has (4) the source exploits the information sent by the ⎧ destination to reconstruct the destination’s quantized ⎨ m ≥ m 0, if W S, Yn CK α2 = sequence and uses the same binning scheme to αlim→∞ ⎩ (45) C∞(P), if mW 0andI(Y; Z) > 0, and let p(y) The main steps of the key agreement procedure are the denote the corresponding marginal. Note that the existence following: of such p(y | y) can be assumed without loss of generality if I X Y − I Y Z > I Y Z > I X Y − I Y Z = Xn ( ; ) ( ; ) 0and ( ; ) 0. If ( ; ) ( ; ) (1) the source sends a sequence of i.i.d. symbols ; 0, there is nothing to prove. Similarly, if I(Y; Z) = 0, the n (2) the destination “quantizes” its received sequence Y construction below can be trivially modified to show that into Yn with a Wyner-Ziv compression scheme; I(X; Y)isanachievablekeyrate. EURASIP Journal on Wireless Communications and Networking 11

Fix a small (small enough so that the various rate sequence index m. If there is no such sequence, it sets M = 0. definitions and bounds on probabilities below make sense Let L and J be the unique indices such that Yn(M) ∈ C(J, L). and are nontrivial) ε>0. Let us define The index L will be used as the key while the index J is fed back to the source over the public channel, that is, Ψk = J.If R =Δ I Y Y ε nR 1 ; +4 , M = 0, set J = 0andchooseL randomly over {1, 2, ...,2 3 } with uniform probabilities. Δ R2 = I Y; Y − I X; Y +22ε, After receiving the feedback information J via the public (46) channel, the source attempts to find a unique Yn(m) ∈ C Δ n n R3 = I X; Y − I Y; Z − ε, such that Tε(X , Y (m)) = 1andm ∈ C(J). If there is such n a unique Y (m), the source decodes M = m. If there is no Δ R4 = I Y; Z − 17ε. such sequence or more than one such sequence, the source sets M = 0. If J = 0, it sets M = 0. Finally, if M> 0, the nR nR j = ... 2 l = ... 3 For each 1, 2, ,2 and 1, 2, ,2 ,gen- source generates its key K = k, such that M ∈ C(J, k). If nR n n n nR erate 2 4 codewords Y (j, l,1),Y (j, l,2),..., Y (j, l,2 4 ) M = 0, it sets K = 0. n n according to p(y ). The set of codewords {Y (j, l, k)} with We also consider a fictitious receiver who observes the nR k = 1 ...2 4 forms a subcode denoted by C(j, l). The sequence Zn and obtains both indices J and L via the nR union of all subcodes C(j, l)forj = 1, 2, ...,2 2 and l = M = J = nR public channel. This receiver sets 0if 0. 1, 2, ...,2 3 forms the code C. For convenience, we denote Yn m ∈ C nR n n n nR Otherwise, it attempts to find a unique ( ) such 1 C Y Y ... Y 1 the 2 codewords in as (1), (2), , (2 ), where T Yn m Zn = m ∈ C J L n nR n R R n that ε( ( ), ) 1and ( , ). If there is such Y (j +(l − 1)2 2 +(w − 1)2 ( 2+ 3)) = Y (j, l, w)forj = n nR nR nR a unique Y (m), the source decodes M = m. If there is no ... 2 l = ... 3 w = ... 4 1, 2, ,2 , 1, 2, ,2 ,and 1, 2, ,2 .The such sequence or more than one such sequence, the source code C and its subcodes C(j, l) is revealed to the source, sets M = 0. destination, and eavesdropper. In the following, we refer to a codeword or its index in C interchangeably. Under this convention, the subcode C(j, l) are also the set that contains 4.3. Analysis of Probability of Error. We use a random coding nR C j = 2 3 C j l argument to establish the existence of a code with rates given all the indices of its codewords. Denote ( ) l=1 ( , ) nR 2 2 by (46) such that Pr{K =/ L} and Pr{M =/ M} vanish in the and C(l) = j= C(j, l). 1 limit of large block length n. Without further clarification, we note that the probabilities of the events below, except 4.2. Secret Sharing Procedure. For convenience, we define otherwise stated, are over the joint distribution of the T · the joint typicality indicator function ε( ) that takes in a codebook C, codewords, and all other random quantities T · number of sequences as its arguments. The value of ε( ) involved. ε is 1 if the sequences are -jointly typical, and the value is Before we proceed, we introduce the following lemma 0 otherwise. Further define the indicator function for the regarding the indicator function Sε. sequence pair (yn, yn): ⎧ n n n n n n n n Lemma 4. (1) If (Y , Y ) distributes according to p(y , y ), ⎨1, if Pr Tε X , y , y , Z = 1 ≥ 1 − ε, n n {S Y n Yn = } > − ε ffi n Sε y , y = then Pr ε( , ) 1 1 for su ciently large . ⎩ n n n 0, otherwise, (2) If Y distributes according to p(y ), then Pr{Sε(y , n −n R − ε n (47) Y ) = 1}≤2 ( 1 7 )/(1 − ε) for all y . n n n (3) If Y distributes according to p(y ), then Pr{Sε(Y , Xn Zn p xn zn | yn yn n −n R − ε n where ( , ) is distributed according to ( , , ) y ) = 1}≤2 ( 1 7 )/(1 − ε) for all y . in the definition above. Y n Yn p yn p yn Xn (4) If ( , ) distributes according to ( ) ( ), then Thesourcegeneratesarandomsequence distributed n n −n(R −ε) n n Pr{Sε(Y , Y ) = 1} > (1 − ε) · 2 1 for sufficiently large according to p(x ). If X satisfies the average power n n. constraint (1), the source sends X through the (X, Y, Z) channel. Otherwise, it ends the secret-sharing process. Since Proof. (1) This claim is actually shown in [36]. We briefly p x E |X|2 ≤ P ( )satisfies [ ] , the law of large numbers implies sketch the proof here using our notation for completeness that the probability of the latter event can be made arbitrarily and easy reference. By the reverse Markov inequality [36], small by increasing n.Hencewecanassumebelow,with no loss of generality, that Xn satisfies (1) and is sent by S Y n Yn = the source. This assumption helps to make the probability Pr ε , 1 calculations in Section 4.3 less tedious. n T Xn Y n Yn Zn = Upon reception of the sequence Y , the destination tries 1 − Pr ε , , , 1 ≥1 − > 1 − ε , to quantize the received sequence. Let M be the output of its 1 − (1 − ε) quantizer. Specifically, if there is a unique sequence Yn(m) ∈ (48) nR n n C for some m ∈{1, 2, ...,2 1 } such that Sε(Y , Y (m)) = 1, then it sets the output of the quantizer to M = m. If there where the second inequality is due to that fact that n n n n is more than one such sequence, M is set to be the smallest Pr{Tε(X , Y , Y , Z ) = 1} > 1 − ε2 for sufficiently large n. 12 EURASIP Journal on Wireless Communications and Networking

(2) First, we only need to consider typical yn since the Lemma 5. (1) Pr{M = 0} < 2ε for sufficiently large n. n nR −n R − ε bound is trivial when y is not typical. Notice that for any (2) For m = 1, 2, ...,2 1 , Pr{M = m}≤2 ( 1 7 )/(1 − such yn, ε). n ffi {M = m}≥ (3) When is su ciently large, Pr n n n n n n n n n n n −n R − ε m−1 −n R −ε 1 ≥ Tε x , y , y , z p x , y , z | y dx dz dy [1 − (2 ( 1 7 )/(1 − ε))] · (1 − ε)2 ( 1 ) uniformly for nR all m = 1, 2, ...,2 1 . n n n ffi {J = j L = l} > n n n n p y , y n (4) When is su ciently large, Pr , = T X y y Z = · dy 4 −n R −R ε nR Pr ε , , , 1 p yn (1 − ε) · 2 ( 1 4+6 ) uniformly for all j = 1, 2, ...,2 2 and nR l = 1, 2, ...,2 3 . −n(h(Y,Y)+ε) n n n n 2 n ≥ Tε X y y Z = · dy Proof. (1) We will use an argument similar to the one in Pr , , , 1 −n(h(Y)−ε) 2 the achievability proof of rate distortion function in [27, {M = } {M = } −n h Y|Y ε n n n n n Section 10.5] to bound Pr 0 . First note that 0 = 2 ( ( )+2 ) Pr Tε X , y , y , Z = 1 dy . n n is the event that Sε(Y , Y (m)) = 0forallm ∈{1, 2, ..., R1}, (49) and hence ⎧ ⎫ Hence ⎨2nR1 ⎬ n n Pr{M = 0}=Pr Sε Y , Y (m) = 0 n(h(Y|Y)+2ε) n n n n n ⎩ ⎭ 2 ≥ Pr Tε X , y , y , Z = 1 dy m=1 nR 1 n n 2 n n n n n n n n n = Pr Sε y , Y (1) = 0 p y dy , ≥ Sε y , y · Pr Tε X , y , y , Z = 1 dy (53) n n n ≥ (1 − ε) Sε y , y dy . where the second equality is due to the fact that n n nR n (50) Y (1), ..., Y (2 1 ) are i.i.d. given each fixed y .But Now nR n n 2 1 n n Pr Sε y , Y (1) = 0 Pr Sε y , Y = 1 nR 2 1 n n n n n n n n = − Sε y y p y dy = Sε y , y p y dy 1 ,

nR1 (51) p yn p yn 2 n n −n h Y −ε n n n n n n ≤ Sε y , y 2 ( ( ) )dy = 1 − Sε y , y p y | y dy p yn, yn

−n I Y Y − ε 2nR1 2 ( ( ; ) 3 ) −n(h(Y)+ε) −n(h(Y)+ε) ≤ n n n n 2 · 2 n − ε , ≤ 1− Sε y , y p y | y dy 1 2−n(h(Y,Y)−ε) where the last inequality is due to (50). nR 2 1 yn yn −n I Y Y ε n n n n n (3) Same as Part (2), interchanging the roles of and . = 1 − 2 ( ( ; )+3 ) Sε y , y p y | y dy (4) From Part (1), we get n n n n n nε n n n n n n ≤1 − Sε y , y p y | y dy +exp(−2 ), 1 − ε< Sε y , y p y , y dy dy (54) n n n n p y , y n n n n = Sε y , y p y p y dy dy p yn p yn where the inequality on the fourth line is due to the fact n n n n Sε y y = Tε y y = that ( , ) 1implies ( , ) 1, and the last line −n(h(Y,Y)−ε) k −ky n n 2 results from the inequality (1 − xy) ≤ 1 − x + e for all ≤ Sε y , y · 2−n(h(Y)+ε) · 2−n(h(Y)+ε) 0 ≤ x, y ≤ 1 and positive integer k [27, Lemma 10.5.3]. Substituting (54) back into (53) and using Lemma 4 Part (1), n n n n · p y p y dy dy we get n(I(Y;Y)−3ε) n n = 2 Pr Sε Y , Y = 1 . n n Pr{M = 0}≤1 − Pr Sε Y , Y = 1 (52) (55) +exp(−2nε) <ε+ ε = 2ε Moreover we need to bound the probabilities of the following events pertaining to M. for suﬃciently large n. EURASIP Journal on Wireless Communications and Networking 13

nR (2) Notice that for m = 1, 2, ...,2 1 , Thus applying Part (3) of the lemma, we get Pr J = j, L = l

Pr{M = m} −n R −ε ≥ (1 − ε)2 ( 1 ) n n = Sε Y Y m = nR j− l− nR w− n(R +R ) Pr , ( ) 1, 24 −n R − ε 1+( 1)2 2 +( 1)2 2 3 2 ( 1 7 ) · 1 − n n n n − ε Sε Y , Y (m−1) =0, ..., Sε Y , Y (1) =0 w=1 1 n(R2+R3) −n(R −7ε) 2 = S yn Yn = −n R −ε 2 1 Pr ε , (1) 1 ≥ (1 − ε)2 ( 1 ) 1 − 1 − ε m−1 n n n n nR1 × Pr Sε y , Y (1) = 0 p y dy , −n R − ε 2 1 − 1 − 2 ( 1 7 )/(1 − ε) (56) × n R R −n R − ε 2 ( 2+ 3) 1 − [1 − 2 ( 1 7 )/(1 − ε)] −n(R −7ε) −n R −ε 2 4 where the second equality results from the i.i.d. nature of ≥ (1 − ε)2 ( 1 ) 1 − 1 − ε Yn(1), ..., Yn(m). Thus we have nR1 −n R − ε 2 1 − 1 − 2 ( 1 7 )/(1 − ε) · −n R − ε −n R − ε ( 1 7 ) 1 − [1 − 2 ( 4 7 )/(1 − ε)] {M = m}≤ S Y n Yn = ≤ 2 Pr Pr ε , (1) 1 − ε , 1 −n(R −7ε) 7nε −n R −R ε 2 4 exp −2 (57) ≥ (1−ε)2 · 2 ( 1 4+6 ) 1− 1− 1 − ε 1 − ε

−n R −R ε > (1 − ε)4 · 2 ( 1 4+6 ) where the last inequality is due to Part (2) of Lemma 4 since (60) Y n and Yn(1) are independent. nR nR (3) From (56), we have the lower bound uniformly for all j = 1, 2, ...,2 2 and l = 1, 2, ...,2 3 , when n is sufficiently large. The third lower bound of (60)above k is obtained from the inequality (1 − x) ≥ 1 − kx for any {M = m} Pr 0 ≤ x ≤ 1 and positive integer k. The fourth lower bound is k −kx m− − x ≤ e ≤ x ≤ −n(R −7ε) 1 in turn based on the inequality (1 ) for 0 1 2 1 n n k ≥ 1 − Pr Sε Y , Y (1) = 1 and positive integer . 1 − ε We first consider the error event {K =/ L}. Note that m− −n(R −7ε) 1 2 1 −n R −ε ≥ 1 − · (1 − ε)2 ( 1 ), Pr{K =/ L}=Pr{M = 0} +Pr{M>0, K =/ L} 1 − ε (58) 2nR1 = Pr{M = 0} + Pr Em ∪ Em, M = m m=1 where the first inequality is due to Part (2) of Lemma 4,and 2nR1 n the second inequality is from Part (4) of Lemma 4 when ≤ Pr{M = 0} + Pr Em, M = m ffi ffi n is su ciently large. Note that the same su ciently large is m=1 enough to guarantee the validity of the lower bound above nR nR1 for all m = 1, 2, ...,2 1 . 2 nR {E M = m} (4) First note that, for j = 1, 2, ...,2 2 and l = + Pr m, , nR m=1 ... 3 1, 2, ,2 , (61)

n n where Em is the event {Tε(X , Y (m)) = 0},andEm is the J = j L = l Pr , event that there is an m ∈ C (j) such that m ∈ C (j), m =/ m, T Xn Yn m = = {M = m} and ε( , ( )) 1. From (56), we have Pr m∈C(j,l) Pr Em, M = m 2nR4 nR n R R n n n n = Pr M = j + (l − 1)2 2 + (w − 1)2 ( 2+ 3) . = Pr Tε X , Y (m) = 0, Sε Y , Y (m) = 1, w=1 n n n n (59) Sε Y , Y (m − 1) = 0, ..., Sε Y , Y (1) = 0 14 EURASIP Journal on Wireless Communications and Networking n n n n n n ≤ Pr Tε X , Y , Y (m), Z = 0, Sε Y , Y (m) = 1, bounds in (62)and(63) back into (61) and using Part (1) of Lemma 5,weobtain n n n n Sε Y , Y (m − 1) = 0, ..., Sε Y , Y (1) = 0 ⎡ ⎧ ⎫ Pr{K =/ L} ⎨ ⎬ n n n n n n nR nR = ⎣ T x y Y m z = S y Y m = 21 21 −n R ε Pr⎩ ε , , ( ), 0, ε , ( ) 1⎭ ( 1+8 ) ≤ ε ε · {M = m} 2 2 + Pr + − ε (64) ⎤ m=1 m=1 1

− nε ×p xn, zn | yn dxndzn⎦ 2 8 = 2ε + ε + < 4ε 1 − ε m−1 n n n n for n is sufficiently large. · Pr Sε y , Y (m ) = 0 p y dy {M = M} F m =1 Next we consider the event / .Define m as the n n " {Tε Y m Z = } Fm event ( ( ), ) 0 and as the event that there n n n n n n n n n n m ∈ C l j m ∈ C l j m = m = 1 − Tε x , y , y , z p x , z | y , y dx dz is an ( , ) such that ( , ), / ,and n n Tε(Y (m ), Z ) = 1. Then we have, when n is sufficiently # nR nR 2 3 n n n n large, uniformly for all j = 1, 2, ...,2 and l = 1, 2, ...,2 , ·Sε y , y p y dy M=/ M | J = j L = l m−1 Pr , n n n n · Pr Sε y , Y (m ) = 0 p y dy m =1 ≤ Pr Fm, M = m | J = j, L = l m∈C(j,l) n n n n ≤ ε · Pr Sε Y , Y (m) = 1, Sε Y , Y (m − 1) = 0, ..., + Pr Fm, M = m | J = j, L = l n n Sε Y , Y (1) = 0 m∈C(j,l) = ε · Pr{M = m}, ≤ ε · Pr M = m | J = j, L = l m∈C j l (62) ( , ) (65)

−n(R1+7ε) 2 · 1 + − ε J = j L = l where the equality on the fourth line is due to the i.i.d. nature m∈C(j,l) 1 Pr , n n nR of Y (1), ..., Y (2 1 ), the equality on the fifth line results n n n n n n n −n R ε nR p x z | y = p x z | y y ( 1+7 ) 4 from the fact that ( , ) ( , , ) (since ≤ ε 2 · 2 + 4 −n R −R ε (X, Z) → Y → Y), and the inequality on the second last 1 − ε (1 − ε) · 2 ( 1 4+6 ) S line is from the definition of the indicator function ε. −nε 2 Similarly assuming m ∈ C(j), we have from (56) = ε + < 2ε. (1 − ε)5 E M = m} Pr{ m, Note that the inequality on the third line of (65) results from upper bounds of Pr{Fm, M = m} and Pr{Fm, M = ≤ T Xn Yn m = S Y n Yn m = Pr ε , ( ) 1, ε , ( ) 1 m}, which can be obtained in ways almost identical to the m ∈C (j) m =/ m derivations in (62)and(63), respectively. The inequality on the fourth line is, on the other hand, due to Part (4) of n n Lemma 5. = Pr Tε x , Y (m ) = 1 By expurgating the random code ensemble, we obtain the m ∈C (j) m =/ m following lemma. n n n n n n ε> n ffi · Pr Sε y , Y (m) = 1 p x , y dx dy Lemma 6. For any 0 and su ciently large, there exists acodeCn with the rates R1, R2, R3,andR4 given by (46) such −n(R −7ε) −n(R +8ε) n R −R −n I X Y − ε 2 1 2 1 that ≤ 2 ( 1 2) · 2 ( ( ; ) 3 ) · = , 1 − ε 1 − ε (63) (1) Pr{K =/ L | C = Cn} < 8ε, (2) Pr{M =/ M | C = Cn} < 8ε, where the equality on the third line is due to the −n R − ε {M = m | C = C }≤ ( 1 7 )/ − ε n n (3) Pr n 2 (1 ) for all independence between Y (m )andY (m), and the last nR m = 1, 2, ...,2 1 , inequality results from Part (2) of Lemma 4 and the bound n n −n I X Y − ε −n(R3−8ε) Pr{Tε(x , Y (m )) = 1}≤2 ( ( ; ) 3 ), which is a (4) Pr{L = l | C = Cn} < 2 for all l = nR direct result of [27, Theorem 15.2.2]. Hence, substituting the 1, 2, ...,2 3 . EURASIP Journal on Wireless Communications and Networking 15

Proof. Combining Part (1) of Lemma 5,(64), and (65), we Next we bound I(K; Zn, J). Note that have I(K; Zn, J) = I(L; Zn, J) + I(K; Zn, J | L) Pr{M = 0} +Pr{K =/ L} +Pr M =/ M < 8ε (66) − I(L; Zn, J | K) for suﬃciently large n. This implies that there must exist a Cn ≤ I L Zn J I K Zn J | L satisfying Pr{K =/ L | C = Cn} < 8ε,Pr{M =/ M | C = Cn} < ( ; , ) + ( ; , ) (73) ε {M = | C = C } < ε 8 ,andPr 0 n 8 . Thus, Parts (1) and (2) ≤ I(L; Zn, J) + H(K | L) are proved. nR n C m = ... 1 y m n Now, ﬁx this n.For 1, 2, ,2 ,let ( ) be the ≤ I(L; Z , J) +8nεR3 +1, mth codeword of Cn.Then,byPart(3)ofLemma 4, {M =m | C =C } where the last inequality is obtained from Part (1) of Pr n Lemma 6 and Fano’s inequality like before. In addition, it

−n(R1−7ε) (67) holds that n n 2 ≤ Pr Sε Y , y (m) =1 ≤ , 1 − ε I(L; Zn, J) = H(L) − H(L | Zn, J) hence, Part (3) results. n n nR = H(L) − H(L, J | Z ) + H(J | Z ) Note that, for l = 1, 2, ...,2 3 , = H L H J | Zn − H L J M | Zn Pr{L = l | C = Cn} ( ) + ( ) ( , , ) H M | Zn L J = Pr{L = l | M = 0, C = Cn}Pr{M = 0 | C = Cn} + ( , , ) (74) ≤ H L H J − H M | Zn +Pr{L = l, M>0 | C = Cn}. ( ) + ( ) ( ) (68) − H(L, J | M, Zn) + H(M | Zn, L, J) We know from the discussion above that Pr{L = l | M = ≤ H L H J I M Zn −nR ( ) + ( ) + ( ; ) 0, C = Cn}Pr{M = 0 | C = Cn} < 2 3 · 8ε. Also from Part (3) of the lemma, − H(M) +8nR1ε +1, {L = l M> | C = C } Pr , 0 n where the second last inequality follows from H(J | Zn) ≤ H J H L J | M Zn = n(R −R ) ( ), and the last inequality follows from ( , , ) = Pr{M = m | C = Cn}≤2 1 3 n 0 (by deﬁnition of J and L)andH(M | Z , L, J) ≤ 1+ m∈Cn(l) (69) 8nR1ε (by Fano’s inequality applied to the ﬁctitious receiver).

−n(R1−7ε) −n(R3−7ε) By construction of the code Cn, it holds that H(L) ≤ · 2 = 2 . nR2 and H(J) ≤ nR3. In addition, Part (3) of Lemma 6 1 − ε 1 − ε n implies H(M) ≥ n(R1 − 8ε). Finally, note that I(M; Z ) ≤ Putting these back into (68), we get I(Y n; Zn) = nI(Y; Z) by the data-processing inequality since M is a deterministic function of Y n and the memoryless Pr{L = l | C = Cn} property of the channel between Y n and Zn. Combining (70) R R −n R − ε − nε 1 −n R − ε these observations and substituting the values of 1, 2,and < 2 ( 3 7 ) 8ε · 2 7 + < 2 ( 3 8 ) R 1 − ε 3 given by (46) back into (73), we obtain for sufficiently large n.Thus,Part(4)isproved. 1 I K Zn J ≤ R R − R I Y Z n ( ; , ) 2 + 3 1 + ( ; ) In the remainder of the paper, we use a fixed code Cn identified by Lemma 6. For convenience, we drop the 2 + (8R1 +8R3 +8)ε + conditioning on Cn. n ≤ I Y Z − I Y Z R R ε 4.4. Secrecy Analysis. First we proceed to bound H(K). Note ( ; ) ; + (8 1 +8 3 +26) , that (75) H K = H L H K | L − H L | K ( ) ( ) + ( ) ( ) when n is sufficiently large. Without any rate limitation on (71) the public channel, we can choose the transition probability ≥ H(L) − H(L | K). p(y | y) such that I(Y; Z) − I(Y; Z) ≤ ε; therefore, Using Part (1) of Lemma 6 together with Fano’s inequality H L | K ≤ nεR gives ( ) 1+8 3. Moreover Part (4) of Lemma 6 1 I K Zn J ≤ R R ε. n ( ; , ) (8 1 +8 3 +27) (76) implies that H(L) >n(R3 − 8ε). Putting these bounds back into (71), we have Since ε>0 can be chosen arbitrarily, Part (1) of Lemma 6, 1 1 R − (8R +8)ε − < H(K) ≤ R . (72) (72), and (76), establish the achievability of the secret key 3 3 n n 3 rate I(Y; X) − I(Y; Z). 16 EURASIP Journal on Wireless Communications and Networking

5. Conclusion [10] F. Oggier and B. Hassibi, “The secrecy capacity of the MIMO wiretap channel,” in Proceedings of the 45th Allerton Conference We evaluated the key capacity of the fast-fading MIMO wire- on Communication, Control and Computing, pp. 848–855, tap channel. We found that spatial dimensionality provided Monticello, Ill, USA, September 2007. by the use of multiple antennas at the source and destination [11] T. Liu and S. Shamai, “A note on the secrecy capacity of can be employed to combat a channel-gain advantage of the multi-antenna wiretap channel,” IEEE Transactions on the eavesdropper over the destination. In particular if the Information Theory, vol. 55, no. 6, pp. 2547–2553, 2009. source has more antennas than the eavesdropper, then [12] R. Bustin, R. Liu, H. V. Poor, and S. Shamai, “An MMSE the channel gain advantage of the eavesdropper can be approach to the secrecy capacity of the MIMO Gaussian wiretap channel,” in Proceedings of the IEEE International completely overcome in the sense that the key capacity does Symposium on Information Theory (ISIT ’09), pp. 2602–2606, not vanish when the eavesdropper channel gain advantage Seoul, Korea, July 2009. becomes asymptotically large. This is the most interesting [13] U. M. Maurer, “Secret key agreement by public discussion observation of this paper, as no eavesdropper CSI is needed from common information,” IEEE Transactions on Informa- at the source or destination to achieve the non-vanishing key tion Theory, vol. 39, no. 3, pp. 733–742, 1993. capacity. [14] R. Ahlswede and I. Csiszar,´ “Common randomness in information theory and cryptography—part I: secret sharing,” IEEE Transactions on Information Theory,vol.39,no.4,pp. Acknowledgments 1121–1132, 1993. [15] I. Csiszar´ and P. Narayan, “Common randomness and secret TheworkofT.F.WongandJ.M.Sheawassupportedin key generation with a helper,” IEEE Transactions on Informa- part by the National Science Foundation under Grant CNS- tion Theory, vol. 46, no. 2, pp. 344–366, 2000. ffi 0626863 and by the Air Force O ce of Scientific Research [16] I. Csiszar´ and P. Narayan, “Secrecy capacities for multiple under Grant FA9550-07-10456. The authors would also like terminals,” IEEE Transactions on Information Theory, vol. 50, to thank Dr. Shlomo Shamai and the anonymous reviewers no. 12, pp. 3047–3061, 2004. for their detailed comments and thoughtful suggestions. [17] I. Csiszar´ and P.Narayan, “Secrecy capacities for multiterminal Theyaregratefultothereviewerwhopointedouta channel models,” IEEE Transactions on Information Theory, significant oversight in the proof of Theorem 1 in the original vol. 54, no. 6, pp. 2437–2452, 2008. version of the paper. They are also indebted to another [18] C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, reviewer who suggested the concavity argument in the proof “Generalized privacy amplification,” IEEE Transactions on of Lemma 2, which is much more elegant than the authors’ Information Theory, vol. 41, no. 6, pp. 1915–1923, 1995. [19] U. Maurer and S. Wolf, “Secret-key agreement over unauthen- original one. ticated public channels—part I: definitions and a completeness result,” IEEE Transactions on Information Theory, vol. 49, References no. 4, pp. 822–831, 2003. [20] U. Maurer and S. Wolf, “Secret-key agreement over unauthen- [1] A. Wyner, “The wire-tap channel,” Bell System Technical ticated public channels—part II: the simulatability condition,” Journal, vol. 54, pp. 1355–1387, 1975. IEEE Transactions on Information Theory,vol.49,no.4,pp. [2] S. K. Leung-Yan-Cheong and M. Hellman, “The Gaussian 832–838, 2003. wire-tap channel,” IEEE Transactions on Information Theory, [21] U. Maurer and S. Wolf, “Secret-key agreement over unauthen- vol. 24, no. 4, pp. 451–456, 1978. ticated public channels—part III: privacy amplification,” IEEE [3] I. Csiszar´ and J. Korner, “Broadcast channels with confidential Transactions on Information Theory, vol. 49, no. 4, pp. 839– messages,” IEEE Transactions on Information Theory, vol. 24, 851, 2003. no. 3, pp. 339–348, 1978. [22] L. Lai, H. El Gamal, and H. Poor, “The wiretap channel with [4] Y. Liang, H. Poor, and S. Shamai, “Secure communication over feedback: encryption over the channel,” IEEE Transactions on fading channels,” IEEE Transactions on Information Theory, Information Theory, vol. 54, no. 11, pp. 5059–5067, 2008. vol. 54, no. 6, pp. 2470–2492, 2008. [23] E. Tekin and A. Yener, “Effects of cooperation on the secrecy [5] P. Gopala, L. Lai, and H. El Gamal, “On the secrecy capacity of multiple access channels with generalized feedback,” in of fading channels,” IEEE Transactions on Information Theory, Proceedings of the 40th Annual Conference on Information vol. 54, no. 10, pp. 4687–4698, 2008. Sciences and Systems (CISS ’08),Princeton,NJ,USA,March [6] M. Bloch, J. Barros, M. Rodrigues, and S. W. McLaughlin, 2008. “Wireless information-theoretic security,” IEEE Transactions [24] E. Tekin and A. Yener, “The general Gaussian multiple-access on Information Theory, vol. 54, no. 6, pp. 2515–2534, 2008. and two-way wiretap channels: achievable rates and coopera- [7] A. Khisti, A. Tchamkerten, and G. Wornell, “Secure broadcast- tive jamming,” IEEE Transactions on Information Theory, vol. ing over fading channels,” IEEE Transactions on Information 54, no. 6, pp. 2735–2751, 2008. Theory, vol. 54, no. 6, pp. 2453–2469, 2008. [25] A. Khisti, S. Diggavi, and G. Wornell, “Secret-key generation [8] S. Shafiee, N. Liu, and S. Ulukus, “Towards the secrecy capacity with correlated sources and noisy channels,” in Proceedings of of the Gaussian MIMO wire-tap channel: the 2-2-1 channel,” IEEE International Symposium on Information Theory (ISIT IEEE Transactions on Information Theory,vol.55,no.9,pp. ’08), pp. 1005–1009, Toronto, Canada, July 2008. 4033–4039, 2009. [26] V. Prabhakaran, K. Eswaran, and K. Ramchandran, “Secrecy [9] A. Khisti and G. Wornell, “The MIMOME channel,” in via sources and channels—a secret key—secret message rate Proceedings of the 45th Annual Allerton Conference on Commu- tradeoff region,” in Proceedings of the IEEE International nication, Control, and Computing,p.8,Monticello,IL,USA, Symposium on Information Theory (ISIT ’08), pp. 1010–1014, October 2007, http://arxiv.org/abs/0710.1325. Toronto, Canada, July 2008. EURASIP Journal on Wireless Communications and Networking 17

[27] T. Cover and J. Thomas, Elements of Information Theory, Wiley-Interscience, New York, NY, USA, 2nd edition, 2006. [28] T. Han, Information-Spectrum Methods in Information Theory, Springer, Berlin, Germany, 2003. [29] E. Telatar, “Capacity of multi-antenna Gaussian channels,” European Transactions on Telecommunications,vol.10,no.6, pp. 585–595, 1999. [30] R. Horn and C. Johnson, Matrix Analysis, Cambridge Univer- sity Press, Cambridge, UK, 1985. [31] L. L. Scharf, Statistical Signal Processing: Detection, Estimation, and Time Series Analysis, Addison-Wesley, New York, NY, USA, 1990. [32] S. Boyd and L. Vandenberghe, Convex Optimization,Cam- bridge University Press, Cambridge, UK, 2004. [33] A. Marshall and I. Olkin, Inequalities: Theory of Majorization and Its Applications, Academic Press, Boston, Mass, USA, 1979. [34] D. Harville, Matrix Algebra from a Statistician’s Perspective, Springer, New York, NY, USA, 1997. [35] A. Khisti, G. Wornell, A. Wiesel, and Y. Eldar, “On the Gaussian MIMO wiretap channel,” in Proceedings of the IEEE International Symposium on Information Theory (ISIT ’07),pp. 2471–2475, Nice, France, June 2007. [36] Y. Oohama, “Gaussian multiterminal source coding,” IEEE Transactions on Information Theory, vol. 43, no. 6, pp. 1912– 1923, 1997. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 386547, 19 pages doi:10.1155/2009/386547

Research Article Secured Communication over Frequency-Selective Fading Channels: A Practical Vandermonde Precoding

Mari Kobayashi,1 Merouane´ Debbah,2 and Shlomo Shamai (Shitz)3

1 Department of Telecommunications, SUPELEC, 3 Rue Joliot-Curie, Gif-sur-Yvette, 91192, France 2 Alcatel-Lucent Chair on Flexible Radio, SUPELEC, 3 Rue Joliot-Curie, Gif-sur-Yvette, 91192, France 3 Department of Electrical Engineering, Technion-Israel Institute of Technology, Haifa 32000, Israel

Correspondence should be addressed to Mari Kobayashi, [email protected]

Received 2 February 2009; Accepted 16 June 2009

Recommended by H. Vincent Poor

We study the frequency-selective broadcast channel with confidential messages (BCC) where the transmitter sends a confidential message to receiver 1 and a common message to receivers 1 and 2. In the case of a block transmission of N symbols followed by a guard interval of L symbols, the frequency-selective channel can be modeled as a N × (N + L) Toeplitz matrix. For this special type of multiple-input multiple-output channels, we propose a practical Vandermonde precoding that projects the confidential messages in the null space of the channel seen by receiver 2 while superposing the common message. For this scheme, we provide the achievable rate region and characterize the optimal covariance for some special cases of interest. Interestingly, the proposed scheme can be applied to other multiuser scenarios such as the K + 1-user frequency-selective BCC with K confidential messages and the two-user frequency-selective BCC with two confidential messages. For each scenario, we provide the secrecy degree of freedom (s.d.o.f.) region of the corresponding channel and prove the optimality of the Vandermonde precoding. One of the appealing features of the proposed scheme is that it does not require any specific secrecy encoding technique but can be applied on top of any existing powerful encoding schemes.

Copyright © 2009 Mari Kobayashi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction rate). The secrecy capacity of the Gaussian wiretap channel was given in [2]. Csiszar´ and Korner¨ considered a more We consider a secured medium such that the transmitter general wiretap channel in which a common message for wishes to send a confidential message to its receiver while both receivers is sent in addition to the confidential message keeping the eavesdropper, tapping the channel, ignorant of [3]. For this model known as the broadcast channel with the message. Wyner [1] introduced this model named the confidential messages (BCC), the rate-tuple of the common wiretap channel to model the degraded broadcast channel and confidential messages was characterized. where the eavesdropper observes a degraded version of Recently, a significant effort has been made to oppor- the receiver’s signal. In this model, the confidentiality is tunistically exploit the space/time/user dimensions for measured by the equivocation rate, that is, the mutual secrecy communications (see, e.g., [4–14] and references information between the confidential message and the therein). In [4], the secrecy capacity of the ergodic slow fad- eavesdropper’s observation. For the discrete memoryless ing channels was characterized and the optimal power/rate degraded wiretap channel, Wyner characterized the capacity- allocation was derived. The secrecy capacity of the parallel equivocation region and showed that a nonzero secrecy rate fading channels was given [6, 7] where [7] considered can be achieved [1]. The most important operating point the BCC with a common message. Moreover, the secrecy on the capacity-equivocation region is the secrecy capacity, capacity of the wiretap channel with multiple antennas that is, the largest reliable communication rate such that the hasbeenstudiedin[8–13, 15] and references therein. eavesdropper obtains no information about the confidential In particular, the secrecy capacity of the multiple-input message (the equivocation rate is as large as the message multiple-output (MIMO) wiretap channel has been fully 2 EURASIP Journal on Wireless Communications and Networking characterized in [5, 11, 12, 14] and more recently its closed- might provide a new paradigm to design physical layer form expressions under a matrix covariance constraint have secrecy systems. been derived in [15]. Furthermore, a large number of recent In the case of a block transmission of N symbols followed works have considered the secrecy capacity region for more by a guard interval of L symbols discarded at both receivers, general broadcast channels. In [16], the authors studied the frequency-selective channel can be modeled as an N × the two-user MIMO Gaussian BCC where the capacity (N + L) MIMO Toeplitz matrix. In this contribution, we region for the case of one common and one confidential aim at designing a practical linear precoding scheme that message was characterized. The two-user BCC with two fully exploits the degrees of freedom (d.o.f.) offered by confidential messages, each of which must be kept secret to this special type of MIMO channels to transmit both the the unintended receiver, has been studied in [17–20]. In [18], common message and the confidential message. To this end, Liu and Poor characterized the secrecy capacity region for the let us start with the following remarks. On one hand, the multiple-input single-output (MISO) Gaussian BCC where idea of using OFDM modulation to convert the frequency- the optimality of the secret dirty paper coding (S-DPC) selective channel represented by the Toeplitz matrix into a scheme was proved. A recent contribution [19]extended set of parallel fading channel turns out to be useless from the result to the MIMO Gaussian BCC. The multireceiver a secrecy perspective. Indeed, it is known that the secrecy wiretap channels have been also studied in [21–26](and capacity of the parallel wiretap fading channels does not reference therein) where the confidential messages to each scale with SNR [7]. On the other hand, recent contributions receiver must be kept secret to an external eavesdropper. [5, 11, 12, 14, 15] showed that the secrecy capacity of the It has been proved that the secrecy capacity region of the MIMO wiretap channel grows linearly with SNR, that is, MIMO Gaussian multireceiver wiretap channels is achieved r log SNR where r denotes the secrecy degree of freedom by S-DPC [24, 26]. (s.d.o.f.) (to be specified). In the high SNR regime, the However, very few work have exploited the frequency secrecy capacity of the MISO/MIMO wiretap channel is selectivity nature of the channel for secrecy purposes [27] achieved by sending the confidential message in the null where the zeros of the channel provide an opportunity space of the eavesdropper’s channel [10, 11, 14, 15, 18, 19]. to “hide” information. This paper shows the opportuni- Therefore, OFDM modulation is highly suboptimal in terms ties provided by the broad-band channel and studies the of the s.d.o.f. frequency-selective BCC where the transmitter sends one Inspired by these remarks, we propose a linear Vander- confidential message to receiver 1 and one common message monde precoder that projects the confidential message in the to both receivers 1 and 2. The channel state information null space of the channel seen by receiver 2 while superposing (CSI) is assumed to be known to both the transmitter and the common message. Thanks to the orthogonality between the receivers. We consider the quasistatic frequency-selective the precoder of the confidential message and the channel fading channel with L + 1 paths such that the channel of receiver 2, receiver 2 obtains no information on the remains fixed during an entire transmission of n blocks for confidential message. This precoder is regarded as a single- an arbitrary large n. It should be remarked that in general antenna frequency beamformer that nulls the signal in the secrecy rate cannot scale with signal-to-noise ratio (SNR) certain directions seen by receiver 2. The Vandermonde over the channel at hand, unless the channel of receiver 2 structure comes from the fact that the frequency beamformer 2 N+L T has a null frequency band of positive Lebesgue measure (on is of the type [1, ai, ai , ..., ai ] where ai is one of which the transmitter can “hide” the confidential message). the roots of the channel seen by receiver 2. Note that In this contribution, we focus on the realistic case where Vandermonde matrices [31] have already been considered for receiver 2 has a full frequency band (without null subbands) cognitive radios [32] and CDMA systems [33]toreduce/null but operates in a reduced dimension due to practical interference but not for secrecy applications. One of the complexity issues. This is typical of current orthogonal appealing aspects of Vandermonde precoding is that it does frequency division multiplexing (OFDM) standards (such as not require a specific secrecy encoding technique but can be IEEE802.11a/WiMax or LTE [28–30]) where a guard interval applied on top of any classical capacity achieving encoding of L symbols is inserted at the beginning of each block to scheme. avoid the interblock interference and both receivers discard For the proposed scheme, we characterize its achiev- these L symbols. We assume that both users have the same able rate region, the rate-tuple of the common message, standard receiver, in particular receiver 2 cannot change the confidential message, respectively. Unfortunately, the its hardware structure. Studying secure communications optimal input covariances achieving their boundary are under this assumption is of interest in general and can be generally difficult to compute due to the nonconvexity of justified since receiver 2 is actually a legitimate receiver which the weighted sum rate maximization problem. Nevertheless, can receive a confidential message in other communication we show that there are some special cases of interest such periods. Of course, if receiver 2 is able to access the guard as the secrecy rate and the maximum sum rate point interval symbols, it can extract the confidential message and which enable an explicit characterization of the optimal the secrecy rate falls down to zero. Although we restrict input covariances. In addition, we provide the achievable ourselves to the reduced dimension constraint in this paper, d.o.f. region of the frequency-selective BCC, reflecting the other constraints on the limited capability at the unintended behavior of the achievable rate region in the high SNR receiver such as energy consumption or hardware complexity regime, and prove that the Vandermonde precoding achieves EURASIP Journal on Wireless Communications and Networking 3

AWGN Receiver 1 W0 Transmitter T (h) Decoder 1 W W Y n 1 0 Xn 1 Encoder W1 AWGN

T (g) Decoder 2 W0 Zn 1 Receiver 2 Figure 1: Frequency-selective broadcast channels with conﬁdential messages.

this region. More specifically, it enables to simultaneously NC (0, IN ) are mutually independent additive white Gaussian transmit l streams of the confidential message and N − l noise (AWGN). The input vector is subject to the power streams of the common message for l ≤ L simultaneously constraint given by over a block of N + L dimensions. Interestingly, the proposed n Vandermonde precoding can be applied to multiuser secure 1 H x[t] x[t] ≤ P,(2) communication scenarios: (a) a K + 1-user frequency- n t=1 selective BCC with K confidential messages and one common message, (b) a two-user frequency-selective BCC with where we let P = (N + L)P. The structure of T (h)isgivenby two confidential messages and one common message. For ⎡ ⎤ each scenario, we characterize the achievable s.d.o.f. region hL ··· h0 0 ··· 0 ⎢ ⎥ of the corresponding frequency-selective BCC and show the ⎢ ⎥ ⎢ . . . . ⎥ ⎢ ...... ⎥ optimality of the Vandermonde precoding. ⎢ 0 . ⎥ T (h) = ⎢ ⎥. (3) The paper is organized as follows. Section 2 presents ⎢ ⎥ ⎢ ...... ⎥ the frequency-selective fading BCC. Section 3 introduces ⎣ . . . . 0 ⎦ the Vandermonde precoding and characterizes its achievable 0 ··· 0 hL ··· h rate region as well as the optimal input covariances for 0 some special cases. Section 4 provides the application of the We assume that the channel matrices T (h), T (g)remain Vandermonde precoding to the multiuser secure communi- constant for the whole duration of the transmission of n cations scenarios. Section 5 shows some numerical examples blocks and are known to all terminals. At each block t,we of the proposed scheme in the various settings, and finally transmit N + L symbols by appending a guard interval of size Section 6 concludes the paper. L N larger than the delay spread, which enables to avoid Notation. In the following, upper (lower boldface) sym- the interference between neighbor blocks. bols will be used for matrices (column vectors) whereas T The transmitter wishes to send a common message W0 to lower symbols will represent scalar values, (·) will denote W two receivers and a confidential message 1 to receiver 1. A H T nR nR transpose operator, (·) conjugation, and (·) = ((·) ) (2 0 ,2 1 , n) code consists of the following: (1) two message n × n nR0 nR1 hermitian transpose. In,0n×m represent the identity sets W0 ={1, ...,2 } and W1 ={1, ...,2 } with the n×m | | matrix, zero matrix. A ,rank(A), tr(A)denoteadeter- messages W0, W1 uniformly distributed over the sets W0, W1, n minant, rank, trace of a matrix A,respectively.x denotes respectively; (2) a stochastic encoder that maps each message ... n w u v n the sequence (x[1], , x[ ]). , , , x, y, z denote the pair (w0, w1) ∈ (W0, W1)toacodewordx ;(3)onedecoder realization of the random variables W, U, V, X, Y, Z. Finally, at receiver 1 that maps a received sequence yn to a message “” denotes less or equal to in the positive semidefinite w (1) w ∈ W W pair ( 0 , 1) ( 0, 1) and another at receiver 2 that ordering between positive semidefinite matrices, that is, we n w (2) ∈ W maps a received sequence z to a message 0 0.The have A B if B − A is positive semidefinite. nR nR average error probability of a (2 0 ,2 1 , n)codeisdefinedas n 1 n 2. System Model Pe = Pe (w0, w1),(4) nR0 nR1 2 2 w ∈W w ∈W We consider the quasistatic frequency-selective fading BCC 0 0 1 1 t t ∈ CN×1 n illustrated in Figure 1. The received signal y[ ], z[ ] where Pe (w0, w1) denotes the error probability when the t of receivers 1, 2 at block is given by message pair (w0, w1)issentdefinedby y[t] = T (h)x[t] + n[t], n (1) (2) Pe (w , w ) Pr w , w =/ (w , w ) ∪ w =/ w . (5) (1) 0 1 0 1 0 1 0 0 z[t] = T g x[t] + ν[t], t = 1, ..., n, The secrecy level of the confidential message W1 at R where T (h), T (g)denoteanN × (N + L) Toeplitz matrix receiver 2 is measured by the equivocation rate e defined as with the L + 1-path channel vector h = [hL, ..., h0]of = gL ... g t ∈ user 1, g [ , , 0]ofuser2,respectively,x[ ] 1 n N L × R H W | Z C( + ) 1 denotes the transmit vector, and finally n[t], ν[t] ∼ e n ( 1 ) (6) 4 EURASIP Journal on Wireless Communications and Networking which is the normalized entropy of the confidential message (In [15, 19] the authors consider the real matrices H, G. conditioned on the received signal at receiver 2 and available Nevertheless, it is conjectured that for complex matrices CSI. the following expression without 1/2 in the prelog holds.) Arate-equivocationtuple(R0, R1, Re)issaidtobe As explicitly characterized in [15, Theorem 2], the optimal achievable if for any > 0 there exists a sequence of codes input covariance achieving the above region is chosen such nR nR (2 0 ,2 1 , n) such that we have that the confidential message is sent over r subchannels where receiver 1 observes stronger signals than receiver 2. Pn ≤ e , Moreover, in the high SNR regime the optimal strategy (7) converges to beamforming into the null subspace of G [5, 11, R − Re ≤ . 1 12, 14] as for the MISO case [14, 18].Inordertocharacterize In this paper, we focus on the perfect secrecy case where the behavior of the secrecy capacity region in the high SNR receiver 2 obtains no information about the confidential regime, we define the d.o.f. region as message W1, which is equivalent to Re = R1. In this R R R0 R1 setting, an achievable rate region ( 0, 1) of the general BCC (r0, r1) lim , , (13) (expressed in bit per channel use per dimension) is given by P →∞ log P log P [3] r where 1 denotes s.d.o.f. which corresponds precisely to the 1 number r of the generalized eigenvalues greater than one in Cs = (R R ) R ≤ {I(U Y) I(U Z)} 0, 1 : 0 N L min ; , ; , the high SNR. p(u,v,x) + 1 R ≤ [I(V; Y | U) − I(V; Z | U)] , 3. Vandermonde Precoding 1 N + L (8) For the frequency-selective BCC specified in Section 2,we wish to design a practical linear precoding scheme which U V X where the union is over all possible distribution , , fully exploits the d.o.f. offered by the frequency-selective satisfying [20, Lemma 1] channel. We remarked previously that for a special case when only the confidential message is sent to receiver 1 U, V −→ X −→ Y, Z,(9) (without a common message), the optimal strategy consists where U might be a deterministic function of V.Recently, of beamforming the confidential signal into the null subspace the secrecy capacity region Cs of the two-user MIMO-BCC of receiver 2. By applying this intuitive result to the special (1) was characterized in [16] and is given by all possible rate Toeplitz MIMO channels T (h), T (g) while including a tuples (R0, R1) satisfying common message, we propose a linear precoding strategy named Vandermonde precoding. Prior to the definition of the 1 I + HSHH I + GSGH Vandermonde precoding, we provide some properties of a R ≤ min log ,log , 0 N + L |I + HKHH | |I + GKGH | Vandermonde matrix [31]. 1 H H Property 1. Given a full-rank Toeplitz matrix T (g) ∈ R ≤ logI + HKH − logI + GKG 1 N L N×(N+L) (N+L)×l + C , there exists a Vandermonde matrix V1 ∈ C (10) for l ≤ L whose structure is given by ⎡ ⎤ for some 0 K S with S denotes the input covariance 1 ··· 1 ≤ P ⎢ ⎥ satisfying tr(S) and H, G denotes the channel ⎢ ⎥ ⎢ a ··· al ⎥ matrix of receiver 1, 2, respectively. Obviously, when only ⎢ 1 ⎥ ⎢ ⎥ the confidential message is transmitted to receiver 1, the ⎢ a2 ··· a2 ⎥ V = ⎢ 1 l ⎥, (14) frequency-selective BCC (1) reduces to the MIMO flat- 1 ⎢ ⎥ ⎢ ⎥ ⎢ . .. . ⎥ fading wiretap channel whose secrecy capacity has been ⎣ . . . ⎦ characterized in [10–12, 14, 15]. In particular, Bustin et al. aN+L−1 ··· aN+L−1 derived its closed-form expression under a power-covariance 1 l constraint [15]. Under a total power (trace) constraint, the where {a , ..., al} are the l ≤ L roots of the polynomial secrecy capacity of the MIMO Gaussian wiretap channel is 1 S z = L g zL−i L ffi expressed as [19,Theorem3] ( ) i=0 i with +1coe cients of the channel g. Clearly V1 satisfies the following orthogonal condition: r 1 Cs = log φj , (11) T = N + L g V1 0N×l, (15) S 0; tr(S)≤P j=1 = l a a ... a ff {φ }r and rank (V1) if 1, 2, , l are all di erent. where j j=1 are the generalized eigen-values greater than one of the following pencil: It is well known that as the dimension of N and L 1/2 H 1/2 1/2 H 1/2 . increases, the Vandermonde matrix V1 becomes ill- I + S HH S , I + S GG S (12) conditioned unless the roots are on the unit circle. In other EURASIP Journal on Wireless Communications and Networking 5

R 1 Theorem 3. The Vandermonde precoding achieves the following secrecy rate region: A ⎧ ⎨ R = R R R s cov ⎩( 0, 1) : 0 R s (S0,S1)∈F 1 Rs ≤ N + L ⎧ ⎨ H H IN + H0S0H + H1S1H C × 0 1 min⎩log H , N B I + H1S1H1 ⎫ ⎬ R 0 H log IN + G0S0G0 ⎭, Figure 2: Achievable rate region Rs obtained by the convex hull on Rs. ⎫ ⎬ 1 H R ≤ logIN + H S H , 1 N + L 1 1 1 ⎭ words, the elements of each column either grow in energy or tend to zero [31]. Hence, instead of the brut Vandermonde (19) matrix (14), we consider a unitary Vandermonde matrix where cov denotes the convex hull and we let H = T (h)V , obtained either by applying the Gram-Schmidt orthogonal- 0 0 H = T (h)V , G = T (g)V . ization or singular value decomposition (SVD) on T (g). 1 1 0 0 Proof. Due to the orthogonal property (16) of the unitary Deﬁnition 1. We let V1 be a unitary Vandermonde matrix Vandermonde matrix, receiver 2 only observes the common obtained by orthogonalizing the columns of V1.WeletV0 ∈ (N+L)×(N+L−l) message, which yields the received signals given by C be a unitary matrix in the null space of V1 such H = W that V0 V1 0. The common message 0, the conﬁdential y = T (h)V0u0 + T (h)V1u1 + n, message W1,issentalongV0, V1,respectively.WecallV = (20) (N+L)×(N+L) = T ν [V0, V1] ∈ C Vandermonde precoder. z g V0u0 + ,

Further, the precoding matrix V for the confidential where we drop the block index. We examine the achievable 1 R message satisfies the following property. rate region s of the Vandermonde precoding. By letting the auxiliary variables U = V0u0, V = U + V1u1 and X = V,we Lemma 2. Given two Toeplitz matrices T (h), T (g) where h, have g are linearly independent, there exists a unitary Vandermonde I U Y (N+L)×l ( ; ) matrix V1 ∈ C for 0 ≤ l ≤ L satisfying 1 T g V = 0N×l, = 1 N + L (16) rank(T (h)V1) = l. H H H H IN + T (h)V S V T (h) + T (h)V S V T (h) 0 0 0 1 1 1 × log , Proof. Appendix A. T H T H IN + (h)V1S1V1 (h) In order to send the confidential message intended to receiver 1 as well as the common message to both receivers I U Z = 1 T H T H ( ; ) N L log IN + g V0S0V0 (g) , over the frequency-selective channel (1), we consider the + Gaussian superposition coding based on the Vandermonde 1 H H I(V; Y | U) = logIN + T (h)V S V T (h) , precoder of Definition 1. Namely, at block t, we form the N + L 1 1 1 transmit vector as I(V; Z | U) = 0. t = t t x[ ] V0u0[ ] + V1u1[ ], (17) (21) t where the common message vector u0[ ] and the confidential Plugging these expressions to (8), we obtain (19). message vector u1[t] are mutually independent Gaussian vectorswithzeromeanandcovarianceS0, S1,respectively. The boundary of the achievable rate region of the Under this condition, the input covariances subject to Vandermonde precoding can be characterized by solving the weighted sum rate maximization. Any point (R, R) on the tr(S ) +tr(S ) ≤ P (18) 0 1 0 1 boundary of the convex region Rs is obtained by solving satisfy the power constraint (2). We let F denote the feasible max γ0R0 + γ1R1 (22) set (S0, S1) satisfying (18). (R0,R1)∈Rs 6 EURASIP Journal on Wireless Communications and Networking

γ γ γ γ = for nonnegative weights 0, 1 satisfying 0 + 1 1. When Case 3. (S0 , S1 ) maximizes the region Rs, obtained without convex hull, is nonconvex, ⎡ the set of the optimal covariances (S , S ) achieving the H H 0 1 IN + H S H + H S H ⎣ 1 1 1 0 0 0 boundary point might not be unique. Figure 2 depicts an f3(S0, S1) = γ0 θ log H example in which the achievable rate region Rs is obtained IN + H1S1H1 by the convex hull operation on the region Rs, that is, ⎤ A replacing the non-convex subregion by the line segment , H ⎦ (27) +(1 − θ) logIN + G S G B. For the weight ratio γ1/γ0 corresponding to the slope 0 0 0 of the line segment A, B, there exist two optimal sets of A B the covariances yielding the points and (which clearly γ H dominate the point C). These points are the solution to + 1 log IN + H1S1H1 the weighted sum rate maximization (22). In summary, an R = R <θ< optimal covariance set achieving (22) (might not be unique) and satisﬁes 01(S0 , S1 ) 02(S1 ) for some 0 1. is the solution of Before considering the weighted sum rate maximization N×l N×(N+L−l) (23),oneappliesSVDtoH1 ∈ C , G0 ∈ C max γ0R0 + γ1R1 = max γ0 min{R01, R02} + γ1R1, (S ,S )∈F (S ,S )∈F 0 1 0 1 H (23) H1 = Uh1Λh1Vh1 , (28) H G0 = Ug0Λg0Vg0 , where we let ∈ CN×N ∈ Cl×l ∈ where Uh1, Ug0 , Vh1 ,andVg0 N L−l × N L−l H H C( + ) ( + ) are unitary, Λh , Λg contain positive singular IN + H0S0H0 + H1S1H1 ! ! 1 0 1 g R01(S0, S1) = log , h1 l 0 N+L−l N L H values { λi }i= , { λi }i= ,respectively.Following[7, + IN + H1S1H 1 1 1 Theorem 3], one applies Lemma 4 to solve the weighted sum rate maximization. R = 1 H (24) 02(S0) log IN + G0S0G0 , N + L Theorem 5. Thesetoftheoptimalcovariances(S0 , S1 ), R 1 H achieving the boundary of the achievable rate region s of the R (S ) = logIN + H S H . 1 1 N + L 1 1 1 Vandermonde precoding, corresponds to one of the following three solutions.

Following [34, Section II-C] (and also [7, Lemma 2]), we = 1 1 1 1 Case 1. (S0 , S1 ) (S0, S1), if (S0, S1), solution of the remark that the solution to the max-min problem (23)can R 1 1

= 3 3 3 3 Case 3. (S0 , S1 ) (S0, S1), if (S0, S1), solution of the Theorem 8. The d.o.f. region of the frequency-selective BCC Rθ 3 = Rθ 3 3 N L × L T T following KKT conditions, satisﬁes 02(S1) 01(S0, S1)for (1) with ( + ) Toeplitz matrices (h), (g) is given as some 0 <θ<1 aunionof(r0, r1) = (1/(N + L))(l0, l) satisfying −1 l ≤ L θ H Γ−1 − θ H H Ψ , (33) H0 H0 + (1 )G0 IN + G0S0G0 G0 + 0 l0 + l ≤ N, (34) = μIN+L−l, l l −1 where 0, denote non-negative integers. The Vandermonde γ θ H Γ−1 γ − γ θ H H Ψ 0 H1 H1 + 1 0 H1 IN + H1S1H1 H1 + 1 precoding achieves the above d.o.f. region.

= μIl, Proof. The achievability follows rather trivially by applying (31) Theorem 3. By considering equal power allocation over all N + L streams such that S0 = PIN+L−l, S1 = PIl,weobtain where tr(ΨiSi) = 0 with a positive semidefinite Ψi for i = the rate tuple (R0, R1)whereR0 ≤ min(R01, R02) 0, 1, μ ≥ 0 is determined such that tr(S0)+tr(S1) = P. R01 Proof. Appendix B. = 1 N + L Remark 6. Due to the non-concavity of the underlying ffi H H H H weighted sum rate functions, it is generally di cult to IN + PT (h)V V T (h) + PT (h)V V T (h) 0 0 1 1 characterize the boundary of the achievable rate region Rs × log , PT H T H except for some special cases. The special cases include the IN + (h)V1V1 (h) corner points, in particular, the secrecy rate for the case of γ = R = 1 PT H T H sending only the confidential message ( 1 1), as well as the 02 N L log IN + g V0V0 (g) , maximum sum rate point for the equal weight case (γ = γ ). + 0 1 It is worth noticing that under equal weight the objective R ≤ 1 PT H T H . 1 log IN + (h)V1V1 (h) functions in three cases are all concave in S0, S1 since f1 is N + L concave if γ1 ≥ γ0 and f3 is concave if γ1 ≥ γ0θ and 0 <θ<1. (35) We first notice that the prelog factor of log |I+PA| as P →∞ The maximum sum rate point γ0 = γ1 can be found by applying the following greedy search [7]. depends only on the rank of A.FromLemma 2,weobtain T H T H rank (h)V1V1 (h) Greedy Search to Find the Maximum Sum Rate Point. (1) (36) f R

(b) L = rank(T (h)) = N, = 1 μλh1 N L log ( i )+, + i= 1 where (a) follows from orthogonality between T (g)andV1, (32) (b) follows from the fact that V = [V0V1] is unitary satisfying H VV = I. Notice that (36) yields r1 = l/(N +L). For the d.o.f. = where the last equality is obtained by applying SVD to H1 r0 = l0/(N + L) of the common message, (36)and(38)yield T γ = (h)V1 and plugging the power allocation of (30) with 0 0, γ = μ L p ≤ P l = T H H T H 1 1, is determined such that l=1 1i . 0 rank (h) V0V0 + V1V1 (h) − T H T H Finally, by focusing the behavior of the achievable rank (h)V1V1 (h) (39) rate region in the high SNR regime, we characterize the achievable d.o.f. region of the frequency-selective BCC (1). = N − l 8 EURASIP Journal on Wireless Communications and Networking

l The received signal yk of receiver k and the received signal z of receiver K + 1 at any block are given by

yk = T (hk)x + nk, k = 1, ..., K, AB (40) L z = T g x + ν, (41)

l l = N 0 + where x is the transmit vector satisfying the total power constraint and n1, ..., nK , ν are mutually independent AWGN with covariance I. We assume that the K +1vectors C h1, ..., hK , g of length L + 1 are linearly independent and l0 N − L N perfectly known to all the terminals. As an extension of the frequency-selective BCC in Section 2, we say that the rate Figure 3: d.o.f. region (l0, l1) of frequency-selective BCC. tuple (R0, R1, ..., RK )isachievableifforany > 0 there exists nR nR nR asequenceofcodes(2 0 ,2 1 , ...,2 K , n) such that

Pn ≤ which is dominated by the pre-log of R02 in (37). This e , establishes the achievability. 1 (42) The converse follows by noticing that the inequalities R − H W | Zn ≤ K ⊆{ ... K} k n ( K ) , 1, , , (33)and(34) correspond to trivial upper bounds. The first k∈K inequality (33) corresponds to the s.d.o.f. of the MIMO W ={∀k ∈ K W } wiretap channel with the legitimate channel T (h) and the where we denote K , k and define eavesdropper channel T (g), which is bounded by L.The n 1 Pe = $K second inequality (34) follows because the total number of nRk T k=02 streams for receiver 1 cannot be larger than the d.o.f. of (h), ⎛ ⎞ that is, N. K × ··· ⎝ w (k) w = w w ⎠. Pr 0 , k / ( 0, k) w ∈W w ∈W k= Figure 3 illustrates the region (l, l0) of the frequency- 0 0 K K 1 selective BCC over N + L dimensions. We notice that the (43) s.d.o.f. constraint (33) yields the line segment A, B while the constraint (34) in terms of the total number of streams for First, we state the following lemma that characterizes an K receiver 1 yields the line segment B, C. achievable rate region of the + 1-user BCC. Lemma 9. An achievable rate region R of the K +1-user BCC, 4. Multiuser Secure Communications where the transmitter sends K confidential messages intended to the first K receivers as well as a common message to all users, In this section, we provide some applications of the Vander- is given by monde precoding in the multi-user secure communication scenarios where the transmitter wishes to send confidential R = conv Rπ , (44) messages to more than one intended receivers. The scenarios π thatweaddressare:(a)aK + 1-user frequency-selective BCC with K confidential messages and one common message, (b) where conv denotes the convex hull, the union is over all π a two-user frequency-selective BCC with two confidential possible K! encoding orders and R denotes an achievable messages and one common message. For each scenario, region for a specific encoding order π given as a union of all by focusing on the behavior in the high SNR regime, we non-negative rate-tuple satisfying characterize the achievable s.d.o.f. region and show the optimality of the Vandermonde precoding. R0 ≤ min I(U; Z),minI(U; Yk) , k 4.1. K + 1-User BCC with K Confidential Messages. As an Rπ(1) ≤ I Vπ(1); Yπ(1)U − I Vπ(1); ZU , extension of Section 3, we consider the K +1-user frequency- R ≤ I V Y U selective BCC where the transmitter sends K ≤ L confidential π(k) π(k); π(k) messages W1, ..., WK to the first K receiversaswellasone − I Vπ(k); Vπ( ), ··· , Vπ(k− ), Z | U , k = 2, ··· , K, common message W to all receivers. Each of the confidential 1 1 0 (45) messagesmustbekeptsecrettoreceiverK + 1. Notice that this model, called multireceiver wiretap channel, has been where the random variables U, V1, ··· , VK , X, Y1, ··· , YK , Z studied in the literature ([20, 22–26] and reference therein). satisfy the Markov chain In particular, the secrecy capacity region of the Gaussian MIMO multireceiver wiretap channel has been characterized U, V1, ··· , VK → X → Y1, ··· , YK , Z (46) in [24, 26]forK = 2, an arbitrary K, respectively, where the optimality of the S-DPC is proved. Proof. Appendix C. EURASIP Journal on Wireless Communications and Networking 9

l0 N + L = 6, N = 4 C N Rx 1

N − L l1 + l2 = 2 B 2 B1 Rx 2

A2 A1 LL l2 l1 Eavesdropper

Figure 4: s.d.o.f. region (l0, l1, l2)overN + L dimensions of three- user frequency-selective BCC. Figure 5: Equivalent MIMO interpretation for three-user frequency-selective BCC with two confidential messages. We remark that some special cases of the K + 1-user BCC have been studied in the literature. These include the case of MIMO interpretation [36]. More specifically, the frequency- K = 2 without the common message [26], the case without selective BCC (40) is equivalent to the MIMO-BCC where the secrecy constraint and K = 2. In the latter case, the above the transmitter with N + L dimensions (antennas) sends region reduces to the Marton’s achievable region [37]. messages to K receivers with N antennas each in the presence In order to focus on the behavior of the region in the high of the eavesdropper with N antennas. The secrecy constraint SNR regime, we define the s.d.o.f. region as (orthogonal constraint) consumes N dimensions of the

R0 Rk channel seen by the virtual receiver and lets the number of r0 = lim , rk = lim , k = 1, ..., K, (47) ff L P →∞log P P →∞log P e ective transmit antennas be . The resulting channel is the MIMO-BC without secrecy constraint with L transmit K N where r0 denotes the d.o.f. of the common message and rk antennas and receivers with antennas each, whose denotes the s.d.o.f. of confidential message k.Asanextension multiplexing gain is min(L, KN) = L (we assume L 0 1 2 n A A B B any 0 there exists a sequence of codes (2 ,2 ,2 , ) subspace 1, 2, 2, 1. We remark that for the special case of such that one confidential message and one common message (K = 1), n the region reduces to Figure 3. Pe ≤ , Remark 11. When only the K confidential messages are 1 n 1 n R1 − H W1 | Y ≤ , R2 − H W2 | Y ≤ , transmitted to the K intended receivers in the presence n 2 n 1 of the eavesdropper, the s.d.o.f. region has the equivalent (51) 10 EURASIP Journal on Wireless Communications and Networking

l where we deﬁne the average error probability as 0

n 1 C N Pe = $ 2 nRk k=02 × w (1) w = w w Pr 0 , 1 / ( 0, 1) (52) w0∈W0w1∈W1w2∈W2 N − L ∪ w (2) w = w w 0 , 2 / ( 0, 2) , B2 B1 w (1) w w (2) w E where ( 0 , 1), ( 0 , 2) is the output of decoders 1, 2, respectively. A secrecy achievable rate region of the two-user BCC with two confidential messages and a common message A A is given by [20,Theorem1] 2 1 LL l l2 1 R0 ≤ min{I(U; Y1), I(U; Y2)}, F Figure 6: s.d.o.f. region (l , l , l )overN + L dimensions of K = 2- R1 ≤ I(V1; Y1 | U) − I(V1; Y2, V2 | U), (53) 0 1 2 user frequency-selective BCC. R2 ≤ I(V2; Y2 | U) − I(V2; Y1, V1 | U), where the random variables satisfy the Markov chain of the s.d.o.f. has the equivalent MIMO interpretation [36]. More specifically, the frequency-selective BCC (40)is U V V −→ X −→ Y Y . , 1, 2 1, 2 (54) equivalent to the MIMO-BCC where the transmitter with N+L dimensions (antennas) sends two confidential messages We extend Theorem 8 to the two-user frequency-selective to two receivers with N antennas. The secrecy constraint BCC (50) and obtain the following s.d.o.f. result. consumes N dimensions for each MIMO link and lets the ff L Theorem 12. The s.d.o.f. region of the two-user frequency- number of e ective transmit antennas be for each user. The resulting channel is a two parallel L × N point-to-point selective BCC (50) is a union of (r0, r1, r2) = (1/(N + MIMO channel without eavesdropper. Notice that the same L))(l0, l1, l2) satisfying parallel MIMO links can be obtained by applying the block lk ≤ L, k = 1, 2, (55) diagonalization on the MIMO-BC without secrecy constraint [36]. In other words, the secrecy constraint in the BCC l0 + lk ≤ N, k = 1, 2, (56) with inner eavesdroppers is equivalent to the orthogonal constraint in the classical MIMO-BC. Figure 7 shows the where {l0, l1, l2} are non-negative integers. The Vandermonde example with N = 4, L = 2, and K = 2confidential precoding achieves the region. messages. Proof. Appendix F. 5. Numerical Examples Figure 6 represents the s.d.o.f. region (l0, l1, l2)overN +L dimensions of the two-user frequency-selective BCC. The In order to examine the performance of the proposed Van- per-receiver s.d.o.f. constraints (55) yield the subspace A1, dermonde precoding, this section provides some numerical ff B1, E, F for user 1 and the subspace A2, B2, E, F foruser2. results in di erent settings. The constraints (56) in terms of the total number of streams C B E per receiver yield the subregion , 1, for user 1 and the 5.1. Secrecy Rate versus SNR. We evaluate the achievable subregion C, B2, E for user 2. For the special case of one Rvdm secrecy rate 1 in (32) when the transmitter sends only confidential message and one common message, the region a confidential message to receiver 1 (without a common reduces to Figure 3. message) in the presence of receiver 2 (eavesdropper) over the frequency-selective BCC studied in Section 3. Remark 13. Comparing Theorems 10, 12 as well as Figures 4, 6 for K = 2, it clearly appears that the s.d.o.f. of K +1- user BCC with K confidential messages is dominated by 5.1.1. MISO Wiretap Channel. For the sake of comparison the s.d.o.f. of K-user BCC with K confidential messages. (albeit unrealistic), we consider the special case of the In other words, the s.d.o.f. region critically depends on frequency-selective wiretap channel when receiver 1 has a N the assumption on the eavesdropper(s) to whom each scalar observation and the eavesdropper has observations. confidential message must be kept secret. This is equivalent to the MISO wiretap channel with the receiver 1 channel h ∈ C1×(N+L) and the eavesdropper channel T (g) ∈ CN×(N+L). Without loss of generality, we Remark 14. When only two confidential messages are trans- assume that the observation at receiver 1 is the first row mitted in the two-user frequency-selective BCC, the set of T (h). We consider that all entries of h, g are i.i.d. ∼ EURASIP Journal on Wireless Communications and Networking 11

. N + L = 6, N = 4 0 25

0.2 l1 = 2

0.15

0.1 Rate (bps/Hz)

l2 = 2

0.05

N = 64, L = 16 Figure 7: Equivalent MIMO interpretation for the two-user 0 − − − − frequency-selective BCC with two conﬁdential messages. 20 15 10 5 0 5 1015202530 SNR (dB)

N / L Secrecy capacity C (0, 1 ( + 1)) and average the secrecy rate over a large Vandermonde number of randomly generated channels with N = 64, L = 16. In Figure 8, we compare the optimal beamforming Figure 8: Achievable secrecy rate with one observation at receiver 1 N = L = strategy [10, 13, 14] and the Vandermonde precoding as a and 64, 16 (MISO wiretap channel). function of SNR P. Since only one stream is sent to receiver 1, the s.d.o.f. is 1/(N + L). In fact, the MISO secrecy capacity 2 in the high SNR regime is given by 1 2 log 1+(N + L)P max hφ , (57) 1.5 N + L φ:T (g)φ=0 where φ ∈ C(N+L)×1 is the beamforming vector. The Vandermonde precoding achieves 1 1 2 log 1+(N + L)P max hv1,i , (58) N + L i=1,...,L 0.5 Secrecy rate (bps/Hz) (N+L)×L where v1,i denotes the ith column of V1 ∈ C orthogonal to T (g). Clearly, there exists a constant gap between (57)and(58) due to the suboptimal choice of the N = 64, L = 16 0 beamforming vector. −10 −5 0 5 1015202530 SNR (dB) 5.1.2. MIMO Wiretap Channel. We consider the frequency- N = L = 0Vandermonde + WF selective wiretap channel with 64, 16. Although Vandermonde + equal power there exists a closed-form expression under a power- Generalized SVD covariance constraint [15], the secrecy capacity under a N = L = total power constraint in (11)isstilldifficult to compute Figure 9: Achievable secrecy rate with 64, 16 (MIMO (especially for a large dimension of N and L)because wiretap channel). it requires a search over all possible power covariances constraints. Therefore, in Figure 9, we compare the averaged secrecy rate achieved by the generalized SVD scheme [5] 5.2. The Maximum Sum Rate Point (R0,R1)versusSNR. We and the Vandermonde precoding. We assume that all entries consider the frequency-selective BCC with one confidential of h, g are i.i.d. ∼ NC (0, 1/(L + 1)). For the Vandermonde message to receiver 1 and one common message to two precoding, we show the achievable rate with waterfilling receivers. In particular, we characterize the maximum sum power allocation (32) and equal power allocation (36)by rate-tuple corresponding to γ0 = γ1 on the boundary of allocating p = (N + L)P/L to L streams. As observed, these the achievable rate region Rs. Figure 10 shows the averaged two suboptimal schemes achieve the same s.d.o.f. of L/(N + maximum sum rate-tuple (R0, R1) of the Vandermonde L) = 1/5 although the generalized SVD incurs a substantial precoding both with optimal input covariance computed by powerloss.TheresultagreeswellwithTheorem 8.We the greedy algorithm and with equal power allocation. We remark also that the optimal waterfilling power allocation remark that there is essentially no loss with the equal power yields a negligible gain. allocation. 12 EURASIP Journal on Wireless Communications and Networking

10 Vandermonde precoding achieves the secrecy rate region given by all possible rate-tuples (R1, R2) 8 1 2 R1 ≤ log 1+p1 max h1v1,i , L +1 i=1,...,L (59) 6 1 2 R2 ≤ log 1+p2 max h2v2,i Sum rate L +1 i=1,...,L

4 R satisfying p1 + p2 = (L +1)P where v1,i, v2,i denotes the ith 0 (N+L)×L (N+L)×L column of V1 ∈ C orthogonal to h2, V2 ∈ C orthogonal to h1,respectively.Figure 11 compares the aver- 2

Common/secrecy rate (bps/Hz) R 1 aged secrecy rate region of the Vandermonde precoding, zero-forcing beamforming, and the optimal S-DPC scheme N = L = 64, 16 L = ∼ NC / L 0 for 5whereallentriesofh1, h2 are i.i.d. (0, 1 ( + −10 −5 0 5 1015202530 1)). As observed, the Vandermonde precoding achieves the SNR (dB) near-optimal rate region. As the number of paths L increases, the gap with respect to the S-DPC becomes smaller since Vandermonde + WF the Vandermonde precoding tends to choose the optimal Vandermonde + equal power beamformer matched to the channels. Figure 10: Achievable secrecy/common rates N = 64, L = 16 in the frequency-selective BCC. 6. Conclusions We considered the secured communication over the frequency-selective channel by focusing on the frequency- selective BCC. In the case of a block transmission of N . 1 4 symbols followed by a guard interval of L symbols discarded . at both receivers, the frequency-selective channel can be 1 2 modeled as an N × (N + L) Toeplitz matrix. For this special 1 type of MIMO channels, we proposed a practical yet order- optimal Vandermonde precoding which enables to send l ≤ L N − l 0.8 streams of the confidential messages and streams of the common messages simultaneously over a block of 0.6 N + L dimensions. The key idea here consists of exploiting the frequency dimension to “hide” confidential information 0.4 Secrecy rate 2 (bps/HZ) in the zeros of the channel seen by the unintended receiver similarly to the spatial beamforming. We also provided some 0.2 application of the Vandermonde precoding in the multiuser L = 5, SNR= 10 dB secured communication scenarios and proved the optimality 0 00.20.40.60.811.21.4 of the proposed scheme in terms of the achievable s.d.o.f. Secrecy rate 1 (bps/HZ) region. We conclude this paper by noticing that there exists a sDPC simple approach to establish secured communications. More Vandermonde specifically, perfect secrecy can be built in two separated ZF blocks: (1) a precoding that cancels the channel seen by Figure 11: Achievable secrecy rate region N = 1, L = 5 (MISO- the eavesdropper to fulfill the equivocation requirement, (2) BCC). the powerful off-the-shelf encoding techniques to achieve the secrecy rate. Since the practical implementation of secrecy encoding techniques (random binning) remains a formidable challenge, such design is of great interest for the 5.3. Two-User Secrecy Rate Region in the Frequency-Selective future secrecy systems. BCC. We consider the two-user frequency-selective BCC where the transmitter sends two confidential messages (no Appendices common message) of Section 4.2. For the sake of comparison (albeit unrealistic), we consider the special case of one A. Proof of Lemma 2 observation N = 1 at each receiver. Notice that the two- user frequency-selective BCC is equivalent to the two-user In this appendix, we consider the rank of T (h)V1 where V1 1×(L+1) MISO BCC with h1, h2 ∈ C whose secrecy capacity satisfies the orthogonality T (g)V1 = 0. By letting v1,i denote region is achieved by the S-DPC scheme [18]. The proposed the ith column of V1 we have V1 = [v1,1, ..., v1,L] for the EURASIP Journal on Wireless Communications and Networking 13

case of l = L. We define the matrix G orthogonal to V1 by which are necessary for the optimality. It can be easily shown L − l H ... H T Ψ appending rows v1,l+1, , v1,L to (g) that the KKT conditions are given by (29)where i ⎡ ⎤ 0 is the Lagrangian dual matrix associated to the positive T g semidefiniteness constraint of Si for i = 0, 1 and μ ≥ 0is ⎢ ⎥ ⎢ H ⎥ the Lagrangian dual variable associated to the total power ⎢v ⎥ ⎢ 1,l+1 ⎥ constraint. It clearly appears that for γ ≥ γ the objective G = ⎢ ⎥. (A.1) 1 0 ⎢ . ⎥ is concave in S , S and the problem at hand is convex. In ⎢ . ⎥ 0 1 ⎣ ⎦ this case, any convex optimization algorithm, the gradient- H v1,L based algorithm [37] for example, can be applied to find the optimal solution while the algorithm converges to a local N L − l Notice that all + rows are linearly independent. By optimal solution for γ1 <γ0. ffi H definition of V1,itisnotdi cult to see that G and V1 form a complete set of basis for an N +L-dimensional linear space. Case 2. Supposing R02 0. Notice that if where (a) follows from the orthogonality GV1 = 0and 0 H H γ = R = R = V V = Il,(b)followsfromrank(BB ) = rank(B). The 0 0wehave 01 02 0 which yields the corner point 1 1 Rvdm Rvdm equality (c) is obtained as follows. We notice (0, 1 )where 1 denotes the secrecy rate characterized ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ in (32). The KKT conditions, necessary for the optimality, T are given by (31)whereΨi 0 is the Lagrangian dual matrix HV (d) HV + HG (h) rank⎣ ⎦ = rank⎣ ⎦ = rank⎣ ⎦ associated to the positive semidefiniteness constraints for G G G (A.4) i = 0, 1 and μ ≥ 0 is the Lagrangian dual variable associated

(e) to the total power constraint. The gradient-based algorithm = min(N + L,2N + L − l) = N + L, [37] can be applied to ﬁnd the solution satisfying these KKT conditions. Although this algorithm yields the optimal and where in (d) adding HG does not change the rank, (e) follows unique solution for γ1 ≥ γ0θ, the algorithm converges to a because any set of N + L rows taken from T (h), G is linearly local optimal solution for γ1 <γ0θ. independent (from the assumption that h, g are linearly independent). Since HV is orthogonal to G,(A.4) yields C. Proof of Lemma 9 rank(HV ) = N + L − (N + L − l) = l (A.5) In the following, we provide the encoding/decoding scheme which establishes (c). to achieve a vertex point within R corresponding to a speciﬁc encoding order π. Our proof builds on the successive Gel’fand-Pinsker coding [38] and random binning for B. Proof of Theorem 5 ensuring the perfect secrecy. The overall region R is obtained K We consider the following three cases given in Lemma 4. by taking the union over all possible ! encoding orders followed by the convex hull operation. We extensively use (n) Case 1. Supposing R01 0 arbitrary small for a large n. 14 EURASIP Journal on Wireless Communications and Networking

P u P v | u ... P v | u w(k) w (a) Codebook Generation. Fix ( ), ( 1 ), , ( K ) if such pair 0 , k exists and unique. Otherwise it declares and P(x | u, v1, ..., vK ). We deﬁne for k = 1, ..., K an error.

L I V Z | V ... V U − ε (d) Error Probability Analysis. Without loss of generality, we π(k) π(k); π(1), , π(k−1), w = w = ... = w = (C.1) assume that the message set is 0 1 k 1. We remark that an error is declared if one or more of the Mπ k I Vπ(k); Vπ , ..., Vπ k− | U + ε ( ) (1) ( 1) following events occur. and we let Mπ(1) = 0. the joint distribution factors as The (i) Encoding fails stochastic encoder randomly generates

$n u w P n = P u E1 u(1),vπ(1) 1, jπ(1) , ...,vπ(k) 1, jπ(K), iπ(K) (i) i.i.d. codewords ( 0) according (u ) i=1 ( i) n R −ε where w ∈{1, ...,2 ( 0 )}. (C.6) 0 ∈/ A(n) P . ε U,V1,...,VK

nI V Y |U n R L (ii) For user π(1), 2 ( π(1); π(1) ) = 2 ( π(1)+ π(1)) i.i.d. n From the construction of the codebook above, we have codewords vπ(1)(wπ(1), jπ(1))withP(vπ ) = $n (1) P v P(E1) ≤ ε. i=1 ( π(1)), where the indices are given by

(ii) Decoding step 1 fails; there does not exist a jointly nRπ(1) nLπ(1) k wπ(1) ∈ 1, ...,2 , jπ(1) ∈ 1, ...,2 . (C.2) typical sequence for some , that is,

Ek j i ∈/ A(n) P . 2 u(1),vk 1, k, k ,yk ε U,Vk,Yk (C.7) nI V Y |U n R L M (iii) For user π(k), 2 ( π(k); π(k) ) = 2 ( π(k)+ π(k)+ π(k)) i.i.d. w j i P n = $codewords vπ(k)( π(k), π(k), π(k))with (vπ(k)) P Ek ≤ ε k n P v From joint typicality [39]wehave ( 2) for any . i=1 ( π(k)), where the indices are given by (iii) Decoding step 2 fails; there exits other sequences k nRπ(k) nLπ(k) satisfying the joint typicality for some wπ(k) ∈ 1, ...,2 ,jπ(1) ∈ 1, ...,2 , (C.3) nL i ∈ ... π(k) . π(k) 1, ,2 Ek ∀ w(k) w = w w j i 3 0 , k / (1, 1), u( 0),vk k, k, k ,yk w w ... w (b) Encoding. To send the messages 0, 1, , k,weﬁrst ∈ A(n) P . ε U,Vk,Yk choose randomly the index w and the corresponding 0 (C.8) codeword u(w0). Given the common message u(w0), we choose randomly the codeword vπ(1) within the bin wπ(1), n k jπ π ∈ Aε PU V P E ≤ ε that is, the index (1), such that (u, v (1)) ( , π(1) ). It can be shown that we have ( 3) if Then successively choose the codeword vπ(k), that is, the indices jπ k , iπ k , such that ( ) ( ) Rk + Lk + Mk ≤ I(Vk; Yk | U) (C.9)

(n) ... ∈ An P ... . for any k. Hence, the error probability Pe = u, vπ(1), ,vπ(k) ε U,Vπ(1) , ,Vπ(k) (C.4) P(E1 (∪kE2k) (∪kE3k)) ≤ ε if the rate-tuple satisﬁes (44). If there are more than one such sequence, it randomly selects P x|v ... v one. Finally the encoder selects according to ( 1, , K ). (e) Equivocation Calculation. To prove the equivocation requirement K (c) Decoding. The received signals at the legitimate n ... n 1 n ε receivers are$ y1, ,yk, the outputs of the channels Rk − H(WK | Z ) ≤ , K ⊆{1, ..., K}, (C.10) P yn|xn = n P yn|xn k k n n ( k ) i=1 ( k )forany .Receiver chooses k∈K w(k) w 0 , k so that where we denote WK ={Wk, k ∈ K},weremarkthatitis suﬃcient to verify the above inequality for K ={1, ..., K} w(k) w j ∈ A(n) P u 0 ,vk k, k ,yk ε U,Vk,Yk (C.5) due to [24, Lemma 1]. Hence, we check whether the the sum EURASIP Journal on Wireless Communications and Networking 15

rate secrecy constraint is satisfied by the proposed encoding (d) follows by ignoring a nonnegative term H(W1, ..., WK | V n ... V n U H V n ... V n | Un = strategy. 1 , , K , ), (e) follows because ( 1 , , K ) K H V n | Un − K I V n V n ... V n | Un k=1 ( k ) j=2 ( π(j); π(1), , π(j−1) ) n (a) n n H(W1, ..., WK | Z ) ≥H(W1, ..., WK | Z , U ) for any permutation π over the set {1, ..., K},(f)follows n n n n n because H(Vk | U ) ≥ I(Vk ; Yk | U )foranyk,finally = H W ... W Zn | Un − H Zn | Un ( 1, , K , ) ( ) (g) follows because the successive encoder yields the sum rate = H W ... W V n ... V n Zn | Un given by 1, , K , 1 , , K , n n n n n n K K − H V , ..., VK | W , ..., WK , Z , U − H(Z | U ) 1 1 I V n Y n | U − I V n V n ... V n | U k ; k π(j); π(1), , π(j−1) n n n = H W ... W V ... V | U k=1 j=2 1, , K , 1 , , K n n n H Zn | W ... W V n ... V n Un − I V ... V Z U . + 1, , K , 1 , , K , 1 , , K ; (C.13) − H V n ... V n | W ... W Zn Un − H Zn | Un 1 , , K 1, , K , , ( ) This establishes the achievability. (b) ≥ H W ... W V n ... V n | Un 1, , K , 1 , , K H ZnW ... W V n ... V n Un − nε − H Zn D. Proof of Theorem 10 + 1, , K , 1 , , K , ( ) The achievability follows by extending Theorem 8 to the (c)= H W ... W V n ... V n | Un 1, , K , 1 , , K case of K confidential messages. First we remark that as a n n n n n n straightforward extension of Lemma 2 the following lemma + H Z | V , ..., VK , U − nε − H(Z | U ) 1 holds. (d) n n n n n n n K ≥ H V , ..., VK | U + H Z | V , ..., VK , U l ≤ L 1 1 Lemma D.15. For k=1 k , there exists a matrix K n n ... l N L − nε − H(Z | U ) [V1, , VK ] with k=1 k orthonormal columns with size + satisfying = H V n ... V n Un − I V n ... V n Zn | Un − nε 1 , , K 1 , , K ; T = k = ... K g Vk 0N×lk , 1, , , (D.1) K K (e) n n n n n n ⎛ ⎛ ⎞ ⎞ = H Vk | U − I V ; Vπ , ..., V U π(j) (1) π(j−1) ⎝ ⎝ H ⎠ H ⎠ k=1 j=2 rank T (hk) Vj Vj T (hk) = lj , j∈K j∈K (D.2) − I V n ... V n Zn | Un − nε 1 , , K ; ∀K ⊆{1, ..., K}, K K (f) ≥ I V n; Y n |Un − I V n ; V n , ..., V n |Un k k π(j) π(1) π(j−1) where lk denotes the number of columns of Vk k=1 j=2 n n n n AsketchofproofisgiveninAppendix E. − I V , ..., VK ; Z | U − nε 1 N L − K l We let V0 be unitary matrix with + k=1 k K (g) orthonormal columns in the null space of [V1, ..., VK ]such ≥ n Rk − nε H ... = , that V0 [V1, , VK ] 0. In other words, the Vandermonde k=1 precoder V = [V0, ..., VK ] is a squared unitary matrix (C.11) H satisfying VV = IN+L. Based on the Vandermonde precoder where (a) follows because the conditioning decrease the V, we construct the transmit vector x as entropy, (b) follows from Fano’s inequality [39] stating that K ffi n for a su ciently large we have x = Vkuk,(D.3) k= H V n ... V n | W ... W Zn Un 0 1 , , K 1, , K , , where u , u , ..., uK are mutually independent Gaussian vec- K (C.12) 0 1 (n) tors with zero mean and covariance S0, S1, ..., SK satisfying ≤ 1+nPe Lπ k + Mπ k ≤ nε, ,eav ( ) ( ) K ≤ N L P k=1 i=0 tr(Si) ( + ) . From the orthogonality properties (D.1), the received signals become (n) where Pe,eav denotes the eavesdropper’s error probability V n ... V n = T T when decoding 1 , , K with the knowledge on the yk (hk)V0u0 + (hk)Vkuk w ... w P(n) → message indices 1, , K . We have that e,eav 0as K n n n + T (hk) Vj uj + nk, k = 1, ..., K, n →∞if k= (Lπ(k) + Mπ(k)) ≤ I(V , ..., VK ; Z | U )+ (D.4) 1 1 j =/ k K I V n V n ... V n | Un j=2 ( π(j); π(1), , π(j−1) ). (c) follows from the W ... W → V n ... V n → Zn ... Zn Markov chain 1, , K 1 , , K 1 , , K , z = T g V0u0 + ν, 16 EURASIP Journal on Wireless Communications and Networking ⎛ ⎛ ⎞ ⎞ where receiver k observes the common message, the intended K ⎝T ⎝ H ⎠T H ⎠ confidential message, and the interference from other users, rank (hk) Vj Vj (hk) j= while receiver K + 1 observes only the common message. By 0 U = V = U k = ... K X = (D.11) letting V0u0, k + Vkuk for 1, , , = T H T H U K V rank (hk)VV (hk) + k=1 k and considering the equal power allocation to all N + L streams, we readily obtain (b) = rank(T (hk)) = N, ⎛ ⎛ ⎞ ⎞ K K ⎝ ⎝ H ⎠ H ⎠ (c) I(U; Yk) rank T (hk) Vj Vj T (hk) = lj , (D.12) j=1 j=1 = 1 ⎛ ⎛ ⎞ ⎞ N L K K + ⎝ ⎝ H ⎠ H ⎠ (c) rank T (hk) Vj Vj T (hk) = lj , (D.13) K H H (D.5) j= j = k j= j = k IN + PT (hk) j= Vj Vj T (hk) 1, / 1, / 0 × log , PT K H T H IN + (hk) j=1 Vj Vj (hk) where (a) follows from orthogonality between T (g)andVk ∀k , for k ≥ 1, (b) follows from the fact that V = [V0 ···VK ] is unitary satisfying VVH = I, and (c) follows from I(U; Z) Lemma D.15.From(D.11)and(D.12), we readily obtain (D.6) r ≤ N − K l / N L 1 H H 0 ( k=1 k) ( + ), which is dominated by (D.10). = logIN + PT g V V T (g) , N + L 0 0 Combining (D.12)and(D.13), we obtain rk ≤ lk/(N + L)for k = 1, ..., K. This completes the achievability. I V Y | U ( k; k ) The converse follows by a natural extension of Theorem 8 K 1 to the + 1-user BCC. To obtain the constraint (48), = K N L we consider that the first receivers perfectly cooperate + K to decode the confidential messages and one common K H H K IN + PT (hk) j= Vj Vj T (hk) message. By treating these receiversasavirtual receiver 1 × log , with KN antennas, we immediately obtain the bound (48) PT K H T H IN + (hk) j=1,j =/ k Vj Vj (hk) corresponding to the s.d.o.f. of the MIMO wiretap channel T T T with the virtual receiver channel [T (h ) , ..., T (hK ) ] and ∀k, 1 the eavesdropper channel T (g). The bound (49) is obtained (D.7) by noticing that the total number of streams that receiver k T k N I(VK ; Z | U) = 0, ∀K ⊆{1, ..., K},(D.8)can decode is limited by the d.o.f. of (h ), that is, . Namely,wehavethefollowingK inequalities:

H V | U = H V | U and we also have ( K ) k∈K ( k )from l0 + lk ≤ N, k = 1, ..., K (D.14) the independency between V1, ..., VK conditioned on U. Plugging this together with (D.7)and(D.8) into (44), we have which yields l0 ≤ N − maxk lk. Further by letting lk = L for any k ∈{1, ..., K} and and lj = 0foranyj =/ k,weobtain l0 ≤ N − L. Adding the last inequality and (48), we obtain Rk ≤ I(Vk; Yk | U), k = 1, ..., K, (49). This establishes the converse. (D.9) Rk ≤ I(Vk; Yk | U). k∈K k∈K E. Proof of Lemma D.15 H H We consider rank(T (hk) j∈K Vj Vj T (hk) )forasub- set K ⊆{1, ..., K}. First we let vc , ..., vc L denote In order to ﬁnd the d.o.f. region, we notice ,1 , L orthonormal columns that form a unitary Vander- monde matrix orthogonal to T (g). For any subset L ⊆ {1, ..., L},weletVc,L be the unitary matrix formed by T H T H rank g V0V0 (g) |L| columns corresponding to the subset L taken from vc,1, ..., vc,L. Since a unitary matrix formed by {Vk}k∈K for = T rank g V0 any K can be expressed equivalently as Vc,L, we consider H H T k c L T k L c L (a) rank( (h )V , Vc,L (h ) ). For a given ,weletV , = rank T g [V0V1, ..., VK ] denote a unitary matrix composed by L −|L| columns corresponding to the complementary set L such that L + (b) = rank T g = N, (D.10) L ={1, ..., L}. In order to derive the rank, we follow the EURASIP Journal on Wireless Communications and Networking 17

same approach as Appendix A. We deﬁne the matrix GL ∈ By letting U = V0u0, Vk = U +Vkuk for k = 1, 2, X = V1 +V2 N L−|L| × N L H C( + ) ( + ) c L orthogonal to V , by appending Vc,L to and considering equal power allocation to all streams with T (g) p = (N + L)P/(M + l1 + l2), we readily obtain

⎡ ⎤ I(U; Yk) T g ⎣ ⎦ H H H L = pT T G H ,(E.1)1 IN + (hk) V0V0 + VkVk (hk) Vc L = × , N L log H H , + IN + pT (hk)VkVk T (hk) N L −|L| where the + rows are linearly independent. Since I V Y | U = 1 pT H T H H N L ( k; k ) log IN + (hk)VkVk (hk) , GL and Vc,L form a complete set of an + -dimensional N + L linear space, T (hk) can be expressed as I(V1; Y2, V2 | U) = I(V2; Y1, V1 | U) = 0. (F.4) T = H k = ... K (hk) Ak,LGL + Bk,LVc,L, 1, , ,(E.2) We remark H H T k k T k where Ak,L, Bk,L is a coefficient matrix with dimension N × rank (h )V Vk (h ) (N + L −|L|), N ×|L|, respectively. By recalling that any set = T = l k = of N +L rows taken from T (hk), T (g) is linearly independent rank( (hk)Vk) k, 1, 2, for k = 1, ..., K (from the assumption that g, h , ..., hK are 1 T H H T H linearly independent), we can repeat the same argument as rank (hk) V0V0 + VkVk (hk) Appendix A and obtain ⎛ ⎡ ⎤ ⎞ VH (F.5) = ⎝T ⎣ 0 ⎦T H ⎠ rank (hk)[V0Vk] H (hk) Vk T H T H =|L| rank (hk)Vc,LVc,L (hk) , (E.3) (a) = rank T (hk) V VkVj ∀L ⊆{1, ..., L}, k = 1, ..., K 0 (b) = rank(T (hk)) = N, which yields the result. where (a) follows from orthogonality between T (hk)andVj for j =/ k, (b) follows because [V0V1V2]or[V0V2V1] spans F. Proof of Theorem 12 acompleteN + L-dimensional space. These equations yield l0 + lk ≤ N for k = 1, 2. This establishes the achievability. The achievability follows by generalizing Theorem 8 for The converse follows by noticing that the constraints the case of two confidential messages. We remark that by (55)and(56) correspond to trivial upper bounds. To obtain symmetry Lemma 2 for one beamforming matrix V1 can be (55), we consider the special case when the transmitter sends trivially extended to two beamforming matrices V1 and V2. only one confidential message to one of two receivers in the Namely, we have presence of the eavesdropper. When sending one confidential l ≤ L l ≤ L l message to receiver 1, the two-user frequency-selective BCC Lemma F.16. For 1 and 2 , there exists Vk with k reduces to the MIMO wiretap channel with the legitimate orthnormal columns for k = 1, 2 satisfying channel T (h1) and the eavesdropper channel T (h2), whose s.d.o.f. is upper bounded by L. The same bound holds for T = k = j = k receiver 2 when transmitting one confidential message to (hk)Vj 0N×lj , 1, 2, / , (F.1) receiver 2 in the presence the eavesdropper (receiver 1). rank(T (hk)Vk) = lk, k = 1, 2. (F.2) The upper bounds (56) follow because the total number of streams per receiver is limited by the individual (N + L) × N MIMO link. This establishes the converse. Further, we let V0 be a unitary matrix with M = N + L − rank([V1V2]) orthonormal columns in the null space of H = Acknowledgments [V1V2] such that V0 [V1V2] 0M×(l1+l2).Weconstructx by Gaussian superposition coding based on the Vandermonde The work is supported by the European Commission in the precoder V0, V1,andV2.From(F.1), each user observes the framework of the FP7 Network of Excellence in Wireless vector of its confidential message and that of the common COMmunications NEWCOM++. The work of Merouane´ message, that is, Debbah is supported by Alcatel-Lucent within the Alcatel- Lucent Chair on Flexible Radio at Supelec. The authors wish to thank Yingbin Liang, Pablo Piantanida for helpful y1 = T (h1)(V0u0 + V1u1) + n1, (F.3) discussions, as well as Li Chia Choo and the anonymous y2 = T (h2)(V0u0 + V2u2) + n2. reviewers for constructive comments. 18 EURASIP Journal on Wireless Communications and Networking

References [18] R. Liu and H. V. Poor, “Secrecy capacity region of a multi-antenna Gaussian broadcast channel with confidential [1] A. D. Wyner, “The wiretap channel,” Bell System Technical messages,” IEEE Transactions on Information Theory, vol. 55, Journal, vol. 54, 1975. no. 3, pp. 1235–1249, 2009. [2] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian [19] R. Liu, T. Liu, H. V. Poor, and S. Shamai (Shitz), “MIMO wire-tap channel,” IEEE Transactions on Information Theory, Gaussian broadcast channels with confidential messages,” in vol. 24, no. 4, pp. 451–456, 1978. Proceedings of the IEEE Symposium on Information Theory [3] I. Csiszar´ and J. Korner,¨ “Broadcast channels with confidential (ISIT ’09), Seoul, Korea, June-July 2009. messages,” IEEE Transactions on Information Theory, vol. 24, [20] L. C. Choo and K. K. Wong, “The K-receiver broadcast no. 3, pp. 339–348, 1978. channel with confidential messages,” in Proceedings of the IEEE [4] P. K. Gopala, L. Lai, and H. El Gamal, “On the secrecy capacity International Symposium on Information Theory (ISIT ’09), of fading channels,” IEEE Transactions on Information Theory, Seoul, Korea, 2009. vol. 54, no. 10, pp. 4687–4698, 2008. [21] A. Khisti, A. Tchamkerten, and G. W. Wornell, “Secure [5] A. Khisti and G. Wornell, “The MIMOME channel,” in broadcasting over fading channels,” IEEE Transactions on Proceedings of the 45th Annual Allerton Conference on Commu- Information Theory, vol. 54, no. 6, pp. 2453–2469, 2008. nication, Control, and Computing, 2007. [22] L. C. Choo and K. K. Wong, “The three-receiver broadcast [6]T.Liu,V.Prabhakaran,andS.Vishwanath,“Thesecrecy channel with degraded message sets and confidential mes- capacity of a class of parallel Gaussian compound wiretap sages,” submitted to IEEE Transactions on Information Theory. channels,” in Proceedings of the IEEE International Symposium [23] E. Ekrem and S. Ulukus, “Secrecy capacity of a class of broad- on Information Theory (ISIT ’08), pp. 116–120, Toronto, cast channels with an eavesdropper,” submitted to EURASIP Canada, 2008. Journal on Wireless Communications and Networking. [7] Y. Liang, H. V. Poor, and S. Shamai, “Secure communication [24] E. Ekrem and S. Ulukus, “The secrecy capacity region of the over fading channels,” IEEE Transactions on Information Gaussian MIMO multi-receiver wiretap channel,” submitted Theory, vol. 54, no. 6, pp. 2470–2492, 2008. to IEEE Transactions on Information Theory. [8] S. Goel and R. Negi, “Secret communication in presence of [25] G. Bagherikaram, A. S. Motahari, and A. K. Khandani, “The colluding eavesdroppers,” in Proceedings of the 62nd IEEE secrecy rate region of the broadcast channel,” preprint, 2008, Vehicular Technology Conference (VTC ’05), vol. 3, Atlantic http://arxiv.org/abs/0806.4200. City, NJ, USA, 2005. [26] G. Bagherikaram, A. S. Motahari, and A. K. Khandani, “The [9] P. Parada and R. Blahut, “Secrecy capacity of SIMO and secrecy capacity region of the Gaussian MIMO broadcast slow fading channels,” in Proceedings of the IEEE International channel,” preprint, 2009, http://arxiv.org/abs/0903.3261. Symposium on Information Theory (ISIT ’05), pp. 2152–2155, [27] O. O. Koyluoglu, H. El Gamal, L. Lai, and H. V. 2005. Poor, “Interference alignment for secrecy,” preprint, 2008, [10] A. Khisti and G. Wornell, “Secure transmission with multiple http://arxiv.org/abs/0810.1187. antennas: the MISOME wiretap channel,” submitted to IEEE [28] ANSI/IEEE Std 802.11, Edition (R2003), 1999, http://stand- Transactions on Information Theory, 2007. ards.ieee.org/getieee802/download/802.11-1999.pdf. [11] T. Liu and S. Shamai, “A note on the secrecy capacity of the multi-antenna wiretap channel,” submitted to IEEE [29] Air Interface for Fixed and Mobile Broadband Wireless Transactions on Information Theory, 2007. Access Systems, 2005, http://standards.ieee.org/getieee802/ download/802.16e-2005.pdf. [12] F. Oggier and B. Hassibi, “The secrecy capacity of the MIMO wiretap channel,” in Proceedings of the IEEE International [30] http://www.3gpp.org/Highlights/LTE/LTE.htm. Symposium on Information Theory (ISIT ’08), pp. 524–528, [31] Ø. Ryan and M. Debbah, “Asymptotic behaviour of random Toronto, Canada, 2008. vandermonde matrices with entries on the unit circle,” IEEE [13] S. Shafiee and S. Ulukus, “Achievable rates in Gaussian MISO Transactions on Information Theory, vol. 55, no. 7, 2009. channels with secrecy constraints,” in Proceedings of the IEEE [32] L. S. Cardoso, M. Kobayashi, Ø. Ryan, and M. Debbah, International Symposium on Information Theory, pp. 2466– “Vandermonde frequency division multiplexing for cognitive 2470, 2007. radio,” in Proceedings of the 9th IEEE Workshop on Signal [14] A. Khisti, G. Wornell, A. Wiesel, and Y. Eldar, “On the Processing Advances in Wireless Communications (SPAWC ’08), Gaussian MIMO wiretap channel,” in Proceedings of the IEEE pp. 421–425, Recife, Brazil, 2008. International Symposium on Information Theory (ISIT ’07),pp. [33] A. Scaglione, G. B. Giannakis, and S. Barbarossa, 2471–2475, Nice, France, 2007. “Lagrange/Vandermonde MUI eliminating user codes [15] R. Bustin, R. Liu, H. V. Poor, and S. Shamai (Shitz), “An forquasi-synchronous CDMA in unknown multipath,” IEEE MMSE approach to the secrecy capacity of the MIMO Transactions on Signal Processing, vol. 48, no. 7, pp. 2057–2073, Gaussian wiretap channel,” EURASIP Journal on Wireless 2000. Communications and Networking. In press. [34] H. V. Poor, An Introduction to Signal Detection and Estimation, [16] H. D. Ly, T. Liu, and Y. Liang, “MIMO broadcasting with Springer, New York, NY, USA, 1994. common, private, and confidential messages,” in Proceedings [35] P. Viswanath and D. N. C. Tse, “Sum capacity of the vector of the International symposium on Information Theory and Its Gaussian broadcast channel and uplink-downlink duality,” Applications (ISITA ’08), Auckland, New Zealand, December IEEE Transactions on Information Theory,vol.49,no.8,pp. 2008. 1912–1921, 2003. [17] R. Liu, I. Maric, P. Spasojevic, and R. D. Yates, “Discrete [36] J. Lee and N. Jindal, “High SNR analysis for MIMO broadcast memoryless interference and broadcast channels with confi- channels: dirty paper coding versus linear precoding,” IEEE dential messages: secrecy rate regions,” IEEE Transactions on Transactions on Information Theory, vol. 53, no. 12, pp. 4787– Information Theory, vol. 54, no. 6, pp. 2493–2507, 2008. 4792, 2007. EURASIP Journal on Wireless Communications and Networking 19

[37] H. Viswanathan, S. Venkatesan, and H. Huang, “Down- link capacity evaluation of cellular networks with known- interference cancellation,” IEEE Journal on Selected Areas in Communications, vol. 21, no. 5, pp. 802–811, 2003. [38] X. Zhang, J. Chen, SB. Wicker, and T. Berger, “Successive coding in multiuser information theory,” IEEE Transactions on Information Theory, vol. 53, no. 6, pp. 2246–2254, 2007. [39] T. Cover and J. Thomas, Elements of Information Theory,John Wiley & Sons, New York, NY, USA, 1991. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 437824, 18 pages doi:10.1155/2009/437824

Research Article Securing OFDM over Wireless Time-Varying Channels Using Subcarrier Overloading with Joint Signal Constellations

Gill R. Tsouri1 and Dov Wulich (EURASIP Member)2

1 Department of Electrical Engineering, Rochester Institute of Technology, Rochester, NY 14623, USA 2 Department of Electrical and Computer Engineering, Ben-Gurion University of the Negev, Beer-sheva 84105, Israel

Correspondence should be addressed to Gill R. Tsouri, [email protected]

Received 29 November 2008; Revised 29 May 2009; Accepted 30 July 2009

Recommended by Merouane Debbah

A method of overloading subcarriers by multiple transmitters to secure OFDM in wireless time-varying channels is proposed and analyzed. The method is based on reverse piloting, superposition modulation, and joint decoding. It makes use of channel randomness, reciprocity, and fast decorrelation in space to secure OFDM with low overheads on encryption, decryption, and key distribution. These properties make it a good alternative to traditional software-based information security algorithms in systems where the costs associated with such algorithms are an implementation obstacle. A necessary and sufficient condition for achieving information theoretic security in accordance with channel and system parameters is derived. Security by complexity is assessed for cases where the condition for information theoretic security is not satisfied. In addition, practical means for implementing the method are derived including generating robust joint constellations, decoding data with low complexity, and mitigating the effects of imperfections due to mobility, power control errors, and synchronization errors.

Copyright © 2009 G. R. Tsouri and D. Wulich. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction distribution impose overheads on data throughput, energy consumption, memory space, and computation power. Orthogonal Frequency Division Multiplexing (OFDM) is a These overheads are a crucial implementation issue for leading choice for many current and future air interfaces. low complexity systems with strict constraints on system When using OFDM over a wireless channel the broadcast resources [5], such as sensor and mobile networks [6–8]. nature of the channel exposes transmission to eavesdropping. Secrecy capacity analysis of random, noisy, and fading Securing communication links from eavesdropping is com- channels showed that in theory, a communication link can monly done by implementing enciphering and deciphering be perfectly secured from eavesdropping for certain limited algorithms in software, and is usually detached from the information rates [9–11]. Recent work provided specific physical layer of communication. Prominent methods rely analysis of the secrecy capacity of wireless fading channels on public keys cryptography such as RSA [1], or symmetric [12–17]. Past work suggested practical methods for using cryptography with a common secret, such as the US randomness in the wireless channel to alleviate the need for National Data Encryption Standard (DES) [2]. There are key distribution. In [18–20], reciprocal channel estimation some encryption methods which rely on the physical layer of a slow fading wireless time varying channel was used as a of communication for their implementation, such as spread common secret to generate and distribute encryption keys spectrum Frequency Hopping (FH) and Direct Sequence (DS) to be used by traditional encryption algorithms. In [21]a [3]. In FH and DS a key has to be generated and distributed differential frequency modulation technique coupled with securely between the communicating parties. The key is used reverse piloting was used in a multitone channel to achieve to set the FH hopping pattern or DS spreading sequence. secure transmission for point-to-point systems. In [22]a Prominent key distribution methods rely on the Diffie- practical approach is depicted for key agreement in wireless Hellman algorithm [4]. Encryption, decryption, and key channels based on multilevel and Low Density Parity Check 2 EURASIP Journal on Wireless Communications and Networking

(LDPC) codes. In [18–22] the wireless channel was assumed power. Although we focus our attention on OFDM, our to be a reciprocal slow flat fading channel, which decorrelates analysis and results hold for securing narrowband single rapidly in space. The assumptions of reciprocity and space carrier transmission as well. The novelty of this work is decorrelation were well established in previous work [21] in suggesting the use of reverse piloting for implementing and are adopted in this work as well. superposition modulation with joint decoding to achieve It is common practice in wireless communications to information security. The main contributions are in two have the transmitter use asynchronous bursts of transmission categories: analysis of security strength of the proposed to access the channel. The burst starts with a prior known method and practical implementation of the proposed pilot signal followed by modulated data symbols. The pilot method. The analysis of security strength results in a is used by the receiver to estimate the channel. The receiver quantitative condition for achieving information theoretic then uses the channel estimate to compensate for channel security, given a prior known channel and system param- attenuation and phase prior to decoding. Decoding of the eters and assessment of security by complexity when the received data symbols is done based on the a prior known condition is not satisfied. Practical implementation consid- signal constellation of the transmitter. Since the wireless erations include generating robust signal constellations, low channel changes with time, a pilot signal has to be sent every complexity Maximum Likelihood (ML) decoding, network- channel coherence time. An eavesdropper can use the pilot optimization, evaluation of the effects of mobility, power signal to estimate the channel from the transmitter to itself control errors and synchronization errors, and formulating and decode the information in exactly the same manner as simple piloting rules for mitigating their effect. the intended receiver. This means that sending a pilot signal The rest of the paper is organized as follows. In Section 2 from the transmitter to the receiver compromises security. the method is presented using a multiple access protocol. In [23] the asynchronous burst transmission approach In Section 3 the mathematical model used for analysis was replaced with synchronous transmission to achieve is defined. In Section 4 security strength is analyzed. In security. A reverse piloting protocol was proposed to secure Section 5 practical implementation is considered. Section 6 transmission bursts in a narrow-band single carrier point- depicts an illustrative scenario of Rayleigh fading and three to-point system over slow flat fading channels. Synchronous transmitters, and Section 7 concludes the work. transmission allows for the pilot signal to be sent from the receiver instead of the transmitter. The transmitter can 2. Proposed Method estimate the channel from the receiver to itself using the receiver’s pilot signal and deduce the channel from itself to In the proposed method the frequency and phase of subcarri- the receiver based on channel reciprocity. The transmitter ers from multiple transmitters are matched and synchronized can then send a burst of channel-compensated data symbols at the receiver. All transmitters transmit together and over the same frequency as the pilot, and the receiver would their start of transmission is coordinated by the receiver receive a readily decodable channel-compensated signal. The to have their signals reach the receiver simultaneously. receiver can use decision feedback to compensate for small All transmitters use the same subcarrier frequencies. The changes in the channel, so that its channel estimate remains receiver is equipped with a single Matched Filter (MF) accurate until the original channel is fully decorrelated in matched to each subcarrier. Each transmitter is assigned time. After the channel decorrelates in time the receiver (offline) a set of arbitrary Base Band (BB) symbols to can send a new pilot signal. Since no pilot signal is sent represent its information bits. Since the transmit-channel- from the transmitter, the eavesdropper would be deprived receive path is linear, the receiver’s MF output is a sum of of estimating the channel from the transmitter to itself the BB symbols of all the transmitters, and represents the prior to receiving the data symbols, and would be forced transmitted bits of all the transmitters at once. This is in to estimate the channel using blind estimation. Even for a fact superposition modulation of multiple transmitters on a noiseless channel, no decoding of the data would be possible single subcarrier which is repeated individually for multiple until blind estimation is completed because the eavesdropper subcarriers. The BB symbol sets are computed offline to have will not be able to map the received symbols to decoded all their possible summations create a signal constellation bits. In this work, the reverse piloting protocol presented in with highest resistance to noise. The receiver decodes the [23] is elaborated to support a plurality of transmitters in information bits of all the transmitters at once from a single a superposition modulation setting with joint decoding at received symbol as if originating from a single transmitter. the receiver. It is shown that the elaborated protocol can be Since the received signal constellation is jointly formed by practically used to obtain information theoretic security and all the transmitters BB symbols, the proposed method is security by complexity with low implementation complexity, herein termed Joint Constellation Multiple Access (JCMA). no memory requirements and no overhead on throughput A multiple access reverse piloting protocol over a single and energy. subcarrier is given in what follows to implement the method. In contradistinction to previous work in literature, the focus of this work is on facilitating channel overloading of (1) The receiver obtains knowledge on signal propaga- multipletransmittersoversubcarriersinanOFDMsystem. tion time from each transmitter to itself through The purpose is to increase security strength and decoding some standard association procedure. gain for transmitters in an OFDM system with limited (2) The receiver assigns index and delay parameter to emission power, memory space, and online computation each transmitter. EURASIP Journal on Wireless Communications and Networking 3

(3) Each transmitter uses its index to access a preloaded work in [28–30] uses symbol-synchronous superposition table for retrieving a BB symbol set. modulation to create a joint rectangular lattice at the receiver (4) The receiver sends a pilot signal and starts sensing for to support multiple transmitters using trellis codes. There an incoming signal. are also numerous works dealing with the adder-channel for performing joint coding from multiple transmitters (5) Each transmitter individually estimates the reciprocal through superimposed signals. In general, codebooks of channel’s phase and amplitude using the pilot signal individual transmitters are optimized under some criterion from the receiver. over the joint signal at the receiver—usually the focus is (6) Each transmitter awaits its delay and sends a burst of on coding gain. More relevant to the focus of this work is information symbols compensated for channel phase the work in [31, 32], where the joint minimal Euclidean and amplitude. distance was used as the optimizing criterion of a symbol- (7) The receiver receives a burst of joint information synchronous superimposed signal. A comprehensive review symbols, which belong to its predefined joint signal of other channel overloading techniques is provided in [39]. set. The work in [25, 27–32] addresses the issue of designing joint signal constellations to satisfy various optimization (8) The receiver decodes all transmitters at once. criteria according to the problem explored. We are unaware (9) The receiver uses decision feedback to compensate for of previous work (including [25, 27–32]) using secure, slow channel decorrelation in time. low complexity, joint symbol by symbol decoding as the (10) Steps 4–9 are repeated after a channel decorrelation optimization criteria. period has passed. As would be apparent in the following sections, the suggested method offers a low complexity solution for A preliminary simpler version of the proposed protocol securing OFDM over the time-varying wireless channel. The in this work was disclosed in [24], with the purpose of receiver uses a single MF and performs decoding of multiple enhancing decoding but no information security consider- transmitters with the same complexity as decoding a single ations. transmitter. The transmitters’ complexity is the same as that JCMA is superposition modulation with joint decoding. of a point-to-point scenario without security features. No It should be distinguished from the well-known Superpo- memory space, computation power, or transmitted energy sition Modulation with Successive Decoding (SM-SD) [25]. is required in order to secure transmission. For compari- In SM-SD the transmitters transmit at the same time and son, consider the analysis of energy consumption due to frequency and a joint signal is formed at the receiver. implementing security algorithms performed in [5]. In [5], Each transmitter’s symbol is treated as noise to the other it was shown that a typical sensor-node using asymmetric transmitters. The receiver decodes the information of each key establishment coupled with symmetric encryption per transmitter individually in a successive manner. First, the transmission session losses 20%–80% of its battery life due transmitter with the highest received signal energy is to encryption, depending on the session length. See [5] decoded. The decoded bits are used as feedback to remove for energy consumption of RSA, DES, and DH in specific the transmitter’s signal from the received joint signal. The systems. Other analysis provided in [8] considered the next transmitter with the highest received signal energy is Central Processing Unit (CPU), memory and transmission decoded and so on. In SM-SD the transmitters send pilot overheads required for implementing standard security signals to facilitate channel estimation at the receiver. As algorithms implemented in specific off-the-shelf nodes. The explained before, this compromises security. In JCMA pilots analysis in [8] concluded that DES is too resource demanding are sent only by the receiver. It follows that knowledge of the to be used in a sensor network and that a minimum of channel is obtained only by the transmitters. 128 KB RAM and ability to tolerate a considerable delay in JCMA should also be distinguished from multiuser data delivery are required to implement security algorithms detection [26] and rather recent advances in cooperative of lesser strength. See [8] for CPU processing and memory transmit diversity [27]. In multiuser detection the structure and transmission overheads of encryption algorithms DES, of the interfering signals from multiple transmitters is TEA, RC6, RC5, and SkipJack in specific systems. used to reduce their effect. The achievable coding gains are considerable, but the use of multiple MFs is required 3. Mathematical Model and the computational complexity grows exponentially with the number of transmitters. In addition, no security is In JCMA a joint constellation is constructed over each gained. In cooperative transmit diversity, the transmitter subcarrier separately. It follows that most of the analysis sends its own information while relaying the information of can be done using a model for a single subcarrier. In what another transmitter to the receiver. The method offers some follows, a single subcarrier is considered. The expansion performance gains, but the limited power of the relaying of the analysis to an entire OFDM symbol is done when transmitter has to be distributed between the data streams evaluating security of the entire OFDM transmission. of the participating nodes and no security is gained. The BB model of the multiple access scheme for a Beside SM-SD and multiuser detection, literature single subcarrier is depicted in Figure 1, xi; i = 1, 2, ..., N presents other approaches to channel overloading of trans- represent the transmitted complex BB symbols. Subcarriers mitters over the same frequency band. For example, the in OFDM experience flat fading. It follows that the channel 4 EURASIP Journal on Wireless Communications and Networking

h 1 transmitter symbols to be less than P (peak power constraint x on transmitted power). Finding the best BB symbol sets is s 1 1 TX1 Superposition explicitly formulated as follows. due to Receiver h channel n Given the definition: 2 linearity x y ML def s 2 r dmin = min yi − yj ,(3) 2 TX2 decision i =/ j device . . find Si; i = 1, ..., N which yield max{dmin}, while satisfying . h N the constraint: xN sN TXN 2M 2 1 Si ≤ P i = ... N. M j ; 1, , (4) 2 j=1 Figure 1: Baseband model of JCMA. For additive Gaussian noise, ML detection translates to finding the joint constellation symbol g in y which has the over a single subcarrier is flat and is described by a single smallest Euclidean distance from the received symbol q,so complex number hi. The transmitted symbols are summed via channel superposition and the MF output, without noise, y. n g = arg min q − yi . (5) is given by Also, is the BB additive white complex yi Gaussian noise. The received signal r is fed to an ML decision device, which decodes all the transmitted bits at once, as if originating from a single transmitter (the so-called “super- 4. Security Analysis user” in [25]). To facilitate analysis, we assume that the eavesdropper uses a Let us define single MF for decoding the data. At first glance, this seems to be an unreasonable limitation on the eavesdropper resources. exp − jβi hi = αi exp jβi ; xi = si,(1)The justification for this constraint would be given as part of αi the discussion in this section. where si is an information-carrying symbol with unit energy In JCMA, the joint constellation at the receiver’s MF which belongs to a predefined set Si. It is assumed that output is the result of a coherent sum of the transmitter BB 1/αi is small enough to allow the transmitter to adjust its symbols and is unique to the location of the transmitters power within its power constraint. If this is not the case, and receiver in space. This is achieved due to the individual communication would be severed, as would also happen in compensation of delay, phase, and attenuation of each a standard point to point scenario. transmitter. The receiver’s joint constellation would always For now, it is assumed that βi, αi are known without be the same and the bit mapping from the transmitters to error at the ith transmitter-perfect Channel State Information the joint symbols would be known a prior to the receiver. ff (CSI), and that hi remains constant during the decorrelation Since an eavesdropper would naturally occupy a di erent time. In later sections, derivations to the model are defined to location in space, the transmitters BB symbols would create ff analyze the effects of imperfect CSI and mobility on system adi erent joint constellation than that of the receiver. This performance. is practically always true even when the eavesdropper is From (1)andFigure 1 it follows that close to the receiver because the wireless channel decorrelates fast in space. A distance of a few carrier wavelengths apart N (a few centimeters for frequencies of the order of GHz) r = y + n = si + n. (2) decorrelates the channel almost completely [33]. It follows i=1 that the eavesdropper would have no a prior knowledge of the bit mapping from transmitters to joint symbols. This is The joint signal constellation at the receiver is made up of all the basis for achieving information theoretic security. s i = ... N y the permutations in i, 1, 2, , which generate . The joint constellation is constructed optimally at the S i = ... N Note that i; 1, , are sets of complex numbers, receiver’s location in space. It follows that the joint constel- S ={si si ... si }. M where i 1, 2, , 2M In addition, is the number lation at the eavesdropper location would have suboptimal of bits per symbol per transmitter, and y is a set of N structure and would change after every reverse pilot sent complex numbers made of all possible summations of due to different channel compensation performed at the numbers, where each number belongs to a different set Si. N j j transmitters. In addition, the signals from the transmitters y ={y y ... y MN } y = l l ∈ S Moreover, 1, 2, , 2 , i j=1 i ; i j where would not reach the eavesdropper simultaneously. It follows 1 2 N 1 2 N {li , li , ..., li } ={/ lk, lk, ..., lk } for all i =/ k. that even after discovering the bit mapping from transmitters The symbol sets are determined offline. For additive to joint symbols, the eavesdropper would have to decode the Gaussian noise, the minimum Euclidian distance in the information based on a deteriorated joint signal constellation joint constellation represented by y should be maximal and the decoding complexity would be higher than that of while constraining the average instantaneous energy over the the receiver. This is the basis for security by complexity. EURASIP Journal on Wireless Communications and Networking 5

◦ [s1, s2, ···sN ] ⇐⇒ y : Element wise multiplication . −1 M ( ) : Element wise inversion

Message Encipherer 1 Encipherer 2 source x1 s TX1 1 −1 x TK2 = sum(TK1(M) ◦ K ) TK1 = M ◦ K 2 s2 TX2 y . . . . Channel fading . Channel . compensation and superposition at eavesdropper done at TXs xN E sN location TXN

h h h h h h 1 2 ··· N 1 2 ··· N

K K Key source

Dynamic fading channel

Figure 2: JCMA as a Shannon secrecy model.

For decoding data successfully the eavesdropper must M from E using all possible prior knowledge, such as the first perform blind channel estimation to map its received offline-determined transmitters BB symbol sets, the channel joint constellation symbols to information bits. Finding the statistics, and the prior probabilities of the messages M. bit mapping is an act of deciphering, where the received joint A new key is generated every time a reverse pilot signal symbols are the cipher-text, the channel coefficients are the is sent by the receiver. Due to the time varying nature of encryption key and the information bits are the encrypted the fading channel, a key uncorrelated with previous keys message. After deciphering, the eavesdropper must decode is invoked after the channel decorrelates in time. This is the data from a deteriorated signal. why the receiver is required to track the channel during the decorrelation period. Note that encryption and decryption are done automatically by the channel, so no overheads are 4.1. Information Theoretic Security. We start by describing required for these operations. the JCMA BB model as a Shannon secrecy model. Figure 2 The unicity distance was defined in [34] as the amount depicts the secrecy model for an eavesdropper. The pilot of intercepted cryptograms by the eavesdropper beyond from the receiver invokes key generation and distribution which the eavesdropper can deduce the key. Equivalently, the from the wireless medium to the transmitters. This key is cryptogram is undecipherable when the message length is the channel estimates at the transmitters. Each part of the less than the unicity distance [34]. So, to achieve information key is known exclusively at each transmitter. In accordance theoretic security the message should be enciphered by a new with the Shannon secrecy model and its notation in [34], key before the eavesdropper gathers enough cryptograms the message M as defined in [34] corresponds to the vector for deciphering. To secure an entire OFDM transmission of transmitted symbols across the transmitters. This joint burst, the number of joint symbols within the channel message is encrypted by the transmitters—each transmitter decorrelation period must be less than the unicity distance. transforms its symbol by scaling and rotating it with the key. In the point-to-point narrow-band scenario (N = 1) So K in [34] corresponds to the vector of channel estimates described in [23] a single channel took part in encrypting at the transmitters. For the receiver’s location in space, the a single message. It was shown that the channel acts as channel itself performs a deciphering operation by rotating a shift cipher for cases where the phase of the complex and scaling the encrypted message back to the original y. Random Variable (RV) representing the channel is uniformly For the eavesdropper location in space the channel performs distributed. Uniform distribution of phase is a common another enciphering operation with another key K , being assumption for describing wireless time-varying channels. the channels from the transmitters to the eavesdropper loca- For the multipoint to point scenario we assume that the tion. The eavesdropper constellation point y corresponds to phase of each channel is uniformly distributed over the the cryptogram E in [34]. The eavesdropper has to decipher range [0, 2π). We derive the unicity distance for JCMA based 6 EURASIP Journal on Wireless Communications and Networking on this single assumption. For clarity of presentation we Due to the cyclic property of the phase (modulo 2π), (10)is consider the case where a single bit is transmitted by each equivalent to transmitter (M = 1). The derivation scales easily for general f z M. θi −θi ( ) The received joint constellation at the eavesdropper is ⎧ ⎪ 1 1 given by (see Figure 2) ⎪ + z + + z ,0≤ z<π, ⎨ (4π) (4π) = ⎪ ⎪ 1 N h ⎩ − (z − π) + (z − π), π ≤ z<2π, (11) y = s i . (2π) i h (6) i= i ⎧ 1 ⎪ 1 ⎨⎪ ,0≤ z<2π, = (2π) ⎪ Using amplitude-phase representation a single transmitter ⎩⎪ symbol set is given by 0, otherwise. It follows that θi − θi is uniformly distributed over the i i i i S = s jθ s jθ . π θs θ − θi i 1 exp 1 , 2 exp 2 (7) range [0, 2 ). Adding to i results in a cyclic shift of phase values over the range [0, 2π) but does not change the PDF regardless the value of θs. It follows that ϕi is always The structure of any signal constellation must be constrained uniformly distributed over the range [0, 2π). This means that to achieve an output signal with zero mean, so that no power the mappings from the two possible transmitter bit values to is wasted. This means that the two signals in the constellation areceivedsymbolsi at the eavesdropper are equally probable. are antipodal: Since the channel decorrelates fast across space, the received individual symbols from the different transmitters s i = ... N at the eavesdropper i, 1, , are uncorrelated, each i i i i s = s ≡|si|; θ = θ + π. (8) received symbol from a transmitter has two equally probable 1 2 1 2 bit mappings. The result is 2N equally probable bit mappings for the joint signal constellation at the eavesdropper. It Using si =|si| exp(jθs), hi =|hi| exp(jθi), hi =|hi | exp(jθi ), follows that JCMA is analogous to a substitution cipher with (7)and(8)in(6)give 2N equally probable keys. The unicity distance of a substitution cipher is given by [34] N N y = δi exp j ϕi ≡ si,(9) H(K) i=1 i=1 Ud = , (12) 1 − η

where ϕi = θs + θi − θi and δi =|si||hi |/|hi|. where H(K) is the entropy of the key. Also, η is the efficiency We find that si originating from a single transmitter def of the information source defined as η = 1 − D,whereD is arrives at the eavesdropper with the same amplitude δi for the redundancy of the information source [34]. In our case, either of the two possible bit values. The phase of si is the N H(K) = H(2 ) = N and the JCMA unicity distance is given sum of three RVs. Two of the RVs (θi,θi ) are uniformly by and independently distributed over the range [0, 2π)and θ θi θi the third ( s) assumes one of two possible values 1, 2 N Ud = . (13) corresponding to the two possible bit values. 1 − η Since the phase is uniformly distributed and cyclic over π [0, 2 ), taking its colinear values (multiplying the RV with The model in Figure 2 depicts a single subcarrier. Neigh- − 1) results in the same distribution. It follows that the boring subcarriers in OFDM experience similar channel θ − θ Probability Density Function (PDF) of i i is equal to the response due to channel correlation across bandwidth. This θ θ PDF of i + i which is the result of convolution of two means that neighboring subcarriers can be used by the uniform PDFs: eavesdropper to discover their similar channel response (encryption key). It is common to assume that the channel 1 z − π 1 z − π decorrelates in frequency every coherence bandwidth (Bc). f z = ∗ θ −θi ( ) Π Π , i 2π 2π 2π 2π To be on the safe side, it is assumed that all subcarriers ⎧ B ⎪ z − π within c experience exactly the same channel. This is a strict ⎪ ( ) B ⎪ , π ≤ z<3π, assumption, since subcarriers which are less than c apart are ⎪ (4π2) ⎨⎪ (10) not fully correlated. = z − π ⎪ 1 − ( 3 ) π ≤ z< π Secrecy is required for the entire data transmission burst. ⎪ ,3 5 , ⎪ (2π) (4π2) This means that the unicity distance must be larger than ⎪ ⎩⎪ the number of received joint symbols during the channel 0, otherwise. decorrelation period (Lc) times the number of subcarriers EURASIP Journal on Wireless Communications and Networking 7 within the channel coherence bandwidth (Nc). It follows would try to use multiple antennas for finding the bit map- from (13) that for ping faster (for decreasing the unicity distance), the result would be multiple equivalent deciphering problems and the N eavesdropper would gain nothing as far as deciphering time NcLc ≤ , (14) 1 − η is concerned. information theoretic security is achieved for the entire data 4.2. Security by Complexity. In the previous section, infor- burst. L N mation theoretic security of the entire data transmission Note that c and c are given by burst was found. Deciphering amounted to discovering the N = B T bit mapping from the transmitters to each joint symbol. c c s, Knowledge of the mapping is obtained by the eavesdropper Td (15) after the unicity distance has passed only if the eavesdropper Lc = , Ts uses the best possible algorithm to decipher the data. After deciphering is accomplished, the eavesdropper still has to where Ts is the transmitted symbol time. decode the data. When information theoretic security is The channel temporal decorrelation time (Td), is gov- not achievable, security boils down to making decoding ffi erned by the Doppler spread (Bd) and is defined as much more di cult for the eavesdropper compared to the intended receiver. We identify four such security-by- def α complexity features of JCMA. Td = , (16) Bd (1) The eavesdropper would have difficulty to know where α is set to achieve sufficient channel decorrelation in the expected joint symbol constellation at its MF time. However, Bd is determined by the relative movement output, since it has no knowledge of the channel of the transmitter with respect to the receiver described by compensation done at each transmitter, no immedi- the Doppler shift, and by the movement of reflectors in ate knowledge of the CSI from the nodes to itself, and their path. Moreover, Bd increases with mobility and carrier it receives noisy samples. frequency. In the context of encryption strength a short (2) The signals from the group nodes would not reach channel decorrelation time (higher mobility) is preferred. the eavesdropper simultaneously, resulting in an This results in a higher key generating rate. In this sense, the overlap of past and present symbols. worse-case scenario is a stationary transmitter and receiver, for which Bd has the smallest possible value. (3) The eavesdropper joint constellation would change Using (15), (16)in(14) results in every decorrelation period. This is due to the changing of channel compensation at the transmitters. This 1 − η αBc makes it impossible to design a constant and com- B ≥ . ffi d N (17) putationally e cient decoding algorithm, meaning that the eavesdropper would have to perform an If the system and channel parameters satisfy (17) the data exhaustive search for ML detection of every received transmission burst is secured from eavesdropping. symbol. At the same time, the receiver decoding If (17)isdifficult to satisfy due to small Bd,security algorithm would be constant because each channel can be obtained by shortening the number of data symbols instance is compensated for. in the transmission burst so that it equals the unicity (4) The joint constellation formed at the eavesdropper distance. This results in an equality in (14) regardless of the MF output is not optimal for decoding, since it was channel decorrelation period. This approach would result made to be optimal at a different and unique location in throughput reduction as the transmitters must wait in in space—that of the receiver. idle mode for the channel to decorrelate. Throughput loss can be avoided by having multiple JCMA groups accessing Due to Factor 1, the eavesdropper must first decide the channel in a TDMA fashion, so that one group uses on its joint signal constellation. This precedes deciphering the channel while the others wait for it to decorrelate. (mapping bits to joint symbols) and could prove to be a Alternatively, the protocol can be applied to only some of difficult task, since the joint samples are noisy and the joint the subcarriers preferably spaced apart as much as possible constellation changes with every new pilot from the receiver. across the bandwidth. The deterioration of the signal at the eavesdropper due to We now justify constraining the use of a single MF at Factor 2 is substantial when the eavesdropper is far from the the eavesdropper. An MF is the optimal demodulator for receiver and is difficult to evaluate as it depends greatly on achieving a maximal SNR from the received signal [35]. the multipath propagation of the transmitted signal. Factor Using multiple MFs connected to a signal antenna makes no 2 could be compromised when the eavesdropper is close sense because the joint constellation is constructed over a enough to the receiver. single complex dimension for any number of transmitters. Due to Factor 3, the asymptotic decoding complexity of It follows that the optimal choice for the eavesdropper is the eavesdropper is O(2N ), corresponding to an exhaustive to use a single MF with soft decoding. If the eavesdropper search over all possible constellation points. It would be 8 EURASIP Journal on Wireless Communications and Networking shown in Section 5 that the asymptotic decoding complexity From (2), of the receiver is O(N). The difference in complexity can N N become substantial for small as well. For example, for y = s N = N n, (18) 5 the receiver would be required to perform five simple n=1 calculations per symbol, while the eavesdropper would have to calculate and compare 32 Euclidean distances. Although where the index N is introduced to denote that y was created the decoding complexity of the eavesdropper is expected to by N transmitters. be high, it is prudent to assume that the eavesdropper might Assuming equal probability for each transmitted symbol have unlimited computational power, which would allow it per transmitter, to perform ML detection using exhaustive search, so Factor s = sn = −M l = ... M. 3 could be compromised. Pr n l 2 , 1, 2, ,2 (19)

Due to Factor 4, the eavesdropper has to perform 2 Let μn and σn denote the mean value and the variance of the decoding using a suboptimal joint symbol constellation s and is expected to suffer a considerable penalty on Bit RV n, respectively. It is assumed that the transmitters trans- {s }N Error Rate (BER) compared to the receiver. The exact mit independent data and, therefore, n n=1 are mutually N ffi y decoding loss depends on the number of transmitters, and independent. For su ciently large, N is a complex normal μ = N μ the characteristics of the channel which prevents a general RV with mean N n=1 n and variance analysis. Evaluation of decoding loss for three transmitters N over a Rayleigh channel is given in Section 6. 2 2 σN = σn . (20) The eavesdropper could use soft decoding and reception n=1 using multiple antennas to achieve decoding gains. However, at least some of the gains can be matched by the receiver. The The following RV is defined illustrative scenario provided in Section 6 demonstrates that def y(1) − y(2) the required gain to match the receiver’s hard-decoding BER ΔN = N N , (21) is 20 dB for three transmitters in Rayleigh fading. (1) (2) where yN and yN are two received constellation points. Since the probability for receiving one joint constellation 5. Practical Implementation point is independent of the probability for receiving any (1) (2) other constellation point, yN and yN are independent RVs. JCMA is based on superposition modulation with joint (1) (2) Also, yN and yN are characterized by complex normal decoding. Superposition modulation schemes require accu- 2 distributions with mean μN and variance σN . Another RV is rate symbol synchronization and power control, and defined as are adversely affected by mobility. These limitations are def 2 commonly deemed prohibitive in practical applications. ρN =|ΔN | , (22) Although superposition modulation is assumed in many theoretical works, practical means of implementation are where ρN has a chi-squared distribution with two degrees of usually not addressed, see [28–32], for examples. freedom and its PDF is given by [36] To implement JCMA, robust joint signal constellations −x/ σ2 and the transmitters’ symbols sets that construct them f x = exp 2 N ρN ( ) σ2 , (23) must be found offline. The joint constellations must not 2 N result in performance loss. Efficient low complexity joint where ρN is the squared Euclidean distance between two ran- decoding must be formulated as well. The expected increased domly chosen points from the joint constellation. It follows sensitivity to synchronization and power control errors must that for Gaussian noise, ρN governs system performance as it be mitigated without increasing implementation complexity. is directly related to BER. These issues are addressed in what follows. 2 To proceed, let us define a dN such that 2 Pr ρN >dN = 1 − δ, (24) 5.1. Joint Signal Constellations where δ is a small positive number. However, (24)means 5.1.1. Decoding Gain for Power Limited Transmitters. The that the probability that the Euclidian distance between two overall signal energy collected by the receiver’s MF in JCMA arbitrarily chosen points from the joint constellation would grows with the number of transmitters. However, this does be greater than dN is very close to 1. not necessarily mean that performance would be enhanced. 2 Let us find dN that satisfies (24). From (23), The BER of ML detection in Gaussian noise is governed by the Euclidean distance between points in the constellation ∞ d2 2 N Pr ρN >dN = fρN (x)dx = exp − . (25) [35]. A key requirement for enhancing performance with 2 2 dN 2σN JCMA is that the increased energy per joint symbol translates to an increase in the minimal Euclidean distance. In what Introducing (24)to(25) yields follows, a probabilistic approach is taken to prove that this 2 2 2 −2 is indeed the case. dN =−2σN ln(1 − δ) = σN ln (1 − δ) . (26) EURASIP Journal on Wireless Communications and Networking 9

σ2 >σ2 8 From (20), it follows that N+1 N , therefore, from (26),

7 d2 >d2 . N+1 N (27) 6

-QAM TDMA) 5 The minimum distance increases (in a probability sense) N as N increases. In other words, the increased energy reaching (2 min 4 the receiver is translated to increased distance between joint d constellation points at the receiver. 3 Now consider a Time Division Multiple Access (TDMA) (JCMA)/

system with power limited transmitters and the same data min

d 2 rate as a JCMA system. To maintain the same data rate as that of the JCMA system, the constellation of each 1 transmitter would have to become more crowded as N 2345678910 increases. Because the overall constellation power remains Number of transmitters N constant, the minimal distance of the received constellation Figure 3: Performance gain buildup using random symbol search. would decrease and performance would deteriorate.

5.1.2. Suboptimal Symbol Search. To find the optimal joint A parametric symbol search approach can be used as constellation, one must solve (3), (4)analytically.Thegoal well. The phase and amplitude of each BB constellation is to find BB symbol sets which maximize the minimal point is quantized with some resolution. The resulting joint Euclidean distance in the resulting joint symbol constel- constellation is tested for each sample of phase and ampli- lation. This is an optimization problem with quadratic tude. The granularity of the parametric search increases with constraint. While a closed form solution may be found the quantization resolution, and the result is asymptotically under limiting assumptions, this approach is avoided and optimal for infinitely small granularity. suboptimal search methods are used instead. This alternative To explore the proposed approach the joint constellation for N transmitters was optimized using a random symbol approach is justified because optimization is done only once N for a set of transmitters and is performed offline, so there is search. For comparison, a TDMA system using a 2 -QAM no need for a fast real-time solution. constellation is used, which results in the same overall bit d For simplicity of presentation it is assumed that each rate. Figure 3 displays the gain in min for the received transmitter has two symbols in its symbol set, which means constellations. It is clearly seen that JCMA results in better N that each transmitter has a single information bit represented constellations for all tested . This result shows that the in the joint constellation (or chip when forward error performance gain buildup proven before is achievable using correction is employed). To make sure no transmission the random symbol search approach and that JCMA is ffi power is wasted, each BB symbol set is made to be a rotated energy e cient. An example of a joint constellation obtained andscaledversionofBinary Phase Shift Keying (BPSK). viarandomsymbolsearchisgiveninSection 6. This insures that the mean value of each BB symbol set and the mean value of the joint constellation are zero. The 5.2. Maximum Likelihood Detection. The received joint sig- derivations that follow are easily applicable to more than one nal sample at the MF output is to be decoded based on bit (chip) per symbol. the expected joint constellation using ML detection. ML A random search approach can be used, for which detection in the presence of Gaussian noise boils down to symbol sets are found using a Monte Carlo simulation. A finding the constellation point which is closest to the received random set of BB symbols for each transmitter is randomly sample (minimal Euclidean distance). Performing ML detec- generated and is normalized to meet the power constraint tion using exhaustive search over all possible constellation in (4). The resulting joint constellation is derived and its points has algorithmic complexity of O(2N ). This complexity minimal Euclidean distance as defined in (3)isevaluated. grows exponentially with the number of transmitters. For Thisprocessisrepeatedinnumeroustrialsandthecollection systems with constrained resources, exhaustive search might of BB sets which result in the best joint constellation is be impractical to implement even for small values of N. chosen. It is possible to add constraints on the BB symbol For example, N = 3 requires calculating and comparing sets sizes to comply with Quality of Service (QoS) demands. eight Euclidean distances for every received symbol. This In addition, the peak power constraints may vary across complexity problem exists for any single transmitter user transmitters to address unequal channel fading attenua- constellation with 2N constellation points. Traditionally, in tions which could represent near-far scenarios common point-to-point systems the decoding complexity is reduced in multiple access scenarios. Preliminary results for such by using suboptimal constellations such as rectangular QAM. optimization scenarios were presented in [37]. The solutions Suboptimal constellations are designed to exhibit structural found with the random symbol search are asymptotically symmetries which are used for efficient decoding of the optimal as the number of search trials approaches infinity. received samples [38]. 10 EURASIP Journal on Wireless Communications and Networking

The JCMA constellation exhibits structural symmetries CSI by estimating the channel coefficient using some linear as well. Using a simple manipulation on the expression for estimator, such as a linear Minimum Mean Square Error the received joint symbol gives (MMSE) estimator. In Appendix A the required energy of the JCMA receiver N− 1 sent pilot signal is found with respect to that of a TDMA y = s s i = ... N. N i + n; 1, , (28) system, so that the JCMA system performance loss would n=1 n =/ i be the same as the TDMA system performance loss. This analysis results in a quantitative estimate of the effects of s Symmetry lines can be drawn between the BB symbols of i synchronization and power control errors, and the required N−1 s shifted to n=1 n. If the symmetry lines are drawn for all pilot energy to support the synchronization demands of n =/ i JCMA. In Appendix A it is shown that in order to achieve i = 1, ..., N symbol sets, the receiver’s observation space is the same synchronization/power control error in JCMA as divided to decision regions with a constellation point at the that of TDMA while maintaining the decoding gain, the center of each region. The ML decoding problem in Gaussian pilot energy used for channel estimation must have N times noise reduces to finding the decision region in which the more energy. This increase in energy can be achieved by received sample is located. using longer pilots resulting in decreased throughput or by Assuming the angles of the symmetry lines with the real increasing pilot signal power. Alternatively, the performance axis value in the complex plane are given by φi; i = 1, ..., N, gain can be waived by reducing the transmitters’ power the following guidelines for finding a computationally emission resulting in no need for increasing pilot energy. efficient ML decoding algorithm are defined. In JCMA a pilot is sent every channel decorrelation time. (1) Rotate the received joint symbol sample r by an angle In Appendix A the rate of pilot transmission for JCMA is of ϕ1: q = r exp(− jφ1). calculated to achieve the same channel decorrelation as for TDMA. This analysis results in a quantitative estimate of the (2) If qR = Re(q) is to the right of the symmetry line effects of mobility of transmitters and the required system intersection with the real axis, set Li = 1, else set Li resources to support such mobility (throughput loss due to = 0. pilot signal transmission). It is also shown that the JCMA (3) Repeat steps 1,2 for all i. system effectively shortens the channel decorrelation time. (4) Use Li; i = 1, ..., N to access a predefined Look This results in a need for more frequent pilot transmission Up Table (LUT) containing the bit loading of the which causes throughput reduction. As far as security is constellation point in the decision region of the concerned, the shortening of decorrelation time is a benefit. received sample. This is because faster variation in the channel allows for a higher cryptographic key generating rate. If the coding The algorithmic complexity of the suggested efficient ML gain is waived by reducing power emission, the decorrelation decoding is O(N). This is also the complexity of traditional N time is the same for JCMA and TDMA and no overhead on 2 -QAM ML decoding of a single transmitter with equal rate throughout is incurred. to a JCMA system with N transmitters and 1 bit per symbol Following the analysis in Appendix A we define the per transmitter. following piloting rule: if the transmitters in a JCMA setting use all their available power, decoding gain and faster key 5.3. Effects of Imperfect Power Control, Synchronization Errors generating rate are obtained at the expense of higher energy and Mobility. JCMA requires synchronization between the consumption. To support these benefits without degrading transmitters at the symbol level. This is a higher synchroniza- decoding the receiver’s pilot energy must be increased times tion demand than that of TDMA, for example. Methods with the number of transmitters. Alternatively, the decoding gain equivalent synchronization demands as those of JCMA are and fast channel decorrelation can be waived by reducing symbol-synchronous Code Division Multiple Access (CDMA) the transmitters’ power emission. This would result in same [26, 41], SM-SD [25], and the methods defined in [28–32]. energy consumption as that of a single transmitter and there In addition, JCMA demands a higher accuracy in power would be no need to increase pilot energy. control. In this section, the effects of synchronization errors, power control errors, and mobility on JCMA are discussed. For coherency of presentation, the rigorous analysis leading 5.4. Network Management. JCMA is expected to operate in to this discussion is given in Appendix A. a multiple access scenario. Multiple access scenarios require Lack of perfect synchronization is manifested by errors network management protocols to resolve near-far problems, in the channel phase estimates, and inaccurate power control facilitate QoS requirements, and optimize the overall data is manifested by errors in the channel amplitude estimate. throughput. It follows that both are accurately modeled by an additive In the classical CDMA near-far scenario, a dominant complex RV representing an error in the channel estimate transmitter deprives other transmitters from service by (CSI errors). The effects of CSI errors (phase and amplitude) masking their transmitted signal at the receiver. The solution on system performance are analyzed in a comparative is to use power-control by the receiver to reduce the power of manner to TDMA. Since the transmitters are required to be the dominant transmitter so that other transmitters can be simple in design, we assume that each transmitter obtains its detected as well. In JCMA each transmitter adjusts its power EURASIP Journal on Wireless Communications and Networking 11 emission according to channel fading and the symbol set it 500 is assigned by the receiver. The receiver can solve near-far 450 scenarios by assigning symbol sets which should be received N = 1, 2, 3, 4, 5 with low power to transmitters with higher attenuating 400 channels. Transmitters with lower attenuating channels can 350 N be assigned a symbol set with higher power in the joint 300 = 1, 2, 3, 4, 5 constellation. Another possible solution is to match transmitters into 250 η = 0.9 JCMA groups according to the channel they experience over 200 different subcarriers. This is an extension of OFDM-Access Doppler spread (Hz) 150 (OFDMA). In OFDMA subcarriers are allocated to different η = 0.99 transmitters according to the quality of their channel over the 100 frequency selective bandwidth. The basic idea is to allocate 50 parts of the bandwidth to each transmitter in an efficient 0 way so that the overall network throughput is increased. 20 40 60 80 100 120 140 160 180 200 In JCMA transmitters should be grouped to facilitate the Coherent bandwidth (KHz) construction of the joint signal constellation at the receiver with minimal power-loss due to power reduction at the Figure 4: Minimal Doppler spread for security, Rayleigh fading; N = dominant transmitters. 1, 2, 3, 4, 5. In addition, it is possible to perform offline optimization of symbol sets to resolve specific near-far scenarios. The B resulting symbol sets would be kept at the transmitters’ Figure 4 depicts the minimum d required for achiev- symbol sets tables and used when the receiver dims it ing information theoretic security for the entire channel B N = appropriate. This possibility does not exist in a classical decorrelation period as a function of c for 1, 2, 3, 4, 5 η = . . CDMA system. and 0 9, 0 99. The arrows directions indicate increasing N N Offline optimization of symbol sets can be defined with values of . It is evident that increasing lowers the B B different sizes of the transmitters’ symbols sets. A transmitter required d dramatically for a given c. The decrease is N η = . B with a larger symbol set size would be represented at the joint moderated as increases. For 0 9, the required d is ffi constellation with more bits and so its throughout would be very high, making it di cult to use the method for securing η = . higher than that of the other transmitters. the entire decorrelation period. However, for 0 99, the required Bd is reasonably low for practical channels. For example, consider the IEEE 802.16e standard (a.k.a. mobile 6. Illustrative Scenario—Rayleigh Fading WiMax) [42]. In [42] the delay spread is assumed to be μ B = Performance in Rayleigh fading channels is evaluated in 10 s, which means that c 100 kHz. For this value of B N = what follows. First, the channel conditions for achieving c, the Rayleigh fading channel achieves security for B ≥ information theoretic security are depicted for various N in 1, 2, 3, 4, 5 when d 382 Hz, 191 Hz, 127 Hz, 96 Hz, 76 Hz, respectively. Assuming a carrier frequency of fc = 3.5 GHz, accordance with the condition in (17). Following analysis B of information theoretic security, a JCMA setting of three these values of d correspond to relative velocities between v ≥ / transmitters is depicted, including generating the joint transmitter and receiver of 60, 30, 20, 15, 12 [km h], constellation and an algorithm for efficient ML decoding. respectively. These velocities are expected for many mobile The effects of security factors 1, 3, and 4 described before are scenarios. evaluated and demonstrated as well. A scenario with three transmitters was also used in the preliminary analysis given 6.2. Security by Complexity—Three Transmitters. In this in [40]. illustrative Rayleigh fading scenario, subcarriers are over- loaded by 3 transmitters in a JCMA setting. The symbol sets S n = 6.1. Information Theoretic Security. Recall that α in (17)has n, 1, 2, 3 were found using a random symbol search {d } to be set according to the temporal decorrelation behavior with max min defined in (3) being the optimizing criterion of the channel. The normalized temporal autocorrelation and (4) being the optimization constraint. The following ffl function for a Rayleigh fading channel is given by [33] symbol sets were found o ine and assigned arbitrarily to the transmitters: R(τ) = J0(2πBdτ), (29) S = 0.7124 exp − j2.5558 ;0.7124 exp j0.5858 , J · 1 where 0( ) is the zero-order Bessel function of the first kind and τ is the time difference. J0(2.4) ≈ 0 for the shortest S2 = 0.9965 exp j1.3720 ;0.9965 exp − j1.7696 , elapsed time. This is equivalent to setting τ = 2.4/2πBd in S = . − j . . j . . (29), so it makes sense to set α = TdBd(2.4/2π) = 0.382. 3 0 9890 exp 0 2016 ;09890 exp 2 9400 Using α = 0.382 in (17) results in (31) 1 − η 0.382Bc The received joint constellation at the intended receiver Bd ≥ . (30) N along with the corresponding bit mapping is depicted in 12 EURASIP Journal on Wireless Communications and Networking

Table 1: LUT for ML detection of the three transmitters scenario.

qI < −0.775 −0.775 ≤ qI < 0.775 0.775 ≤ qI qR < −1.545 If (uI < 0.555) 010 else 011 011 If (uR < −0.555) 011 else 001 −1.545 ≤ qR < 0 010 111 001 0 ≤ qR < 1.545 110 000 101 1.545 ≤ qR If (uR < 0.555) 110 else 100 100 If (uI < −0.555) 100 else 101

90 2.5 90 1.5 120 60 120 110 60 2 1 101 1.5 150 30 150 30 100 1 010 0.5 000 001 0.5 000 111 100 180 0 180 0

111 011 001 110

011 210 330 210 330 010 101 240 300 240 300 270 270 Figure 5: Joint constellation for the three transmitters scenario. Figure 6: 8QAM constellation of TDMA reference system.

Figure 5. Each set of 3 bits represents the bits of TX1, TX2, 100 and TX3 from left to right, respectively. Notice that the average energy of the received constellation is larger than 1. Interestingly, this joint constellation has the exact structure of a type of 8QAM constellation used in some industry 10−1 standards for a single transmitter signal [43, page 53]. Note that the joint constellation is not Gray coded. Although this increases BER, it would be shown below that performance is satisfactory. Bit error rate Next an eﬃcient ML decoding algorithm is designed, 10−2 based on constellation symmetries. The algorithm comprises three steps for decoding a received joint sample r. (1) Rotate the received sample: q = r exp(− j 0.1865π). 10−3 (2) Calculate 0 5 10 15 20 25 30 Signal to noise ratio (Es/N0)(dB) qR = Re q , 1 TX 8-QAM, exhaustive ML 3 TX JCMA, exhaustive ML qI = Im q , 3TXJCMA,eﬃcient ML jπ (32) Eavesdropper, exhaustive ML uR = Re q ∗ exp − , 4 Figure 7: Performance curves for the three transmitters scenario. jπ uI = Im q ∗ exp − . 4 For hard decoding, each table entry denotes the decoded bits of TX1, TX2, and TX3 from left to right, respectively. (3) Use Table 1 for decoding. For soft decoding, the distance between q and the closest EURASIP Journal on Wireless Communications and Networking 13

90 5 90 3 90 1.5 120 60 120 60 120 60 2.5 2 010 1 150 001 30 150 100 30 150 110 30 1 0.5 000 101 001 000 101 000 180 100 011 0 180 0 180 100 011 0 010 111 111 111 110 011 010 210 110 330 210 330 210 001 330 101 240 300 240 300 240 300 270 270 270 Time Td 2Td 3Td Figure 8: Consecutive joint constellations of eavesdropper. joint constellation point has to be evaluated. This efficient To gain insight on the impact of security factors 1 decoding algorithm consists of three easy steps and its com- and 3 described in Section 4.2 on decoding, representative plexity is much lower than that of exhaustive ML decoding. joint constellations of the eavesdropper are depicted in The JCMA setting is compared to a TDMA transmitter using Figure 8. Note how the joint constellation varies from apowerefficient circular 8-QAM constellation with the same pilot to pilot, implying the high decoding complexity. In power constraint. The 8-QAM constellation is depicted in addition, note how close the constellation points are to Figure 6. one another, implying the high probability for decoding In Figure 7, hard decoding BER versus SNR (defined errors. here as the ratio between the average energy per transmitter symbol and the noise variance at the receiver) is depicted for the JCMA setting and compared to TDMA. Results were 7. Conclusion obtained using computer simulation. A gain of 4.4 dB is achieved with JCMA while adhering to the transmitters’ A multiple access method for securing OFDM over wireless power constraint. This means that the increased overall time-varying channels was proposed and analyzed. The energy invested in JCMA (3 times more than TDMA, method uses reverse piloting for implementing superpo- equivalent to 4.7 dB) was successfully translated to perfor- sition modulation with joint decoding at the receiver. It mance gain. The marginal loss of 0.3 dB is attributed to the makes use of channel randomness, reciprocity, and fast lack of Gray coding. Note that the efficient ML decoding decorrelation in space to secure transmission with low algorithm performs as well as the exhaustive ML decoding overheads. Security strengths of the method were evaluated algorithm. and practical means of implementation were suggested To analyze the impact of security Factor 4 described in based on analytical analysis. Channel and system parameters Section 4.2, BER of the receiver is also compared to that were explicitly derived for achieving information theoretic of an eavesdropper using a single MF and exhaustive ML security of entire transmission bursts, and features of security hard decoding. Both receiver and eavesdropper experience by complexity were assessed and demonstrated. Means a Rayleigh fading on all channels. It is clear that for for generating and efficiently decoding joint constellations the eavesdropper ML decoding BER is unsatisfactory for were presented. It was proven that in addition to security, decoding the data. For example, if the receiver operates at the method also offers decoding gain for power-limited −3 Es/N0 of 9 dB, it would experience a BER of 10 , and the transmitters. The effects of imperfections due to mobility, eavesdropper would experience a BER of 10−1. It follows that power control errors, and synchronization errors were for the given scenario the eavesdropper cannot effectively analyzed and practical means for addressing them were decode the messages from the nodes, even when the unicity given. It was proven and demonstrated that both security distance has passed and security factors 1–3 described in strength and decoding gain increase with the number of Section 4.2 are compromised. transmitters and that information theoretic security with The eavesdropper can reduce BER by applying soft low overheads is achievable for mobile scenarios in practical decoding instead of hard decoding and also apply multiple communication systems. Implementing the method requires antennas reception. However, to match the receivers hard the same computational complexity as a standard point-to- decoding BER of 10−3 the eavesdropper would need to point communication system, and mitigating the effects of achieve an SNR gain of 20 dB, and at least some of the mobility, power control errors, and synchronization errors gain achieved by the eavesdropper would be matched by reduces to a simple piloting rule. The low computational implementing low complexity soft decoding at the receiver. complexity and feasibility of implementation make the It follows that the decoding complexity of the eavesdropper method a good solution for securing OFDM transmis- must be high enough to obtain an SNR gain of at least 20 dB. sion in wireless systems where the complexity associated The SNR gain required at the eavesdropper for decoding is a with implementing traditional security algorithms is pro- clear indication of security by complexity. hibitive. 14 EURASIP Journal on Wireless Communications and Networking

TX RX TXChannel RX Channel h εJ ∗ h εT ∗ ( i + i ) 1 ( i + i ) J |h ε |2 |h εT | |h εT | i + i i + i hi i + i hi

T E sJ y E0si y 0 i

Figure 9: Single transmitter in TDMA. Figure 10: Single transmitter in JCMA.

Appendix JCMA System. The JCMA BB model for a single transmitter with CSI errors and power control is depicted in Figure 10, J J A. Effects of Imperfections on Performance where si and εi are the JCMA transmitted symbol and channel estimation error of transmitter i,respectively. A.1. Synchronization and Power Control Errors Here the channel is estimated at TX alone and is compensated prior to transmission. In the same manner as TDMA reference system. The TDMA BB model for a single in (A.2) it follows that for a single transmitter, transmitter (indexed i) with CSI errors and power control E is depicted in Figure 9,where 0 is the energy per symbol J ∗ hi + εi hi h needed at the receiver to achieve a certain performance level, y = E sJ = E sJ i T 0 i 0 i J hi is the complex valued channel fading coefficient, si is the J 2 h ε T hi + εi i + i TDMA symbol, and εi is the channel estimation error. (A.3) Since the transmitters are required to be simple in design, εJ ≈ E sJ E sJ i . we assume that a linear estimator is used at each transmitter 0 i + 0 i h for estimating the channel coefficient, such as a linear MMSE i εT estimator. For MMSE estimators, i is modeled as a complex The last estimation in (A.3) is given using a Taylor expansion normal random variable with zero mean and arbitrary J T with |εi | |hi|. The synchronization error of a single variance [44–49], and εi is uncorrelated with hi. zJ def= E sJ εJ /h At RX, the channel is estimated and compensated transmitter in JCMA 0 i ( i i) has the same for phase by an erroneous estimate of the channel statistics as that of TDMA. T ∗ T Now consider the entire JCMA system: (hi + εi ) /|hi + εi |. The channel estimated at RX is fed back to the transmitter for allowing the transmitter to compensate N εJ N N εJ for channel fading before performing power control. It is J J i J J i y = E0si + E0si = E0si + E0si . /|h εT | hi hi assumed this is done without error. It follows that, 1 i + i i=1 i=1 i=1 represents the TX compensation for fading. (A.4) Power control is achieved by setting E0 and compensat- N ing for the fading |hi|. It follows that J def J J The JCMA synchronization error is Z = ( E0si (εi /hi)). h i=1 T i J y = E si . (A.1) ε i = ... N 0 h εT The estimation errors i ; 1, 2, , are uncorrelated i + i and identically distributed. The same is true for the channels J Since channel estimation has to be fairly accurate, the hi and information symbols si . It follows that pilot energy is such that high SNR is achieved for channel T J J estimation. It follows that εi is expected to be much smaller var Z = N var z . (A.5) in magnitude than hi and so Pr(|hi| |εi|) ≈ 1. Using this assumption (A.1)reducesto The channel is estimated at TX using a pilot signal ⎛ ⎞ T from RX. Channel estimation using pilot signaling is well T ⎝ 1 ⎠ T 1 εi ffi y = E s hi ≈ E s hi − established in theory and practice [44–49], and an “e cient 0 i T 0 i h 1 h hi 1+εi /hi i i estimate” as defined in [50] is obtained. This means that the Cramer Rao Bound (CRB) for the channel estimation error is T T T εi achievable. = E0si − E0si . hi It is assumed that all transmitters are able to compensate (A.2) for the channel fading |hi| with their limited peak power. This means that |hi| is higher than some threshold value. T def T T The term z = E0si (εi /hi) represents the synchroniza- If |hi| falls beneath this threshold the transmitter fails tion error and its variance is with relation to δ. to compensate for it and the connection between this EURASIP Journal on Wireless Communications and Networking 15 transmitter and the receiver cannot be maintained. This Equation (A.13) gives the required energy of the JCMA phenomenon occurs in all multiple access methods in fading pilot signal sent by the receiver to achieve the same degrada- channels and is usually solved at a high level protocol. In tion in decoding as for an equivalent TDMA system. cellular telephony, for example, a failing transmitter roams to a different Base Station (BS) for service. A.2. Mobility and Channel Decorrelation. Channel decorre- The CRB for efficient ML estimation of a random lation manifests itself in a shift of the joint constellation variable in AWGN is given by [50] points from their original position. The probability for a −1 more significant shift increases as time passes from the 2var(h)Ep var(ε) = var(h) ,(A.6)last channel estimation time (pilot transmission time). It N0 follows that channel decorrelation directly influences the shift in constellation points over time. We evaluate this where Ep is the energy of the pilot symbol, and N0 is the influence by deriving the expected shift of a constellation AWGN noise variance. point over time. A closely related approach is used when Using (A.6), it is possible to calculate the needed increase evaluating transmitter performance in the presence of linear in pilot energy for JCMA in order to achieve the same and nonlinear distortions using Error Vector Magnitude synchronization/power control error as that of TDMA. For (EVM) [51–53]. EVM is a well-founded parameter used to this the error variances must be equated: characterize the quality of communication and is closely related to BER [51–53]. var ZJ = var zT . (A.7) An EVM-like approach is used here for JCMA. Dis- regarding the additive noise and errors in the channel Since the variance of a sum is the sum of variance, (A.7)is estimate at the receiver, the received constellation points also of any communication system are supposed to remain constant over time. However, as the channel decorrelates J T the points shift randomly, due to a discrepancy between the Nvar z = var z (A.8) last channel estimate and the true value of the time-varying channel. Equivalently, in accordance with (A.2), (A.4): The shift of a specific constellation point over time is a J T stochastic process defined as J εi T εi N var E0si = var E0si ,(A.9) hi hi Δy0(t) = y0(t) − y0(t0), (A.14)

J J T T where si , εi , si , εi , hi; i = 1, ..., N are all uncorrelated and where t0 ≤ t is the last time the channel was estimated (a have zero mean, so (A.9) is also pilot signal was sent) and y0(t0) ∈ y,wherey denotes the J constellation set. For ease of notation the index is dropped 2 2 2 NE E sJ E εJ E 1 from the following derivation. There is a one to one mapping 0 i i h i between x ≡ [x1, x2, ..., xN ]; xi ≡ sihi(t0)andy0(t)given (A.10) by 2 2 2 = E E sT E εT E 1 . 0 i i h i N y0(t) = [xihi(t)]. (A.15) 2 Note that E(|1/hi| ) < ∞ because it is assumed that the i=1 2 transmitter can compensate for fading, so |hi| is higher than some threshold. According to the peak power constraint, It follows that J 2 T 2 E(|si | ) = E(|si | ), and (A.10)reducesto N N N y t = xihi t − xihi t = xi hi t − hi t . J 2 T 2 Δ 0( ) [ ( )] [ ( 0)] [ ( ( ) ( 0))] NE εi = E εi . (A.11) i=1 i=1 i=1 (A.16) Now using (A.6), In a classical EVM approach, the variance of − 2 J 1 T −1 Δy0(t)/maxy (t )(|y0(t0)| )shouldbeaveragedoverall 2var(h)Ep 2var(h)Ep 0 0 N h = h . points in the constellation. Because the focus of analysis var( ) N var( ) N 0 0 is performance degradation of a communication link due (A.12) to channel decorrelation, it would be biased in favor of JCMA to normalize Δy0(t), since higher overall energy is Equation (A.12) reduces to the compact expression: invested in the JCMA constellation. In the following analysis the conditional variance of Δy0(t) is evaluated without J T Ep = NEp . (A.13) normalization and then averaged over all points in the 16 EURASIP Journal on Wireless Communications and Networking constellation: that since the in-phase and quadrature components of all channels are uncorrelated, R(t) is a real function and, E Δy0(t) | x ∗ ∗ therefore, R(t) = E(hi(t)hi (t0)) = E(hi(t0)hi (t)). It follows N (A.17) that = x E h t − E h t = [ i( ( i( )) ( i( 0)))] 0, N i= ∗ 2 1 E y (t )y (t) | x = |xi| R(t) . (A.22) 0 0 0 i=1 var Δy0(t) | x Using (A.20), (A.21), (A.22)in(A.18) yields = E y t | x 2 (Δ 0( ) ) yJ t | xJ # $ ∗ var Δ 0( ) = E y0(t) | x − y0(t0) | x [y0(t) | x − y0(t0) | x] N J 2 J 2 2 = x h − R t def= y t = E y0(t) | x + E y0(t0) | x 2 i (var( ) ( )) var Δ 0( ) , i= 1 − E y t | x y∗ t | x (A.23) 0( ) 0 ( 0) − E y t | x y∗ t | x J 0( 0) 0 ( ) , where the superscript was reintroduced. (A.18) ForTDMAthisvarianceisgivenby 2 yT t | xT E y0(t) | x var Δ 0 ( ) i ⎛ ⎞ 2 N N = yJ t | xJ | = xT h − R t ⎝ ∗ ∗ ⎠ var Δ 0( ) N=1 2 i (var( ) ( )), = E [xihi(t)] xj hj (t) (A.24) i=1 j=1 (A.19) ⎡ ⎤ J N N xT ≡ sT h t yT t < y t where i i i( 0). Obviously, var(Δ 0 ( )) var (Δ 0( )) ⎣ ∗ ∗ ⎦ J = xixj E hi(t)hj (t) . y t N and var(Δ 0( )) increases with . It is easy to show that if i=1 j=1 2 normalization of Δy0(t)/|y0(t0)| was initially introduced to The channels are i.i.d, therefore, (A.18), the result would have been the same for TDMA and JCMA. E y (t) | x2 To compare decorrelation times (A.23)and(A.24) 0 tJ tT ⎛ ⎞ should be equated. Let p and p be the time passed N N between consecutive pilots in JCMA and TDMA respectfully. ⎝ ∗ ⎠ = xixj δi,j var(h) Equating (A.23)and(A.24) yields i=1 j=1 (A.20) T T T J J J var y tp | xi = var y tp | x . (A.25) N Δ 0 Δ 0 2 = var(h) |xi| , i=1 Now, using (A.23)and(A.24)in(A.25),

2 N where var(h) ≡ E(|hi(t)| )forall(i, t.), T 2 T J 2 J 2xi var(h) − R tp = 2 xi var(h) − R tp . E y t y∗ t | x i=1 0( ) 0 ( 0) (A.26) ⎛ ⎞ N N ⎝ ∗ ∗ ⎠ The solution to (A.26) depends on the channel fading = E [xihi(t)] xj hj (t0) i=1 j=1 instance and the symbols being transmitted. Averaging over ⎛ ⎞ all channel instances and symbol types on both sides of N N (A.26)gives = ⎝ x x∗E h t h∗ t ⎠ i j i( ) j ( 0) i=1 j=1 (A.21) T 2 T 2E xi var(h) − R tp N 2 ∗ N (A.27) = |xi| E hi(t)hi (t ) 2 0 = E xJ h − R tJ i=1 2 i var( ) p , i=1 N 2 T 2 2 T = |xi| R(t) , E si E |hi| var(h) − R tp i=1 N (A.28) def ∗ J 2 2 J where R(t) = E(hi(t)hi (t0)) is the channel autocorrelation = E si E |hi| var(h) − R tp . function and depends on the channel fading statistics. Notice i=1 EURASIP Journal on Wireless Communications and Networking 17

T 2 J 2 2 However, E(|si | ) = E(|si | ), E(|hi| ) = var(h)foralli,so [13] P. K. Gopala, L. Lai, and H. El Gamal, “On the secrecy capacity (A.28)reducesto of fading channels,” IEEE Transactions on Information Theory, vol. 54, no. 10, pp. 4687–4698, 2008. R tT h N − [14] Y. Liang and H. V. Poor, “Secure communication over fading J p +var( )( 1) R tp = . (A.29) channels,” in Proceedings of the 44th Annual Allerton Confer- N ence on Communication Control, and Computing,Monticello, Ill, USA, September 2006. J T The functions R(tp)andR(tp ) are monotonic decreasing [15] Y. Liang, H. V. Poor, and S. Shamai, “Secrecy capacity region functions until full decorrelation is reached for the ﬁrst time, of fading broadcast channels,” in Proceedings of the IEEE so if the inverse of (A.29) is taken and noting that R(t = 0) = International Symposium on Information Theory (ISIT ’07),pp. var(h), we get 1291–1295, Nice, France, June 2007. [16] Y. Liang, H. V. Poor, and S. Shamai, “Secrecy capacity region R tT R N − of parallel broadcast channels,” in Proceedings of the IEEE J − p + (0)( 1) tp = R 1 μ , μ = . (A.30) Information Theory and Applications Workshop (ITA ’07),pp. N 245–250, San Diego, Calif, USA, February 2007. μ [17] M. Debbah and M. Kobayashi, “On the secrecy capacity of Rearranging gives frequency-selective fading channels: a practical vandermonde approach,” in Proceedings of IEEE Annual International Sym- T (N − 1) T posium on Personal, Indoor and Mobile Radio Communications μ = R tp + R(0) − R tp . (A.31) N (PIMRC ’08), pp. 1–5, Cannes, France, September 2008. [18] J. E. Hershey, A. A. Hassan, and R. Yarlagadda, “Uncon- T T J T Since R(0) >R(tp ), μ>R(tp ) which means that tp

[30] F. N. Brannstr¨ om,¨ T. M. Aulin, and L. K. Rasmussen, “Iterative [50] H. L. Van Trees, Detection, Estimation, and Modulation detectors for trellis-code multiple-access,” IEEE Transactions Theory—Part I, John Wiley & Sons, New York, NY, USA, 2001. on Communications, vol. 50, no. 9, pp. 1478–1485, 2002. [51] A. Georgiadis, “Gain, phase imbalance, and phase noise effects [31] J. A. F. Ross and D. P. Taylor, “Vector assignment scheme for on error vector magnitude,” IEEE Transactions on Vehicular M+N users in N-Dimensional global additive channel,” IEEE Technology, vol. 53, no. 2, pp. 443–449, 2004. Electronic Letters, vol. 28, no. 17, pp. 1634–1636, 1992. [52] R. A. Shafik, M. S. Rahman, A. H. M. R. Islam, and N. S. [32] J. A. F. Ross and D. P. Taylor, “Multiuser signaling in the Ashraf, “On the error vector magnitude as a performance symbol-synchronous AWGN channel,” IEEE Transactions on metric and comparative analysis,” in Proceedings of the 2nd Information Theory, vol. 41, no. 4, pp. 1174–1178, 1995. International Conference on Emerging Technologies (ICET ’06), [33] W. C. Lee, Mobile Communication Engineering, McGraw-Hill, pp. 27–31, Islamabad, Pakistan, November 2006. New York, NY, USA, 1982. [53] J. L. Pinto and I. Darwazeh, “Error vector magnitude relation [34] C. E. Shannon, “Communication theory of secrecy systems,” to magnitude and phase distortion in 8-PSK systems,” Elec- Bell Systems Technical Journal, vol. 28, pp. 656–715, 1949. tronics Letters, vol. 37, no. 7, pp. 437–438, 2001. [35] J. G. Proakis, Digital Communication,McGrawHill,NewYork, NY, USA, 2000. [36] A. Papoulis, Probability, Random Variables, and Stochastic Processes, McGraw-Hill, New York, NY, USA, 3rd edition, 1991. [37] G. R. Tsouri and D. Wulich, “Wireless channel access through jointly formed signal constellations,” in Proceedings of the IEEE Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC ’06), pp. 1–5, San Diego, Calif, USA, September 2006. [38] E. A. Lee and D. G. Messerschmitt, Digital Communication, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1988. [39] F. Vanhaverbeke, Digital communications through oversatu- rated channels, Ph.D. thesis, Ghent University, Ghent, Bel- gium, 2005, http://telin.ugent.be/∼fv/eigen publicaties.html. [40] G. R. Tsouri and D. Wulich, “A Physical transmission security layer for wireless multiple access communication systems,” in Proceedings of the European Signal Processing Conference (EUSIPCO ’07), Poznan, Poland, September 2007. [41] S. Verdu,´ “Capacity region of gaussian CDMA channels: the symbol- synchronous case,” in Proceedings of 24th Allerton Conference on Communication, Control and Computing,pp. 1025–1034, Urbana, Ill, USA, October 1986. [42] IEEE, “Part 11: wireless LAN medium access control (MAC) and physical layer (PHY) specifications,” IEEE Standard 802.16e, November 2005. [43] ANSI/SCTE 79-1, “Data Over Cable Systems 2.0, Part 1: Radio Frequency Interface,” 2003. [44] Y. Li, “Pilot-symbol-aided channel estimation for OFDM in wireless systems,” IEEE Transactions on Vehicular Technology, vol. 49, no. 4, pp. 1207–1215, 2000. [45]O.Edfors,M.Sandell,J.J.D.Beek,S.K.Wilson,andP. O. Borjesson, “OFDM channel estimation by singular value decomposition,” IEEE Transactions on Communications, vol. 46, no. 7, pp. 931–939, 1998. [46] L. Berriche, K. Abed-Meraim, and J. C. Belfiore, “Cramer- rao bounds for MIMO channel estimation,” in Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP ’04), vol. 4, pp. 397–400, Montreal, Canada, May 2004. [47] B. Hassibi and B. M. Hochwald, “How much training is needed in multiple-antenna wireless links?” IEEE Transactions on Information Theory, vol. 49, no. 4, pp. 951–963, 2003. [48] M. Dong and L. Tong, “Optimal design and placement of pilot symbols for channel estimation,” IEEE Transactions on Signal Processing, vol. 50, no. 12, pp. 3055–3069, 2002. [49] X. Tang, M. S. Alouini, and A. J. Goldsmith, “Effect of channel estimation error on MQAM BER performance in rayleigh fading,” IEEE Transactions on Communications, vol. 47, no. 12, pp. 1856–1864, 1999. Hindawi Publishing Corporation EURASIP Journal on Wireless Communications and Networking Volume 2009, Article ID 305146, 13 pages doi:10.1155/2009/305146

Research Article Two-Hop Secure Communication Using an Untrusted Relay

Xiang He and Aylin Yener

Wireless Communications and Networking Laboratory, Electrical Engineering Department, The Pennsylvania State University, University Park, PA 16802, USA

Correspondence should be addressed to Aylin Yener, [email protected]

Received 4 December 2008; Revised 8 August 2009; Accepted 8 October 2009

Recommended by Hesham El-Gamal

We consider a source-destination pair that can only communicate through an untrusted intermediate relay node. The intermediate node is willing to employ a designated relaying scheme to facilitate reliable communication between the source and the destination. Yet, the information it relays needs to be kept secret from it. In this two-hop communication scenario, where the use of the untrusted relay node is essential, we ﬁnd that a positive secrecy rate is achievable. The center piece of the achievability scheme is the help provided by either the destination node with transmission capability, or an external “good samaritan” node. In either case, the helper performs cooperative jamming that confuses the eavesdropping relay and disables it from being able to decipher what it is relaying. We next derive an upper bound on the secrecy rate for this system. We observe that the gap between the upper bound and the achievable rate vanishes as the power of the relay node goes to inﬁnity. Overall, the paper presents a case for intentional interference, that is, cooperative jamming, as an enabler for secure communication.

Copyright © 2009 X. He and A. Yener. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction to steer the transmitted signal away from an eavesdropper [14–16], transmitting with the intention of jamming the Information theoretic security was proposed by Shannon [1]. eavesdropper [8, 10, 17], and taking advantage of variations The idea of measuring secrecy using mutual information in channel state to provide secrecy [18–20]. lends itself naturally to the investigation of how the channel The focus of this work is on a class of relay networks can influence secrecy and further to the characterization of where the source and the destination have no direct link the fundamental limit of secure transmission rate. Wyner, and thus can only communicate utilizing an intermediate in [2], defined the wiretap channel, and showed that secure relay node. This models the practical scenario where direct communication from a transmitter to a “legitimate” receiver communication between the source and the destination is is possible when the signal received by the wiretapper too “expensive” in terms of power consumption: direct com- (eavesdropper) is degraded with respect to that received by munication may be used to send some very low rate control the legitimate receiver. Reference [3] identified the secrecy packages, for example to initialize the communication, but capacity of the general discrete memoryless wiretap channel. it is infeasible to sustain a nontrivial reliable communication The secrecy capacity of the Gaussian wiretap channel is rate due to the power constraint. found in [4]. In such a scenario, the source-destination pair needs the Recent progress in this area has extended classical infor- relay to communicate. On the other hand, more often than mation theory channel models to include secrecy constraints. not, this relay node may be “untrusted” [11]. This does not Examples are the multiple access channel, the broadcast mean the relay node is malicious, in fact quite the opposite, channel, the two-way channel, the three-node relay channel it may be part of the network and we will assume that it is and the two-user interference channel [5–13]. These studies willing to faithfully carry out the designated relaying scheme. are beginning to lead to insights for designing secure The relay simply has a lower security clearance in the network wireless communication systems from the physical layer up. and hence is not trusted with the confidential message it Prominent such examples include using multiple antennas is relaying. Equivalently, we can assume the confidential 2 EURASIP Journal on Wireless Communications and Networking

Phase 1 Y Phase 1 X message is one used for identification of the source node X1 1 2 for authentication, which should never be revealed to a relay R/E 2 node in order not to be vulnerable to an impersonation 1 X Y attack. In all these cases, we must assume there is an r Phase 2 2 eavesdropper colocated at the relay node when designing the system. Figure 1: Two-hop communication using an untrusted relay. The “untrusted” relay model, or the eavesdropper being colocated with the relay node, was first studied in [9]for the general relay channel, with a rather pessimistic outlook, case where both the eavesdropper and the legitimate receiver finding that for the degraded or the reversely degraded observes a modulus Λ channel and the destination carries relay channel the relay node should not be deployed. More out the jamming. We note that all these works deal with optimistic results for the relay channel with a colocated an external eavesdropper, in contrast to the focus of this eavesdropper have been identified recently in [11, 21, 22]. work, which is an untrusted (but legitimate) node in the Specifically, it has been shown that the cooperation from network. the relay may, in fact, be essential to achieving nonzero In general, the optimality of recruiting a helpful jammer secrecy rate [11, 21]. The model is later extended to the remains open as the converse results are limited. For the more symmetric case in [23, 24] where the relay also has a Gaussian case, the main difficulty is to find a upper bound confidential message of its own, which must be kept secret for which the optimal input distribution can be found from the destination. and evaluated. Doing so usually involves the introduction All these models assume that a direct link between the of genie information, as in the converse for the Gaussian source and the destination is present including our previous wiretap channel [4], MIMO wiretap channel [14]andMAC work [11]. In contrast, when there is no direct link, it is wiretap channel [31]. The proofs then typically invoke the impossible for this network to convey a confidential message entropy power inequality, as in [4], or the generalized from the source to the destination while keeping it secret entropy power inequality, as in [32]. from the relay [9]. This is because the destination can In this work, we derive a computable upper bound for only receive signals from the relay resulting in a physically the model in consideration by first introducing a second degraded relay channel [25]. Therefore, the relay knows eavesdropper, an approach first used for a three-node relay everything the destination knows regarding the confidential channel in [11]. Next, after several steps of genie arguments, message, and the secrecy capacity is zero. the channel is transformed into a wiretap channel with The differentiating feature of the model studied in this a helpful jammer, whose outer bound is then evaluated. work from those described above including [11] is that The resulting bound is nontrivial in the sense that it is the destination has transmission capability. This opens the strictly tighter than the bound for the same channel without possibility of the destination node to actively participate in secrecy constraints. We also prove that it is tighter than an ensuring the secrecy of the information it wants to obtain. upper bound derived using the generalized entropy power In an effort to address a practical two-hop communication inequality following a similar approach to [32], when the scenario, we shall consider each node to be half-duplex, maximum sum received SNR at the relay is greater than 0 dB. which leads to a two-phase communication model. In We show that the gap between the bound and the achievable addition, feedback to the source is not considered in the rates converges to zero when the power of the relay goes to channel model. Interestingly, in this model, the transmission infinity. capability of the destination proves to be the enabler of secure The paper is organized as follows. Section 2 presents communication. By recruiting the help of the destination the channel model and the two-phase protocol that utilizes to do “cooperative jamming”, positive secrecy rate can be cooperative jamming. In Section 3, we derive the achievable achieved that would not have been possible otherwise. We rates. Section 4 presents our upper bound and compares with also remark that in case the transmission by the destination is other known upper bounds. Section 5 presents the numerical not possible or desired, the help from an external cooperative results. Finally, Section 6 presents the conclusion. jammer will do as well. The following notation is used throughout this work: We Theideaofusingahelpfuljammergoesbackto[17, use H to denote the entropy, h to denote the differential 26, 27] and has since been used in many different models. entropy, and εk to denote any variable that goes to 0 when Besides the multiple access, two-way [8] and relay wiretap n goes to ∞.WedefineC(x) = (1/2)log (1 + x). channels [10], other recent results that use “cooperative 2 jamming” as the part of the achievability scheme, include [28–30]. In [28], a separate jammer is added to the classical 2. Channel Model Gaussian wiretap channel model. The jamming signal is revealed to the legitimate receiver via a wired link so that The system model is shown in Figure 1. We assume all nodes an advantage over the eavesdropper is gained. Reference are half-duplex and the communication alternates between [30] does not assume the wired connection, and employs a two phases, called phase one and phase two respectively. scheme tantamount to the two user multiple access channel During phase one, shown with solid lines in Figure 1, the with an external eavesdropper where one of the users source transmits signal X1. At the same time, the destination perform cooperative jamming. Reference [29] considers the node transmits jamming signal X2 in order to confuse the EURASIP Journal on Wireless Communications and Networking 3

relay node. The signal received by the relay in phase one, Y1, during phase one. Since node 1 and 2 are only transmitting is given by during phase one, Pi and Pi are related as

Y = X + X + Z ,(1) Pi 1 1 2 1 P = i = . (7) i α , 1, 2 where Z1 is a zero mean Gaussian random variable with unit variance. In an effort to reflect on the design of a practical Similarly, we use Pr to denote the average power of the relay system, we assume that the computation of Xi, i = 1, 2 does node during phase two. Since the relay node only transmits not rely on the signals received by node i in the past. during the second phase, Pr is related to Pr as follows: In phase two, shown with dashed lines, the relay trans- X Pr mits signal r , which is computed from the local randomness Pr = . (8) at the relay, the signal transmitted and received by the relay 1 − α in the past. After a number of phases, the destination node (node 2) The signal received by the destination in phase two is decodes a message W from the signals it transmitted during denoted by Y , which is given below: 2 the periods of phase one and the signals it received during W Y2 = Xr + Z2, (2) the periods of phase two. For reliable communication, should equal the message W from the source node with high where Z2 is a zero mean Gaussian random variable with unit probability. Hence we have the following requirement: variance. The channel alternates between these two phases accord- lim Pr W =/ W = 0. (9) n+m →∞ ing to a random or deterministic schedule, which is generated by a global controller independently from the signals The message W must also be kept secret from the associated with the channel model. Hence here the term eavesdropper at the relay node, who can infer the value of “schedule” is simply a finite number of channel uses which W based on the following knowledges available to it. are either marked as phase one or phase two. We use n to denote the number of channel uses marked as phase one, and (1) The local randomness at the relay, denoted by A. m to denote the number of channel uses marked as phase (2) The n signals the relay transmitted during the periods n Y n two. It should be noted that in general the channelusesof of phase one, denoted by 1 . phase one are not consecutive. Neither are the m channel uses (3) The m signals the relay transmitted during the of phase two. We assume the schedule is stable, in the sense m periods of phase two, denoted by Xr . that the following limit exists: n The information on W that the eavesdropper can extract α = lim . (3) from these knowledges should be limited. Hence we have the n+m →∞m + n following secrecy constraint: For a given α,weuse{T(α)} to denote a sequence of 1 schedules with increasing number of channel uses n+m such lim H(W) α n+m →∞n + m that (3) holds. According to this definition, becomes the (10) limit of the time sharing factor of phase one in the schedule 1 m n T α n m →∞ = lim H W | Xr , Y , A . ( )as + . n+m →∞n + m 1 When transmitting signals, the source, the destination, W −{Xm Y n}−A and the relay must satisfy certain power constraints. The Since r , 1 is a Markov chain, we have average power constraints for the source, the jammer and the 1 m n relay can be expressed as follows: lim H W | Xr , Y , A n+m →∞n + m 1 (11) N 1 1 2 = H W | Xm Y n . E X ≤ Pi, i = 1, 2, (4) lim r , 1 N i,k n+m →∞n + m k=1 Therefore, the secrecy constraint can be expressed as N 1 2 1 E Xr k ≤ Pr ,(5)lim H(W) N , n+m →∞n + m k=1 (12) = 1 H W | Xm Y n . where lim r , 1 n+m →∞n + m N = n + m (6) For a given α, and sequences of schedule {T(α)}, the secrecy rate Re is defined as is the total number of channel uses. For the purpose of completeness, we also introduce the 1 Re = lim H(W) (13) notation Pi, i = 1, 2 to denote the average power of node i n+m →∞n + m 4 EURASIP Journal on Wireless Communications and Networking

The channel alternates between n channelusesforphase CJ one and m channel uses for phase two, where n and m are M X2 Y two positive integers. The alternation takes times. Hence X Y1 J 1 Phase 1 n = n M and m = m M.Foragivenα, the sequence of Phase 1 1 R/E 2 schedules is obtained by letting M, n , m →∞and X Y r 2 n Phase 2 lim = α. (16) n,m →∞m + n Figure 2: Two-hop network with an external cooperative jammer, CJ. With this sequence of schedules, we have the following theorem. such that (9)and(12) are fulfilled. When deriving achievable Theorem 1. Thefollowingsecrecyrateisachievableforthe rate, we will focus on a specific sequence of schedules {T(α)}, model in Figure 1: and maximize the secrecy rate over α. When deriving the + upper bound, we will consider all possible sequences of P P 0 ≤ R ≤ max α C 1 − C 1 , {T(α)}. ≤P ≤P /α <α< σ2 P 0 1 1 ,0 1 1+ c (1+ 2) (17) Remark 1. Since the signals transmitted by node 1 and 2 do W → 2 not depend on the signals they received in the past, where σc is the variance of the Gaussian quantization noise Y n → Xm 1 r is a Markov chain. Therefore, determined by: 1 m n H W | Xr Y P n limm →∞ , 1 1 +1 + n + m αC = (1 − α)C(Pr ), (18) (14) σ2 c = 1 H W | Y n . n limm →∞ 1 + n + m where P2 is defined in (7), Pr is defined in (8). Hence, the following secrecy constraint can be used instead: Proof. The proof is given in the appendix. 1 lim H(W) n+m →∞n + m Remark 4. It can be seen from (17) that, for any fixed (15) α time sharing factor the relay should always transmit at 1 n = lim H W | Y . maximum power Pr . However, the optimal transmission n+m →∞n + m 1 power of the source may be less than P1. This can be seen Remark 2. We observe that in the system model shown in as follows: For a given jamming power P2, the achievable P Figure 1, the destination, as the sender of the jamming signal rate is not a monotonically increasing function of 1. This is P → P →∞R → during the periods of phase one, has perfect knowledge because, if 1 0or 1 , e 0, indicating that even of this signal. This can be viewed as a special case of the if the source power budget is ∞, the optimal transmission P∗ P∗ model shown in Figure 2, where the destination only has powerisactuallyfinite.Letthisvaluebe 1 . 1 may or a noisy copy of the jamming signal YJ = X2 + ZJ . If the may not fall into the interval [0, P1],whichistherangeof jamming signal is corrupted by a noise sequence ZJ that is power consumption allowed for phase one. If it does, then P∗ P independent of the noise sequences at the other receivers, the source should transmit with power 1 rather than 1. then the secrecy capacity of the model in Figure 2 can not If not, then the corresponding optimal value needs to be be larger than the secrecy capacity of the model in Figure 1. determined. This is because giving this noise sequence to the destination as genie information would simply reveal the jamming signal Remark 5. If the power constraint of the relay Pr →∞, then σ2 → α → X2 to it. Therefore, any upper bound we derive for Figure 1 is c 0, 1.Theachievablerateconvergesto also an upper bound for Figure 2. P1 C P1 − C . (19) Remark 3. An apparent vulnerability of the described two 1+P2 phase protocol is that the destination may not be aware that the source has initiated its transmission. In this case, without 4. Upper Bound the protection of the jamming signal from the destination, the message from the source would be revealed to the In this section, we derive an upper bound for the secrecy rate. relay node and hence compromised. To prevent this from We first need to determine the optimal schedule. It turns happening, proper initialization of the protocol is necessary. out that it is easy to find: We simply let the first n channel uses be phase one, and the remaining m channel uses be phase 3. Achievable Rate two. The optimality of this schedule can be proved as follows. Suppose a different schedule is used. Since the signals In this section, we derive the achievable secrecy rate with the received in the past are not used for encoding purposes at following sequence of deterministic periodic schedules. node 1 and 2, we can always move the channel uses of phase EURASIP Journal on Wireless Communications and Networking 5

Zn Zm 1 2

Node 1 Xn 1 Y n Xm 1 r Y m Untrusted relay 2 Node 2 Node 2 Xn 2 Xn 2

Figure 3: Equivalent Channel Model for Deriving the Upper Bound.

n Ze Second eavesdropper Zm 2 n Ye Node 1 Xn 1 n m Y Xr 1 Y m 2 Untrusted relay Zn Node 2 1 Node 2 Xn 2 Xn 2

Figure 4: Two-eavesdropper channel.

ff Zn Zn one to the front without a ecting the signals transmitted Here e is a Gaussian noise with the same distribution as 1 . Zn Zn by these two nodes. On the other hand, we notice that the e can be arbitrarily correlated with 1 . Since relay can only use signals received in the past to compute Y n = Xn Xn Zn. its transmission signals. However, during phase one, the 1 1 + 2 + 1 (21) relay only receives signals. Since moving phase one ahead only means the relay could receive signals sooner, doing we have so will not limit the capability of the relay to calculate its W Y n = W Y n . transmitted signals. Consequently, we observe that no matter Pr , e Pr , 1 (22) what schedule is used to achieve a secrecy rate, we can always modify this schedule such that all channel uses of phase one Therefore, are ahead of those of phase two and still achieve the same H W | Y n = H W | Y n . secrecy rate. Hence in the following we only consider the e 1 (23) optimal schedule. From (15), this means We also observe we can transform the channel into the one shown in Figure 3. The jammer and the receiver are now 1 lim H(W). drawn separately, since the jammer does not use the signal n+m →∞m + n received in the past to compute the jamming signal. Note (24) 1 n that Figure 3 is similar to Figure 12 used in the achievability = lim H W | Ye . proof except that the dimension of the signals is changed n+m →∞m + n from m, n to m, n. Hence the message W is kept secret from the second eaves- We next leverage a technique first used in [11, 22]to dropper. This means, for a given coding scheme that achieves derive the upper bound. Specifically, the upper bound is secrecy rate in Figure 3, the same secrecy rate is achievable obtained via the following transformations. with the introduction of this additional eavesdropper. (1) First, we add a second eavesdropper to the channel, (2) Next, we remove the first eavesdropper at the relay. as shown by Figure 4. Its received signal is denoted by Ye and n Doing so will not decrease secrecy rate either, since we have over n channel uses Ye is given by one less secrecy constraint. From (24), the secrecy rate can be upper bounded via H W | Y n Xm n n n n ( e ). To do that, we provide the signal r to the Y = X X Z . n e 1 + 2 + e (20) X destination by a genie. Similarly, the signal 2 is revealed 6 EURASIP Journal on Wireless Communications and Networking

n Ze Node 2 Xn 2 Y n Second e eavesdropper

Zn 1 Node 1 Xn 1 n Yr Node 2

Figure 5: Channel model after transformation.

n to both the relay and the destination. H(W | Ye ) is then Gaussian sequences [14]. Let the variance of each component n bounded by of Xi be Pi = Pi/α, i = 1, 2. Let ρ be the correlation factor Z Z H W | Y n between 1 and e.Then(37)isequalto e (25) n P P P − P ρ 2 n m m n ( 1 +1)( 1 + 2 +1) 1 + ≤ H W | Ye − H W | Xr Y X + nε log . (38) 2 2 2 2 (P + P +1) 1 − ρ2 1 2 = H W | Y n − H W | XmXn nε e r 2 + (26) It can be verified that, for any fixed ρ,equation(37)isan P P ≤ H W | Y n − H W | Y nXmXn nε increasing function of 1 and 2. Therefore, the upper bound e 1 r 2 + (27) is maximized with maximum average power. Equation (38) = H W | Y n − H W | Y nXn nε can then be tightened by minimizing it over ρ. The optimal ρ e 1 2 + (28) is given below: n n n = H W | Ye − H W | X + Z + nε (29) √ 1 1 P P P P − A 2 1 + 1 2 + 2 ≤ H W | Y n − H W | Y n Xn Zn nε. , (39) e e , 1 + 1 + (30) 2P1 Xm Y m The genie information r causes the signal 2 to be where useless to the relay, as shown by (25)-(26). Equation (28) 2 2 2 2 2 A = 4P2P +4P2P1 + P P +2P P1 + P . (40) is due to the fact that once the signal received by the relay 1 2 1 2 2 Y n Xm 1 is given, the signal transmitted by the relay r ,which As a result, we have the following theorem. Y n is computed from 1 , is independent from the jamming Xn W Theorem 2. The secrecy rate of the channel in Figure 12 is signal 2 and the confidential message . Finally, revealing the genie information Xn to the relay and the destination upper bounded by 2 ⎧ ⎫ essentially removes the influence of the jamming signal from ⎪ α P P P − P ρ 2 ⎪ ⎨ ( 1 +1)( 1 + 2 +1) 1 + ⎬ the relay link, as shown by (28)–(30). These are essentially log2 2 , max min 2 (P1 + P2 +1) 1 − ρ a consequence of the link noises being independent. The 0<α<1 ⎪ ⎪ ⎩ − α C P ⎭ resulting channel is equivalent to the one shown in Figure 5, (1 ) ( r ) and can be viewed as a special case of the channel in [8, 33]. (41) Similar techniques to those in [31, 33]canbeusedhereto where ρ is given by (39). P = P /α, P = P /α,andPr = Yn = Xn Zn 1 1 2 2 bound the secrecy rate. Let r 1 + 1 .Then(30)becomes Pr /(1 − α) are the average power constraints of node 1, 2 and n n n the relay for the time sharing factor α. H W | Ye − H W | Ye Yr (31) Remark 6. If we further fix P , and let Pr , P →∞, then = I W Yn | Y n 2 1 ; r e (32) α → 1. ρ converges to ρ given by n n n 2 ≤ I WX ; Yr | Ye (33) P P 1 ρ = 2 − P 2 . (42) 1+ 2 + n n n 2 4 = I X ; Yr | Ye (34) 1 The difference of the upper bound and the achievable rate = h Yn | Y n − h Zn | Xn Zn converges to r e 1 2 + e (35) 2 P ρ − C 2 + 1 − C P . ≤ h Yn | Y n − h Zn | Xn Zn Xn 2 2 (43) r e 1 2 + e , 2 (36) 1 − ρ n n n n We observe that the difference is only a function of P . = h Yr | Ye − h Z | Ze . (37) 2 1 By comparison, the gap between the achievable rate and Xn W C P C P / P Here (34) follows from the fact that 1 determines .The the trivial upper bound ( 1)is ( 1 (1 + 2)), which is Xn Xn first term in (37) is maximized when 1 and 2 are i.i.d. unbounded. EURASIP Journal on Wireless Communications and Networking 7

9 4.5

8 4 Upper bound without secrecy constraints 7 3.5

6 Upper bound without 3 secrecy constraints 5 2.5 Upper bound with 4 2 Upper bound with secrecy constraints secrecy constraints . Bits per channel use 3 Bits per channel use 1 5 Achievable 2 1 rates

1 0.5 Achievable rate 0 0 −20 0 20 40 −40 0 20 40

P1 (dB) P1 (dB)

Figure 6: Secrecy Rate, Pr →∞, P2 = 0.5 P1,optimalα. Figure 8: Secrecy Rate, Pr = 30 dB, P2 = 0.5 P1, α = 0.5.

4.5 9 4 Upper bound without secrecy constraint 8 Upper bound without secrecy constraint 3.5 7 Upper bound 3 Upper bound with secrecy constraint 6 with secrecy constraint 2.5 5 2 4 . Bits per channel use 1 5 Achievable rate Bits per channel use 3 without power control 1 2 Achievable rate 0.5 1 0 0 02040 02040 P1 (dB) P1 (dB) Figure 9: Secrecy Rate, Pr = 30 dB, P2 = 40 dB, α = 0.5. Figure 7: Secrecy Rate, Pr →∞, P2 = 30 dB, optimal α.

secrecy constraints. To show that, simply let ρ = 0. Equation (41)becomes Remark 7. If we instead fix P2 = βP1, and let Pr →∞, then α → 1.Theachievablerateconvergesto(19). In this case, α P / P P αC P 1+ 1 (( 1 +1)( 2 +1)). if we further let P1 →∞, the upper bound given by (41) ( 1) + log2 (45) 2 1+P1/(P2 +1) converges to The second term in (45)isalwaysnegative. C P − C 1 . 1 β (44) 4.1. Comparison with the Bound Derived with Generalized Entropy Power Inequality. Recently the generalized entropy power inequality [34]wasusedtoderiveacomputableupper Comparing it with (19), we observe the difference of the bound for the Gaussian multiple access channel with secrecy upper bound and the achievable rate converges to 0. Hence, constraints [32]. Here the same technique is applicable and in this case, our upper bound is asymptotically tight. another computable upper bound for the model in Figure 1 can be derived. It is of interest to know which bound is Remark 8. The first term in the bound (41)isstrictlysmaller tighter. Next, we prove that as long as P1 + P2 > 1, this upper than the trivial bound αC(P1) obtained by removing the bound is always looser than the bound given by (38)-(39). 8 EURASIP Journal on Wireless Communications and Networking

4.5 Here step (a) follows from Fano’s inequality. (49)canbe written as: 4 I Xn; Y n | Xn + I Xn; Xn − I Xn; Y n + nε (50) 3.5 Upper bounds without 1 1 2 1 2 1 1 secrecy constraints (b)= I Xn Y n | Xn − I Xn Y n nε 3 1 ; 1 2 1 ; 1 + (51) . = h Xn Zn h Xn Zn 2 5 1 + 1 + 2 + 1 Achievable n n n n (52) 2 Upper bounds with − h Z − h X + X + Z + nε secrecy constraints rate 1 1 2 1 . n n Bits per channel use 1 5 X X Step (b) follows from 1 , 2 being independent. Next, like [32, equation (76)], we invoke the inequality 1 from [34] and obtain

0.5 n n n n (2/n)h(X +Z ) (2/n)h X +Z /n h Xn Xn Zn 2 1 1 +2 ( 2 1 ) 2(2 ) ( 1 + 2 + 1 ) ≥ . (53) 0 2 −40 −20 0 20 40 60

P1 (dB) Hence (52)canbeupperboundedwith P = P = . P h Xn Zn h Xn Zn Figure 10: Secrecy Rate, r 40 dB, 2 0 25 1, optimized over 1 + 1 + 2 + 1 α. n /n h Xn Zn /n h Xn Zn − log 2(2 ) ( 1 + 1 ) +2(2 ) ( 2 + 1 ) 2 2 (54) n 4.5 + log (2). Upper bounds without 2 2 4 secrecy constraints Xn Xn This expression is maximized when 1 , 2 are chosen to be 3.5 i.i.d. Gaussian sequences. Dividing by the total number of channel uses n + m, the ﬁnal expression of the upper bound 3 is given by . α P P 2 5 2( 1 +1)( 2 +1) . log2 (55) 2 P1 + P2 +2 2 Upper bounds with Remark 9. Note that (55) is also tighter than the bound . secrecy constraints Bits per channel use 1 5 αC(P1) when P1 >P2. Hence it is a nontrivial bound when P >P 1 Achievable 1 2. rate 0.5 Remark 10. When Pr →∞, then α → 1, Pi → Pi, i = 1, 2. Comparing (19)with(55), the gap between the achievable 0 rates and the bound given by (55)is −4 −2 0 2 4 6 10 10 10 10 10 P1 (dB) P P 1 1 + 2 . log2 1+ P P (56) Figure 11: Secrecy Rate, Pr = 40 dB, P2 = 30 dB, optimized over α, 2 2+ 1 + 2 power control at the source node enabled. which is smaller than 0.5 bit/channel use.

We next show that for any given α,ifP1 + P2 > 1, (55) is always bigger than the ﬁrst term in (41). We omit the time First, we brieﬂy describe the derivation of the bound sharing factor α in the front since they are present in both based on the approach in [32]: expressions. Then we pick ρ such that P + P +2 1 − ρ2 = 1 2 . (57) H W | Y n P P 1 2( 1 + 2 +1) (46) Note that this is a valid choice for ρ since the right hand side (a)= H W | Y n − H W | Y nXn nε 1 1 2 + is within the interval (0, 1). Then (41), after canceling α in = I W Xn | Y n nε the front, becomes ; 2 1 + (47) (P +1)(P +P +1) ≤ I WXn Xn | Y n nε 1 1 2 1 ; 2 1 + (48) 2 − P ρ 2 1 ( 1+ ) (58) n n n . = I X X | Y nε. log2 1 ; 2 1 + (49) 2 P1 + P2 +2 EURASIP Journal on Wireless Communications and Networking 9

Zn Zm 1 2

Node 1 Xn 1 Y n Xm 1 r Y m Untrusted relay 2 Node 2 Node 2 Xn 2 Xn 2

Figure 12: Equivalent channel model.

Table 1: Scenarios considered in the numerical results. Relay’spower Jammer’spower α Figure 6 ∞ Proportional Optimal Figure 7 ∞ Fixed Optimal Figure 8 Limited Proportional 0.5 Figure 9 Limited Fixed 0.5 Figure 10 Limited Proportional Optimal Figure 11 Limited Fixed Optimal

Henceweonlyneedtoverifythat(55) is greater than (58) still holds, but the gap between the upper bound and when P1 + P2 > 1. This is equivalent to verifying achievable rates would be wider. Figures 6 and 7 demonstrate the asymptotic behavior 2 ∞ (P1 +1)(P2 +1) > (P1 +1)(P1 + P2 +1) − P1 + ρ (59) described in Remark 6 when the power of relay goes to . Note that in this case the optimal time sharing factor α 2 or (2ρ − 1)P1 + ρ > 0. A sufficient condition for this to hold converges to 1. Figures 8 and 9 demonstrate the case where is to require 2ρ − 1 > 0. Substitute (57) into this requirement the power the relay is finite, and the time sharing factor α is we get P1 + P2 > 1. fixed. In all four cases, we observe the upper bound is close to the achievable rate when relay’s power is larger than the Remark 11. Since the gap between the achievable rates and power of the source and the jammer. In this region, typically, the bound given by (55)isboundedby0.5 bit/channel use the achievable rate increases linearly with the source SNR. In when Pr →∞, the gap between the achievable rates and the Figure 6, the gap between the upper bound and achievable . bound given by (41) is also bounded by 0 5 bit/channel use rate goes to zero as P1 →∞.InFigure 7, the upper bound when Pr →∞and P1+P2 > 1. Note that since when Pr →∞ almost coincides with the achievable rate. The gap, given by −4 we have α → 1, the condition P1 + P2 > 1isequivalentto (43), equals 9.98 × 10 bits/channel use. P1 + P2 > 1. Also shown in each figure is the cut-set bound without secrecy constraints. The improvement provided by the new P P < Remark 12. For the case that 1 + 2 1, it is not clear bounds depends on the power budget. In general, the between (55)and(41) which bound is tighter. However, for improvement is small if the power of the jammer is large. these cases, the secrecy capacity is so small that the bounds Note that since we have normalized all channel gains and are of no consequence. included them into the power constraint, the power budget difference can be considered a consequence of the difference 5. Numerical Results in link gains. Figure 9 also illustrates the power control problem Shown in Table 1 are the six cases of interest, corresponding described in Remark 4. Without power control at the source to different power budgets of the relay and the jammer and node, the achievable rate will eventually decrease to zero. whether time sharing factor α is fixed. We included the cases Note that this behavior crystallizes only when the relay’s with fixed time sharing factor because in a real system, for power is limited. simplicity the time sharing factor may not be dynamically Finally, in Figures 10 and 11, we compare the achievable adjusted according to power budgets. The numerical result rates and the upper bound when each are maximized over of each case is shown in the figures listed in the table. We the time sharing factor α. The gap between the upper bound stress that, though not explicitly considered in the numerical and the achievable rate is now wider because the second term results, for the more general case where the cooperative in the upper bound (41) is the same as the upper bound jammer is external, as shown in Figure 2, the upper bound without secrecy constraint. The role played by the second 10 EURASIP Journal on Wireless Communications and Networking term (41) becomes significant when the bound is optimized Theorem 3. Consider a relay network with conditional distri- over the time sharing factor, which as pointed out in [35], bution p(Y, Yr | X, Xr ), with X, Xr being the input from the has a tendency to balance the two terms in the bound (41). source and the relay respectively, and Yr , Y being the signals However, as shown in these figures, compared to the upper received by the relay and the destination, respectively. For the bound without secrecy constraints, the new bound still offers distribution significant improvement. p(X)p(Xr )p(Y, Yr X, Xr )p Yr Yr , Xr ,(A.1)

6. Conclusion the following range of rates R is achievable: + In this paper, we have considered a relay network without 0 ≤ R< I X; YYr | Xr − I(X; Yr | Xr ) (A.2) a direct link, where relaying is essential for the source and the destination to communicate despite the fact that the with relay node is untrusted. Imposing secrecy constraints at the I(Xr Y) >I Yr Yr YXr . relay node, contrary to the previous work, we have shown ; ; (A.3) that a nonzero secrecy rate is indeed achievable. This is Theorem 3 follows from the achievable equivocation accomplished by enlisting the help of the destination (or region given in [11, Theorem 1] by simply considering another dedicated node) who transmits to jam the relay, and rates R that equal the equivocation rate Re. The proof of uses the jamming signal as side information. We have derived Theorem 3 isgivenin[11]. The outline of the achievable an upper bound for the secrecy rate with the assumption that scheme is as follows: The relay does compress-and-forward no feedback is used for encoding at the source or destination. asdescribedin[25]. Therefore, as in [25], Xr is independent The new upper bound is strictly tighter than the upper from X in the input distribution expression (A.1). The bound without secrecy constraints. We have also proved that same decoder in [25] is used at the destination. The same it is tighter than an upper bound derived from generalized codebook as [25] is used at the source node. However, instead entropy power inequality when the maximum sum received of mapping the message to the codeword deterministically SNR at the relay is greater than 0 dB. The gap between the as in [25], a stochastic encoder is used at the source node. bound and the achievable rates converges to 0 when the In this encoder, the codewords are randomly binned into power of the transmitter, the relay and the jammer goes to several bins. The size of each bin is 2NI(X;Yr |Xr ) where N is the ∞ . Numerical results show that our upper bound is in general total number of channel uses. The message W determines close to the achievable rate, and is indistinguishable from it whichbintousebytheencoder.Theactualtransmitted for a fixed time sharing factor with a relay whose power is in codeword is then randomly chosen from the bin according abundance. to a uniform distribution. This randomness serves to confuse In this work, we considered the case where the source the eavesdropper at the relay node at the cost of the rate as or the jammer does not make use of the relay transmission shown by the term −I(X; Yr | Xr )in(A.2). for encoding purposes. An upper bound for the secrecy We next extend this result by considering a relay channel rate when feedback is used is recently found in [36]. A with a jammer defined by gap exists between the upper bound and the achievable rate . in [36], which is bounded by 0 5 bit per channel use but p(Yr, Y | X, X2, Xr), (A.4) does not vanish when the power of the transmitter, the X relay and the jammer goes to infinity. By comparison, the where 2 is the signal transmitted by the jammer and Y Y X X bound presented in this work is asymptotically tighter in this the notation , r , , 2 follows the definition above. case. Then, if the jammer transmits an i.i.d. signal according to p X p X X X = p X p X p X We conclude by reiterating that our findings in this distribution ( 2)and ( , 2, r ) ( ) ( 2) ( r ), the paper presents cooperative jamming as an enabler for induced channel p(Yr , Y | X, Xr )isgivenbelow: secrecy from an internal eavesdropper, and motivates further p Y Y | X X = p X p Y Y | X X X investigation of such cooperation ideas in more general ( r , , r ) ( 2) ( r , , 2, r ) (A.5) X settings including those in larger networks. We also comment 2 whether and when cooperative jamming actually yields the and it is also a memoryless relay channel. Hence, we can use secrecy capacity (region) for various multiuser channels Theorem 3 and obtain the following corollary. remain open problems in information theory. Corollary 1. Thefollowingsecrecyrateisachievable: Appendix 0 ≤ R ≤ max p(X)p(X2)p(Xr )p(Y,Yr |X,X2,Xr )p(Yr |Yr ,Xr ) Proof of Theorem 1 (A.6) + × I X; YYr | Xr − I(X; Yr | Xr ) We first introduce several supporting results used in proving Theorem 1. with In [11, 21], we presented the following achievable secrecy I X Y >I | . rate for a general relay channel. ( r ; ) Yr; Yr YXr (A.7) EURASIP Journal on Wireless Communications and Networking 11

We next reformulate our channel in Figure 1 in a way (A.17) equals: such that Corollary 1 can be applied. This is shown in Figure 12. Here we can draw the jammer and the receiver I Xn Y n Zn | Xm Y m Xn separately, since the jammer does not use the signal received 1 ; 1 + Q r 2 2 (A.18) in the past to compute the jamming signal. The m and n = I Xn Xn Xn Zn Zn are the parameters of the schedule described in Section 3.We 1 ; 1 + 2 + 1 + Q then observe Figure 12 can be viewed as a three node relay (A.19) network with a jammer, deﬁned as follows: | Xm Xm Zm Xn r , r + 2 , 2 p | (Y, Yr X, X2,Xr), (A.8) = I Xn Xn Xn Zn Zn | Xn 1 ; 1 + 2 + 1 + Q 2 (A.20) where = I Xn Xn Zn Zn 1 ; 1 + 1 + Q (A.21) Y = Y m , Xn , 2 2 P 1 = n C , (A.22) = Y n = Xn σ2 Yr 1 ,X1 , (A.9) 1+ c m n = X = X . I(X; Yr | Xr) (A.23) Xr r ,X2 2 = I Xn Y n | Xm The input distributions to this vector input channel are 1 ; 1 r (A.24) chosen as = I Xn Xn Xn Zn | Xm 1 ; 1 + 2 + 1 r (A.25) p Xn Xn Xm = p Xn p Xn p Xm 1 , 2 , r 1 2 r , (A.10) = I Xn Xn Xn Zn 1 ; 1 + 2 + 1 (A.26) n n m where p(X ), p(X )andp(Xr )aregivenbelow. 1 2 P 1 n = n C , (A.27) X ∼ N P n×n P (1) Let 1 (0, 1I ), where 1 is the average 1+P2 power consumption of node 1 during the periods of

Substituting the values of I(X; YYr | Xr), I(X; Yr | Xr), http://allegro.mit.edu/pubs/posted/journal/2007-khisti I(Xr;Y)andI(Yr;Yr | Y, Xr) into Corollary 1, dividing both -wornell-it.pdf. sides by m +n, and taking the limit m +n →∞,weproved [15] F. Oggier and B. Hassibi, “The secrecy capacity of the the theorem. MIMO wiretap channel,” in Proceedings IEEE International Symposium on Information Theory (ISIT ’08), pp. 524–528, Toronto, Canada, July 2008. Acknowledgments [16] S. Shafiee, N. Liu, and S. Ulukus, “Towards the secrecy capacity of the gaussian MIMO wire-tap channel: the 2-2-1 channel,” This work was presented in part at the IEEE Globecom IEEE Transactions on Information Theory,vol.55,no.9,pp. Conference, December 2008. This work is supported in 4033–4039, 2009. part by the National Science Foundation with Grants CCR- [17] E. Tekin and A. Yener, “Achievable rates for the general 0237727, CCF-051483, CNS-0716325, CNS-0721445, and Gaussian multiple access wire-tap channel with collective the DARPA ITMANET Program with Grant W911NF-07-1- secrecy,” in Proceedings of the 44th Annual Allerton Confer- 0028. ence on Communication, Control, and Computing, Urbana- Champaign, Ill, USA, September 2006. [18] Y. Liang, H. V. Poor, and S. Shamai, “Secure communication References over fading channels,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2470–2492, 2008. [1] C. E. Shannon, “Communication theory of secrecy systems,” [19] P. K. Gopala, L. Lai, and H. El Gamal, “On the secrecy capacity Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, 1949. of fading channels,” IEEE Transactions on Information Theory, [2] A. D. Wyner, “The wire-tap channel,” Bell System Technical vol. 54, no. 10, pp. 4687–4698, 2008. Journal, vol. 54, no. 8, pp. 1355–1387, 1975. [20] O. Koyluoglu, H. El-Gamal, L. Lai, and H. V. Poor, “Interfer- [3] I. Csiszar´ and J. Korner,¨ “Broadcast channels with confidential ence alignment for secrecy,” 2008, submitted to IEEE Transac- messages,” IEEE Transactions on Information Theory, vol. 24, tions on Information Theory http://arxiv.org/abs/0810.1187. no. 3, pp. 339–348, 1978. [21] X. He and A. Yener, “On the equivocation region of relay [4] S. K. Leung-Yan-Cheong and M. E. Hellman, “The Gaussian channels with orthogonal components,” in Proceedings of the wire-tap channel,” IEEE Transactions on Information Theory, 41st Asilomar Conference on Signals, Systems and Computers vol. 24, no. 4, pp. 451–456, 1978. (ACSSC ’07), pp. 883–887, Pacific Grove, Calif, USA, Novem- [5] Y. Liang and H. V. Poor, “Multiple-access channels with ber 2007. confidential messages,” IEEE Transactions on Information [22] X. He and A. Yener, “The role of an untrusted relay in Theory, vol. 54, no. 3, pp. 976–1002, 2008. secret communication,” in Proceedings of IEEE International [6] E. Tekin, S. Serbetli, and A. Yener, “On secure signaling for Symposium on Information Theory (ISIT ’08), pp. 2212–2216, the Gaussian multiple access wire-tap channel,” in Proceedings Toronto, Canada, July 2008. of the 39th Asilomar Conference on Signals, Systems and [23] E. Ekrem and S. Ulukus, “Secrecy in cooperative relay broad- Computers (ACSSC ’05), pp. 1747–1751, Pacific Grove, Calif, cast channels,” in Proceedings of IEEE International Symposium USA, October-November 2005. on Information Theory (ISIT ’08), pp. 2217–2221, Toronto, [7] E. Tekin and A. Yener, “The Gaussian multiple access wire-tap Canada, July 2008. channel,” IEEE Transactions on Information Theory, vol. 54, no. [24] E. Ekrem and S. Ulukus, “Secrecy in cooperative relay 12, pp. 5747–5755, 2008. broadcast channels,” 2008, submitted to IEEE Transactions [8] E. Tekin and A. Yener, “The general Gaussian multiple-access on Information Theory http://www.ece.umd.edu/ ulukus/ and two-way wiretap channels: achievable rates and coopera- papers/journal/crbc-secrecy.pdf. tive jamming,” IEEE Transactions on Information Theory, vol. [25] T. M. Cover and A. A. El Gamal, “Capacity theorems for the 54, no. 6, pp. 2735–2751, 2008. relay channel,” IEEE Transactions on Information Theory, vol. [9] Y. Oohama, “Relay channels with confidential messages,” 25, no. 5, pp. 572–584, 1979. submitted to IEEE Transactions on Information Theory [26] S. Goel and R. Negi, “Secret communication in presence http://arxiv.org/abs/cs/0611125. of colluding eavesdroppers,” in Proceedings of IEEE Military [10] L. Lai and H. El Gamal, “The relay-eavesdropper channel: Communications Conference (MILCOM ’05),AtlatnicCity,NJ, cooperation for secrecy,” IEEE Transactions on Information USA, October 2005. Theory, vol. 54, no. 9, pp. 4005–4019, 2008. [27] R. Negi and S. Goel, “Secret communication using artificial [11] X. He and A. Yener, “Cooperation with an untrusted relay: a noise,” in Proceedings of the 62nd IEEE Vehicular Technology secrecy perspective,” 2008, submitted to IEEE Transactions on Conference (VTC ’05), vol. 3, pp. 1906–1910, Stockholm, Information Theory http://arxiv.org/abs/0910.1511. Sweden, September 2005. [12] R. Liu, I. Maric, P. Spasojevic, and R. D. Yates, “Discrete [28] M. L. Jørgensen, B. R. Yanakiev, G. E. Kirkelund, P. Popovski, memoryless interference and broadcast channels with confi- H. Yomo, and T. Larsen, “Shout to secure: physical-layer dential messages: secrecy rate regions,” IEEE Transactions on wireless security with known interference,” in Proceedings of Information Theory, vol. 54, no. 6, pp. 2493–2507, 2008. the 50th Annual IEEE Global Telecommunications Conference [13] R. Liu and H. V. Poor, “Multi-antenna Gaussian broadcast (GLOBECOM ’07), pp. 33–38, Washington, DC, USA, Novem- channels with confidential messages,” in Proceedings of IEEE ber 2007. International Symposium on Information Theory (ISIT ’08),pp. [29] L. Lai, H. El Gamal, and H. V. Poor, “The wiretap channel with 2202–2206, Toronto, Canada, July 2008. feedback: encryption over the channel,” IEEE Transactions on [14] A. Khisti and G. Wornell, “Secure transmission with Information Theory, vol. 54, no. 11, pp. 5059–5067, 2008. multiple antennas: the MISOME wiretap channel,” to [30] X. Tang, R. Liu, P. Spasojevic, and H. V. Poor, “Interference- appear in IEEE Transactions on Information Theory assisted secret communication,” in Proceedings of IEEE EURASIP Journal on Wireless Communications and Networking 13

Information Theory Workshop (ITW ’08), pp. 164–168, Porto, Portugal, May 2008. [31] E. Tekin and A. Yener, “Secrecy sum-rates for the multiple- access wire-tap channel with ergodic block fading,” in Pro- ceedings of the 45th Annual Allerton Conference on Communi- cation, Control, and Computing, Urbana-Champaign, Ill, USA, September 2007. [32] E. Ekrem and S. Ulukus, “On the secrecy of multiple access wiretap channel,” in Proceedings of the 46th Annual Allerton Conference on Communication, Control, and Computing,pp. 1014–1021, Urbana-Champaign, Ill, USA, September 2008. [33] X. Tang, R. Liu, P. Spasojevic, and H. V. Poor, “The Gaussian wiretap channel with a helping interferer,” in Proceedings of IEEE International Symposium on Information Theory (ISIT ’08), pp. 389–393, Toronto, Canada, July 2008. [34] M. Madiman and A. Barron, “Generalized entropy power inequalities and monotonicity properties of information,” IEEE Transactions on Information Theory,vol.53,no.7,pp. 2317–2329, 2007. [35] Y. Liang, V. V. Veeravalli, and H. V. Poor, “Resource allocation for wireless fading relay channels: max-min solution,” IEEE Transactions on Information Theory, vol. 53, no. 10, pp. 3432– 3453, 2007. [36] X. He and A. Yener, “On the role of feedback in two-way secure communication,” in Proceedings of the 42nd Asilomar Conference on Signals, Systems and Computers (ACSSC ’08),pp. 1093–1097, Paciﬁc Grove, Calif, USA, October 2008.