ebook img

Arbitrarily Varying Wiretap Channels with Type Constrained States PDF

0.62 MB·
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Arbitrarily Varying Wiretap Channels with Type Constrained States

1 Arbitrarily Varying Wiretap Channels with Type Constrained States Ziv Goldfeld, Student Member, IEEE, Paul Cuff, Member, IEEE, and Haim H. Permuter, Senior Member, IEEE Abstract—Determiningasingle-lettersecrecy-capacityformula Index Terms—Arbitrarily varying wiretap channel, distri- forthearbitrarilyvaryingwiretapchannel(AVWTC)isanopen bution coupling, information theoretic security, physical layer problemlargelybecauseoftwomainchallenges.Notonlydoesit security, soft-covering lemma. capturethedifficultyof thecompoundwiretapchannel(another 6 open problem), it also requires that secrecy is ensured with 1 I. INTRODUCTION respect to exponentially many possible channel state sequences. 0 Byextendingthestrongsoft-coveringlemma,recentlyderivedby Moderncommunicationsystemsusuallypresentanarchitec- 2 the authors, to the heterogeneous scenario, this work accounts tural separation between error correction and data encryption. t for the exponential number of secrecy constraints while only c Theformeris typicallyrealizedatthe physicallayer bytrans- imposing single-letter constraints on the communication rate. O forming the noisy communication channel into a reliable “bit Throughthisapproachwederiveasingle-lettercharacterization of the correlated-random (CR) assisted semantic-security (SS) pipe”. The data encryption is implemented on top of that by 8 capacity of an AVWTC with a type constraint on the allowed applyingcryptographicprinciples.Thecryptographicapproach 1 state sequences. The allowed state sequences are the ones in a assumes no knowledge on the quality of the eavesdropper’s typical set around a single constraining type. The stringent SS ] channel and relies solely on restricting the computational T requirement is established by showing that the mutual informa- power of the eavesdropper.The looming prospectof quantum tionbetweenthemessage andtheeavesdropper’s observationsis I . negligible even when maximized over all message distributions, computers (QCs) (some companies have recently reported a s c choices of state sequences and realizations of the CR-code. workingprototypeofaQCwithoverthan1000qbits[1]–[5]), [ Both the achievability and the converse proofs of the type however,wouldboostcomputationalabilities, renderingsome constrainedcodingtheoremrelyonstrongerclaimsthanactually critical cryptosystems insecure and weakening others.1 Post- 3 required. The direct part establishes a novel single-letter lower v bound on the CR-assisted SS-capacity of an AVWTC with state QC cryptography offers partial solutions that rely on larger 0 sequences constrained by any convex and closed set of state keys, but even now considerable efforts are made to save 6 probabilitymass functions. This bound achieves the best known this expensive resource. Nonetheless, cryptography remains 6 single-lettersecrecyratesforacorrespondingcompoundwiretap the main practical tool for protecting data, at least for the 3 channelover thesameconstraintset.Incontrasttoothersingle- time being. 0 letter results in the AVWTC literature, this work does not Physical Layer Security, rooted in information-theoretic 1. assume the existence of a best channel to the eavesdropper. principles, is an alternative approachto provablysecure com- 0 Instead,SSfollowsbyleveragingtheheterogeneousversionofthe 6 strong soft-covering lemma and a CR-code reduction argument. munication that dates back to Wyner’s celebrated paper on 1 Optimality is a consequence of a max-inf upper bound on the the wiretap channel (WTC) [9]. Essentially, Wyner’s main : CR-assisted SS-capacity of an AVWTC with state sequences idea was to exploit the noise of the communication channel v constrained to any collection of type-classes. When adjusted to along with proper physical layer coding to guarantee secrecy i theaforementionedcompoundWTC,theupperboundsimplifies X against a computationally-unlimited eavesdropper. Protection to a max-min structure, thus strengthening the previously best r known single-letter upper bound by Liang et al. that has a against such an eavesdropper, however, comes at a price of a min-max form. The proof of the upper bound uses a novel assumingthattheeavesdropper’schannelisperfectlyknownto distributioncouplingargument.Thecapacityformulashowsthat the legitimate parties and stays fixed during the transmission. the legitimate users effectively see an averaged main channel, Manyoftheinformation-theoreticsecrecyresultsthatfollowed while security must be ensured versus an eavesdropper with relied on extending Wyner’s ideas, and therefore, are derived perfect channel state information. An example visualizes our single-letter results, and their relation to the past multi-letter under the same hypothesis. Much of the critique by the cryp- secrecy-capacity characterization of theAVWTC ishighlighted. tographiccommunitytowardsinformation-theoreticsecurityis aimed exactly at that assumption. Practicalsystemssufferfromlimitedchannelstateinforma- Z. Goldfeld and H. H. Permuter were supported in part by the Cyber Security ResearchCenter withintheBen-Gurion University oftheNegev,in tion(CSI)duetoinaccuraciesinthechannel’sestimationpro- partbytheEuropeanResearchCouncilundertheEuropeanUnion’sSeventh cess and imperfect feedback. Furthermore, adversarial eaves- FrameworkProgramme(FP7/2007-2013)/ERCgrantagreementn◦337752and dropperswillrefrainfromprovidingthelegitimatepartieswith inpartbytheIsraelScienceFoundation.P.Cuffwassupportedinpartbythe National Science Foundation under Grant CCF-1350595 and in part by the AirForceOfficeofScientific ResearchunderGrantFA9550-15-1-0180. 1Morespecifically,asymmetricciphersthatrelyonthehardnessofinteger Thispaperwaspresentedinpartatthe2016International Conferenceonthe factorization ordiscrete logarithms canbecompletely brokenusingQCsvia Science ofElectrical Engineers (ICSEE),Eilat,Israel. Shor’salgorithm(oravariantthereof)[6],[7].Symmetricencryption,onthe Z. Goldfeld and H. H. Permuter are with the Department of Electrical other hand, would be weakened by QCattacks but could regain its strength and Computer Engineering, Ben-Gurion University of the Negev, Beer- byincreasingthesizeofthekey[8].ThisessentiallyfollowssinceaQCcan Sheva, Israel ([email protected], [email protected]). Paul Cuff is with the searchthroughaspaceofsize2n intime2n2,sobydoublingthesizeofthe Department of Electrical Engineering, Princeton University, Princeton, NJ keyasymmetric cryptosystem wouldoffer thesameprotection versusaQC 08544USA(e-mail: [email protected]). attack, astheoriginal systemdidversusaclassicattack. 2 any information about their channels to make securing the whose number grows exponentially with the blocklength. To data even harder. Accordingly, limited CSI (especially about get single-letter results, the latter is usually dealt with by the eavesdropper’s channel) must be assumed to successfully assuming the existence of a best channelto the eavesdropper model a practical communication system. The model of an andestablishingsecrecywithrespecttothatchannelonly(see, arbitrarily varying WTC (AVWTC), that is the focus of this e.g., [21], [35]). Yet, the only single-letter secrecy-capacity work, does just that. The AVWTC combines the WTC [9], characterization for an AVWTC that the authors are aware of [10] and the arbitrarily varying channel (AVC) [11]–[15]. It assumes even more [21, Theorem 4]. On top of the existence consistsofacollectionofdiscrete-memorylessWTCsindexed of such a best channel, the derivation of [21, Theorem 4] by elements in a finite state space. The state at each time alsoreliesontheAVWTCbeingstrongly-degradedandhaving instance is chosen in an arbitrary manner and is unknown independent (main channel and eavesdropper channel) states. to the legitimate parties. Being aware of the state space, A relatedsetting for whicha single-letterformulais knownis however, the legitimate users can place the actual channel anAVWTCwheretheCRisusedasasecretkeyandthereisa realizationwithinacertainuncertaintyset,whichmodelstheir sufficientamountthereof[22].Althoughsuchamodelslightly limitedeavesdropper’sCSI.Arelaxedscenariowherethemain deviatesfromtheoperationalmeaningofCR as consideredin channel is fixed in time but the eavesdropper’s channel is this work, formally, it can be viewed as another scenario for varyingandunknownwasstudiedin[16].Theauthorsof[16] whichthe multi-letterformulafrom[25] is single-letterizable. consideredtheMIMOGaussiancaseandprovedtheexistence We consider a general AVWTC with a type constraint of a universal secure coding scheme. on the allowed state sequences, and establish in Theorem 1 Inspired by wiretap channel instances that involve active a single-letter characterization of its CR-assisted semantic- eavesdroppers [17]–[20], the AVWTC was first introduced in security (SS) capacity. Our approach relies neither on the [21]. The author of [21] derived single-letter lower and upper existence of a best channel to the eavesdropper nor on the boundsonthe correlated-random(CR) assisted weak secrecy- benefit of secret CR. Instead, we show that the exponential capacityoftheAVWTC.TherelationbetweentheCR-assisted numberofsecurityrequirementsaresatisfied,evenwhileusing weak secrecy-capacity and the uncorrelated weak secrecy- arandomcodebookconstructionundersingle-letterconstraints capacity was also established in Theorem 5 of that work (see on the communication rate, via a finer analysis that uses also[22]forsimilarresultsforstrongsecrecy).Itturnsoutthat a heterogeneous strong soft-covering lemma, on which we it makes a difference whether CR codes or their uncorrelated expandthe discussion subsequently.A fullcharacterizationof counterparts are used. In particular, the uncorrelated secrecy- both the CR-assisted and the uncorrelated capacities of the capacity may be zero (if the main channel is symmetrizable classic AVC with a pair of linear constraints on the state and [23, Definition 2]), while the CR-assisted secrecy-capacity is inputsequencesis dueto Csisza´r andNarayan[23], [36]. The positive.Thus,viewingCRasanadditionalresourceforcom- extension of this setting to the AVWTC scenario is the focus munication, this resource can make communication possible of [37], where a multi-letter description of the CR-assisted where it is impossible without, as long as the choice of the secrecy-capacity is given. In our case, the type constraint state sequenceis independentoftherealizationoftheCR. On essentially means that the viable state sequences are only the the other hand, CR should not be viewed as a cryptographic onesoftheprescribedtype.However,sinceafixeddistribution keyto beexploitedforsecrecy,andtherefore,itisassumedto (even if rational) is not a valid type for all blocklengths, we be knownto the eavesdropper.A single-letter characterization define achievability by allowing the empirical distribution of of the CR-assisted secrecy-capacity remains an open problem the state sequences to be within a small gap from the type. and only a multi-letter description has been established [24], By doing so, the type constrained AVWTC is well defined [25].Despitethecomputationalinfeasibilityofthatformula,it for all blocklengths. As a consequence, our uncertainty set wasusedin[25]toprovethattheCR-assistedsecrecy-capacity is a typical set around the allowed type, which still contains of the AVWTC is a continuous function of the uncertainty exponentiallymany state sequences. The structure of the CR- set. In contrast, the work of [26] showed that the same in assistedSS-capacityformulasuggeststhatthelegitimateusers not true for uncorrelated secrecy-capacity, by exemplifying a effectively see the averaged channel (i.e., the expectation of discontinuity point. the main channels with respect to the type) while security The challenge presented by the AVWTC is twofold. First, must be ensured versus an eavesdropper with perfect CSI. A it subsumes the difficulty of the compound WTC (where specific instance of a type constrainedAVWTC thatis related the channel’s state is constant in time), for which a single- to binary symmetric - binary erasure (BS-BE) WTC that was lettersecrecy-capacitycharacterizationisalsoanopenproblem studied in [38] is used to visualize the result. [27]–[34]. While a multi-letter description of the compound The results are derived while adopting the prescription of WTC’s secrecy-capacitywas found in [33], it is currentlyun- [39] to replacethecommonlyused strongsecrecymetricwith knownhow to single-letterize this expression.The underlying the stricter SS metric [40], [41]. The authorsof [39] advocate gap is that while reliability must be ensured with respect to SS as the new standard for information-theoretic security, the worst main channel, security is measured under the best because from a cryptographic point of view, strong secrecy eavesdropperchannel;asinglechannelstateunderwhichthese is insufficient to provide security of applications. Its main extremessimultaneouslymaterialize,however,doesnotneces- drawback lies in the assumption that the message is random sarilyexist.TheseconddifficultyconcerningAVWTCsisthat and uniformly distributed, as real-life messages are neither security must be ensured under all possible state sequences, (messages may be files, votes or any type of structured data, 3 often with low entropy). In turn, the uniformly distributed blocklenght.Thelemmaisstillsharpenoughtoimplythatthe message makes the strongsecrecy metric an average quantity, probabilityofarandomcodebookviolatingsecurityisdoubly- that might converge even when many2 of the messages are exponentially small. The obtained single-letter achievability actually not secured. Furthermore, to eliminate the benefit of formula is shown to be recoverable from the multi-letter CR- CR for secrecy purposes, we demand that SS holds for each assisted secrecy-capacity description from [24], [25] when realization of the CR (a similar approach was taken in [24], specialized to the unconstrained states scenario. [25]withrespecttothestrongsecrecymetric).Thisessentially The polynomial size of the reduced CR-code is of conse- means that the transmission is semantically-secureeven if the quence for the uncorrelated scenario as well. Provided that choice of the state sequence depends on the realization of the uncorrelated SS-capacity is strictly positive, the relatively the CR. small CR-code allows to replace the shared randomness be- In Lemma 1 we develop a heterogeneous soft-covering tween the legitimate parties (used for selecting a code from analysistoolthatiskeyinensuringSSundertheexponentially the family) with a local randomness at the transmitter. The many state sequences of the AVWTC. By means of the transmittermayselect thecodeand informthe receiverwhich Chernoff bound, the lemma guarantees a double-exponential code is in use by sending its index as a short prefix. The decayoftheprobabilitythatsoft-coveringfailstooccurunder positivity of the uncorrelated capacity is essential to allow the relative entropy metric. The probability is taken with the reliable transmission of the short prefix with a vanishing respect to a random codebook and the convergence occurs rate. Thus, the missing piece for establishing the uncorrelated as long as the rate of the codebookis greater than the mutual SS-capacity of the type constrained AVWTC is a dichotomy information between the channel’s input and output random result (in the spirit of [12], [15]) based on a condition variables. In turn, this allows us to furnish a single-letter that distinguishes weather its uncorrelated and CR-assisted achievabilityresultwithoutassumingthatabestchanneltothe secrecy-capacities are equal or not. Such results are available eavesdropper exists. Doubly-exponentiallydecaying probabil- forAVWTCswithoutconstraintsonthestatespace[21],[22], ities coming from the Chernoff bound were previously used [35].CRSS-capacitybeingthefocusofthiswork,weposethe in the context of secrecy in, e.g., [22], [24], [25], [33], [35], dichotomyresultandthecorrespondingthresholdpropertyfor [42]. In particular, claims similar to these presented in this theconstrainedstatesscenarioasquestionsforfutureresearch. work (but under the total variation metric) were used in [22], To prove the converse part of the main result, we claim [24],[25]forthesecurityanalysisundertheAVWTCscenario. in Theorem 3 an upper bound on CR-assisted SS-capacity of Similarconcentrationresultsalsopreviouslyappearedinquan- an AVWTC with state sequencesfrom any collection of type- tum information theory sources [43], [44]. Nevertheless, we classes. The upper bound is of a max-inf form, i.e., first an emphasize the significance of the strong soft-coveringlemma infimumoverthe constraintset is taken, and then the result is as a stand-alone claim because of the effectiveness of soft- maximizedovertheinputdistributions.Whenspecializingthe covering in proofs of secrecy, resolvability [45], [46], and result to the aforementioned compound WTC, it produces an channel synthesis [47]. Furthermore, the convergence to 0 of upper bound that improves upon the previously best known the relative entropy implied by Lemma 1 naturally relates to single-letter upper bound for this setting [29, Theorem 2]. the definition of SS that uses mutual information. The latter result has a min-max structure, while our upper To prove our coding theorem for the type constrained bound has a max-min form. This strengthening is due to a AVWTC (i.e., the main result in Theorem 1), we provide derivationthatisuniformoverthe constraintset. Theanalysis both a stronger achievability and a stronger converse than is ispreformedpereachtypeinthesetandshowsthatreliability actually required. The broader achievability claim, found in andSSunderstatesfromevenasingletype-classimplysimilar Theorem 2, is a lower bound on the CR-assisted SS-capacity performance limits as the same channel but where the state ofanAVWTCwithstatesequencesconstrainedbyanyconvex sequence is independently and identically distributed (i.i.d.) and closed set of state PMFs. This bound shows that the best accordingtothetype.Themainchallengeisinupperbounding known achievable single-letter secrecy rates for a similarly the normalized equivocation of the message given an output constrained compound WTC [29], [33] can be achieved also sequence that is generated by the average channel. This step intheAVWTC.3Thelowerboundisderivedbyfirstgenerating reliesontheequivocationbeingcontinuousinthesetofviable a CR-code over a large family of uncorrelated codes, whose state sequences. A novel distribution coupling argument is size grows doubly-exponentially with the blocklength, and used to establish this desired property. establish reliability byargumentssimilar to those usedfor the This paper is organized as follows. Section II provides classic AVC with constrained states [36]. Then, we invoke a definitions and basic properties. In Section III we state and ChernoffboundtoshowthatauniformCR-codeoverafamily prove the heterogeneous strong soft-covering lemma. The that is no more than polynomial in size is sufficient. Having AVWTC with type constrained states is studied in Section this, SS follows via the union bound and the strong soft- IV, where the setup is defined and the CR-assisted SS- coveringlemma,becausethecombinednumberofcodes,state capacity is characterized and proven. Section IV also states sequences and messages grows only exponentially with the thelowerandupperboundsforthemoregeneralsetup,relates the achievability result to past multi-letter descriptions of the CR-assisted secrecy-capacity and provides an example. 2Thenumberofunsecuredmessagesmayevengrowexponentiallywiththe The lower and upper bounds are proven in Sections V and blocklength, whilestillhavingaconverging strongsecrecy metric. 3Thisconnection isexpounded inRemark15. VI, respectively. Finally, Section VII summarizes the main 4 achievements and insights of this work. denote by P ; accordingly, P A)= Q(x), for every Q Q x A ∈ F. For a sequence of random va∈rAiable Xn, if the (cid:0) P II. NOTATIONSAND PRELIMINARIES entries of Xn are drawn in an independent and identically distributed (i.i.d.) manner according to P , then for every We use the following notations. As customary N is the set X x ∈ Xn we have P (x) = n P (x ) and we write of natural numbers (which does not include 0), Q denotes Xn i=1 X i the rational numbers,while R are the reals. We furtherdefine wPXenh(axv)e=PPXn(x)(.yS|xim)i=larly,nif fQPor eve(yry|x(x),,yt)he∈nXwne×wrYitne R = {x ∈ R|x ≥ 0} and R = {x ∈ R|x > 0}. Given YnXn i=1 Y X i i + ++ P (y|x)|= Pn (y|x). We o|ften use Qn or Qn two real numbers a,b, we denote by [a:b] the set of integers wYhenn|Xnreferring to aYn|Xi.i.dQ. sequence of randomX variabYle|Xs. n∈N ⌈a⌉≤n≤⌊b⌋ .Calligraphiclettersdenotesets,e.g., TheconditionalproductPMFPn givena specific sequence X, the complement of X is denoted by Xc, while |X| stands Y X (cid:8) (cid:12) (cid:9) x∈Xn is denoted by Pn . | forits c(cid:12)ardinality.Xn denotesthe n-foldCartesian productof Y X=x The type ν of a sequen|ce x∈Xn is X. An element of Xn is denoted by xn = (x ,x ,...,x ); x 1 2 n whenever the dimension n is clear from the context, vectors ν (x), N(x|x), (2) (orsequences)aredenotedbyboldfaceletters,e.g.,x.Forany x n S ⊆ [1 : n], we use xS = (xi)i to denote the substring of where N(x|x) = n 1 . The subset of P(X) that xn defined by S, with respect ∈toSthe natural ordering of S. contains all possible tiy=p1es{oxfi=sxe}quences x ∈ Xn is denoted For instance, if S =[i:j], where 1≤i<j ≤n, then xS = by P (X). By [48,PLemma II.1], n (x ,x ,...,x ). For S = [i : j] as before we sometimes i i+1 j write xji instead of xS; when i=1, the subscript is omitted. Pn(X) = n+|X|−1 ≤(n+1)|X|. (3) Wealsousexn i insteadx ,whenS =[1:i−1]∪[i+1:n], |X|−1 \ S (cid:18) (cid:19) for 1≤i≤n. ForP ∈P(cid:12)(cid:12) (X), t(cid:12)(cid:12)hetype-class x∈Xn ν =P isdenoted n x Let X,F,P beaprobabilityspace,whereX isthesample by Tn. We use Tn(P) to denote the set of letter-typical space, F is the σ-algebra and P is the probability measure. sequePnces with respǫect to the P(cid:8)MF P ∈(cid:12)(cid:12)P(X) a(cid:9)nd the non- (cid:0) (cid:1) Random variables over X,F,P are denoted by uppercase negative number ǫ defined by letters, e.g., X, with conventions for random vectors similar to those for determinist(cid:0)ic sequen(cid:1)ces. The probability of an Tn(P)= x∈Xn ν (x)−P(x) ≤ ǫ 1 . (4) event A ∈ F is denoted by P(A), while P(A B) denotes ǫ x |X| {P(x)>0} conditional probability of A given B. We use 1 to denote Thisdefinitinonofthe(cid:12)(cid:12)(cid:12)l(cid:12)(cid:12)etter-typicalset(cid:12)(cid:12)resemblesthisfroom[49, the indicator function of A. The set of all prob(cid:12)(cid:12)aAbility mass Chapter2],withtheonlydifferencebeingthenormalizationof functions (PMFs) on a finite set X is denoted by P(X), i.e., ǫ by |X|. Thisgivesrise to an upperboundonthe probability of an i.i.d. sequence being atypical that is uniform in the underlying i.i.d. distribution. Namely, by a simple adaptation P(X)= P :X →[0,1] P(x)=1] . (1) ( (cid:12) ) of [49, Lemma 2.12], if Xn is i.i.d. according to P ∈P(X), (cid:12)(cid:12)xX∈X then PwMithFsaasreubdsecnriopttedthbayt itdheentuipfipeesrctha(cid:12)(cid:12)eserlaentdteorms suvacrhiaabslePanodr Qits, PPn Xn ∈/ Tǫn(P) ≤2|X|e−2n|Xǫ2|2. (5) possible conditioning. For example, for a discrete probability This uniform bo(cid:16)und plays an (cid:17)important role in the proof of space X,F,P and two correlated random variables X and Theorem 3, where an upper bound on the CR-assisted SS- Yrespoevcet(cid:0)rivtehlayt,tshpe(cid:1)acmea,rwgienaulsPeMPFXo,fPXX,,YtheajnodinPtPXM|YFtoofd(Xen,oYte), capacity of the AVWTC is established. and the conditional PMF of X given Y. In particular, PXY Definition 1 (Relative Entropy) Let (X,F) be a measur- represents the stochastic matrix whose elements are give|n able space and let P and Q be two probability measures on by PXY(x|y) = P X = x|Y = y . Expressions such as F, with P ≪Q (i.e., P is absolutely continuouswith respect PPX,(Yx)P|= PX(yP|xY)|X, fo(cid:0)arreallto(xb,ey)u∈ndXer×s(cid:1)toYod. AacscoPrXdi,nYg(lxy,,yw)he=n to Q). The relative entropy between P and Q is thXree ranYd|oXm variables X, Y and Z satisfy PXY,Z = PXY, D(P||Q)= dP log dP , (6) they form a Markov chain, which we denote by|X −Y −|Z. ZX (cid:18)dQ(cid:19) We omit subscripts if the arguments of a PMF are lowercase where dP denotes the Radon-Nikodym derivative between P dQ versionsoftherandomvariables.ThesupportofaPMFP and and Q. If the sample space X is countable, (6) reduces to theexpectationofareal-valuedrandomvariableX aredenoted P(x) bysupp(P)andE X ,respectively.IfX ∼P,weemphasize D(P||Q)= P(x)log . (7) Q(x) tXhatbaynwerxiptiencgtaEtion(cid:2)oisr(cid:3)tEaken(cwhoitohsrinesgpethcettsoimthpeledrisotrfibthuetiotnwoo)n. x∈sXupp(P) (cid:18) (cid:19) X P Similarly, we use H and I to indicate that an entropy or Definition 2 (Total Variation) Let (X,F) be a measurable P P a mutual information term are calculated with respect to a and P and Q be two probability measures on F. The total PMF P. variation between P and Q is For a discrete measurablespace (X,F), a PMF Q∈P(X) ||P −Q|| = sup P(A)−Q(A) . (8) gives rise to a probability measure on (X,F), which we TV A∈F(cid:12) (cid:12) (cid:12) (cid:12) 5 W ∼Unif(W ) A. Soft-Covering Setup and Result n Let S be a finite set and let s∈Sn be a sequence with an empirical PMF ν . Let B = U(w) , where4 W = U(W) V∼P(s) [1 : 2nR] with Rs ∈ R n, be a set ofw∈raWndnom vectorsnthat Bn= U(w) QnV U,S=s V|Bn=Bn are i.i.d. according to Q+n (cid:8), wher(cid:9)e Q : S → P(U). | U S=s U S We refer to B as the rand|om codebook, d|enote by B the (cid:8) (cid:9) n n Fig. 1: Coding problem with the goal of making P(s) set of all its possible realizations, while a specific realization resemble QnV|S=s. V|Bn=Bn isseqdueennocteedu(bwy)Bisnra=ndomu(lwy)anwd∈uWninfo.rFmolryesveleercyteBdnan∈dpBasns,eda (cid:8) (cid:9) through a memoryless non-stationary channel Qn . For V U,S=s each s ∈ Sn, the induced joint distribution of B ,|W and V n If the sample space X is countable, (8) reduces to is ||P −Q||TV = 12 P(x)−Q(x) . (9) PB(sn),W,V(Bn,w,v) x X∈X(cid:12)(cid:12) (cid:12)(cid:12) = QnU S u(w′) s 2−nR·QnV U,S v u(w),s , " | # | III. HETEROGENEOUSSTRONG SOFT-COVERING LEMMA w′Y∈Wn (cid:0) (cid:12)(cid:12) (cid:1) (cid:0) (cid:12)(cid:12) (cid:1)(10) which gives rise to a probability measure denoted by P.5 We presenthereageneralizationofthe originalstrong soft- When switching to other probability measures, we do so in coveringlemmafirstestablishedbytheauthorsin[50,Lemma accordance to the notations defined in Section II. On account 1]. The lemma in this work is a heterogeneousversion on the of (10), the induced output distribution conditioned on a original homogeneous claim. Lemma 1 from [50] considers codebook B ∈B for each state sequence s∈Sn is: a discrete-memoryless channel (DMC) that does not change n n throughouttheblocktransmission,whileherethememoryless P(s) (v|B )=2 nR Qn v u(w),s . (11) channel may vary from symbol to symbol. This variation is V|Bn n − V|U,S modeled as an n-fold state-dependent channel Qn over wX∈Wn (cid:0) (cid:12) (cid:1) V U,S Thefollowinglemmastatesthataslongas(cid:12)thecodebookisof which a codeword u ∈ Un is transmitted unde|r a state size 2nR, with6 R > I (U;V|S), the induced output PMF sequence s∈Sn. Thus, in each time instance i∈[1:n], the νsQ constitutes a good approximation of Qn in the limit of i-th symbol of u is transmitted over the channel Q . V S=s V|U,S=si large n, with high probability. Namely,|the probability that Let B be a randomly generated codebook of u-sequence, n the relative entropy between the induced PMF and product one of which is selected uniformly at random and passed PMF vanishes exponentially quickly with the blocklength n, through the channel Qn . Lemma 1 gives a sufficient V U,S=s is double exponentially close to 1. conditionforthe induced|conditionaldistributionof the chan- neloutputgiventhe state toresultina goodapproximationof Lemma 1 (Heterogeneous Strong Soft-Covering Lemma) pQrnVox|Sim=sityinbtehtweeliemnitthoefinladrugceedn,anfodrtahneydess∈ireSdndi(sFtriigb.u1ti)o.nTshies For s ∈ Sn with empirical PMF νs, and any ζ > 0, Q :S →P(U ×V), and R>I (U;V|S)+ζ, where measured in terms of relative entropy. Specifically, we show |SU|,,V|V|S| < ∞, there exist γ ,γ > 0ν,sQsuch that for n large 1 2 that as long as the codebook is of size |B | = 2nR with n enough R > I(U;V|S), where the mutual information is calculated rweiltahtivreespenectrtotpoythveaneimshpeisriecxaploPnMenFtiνaslloyfqtuhieckstlaytewsitehqutheencbelo,cthke- P(cid:18)D(cid:16)PV(s|)Bn(cid:12)(cid:12)QnV|S=s(cid:17)>e−nγ1(cid:19)≤e−enγ2. (12) lceondgetbhoonk,.wViitahthhieghChpernoobfafbibloituynwd,itthherensepgelcigtitbolethperorbaanbdiloimty Moreprecisely,for(cid:12)(cid:12)a(cid:12)(cid:12)nyn∈Nandδ ∈ 0,R−IνsQ(U;V|S) eoxfpTthoheneernahtneiadtelolrymogsesmentaelonl.uost psrtorodnugcinsgoftth-cisovdeersiinrgedleremsumltaisisdosuubbslye-- P(cid:18)D(cid:16)PV(s|)Bn(cid:12)(cid:12)(cid:12)(cid:12)QnV|S=s(cid:17)>cδn2−nγδ(cid:19)(cid:0)≤(cid:0)1+|V|n(cid:1)e−132(1nδ3(cid:1),) where (cid:12)(cid:12) quentlyinvokedfortheSSanalysisoftheAVWTC,wherethe double-exponentialdecayit providesplaysa keyrole. Similar η−1 γ =sup R−δ−maxd (Q ,Q Q ) claims that use total variation were previously made in the δ η>1 2η−1(cid:18) s∈S η U,V|S=s U|S=s V|S=s(cid:19) contextof AVWTCs in [22], [24], [25] (in particular,see [22, (14a) Lemma1]),thoughthecodebookdesignwasslightlydifferent in those works. The stronger notion of soft-coveringwas also 4To simplify notation, we assume that 2nR is an integer, for all n ∈ N. previously observed in works on quantum information theory Otherwise,simplemodificationsofsomeofthesubsequentexpressionsusing [43], [44]. We emphasize Lemma 1 as a stand-alone tool due flooroperations areneeded. to its simplicity, and consequently, the prospect of it coming 5Sinces∈Snstaysfixedthroughoutthissection,thenotationPomitsthe dependence ofthestatesequence. in handy for other proofs of secrecy, channel resolvability, 6ThesubscriptνsQindicatesthatthemutualinformationiscalculatedwith channel synthesis, etc. respecttoνsQU|SQV|U,S 6 In (16), the argumentof the logarithm is the Radon-Nikodym 1 c =3loge+γ 2log2+2log max , derivative between Q and Q . Let ǫ ≥ 0 be δ δ Q(sV,v|S)∈(vS|s×)>V:0QV|S(v|s)(14b) aarnbditvra-rsye,quanendcedsefigniveentVh|esUa=csoun,Sd=itsional joiVnt|lSy=tsypical set of u- and dη(µ,ν) = η11log2 dµ ddµν 1−η is the Re´nyi diver- Aǫ(s), (u,v)∈Un×Vn n1iQnU,V|S=s(u,v)<I(U;V|S)+ǫ gence of order η. − R (cid:16) (cid:17) (cid:26) (cid:12)(cid:12)(cid:12) (17(cid:27)) and note that (cid:12) TheproofofLemma1bearscloseresemblancetotheproof n ofthehomogeneousversionofthestrongsoft-coveringlemma from [50, Lemma 1]. The main difference,is in the boundon iQnU,V|S=s(u,v)= iQU,V|S=st(ut,vt). (18) t=1 the expected value of the probability of atypical sequences. X For brevity,in (17) andhenceforth,we use I(U;V|S) instead To avoid verbatim repetition of the arguments from [50], we of I (U;V|S). summarize (most of) the technicalparts from the proof of the νsQ hLoemmomgaen1e.ouscase in our Lemma 2 and invoke it to establish maNkeinxgt,ufsoereovfetrhyeBinndi∈caBtonr,fuwnecstipolnit.PFVo(sr|)Benv=erBynvin∈toVtwn,odpeafirntse, The important quantity in the lemma above is γ , which is δ P(1) (v),2 nR Qn v u(w),s 1 tthheedeoxupbolnee-netxpthoantensotifatl-ccoovnevreinrggenaccheioefvepsr.oWbaebislieteyioncc(u1r3s)wthitaht Bn,s − wX∈Wn V|U,S(cid:0) (cid:12)(cid:12) (cid:1) (cid:8)(cid:0)u(w),v(cid:1)∈A(ǫ1(s9)(cid:9)a) exponentδ >0.Thus,thebestsoft-coveringexponentthatthe lγem∗ m=asuacphγieδves with confidence, over all δ >0, is PB(2n),s(v),2−nRwX∈WnQnV|U,S(cid:0)v(cid:12)(cid:12)u(w),s(cid:1)1(cid:8)(cid:0)u(w),v(cid:1)∈/A(ǫ1(s9)b(cid:9)). δ>0 =γ The measures P(1) and P(2) on the space Vn are not 0 η−1 probabilitymeasuBrens,s,butP(1B)n+,sP(2) =P(s) foreach =sηu>p1 2η−1(cid:18)R−ms∈aSxdη(QU,V|S=s,QU|S=sQV|S=s)(cid:19). codebook Bn ∈Bn. For evBenry,sv∈BVn,ns, weVde|Bfinn=eBn (15) dP(s) Thedouble-exponentialconfidencerateδactsasareductionin ∆Bn,s(v)= dQVn|Bn=Bn(v), (20) codebookrateR inthedefinitionofγ . Consequently,γ =0 V S=s δ δ | for δ ≥R−I (U;V|S). where the right-hand side (RHS) is the Radon-Nikodym νsQ derivative between P(s) and Qn , and also split it Remark 1 Theroleofζ inthestatementofLemma1ismerely into ∆ (v)=∆(1)V|(Bvn)=+Bn∆(2) (vV)|,Sw=hsere to ensure that a fixed δ ∈ 0,R − IνsQ(U;V|S) can be Bn,s Bn,s Bn,s found for all n. Since the mutual information is calculated dP(1) Iwith(rUes;pVe|cSt)t+oζνsim, pitlsievsatlhuaet(cid:0)(m0a,yζ)v⊆ary0w,Rith−nI. Ta(kU(cid:1)in;gV|RS)>, ∆(B1n),s(v), dQnVBnS,=ss(v) (21a) νsQ νsQ | and therefore, a fixed value of δ as needed exists. dP(2) (cid:0) (cid:1) ∆(2) (v), Bn,s (v). (21b) Remark 2 (Total Variation Exponent of Decay) The Bn,s dQnV S=s | strong soft-covering lemma can be reproduced while To see that the RHS of (20) indeed exists, on could easily replacing the relative entropy with total variation. Although, verify that P(s) is absolutely continuous with respect relative entropy can be used to bound total variation via to Qn . TVh|iBsn=esBsnentially follows since if Qn (A) = Pinsker’s inequality, this approach causes a loss of a factor V S=s V S=s 0, for |some A ⊆ Vn, then Qn (A) = 0|, for every of 2 in the exponent of decay. Alternatively, the proof of V U=u,S=s | Lemma 1 can be modified to produce the bound on the total u ∈ supp Qn . The structure of P(s) given in variation instead of the relative entropy. This direct method U|S=s V|Bn=Bn (11) then im(cid:16)plies tha(cid:17)t P(s) (A)=0. keeps the error exponents the same for the total variation V|Bn=Bn case as it is for relative entropy. Notethat dP(2) isanaverageofexponentiallymanyi.i.d. Bn,s random variables bounded between 0 and 1, given by Proof of Lemma 1: We state the proof in terms of arbi- R trarydistributionsQ andQ (notnecessarilydiscrete). (2) We assume |S| < ∞U|,Sand wiVll|Us,pSecialize to a finite output dPBn,s Z alphabet V only when needed. = 2−nR·PQn U(w),V ∈/ Aǫ(s) U(w) . First, define conditional information density i , V|U,S=s which is a function on the space U ×V specified byQU,V|S=s wX∈Wn (cid:16)(cid:0) (cid:1) (cid:12)(cid:12) (2(cid:17)2) (cid:12) iQU,V|S=s(u,v),log dQdVQ|U=u,S=s(v) . (16) Wgeintehouresspsetrcotntgo s(o2f2t)-caonvderitnhge laebmovmeadiesfineisttiaobnlsi,shtehde hbeytetrhoe- (cid:18) V|S=s (cid:19) 7 n following technical lemma. (a) 2λms∈aSxλ1log2(cid:18)EQU,V|S=s2λiQU,V|S=s(Us,Vs)(cid:19) =  2λ(I(U;V S)+ǫ)  |   sLuecmhmthaat2 Let|S|,|V|<∞andǫ≥0.Ifthereexistα,βǫ >0 =2nλ(cid:18)ms∈aSxλ1log2EQU,V|S=s 2λiQU,V|S=s(Us,Vs) −I(U;V|S)−ǫ(cid:19) (cid:2) (cid:3) EBnPQnV|U,S=s U(w),V ∈/ Aǫ(s) U(w) ≤2−nβǫ (23a) (=b)2nλ ms∈aSxdλ+1(QU,V|S=s,QU|S=sQV|S=s)−I(U;V|S)−ǫ , (27) (cid:0) (cid:1) P ∆(B2n),s(v)≤(cid:16)(cid:0)αn =1,(cid:1) ∀v∈V(cid:12)(cid:12)(cid:12)n, (cid:17) (23b) wrehsterriecti(nag) iλs bteocabuesesttrhiectllyogaproisthitmivei,s wnohnil-ede(cbr)eaissinfgroamndtbhye (cid:16) (cid:17) then definitionof the Re´nyidivergenceoforderλ+1.Substituting η =λ+1 into (27) yields P(cid:18)D(cid:16)P≤V(s|e)B−n13(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)2Qn(nVR−|Sβ=ǫ)s(cid:17)+≥|Vc|nβe,ǫ−,α13n22n−(Rn−βIǫ(U(cid:19);V|S)−ǫ−2βǫ), (24) EBnPQnV|U,S=s(cid:16)(cid:0)U(w),V(cid:1)∈/ Aǫ(s)(cid:12)(cid:12)U(w)(cid:17) ≤2−nβη,ǫ(,28) where c =3loge+2β log2+2logα. where (cid:12) β,ǫ,α ǫ β =(η−1) I(U;V|S)+ǫ η,ǫ Lemma 2 essentially follows from the proof of Lemma 1 (cid:18) from [50]. More specifically, the derivation repeats the steps −maxd (Q ,Q Q ) , η U,V S=s U S=s V S=s s | | | between Equations (18) and (40) in the proof of [50, Lemma ∈S (cid:19) (29) 1] and is, therefore, omitted. Having this, it remains to be shownthat(23)holdsforcertainpositiveβǫ andα. For(23a), for every η >1 and ǫ≥0. Thus (23a) holds with βη,ǫ in the observe that role of βǫ. EBnPQnV|U,S=s U(w),V ∈/ Aǫ(s) U(w) The relation in (23b) follows by noting that |S|,|V| < ∞ =PQnU,V|S=s (cid:16)(cid:0)U,V ∈/ A(cid:1)ǫ(s) (cid:12)(cid:12)(cid:12) (cid:17) implies that for any v∈Vn and Bn ∈Bn, we have n (cid:16)(cid:0) n (cid:1) (cid:17) =PQnU,V|S=s t=1iQU,V|S=st(Ut,Vt)≥n I(U;V|S)+ǫ ! ∆(B2n),s(v)≤(s,vm) ax : QV S1(v|s) . (30) (=a)PQnU,V|S=s X2λPnt=1iQU,V|S=st(Ut,Vt) ≥(cid:0)2nλ(I(U;V|S)+ǫ(cid:1)) Notice that the maximuQmV|Sis∈(vS|os×n)>Vly0 ove|r the pair (s,v) for (≤b) EQnU,V|S=s2(cid:16)λPnt=1iQU,V|S=st(Ut,Vt), (2(cid:17)5) wunhdicehrlyQinVg|Sre(avs|so)n >for0t,hiwshriecshtrimctaioknesisthtihsabtowuinthd pfirnoibtea.biTlihtye 2nλ(I(U;V S)+ǫ) | one a conditional distribution is absolutely continuous with where(a)istrueforanyλ≥0and(b)isMarkov’sinequality. respect to its associated marginal distribution. By (30), we For the numerator on the RHS of (25), we have obtain EQnU,V|S=s2λPnt=1iQU,V|S=st(Ut,Vt) P ∆(B2n),s(v)≤αn =1, ∀v∈Vn, (31) n (cid:16) (cid:17) (=a) EQU,V|S=st2λiQU,V|S=st(Ut,Vt) with α= max 1 . (32) tY=1 (s,v) : QV S(v|s) ≤ tm[1a:xn]EQU,V|S=st2λiQU,V|S=st(Ut,Vt) n QV|S∈(vS|s×)>V0 | (cid:18) ∈ (cid:19) (≤b) msaxEQU,V|S=s2λiQU,V|S=s(Us,Vs) n, (26) andTh(u3s2,),byreLspeemcmtivae2ly.wReehcaavllein(g24t)hwatitwheβηm,ǫaaynodpαtimfriozme o(2v9e)r (cid:18) ∈S (cid:19) η >1 and ǫ≥0, we fix δ ∈ 0,R−I(U;V|S) and set where(a)usestheindependenceacrosstime,while(b)follows Pbelucgaguisneg|S(2|6)<ba∞ck ianntod(b2y5),degfiivneisng (Us,Vs) ∼ QU,V|S=s. ǫη,δ= 21(R−δ)+(η−1)ms∈aS1x(cid:0)+dη((ηQ−U,V1|)S=s,QU(cid:1)|S=sQV|S=s) 2 EBnPQnV|U,S=s U(w),V ∈/ Aǫ(s) U(w) −I(U;V|S). (33) ≤ maxs∈S(cid:16)E(cid:0)QU,V|S=s2λ(cid:1)iQU,V|S=s((cid:12)(cid:12)(cid:12)Us,Vs)(cid:17)n Substituting into βη,ǫ gives 2λ(I(U;V|S)+ǫ) ! β ,β n η,δ η,ǫη,δ =2log2(cid:18)ms∈aSxEQ2Uλ,V(I|(SU=;sV2λSiQ)+Uǫ,V)|S=s(Us,Vs)(cid:19) =2ηη−−11(cid:18)R−δ−ms∈aSxdη(QU,V|S=s,QU|S=sQV|S=s)(cid:19). | (34)     8 Plugging α and β into c , which we relabel as c , we s∈Sn η,δ β,ǫ,α η,δ have Q Yn mˆ 1 AVWTC s Dec φ c =3loge+2β log2+2log max . n η,δ η,δ (s,v) : QV S(v|s) QV|S∈(vS|s×)>V0 | (35) m Enc fn Xn (W,V) Observethatǫ in(33)isnon-negativeundertheassumption η,δ Zn that R−δ >I(U;V|S), because η >1 and s Eavesdropper m maxd (Q ,Q Q ) η U,V S=s U S=s V S=s s | | | Fig. 2: The AVWTC with Q-constrainedstates, i.e., when the ∈S ≥maxd1(QU,V S=s,QU S=sQV S=s) allowedstatesequenceshaveempiricalPMFsthatbelongtoQ. s | | | ∈S ≥I(U;V|S). (36) Reevaluating (24) based on (33)-(35) gives V = V : X → P(Z) s ∈ S , from X to Y and Z, s P(cid:18)D(cid:16)P≤V(s|e)B−n13(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)2Qn(nVR−|Sβ=η,sǫ(cid:17)) +≥|cVη|,nδne−2−132nnβ(ηR,δ−(cid:19)I(U;V|S)−ǫη,δ−2βη,δ) aprenasdiTprhe(cecWat(cid:8)ninv,-eVbtlhye).e∈iTxnthtWeeunrsps×,rioesVtne∈d.ofaStsh(cid:12)(cid:12)edaencnhoiantnedsne(cid:9)extlhieldawesntsatitffeoyrionfigntphauetpcxahrat∈incnuXelalnsr =e−312n(R−βη,δ) +|V|n·e−132nδ asn∈dSonutpaurets y ∈ Yn and z ∈ Zn, under the state sequence (a) ≤ (1+|V|n)e−312nδ, (37) Wn(y|x), n W (y |x ) (40a) where (a) is because βη,δ ≤ 12(R − δ). Denoting cδ , s iY=1 si i i sup c , (37) further gives n η>1 η,δ Vn(z|x), V (z |x ). (40b) s si i i P(cid:18)D(cid:16)PV(s|)Bn(cid:12)(cid:12)QnV|S=s(cid:17)≥cδn2−nβη,δ(cid:17)≤(1+|V|n)e−13(23n8δ.) The families of channels WsniY=1: Xn → P(Yn) and Vsn : (cid:12)(cid:12) Xn → P(Zn), for s ∈ Sn, are denoted by Wn and Vn, Since(38)ist(cid:12)r(cid:12)ueforallη >1,itmustalsobetrue,withstrict respectively, and (Wn,Vn) is referred to as the (n-fold) inequality in the LHS, when replacing β with η,δ AVWTC.Therandomvariablesrepresentingtheoutputsofthe γ ,supβ AVWTC(Wn,Vn)observedbythelegitimateuserandbythe δ η,δ η>1 eavesdropperunder the state sequence s∈Sn are denoted by η−1 Yn and Zn, respectively. =sup R−δ−maxd (Q ,Q Q ) s s η>1 2η−1(cid:18) s∈S η U,V|S=s U|S=s V|S=s(cid:19) For any Q⊆P(S) define which is the exponential rate of convergence stated in (14a) Sn , s∈Sn ν ∈Q . (41) s that we derive for the heterogeneous strong soft-covering Q n (cid:12) o lemma. This establishes the statement from (13) and proves WeimposeaconstraintQonthea(cid:12)llowedstatesequences,i.e., Lemma 1. onlys∈Sn arepermitted.Thetri(cid:12)ple(Wn,Vn,Q)isreferred Concluding,ifR>I(U;V|S)+ζ,foranyζ >0arbitrarily to as the (Qn-fold) Q-constrained AVWTC. We subsequently small,thenforanyδ ∈ 0,R−I(U;V|S) ,wegetexponential focus on the type constrained AVWTC formally defined in convergence of the relative entropy at rate O(2−nγδ) with Definitions 9 and 10. Intuitively, one may think of the type (cid:0) (cid:1) double-exponentialcertainty.Discardingthepreciseexponents constrainedscenario as correspondingto Q being a singleton, of convergence and coefficients, we state that there exist i.e., Q = Q , for some Q ∈ P(S). However, such a S S γ1,γ2 >0, such that for n large enough setting would not be well-defined if QS is not a rational (cid:8) (cid:9) distribution. Even if Q is rational, it is not a valid type for S P(cid:18)D(cid:16)PV(s|)Bn(cid:12)(cid:12)QnV|S=s(cid:17)>e−nγ1(cid:19)≤e−enγ2. (39) AalVl WnT∈C.NT,othcuisrcruemstvriecntitngthethsee pfeaathsioblloegibelso,ciknlenDgetfihnsitfioornsth9e (cid:12)(cid:12) (cid:12)(cid:12) and 10 we restrict the state sequences to have types that are close to Q , but not necessarily Q itself. S S IV. ARBITRARILY VARYING WIRETAP CHANNELS WITH TYPECONSTRAINED STATES Remark 3 One easily verifies that defining an AVWTC in A. Problem Setup and Definitions terms of the pair (Wn,Vn) is without loss of generality. In Let X, Y, Z and S be finite sets. A discrete-memoryless general, any state-input pair (s,x) ∈ S ×X induces a joint (DM) arbitrarily varying wiretap channel (AVWTC), as il- conditionaloutputPMF U (·,·|x)∈P(Y×Z). However, the s lustrated in Fig. 2, is defined by a pair (W,V) of families performance of any of the codes defined below is measured of channels W = W : X → P(Y) s ∈ S and with respect to the marginal output PMFs W (·|x) ∈ P(Y) s s (cid:8) (cid:12) (cid:9) (cid:12) 9 and V (·|x) ∈ P(Z). Thus, under the framework presented information term in (45) is maximized over P when c s M n here, all AVWTCs with the same marginals W and V are is known. In other words, although not stated explicitly, the equivalent. optimal P is a function of c . M n We proceed with defining correlated random (CR) codes, Definition 3 (Uncorrelated Code) An uncorrelated (n,M )-code c for the AVWTC (Wn,Vn) has a message theirassociatedmaximalerrorprobabilityandSS-metric,CR- n n assisted achievability and CR-assisted secrecy-capacity. set M =[1:M ], a stochasticencoderf :M →P(Xn) n n n n and decoder φ : Yn → Mˆ , where Mˆ , M ∪{e} and n n n n Definition 6 (CR Code, Error Probability and SS Metric) e∈/ M is an error symbol. n A CR (n,M ,K )-code C for the AVWTC (Wn,Vn) n n n For any uncorrelated (n,Mn)-code cn and state sequence is given by a family of uncorrelated (n,Mn)-codes s∈Sn,theinducedjointPMFonMn×Xn×Yn×Zn×Mˆ is Cµn ∈=P(cΓn()γ.)Foγr∈Γann,ywmhe∈reMΓn a=nd[1s ∈: SKnn,],thaenadssaocPiaMteFd PM(c,nX,s,)Ys,Zs,Mˆ(m,x,y,z,mˆ) ernror pr(cid:8)obanbili(cid:9)ty with respect tonCn is ,P (m)f (x|m)Wn(y|x)Vn(z|x)1 , (42) M n s s mˆ=φn(y) Em(Wsn,Cn)= µn(γ)em Wsn,cn(γ) (46) where PM ∈ P(Mn). The performance o(cid:8)f cn on t(cid:9)he type γX∈Γn (cid:0) (cid:1) constrained AVWTC (Wn,Vn,QS) is evaluated in terms of The maximal error probability and SS-metric of Cn for the its rate 1 logM , the maximaldecodingerrorprobabilityand Q-constrained AVWTC (Wn,Vn,Q) are defined as n n the SS-metric. Reliability and security must be ensured with E(Wn,Q,C )= max E (Wn,C ) (47a) respect to every allowed constrained state sequence. n s n, m s n ∈SQ m∈Mn Dcoerfirenliatitoedn(4n(,MMes)s-acgoedeEfrorrorthPerAoVbWabTilCity()WLne,tVcnn)b.eFoarnaunny- LSem(Vn,Q,Cn)=γm∈aΓxnℓSem Vn,Q,cn(γ) n = max (cid:0)ℓ Vn,P ,c(cid:1)(γ) . (47b) imn d∈ecModninagndmsu∈ndSenr,tlheetesmta(teWssneq,cunen)cbeesth,egievrernorbpyrobability sγ∈∈SΓQnn,, (cid:0) s M n (cid:1) PM∈P(Mn) e (Wn,c )= f (x|m) Wn(y|x). (43) m s n n s x n y n: X∈X φn(X∈yY)6=m Remark 6 The choice of encoder-decoder in a CR code is basedonarealizationofarandomexperimentthatisavailable Definition 5 (SS Metric) Letc beanuncorrelated(n,M )- to the transmitted and the legitimate receiver. However, this n n code for the AVWTC (Wn,Vn). The information leakage to CR the legitimate users share should not be viewed as a the eavesdropper under the state sequence s ∈ Sn and the cryptographickeytobeexploitedforsecrecy.Thisisaccounted message PMF P ∈P(M ) is for in (47b) by requiring that every uncorrelated code in M n the family C is semantically-secure. The choice of the state ℓ(Vn,P ,c )=I (M;Z ), (44) n s M n cn s sequence, on the other hand, may depend on the family Cn where the subscript cn denotes that the mutual information and the PMF µn, but not on the realization itself. termiscalculatedwithrespecttotheinducedjointdistribution P(cn,s) from (42). For any Q ⊆ P(S), the SS metric with Definition 7 (CR-Assisted Achievability) A number R ∈ reMsp,Zecsnttoc andtheQ-constrainedAVWTC(Wn,Vn,Q)is7 R+ is called an achievable CR-assisted SS-rate for the Q- n constrained AVWTC (Wn,Vn,Q), if for every ǫ > 0 and ℓSem(Vn,Q,cn)= smanx, ℓ(Vsn,PM,cn). (45) sufficiently large n, there exists a CR (n,Mn,Kn)-code Cn ∈SQ with PM∈P(Mn) 1 logM >R−ǫ (48a) Remark 4 We use the convention that the maximum over n n an empty set is −∞. Accordingly if Q contains no rational E(Wn,Q,C )≤ǫ (48b) n distributions then ℓ (Vn,Q,c ) = −∞, for all n ∈ N. Sem n L (Vn,Q,C )≤ǫ. (48c) Even when there exists Q ∈P (S) such that Q ∈Q, there Sem n S n S are blocklengths n for which ν 6=Q for every s∈Sn, and s S consequently, ℓ (Vn,Q,c ) = −∞ for these values of n Sem n as well. Remark 7 Note that if there are no types in Q then any rate is achievable. Consequently, if Q ⊆ Q ⊆ P(S), then any 1 2 Remark 5 SS requires that the uncorrelated code c works R that is achievable for the Q -constrained AVWTC is also n 2 well for all message PMFs. This means that the mutual achievable for the Q -constrained AVWTC. The achievable 1 rates are therefore an increasing set as the constraint set 7ℓSem(Vn,Q,cn)isactually themutual-information-security (MIS)met- decreases. When specializing to the type constrainedAVWTC, ric,whichisequivalenttoSSby[39].Weusetherepresentationin(45)rather we allow state sequences with types that are δ-close to the thantheformaldefinitionofSS(see,e.g.,[39,Equation(4)])outofanalytical convenience. constrainingdistribution(seeDefinition10).Consequently,the 10 setoffeasiblestatesequencesisneverempty,forlargeenough B. Single-Letter CR-Capacity Results values of n. Nonetheless, the aforementioned monotonicity of Ourmainresultisasingle-lettercharacterizationoftheCR- the type constrained CR-assisted capacity still holds. assisted SS-capacity C (W,V,Q ) of the type constrained R S AVWTC (Wn,Vn,Q ), for any Q ∈ P(S). A multi-letter S S Remark 8 Our achievability proof shows that characterization of the CR-assisted strong secrecy-capacity of L (Vn,Q,C ) vanishes exponentially fast. This is a the AVWTC without constraints on the state sequences was Sem n standard requirement in cryptography, commonly referred to found in [25]. The uncorrelated secrecy-capacity was then as strong-SS (see, e.g., [39, Section 3.2]). derived in [22] by relating it to the CR-assisted secrecy- capacity via the corresponding coding result for the classic AVC[15].Tothebestofourknowledge,theonlysingle-letter Definition 8 (CR-Assisted Capacity) The CR-assisted SS- capacity C (W,V,Q) of the Q-constrained AVWTC is the characterization of a secrecy-capacity of an AVWTC outside R the current work [21, Theorem 4] is under the following supremum of the set of achievable CR-assisted SS-rates. assumptions: (i) security under the weak secrecy metric (as Our main goal is solving the type constrained AVWTC shown in [25, Corollary 1] an upgrade to strong secrecy (Wn,Vn,Q ),forQ ∈P (S).However,sinceafixedratio- under the same conditions (ii)-(iv) is possible); (ii) the state S S n naldistributionQS isnotavalidtypeforallblocklengths,the space decomposes as S = Sy × Sz, where sy ∈ Sy and definitionsofthetypeconstrainedperformancemetricsandits sz ∈Sz arethestatesofthemainAVCandoftheAVCtothe achievability use a relaxation parameter. For any Q ∈P(S) eavesdropper, respectively; (iii) the eavesdroppers output is a S and δ > 0, let Q (Q ) , ν ∈ P (S) s ∈ Tn(Q ) . The degraded version of the output of the main AVC under any δ S s n δ S pair of state, i.e., X −Y −Z forms a Markov chain, for definitions of the error pronbability and th(cid:12)e SS-metric ofor the sy sz type constrainedAVWTC repeatthose fro(cid:12)(cid:12)mDefinition 6 with aelalve(ssdyr,ospzp)e∈r,Si.ey.,×thSeze;x(iisvt)stsh⋆er∈eSexisstuscha tbheasttXch−anZnel−toZthe Qδ(QS) instead of Q. forms a Markov chain, for allzs ∈zS .8 s⋆z sz z z Our single-letter CR-capacity characterization is derived Definition 9 (Type Constrained Error Probability & SS) without assuming any of the above, while upgrading the For any QS ∈ P(S) and δ > 0, the maximal error secrecy metric to SS. Constrained state sequences were con- probability and SS-metric of a CR (n,Mn,Kn)-code Cn for sideredin thecontextofthe classic point-to-point(PTP) AVC the type constrained AVWTC (Wn,Vn,QS) with relaxation andthecorrespondingCR-assistedanduncorrelatedcapacities δ are E Wn,Qδ(QS),Cn and LSem Vn,Qδ(QS),Cn , were derived in [36] and [23], respectively. An AVWTC with respectively (see (47)). linear peak constraints on the input and the state sequences (cid:0) (cid:1) (cid:0) (cid:1) was studied in [37], where a multi-letter description of its Definition 10 (Type Constrained Achievability & Capacity) CR-assisted strong secrecy-capacity was found. A number R ∈ R is called an achievable CR-assisted SS- + rate for the type constrained AVWTC (Wn,Vn,Q ), if there Theorem 1 (AVWTC CR-Assisted SS-Capacity) For any S exists a δ >0 such that for every ǫ>0 and sufficiently large QS ∈ P(S), the CR-assisted SS-capacity of the type n, there exists a CR (n,Mn,Kn)-code Cn with constrained AVWTC (Wn,Vn,QS) is 1 C (W,V,Q )= max I(U;Y)−I(U;Z|S) , (50) logM >R−ǫ (49a) R S n n QU,X h i E Wn,Q (Q ),C ≤ǫ (49b) where the mutual information terms are calculated with δ S n LSem(cid:0)Vn,Qδ(QS),Cn(cid:1)≤ǫ. (49c) Qrespect(yto|x,sa) =joinWt (Py|MxF) anQdUQ,XQSQ(Yz||Xx,,SsQ)Z=|X,VS (zw|xit)h, The CR-assisted SS(cid:0)-capacity CR(W,(cid:1)V,QS) of the type con- forY|aXll,S(s,x,y,z)∈Ss×X ×Y ×ZZ,|Xa,nSd |U|≤|X|. s strained AVWTC (Wn,Vn,Q ) is the supremum of the set of S achievable CR-assisted SS-rates. Theorem 1 is a consequence of two other stronger results that state a lower and upper bound on the CR-assisted SS- capacity of a general Q-constrained AVWTC. These bounds Remark 9 The definition of type constrained achievability match when specialized to the type constrained scenario. The allowstheempiricalPMFsofthestatesequencestobewithin lower and upper bounds are given in Theorem 2 and 3, a δ > 0 gap from Q . By doing so, the type constrained S respectively. Theorem 1 is proven in Section IV-E. AVWTC is well-defined for all sufficiently large blocklengths n∈N, evenwhen Q is notactuallya type but a PMF on S. S Remark 11 (SS-Capacity Interpretation) The character- ization of the CR-assisted SS-capacity C (W,V,Q ) in R S Remark 10 If R is an achievable CR-assisted SS-rate for (50) has the common structure of two subtracted mutual the type constrained AVWTC (Wn,Vn,Q ) and δ > 0 S is its corresponding parameter, then (49b)-(49c) also hold 8An even stronger version ofassumptions (iii) and (iv) was used in [21]. for any δ ∈ (0,δ). This implies that C (W,V,Q ) = Specifically, thedegradedpropertyandtheexistenceofabestchanneltothe ′ R S eavesdropperwereassumedtoholdnotonlyforeverypairoforiginalstates, supCR W,V,Qδ(QS) . but also for any pair of averaged states (defined as convex combinations of δ>0 theoriginal ones). (cid:0) (cid:1)

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.