1 On MMSE Properties of Codes for the Gaussian Broadcast and Wiretap Channels Ronit Bustin, Rafael F. Schaefer, H. Vincent Poor and Shlomo Shamai (Shitz) 5 1 Abstract 0 2 This work concerns the behavior of “good” (capacity achieving) codes in several multi-user settings b e in the Gaussian regime, in terms of their minimum mean-square error (MMSE) behavior. The settings F investigated in this context include the Gaussian wiretap channel, the Gaussian broadcast channel (BC) 5 2 and the Gaussian BC with confidential messages (BCC). In particular this work addresses the effects of ] transmitting such codes on unintended receivers, that is, receivers that neither require reliable decoding T I of the transmitted messages nor are they eavesdroppers that must be kept ignorant, to some extent, of . s c the transmitted message. This work also examines the effect on the capacity region that occurs when we [ limit the allowed disturbance in terms of MMSE on some unintended receiver. This trade-off between 2 v thecapacityregionandthedisturbanceconstraintisgivenexplicitlyfortheGaussianBCandthesecrecy 4 9 capacity region of the Gaussian BCC. 9 5 0 . I. INTRODUCTION 1 0 In this work we consider the scalar Gaussian channel with various requirements on transmission. The 5 1 scalar Gaussian channel is a degraded channel, meaning that a receiver at a higher signal-to-noise ratio : v i (SNR) is a stronger receiver and can obtain all the information that a weaker receiver (i.e., a receiver X r at a lower SNR) can. The basic requirement is that of reliable communication. This requirement defines a the Gaussian point-to-point channel, the capacity of which has been derived by Shannon in his seminal paper [1]. In [2] and [3] the behavior of the input-output mutual information, at every SNR, assuming the input is a codeword from a “good” codebook sequence (a capacity achieving code sequence), has been investigated. It was shown that in the limit, as blocklength n goes to infinity, this quantity follows TheworkofR.BustinwassupportedinpartbythewomenpostdoctoralscholarshipofIsrael’sCouncilforHigherEducation (VATAT) 2014-2015, in part by the the U. S. Army Research Office under MURI Grant W911NF-11-1-0036, and in part by the U. S. National Science Foundation under Grant ECCS-1343210. The work of R. F. Schaefer was supported by the German ResearchFoundation(DFG)undergrantWY151/2-1.TheworkofS.ShamaiwassupportedbyTheIsraeliScienceFoundation (ISF) and the European FP7 Network of Excellence in Wireless COMmunications NEWCOM#. 2 the behavior of an independent and identically distributed (i.i.d.) Gaussian input to the channel, up to the SNR at which reliable decoding is possible. This property is also related to [4] where it was shown that the output statistics of a “good” code sequence approaches the output distribution produced by the i.i.d. capacity achieving input distribution. It follows that the behavior of the minimum mean-square error (MMSE) when estimating a codeword from a “good” codebook sequence from the channel output at different SNRs follows the MMSE of an i.i.d. Gaussian input to the channel [2], [3]. As such the effect of a “good” code on receivers at lower SNRs in terms of the MMSE is well defined. More recently the effect of “bad” code sequences has been investigated [5], that is, reliable codes of lower rates than the capacity. More specifically, the exact minimal MMSE that can be obtained by a code of rate R was derived,andwasshowntobethatobtainedbyasuperpositioncodesequence.Thisgivessomeengineering intuition into the efficiency of the Han-Kobayashi achievable region to the two-user Gaussian interference channel [6]. When considering potential receivers of the transmission at lower SNRs, an immediate requirement is confidentiality. This is exactly the degraded Gaussian wiretap channel, where we have one legitimate receiver,whichrequiresreliablecommunication,andoneeavesdropper,whichmustbekeptasignorantas possible with respect to the transmitted message. The degraded wiretap channel was presented by Wyner [7], who showed that secrecy can be obtained simply by taking advantage of the physical layer - the channel to the legitimate receiver as compared to the channel of the eavesdropper. Since this initial work many have investigated the model and important results have been obtained: specifying the results for the Gaussian model [8], extending to the general non-degraded channel [9], extensions to the Gaussian multiple-input/multiple-output (MIMO) channel, independently in [10], [11] and in [12] (for a more detailed review of the topic see [13] and [14] and references therein). Recently, more attention has been giventothedesignof“good”codesforthewiretapchannel.Thiswasfirstdoneforthediscrete,degraded, wiretap channel [15], [16], [17]. Tyagi and Vardi have shown a construction for the scalar Gaussian wiretap channel [18]. The approach in both cases was to use existing capacity approaching codes for the point-to-point channel to construct from them codes that comply with the secrecy constraint. More recently, Chou and Bloch considered the discrete broadcast channel (BC) with confidential messages and developed a low-complexity polar code scheme [19]. InthisworkwecontinuetoexaminethescalarGaussianwiretapchannelandspecificallytheproperties of the MMSE function of specific families of codes for this setting. This analysis proves known “rules of thumb” in the design of such codes, and extends upon them to provide a good understanding to what is expected from a “good” code for this channel. Moreover, similar to the analysis of optimal point-to- 3 point codes done in [2] and [3], such an understanding allows us to determine the effect/disturbance of these codes on other possible unintended receivers that are neither eavesdroppers nor require the reliable decoding of the message. A different requirement to consider is reliable communication to an additional, weaker, receiver on top of the reliable communication to the stronger receiver. This defines the degraded Gaussian BC. The BC was originally presented by Cover [20], who also defined the degraded BC, and conjectured its capacity region. The achievability proof of the degraded BC was presented by Bergmans [21], while the converse proof was derived by Gallager [22]. A converse proof for the Gaussian BC was derived in parallel by Bergmans [23] using the entropy power inequality (EPI). An alternative proof based on the single-letter expression and using the I-MMSE relationship was presented in [24]. A comprehensive survey of the BC can be found in [25] or [26]. In[3]thebehavioroftheMMSEfunctionofatypicalcodesequencefromahierarchicalcodeensemble, designed to achieve capacity of the Gaussian BC, has been derived, via statistical physics methods. In this work we extend upon the above results and show that any “good” code sequence for the degraded Gaussian BC exhibits the same behavior for the mutual information and MMSE functions. This behavior is that of a capacity achieving superposition code sequence, but holds for any “good” code sequence, that is, also code sequences designed using the “Dirty Paper Coding” (DPC) approach [27], [28]. As such, the full effect of “good” code sequences in term of the mutual information and MMSE functions is well defined. Moreover, we provide necessary and sufficient conditions for reliable decoding in general and for “good” code sequences for the degraded scalar Gaussian BC, specifically. These conditions are given in the form of properties on the MMSE and conditional MMSE functions. The two requirements mentioned above, that is, confidentiality and an additional weaker receiver, can be combined into a degraded Gaussian BC with confidential messages (BCC). This problem has been considered already in the work of Csisz´ar and Ko¨rner [9], as the reliable rate to the weaker receiver can be considered as a rate of a common message (due to the degraded nature of the channel). Csisz´ar and Ko¨rner [9] provide a full single-letter solution for the rate equivocation region of this problem. In this work we explore the case of maximum level of equivocation (secrecy) for the message sent to the stronger receiver in the BCC. We distinguish between the cases of maximum possible rate for this message and the case of complete secrecy. We show that in both cases the MMSE when estimating the codeword from the output follows that of the Gaussian BC, and the difference in the capacity region is due to the different behavior of the other relevant MMSE functions. So far we have mentioned two types of requirements: reliable communication and confidentiality 4 (equivocation). Another requirement concerns unintended receivers that are not interested in the trans- mission (i.e., do not require reliable communication) and are also not potential eavesdroppers (i.e., so no confidentiality is required). As shown in [5] an MMSE constraint at such receivers provides useful insightsintothedisturbancethatthetransmissionimposesonthesetypesofreceivers.Withrespecttothis we examine two problems: the capacity region of the degraded Gaussian BC given an MMSE constraint and the secrecy capacity region of the degraded Gaussian BCC given an MMSE constraint. In both problems we need to distinguish between two cases depending on the SNR of the unintended receiver. We show that the capacity achieving scheme in both is based on superposition, whereas in the Gaussian BCC, depending on the SNR of this receiver, we can obtain capacity by using either a superposition code sequence for the wiretap code sequence to the stronger receiver, or a superposition code sequence to the weaker receiver. As this work concerns the MMSE performance of code sequences, we use the fundamental relationship betweeninformationtheoryandestimationtheory,namelythesocalledI-MMSErelationship[29].Aswe discuss “good” code sequences, we consider the behavior of the MMSE function in the limit as n → ∞. This limit might not always exist; however if we restrict ourselves to information stable distributions (for which the information rate is defined), we can discuss the limsup of the MMSE function. We show that the relevant properties used in the context of the limit can also be considered with regard to the limsup. Specifically, this holds for the “single crossing point” property, originally derived in [24], which examines the difference between the MMSE function assuming a Gaussian input distribution and the MMSE function of any arbitrary input distribution. This property shows that this difference has at most a single crossing of the horizontal axis, meaning that if for some SNR the two MMSE functions are equal, for any higher SNR the MMSE function of the Gaussian input will attain a higher value (assuming the two are not equal for all SNR, which occurs only when both have the same Gaussian input distribution). In this paper we extend the simplest vector version of this property, derived in [30], to a conditioned version. Notation: We denote a random variable using uppercase letter, such as X. Its realizations are denoted using a lower case letter (e.g., x). We denote a length n random vector with bold uppercase letter and the subscript n (e.g., X ). Specific realization of the random vector are denoted using the equivalent n lower case (e.g., x ). When we consider quantities after taking the dimension to infinity, n → ∞, we n remove all subscripts n. The trace operator is denoted by Tr and the transpose operator is denoted by (·)T. The standard vector norm is denoted by (cid:107) · (cid:107). The expectation operator is denoted by E and the derivative of some function with respect to one of its parameter, for example γ, is denoted by D . γ 5 The paper is structured as follows: we begin with some preliminary results and definitions in Section II. The Gaussian wiretap problem is discussed in Section III. The Gaussian BC problem is discussed in Section IV. The Gaussian BCC is discussed in Section V, and the disturbance constraints are considered in Section VI. We then conclude and summarize the paper. II. PRELIMINARY DEFINITIONS In this section we provide the central definitions and results that will be used throughout the paper. A. The Code Sequences Inthisworkwesplitthedefinitionofacodesequenceanddistinguishbetweenthesetofcodewordsand the mapping of messages to these codewords. We define a codebook sequence C = {C }∞ where C n n=1 n is a set of length-n codewords denoted as the random vector X with realizations denoted as x . These n n codewords must comply with a power constraint. With no loss of generality we assume the following: 1 (cid:107) x (cid:107)2≤ 1, ∀x ∈ C . (1) n n n n We further define a mapping sequence f = {f }∞ where f is a mapping from a message W to a n n=1 n codeword of length-n, i.e., f (W) = x . (2) n n Thestandarddefinitionofacodesequenceisapair(C,f).SuchapairissaidtohaverateRifthemessage W is one of {1,2,...,2nR} (assumed uniformly distributed over the set) and is mapped to a codeword x ∈ C . Note that these mappings are not necessarily deterministic, specifically if confidentiality is n n required then stochastic encoding is necessary [14, Section 3.4.1], in which case, for each message W i there is a subset S ⊂ C such that f (W ) ∈ S . These subsets are disjoint in order to allow reliable i n n i i communication over the channel. The code sequence pairs (C,f) considered in this paper are assumed to be information stable, meaning all mutual information rates are assumed to converge as n → ∞. B. The I-MMSE Approach The main approach used here is the I-MMSE approach, that is to say that we make use of the fundamental relationship between the mutual information and the MMSE in the Gaussian channel and its generalizations [29], [31], [32], [33]. Even though we are examining scalar settings, the n-dimensional 6 version of this relationship is required since we are looking at the transmission of length-n codewords through the channel. In our setting the relationship is as follows: 1I(cid:0)Xn;√snrXn+Nn(cid:1) = 1 (cid:90) snrMMSE(Cn,fn)(γ)dγ (3) n 2 0 where N is standard additive Gaussian noise, X is the input signal of any arbitrary distribution (as n n long as the above mutual information is finite [34]), MMSE(Cn,fn)(γ) = n1Tr(EXn(γ)) and EXn(γ) is the MMSE matrix defined as follows: E (γ) = E(cid:8)(X −E{X |√γX +N })(X −E{X |√γX +N })T(cid:9). (4) X n n n n n n n n n Note that in our setting the distribution of X is defined by the mapping f and the assumption of n n uniformly distributed messages, W. The I-MMSE relationship has also been extended to conditional cases [24]. Consider a joint distri- bution over (X ,U) independent of the additive Gaussian noise. Denote the random vector X with n n,u distribution P . Applying the I-MMSE relationship we have X|U=u 1I(cid:0)Xn,u;√snrXn,u+Nn(cid:1) = 1 (cid:90) snrMMSE(Cn,fn)(γ|U = u)dγ (5) n 2 0 where MMSE(Cn,fn)(γ|U = u) = n1Tr(EXn(γ,u)) and E (γ,u) = E(cid:8)(X −E{X |√γX +N })(X −E{X |√γX +N })T(cid:9). (6) X n,u n,u n,u n n,u n,u n,u n n Since (X ,U) is independent of the noise we have that n (cid:8) √ E (γ,u) = E (X −E{X | γX +N ,U = u}) X n n n n n (X −E{X |√γX +N ,U = u})T|U = u(cid:9). (7) n n n n Taking the expectation over U results with E{E (γ,U)} = E(cid:8)(X −E{X |√γX +N ,U})(X −E{X |√γX +N ,U})T(cid:9) (8) X n n n n n n n n n and MMSE(Cn,fn)(γ|U) = E(cid:8)n1Tr(EXn(γ,U))(cid:9). Moreover, this independence also allows us to write (5) as 1I(cid:0)Xn;√snrXn+Nn|U = u(cid:1) = 1 (cid:90) snrMMSE(Cn,fn)(γ|U = u)dγ. (9) n 2 0 7 Taking the expectation on both sides of (9) with respect to U we obtain the following conditioned version of the I-MMSE relationship: 1I(cid:0)Xn;√snrXn+Nn|U(cid:1) = 1 (cid:90) snrMMSE(Cn,fn)(γ|U)dγ. (10) n 2 0 We now take the limit as n → ∞ on both sides of the I-MMSE relationship (3). In order to simplify notation the quantities at the limit, as n → ∞ are simply denoted by removing the subscript n. For code sequences for which the relevant MMSE quantities converge as n → ∞, the exchange of limit and integration is according to Lebesgue’s dominated convergence theorem [35], since the MMSE quantities are always bounded. Thus, we have (cid:0) √ (cid:1) 1 (cid:0) √ (cid:1) I X; snrX +N ≡ lim I X ; snrX +N n n n n→∞ n 1 (cid:90) snr = lim MMSE(Cn,fn)(γ)dγ n→∞ 2 0 1 (cid:90) snr = MMSE(C,f)(γ)dγ. (11) 2 0 When this is not the case (i.e., the MMSE does not converge) we can apply the reverse Fatou’s Lemma [35] and conclude that (cid:90) snr (cid:90) snr lim MMSE(Cn,fn)(γ)dγ = MMSE(C,f)(γ)supdγ (12) n→∞ 0 0 where MMSE(C,f)(γ)sup = limsupMMSE(Cn,fn)(γ) (13) n→∞ due to the stability of the information rates. We show this precisely in Appendix A. In this case the MMSE quantities throughout the paper are the limsup of the MMSE sequences, which always exist and, since the MMSE function is bounded, are also finite. Another property used in the proof is a simple extension of the n-dimensional “single crossing point” property derived in [30] to the conditioned case considered here. For an arbitrary random vector X we n consider the following function σ2 (cid:26)1 (cid:27) q(X |U,σ2,γ) = −E Tr(E (γ,U)) (14) n 1+σ2γ n Xn σ2 = −MMSE(Cn,fn)(γ|U). (15) 1+σ2γ 8 Note that σ2 is the MMSE function assuming the input distribution is i.i.d. Gaussian with variance 1+σ2γ σ2.Thus,theabovefunctionisthedifferencebetweentheMMSEfunctionofani.i.d.Gaussianinputand the averaged MMSE function assuming an arbitrary joint distribution over (X ,U), that is independent n of the Gaussian noise. The following theorem is proved in Appendix B: Theorem 1. The function γ (cid:55)→ q(X |U,σ2,γ), defined in (15), has no nonnegative-to-negative zero n crossings and, at most, a single negative-to-nonnegative zero crossing in the range γ ∈ [0,∞). Moreover, let snr ∈ [0,∞) be that negative-to-nonnegative crossing point. Then, 0 1) q(X |U,σ2,0) ≤ 0. n 2) q(X |U,σ2,γ) is a strictly increasing function in the range γ ∈ [0,snr ). n 0 3) q(X |U,σ2,γ) ≥ 0 for all γ ∈ [snr ,∞). n 0 4) lim q(X |U,σ2,γ) = 0. γ→∞ n The above properties are valid for all natural n. As explained above, if the limit of MMSE(Cn,fn)(γ|U) exists then we may simply take the limit of the function q(X |U,σ2,γ). Alternatively, we show in Ap- n pendixCthatthe“singlecrossingpoint”propertyholdsalsobetween σ2 andlimsupMMSE(Cn,fn)(γ|U). 1+σ2γ Finally, in this section we denoted the MMSE function using MMSE(Cn,fn)(γ) (and its conditional version as MMSE(Cn,fn)(γ|U)) so as to emphasize the dependence on the code sequence. In the sequel we will simplify the notation and use the following: MMSE(Xn;γ) = MMSE(Cn,fn)(γ) (16) and MMSE(X ;γ|U) for the conditioned version. n III. THE GAUSSIAN WIRETAP CHANNEL A. Model and Definitions The Gaussian wiretap channel [7], over which length-n codewords are being transmitted, is denoted here as follows: √ Y = snr X +N n y n 1n √ Z = snr X +N (17) n z n 2n where X is the length-n transmitted codeword. N and N are standard additive Gaussian noise n 1n 2n vectorsthatcanbeassumedindependentofeachother,andsnr andsnr aretheSNRsatthetworeceivers. y z 9 We assume that snr > snr . Y represents the legitimate receiver, and Z represents the eavesdropper. A y z message W is transmitted to Y and needs to be reliably decoded. The message must be kept secret, to y some extent, from the eavesdropper. An (R,d) code sequence for this channel must reliably transmit the message, W , of cardinality 2nR, y to the legitimate receiver, and also guarantee an equivocation rate of d. These requirements can be written as follows: 1 lim I(W ;Y ) = R y n n→∞ n 1 lim H(W |Z ) = d. (18) y n n→∞ n The basic requirement from the pair (R,d) is that R ≥ d. As stated in [9] these conditions do not specify the joint conditional distribution of the outputs given the channel inputs, but only the marginals of this joint conditional distribution have an effect. As such, we may assume, without loss of generality, N = N = N . The rate-equivocation region (R,d) for this model was obtained by Wyner [7] and 1n 2n n is as follows:   (R,d) :      0 ≤ R ≤ I(X;Y) C = . (19)  0 ≤ d ≤ R       d ≤ [I(X;Y)−I(X;Z)] In the Gaussian setting considered here the capacity region is well-known [8], and is obtained by the standard Gaussian input in the above expression. We wish to distinguish between three rate-equivocation phenomena, which we define next. Definition 1. A code sequence obtains complete secrecy when R = d1. Definition 2. A code sequence is optimally secure when 1 d = d = lim [I(X ;Y )−I(X ;Z )]. (20) opt n n n n n→∞ n Definition 3. A code sequence (R,d) is at its maximum possible rate if 1 R = R = lim I(X ;Y ). (21) max n n n→∞ n 1Complete secrecy is sometimes referred to in the literature as full secrecy [14] or perfect secrecy. 10 We further define two quantities. The maximum level of equivocation, 1 1 d = log(1+snr )− log(1+snr ); (22) max y z 2 2 and the capacity of the point-to-point channel, which is also the maximum possible rate for the Gaussian wiretap channel, for any possible d, 1 C = log(1+snr ). (23) y 2 B. Main Results In this subsection we provide our main results and observations on code sequences for the scalar Gaussian wiretap channel. The proofs of these results are given in the next subsection. Theorem 2. Any code sequence for the Gaussian wiretap channel attains (R,d ), that is, optimal opt security, if and only if MMSE(X;γ|W ) = 0, γ ≥ snr (24) y z and MMSE(X;γ) = 0, γ ≥ snr (25) y regardless of the rate of the code (R ≥ d ). opt Note that optimally secure codes do not necessarily contain any confidential information; for example, any “good” point-to-point code sequence to Z will also be optimally secure with d = d = 0 (as opt I(X;Y) = I(X;Z)). Nonetheless, the importance of the above result is in emphasizing two properties ofthefamilyofcodesequencesthatareoptimallysecure.First,atsnr wecanfullydecodethetransmitted y codeword and not only the message sent. Second, given the message, full decoding of the codeword will be possible at and above snr . This observation supports the capacity achieving schemes in which the z knowledge of the message leads to full decoding of the codeword by the eavesdropper. Note that the above is valid for any point (R,d ) regardless of R (R ≥ d ). opt opt The above behavior can be further specified for the particular case of d = d as follows: opt max Corollary1. AnycodesequencefortheGaussianwiretapchannelattains(R,d ),thatis,themaximum max

