IEEE paper problem statements


description

Problem statements of microcontroller programming and embedded system designing


148 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Security Embedding Codes

Hung D. Ly, Student Member, IEEE, Tie Liu, Member, IEEE, and Yufei Blankenship, Member, IEEE

Abstract—This paper considers the problem of simultaneously communicating two messages, a high-security message and a low-security message, to a legitimate receiver, referred to as the security embedding problem. An information-theoretic formulation of the problem is presented. A coding scheme that combines rate splitting, superposition coding, nested binning, and channel prefixing is considered and is shown to achieve the secrecy capacity region of the channel in several scenarios. Specifying these results to both scalar and independent parallel Gaussian channels (under an average individual per-subchannel power constraint), it is shown that the high-security message can be embedded into the low-security message at full rate (as if the low-security message does not exist) without incurring any loss on the overall rate of communication (as if both messages are low-security messages). Extensions to the wiretap channel II setting of Ozarow and Wyner are also considered, where it is shown that “perfect” security embedding can be achieved by an encoder that uses a two-level coset code.

Index Terms—Channel uncertainty, multilevel security, physical-layer security, secrecy capacity, security embedding, wiretap channel.

Manuscript received February 08, 2011; revised June 01, 2011; accepted July 18, 2011. Date of publication August 04, 2011; date of current version January 13, 2012. This work was supported in part by the National Science Foundation under Grant CCF-09-16867 and in part by a gift grant from the Huawei Technologies USA. The material in this paper was presented in part at the 2010 IEEE International Symposium on Information Theory, Austin, TX, June 2010. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Z. Jane Wang.

H. D. Ly and T. Liu are with the Department of Electrical and Computer Engineering, Texas A&M University, College Station, TX 77843 USA (e-mail: [email protected]; [email protected]).

Y. Blankenship was with Huawei Technologies USA. She is now with Research In Motion, Rolling Meadows, IL 60008 USA (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2011.2163713

1556-6013/$26.00 © 2011 IEEE

I. INTRODUCTION

Physical-layer security has been a very active area of research in information theory. See [1] and [2] for overviews of recent progress in this field. A basic model of physical-layer security is a wiretap/broadcast channel [6], [7] with two receivers, a legitimate receiver and an eavesdropper. Both the legitimate receiver and the eavesdropper channels are assumed to be known at the transmitter. By exploring the statistical difference between the legitimate receiver and the eavesdropper channel, one may design coding schemes that can deliver a message reliably to the legitimate receiver while keeping it asymptotically perfectly secret from the eavesdropper.

While assuming the transmitter’s knowledge of the legitimate receiver channel might be reasonable (particularly when a feedback link is available), assuming that the transmitter knows the eavesdropper channel is unrealistic in most scenarios. This is mainly because the eavesdropper is an adversary, who usually has no incentive to help the transmitter to acquire its channel state information. Hence, it is critical that physical-layer security techniques are designed to withstand the uncertainty of the eavesdropper channel.

In this paper, we consider a communication scenario where there are multiple possible realizations for the eavesdropper channel. Which realization will actually occur is unknown to the transmitter. Our goal is to design coding schemes such that the number of secure bits delivered to the legitimate receiver depends on the actual realization of the eavesdropper channel. More specifically, when the eavesdropper channel realization is weak, all bits delivered to the legitimate receiver need to be secure. In addition, when the eavesdropper channel realization is strong, a prescribed part of the bits needs to remain secure. We call such codes security embedding codes, referring to the fact that high-security bits are now embedded into the low-security ones. We envision that such codes are naturally useful for the secrecy communication scenarios where information bits are not created equal: some of them have more security priorities than others and hence require stronger security protection during communication. For example, in real wireless communication systems, control plane signals have higher secrecy requirements than data plane transmissions, and signals that carry users’ identities and cryptographic keys require stronger security protections than the other signals.

A key question that we consider is at what expense one may allow part of the bits to enjoy additional security protections. Note that a “naive” security embedding scheme is to design two separate secrecy codes to provide two different levels of security protections, and apply them to two separate parts of the information bits via time sharing. In this scheme, the high-security bits are protected using a stronger secrecy code and hence are communicated at a lower rate. The overall communication rate is a convex combination of the low-security bit rate and the high-security bit rate and hence is lower than the low-security bit rate. Another simple scheme for security embedding is power sharing [3], where the transmitted signal is given by the superposition of two secrecy codes separately designed to protect the low-security and high-security bits. Though generally better than the time-sharing scheme, the overall rate of communication for the power-sharing scheme is still lower than that when all bits delivered are lower-security ones.

The main result of this paper is to show that it is possible to have a significant portion of the information bits enjoying additional security protections without sacrificing the overall rate of communication. This further justifies the name “security embedding,” as now having part of the information bits enjoying additional security protections is only an added bonus. More specifically, in this paper, we call a secrecy communication scenario embeddable if a nonzero fraction of the information bits can enjoy additional security protections without sacrificing the overall communication rate, and we call it perfectly embeddable if the high-security bits can be communicated at full rate (as if the low-security bits do not exist) without sacrificing the overall communication rate. Key to achieving efficient security embedding is to jointly encode the low-security and high-security bits (as opposed to separate encoding as in the time- and power-sharing schemes). In particular, the low-security bits can be used as (part of) the transmitter randomness to protect the high-security bits (when the eavesdropper channel realization is strong); this is the key feature of our proposed security embedding codes.

Our definition of security embedding and proposed coding schemes are mainly motivated by the special case where there are no secrecy constraints on the “low-security” bits. In this case, the problem of security embedding reduces to the problem of simultaneously communicating a private message and a confidential message, for which the secrecy capacity region was established in [4, p. 411] and [5]. Our main technical contribution in this paper is to extend the setting of [4, p. 411] and [5] to the general case where both low-security and high-security bits are subject to (different) asymptotic perfect secrecy constraints.

The rest of the paper is organized as follows. In Section II, we briefly review some basic results on the secrecy capacity and optimal encoding scheme for several classical wiretap channel settings. These results provide performance and structural benchmarks for the proposed security embedding codes. In Section III, an information-theoretic formulation of the security embedding problem is presented, which we term as two-level security wiretap channel. A coding scheme that combines rate splitting, superposition coding, nested binning, and channel prefixing is proposed and is shown to achieve the secrecy capacity region of the channel in several scenarios. Based on the results of Section III, in Section IV we study the engineering communication models with real channel input and additive white Gaussian noise, and show that both scalar and independent parallel Gaussian (under an individual per-subchannel average power constraint) two-level security wiretap channels are perfectly embeddable. In Section V, we extend the results of Section III to the wiretap channel II setting of Ozarow and Wyner [8], and show that two-level security wiretap channels II are also perfectly embeddable. Finally, in Section VI, we conclude the paper with some remarks.

Fig. 1. Wiretap channel.

II. WIRETAP CHANNEL: A REVIEW

Consider a discrete memoryless wiretap channel with transition probability , where is the channel input, and and are the channel outputs at the legitimate receiver and the eavesdropper, respectively (see Fig. 1). The transmitter has a message , uniformly drawn from where is the block length and is the rate of communication. The message is intended for the legitimate receiver, but needs to be kept asymptotically perfectly secret from the eavesdropper. Mathematically, this secrecy constraint can be written as

(1)

in the limit as , where is the collection of the channel outputs at the eavesdropper during communication. A communication rate is said to be achievable if there exists a sequence of codes of rate such that the message can be reliably delivered to the legitimate receiver while satisfying the asymptotic perfect secrecy constraint (1). The largest achievable rate is termed as the secrecy capacity of the channel.

A discrete memoryless wiretap channel is said to be degraded if forms a Markov chain in that order. The secrecy capacity of a degraded wiretap channel was characterized by Wyner [6] and can be written as

(2)

where the maximization is over all possible input distributions.¹ The scheme proposed in [6] to achieve the secrecy capacity (2) is random binning, which can be described as follows. Consider a codebook of codewords, each of length. The codewords are partitioned into bins, each containing codewords. Given a message (which is uniformly drawn from ), the encoder randomly and uniformly chooses a codeword in the th bin and sends it through the channel. The legitimate receiver needs to decode the entire codebook (and hence recover the transmitted message ), so the overall rate cannot be too high. On the other hand, the rate of the subcodebooks in each bin represents the amount of external randomness injected by the transmitter (transmitter randomness) into the channel and hence needs to be sufficiently large to confuse the eavesdropper. With an appropriate choice of the codebooks and the partitions of bins, it was shown in [6] that any communication rate less than the secrecy capacity (2) is achievable by the aforementioned random binning scheme.

¹ Later in [7], it was shown that the degradation requirement can be replaced by a weaker “more capable” condition.

For a general discrete memoryless wiretap channel where the channel outputs and are not necessarily ordered, the random binning scheme of [6] is not necessarily optimal. In this case, the secrecy capacity of the channel was characterized by Csiszár and Körner [7] and can be written as

(3)

where is an auxiliary random variable satisfying the Markov chain . The scheme proposed in [7] is to first prefix the channel input by and view as the input of the induced wiretap channel . Applying the random binning scheme of [6] to the induced wiretap channel proves the achievability of rate

for any given joint auxiliary-input distribution .

In communication engineering, communication channels are usually modeled as discrete-time channels with real input and additive white Gaussian noise. Consider a (scalar) Gaussian wiretap channel where the channel outputs at the legitimate receiver and the eavesdropper are given by

(4)

Here, is the channel input which is subject to the average power constraint

(5)

and are the channel gains for the legitimate receiver and the eavesdropper channel, respectively, and and are additive white Gaussian noise with zero means and unit variances. The secrecy capacity of the channel was characterized in [9] and can be written as

(6)

where . Note from (6) that if and only if . That is, for the Gaussian wiretap channel (4), asymptotic perfect secrecy communication is possible if and only if the legitimate receiver has a larger channel gain than the eavesdropper. In this case, we can equivalently write the channel output at the eavesdropper as a degraded version of the channel output at the legitimate receiver, and the random binning scheme of [6] with Gaussian codebooks and full transmit power achieves the secrecy capacity of the channel.

A closely related engineering scenario consists of a bank of independent parallel scalar Gaussian wiretap channels [10]. In this scenario, the channel outputs at the legitimate receiver and the eavesdropper are given by and , where

(7)

Here, is the channel input for the th subchannel, and are the channel gains for the legitimate receiver and the eavesdropper channel, respectively, in the th subchannel, and and are additive white Gaussian noise with zero means and unit variances. Furthermore, are independent for so all subchannels are independent of each other.

Two different types of power constraints have been considered: the average individual per-subchannel power constraint

(8)

and the average total power constraint

(9)

Under the average individual per-subchannel power constraint (8), the secrecy capacity of the independent parallel Gaussian wiretap channel (7) is given by [10]

(10)

where is defined as in (6). Clearly, any communication rate less than the secrecy capacity (10) can be achieved by using separate scalar Gaussian wiretap codes, each for one of the subchannels. The secrecy capacity, , under the average total power constraint (9) is given by

(11)

where the maximization is over all possible power allocations such that . A waterfilling-like solution for the optimal power allocation was derived in [10, Th. 1], which provides an efficient way to numerically calculate the secrecy capacity .

III. TWO-LEVEL SECURITY WIRETAP CHANNEL

A. Channel Model

Consider a discrete memoryless broadcast channel with three receivers and transition probability . The receiver that receives the channel output is a legitimate receiver. The receivers that receive the channel outputs and represent two possible realizations of an eavesdropper. Assume that the channel output is degraded with respect to the channel output, i.e., forms a Markov chain in that order, so represents a stronger realization of the eavesdropper than .

The transmitter has two independent messages: a high-security message uniformly drawn from and a low-security message uniformly drawn from , where is the block length, and and are the corresponding rates of communication. Both messages and are intended for the legitimate receiver, and need to be kept asymptotically perfectly secure when the eavesdropper realization is weak, i.e.,

(12)

in the limit as . In addition, when the eavesdropper realization is strong, the high-security message needs to remain asymptotically perfectly secure, i.e.,

(13)

in the limit as . A rate pair is said to be achievable if there is a sequence of codes of rate pair such that both messages and can be reliably delivered to the legitimate receiver while satisfying the asymptotic perfect secrecy constraints (12) and (13). The collection of all possible achievable rate pairs is termed as the secrecy capacity region of the channel. Fig. 2 illustrates this communication scenario, which we term as two-level security wiretap channel.

Fig. 2. Two-level security wiretap channel.

The above setting of two-level security wiretap channel is closely related to the traditional wiretap channel setting of [6] and [7]. More specifically, without the additional secrecy constraint (13) on the high-security message , we can simply view the messages and as a single (low-security) message with rate . In this case, the problem reduces to communicating the message over the traditional wiretap channel with transition probability , and the maximum achievable is given by . Similarly, without needing to communicate the low-security message (i.e., ), the basic secrecy constraint (12) reduces to , which is implied by the additional secrecy constraint (13) due to the assumption that is degraded with respect to . In this case, the problem reduces to communicating the high-security message over the traditional wiretap channel with transition probability , and the maximum achievable is given by . We thus have the following simple observation.

Fact 1: A two-level security wiretap channel where is degraded with respect to is embeddable if there exists a sequence of codes with rate pair such that and , and it is perfectly embeddable if there exists a sequence of codes with rate pair such that and .

An important special case of the two-level security wiretap channel problem considered here is when the channel output is a constant signal. In this case, the secrecy constraint (12) becomes obsolete, and the low-security message becomes a private message without being subject to any secrecy constraints. The problem of simultaneously communicating a private message and a confidential message over a discrete memoryless wiretap channel was considered in [4, p. 411] and [5], where a single-letter characterization of the secrecy capacity region was established. For the general two-level security wiretap channel problem that we consider here, both high-security message and the low-security message are subject to asymptotic perfect secrecy constraints, which makes the problem much more involved.
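The Introduction's time-sharing argument set against the perfectly embeddable case, worked numerically for parallel Gaussian channels under a per-subchannel power constraint (a single subchannel gives the scalar case). This is an added example, not code from the paper: it assumes the standard Gaussian secrecy capacity max(0, 0.5*log2(1+aP) - 0.5*log2(1+bP)) for (6) and its per-subchannel sum for (10), and it reads "perfectly embeddable" as the high-security rate reaching the secrecy capacity against the strong realization while the total rate reaches the secrecy capacity against the weak one. All function names and the sample powers and gains are constructed for illustration.

```python
import math


def secrecy_capacity(power, gain_rx, gain_eve):
    """Scalar Gaussian wiretap secrecy capacity, in bits per channel use.

    Assumed form of (6): max(0, 0.5*log2(1 + a*P) - 0.5*log2(1 + b*P)),
    with unit-variance noise at both receivers.
    """
    if min(power, gain_rx, gain_eve) < 0:
        raise ValueError("power and gains must be nonnegative")
    ratio = (1.0 + gain_rx * power) / (1.0 + gain_eve * power)
    return max(0.0, 0.5 * math.log2(ratio))


def parallel_secrecy_capacity(powers, gains_rx, gains_eve):
    """Assumed form of (10): the per-subchannel secrecy capacities add up."""
    if not len(powers) == len(gains_rx) == len(gains_eve):
        raise ValueError("need one power and one gain pair per subchannel")
    return sum(secrecy_capacity(p, a, b)
               for p, a, b in zip(powers, gains_rx, gains_eve))


def capacities(powers, gains_rx, gains_weak, gains_strong):
    """Return (C_weak, C_strong), the secrecy capacity against each realization."""
    if len(gains_weak) != len(gains_strong):
        raise ValueError("need both eavesdropper gains for every subchannel")
    # Assumption of this example: the weak realization has no larger gain than
    # the strong one on any subchannel (mirrors the degradedness assumption).
    if any(bw > bs for bw, bs in zip(gains_weak, gains_strong)):
        raise ValueError("weak realization must not exceed the strong one")
    return (parallel_secrecy_capacity(powers, gains_rx, gains_weak),
            parallel_secrecy_capacity(powers, gains_rx, gains_strong))


def embedding_corner(powers, gains_rx, gains_weak, gains_strong):
    """Perfect-embedding rate pair: R1 = C_strong and R1 + R2 = C_weak."""
    c_weak, c_strong = capacities(powers, gains_rx, gains_weak, gains_strong)
    return c_strong, c_weak - c_strong


def time_sharing(fraction_high, powers, gains_rx, gains_weak, gains_strong):
    """Naive scheme: a fraction of the block uses the code built for the strong
    realization (high-security bits), the rest the code for the weak one."""
    if not 0.0 <= fraction_high <= 1.0:
        raise ValueError("fraction_high must lie in [0, 1]")
    c_weak, c_strong = capacities(powers, gains_rx, gains_weak, gains_strong)
    return fraction_high * c_strong, (1.0 - fraction_high) * c_weak


# Constructed sample: three subchannels with 10 units of power each. On the
# last two the strong realization out-hears the legitimate receiver, so they
# carry no high-security rate but still carry low-security rate.
POWERS = [10.0, 10.0, 10.0]
GAINS_RX = [1.0, 0.5, 0.2]
GAINS_WEAK = [0.1, 0.1, 0.1]
GAINS_STRONG = [0.5, 0.6, 0.3]

if __name__ == "__main__":
    args = (POWERS, GAINS_RX, GAINS_WEAK, GAINS_STRONG)
    r1, r2 = embedding_corner(*args)
    print(f"embedding    R1={r1:.3f} R2={r2:.3f} total={r1 + r2:.3f}")
    for frac in (0.0, 0.5, 1.0):
        t1, t2 = time_sharing(frac, *args)
        print(f"time sharing R1={t1:.3f} R2={t2:.3f} total={t1 + t2:.3f}")
```

With time sharing, reaching the full high-security rate (fraction 1) leaves no low-security rate at all, whereas the embedding corner keeps the total at the weak-realization capacity.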

B. Main Results

The following theorem provides a sufficient condition for establishing the achievability of a rate pair for the discrete memoryless two-level security wiretap channel.

Theorem 1: Consider a discrete memoryless two-level security wiretap channel with transition probability where is degraded with respect to . A nonnegative pair is an achievable rate pair of the channel if it satisfies

and

(14)

for some joint distribution , where , , and are auxiliary random variables satisfying the Markov chain .

A proof of the theorem is provided in Section III-C.

Note that to show that every rate pair that satisfies (14) is achievable, we only need to consider the case where . This can be seen as follows. Assuming that , we have

It follows that every rate pair that satisfies (14) must satisfy

and

(15)

which is a special case of (14) by setting so that .

To show that every rate pair that satisfies (14) for which is achievable, we shall consider a coding scheme that combines rate splitting, superposition coding, nested binning, and channel prefixing. In particular, (part of) the low-security message will be used as (part of) the transmitter randomness to protect the high-security message (when the eavesdropper channel realization is strong). See Section III-C for the details of the proof.
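The idea in the paragraph above, that low-security bits double as transmitter randomness for the high-security bits, shown on a toy two-level coset code with exact leakage computed by enumeration. This is an added example and not the paper's construction: it assumes a wiretap channel II style eavesdropper who reads a chosen subset of the transmitted bits noiselessly (1 position for the weak realization, 3 for the strong one), and the length-4 code, both matrices, and all names are constructed for illustration.

```python
import itertools
import math
import random
from collections import Counter

N = 4  # block length in bits (constructed toy size)

# Two-level parity-check matrix, constructed for this example. Row 0 yields
# the high-security bit m1, rows 1-2 yield the two low-security bits m2.
H_NESTED = [(1, 1, 1, 1),
            (1, 1, 0, 0),
            (0, 1, 1, 0)]

# Same row space, so the whole message is protected equally well against the
# weak realization, but the high-security bit rides on a weight-2 check.
H_FLAT = [(1, 1, 0, 0),
          (0, 1, 1, 0),
          (0, 0, 1, 1)]

WORDS = list(itertools.product((0, 1), repeat=N))


def syndrome(rows, word):
    """Message bits carried by a word: one GF(2) inner product per row.
    This is also the legitimate receiver's decoder (it sees every bit)."""
    return tuple(sum(r & b for r, b in zip(row, word)) % 2 for row in rows)


def encode(rows, message, rng=random):
    """Send a uniformly random member of the coset (bin) labelled by message."""
    coset = [w for w in WORDS if syndrome(rows, w) == tuple(message)]
    return rng.choice(coset)


def leakage_bits(rows, observed):
    """Exact mutual information, in bits, between the message syndrome(rows, X)
    and the tapped positions of X. Uniform messages and a uniform choice inside
    a full-rank code's cosets make the transmitted word X uniform."""
    joint, p_msg, p_obs = Counter(), Counter(), Counter()
    for word in WORDS:
        msg = syndrome(rows, word)
        obs = tuple(word[i] for i in observed)
        joint[msg, obs] += 1
        p_msg[msg] += 1
        p_obs[obs] += 1
    total = len(WORDS)
    return sum(c / total * math.log2(c * total / (p_msg[m] * p_obs[o]))
               for (m, o), c in joint.items())


def worst_case_leakage(rows, num_observed):
    """Largest leakage over every choice of num_observed tapped positions."""
    return max(leakage_bits(rows, taps)
               for taps in itertools.combinations(range(N), num_observed))


def report(matrix):
    """Leakage for the three questions the two-level setting asks."""
    return {
        # weak realization, all three message bits together
        "weak_all_bits": worst_case_leakage(matrix, 1),
        # strong realization, high-security bit only (row 0)
        "strong_high_bit": worst_case_leakage(matrix[:1], 3),
        # strong realization, all bits: the low-security bits may leak here
        "strong_all_bits": worst_case_leakage(matrix, 3),
    }


if __name__ == "__main__":
    word = encode(H_NESTED, (1, 0, 1))
    print("sent", word, "decoded", syndrome(H_NESTED, word))
    print("nested:", report(H_NESTED))
    print("flat:  ", report(H_FLAT))
```

In the nested code each coset holds only two words, so a single fresh random bit hides all three message bits from the one-position tap, while against the three-position tap the high-security bit stays hidden because the two low-security bits act as additional randomness for it. The flat code shows that this depends on which check carries the high-security bit.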

Combining Theorem 1 with Fact 1, we have the following sufficient conditions for establishing that a two-level security wiretap channel is (perfectly) embeddable. The conditions are stated in terms of the existence of a joint auxiliary-input distribution.

Corollary 2: A two-level security wiretap channel , where is degraded with respect to is embeddable if there exists a joint distribution satisfying the Markov chain and such that

and

(16)

and it is perfectly embeddable if there exists a joint distribution satisfying the Markov chain and such that

and

(17)

Assume that is less noisy than , i.e., for any random variable satisfying the Markov chain . In this case, we have a precise characterization of the secrecy capacity region as summarized in the following theorem.

Theorem 3: Consider a discrete memoryless two-level security wiretap channel with transition probability where is degraded with respect to and is less noisy than . The secrecy capacity region of the channel is given by the set of all nonnegative pairs that satisfy

and

(18)

for some joint distribution , where and are auxiliary random variables satisfying the Markov chain .

The forward part of the theorem follows directly from Theorem 1 by setting to be constant. The converse part of the theorem is proved in Appendix A, which mainly involves identifying a choice for the auxiliary random variables and . Note that when the channel output is constant, the conditions that is degraded with respect to and is less noisy than are trivially met by any channel outputs . In this case, Theorem 3 recovers the results of [4, p. 411] and [5] on simultaneously communicating a private message and a confidential message over a discrete memoryless wiretap channel.

Assume, instead, that is less noisy than . Given that is degraded with respect to , this implies that is also less noisy than . In this case, we have

(19)

(20)

(21)

(22)

and

(23)

(24)

where (20) and (22) are due to the fact that is less noisy than , and (24) is due to the fact that is less noisy than . Thus, without loss of generality, we may set and to be constant in (18), which leads to a simpler characterization of the secrecy capacity region that does not involve any auxiliary random variables. We summarize this result in the following theorem.

Theorem 4: Consider a discrete memoryless two-level security wiretap channel with transition probability , where is degraded with respect to and is less noisy than . The secrecy capacity region of the channel is given by the set of all nonnegative pairs that satisfy

and

(25)

for some input distribution .

C. Proof of Theorem 1

As mentioned previously in Section III-B, to proveTheorem 1, we only need to consider the case where

. To show that every rate pairthat satisfies (14) for which

is achievable, we shall consider a coding scheme that combinesrate splitting, superposition coding, (nested) binning, and prefixcoding. Our code construction relies on a random-codingargument, which can be described as follows.Fix a joint auxiliary-input distribution

with and . Split the low-securitymessage into two independent submessages andwith rates and , respectively.Codebook generation. Our entire codebook consists of three

layers: the -codebook as the bottom layer, the -codebookas the middle layer, and the -codebook as the top layer. The-codebook consists of a single length- sequence , gener-ated according to an -product of .Given , randomly and independently generate

codewords of length according to an-product of . Randomly partition the codewords into

bins so each bin contains codewords.Label the codewords as , where denotes the bin number,and denotes the codeword number within each bin. We shallrefer to the codeword collection as the -codebook.For each codeword in the -codebook, randomly and in-

dependently generate codewords of length ac-cording to an -product of . Randomly partition the code-words into bins so each bin contains codewords.

Page 6: IEEE paper problem statements

LY et al.: SECURITY EMBEDDING CODES 153

Fig. 3. Codebook structure for a coding scheme that combines rate splitting, superposition coding, (nested) binning, and prefix coding.

Further partition each bin into subbins so each subbin contains codewords. Label the codewords as , where indicates the base codeword from which was generated, denotes the bin number, denotes the subbin number within each bin, and denotes the codeword number within each subbin. We shall refer to the codeword collection as the -subcodebook corresponding to the base codeword and as the -codebook.

Once all three codebooks are chosen, they are revealed to all terminals. Fig. 3 illustrates the structure of the entire codebook.

Encoding. To send a message triple , the transmitter randomly (according to a uniform distribution) chooses a codeword from the th bin in the -codebook. Once a is chosen, the transmitter looks into the corresponding -subcodebook and randomly chooses a codeword from the subbin identified by . Once a is chosen, an input sequence is generated according to an -product of and is then sent through the channel. Note that the sole codeword in the -codebook simply serves as an “averaging base” for the - and -codebooks and does not play any role in the encoding.

Decoding at the legitimate receiver. Given the channel outputs , the legitimate receiver looks into the -codebook and its -subcodebooks and searches for a pair of codewords such that is jointly typical [11] with . In the case when

(26)

and

(27)

with high probability the codeword pair selection is the only one that is jointly typical [11] with .

Security at the eavesdropper. To analyze the security of the high-security message and the submessage at the eavesdropper, we shall assume (for now) that both the submessage and the codeword selection are known at the eavesdropper. Note that such an assumption can only strengthen our security analysis. For any given codeword , the high-security message and the submessage are encoded using the corresponding -subcodebook . In particular, each bin in the -subcodebook corresponds to a message and contains codewords, each randomly and independently generated according to an -product of . For a given message , the transmitted codeword is randomly and uniformly chosen from the corresponding bin (where the randomness is from both the submessage and the transmitter’s choice of ). Following [7], in the case when

(28)

we have

(29)

in the limit as . From (29), we conclude that in the limit as . Furthermore, each subbin in the -subcodebook corresponds to a message pair and contains codewords, each randomly and independently generated according to an -product of . For a given message pair , the transmitted codeword is randomly and uniformly chosen from the corresponding


subbin (where the randomness is from the transmitter’s choice of ). Again, following [7], in the case when

(30)

we have

(31)

in the limit as .

To analyze the security of the submessage , note that each bin in the -codebook corresponds to a submessage and contains codewords, each randomly and independently generated according to an -product of . For a given submessage , the codeword is randomly and uniformly chosen from the corresponding bin (where the randomness is from the transmitter’s choice of ). Note from (30) that the rate of each -subcodebook is greater than . Following [12, Lemma 1], we have

(32)

in the limit as . Putting together (31) and (32) and using the fact that and are independent, we have

(33)

(34)

(35)

which tends to zero in the limit as .

Finally, note that the overall communication rate of the low-security message is given by

(36)

Eliminating , , and from (26)–(28), (30), (36), and using Fourier–Motzkin elimination, simplifying the results using the facts that 1)

by the assumption, 2) due to the Markov chain , and 3)

and due to the Markov chain , and letting , we conclude that any rate pair satisfying (14) for which is achievable. This completes the proof of Theorem 1.

IV. GAUSSIAN TWO-LEVEL SECURITY WIRETAP CHANNELS

A. Scalar Channel

Consider a discrete-time two-level security wiretap channel with real input and outputs , and given by

(37)

where , , and are the corresponding channel gains, and , , and are additive white Gaussian noise with zero means and unit variances. Assume that so the channel output is (stochastically) degraded with respect to . The channel input is subject to the average power constraint (5).

We term the above communication scenario as (scalar) Gaussian two-level security wiretap channel. The following theorem provides an explicit characterization of the secrecy capacity region.

Theorem 5: Consider the (scalar) Gaussian two-level security wiretap channel (37) where , and the channel input is subject to the average power constraint (5). The secrecy capacity region of the channel is given by the collection of all nonnegative pairs that satisfy

and

(38)

where is defined as in (6).

Proof: Following the same argument as that for Fact 1, any achievable secrecy rate pair must satisfy (38). We may thus focus on the forward part of the theorem.

To show that any nonnegative pair that satisfies (38) is achievable, let us first consider two simple cases. First, when , both and are equal to zero [cf., definition (6)]. So (38) does not include any positive rate pairs and hence there is nothing to prove. Next, when

, and (38) reduces to

and

(39)

Since the high-security message does not need to be transmitted, any rate pair in this region can be achieved by using a scalar Gaussian wiretap code to encode the low-security message . This has left us with the only case with .

For the case where , the channel output is less noisy than . Thus, the achievability of any rate pair in (38) follows from that of (25) by choosing to be Gaussian with zero mean and variance .² This completes the proof of the theorem.

The following corollary follows directly from the achievability of the corner point

(40)

of (38) and Fact 1. (Alternatively, it can also be proved from Theorem 1 by letting be Gaussian with zero mean and variance , , and , where denotes the indicator function for event .)

Corollary 6: Scalar Gaussian two-level security wiretap channels under an average power constraint are perfectly embeddable.

Fig. 4 illustrates the secrecy capacity region (38) for the case where . Also illustrated in the figure are the rate

² Although the results of Section III were proved for discrete memoryless channels, by the standard quantization argument, those results can be readily extended to continuous-alphabet problems under an average input cost constraint.


Fig. 4. Secrecy capacity region of the scalar Gaussian two-level security wiretap channel . For comparison, the dashed line and the dotted line are the boundary of the time-sharing and power-sharing rate regions, respectively.

regions that can be achieved by time-sharing and power-sharing between two secrecy codes that are separately designed for the low-security and high-security messages. The time-sharing rate region includes all nonnegative pairs below the straight line connecting the corner points and

. The power-sharing rate region [3] includes all nonnegative pairs such that

(41)

for some . Note that the corner point (40) is strictly outside the time-sharing and power-sharing rate regions, illustrating the superiority of nested binning over the separate coding schemes.

B. Independent Parallel Channel

Consider a discrete-time two-level security wiretap channel which consists of a bank of independent parallel scalar Gaussian two-level security wiretap channels. In this model, the channel outputs are given by ,

and , where

(42)

Here, is the channel input for the th subchannel, , , and are the corresponding channel gains in the th subchannel, and , , and are additive white Gaussian noise with zero means and unit variances. We assume that for all , so the channel output is (stochastically) degraded with respect to . Furthermore,

, are independent so all subchannels are independent of each other.

We term the above communication scenario as independent parallel Gaussian two-level security wiretap channel. The following theorem provides an explicit characterization of the secrecy capacity region under an average individual per-subchannel power constraint.

Theorem 7: Consider the independent parallel Gaussian two-level security wiretap channel (42), where for all , and the channel input is subject to the average individual per-subchannel power constraint (8). The secrecy capacity region of the channel is given by the collection of all nonnegative pairs that satisfy

and

(43)

where is defined as in (6).

Proof: We first prove the converse part of the theorem. Following the same argument as that for Fact 1, we have

and

(44)

for any achievable secrecy rate pair . By the secrecy capacity expression (10) for the independent parallel Gaussian wiretap channel under an average individual per-subchannel power constraint, we have

and

(45)

Substituting (45) into (44) proves the converse part of the theorem.

To show that any nonnegative pair that satisfies (43) is achievable, let us consider independent coding over each of the subchannels. Note that each subchannel is a scalar Gaussian two-level security wiretap channel with average power constraint and channel gains . Thus, by Theorem 5, any nonnegative pair that satisfies

and

(46)

is achievable for the th subchannel. The overall communication rates are given by

and

(47)

Substituting (46) into (47) proves that any nonnegative pair that satisfies (43) is achievable. This completes the proof of the theorem.

Similar to the scalar case, the following corollary is an immediate consequence of Theorem 7.

Corollary 8: Independent parallel Gaussian two-level security wiretap channels under an average individual per-subchannel power constraint are perfectly embeddable.


Fig. 5. Secrecy capacity region of the independent parallel Gaussian two-level security wiretap channel under an average total power constraint. The intersection of the dashed lines is outside the secrecy capacity region, indicating that the channel is not perfectly embeddable.

The secrecy capacity region of the channel under an average total power constraint is summarized in the following corollary. The results follow from the well-known fact that an average total power constraint can be written as the union of average individual per-subchannel power constraints, where the union is over all possible power allocations among the subchannels.

Corollary 9: Consider the independent parallel Gaussian two-level security wiretap channel (42), where for all , and the channel input is subject to the average total power constraint (9). The secrecy capacity region of the channel is given by the collection of all nonnegative pairs that satisfy

and

(48)

for some power allocation such that .

Fig. 5 illustrates the secrecy capacity region with subchannels where

As we can see, under the average total power constraint (9), the independent parallel Gaussian two-level security wiretap channel is embeddable but not perfectly embeddable. The reason is that the optimal power allocation that maximizes is suboptimal in maximizing . By comparison, under the average individual per-subchannel power constraint (8), the power allocated to each of the subchannels is fixed so the channel is always perfectly embeddable.

V. TWO-LEVEL SECURITY WIRETAP CHANNEL II

In Section II, we briefly summarized the known results on a classical secrecy communication setting known as wiretap channel. A closely related classical secrecy communication scenario is wiretap channel II, which was first studied by Ozarow and Wyner [8]. In the wiretap channel II setting, the transmitter sends a binary sequence of length noiselessly to a legitimate receiver. The signal received at the eavesdropper is given by

otherwise(49)

where represents an erasure output, and is a subset of of size representing the locations of the transmitted bits that can be accessed by the eavesdropper.

If the subset is known at the transmitter, a message of bits can be noiselessly communicated to the legitimate receiver through . Since the eavesdropper has no information regarding , perfectly secure communication is achieved without any coding. It is easy to see that in this scenario, is also the maximum number of bits that can be reliably and perfectly securely communicated through transmitted bits.

An interesting result of [8] is that for any , a total of bits can be reliably and asymptotically perfectly securely communicated to the legitimate receiver even when the subset is unknown (but with a fixed size ) a priori at the transmitter. Here, by “asymptotically perfectly securely” we mean in the limit as . Unlike the case where the subset is known a priori, coding is necessary when is unknown at the transmitter. In particular, [8] considered a random binning scheme that partitions the collection of all length- binary sequences into an appropriately chosen group code and its cosets. For the wiretap channel setting, as shown in Section III, a random binning scheme can be easily modified into a nested binning scheme to efficiently embed high-security bits into low-security ones. The main goal of this section is to extend this result from the classical setting of wiretap channel to wiretap channel II.

More specifically, assume that a realization of the subset has two possible sizes, and , where . The transmitter has two independent messages, the high-security message and the low-security message , uniformly drawn from and , respectively. When the size of the realization is , both messages and need to be secure, i.e., in the limit as . In addition, when the size of the realization of is , the high-security message needs to remain secure, i.e., in the limit as . We term this communication scenario as two-level security wiretap channel II, in line with our previous terminology in Section III.

By the results of [8], without needing to communicate the low-security message , the maximum achievable is . Without the additional secrecy constraint on the high-security message , the


messages can be viewed as a single message with rate , and the maximum achievable is . The main result of this section is to show that the rate pair is indeed achievable, from which we may conclude that two-level security wiretap channels II are perfectly embeddable. Moreover, perfect embedding can be achieved by a nested binning scheme that uses a two-level coset code. The results are summarized in the following theorem.

Theorem 10: Two-level security wiretap channels II are perfectly embeddable. Moreover, perfect embedding can be achieved by a nested binning scheme that uses a two-level coset code.

Proof: Fix . Consider a binary parity-check matrix

where the size of is and the size of is . Let be a one-to-one mapping between and the binary vectors of length , and let be a one-to-one mapping between and the binary vectors of length .

For a given message pair , the transmitter randomly (according to a uniform distribution) chooses a solution to the linear equations

(50)

and sends it to the legitimate receiver.

When the parity-check matrix has full (row) rank, the above encoding procedure is equivalent to a nested binning scheme that partitions the collection of all length- binary sequences into bins and subbins using a two-level coset code with parity-check matrices . Moreover, let be the columns of and let . Define as the dimension of the subspace spanned by and

(51)

When the size of the realization of is , by [8, Lemma 4]we have

(52)

Note that the low-security message is uniformly drawn from . So by (50), for a given high-security message , the transmitted sequence is randomly chosen (according to a uniform distribution) as a solution to the linear equations . If we let be the columns of and define

(53)

where is the dimension of the subspace spanned by , we have again from [8, Lemma 4]

(54)

when the size of the realization of is .

Let when we have either does not have full rank, or , or , and let otherwise. By using a randomized argument that generates the entries of independently according to a uniform distribution in , we can show that there exists an with for sufficiently large (see Appendix B for details). For such an , we have from (52) and (54) that when the size of the realization of is , and when the size of the realization of is .

Letting and (in that order) proves the achievability of the rate pair and hence completes the proof of the theorem.
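The encoding used in the proof of Theorem 10, run on a toy instance as an added example that is not code from the paper: an 8-bit two-level coset code whose stacked parity-check matrix is that of the extended Hamming [8,4] code, with the hidden part of the message measured as the dimension spanned by the unobserved columns. The names `H1`, `H2`, `N`, the choice of matrix and the bit layout are assumptions made here (the proof uses a randomly generated matrix and a limit in the block length); the high-security message is taken to be the syndrome under `H1` and the low-security message the syndrome under `H2`.

```python
import random
from itertools import combinations

N = 8  # block length (constructed toy value)
# Assumed layout: column j of H is (1, b0, b1, b2), with b0..b2 the bits of j.
# Bit j of each row mask below is the entry in column j.
H1 = [0b11111111]                          # one high-security syndrome bit
H2 = [0b10101010, 0b11001100, 0b11110000]  # three low-security syndrome bits
H = H1 + H2

def parity(v):
    return bin(v).count("1") & 1

def syndrome(rows, x):
    return [parity(r & x) for r in rows]

def rank_gf2(rows):
    basis = []  # kept in descending order, each entry with a distinct top bit
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)  # clears b's top bit in r when it is set
        if r:
            basis.append(r)
            basis.sort(reverse=True)
    return len(basis)

def random_solution(rows, rhs, n, rng):
    """Uniformly random x in GF(2)^n with rows * x = rhs."""
    aug = [r | (b << n) for r, b in zip(rows, rhs)]  # bit n holds the right-hand side
    pivots = []
    for col in range(n):  # Gauss-Jordan elimination to reduced row echelon form
        k = len(pivots)
        hit = next((i for i in range(k, len(aug)) if aug[i] >> col & 1), None)
        if hit is None:
            continue
        aug[k], aug[hit] = aug[hit], aug[k]
        for i in range(len(aug)):
            if i != k and aug[i] >> col & 1:
                aug[i] ^= aug[k]
        pivots.append(col)
    if any(a >> n for a in aug[len(pivots):]):
        raise ValueError("no sequence has this syndrome")
    x = 0
    for col in range(n):  # free coordinates are fair coin flips
        if col not in pivots:
            x |= rng.getrandbits(1) << col
    for k, col in enumerate(pivots):  # pivot coordinates are then determined
        x |= ((aug[k] >> n & 1) ^ parity(aug[k] & x & ((1 << n) - 1))) << col
    return x

def encode(m1, m2, rng):
    """m1: 1 high-security bit, m2: 3 low-security bits -> 8-bit sequence as an int."""
    return random_solution(H, list(m1) + list(m2), N, rng)

def decode(x):
    return syndrome(H1, x), syndrome(H2, x)

def equivocation_bits(rows, observed, n=N):
    """Syndrome bits still hidden from an eavesdropper reading the positions in
    `observed` of a uniform x: the rank of the unobserved columns of `rows`."""
    hidden = ((1 << n) - 1) & ~sum(1 << j for j in observed)
    return rank_gf2([r & hidden for r in rows])

def worst_case(rows, mu, n=N):
    return min(equivocation_bits(rows, s, n) for s in combinations(range(n), mu))

if __name__ == "__main__":
    rng = random.Random(2012)
    x = encode([1], [0, 1, 1], rng)
    print(f"sent {x:08b}, decoded {decode(x)}")
    for mu in range(N + 1):
        print(mu, worst_case(H, mu), worst_case(H1, mu))
```

In this instance all four message bits stay hidden whenever the eavesdropper reads at most 3 of the 8 positions, and the high-security bit stays hidden for up to 7 observed positions because the low-security bits act as extra encoder randomness.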

VI. CONCLUDING REMARKS

In this paper, we considered the problem of simultaneously communicating two messages, a high-security message and a low-security message, to a legitimate receiver, referred to as the security embedding problem. An information-theoretic formulation of the problem was presented. With appropriate coding architectures, it was shown that a significant portion of the information bits can receive additional security protections without sacrificing the overall rate of communication. Key to achieving efficient embedding was to use the low-security message as part of the transmitter randomness to protect the high-security message when the eavesdropper channel realization is strong.

For the engineering communication scenarios with real channel input and additive white Gaussian noise, it was shown that the high-security message can be embedded into the low-security message at full rate without incurring any loss on the overall rate of communication for both scalar and independent parallel Gaussian channels (under an average individual per-subchannel power constraint). The scenarios with multiple transmit and receive antennas are considerably more complex and hence require further investigations.

Finally, note that even though in this paper we have only considered providing two levels of security protections to the information bits, most of the results extend to multiple-level security in the most straightforward fashion. In the limit scenario when the security levels change continuously, the number of secure bits delivered to the legitimate receiver would depend on the realization of the eavesdropper channel even though such realizations are unknown a priori at the transmitter.

APPENDIX A
PROOF OF THEOREM 3

Assume that the channel output is less noisy than . To show that in this case the sufficient condition (18) is also necessary, let be an achievable rate pair. By Fano’s inequality [11] and the asymptotic perfect secrecy constraints (12) and (13), there exists a sequence of codes (indexed by the block length ) of rate pair such that

(55)

(56)

and

(57)

where in the limit as .


Let , ,, and

. By (55) and (56), we have

(58)

(59)

(60)

(61)

(62)

(63)

(64)

(65)

where (65) follows from the well-known Csiszár–Körner sum equality [7]. Similarly, by (55), (57), and the Csiszár–Körner sum equality [7], we may also obtain

(66)

Further note that

(67)

(68)

(69)

(70)

(71)

where (69) is due to the fact that is less noisy than so we have

and , and (71) is due to the Markov chain

so we have

(72)

Substituting (71) into (66), we have

(73)

Define , and . We can rewrite (65) and (73) as

(74)

and

(75)

Let be a standard time-sharing variable [11], and let , , , ,

, . We have from (74) and (75)

(76)

(77)

(78)

and

(79)

(80)

(81)

(82)

where (81) is due to the fact that is less noisy than so we have

(83)

Divide both sides of (78) and (82) by and then let . The proof is complete by noting that the channel is memoryless, so we have for all

.


APPENDIX B
EXISTENCE OF AN WITH

To show that there exists a parity-check matrix such that , it is sufficient to show that , where denotes the expectation of a random variable .

Let

otherwise(84)

and

otherwise,(85)

By the union bound

(86)

Following [8, Lemma 6], we have

(87)

for sufficiently large . Furthermore, by [8, Lemma 5], for any such that , we have

(88)

Since the total number of different subsets of is , we have

(89)

for any . Substituting (87) and (89) into (86) proves that for sufficiently large , and hence the existence of a parity-check matrix such that .

REFERENCES

[1] Y. Liang, H. V. Poor, and S. Shamai (Shitz), Information Theoretic Security. Dordrecht, The Netherlands: Now Publisher, 2009.

[2] R. Liu and W. Trappe, Eds., Securing Wireless Communications at the Physical Layer. New York: Springer Verlag, 2010.

[3] Y. Liang, L. Lai, H. V. Poor, and S. Shamai (Shitz), “The broadcast approach to fading wiretap channels,” in Proc. IEEE Inf. Theory Workshop, Taormina, Sicily, Italy, Oct. 2009.

[4] I. Csiszár and J. Körner, Information Theory: Coding Theorems for Discrete Memoryless Systems. Budapest, Hungary: Academic, 1982.

[5] R. Liu, T. Liu, H. V. Poor, and S. Shamai (Shitz), “New results on multiple-input multiple-output Gaussian broadcast channels with confidential messages,” IEEE Trans. Inf. Theory, submitted for publication. [Online]. Available: http://arxiv.org/abs/1101.2007

[6] A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975.

[7] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Inf. Theory, vol. IT-24, no. 3, pp. 339–348, May 1978.

[8] L. H. Ozarow and A. D. Wyner, “Wire-tap channel II,” Bell Syst. Tech. J., vol. 63, no. 10, pp. 2135–2157, Dec. 1984.

[9] S. K. Leung-Yan-Cheong and M. Hellman, “The Gaussian wire-tap channel,” IEEE Trans. Inf. Theory, vol. IT-24, no. 4, pp. 451–456, Jul. 1978.

[10] Z. Li, R. Yates, and W. Trappe, “Secrecy capacity of independent parallel channels,” in Proc. 44th Annu. Allerton Conf. Communication, Control and Computing, Monticello, IL, Sep. 2006.

[11] T. M. Cover and J. A. Thomas, Elements of Information Theory. New York: Wiley, 1991.

[12] Y. K. Chia and A. E. Gamal, “3-receiver broadcast channels with common and confidential messages,” IEEE Trans. Inf. Theory, submitted for publication. [Online]. Available: http://arxiv.org/abs/0910.1407

Hung D. Ly (S’07) received the B.S. degree in electronics and telecommunications engineering from Posts and Telecommunications Institute of Technology (PTIT), Hanoi, Vietnam, in 2002, and the M.S. degree in electrical engineering from the University of Texas at Arlington in 2007. Since August 2007, he has been pursuing the Ph.D. degree in electrical and computer engineering at Texas A&M University, College Station. From June 2002 to July 2005, he was a Lecturer with the Faculty of Telecommunications Engineering, PTIT. His research interests include information theory, wireless communication, and statistical signal processing.

Tie Liu (S’99–M’06) received the B.S. and M.S. degrees, both in electrical engineering, from Tsinghua University, Beijing, China, in 1998 and 2000, respectively, and a second M.S. degree in mathematics and the Ph.D. degree in electrical and computer engineering from the University of Illinois at Urbana-Champaign, in 2004 and 2006, respectively. Since August 2006 he has been with Texas A&M University, College Station, where he is currently an Assistant Professor with the Department of Electrical and Computer Engineering. His research interests are in the field of information theory, wireless communication, and statistical signal processing. Dr. Liu is a recipient of the M. E. Van Valkenburg Graduate Research Award (2006) from the University of Illinois at Urbana-Champaign and the Faculty Early Career Development (CAREER) Award (2009) from the National Science Foundation.

Yufei Blankenship (S’98–M’00) received the B.S. and M.S. degrees from Northwestern Polytechnical University, Xi’an, Shaanxi, China in 1993 and 1996, respectively, and the Ph.D. degree from Virginia Polytechnic Institute and State University, Blacksburg, VA, in 2000, all in electrical engineering. From June 2000 to October 2008, she was with Motorola Inc. working on communication systems research and intellectual property asset management. From November 2008 to February 2011, she was with the Wireless R&D Department of Huawei Technologies (USA). Since February 2011, she has been with the Advanced Technology Department, Research In Motion, Rolling Meadows, IL. Her research interests include information theory, wireless communication, and wireless standards. She holds 23 issued U.S. patents, and is a registered patent agent with USPTO.