Table Of Content

Construction of wiretap codes from ordinary channel codes Masahito Hayashi Ryutaroh Matsumoto Graduate School of Information Sciences, Tohoku Univ., Japan Dept. of Communications and Integrated Systems, CQT, National Univ. of Singapore, Singapore Tokyo Institute of Technology, 152-8550 Japan Email: [email protected] Email: [email protected] 0 Abstract—From an arbitrary given channel code over a dis- Moreover, previous constructions for discrete memoryless 1 crete or Gaussian memoryless channel, we construct a wiretap channels do not cover all the discrete memoryless channels 0 code with the strong security. Our construction can achieve the except [18]. It is desirable to have a construction of wiretap 2 wiretap capacity under mild assumptions. The key tool is the codes that can be used for any discrete memoryless channels. new privacy amplification theorem bounding the eavesdropped n information in terms of the Gallager function. In this paper, we show two constructions of wiretap codes a from encoder and decoder in an ordinary channel code. We J 8 I. INTRODUCTION donotmodifythechannelencodernordecoder.We attachthe two-universalhash functionto the encoderand the decoderin ] The information theoretical security [15] recently has at- ordertorealizesecrecyfromEve.We showthatourconstruc- T tracted huge interest. The wiretap channel [7], [21] is one tion can achieve the wiretap capacity in the strong security I of its fundamental problems. On a wiretap channel, signals sense over discrete and Gaussian memorylesschannels, while . s from the legitimate sender, called Alice, is delivered to both some of previous constructions do not have proofs of the c [ legitimate receiver, called Bob, and eavesdropper, called Eve. strong security. The goal of Alice is to deliver messages to Bob with low The key tools for our constructions are the new forms of 1 decoding probability while keeping Eve from knowing much the privacy amplification (PA) theorem [3]. The original PA v 7 about the messages. The capacity of wiretap channels has theorem [3] does not achieve the optimal rate of PA, which 9 been determined for discrete memoryless channels [7], [21] is the conditional Shannon entropy of Alice’s information 1 and for Gaussian channels [14] with a weaker notion of conditionedon Eve’sinformation.Renner [19] improvedit so 1 security. The capacity of the above wiretap channels are also that Renner’s version of the theorem can achieve the optimal . 1 determined with a stronger notion of security [2], [6], [11]. rate. However, it does not enable us to construct the wiretap 0 The exponential decreasing rate of eavesdropped information code using an existing channel code. The reason is that we 0 is also evaluated in [11], [12]. Shannon theoretic study of the cannot numerically compute the necessay rate of hashing for 1 wiretap channels is fairly advanced. a given channelcode in order for Eve’s informationon secret : v On the other hand, there is still room for research in the message to become sufficiently small. So we present two i X actual construction of codes for the wiretap channels, which new forms of the PA theorem. One is already given in [12]. r we call the wiretap codes. Thangaraj et al. [20] proposed However,itrequirestherandomselectionofachennelencoder a an LDPC based construction for specific discrete memory- from the given family of channel codes. We shall provide less channels, and Klinc et al. [13] proposed another LDPC anotherform of the PA theorem in Theorem7, which enables based construction for Gaussian channels. Hamada [10] and us to construct a wiretap code from single channel encoder. Hayashi [12] proposedgenerallinear code based construction Our new PA theorem is a nontrivialadaptationof the channel for additive discrete memoryless channels. Muramatsu and resolvability lemma [11, Lemma 2]. Miyakeproposedaconstructionbasedonthehashingproperty This paper is organized as follows: In Sec. II we fix nota- of LDPC matrices [18], whose decoding requires the high- tions used in this paper. In Secs. III and IV two constructions complexity minimum entropy decoder. of wiretap codes are given. In Sec. V we present a novel In those constructions except [12], error correction and privacy amplification theorem bounding the eavesdropped provision of secrecy are combined in the constructed cod- information in terms of the Gallager function. Section VI ing scheme. This prevents us from using well-studied error- concludes the paper. correcting codes for the error correctionin the wiretap codes, andweneedtoadjustexistingerror-correctingcodesorinvent II. PRELIMINARY anewwiretapcode.Thisinconveniencemaynotbenecessary. In this section we shall fix notations used in this paper and In fact, in the quantum key distribution protocols, the error review necessary prior results. Let X be the finite alphabet correction and the provision of secrecy can be separately of channel inputs, Y the alphabet of channel outputs to studied and developed, see [16] and references therein. the legitimate receiver, called Bob, and Z the alphabet of channeloutputstotheeavesdropper,calledEve.Thelegitimate • We know QX|T achieving the maximum of Eq. (1). sender is called Alice. We fix the conditional probability or Denote by T the alphabet of T. conditional probability density QY|X of the channel to Bob • WearegivenafamilychannelencodersµAlice,n,g indexed and Q of the channel to Eve. We assume channels are byg ∈G mappingamessageinthemessagesetL toa Z|X n n memoryless and further assume that codewordinTnandachanneldecoderµ mapping Bob,n,g • both Y and Z are finite, which means that the channels a receivedsignalin Yn to a message in Ln. The channel are discrete memoryless, encoder µAlice,n,g is a one-to-one map, and Tn is equal • or Y =Z =R and the channels are additive Gaussian. to the disjoint union of µAlice,n,g(Ln) for g ∈Gn. Let M be the set of messages transmitted to Bob secretly • WearegivenafamilyFn oftwo-universalhashfunctions n from L to M , where M is the message set of the from Eve, η a stochastic map from M to Xn of a n n n Alice,n n wiretap code. wiretap encoder, and η a deterministic map from Yn Bob,n to M . We use the natural logarithm instead of log for Remark 4: The assumption on the channel encoders is n 2 convenience. usually met with linear codes. We usually use the codebook Definition 1: A rate R>0 is said to be achievableif there of a linear code whose codewordshave zero syndrome.If we exists a sequence (η , η ) of encoders and decoders allow codebooks to have nonzero syndrome, then the family Alice,n Bob,n such that of codebooks with multiple syndromes constitutes the family of encoders {µ |g ∈G }. Alice,n,g n lim Pr[M 6=η (η (M ))]=0, n Bob,n Alice,n n From these assumptions, we can construct a wiretap en- n→∞ lim I(M ;Z )=0, liminfln|M |≥R, coder, which is an extension of Hayashi’s construction [12]. n n n n→∞ n→∞ Choose a hash function F uniformly randomly from F n n where M is the uniform random variable over M and Z and G ∈ G . For a given message M to the wiretap n n n n n is the random variable for Eve’s channel outputfrom channel encoder of code length n, choose a message L uniformly n input η (M ). The supremum of the achievable rates is randomly from F−1(M ) ⊂ L , and compute the codeword Alice,n n n n n the capacity of the wiretap channel (Q , Q ). T =µ (L ) from the channel encoder. Finally, com- Y|X Z|X n Alice,n,G n Note that we employ the strong security criterion introduced pute the actually transmitted signal X by passing T to the n n by Csisza´r [6] and Maurer and Wolf [17]. The necessity for artificialmemorylesschannelQn .Thedecodermapsagiven X|T the strong security is given in [2], [17]. received signal Y in Yn to the message F (µ (Y )) ∈ n n Bob,n n Proposition 2: [2], [6], [11] The capacity of the wiretap M . n channel (Q , Q ) is The random selection of F and G is a fatal problem be- Y|X Z|X n n cause it requiressharingof commonrandomnessbetweenAl- max [I(T;Y)−I(T;Z)]. (1) ice and Bob. However,we shall show that I(M ;Z |F ,G ) PT,PX|T n n n n canbeupperboundedbyanarbitrarypositivenumberǫ ×ǫ , 1 2 In the next section, we shall show a construction of wiretap whichmeansthatatleast100(1−ǫ )%choicesoff ∈F and 1 n n encoderanddecoderfromarbitrarygivenchannelencoderand g ∈G keep I(M ;Z |F =f , G =g ) below ǫ . Thus n n n n n n n n 2 decoder. In the construction, we assume that we are given the legitimate sender and receiver can agree on the random Q achievingthe maximumof Eq. (1). Note that when the X|T choice of f before transmission of the secret messsage M . n n wiretap channel is Gaussian, it is degraded and we can take T =X without losing the optimality. In the construction, we B. Evaluation of the eavesdropped information shallalsouseafamilyofthetwo-universalhashfunctions[5], which is reviewed next. It should be clear that the (block) average decoding error Definition 3: Let S1 and S2 be finite sets and F a subset probability of the constructed wiretap code is lower than or of the set of all mappings from S1 to S2. The family F is equaltothatoftheunderlyingcode(µAlice,n,g, µAlice,n,g)for said to be a family of two-universal hash functions if g ∈ G regardless of random choices of F and L from n n n M . The remaining task is evaluation of the eavesdropped Pr[F(x )=F(x )]≤1/|S |, n 1 2 2 information I(M ,Z ), where Z is Eve’s received signal n n n foralldistinctx1andx2inS1,whereF istheuniformrandom on the channel input Xn. To do so, we introduce Hayashi’s variable on F. version of the privacy amplification theorem [12] Proposition 5: Let L be the uniform random variable with III. RANDOMIZED CONSTRUCTION OFA WIRETAP CODE a finite alphabet L and Z any random variable. If Z is not A. Encoder and decoder discreterandomvariablethenthe conditionalprobabilityofZ givenLisassumedtobeGaussian.LetF beafamilyoftwo- In this section we shall construct wiretap encoder and universalhash functionsfrom L to M, and F be the uniform decoder from arbitrary given ordinary channel encoder and random variable on F. Then decoder. The construction in this section can achieve the wiretap capacity (1) if the uniform distribution on T realizes |M|s×exp(ψ(s,P )) LZ H(F(L)|F,Z)≥ln|M|− the wiretap capacity (1). The assumptions are: s|L|s 2 for 0<s≤1, where right hand side is P (ℓ)(P (z|ℓ))1+s nψ(s,Q Uniform(T)) ψ(s,P )=ln ℓ L Z|L . s ln|M |−ln|L |+ Z|T −lns. LZ P (z)s n n s Xz P Z (cid:18) (cid:19) (4) If Z is conditionally Gaussian should be replaced by the By l’Hoˆpital’s theorem, we have z integration and P , P denote probability densities. Remark 6: TheZaboZv|eLpropoPsition is a combination of [12, lim ψ(s,QZ|TUniform(T)) =I(Uniform(T),Q ), s→+0 s Z|T Eq. (2)] and the argument in proof of [12, Theorem 2]. It was assumed that Z was discrete in [12]. However, when where the right hand side is the mutual information between the conditional probability of Z given L is Gaussian, there the channel output and the uniform channel input to the is no difficulty to extend the original result. It should be also imaginary channel Q . Thus, by choosing s such that Z|T noted that the uniformity assumption on L is indispensable, ψ(s,QZ|TUniform(T)) <I(Uniform(T),Q )+δ, we can see s Z|T otherwise the claim is false. that if ln|M | < ln|L −n(I(Uniform(T),Q )+δ) for n n Z|T By the above proposition, for fixed G=g ∈Gn we have some δ > 0 then Eq. (4) converges to −∞ as n → ∞, which means the eavesdropper Eve has little information on I(M ;Zg,F ) = I(M ;Zg|F ) n n n n n n the secret message. This means that if ln|L |/n convergesto n = H(Mn|Fn)−H(Mn|Zng,Fn) I(Uniform(T),QZ|T)andthewiretapcapacity(1)isachieved ≤ ln|M |−H(M |Zg,F ) withuniformchannelinputthenthisconstructionalsoachieves n n n n |M |s×exp(ψ(s,Pg )) the wiretap capacity. ≤ n LnZn (2) Drawbacks in the proposed construction is the random |L |ss n selection of channel encoders. This requires that almost all for 0 < s ≤ 1, where Pg is the joint probability pairs of encoder and decoder have to provide low decoding LnZn distribution and Zg is Eve’s received signal with a fixed error probability, which is not verified with most of channel n g ∈G codes. Moreover, in some case, for example the channel n A major problem with the last upper bound (2) on encoder using the Trellis shaper [8], it is difficult to prepare I(M ;Z |F )isthatforagivenchannelcodeitispractically a family of encoders that satisfies the requirement. Thus, in n n n impossibletonumericallycomputeψ(s,Pg ).Toovercome the next section, we show a deterministic construction of a this difficulty we shall upper bound exLpn(Zψn(s,Pg )) by wiretap code from a given channel code. LnZn exp(ψ(s,P )), where P is a joint distribution on T ×Z. TZ TZ Let T = µ (L ) that is a random variable IV. DETERMINISTICCONSTRUCTION OF A WIRETAPCODE g Alice,n,g n on Tn. Note that Tg is the uniform random variable on In this section, we assume that the index set G has only n µAlice,n,g(Ln) ⊂ Tn. By the assumption on the given one element, and we are given a pair of an encoder µ Alice,n family of channel encoders µAlice,n,g, g ∈ Gn, the convex a decoder µ . We also assume that the given family F Bob,n n combination of g∈GnPTg/|Gn| is the uniform distribution of hash functions satisfies the condition that for all f ∈ Fn Uniform(Tn) on Tn. By the concavity of exp(ψ(s,·)) on and m ∈ M we have |f−1(m)| = |L |/|M | in order the channelinpuPt probabilitydistribution1 [12, Lemma 1], we n n n to apply Theorem 7 in Sec. V. This assumption on F is n have satisfied, for example when M = Fk and L = Fn, using n q n q 1 exp(ψ(s,Pg ))≤exp(ψ(s,Qn Uniform(Tn)) the set of all the surjective linear maps from Ln to Mn. |G | LnZn Z|T Moreover,thelinearmappingsdefinedbytheconcatenationof n gX∈Gn the identity matrix and the Toeplitz matrix considered in [12, =exp(nψ(s,QZ|TUniform(T)). Appendix] also satisfy the assumption and is more efficiently implemented in practice. Observe that computationof the last mathematicalexpression The construction of the wiretap code is the same as the is easy for almost all channels. previous section except that there is no random selection of What we have proved is encoders. The construction in this section can achieve the |Mn|s×exp(nψ(s,QZ|TUniform(T))) wiretap capacity (1) if the distribution PT on T realizing (1) I(Mn;Zn|Fn,Gn)≤ |L |ss .also maximizes the mutual information I(PT,QZ|T) to the n (3) eavesdropper. In order to evaluate the average of the mutual Observethattheminimizationofthe RHSofEq.(3)overs is information, we develop a new privacy amplification theorem also computable by the bisection method [4, Algorithm 4.1] (Theorem 7) based on Gallager function by modifying [11, because it is convex with respect to s. The logarithm of the Lemma 2] in the next section. Applying this result, one can show that 1Theconcavity isprovedunderthatassumptionthatZ isfinite.However, |M|sexp(φ(s,Qn ,P )) nifothcehacnognedeitxiocnepalt nporotabtaiobnilaitlyoQneZs.|X is Gaussian, the concavity proof needs I(Mn;Zn|Fn)≤ |L|ssZ|T Tn , 3 for 0≤s≤1/2, where for 0 ≤ s ≤ 1/2, where E expresses the expectation F concerning the random variable F, φ(s,Qn ,P ) Z|T Tn 1−s 1−s φ¯(s,Q )=ln E (Q (z|L))1/(1−s) dz Z|L L Z|L = ln PTn(t)(QnZ|T(z|t))1/(1−s) dz. ZZ(cid:16) (cid:17) ZZn t∈Tn ! and dz is an arbitrary measure. X IfZ isfinite,theintegrationshouldbereplacedbysummation Proof. Observe first that the joint probability PFL = PF × andQZ|T shouldbe interpretedas the conditionalprobability. PL and the conditionalprobabilityQZ|L uniquely determines Again, for a given channel encoder µAlice,n, it is also QZ|F(L). We can check that the function s 7→ φ¯(s,QnZ|F(L)) practically impossible to compute φ(s,Qn ,P ). We shall satisfies the following properties: Z|T Tn show that a method to upper bound it. We have d2φ¯(s,Q ) φ¯(0,Q )=0, Z|F(L) ≥0 exp(φ(s,Qn ,P ))≤maxexp(φ(s,Qn ,P )), Z|F(L) ds2 Z|T Tn Pn Z|T n dφ¯(s,Q ) Z|F(L) where P is a probability distribution on T . Observe that =I(F(L);Z). n n ds s=0 φ is essentially same as the function E0 in [1], [9]. Thus if Hence, its convexit(cid:12)(cid:12)y guarantees the inequality P1,s maximizes exp(φ(s,QZ|T,P1,s)), then its n-fold i.i.d. sE I(F(L);Z) ≤ E (cid:12)φ¯(s,Q ), which implies the extension Pn also maximizes max exp(φ(s,Qn ,P )) F F Z|F(L) 1,s Pn Z|T n inequality [1], and we have |M|sexp(nφ(s,QZ|T,P1,s)) E I(F(L);Z)≤E φ¯(s,QZ|F(L)) (7) I(M ;Z |F )≤ . (5) F F n n n |L|ss s for 0 < s ≤ 1. In the following, we denote the uniform Observe that for fixed s and QZ|T, exp(φ(s,QZ|T,P1,s)) is 2 distriburtion on L by P a concave function on a convex set and P can easily be L 1,s Let 1+u = 1 , then 1 ≥ u > 0 and s = u . Since computed [4]. Observe also that for fixed QZ|T, the function x7→xu is concav1−e,s 1+u max [RHS of Eq. (5)] is a convex function of s, thus P1,s minsmaxP1,s[RHS of Eq. (5)] can also be easily computed EF QZ|L(z|ℓ′) u by the bisection method [4, Algorithm 4.1]. The logarithm of the right hand side is (cid:2)ℓ′:F(ℓ′)X=F(ℓ),ℓ′6=ℓ (cid:3) ≤ E Q (z|ℓ′) u F Z|L nφ(s,Q ,P ) s ln|Mn|−ln|Ln|+ Z|T 1,s −lns. (cid:2) ℓ′:F(ℓ′)X=F(ℓ),ℓ′6=ℓ (cid:3) s (cid:18) (cid:19) ≤ 1 Q (z|ℓ′) u≤ |L| Q (z) u=( |L| )uQ (z)u. Since φ is essentially E0 in [9], lims→0φ(s,QZ|T,P)/s = |M| Z|L |M| Z |M| Z ℓ′:ℓ′6=ℓ I(P,QZ|T), where P is a distribution on T. Let Pmax be a (cid:2) X (cid:3) (cid:2) (cid:3) (8) distribution on T maximizing I(P,Q ). Therefore, by the Z|T almost same argument as Section II, if ln|M | < ln|L |− Using(8)andtherelation(x+y)u ≤xu+yu fortwopositive n n n(I(P ,Q )+δ) for all n, then I(M ;Z |F ) goes to real numbers x,y, we obtain max Z|T n n n (z1e)roanads nth→e g∞ive.nIfcPhamnanxelalcsoodmeaaxcihmieivzeesstthhee winifroertmapatciaopnarcaittye eEFφ¯(s,QZ|F(L)) ≤EFeφ¯(s,QZ|F(L)) (9) 1 1 Ith(ePmwairxe,tQapYc|Ta)patchietyn.the construction in this section achieves =EF |M|QZ|F(L)(z|m)1+u 1+udz ZZ(cid:16)mX∈M (cid:17) V. NEWPRIVACY AMPLIFICATION THEOREMIN TERMS OF ≤ E 1 Q (z|m)1+u 1+1udz (10) THE GALLAGERFUNCTION ZZ(cid:16) F mX∈M|M| Z|F(L) (cid:17) We shallshowthe followingnewprivacyamplificationthe- 1 1 orem that is indispensable with the deterministic construction = EF |M|QZ|F(L)(z|m)QZ|F(L)(z|m)u 1+udz of wiretap codes in Sec. IV. ZZ(cid:16) mX∈M (cid:17) Theorem 7: Assume that the given family of two-universal 1 |M| = E Q (z|ℓ) hash function F from L to M satisfies that F |M| |L| Z|L ZZ(cid:16) mX∈M hℓ∈L:XF(ℓ)=m i |L| |F−1(m)|= |M|, ∀m, ||ML||QZ|L(z|ℓ) u 1+1udz a fixed conditionalprobabilityQ is given,and the random hℓ∈L:XF(ℓ)=m i (cid:17) Z|L 1 |M| variable L obeys the uniform distribution on L. Then, = E Q (z|ℓ)( )u Q (z|ℓ) F |L| Z|L |L| Z|L |M|sexp(φ¯(s,QZ|L)) ZZ(cid:16) Xℓ∈L h I(F(L);Z|F)=EFI(F(L);Z)≤ |L|ss , + Q (z|ℓ′) u 1+1udz Z|L (6) ℓ′∈L:F(ℓX′)=F(ℓ),ℓ′6=ℓ i (cid:17) 4 1 |M| ≤ E Q (z|ℓ)( )u Q (z|ℓ)u ACKNOWLEDGMENT F |L| Z|L |L| Z|L ZZ(cid:16) Xℓ∈L h The second author would like to thank Prof. Yasutada 1 Oohama, Prof. TomohikoUyematsu, Dr. Shun Watanabe, and + Q (z|ℓ′) u 1+udz (11) Z|L Dr. Kenta Kasai for helpful discussions. This research was (cid:0)ℓ′∈L:F(ℓX′)=F(ℓ),ℓ′6=ℓ (cid:1) i(cid:17) partially supported by a Grant-in-Aid for Scientific Research = (|M|)u 1 Q (z|ℓ)1+u+ |M| u in the Priority Area “Deepening and Expansion of Statistical ZZ(cid:16) |L1| Xℓ∈L|L| Z|L (cid:0) |L| (cid:1) 1 MMeEcXhTanGicraalnIt-nifno-rAmidatifcosr Y(DouEnXg-SSMciIe)n,”tisNtso(.A1)8N07o9.0210468a6n0d26a. × Q (z|ℓ)E Q (z|ℓ′) u 1+udz |L| Z|L F Z|L REFERENCES Xℓ∈L (cid:0)ℓ6=ℓ′∈XF−1(ℓ) (cid:1) (cid:17) |M| [1] S. Arimoto, “On the converse to the coding theorem for discrete ≤ZZ(cid:16)(+|L(||M)u|E)uLQQZ(|Lz()z|L|L)|1+uuQ (z)u 1+1udz (12) [2] 3m2J.50eB70m–8a3,orr5rsoye9slr,e.asMLnsedaccyMhtua1r.ne9Bn7Nel3olos.c,th”e,sI“EiSnEtrCEoonTmgrpasunectse.reSIcncyfioefrnomcre.wsT,irhReel.oeSsrsya,fcavhvoai-nl.Nn1ea9lisn,,i”n,oiEn.dI3.C,,vIpToplS.. Z Z |L| |M| 5155. Springer-Verlag, 2008,pp.40–53. |M| (cid:0) (cid:1) (cid:17) 1 [3] C.H.Bennett,G.Brassard,C.Cre´peau,andU.M.Maurer,“Generalized = ( )uE Q (z|L)1+u+Q (z)1+u 1+udz privacy amplification,” IEEETrans.Inform. Theory,vol. 41,no.6,pp. ZZ(cid:16) ||ML|| L Z|L 1 Z (cid:17) [4] 1S9.1B5–o1y9d23a,ndNoLv..1V9a9n5d.enberghe, Convex Optimization. Cambridge ≤ZZ(cid:16)( |L| )uELQZ|L(z|L)1+u(cid:17)1+u +(QZ(z)1+u)1+1u(d1z3) [5] JUJ..nLCiv.oemCrsapirtutyte.rPSaryenssdtse,mM2.0S0Nc4i...,Wvoegl.m1a8n,,n“oU.n2i,veprps.al14c3la–s1s5e4s,oAfphra.s1h9f7u9n.ctions,” [6] I. Csisza´r, “Almost independence and secrecy capacity,” Problems of |M| 1 = ( |L| )1+uu ELQZ|L(z|L)1+u 1+u +QZ(z)dz [7] IIn.fCorsmisazta´ironanTdraJn.smKios¨snieorn,,“vBorlo.a3d2c,ansto.c1h,anpnpe.l4s0w–4it7h,1c9o9n6fi.dential mes- ZZ (cid:16) (cid:17) sages,”IEEETrans.Inform.Theory,vol.24,pp.339–348, 1978. |M| 1 =1+( |L| )1+uu ELQZ|L(z|L)1+u 1+udz [8] nGo..D2.,Fpopr.n2ey8,1J–r3.,0“0T,rMellairs.s1h9a9p2in.g,”IEEETrans.Inform.Theory,vol.38, ZZ(cid:16) (cid:17) [9] R.G.Gallager,InformationTheoryandReliableCommunication. New =1+(|M|)seφ¯(s,QnZ|L), York:JohnWiley&Sons,1968. |L| [10] M.Hamada,“Securityofquotientcodesforclassicalwiretapchannels,” inProc.SITA2009,Dec.2009,pp.309–314. where the inequalities can be shown in the following way. [11] M.Hayashi,“Generalnon-asymptoticandasymptoticformulasinchan- nelresolvability andidentification capacity anditsapplication towire- Ineq. (12) follows from (8). Ineq. (11) and (13) follow from tapchannel,”IEEETrans.Inform.Theory,vol.52,no.4,pp.1562–1575, inequality (x+y)u ≤ xu+yu for 0 ≤ u ≤ 1 and x,y ≥ 0. 2006. Ineq.(10) followsfromthe concavityof x7→xu for 0≤u≤ [12] ——, “Exponential evaluations in universal random privacy amplifica- 1. Ineq. (9) follows from the convexity of x7→ex. Since the tion,”2009,arXiv:0904.0308. [13] D.Klinc,J.Ha,S.M.McLaughlin,J.Barros,andB.-J.Kwak,“LDPC above inequality implies codes fortheGaussian wiretap channel,” inProc. ITW,Oct. 2009, pp. 95–99. EFφ¯(s,QZ|F(L))≤ln[1+(||ML||)seφ¯(s,QnZ|L)] [14] Sch.aKnn.eLl,e”uInEgE-YEanT-rCanhse.oInngfoarnmd.TMh.eoEr.y,Hveolllm.2an4,,p“pT.h4e5g1a–u4s5s6ia,nJuwl.ir1e9-7ta8p. [15] Y. Liang, H. V. Poor, and S. Shamai (Shitz), Information Theoretic ≤(|M|)seφ¯(s,QnZ|L), Security. Hanover,MA,USA:NOWPublishers, 2009. |L| [16] R. Matsumoto, “Problems in application of ldpc codes to infor- mation reconciliation in quantum key distribution protocols,” 2009, using (7) we obtain (6). arXiv:0908.2042. [17] U. Maurer and S. Wolf, “Information-theoretic key agreement: From weak to strong secrecy for free,” in EUROCRYPTO 2000, ser. LNCS, VI. CONCLUSION B.Preneel, Ed. Springer-Verlag, 2000,vol.1807,pp.351–368. [18] J. Muramatsu and S. Miyake, “Construction of wiretap channel codes Inthis paper,startingfroman arbitrarygivenchannelcode, byusingsparsematrices,” inProc.ITW,Oct.2009,pp.105–109. we showed two constructions of wiretap codes. The first [19] R.Renner,“Securityofquantumkeydistribution,”InternationalJournal one involves the randomized selection of channel encoders. onQuantumInformation,vol.6,no.1,pp.1–127,Feb.2008,(originally publishedasPh.Dthesis,ETHZu¨rich,Switzerland, 2005). The second one is deterministic. These two construction can [20] A. Thangaraj, S. Dihidar, A. Calderbank, S. McLaughlin, and J.-M. achieve the wiretap capacity under different conditions. Our Merolla,“Applicationofldpccodestothewiretapchannel,”IEEETrans. constructions provide the strong security. Inform.Theory,vol.53,pp.2933–2945,Aug.2007. [21] A.D.Wyner,“Thewire-tapchannel,”BellSystemTech.J.,vol.54,pp. Ideally, the addition of hash functions to an arbitrary given 1355–1387, 1975. channel code should always achieve the wiretap capacity wheneverthe given channel code achieves the capacity of the composition of the artificially added channel Q plus the X|T physicalchannelQ . The proposedconstructionsfall short Z|X of this ideal. The improved construction should be explored. The numerical computation of an optimal Q from given X|T Q and Q is also an open problem. Y|X Z|X 5

ebook img

Construction of wiretap codes from ordinary channel codes PDF

0.12 MB·English
by  Masahito Hayashi
#additional_collections #journals #arxiv
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Construction of wiretap codes from ordinary channel codes

Construction of wiretap codes from ordinary channel codes Masahito Hayashi Ryutaroh Matsumoto Graduate School of Information Sciences, Tohoku Univ., Japan Dept. of Communications and Integrated Systems, CQT, National Univ. of Singapore, Singapore Tokyo Institute of Technology, 152-8550 Japan Email: [email protected] Email: [email protected] 0 Abstract—From an arbitrary given channel code over a dis- Moreover, previous constructions for discrete memoryless 1 crete or Gaussian memoryless channel, we construct a wiretap channels do not cover all the discrete memoryless channels 0 code with the strong security. Our construction can achieve the except [18]. It is desirable to have a construction of wiretap 2 wiretap capacity under mild assumptions. The key tool is the codes that can be used for any discrete memoryless channels. new privacy amplification theorem bounding the eavesdropped n information in terms of the Gallager function. In this paper, we show two constructions of wiretap codes a from encoder and decoder in an ordinary channel code. We J 8 I. INTRODUCTION donotmodifythechannelencodernordecoder.We attachthe two-universalhash functionto the encoderand the decoderin ] The information theoretical security [15] recently has at- ordertorealizesecrecyfromEve.We showthatourconstruc- T tracted huge interest. The wiretap channel [7], [21] is one tion can achieve the wiretap capacity in the strong security I of its fundamental problems. On a wiretap channel, signals sense over discrete and Gaussian memorylesschannels, while . s from the legitimate sender, called Alice, is delivered to both some of previous constructions do not have proofs of the c [ legitimate receiver, called Bob, and eavesdropper, called Eve. strong security. The goal of Alice is to deliver messages to Bob with low The key tools for our constructions are the new forms of 1 decoding probability while keeping Eve from knowing much the privacy amplification (PA) theorem [3]. The original PA v 7 about the messages. The capacity of wiretap channels has theorem [3] does not achieve the optimal rate of PA, which 9 been determined for discrete memoryless channels [7], [21] is the conditional Shannon entropy of Alice’s information 1 and for Gaussian channels [14] with a weaker notion of conditionedon Eve’sinformation.Renner [19] improvedit so 1 security. The capacity of the above wiretap channels are also that Renner’s version of the theorem can achieve the optimal . 1 determined with a stronger notion of security [2], [6], [11]. rate. However, it does not enable us to construct the wiretap 0 The exponential decreasing rate of eavesdropped information code using an existing channel code. The reason is that we 0 is also evaluated in [11], [12]. Shannon theoretic study of the cannot numerically compute the necessay rate of hashing for 1 wiretap channels is fairly advanced. a given channelcode in order for Eve’s informationon secret : v On the other hand, there is still room for research in the message to become sufficiently small. So we present two i X actual construction of codes for the wiretap channels, which new forms of the PA theorem. One is already given in [12]. r we call the wiretap codes. Thangaraj et al. [20] proposed However,itrequirestherandomselectionofachennelencoder a an LDPC based construction for specific discrete memory- from the given family of channel codes. We shall provide less channels, and Klinc et al. [13] proposed another LDPC anotherform of the PA theorem in Theorem7, which enables based construction for Gaussian channels. Hamada [10] and us to construct a wiretap code from single channel encoder. Hayashi [12] proposedgenerallinear code based construction Our new PA theorem is a nontrivialadaptationof the channel for additive discrete memoryless channels. Muramatsu and resolvability lemma [11, Lemma 2]. Miyakeproposedaconstructionbasedonthehashingproperty This paper is organized as follows: In Sec. II we fix nota- of LDPC matrices [18], whose decoding requires the high- tions used in this paper. In Secs. III and IV two constructions complexity minimum entropy decoder. of wiretap codes are given. In Sec. V we present a novel In those constructions except [12], error correction and privacy amplification theorem bounding the eavesdropped provision of secrecy are combined in the constructed cod- information in terms of the Gallager function. Section VI ing scheme. This prevents us from using well-studied error- concludes the paper. correcting codes for the error correctionin the wiretap codes, andweneedtoadjustexistingerror-correctingcodesorinvent II. PRELIMINARY anewwiretapcode.Thisinconveniencemaynotbenecessary. In this section we shall fix notations used in this paper and In fact, in the quantum key distribution protocols, the error review necessary prior results. Let X be the finite alphabet correction and the provision of secrecy can be separately of channel inputs, Y the alphabet of channel outputs to studied and developed, see [16] and references therein. the legitimate receiver, called Bob, and Z the alphabet of channeloutputstotheeavesdropper,calledEve.Thelegitimate • We know QX|T achieving the maximum of Eq. (1). sender is called Alice. We fix the conditional probability or Denote by T the alphabet of T. conditional probability density QY|X of the channel to Bob • WearegivenafamilychannelencodersµAlice,n,g indexed and Q of the channel to Eve. We assume channels are byg ∈G mappingamessageinthemessagesetL toa Z|X n n memoryless and further assume that codewordinTnandachanneldecoderµ mapping Bob,n,g • both Y and Z are finite, which means that the channels a receivedsignalin Yn to a message in Ln. The channel are discrete memoryless, encoder µAlice,n,g is a one-to-one map, and Tn is equal • or Y =Z =R and the channels are additive Gaussian. to the disjoint union of µAlice,n,g(Ln) for g ∈Gn. Let M be the set of messages transmitted to Bob secretly • WearegivenafamilyFn oftwo-universalhashfunctions n from L to M , where M is the message set of the from Eve, η a stochastic map from M to Xn of a n n n Alice,n n wiretap code. wiretap encoder, and η a deterministic map from Yn Bob,n to M . We use the natural logarithm instead of log for Remark 4: The assumption on the channel encoders is n 2 convenience. usually met with linear codes. We usually use the codebook Definition 1: A rate R>0 is said to be achievableif there of a linear code whose codewordshave zero syndrome.If we exists a sequence (η , η ) of encoders and decoders allow codebooks to have nonzero syndrome, then the family Alice,n Bob,n such that of codebooks with multiple syndromes constitutes the family of encoders {µ |g ∈G }. Alice,n,g n lim Pr[M 6=η (η (M ))]=0, n Bob,n Alice,n n From these assumptions, we can construct a wiretap en- n→∞ lim I(M ;Z )=0, liminfln|M |≥R, coder, which is an extension of Hayashi’s construction [12]. n n n n→∞ n→∞ Choose a hash function F uniformly randomly from F n n where M is the uniform random variable over M and Z and G ∈ G . For a given message M to the wiretap n n n n n is the random variable for Eve’s channel outputfrom channel encoder of code length n, choose a message L uniformly n input η (M ). The supremum of the achievable rates is randomly from F−1(M ) ⊂ L , and compute the codeword Alice,n n n n n the capacity of the wiretap channel (Q , Q ). T =µ (L ) from the channel encoder. Finally, com- Y|X Z|X n Alice,n,G n Note that we employ the strong security criterion introduced pute the actually transmitted signal X by passing T to the n n by Csisza´r [6] and Maurer and Wolf [17]. The necessity for artificialmemorylesschannelQn .Thedecodermapsagiven X|T the strong security is given in [2], [17]. received signal Y in Yn to the message F (µ (Y )) ∈ n n Bob,n n Proposition 2: [2], [6], [11] The capacity of the wiretap M . n channel (Q , Q ) is The random selection of F and G is a fatal problem be- Y|X Z|X n n cause it requiressharingof commonrandomnessbetweenAl- max [I(T;Y)−I(T;Z)]. (1) ice and Bob. However,we shall show that I(M ;Z |F ,G ) PT,PX|T n n n n canbeupperboundedbyanarbitrarypositivenumberǫ ×ǫ , 1 2 In the next section, we shall show a construction of wiretap whichmeansthatatleast100(1−ǫ )%choicesoff ∈F and 1 n n encoderanddecoderfromarbitrarygivenchannelencoderand g ∈G keep I(M ;Z |F =f , G =g ) below ǫ . Thus n n n n n n n n 2 decoder. In the construction, we assume that we are given the legitimate sender and receiver can agree on the random Q achievingthe maximumof Eq. (1). Note that when the X|T choice of f before transmission of the secret messsage M . n n wiretap channel is Gaussian, it is degraded and we can take T =X without losing the optimality. In the construction, we B. Evaluation of the eavesdropped information shallalsouseafamilyofthetwo-universalhashfunctions[5], which is reviewed next. It should be clear that the (block) average decoding error Definition 3: Let S1 and S2 be finite sets and F a subset probability of the constructed wiretap code is lower than or of the set of all mappings from S1 to S2. The family F is equaltothatoftheunderlyingcode(µAlice,n,g, µAlice,n,g)for said to be a family of two-universal hash functions if g ∈ G regardless of random choices of F and L from n n n M . The remaining task is evaluation of the eavesdropped Pr[F(x )=F(x )]≤1/|S |, n 1 2 2 information I(M ,Z ), where Z is Eve’s received signal n n n foralldistinctx1andx2inS1,whereF istheuniformrandom on the channel input Xn. To do so, we introduce Hayashi’s variable on F. version of the privacy amplification theorem [12] Proposition 5: Let L be the uniform random variable with III. RANDOMIZED CONSTRUCTION OFA WIRETAP CODE a finite alphabet L and Z any random variable. If Z is not A. Encoder and decoder discreterandomvariablethenthe conditionalprobabilityofZ givenLisassumedtobeGaussian.LetF beafamilyoftwo- In this section we shall construct wiretap encoder and universalhash functionsfrom L to M, and F be the uniform decoder from arbitrary given ordinary channel encoder and random variable on F. Then decoder. The construction in this section can achieve the wiretap capacity (1) if the uniform distribution on T realizes |M|s×exp(ψ(s,P )) LZ H(F(L)|F,Z)≥ln|M|− the wiretap capacity (1). The assumptions are: s|L|s 2 for 0<s≤1, where right hand side is P (ℓ)(P (z|ℓ))1+s nψ(s,Q Uniform(T)) ψ(s,P )=ln ℓ L Z|L . s ln|M |−ln|L |+ Z|T −lns. LZ P (z)s n n s Xz P Z (cid:18) (cid:19) (4) If Z is conditionally Gaussian should be replaced by the By l’Hoˆpital’s theorem, we have z integration and P , P denote probability densities. Remark 6: TheZaboZv|eLpropoPsition is a combination of [12, lim ψ(s,QZ|TUniform(T)) =I(Uniform(T),Q ), s→+0 s Z|T Eq. (2)] and the argument in proof of [12, Theorem 2]. It was assumed that Z was discrete in [12]. However, when where the right hand side is the mutual information between the conditional probability of Z given L is Gaussian, there the channel output and the uniform channel input to the is no difficulty to extend the original result. It should be also imaginary channel Q . Thus, by choosing s such that Z|T noted that the uniformity assumption on L is indispensable, ψ(s,QZ|TUniform(T)) <I(Uniform(T),Q )+δ, we can see s Z|T otherwise the claim is false. that if ln|M | < ln|L −n(I(Uniform(T),Q )+δ) for n n Z|T By the above proposition, for fixed G=g ∈Gn we have some δ > 0 then Eq. (4) converges to −∞ as n → ∞, which means the eavesdropper Eve has little information on I(M ;Zg,F ) = I(M ;Zg|F ) n n n n n n the secret message. This means that if ln|L |/n convergesto n = H(Mn|Fn)−H(Mn|Zng,Fn) I(Uniform(T),QZ|T)andthewiretapcapacity(1)isachieved ≤ ln|M |−H(M |Zg,F ) withuniformchannelinputthenthisconstructionalsoachieves n n n n |M |s×exp(ψ(s,Pg )) the wiretap capacity. ≤ n LnZn (2) Drawbacks in the proposed construction is the random |L |ss n selection of channel encoders. This requires that almost all for 0 < s ≤ 1, where Pg is the joint probability pairs of encoder and decoder have to provide low decoding LnZn distribution and Zg is Eve’s received signal with a fixed error probability, which is not verified with most of channel n g ∈G codes. Moreover, in some case, for example the channel n A major problem with the last upper bound (2) on encoder using the Trellis shaper [8], it is difficult to prepare I(M ;Z |F )isthatforagivenchannelcodeitispractically a family of encoders that satisfies the requirement. Thus, in n n n impossibletonumericallycomputeψ(s,Pg ).Toovercome the next section, we show a deterministic construction of a this difficulty we shall upper bound exLpn(Zψn(s,Pg )) by wiretap code from a given channel code. LnZn exp(ψ(s,P )), where P is a joint distribution on T ×Z. TZ TZ Let T = µ (L ) that is a random variable IV. DETERMINISTICCONSTRUCTION OF A WIRETAPCODE g Alice,n,g n on Tn. Note that Tg is the uniform random variable on In this section, we assume that the index set G has only n µAlice,n,g(Ln) ⊂ Tn. By the assumption on the given one element, and we are given a pair of an encoder µ Alice,n family of channel encoders µAlice,n,g, g ∈ Gn, the convex a decoder µ . We also assume that the given family F Bob,n n combination of g∈GnPTg/|Gn| is the uniform distribution of hash functions satisfies the condition that for all f ∈ Fn Uniform(Tn) on Tn. By the concavity of exp(ψ(s,·)) on and m ∈ M we have |f−1(m)| = |L |/|M | in order the channelinpuPt probabilitydistribution1 [12, Lemma 1], we n n n to apply Theorem 7 in Sec. V. This assumption on F is n have satisfied, for example when M = Fk and L = Fn, using n q n q 1 exp(ψ(s,Pg ))≤exp(ψ(s,Qn Uniform(Tn)) the set of all the surjective linear maps from Ln to Mn. |G | LnZn Z|T Moreover,thelinearmappingsdefinedbytheconcatenationof n gX∈Gn the identity matrix and the Toeplitz matrix considered in [12, =exp(nψ(s,QZ|TUniform(T)). Appendix] also satisfy the assumption and is more efficiently implemented in practice. Observe that computationof the last mathematicalexpression The construction of the wiretap code is the same as the is easy for almost all channels. previous section except that there is no random selection of What we have proved is encoders. The construction in this section can achieve the |Mn|s×exp(nψ(s,QZ|TUniform(T))) wiretap capacity (1) if the distribution PT on T realizing (1) I(Mn;Zn|Fn,Gn)≤ |L |ss .also maximizes the mutual information I(PT,QZ|T) to the n (3) eavesdropper. In order to evaluate the average of the mutual Observethattheminimizationofthe RHSofEq.(3)overs is information, we develop a new privacy amplification theorem also computable by the bisection method [4, Algorithm 4.1] (Theorem 7) based on Gallager function by modifying [11, because it is convex with respect to s. The logarithm of the Lemma 2] in the next section. Applying this result, one can show that 1Theconcavity isprovedunderthatassumptionthatZ isfinite.However, |M|sexp(φ(s,Qn ,P )) nifothcehacnognedeitxiocnepalt nporotabtaiobnilaitlyoQneZs.|X is Gaussian, the concavity proof needs I(Mn;Zn|Fn)≤ |L|ssZ|T Tn , 3 for 0≤s≤1/2, where for 0 ≤ s ≤ 1/2, where E expresses the expectation F concerning the random variable F, φ(s,Qn ,P ) Z|T Tn 1−s 1−s φ¯(s,Q )=ln E (Q (z|L))1/(1−s) dz Z|L L Z|L = ln PTn(t)(QnZ|T(z|t))1/(1−s) dz. ZZ(cid:16) (cid:17) ZZn t∈Tn ! and dz is an arbitrary measure. X IfZ isfinite,theintegrationshouldbereplacedbysummation Proof. Observe first that the joint probability PFL = PF × andQZ|T shouldbe interpretedas the conditionalprobability. PL and the conditionalprobabilityQZ|L uniquely determines Again, for a given channel encoder µAlice,n, it is also QZ|F(L). We can check that the function s 7→ φ¯(s,QnZ|F(L)) practically impossible to compute φ(s,Qn ,P ). We shall satisfies the following properties: Z|T Tn show that a method to upper bound it. We have d2φ¯(s,Q ) φ¯(0,Q )=0, Z|F(L) ≥0 exp(φ(s,Qn ,P ))≤maxexp(φ(s,Qn ,P )), Z|F(L) ds2 Z|T Tn Pn Z|T n dφ¯(s,Q ) Z|F(L) where P is a probability distribution on T . Observe that =I(F(L);Z). n n ds s=0 φ is essentially same as the function E0 in [1], [9]. Thus if Hence, its convexit(cid:12)(cid:12)y guarantees the inequality P1,s maximizes exp(φ(s,QZ|T,P1,s)), then its n-fold i.i.d. sE I(F(L);Z) ≤ E (cid:12)φ¯(s,Q ), which implies the extension Pn also maximizes max exp(φ(s,Qn ,P )) F F Z|F(L) 1,s Pn Z|T n inequality [1], and we have |M|sexp(nφ(s,QZ|T,P1,s)) E I(F(L);Z)≤E φ¯(s,QZ|F(L)) (7) I(M ;Z |F )≤ . (5) F F n n n |L|ss s for 0 < s ≤ 1. In the following, we denote the uniform Observe that for fixed s and QZ|T, exp(φ(s,QZ|T,P1,s)) is 2 distriburtion on L by P a concave function on a convex set and P can easily be L 1,s Let 1+u = 1 , then 1 ≥ u > 0 and s = u . Since computed [4]. Observe also that for fixed QZ|T, the function x7→xu is concav1−e,s 1+u max [RHS of Eq. (5)] is a convex function of s, thus P1,s minsmaxP1,s[RHS of Eq. (5)] can also be easily computed EF QZ|L(z|ℓ′) u by the bisection method [4, Algorithm 4.1]. The logarithm of the right hand side is (cid:2)ℓ′:F(ℓ′)X=F(ℓ),ℓ′6=ℓ (cid:3) ≤ E Q (z|ℓ′) u F Z|L nφ(s,Q ,P ) s ln|Mn|−ln|Ln|+ Z|T 1,s −lns. (cid:2) ℓ′:F(ℓ′)X=F(ℓ),ℓ′6=ℓ (cid:3) s (cid:18) (cid:19) ≤ 1 Q (z|ℓ′) u≤ |L| Q (z) u=( |L| )uQ (z)u. Since φ is essentially E0 in [9], lims→0φ(s,QZ|T,P)/s = |M| Z|L |M| Z |M| Z ℓ′:ℓ′6=ℓ I(P,QZ|T), where P is a distribution on T. Let Pmax be a (cid:2) X (cid:3) (cid:2) (cid:3) (8) distribution on T maximizing I(P,Q ). Therefore, by the Z|T almost same argument as Section II, if ln|M | < ln|L |− Using(8)andtherelation(x+y)u ≤xu+yu fortwopositive n n n(I(P ,Q )+δ) for all n, then I(M ;Z |F ) goes to real numbers x,y, we obtain max Z|T n n n (z1e)roanads nth→e g∞ive.nIfcPhamnanxelalcsoodmeaaxcihmieivzeesstthhee winifroertmapatciaopnarcaittye eEFφ¯(s,QZ|F(L)) ≤EFeφ¯(s,QZ|F(L)) (9) 1 1 Ith(ePmwairxe,tQapYc|Ta)patchietyn.the construction in this section achieves =EF |M|QZ|F(L)(z|m)1+u 1+udz ZZ(cid:16)mX∈M (cid:17) V. NEWPRIVACY AMPLIFICATION THEOREMIN TERMS OF ≤ E 1 Q (z|m)1+u 1+1udz (10) THE GALLAGERFUNCTION ZZ(cid:16) F mX∈M|M| Z|F(L) (cid:17) We shallshowthe followingnewprivacyamplificationthe- 1 1 orem that is indispensable with the deterministic construction = EF |M|QZ|F(L)(z|m)QZ|F(L)(z|m)u 1+udz of wiretap codes in Sec. IV. ZZ(cid:16) mX∈M (cid:17) Theorem 7: Assume that the given family of two-universal 1 |M| = E Q (z|ℓ) hash function F from L to M satisfies that F |M| |L| Z|L ZZ(cid:16) mX∈M hℓ∈L:XF(ℓ)=m i |L| |F−1(m)|= |M|, ∀m, ||ML||QZ|L(z|ℓ) u 1+1udz a fixed conditionalprobabilityQ is given,and the random hℓ∈L:XF(ℓ)=m i (cid:17) Z|L 1 |M| variable L obeys the uniform distribution on L. Then, = E Q (z|ℓ)( )u Q (z|ℓ) F |L| Z|L |L| Z|L |M|sexp(φ¯(s,QZ|L)) ZZ(cid:16) Xℓ∈L h I(F(L);Z|F)=EFI(F(L);Z)≤ |L|ss , + Q (z|ℓ′) u 1+1udz Z|L (6) ℓ′∈L:F(ℓX′)=F(ℓ),ℓ′6=ℓ i (cid:17) 4 1 |M| ≤ E Q (z|ℓ)( )u Q (z|ℓ)u ACKNOWLEDGMENT F |L| Z|L |L| Z|L ZZ(cid:16) Xℓ∈L h The second author would like to thank Prof. Yasutada 1 Oohama, Prof. TomohikoUyematsu, Dr. Shun Watanabe, and + Q (z|ℓ′) u 1+udz (11) Z|L Dr. Kenta Kasai for helpful discussions. This research was (cid:0)ℓ′∈L:F(ℓX′)=F(ℓ),ℓ′6=ℓ (cid:1) i(cid:17) partially supported by a Grant-in-Aid for Scientific Research = (|M|)u 1 Q (z|ℓ)1+u+ |M| u in the Priority Area “Deepening and Expansion of Statistical ZZ(cid:16) |L1| Xℓ∈L|L| Z|L (cid:0) |L| (cid:1) 1 MMeEcXhTanGicraalnIt-nifno-rAmidatifcosr Y(DouEnXg-SSMciIe)n,”tisNtso(.A1)8N07o9.0210468a6n0d26a. × Q (z|ℓ)E Q (z|ℓ′) u 1+udz |L| Z|L F Z|L REFERENCES Xℓ∈L (cid:0)ℓ6=ℓ′∈XF−1(ℓ) (cid:1) (cid:17) |M| [1] S. Arimoto, “On the converse to the coding theorem for discrete ≤ZZ(cid:16)(+|L(||M)u|E)uLQQZ(|Lz()z|L|L)|1+uuQ (z)u 1+1udz (12) [2] 3m2J.50eB70m–8a3,orr5rsoye9slr,e.asMLnsedaccyMhtua1r.ne9Bn7Nel3olos.c,th”e,sI“EiSnEtrCEoonTmgrpasunectse.reSIcncyfioefrnomcre.wsT,irhReel.oeSsrsya,fcavhvoai-nl.Nn1ea9lisn,,i”n,oiEn.dI3.C,,vIpToplS.. Z Z |L| |M| 5155. Springer-Verlag, 2008,pp.40–53. |M| (cid:0) (cid:1) (cid:17) 1 [3] C.H.Bennett,G.Brassard,C.Cre´peau,andU.M.Maurer,“Generalized = ( )uE Q (z|L)1+u+Q (z)1+u 1+udz privacy amplification,” IEEETrans.Inform. Theory,vol. 41,no.6,pp. ZZ(cid:16) ||ML|| L Z|L 1 Z (cid:17) [4] 1S9.1B5–o1y9d23a,ndNoLv..1V9a9n5d.enberghe, Convex Optimization. Cambridge ≤ZZ(cid:16)( |L| )uELQZ|L(z|L)1+u(cid:17)1+u +(QZ(z)1+u)1+1u(d1z3) [5] JUJ..nLCiv.oemCrsapirtutyte.rPSaryenssdtse,mM2.0S0Nc4i...,Wvoegl.m1a8n,,n“oU.n2i,veprps.al14c3la–s1s5e4s,oAfphra.s1h9f7u9n.ctions,” [6] I. Csisza´r, “Almost independence and secrecy capacity,” Problems of |M| 1 = ( |L| )1+uu ELQZ|L(z|L)1+u 1+u +QZ(z)dz [7] IIn.fCorsmisazta´ironanTdraJn.smKios¨snieorn,,“vBorlo.a3d2c,ansto.c1h,anpnpe.l4s0w–4it7h,1c9o9n6fi.dential mes- ZZ (cid:16) (cid:17) sages,”IEEETrans.Inform.Theory,vol.24,pp.339–348, 1978. |M| 1 =1+( |L| )1+uu ELQZ|L(z|L)1+u 1+udz [8] nGo..D2.,Fpopr.n2ey8,1J–r3.,0“0T,rMellairs.s1h9a9p2in.g,”IEEETrans.Inform.Theory,vol.38, ZZ(cid:16) (cid:17) [9] R.G.Gallager,InformationTheoryandReliableCommunication. New =1+(|M|)seφ¯(s,QnZ|L), York:JohnWiley&Sons,1968. |L| [10] M.Hamada,“Securityofquotientcodesforclassicalwiretapchannels,” inProc.SITA2009,Dec.2009,pp.309–314. where the inequalities can be shown in the following way. [11] M.Hayashi,“Generalnon-asymptoticandasymptoticformulasinchan- nelresolvability andidentification capacity anditsapplication towire- Ineq. (12) follows from (8). Ineq. (11) and (13) follow from tapchannel,”IEEETrans.Inform.Theory,vol.52,no.4,pp.1562–1575, inequality (x+y)u ≤ xu+yu for 0 ≤ u ≤ 1 and x,y ≥ 0. 2006. Ineq.(10) followsfromthe concavityof x7→xu for 0≤u≤ [12] ——, “Exponential evaluations in universal random privacy amplifica- 1. Ineq. (9) follows from the convexity of x7→ex. Since the tion,”2009,arXiv:0904.0308. [13] D.Klinc,J.Ha,S.M.McLaughlin,J.Barros,andB.-J.Kwak,“LDPC above inequality implies codes fortheGaussian wiretap channel,” inProc. ITW,Oct. 2009, pp. 95–99. EFφ¯(s,QZ|F(L))≤ln[1+(||ML||)seφ¯(s,QnZ|L)] [14] Sch.aKnn.eLl,e”uInEgE-YEanT-rCanhse.oInngfoarnmd.TMh.eoEr.y,Hveolllm.2an4,,p“pT.h4e5g1a–u4s5s6ia,nJuwl.ir1e9-7ta8p. [15] Y. Liang, H. V. Poor, and S. Shamai (Shitz), Information Theoretic ≤(|M|)seφ¯(s,QnZ|L), Security. Hanover,MA,USA:NOWPublishers, 2009. |L| [16] R. Matsumoto, “Problems in application of ldpc codes to infor- mation reconciliation in quantum key distribution protocols,” 2009, using (7) we obtain (6). arXiv:0908.2042. [17] U. Maurer and S. Wolf, “Information-theoretic key agreement: From weak to strong secrecy for free,” in EUROCRYPTO 2000, ser. LNCS, VI. CONCLUSION B.Preneel, Ed. Springer-Verlag, 2000,vol.1807,pp.351–368. [18] J. Muramatsu and S. Miyake, “Construction of wiretap channel codes Inthis paper,startingfroman arbitrarygivenchannelcode, byusingsparsematrices,” inProc.ITW,Oct.2009,pp.105–109. we showed two constructions of wiretap codes. The first [19] R.Renner,“Securityofquantumkeydistribution,”InternationalJournal one involves the randomized selection of channel encoders. onQuantumInformation,vol.6,no.1,pp.1–127,Feb.2008,(originally publishedasPh.Dthesis,ETHZu¨rich,Switzerland, 2005). The second one is deterministic. These two construction can [20] A. Thangaraj, S. Dihidar, A. Calderbank, S. McLaughlin, and J.-M. achieve the wiretap capacity under different conditions. Our Merolla,“Applicationofldpccodestothewiretapchannel,”IEEETrans. constructions provide the strong security. Inform.Theory,vol.53,pp.2933–2945,Aug.2007. [21] A.D.Wyner,“Thewire-tapchannel,”BellSystemTech.J.,vol.54,pp. Ideally, the addition of hash functions to an arbitrary given 1355–1387, 1975. channel code should always achieve the wiretap capacity wheneverthe given channel code achieves the capacity of the composition of the artificially added channel Q plus the X|T physicalchannelQ . The proposedconstructionsfall short Z|X of this ideal. The improved construction should be explored. The numerical computation of an optimal Q from given X|T Q and Q is also an open problem. Y|X Z|X 5

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users