<%BANNER%>

Ldpc-Based Secret-Sharing Schemes for Wiretap Channels

Permanent Link: http://ufdc.ufl.edu/UFE0043592/00001

Material Information

Title: Ldpc-Based Secret-Sharing Schemes for Wiretap Channels
Physical Description: 1 online resource (128 p.)
Language: english
Creator: Wong, Chan-Wong
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2011

Subjects

Subjects / Keywords: design -- key -- ldpc
Electrical and Computer Engineering -- Dissertations, Academic -- UF
Genre: Electrical and Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: This dissertation examines the practical design of secret-sharing schemes that allows a source and a destination to share secret information over a wireless channel so that the knowledge about that information at an eavesdropper or a wiretapper is minimized. This model is the classical wiretap channel. When the objective of secret-sharing is for the source and destinaion to agree upon with a secret key, it is assumed that a public channel exists between the source and destination that they can use to exchange information without any rate and power constraints; however, all public communications are perfectly observed by the wiretapper. We propose a low-density parity-check (LPDC)-based scheme to support secret-key agreement through a combination of direct transmission from the source to destination over the wiretap channel and information exchanges between them over the public channel. To rigorously quantify the secrecy performance of the proposed key-agreement scheme, we introduce the notion of relaxed key capacity, which is defined as the maximum achievable key rate over the wiretap channel subject to the constraint that the leakage rate (about the key) is bounded below a fixed value. We prove that the proposed key-agreement scheme, which employs an ensemble of regular LDPC codes, can asymptotically achieve the relaxed key capacity of the Gaussian wiretap channel with the constraints of binary phase-shift-keyed (BPSK) source symbols and destination hard-decision quantization. This asymptotic result provides us a solid theoretical foundation that motivates us to construct practically implementable key-agreement scheme using both fixed regular and irregular LDPC codes. Moreover, the coding structure in the proposed key-agreement scheme allows us to systematically and efficiently design good irregular LDPC codes using a density-evolution based linear program. We demonstrate by simulation results that the irregular LDPC codes obtained from the code search process outperform other existing key-agreement schemes and provide secrecy performance close to the relaxed key capacity of the Gaussian wiretap channel. In this dissertation, we also suggest that the proposed key-agreement scheme can be further improved by considering the use of punctured irregular LDPC codes. Moreover, we extend the proposed key-agreement scheme to work in the Gaussian wiretap channel with M-ary pulse-amplitude modulated (PAM) source symbols. We show that the M-ary transmission can be transformed into M binary-input channels. As a result, we can then assign the target key rate to the M binary-input channels accordingly, and each of the M irregular LDPC codes will be designed individually for the corresponding binary-input channel. The proposed key-agreement scheme can also be applied to the fast Rayleigh fading wiretap channel in which the source is restricted to transmit quadrature phase-shift-keyed (QPSK) symbols. We show that in such a case, the in-phase (I) and quadrature-phase (Q-) components of the wiretap channel can be separately considered. Thus we only need to design irregular LDPC codes for the I-component, and the resulting codes will also work well for the Q-component. In both cases, we present simulation results to show that the proposed key-agreement scheme provides excellent secrecy performance by employing the irregular LDPC codes obtained through the aforementioned code search process. Finally, we demonstrate that the proposed secret-sharing scheme can be adopted to the case when the objective of secret sharing is for the source to send a secret message to the destination wihtout the help of the public channel. An LDPC-based coding scheme is proposed and a density-based linear program are also developed to find irregular LDPC codes to achieve good secrecy performance.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Chan-Wong Wong.
Thesis: Thesis (Ph.D.)--University of Florida, 2011.
Local: Adviser: Shea, John M.
Local: Co-adviser: Wong, Tan F.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2011
System ID: UFE0043592:00001

Permanent Link: http://ufdc.ufl.edu/UFE0043592/00001

Material Information

Title: Ldpc-Based Secret-Sharing Schemes for Wiretap Channels
Physical Description: 1 online resource (128 p.)
Language: english
Creator: Wong, Chan-Wong
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2011

Subjects

Subjects / Keywords: design -- key -- ldpc
Electrical and Computer Engineering -- Dissertations, Academic -- UF
Genre: Electrical and Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: This dissertation examines the practical design of secret-sharing schemes that allows a source and a destination to share secret information over a wireless channel so that the knowledge about that information at an eavesdropper or a wiretapper is minimized. This model is the classical wiretap channel. When the objective of secret-sharing is for the source and destinaion to agree upon with a secret key, it is assumed that a public channel exists between the source and destination that they can use to exchange information without any rate and power constraints; however, all public communications are perfectly observed by the wiretapper. We propose a low-density parity-check (LPDC)-based scheme to support secret-key agreement through a combination of direct transmission from the source to destination over the wiretap channel and information exchanges between them over the public channel. To rigorously quantify the secrecy performance of the proposed key-agreement scheme, we introduce the notion of relaxed key capacity, which is defined as the maximum achievable key rate over the wiretap channel subject to the constraint that the leakage rate (about the key) is bounded below a fixed value. We prove that the proposed key-agreement scheme, which employs an ensemble of regular LDPC codes, can asymptotically achieve the relaxed key capacity of the Gaussian wiretap channel with the constraints of binary phase-shift-keyed (BPSK) source symbols and destination hard-decision quantization. This asymptotic result provides us a solid theoretical foundation that motivates us to construct practically implementable key-agreement scheme using both fixed regular and irregular LDPC codes. Moreover, the coding structure in the proposed key-agreement scheme allows us to systematically and efficiently design good irregular LDPC codes using a density-evolution based linear program. We demonstrate by simulation results that the irregular LDPC codes obtained from the code search process outperform other existing key-agreement schemes and provide secrecy performance close to the relaxed key capacity of the Gaussian wiretap channel. In this dissertation, we also suggest that the proposed key-agreement scheme can be further improved by considering the use of punctured irregular LDPC codes. Moreover, we extend the proposed key-agreement scheme to work in the Gaussian wiretap channel with M-ary pulse-amplitude modulated (PAM) source symbols. We show that the M-ary transmission can be transformed into M binary-input channels. As a result, we can then assign the target key rate to the M binary-input channels accordingly, and each of the M irregular LDPC codes will be designed individually for the corresponding binary-input channel. The proposed key-agreement scheme can also be applied to the fast Rayleigh fading wiretap channel in which the source is restricted to transmit quadrature phase-shift-keyed (QPSK) symbols. We show that in such a case, the in-phase (I) and quadrature-phase (Q-) components of the wiretap channel can be separately considered. Thus we only need to design irregular LDPC codes for the I-component, and the resulting codes will also work well for the Q-component. In both cases, we present simulation results to show that the proposed key-agreement scheme provides excellent secrecy performance by employing the irregular LDPC codes obtained through the aforementioned code search process. Finally, we demonstrate that the proposed secret-sharing scheme can be adopted to the case when the objective of secret sharing is for the source to send a secret message to the destination wihtout the help of the public channel. An LDPC-based coding scheme is proposed and a density-based linear program are also developed to find irregular LDPC codes to achieve good secrecy performance.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Chan-Wong Wong.
Thesis: Thesis (Ph.D.)--University of Florida, 2011.
Local: Adviser: Shea, John M.
Local: Co-adviser: Wong, Tan F.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2011
System ID: UFE0043592:00001


This item has the following downloads:


Full Text

PAGE 1

LDPC-BASEDSECRET-SHARINGSCHEMESFORWIRETAPCHANNELSByCHANWONGWONGADISSERTATIONPRESENTEDTOTHEGRADUATESCHOOLOFTHEUNIVERSITYOFFLORIDAINPARTIALFULFILLMENTOFTHEREQUIREMENTSFORTHEDEGREEOFDOCTOROFPHILOSOPHYUNIVERSITYOFFLORIDA2011

PAGE 2

c2011ChanWongWong 2

PAGE 3

Tomyfamily 3

PAGE 4

ACKNOWLEDGMENTS Firstofall,Ithankmyadvisers,ProfessorJohnMarkSheaandProfessorTanFoonWong.Inthepastveyears,IhaveacquiredfromProfessorSheaatheoreticalbutalsopracticalapproachtowardsresearch.IhavealsolearnedfromProfessorSheahowtotechnicallyreportandpresentmyresearchndings.Untilnow,IstillrememberclearlywhenIwasstrugglingwithmyresearch,ProfessorSheashownenormouscareandpatiencetoguidemethroughallthedifculties.IsincerelythankProfessorSheaforhissupportandguidanceduringmydaysinUniversityofFlorida.IamalsoindebtedtoProfessorWongwhoscrutinizesmyresearchandmakessurethattherearenomistakes.IthankProfessorWongforspendingnumeroushoursmeetingwithme,teachingmenotonlytoappreciatemyresearchbutalsotothinkhardandcriticizemyresearchtoachievebetterresults.IamgratefultohavetheopportunitytoworkwithProfessorWongwhoisarolemodelforanenthusiastic,diligentandindependentresearcher.IthankProfessorYuguangFangforhisinterestandvaluablecommentsonmyresearch.IrememberProfessorFangoncetoldmeinaclassthatweshouldallbeproudofwhoandwhereweare.IcansayloudenoughthatIwas,amandwillalwaysbeproudofbeingaFloridaGator.IamgratefultohaveProfessorAndrewRosalskyfromdepartmentofstatisticsinmycommittee.ProfessorRosalskytaughtoneofthebestcourses,measuretheoreticprobability,Ihaveeverhadinmywholelife.Hiscourseinspiresmetoexplorearelativelynewarea,statistics,formyfuturecareerandIwouldliketothankhimforallthesuggestionshehasgivenme.IalsowanttothankallWINGmembersincludingSurendraBoppana,DedeepChatterjeeandLeenhapatNavararongforprovidingmenotonlyaplacetodiscussmyresearchbutalsoaplacetorelaxandhavefun.Specialthanksshouldbegiven 4

PAGE 5

toByonghyokChoiwhoalwaysactslikeanelderbrothertomeandteachesmemanythingswhichareinvaluabletomylife.IwillneverforgetthosewonderfulafternoonswewalkedtogethertoReitzUniontohaveStarbucksCoffee.Lookingback,meetingmywife,HsuanHsu,isthebestthingthathashappenedtomeattheUniversityofFlorida.Ican'tfullyexpresshowgratefulIamtohaveherinmylife.Forme,thebestthingintheworldistoexperiencealltheup-and-down,happiness-and-sadnessinmylifewithher.IamalsogreatlyappreciativetoShih-FenYeh,myaunt-in-law,forhercareandsupportoverthelastcoupleofyears.Thelistofthank-youwon'tbecompletewithoutmentioningmylife-longfriends:Chan-IpChan,IvyIpandKamanLeong.IamluckyenoughtomeetthemwhenIwasyoung.Althoughwearefarawayfromeachother,theyarealwaystheoneswhomIcantrustandrelyon.InclosingIwanttothankmyfamilyfortheirlove,careandsupportovertheyears.Myparentsneverstopmefrompursuingmydream,evenifitisoftenthecasethattheyneedtoscarifythemselves.Withoutthem,noneoftheachievementsinmylifewouldhaveevermaterialized.IleftmyfamilytostudyabroadwhenIwas18.TheonlysinglethingIhaveeverregrettedisthatIamnotabletowitnessthegrowthanddevelopmentofmybrotherandsister.IthankthemfortakingoverandshoulderingmyresponsibilitiesastheoldestsonforthefamilysothatIcanconcentrateonfulllingmyphDdegree.Idedicatethisdissertationtomyfamily. 5

PAGE 6

TABLEOFCONTENTS page ACKNOWLEDGMENTS .................................. 4 LISTOFTABLES ...................................... 8 LISTOFFIGURES ..................................... 9 ABSTRACT ......................................... 11 CHAPTER 1INTRODUCTION ................................... 14 2FUNDAMENTALSOFSECRETSHARING .................... 21 2.1Notations .................................... 21 2.2PermissibleSecret-SharingStrategiesandRelaxedKeyCapacity ..... 21 2.3Low-DensityParity-Check(LDPC)codes .................. 24 3SECRET-SHARINGLDPCCODESFORBPSK-CONSTRAINEDGAUSSIANWIRETAPCHANNEL ................................ 30 3.1BPSK-constrainedGaussianWiretapChannel ............... 30 3.2Secret-SharingSchemeEmployingRegularLDPCCodeEnsembles ... 32 3.3Secret-SharingSchemeEmployingFixedPracticalLDPCCodes ..... 39 3.3.1Secret-SharingRegularLDPCCodes ................ 41 3.3.2Secret-SharingIrregularLDPCCodes ................ 44 3.4Summary .................................... 48 4ANLDPC-BASEDSECRET-SHARINGSCHEMEOVERGAUSSIANWIRETAPCHANNELWITHPAMSYMBOLS ......................... 51 4.1GaussianwiretapchannelwithPAMsymbols ................ 51 4.2LDPC-basedKey-AgreementScheme .................... 55 4.3LDPCCodesDesignandPerformance .................... 62 4.4Summary .................................... 68 5ANLDPC-BASEDSECRET-SHARINGSCHEMEOVERFAST-FADINGWIRETAPCHANNEL ...................................... 74 5.1Fast-FadingWiretapChannel ......................... 74 5.2LDPC-basedKey-AgreementScheme .................... 77 5.3LDPCCodesDesignandPerformance .................... 80 5.4Summary .................................... 82 6CONCLUSIONS ................................... 85 APPENDIX 6

PAGE 7

APROOFOFTHEOREM2.1 ............................. 88 A.1RandomCodeGeneration ........................... 90 A.2SecretSharingProcedure ........................... 91 A.3AnalysisofProbabilityofError ........................ 93 A.4SecrecyAnalysis ................................ 101 BPROOFOFLEMMA1 ................................ 104 CPROOFSOF(3-2)AND(3-3) ............................ 110 C.1Proofof(3-2) .................................. 110 C.2Proofof(3-3) .................................. 113 DLDPCCODEDESIGNFORTHEBPSK-CONSTRAINEDGAUSSIANWIRETAPCHANNEL ...................................... 115 D.1BPSK-constrainedGaussianwiretapchannel ................ 115 D.2SecretLDPCcodingscheme ......................... 116 D.3Codesdesignandperformance ........................ 119 D.4Summary .................................... 123 REFERENCES ....................................... 124 BIOGRAPHICALSKETCH ................................ 128 7

PAGE 8

LISTOFTABLES Table page 3-1Degreedistributionpairsoftherate-0.25andrate-0.12secret-sharingirregularLDPCcodes. ..................................... 48 4-1Degreedistributionpairsoftherate-0.195andrate-0.538irregularLDPCcodes. 65 4-2Degreedistributionpairsoftherate-0.096andrate-0.436irregularLDPCcodes. 68 4-3Degreedistributionpairsoftherate-0.108,rate-0.432andrate-0.689irregularLDPCcodes. ..................................... 70 4-4Degreedistributionpairsoftherate-0.078,rate-0.415andrate-0.687irregularLDPCcodes. ..................................... 72 5-1Degreedistributionpairsoftherate-0.426,rate-0.362,rate-0.276irregularLDPCcodes. ......................................... 80 D-1Degreedistributionpairsoftherate-0.541,rate-0.508,rate-0.505irregularLDPCcodes. ......................................... 120 8

PAGE 9

LISTOFFIGURES Figure page 2-1ExamplesofbipartitegraphsofLDPCcodes. ................... 26 2-2Therstandthesecondhalfiterationofbeliefpropagationalgorithm. ..... 27 3-1ComparisonbetweentherelaxedkeycapacitiesCbandCbqovertheBPSKconstrainedGaussianwiretapchannel. ...................... 33 3-2Plotofthe(Rk,Rl)-trajectoriesachievedbytheproposedsecret-sharingschemeemployingsecret-sharingregularLDPCcodes(C,W). .............. 42 3-3Plotofthe(Rk,Rl)-trajectoryachievedbytheproposedsecret-sharingschemeemployingtherate-0.25secret-sharingirregularLDPCcode. .......... 47 3-4Plotofthe(Rk,Rl)-trajectoryachievedbytheproposedsecret-sharingschemeemployingtherate-0.12secret-sharingirregularLDPCcode. .......... 49 4-1ExamplesofM-aryGray-mappedPAMconstellation. ............... 52 4-2ComparisonbetweentheRl-relaxed(symmetric)keyrateRpqandtherelaxedkeycapacityCkoftheGaussianwiretapchannelwhen2=0dBandRl=0. 55 4-3ComparisonbetweentheRl-relaxed(symmetric)keyrateRpandRpqoftheGaussianwiretapchannelwhnRl=0. ....................... 56 4-4ComparisonbetweentheRl-relaxedkeycapacityCpkandRl-relaxed(symmetric)keyrateRpqoftheGaussianwiretapchannelwhenRl=0. ........... 57 4-5Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.195andrate-0.538irregularLDPCcodes. ............... 66 4-6Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.096andrate-0.436irregularLDPCcodes. ............... 69 4-7Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.108,rate-0.432andrate-0.689irregularLDPCcodes. ......... 71 4-8Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.078,rate-0.415andrate-0.687irregularLDPCcodes. ......... 73 5-1TheRl-relaxedkeycapacityCqofthefastRayleighfadingwiretapchannelfordifferentvalueof2,whereRl=0. ......................... 76 5-2Plotofthe(2Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.426irregularLDPCcode. .................. 82 5-3Plotofthe(2Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.362irregularLDPCcode. .................. 83 9

PAGE 10

5-4Plotofthe(2Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.276irregularLDPCcode. .................. 84 D-1ThesecrecycapacityCboftheBPSK-constrainedGaussianwiretapchannelfordifferentvalueof2. ............................... 117 D-2Plotof(Rs,~Re)pairsachievedbytheproposedcodingschemeandbythecodingschemein[20]whenP=2=3.55dBand2=)]TJ /F3 11.955 Tf 9.3 0 Td[(4.4dB. ........ 120 D-3Plotofthe(Rs,~Re)pairachievedbytheproposedcodingschemewhenP=2=1.0dBand2=)]TJ /F3 11.955 Tf 9.3 0 Td[(1.0dB. .............................. 122 10

PAGE 11

AbstractofDissertationPresentedtotheGraduateSchooloftheUniversityofFloridainPartialFulllmentoftheRequirementsfortheDegreeofDoctorofPhilosophyLDPC-BASEDSECRET-SHARINGSCHEMESFORWIRETAPCHANNELSByChanWongWongDecember2011Chair:JohnM.SheaCochair:TanF.WongMajor:ElectricalandComputerEngineeringThisdissertationexaminesthepracticaldesignofsecret-sharingschemesthatallowsasourceandadestinationtosharesecretinformationoverawirelesschannelsothattheknowledgeaboutthatinformationataneavesdropperorawiretapperisminimized.Thismodelistheclassicalwiretapchannel.Whentheobjectiveofsecret-sharingisforthesourceanddestinaiontoagreeuponwithasecretkey,itisassumedthatapublicchannelexistsbetweenthesourceanddestinationthattheycanusetoexchangeinformationwithoutanyrateandpowerconstraints;however,allpubliccommunicationsareperfectlyobservedbythewiretapper.Weproposealow-densityparity-check(LPDC)-basedschemetosupportsecret-keyagreementthroughacombinationofdirecttransmissionfromthesourcetodestinationoverthewiretapchannelandinformationexchangesbetweenthemoverthepublicchannel.Torigorouslyquantifythesecrecyperformanceoftheproposedkey-agreementscheme,weintroducethenotionofrelaxedkeycapacity,whichisdenedasthemaximumachievablekeyrateoverthewiretapchannelsubjecttotheconstraintthattheleakagerate(aboutthekey)isboundedbelowaxedvalue.Weprovethattheproposedkey-agreementscheme,whichemploysanensembleofregularLDPCcodes,canasymptoticallyachievetherelaxedkeycapacityoftheGaussianwiretapchannelwiththeconstraintsofbinaryphase-shift-keyed(BPSK)sourcesymbolsanddestinationhard-decisionquantization.Thisasymptoticresultprovidesusasolidtheoreticalfoundationthatmotivatesusto 11

PAGE 12

constructpracticallyimplementablekey-agreementschemeusingbothxedregularandirregularLDPCcodes.Moreover,thecodingstructureintheproposedkey-agreementschemeallowsustosystematicallyandefcientlydesigngoodirregularLDPCcodesusingadensity-evolutionbasedlinearprogram.WedemonstratebysimulationresultsthattheirregularLDPCcodesobtainedfromthecodesearchprocessoutperformotherexistingkey-agreementschemesandprovidesecrecyperformanceclosetotherelaxedkeycapacityoftheGaussianwiretapchannel.Inthisdissertation,wealsosuggestthattheproposedkey-agreementschemecanbefurtherimprovedbyconsideringtheuseofpuncturedirregularLDPCcodes.Moreover,weextendtheproposedkey-agreementschemetoworkintheGaussianwiretapchannelwithM-arypulse-amplitudemodulated(PAM)sourcesymbols.WeshowthattheM-arytransmissioncanbetransformedintoMbinary-inputchannels.Asaresult,wecanthenassignthetargetkeyratetotheMbinary-inputchannelsaccordingly,andeachoftheMirregularLDPCcodeswillbedesignedindividuallyforthecorrespondingbinary-inputchannel.Theproposedkey-agreementschemecanalsobeappliedtothefastRayleighfadingwiretapchannelinwhichthesourceisrestrictedtotransmitquadraturephase-shift-keyed(QPSK)symbols.Weshowthatinsuchacase,thein-phase(I)andquadrature-phase(Q-)componentsofthewiretapchannelcanbeseparatelyconsidered.ThusweonlyneedtodesignirregularLDPCcodesfortheI-component,andtheresultingcodeswillalsoworkwellfortheQ-component.Inbothcases,wepresentsimulationresultstoshowthattheproposedkey-agreementschemeprovidesexcellentsecrecyperformancebyemployingtheirregularLDPCcodesobtainedthroughtheaforementionedcodesearchprocess.Finally,wedemonstratethattheproposedsecret-sharingschemecanbeadoptedtothecasewhentheobjectiveofsecretsharingisforthesourcetosendasecretmessagetothedestinationwihtoutthehelpofthepublicchannel.AnLDPC-based 12

PAGE 13

codingschemeisproposedandadensity-basedlinearprogramarealsodevelopedtondirregularLDPCcodestoachievegoodsecrecyperformance. 13

PAGE 14

CHAPTER1INTRODUCTIONThegrowthofanddemandforwirelesstechnologies,devicesandnetworksoverthelastdecadehavefosteredanincreasingneedforreliableandsecurecommunicationschemes.Privacyandsecurityissuesareevenmorecriticalinwirelesscommunicationsthaninwirednetworksbecausewirelesscommunicationisvulnerabletoattackslikechanneljamming,unauthorizedchannelaccessandeavesdropping.Overtheyears,solutionstotheseattackshavebeenengineeredusingalayeredapproachtosimplythedesignofcommunicationschemes.Asexamplesoflayered-speciedsecuritysolutions,spreadspectrummodulationtechniquesareusedwithaspreadingcodetoprovidefeatureslikelowprobabilityofdetection,interceptionandlocalizationtomitigatechanneljammingatthephysicallayer(PHY);admissioncontrolishandledatthemediumaccesscontrollayer(MAC)topreventunauthorizedaccess;andcryptographicprotocolslikeRSAandAESaredesignedandimplementedattheapplicationlayer(API)topreventeavesdropping.Theperformanceofcryptographicprotocolsistraditionallyassessedusingthenotionofcomputationalsecurity,whichreliesontheassumptionthatthecomputingresourcesattheeavesdropperarelimited.Essentially,computationalsecurityensuresthattheamountofcomputingtimeand/ormemoryrequiredtorecoversomeinformationexceedsthevalueofthatinformation.Physical-layersecurity,ontheotherhand,isanewparadigmthatfocusesonprovidingsolutionstovariousissuesofprivacyandsecurityusingtraditionalphysicallayertechniques.Physical-layersecurityaimsatdevelopingsecurecommunicationschemesbyexploitingchannelcharacteristicssuchaschannelfadingandnoises,whichhavehistoricallybeenviewedasimpairmentsfordatacommunicationbetweenterminals.Inaddition,physical-layersecurityschemesaredesignedtoprovideinformation-theoreticsecurityorunconditionalsecurity,whichoffersastrictersenseofsecuritythanconventionalcryptographysincenoassumptiononthecomputational 14

PAGE 15

poweroftheeavesdropper(wiretapper)isrequired.Inhisseminalpaper[ 1 ],Shannonprovidedtherstrigorousstatisticalandmathematicaltreatmentofsecrecy.HeconsideredacryptographicsysteminwhichasourceintendstosendamessageMtoadestinationthroughaninsecurechannel.Itisassumedthatawiretapperhasperfectaccesstotheinsecurechannel,i.e.,thewiretapperreceivesanidenticalcopyoftheencodedmessageCreceivedbythedestination,whereCisobtainedasafunctionofthemessageM.WenotethatMandCareusuallyreferredtoasplaintextandcipher-text,respectively,inacryptographicsystem.WealsonotethatasecretkeyKissharedbetweenthesourceanddestination.WhentheencodedmessageCisstatisticallyindependentofthemessageM,i.e.,I(C;M)=0,perfectsecrecyisachieved[ 1 ].ShannonprovedthatperfectsecrecycanbeachievedonlywhenthesecretkeyKisatleastaslongasthemessageM,i.e.,H(K)>H(M).Asaresult,hestatedthattheonlyencryptionschemesatisfyingtheunconditionalsecuritycriterionistheone-timepad[ 1 ]inwhichtheaboveentropyconditionismet.Shannon'sresultpresentsaverybigchallengeforachievingperfectsecrecybecauseofthepessimisticassumptionthatthewiretapperhasaccesstopreciselythesameinformationasthedestination.However,thisassumptionismuchmorerestrictivethanhasgenerallybeenrealized.Wyner[ 2 ]andlaterCsiszarandKorner[ 3 ]consideredamorereasonablescenarioinwhichthewiretapperisassumedtoreceivethemessagethroughachannelthatisnoisierthanthatofthedestination.Anevenmoregeneralmodelinwhichtheobservationsatthedestinationandwiretapperaredifferentbutcorrelatedisdiscussedin[ 4 ].Moreover,aweaker,butmoreconvenient,notionofsecuritywasemployedin[ 2 4 ],wheretheobjectiveofsecuretransmissionistohavethewiretapper'sequivocationratetobeaslargeastheinformationratefromthesourcetodestination.Thewiretapchannel,whichwasrstintroducedbyWyner[ 2 ]andlaterrenedbyCsiszarandKorner[ 3 ],isprobablythesimplestandmostwell-knownexampletoillustratetheideaofphysical-layersecurity.Inthewiretapchannel,asource 15

PAGE 16

triestosend(secret)informationtoadestinationinthepresenceofawiretapper.Whenthesource-to-wiretapperchannel1isa(physically)degradedversionofthesource-to-destinationchannel,Wyner[ 2 ]showedthatthesourcecantransmitamessageatapositive(secrecy)ratetothedestinationbyhidingthemessageundertheadditionalnoiselevelseenbythewiretapper.GeneralizationofWyner'sworktotheGaussianwiretapchannelwasconsideredin[ 5 ].Thedegradednessconditionwasremovedin[ 3 ],whichshowedthatapositivesecrecyrateispossibleforthecasewherethedestinationchannelismorecapablethanthewiretapperchannel.InWyner'soriginalpaper,hedescribedacodedesignbasedongroupcodesforthewiretapchannel.In[ 6 ],acodedesignbasedoncosetcodeswassuggestedforthetypeIIbinaryerasurewiretapchannel,inwhichthedestinationchanneliserrorfree.However,practicalcodestoachievesecrecyhaveonlybeenfoundforaverylimitedsetofchannels.Theauthorsof[ 7 ]constructedlow-densityparity-check(LDPC)-basedwiretapcodesforcertainbinaryerasurechannel(BEC)andbinarysymmetricchannel(BSC).Reference[ 8 ]consideredthedesignofsecurenestedcodesfortype-IIwiretapchannels.Recently,references[ 9 ]and[ 10 ]concurrentlyestablishedtheresultthatpolarcodes[ 11 ]canachievethesecrecycapacityofthedegradedbinary-inputsymmetric-output(BISO)wiretapchannels.Notethatallthesedesignsareforcodeswithasymptoticallylargeblocklengths.Insomescenarios,itissufcientfortwonodestoagreeuponacommonsecret(akey),insteadofhavingtosendsecretinformationfromonetotheother.Underthisrelaxedcriterion,itisshownin[ 12 ]that,withtheuseofafeedbackchannel,apositivekeyrateisachievablewhenthedestinationandwiretapperchannelsaretwoconditionallyindependent(giventhesourceinputsymbols)memorylessbinary 1Thesource-to-wiretapperandsource-to-destinationchannelswillhereafterbereferredtoaswiretapperanddestinationchannels,respectively. 16

PAGE 17

channels,evenifthedestinationchannelisnotmorecapablethanthewiretapperchannel.Thisnotionofsecretsharingisformalizedin[ 4 ]basedontheconceptofcommonrandomnessbetweenthesourceanddestination,wheretwodifferentsystemmodels,namelythesourcemodelwithwiretapper(SW)modelandthechannelmodelwithwiretapper(CW)model,arestudied.TheCWmodelissimilartothe(discretememoryless)wiretapchannelmodelthatwehavediscussedabove.TheSWmodeldiffersinthattherandomsymbolsobservedatthesource,destination,andwiretapperarerealizationsofadiscretememorylesssourcewithmultiplecomponents.Assumingtheavailabilityofaninteractive,authenticatedpublicchannelwithunlimitedcapacitybetweenthesourceanddestination,athree-phaseprocessofachievingsecretsharingoverthewiretapchannelissuggestedin[ 12 ].Thethreephasesareadvantagedistillation,informationreconciliationandprivacyamplication,inthatorder.Advantagedistillationaimstoprovidethedestinationanadvantageoverthewiretapper.Informationreconciliationaimsatgeneratinganidenticalrandomsequencebetweenthesourceanddestinationbyexploitingthepublicchannel.Privacyamplicationisthestepthatextractsasecretkeyfromtheidenticalrandomsequenceagreedbythesourceanddestination.Informationreconciliationisthemoststudiedandmostessentialpartofanysecret-sharingscheme.Itfallsintothecategoryofsecrecyextractionfromcorrelatedsourcesandhascloseconnectionstotheproblemofsourcecodingwithsideinformation.Perhapsthemostwell-knownpracticalapplicationofreconciliationprotocolsisquantumcryptography,wherenonorthogonalstatesofaquantumsystemprovidetwoterminalscorrelatedobservationsofrandomnesswhichareatleastpartiallysecretfromapotentialeavesdropper.Manyworks[ 13 ][ 19 ]havebeendevotedtothestudyofinformationreconciliationforbothdiscreteandcontinuousrandomvariablesinquantumkeydistribution(QKD)schemes.Forthecaseofdiscreterandomvariables,CascadeisaniterativereconciliationprotocolrstproposedbyBrassardandSalvailin[ 13 ]. 17

PAGE 18

Despitebeinghighlyinteractive,CascadeisthemostwidelyusedreconciliationprotocolinpracticalQKDsetupsbecauseofitssimplicityandreasonableefciency.VariationsaroundtheprincipleofinteractivereconciliationusedinCascadehavesincebeenproposedtolimittheinteractivity.Forexample,LDPCcodeshavebeenemployedin[ 19 ]toreducetheinteractivityandimprovetheefciencyofCascade.Ontheotherhand,theworkonsliceerrorcorrection(SEC)[ 15 ],whichconvertscontinuousvariablesintobinarystringsandmakesuseofinteractiveerrorcorrectingcodesistherstreconciliationprotocolforcontinuousrandomvariables.Moderncodingtechniquesliketurbocodes[ 14 ],andLDPCcodes[ 16 18 ]havebeenusedextensivelywithininformationreconciliationprotocolsforcontinuousrandomvariables.Anotherareaofapplicationofreconciliationprotocolsis(secret)keyagreementoverwirelesschannels.ManyLDPC-basedworkshavebeenproposedtoexploitchannelreciprocityforsecrecy.AnLDPC-basedmethodforsecrecyextractingfromjointlyGaussianrandomsourcesgeneratedbyaRayleighfadingmodelhasbeenstudiedin[ 17 ].In[ 18 ],multilevelcoding/multistagedecoding(MLC/MSD)-likereconciliationusingLDPCcodeshasbeenproposedforaquasi-staticRayleighfadingwiretapchannel.In[ 20 ],acodingschemebasedonpuncturedLDPCcodesforGaussianwiretapchannelswaspresentedtoreducethesecuritygap,whichexpressesthequalitydifferencebetweenthedestinationchannelandwiretapperchannelrequiredtoachieveasufcientlevelofsecurity.Inthisscheme,informationtobebekeptsecretispuncturedattheoutputofthechannelencodertomakeitmoredifcultforthewiretappertorecover.Tofurtherreducethesecuritygap,non-systematicLDPCcodeshavealsobeenexploitedtoperformreconciliationinGaussianwiretapchannelin[ 21 ],wheretheinformationbitsarescrambledbeforeencoding.Unfortunately,thecriterionofsecuritygapdoesnotreadilytranslateintothenotionofinformation-theoreticsecrecyemployedbyWyner[ 2 ]. 18

PAGE 19

Inthisdissertation,weconsidertheproblemofsecretsharing(secretkeyagreement)overwiretapchannels.Ourmaingoalistodevelopacodingstructurebasedonwhichpracticalclose-to-capacitysecret-sharing(key-agreement)codescanbeconstructed.Finiteblocklengthandmoderateencoder/decodercomplexityarethetwomainpracticalconstraintsthatweconsiderwhendesigningthesecodes.Moreover,theabilitytoadmitasystematicandefcientcodedesignisanotherfocusondevelopingsuchacodingstructure.InaccordancewithWyner'snotionofinformation-theoreticsecrecy,theperformanceofourdesignswillbemeasuredbytherateofsecretinformationsharedbetweenthesourceanddestination(whichwillbereferredtoasthekeyrate)aswellastherateofinformationthatisleakedtothewiretapperthroughallitsobservationsofthewiretapandpublicchannels(whichwillbereferredtoastheleakagerate).Theorganizationofthisdissertationisasfollows.Torigorouslygaugethesecrecyperformanceofourcodedesigns,Chapter 2 reviewstheclassesofpermissiblesecret-sharingstrategiessuggestedin[ 4 ]andthenintroducethenotionofrelaxedkeycapacity,whichisthemaximumkeyratethatcanbeachievedoverthewiretapchannelprovidedthattheleakagerateisboundedbelowaxedvalue.LDPCcodes,whichareusedextensivelythroughoutthisdissertation,arealsosummarizedanddiscussedinChapter 2 .Chapter 3 presentsasecret-sharingschemeemployinganensembleofregularLDPCcodesforGaussianwiretapchannelwithbinaryphase-shift-keyed(BPSK)sourcesymbolsandhard-decisiondestinationquantization.Weprovethattheproposedsecret-sharingschemeachievestherelaxedkeycapacitywithasymptoticallylargeblocklength.WenotethatasimilarLDPC-basedkey-agreementschemeemployingobservationsofcorrelateddiscretestationarysourcesatthesource,destination,andwiretapperwasstudiedin[ 16 ].Amoredetailedcomparisonbetweenourschemeandtheoneproposedin[ 16 ]willbeprovidedinthesequel.Theaforementionedasymptoticresultprovidesusareasonabletheoreticaljusticationtodesignpracticalsecret-sharing 19

PAGE 20

schemesbasedontheproposedcodingstructure.WethusproposetoreplacetheregularLDPCcodeensemblewithxedLDPCcodesthataremoreamenabletopracticalimplementation.Wealsodescribeacodesearchprocessbasedondensity-evolutionanalysistoobtaingoodirregularLDPCcodesforuseintheproposedsecret-sharingscheme.InChapter 4 ,theproposedsecret-sharingschemeisextendedandimprovedtoincludethecaseinwhichthesourcetransmitsM-aryequiprobablepulse-amplitudemodulation(PAM)symbols.Weshowthatthesecret-sharingproblemcanbetranslatedintothedesignofMirregularLDPCcodesandeachofthemisdesignedtoworkoverthecorrespondingequivalentbinary-inputwiretapchannels.TheproposedcodesearchprocesswillthenbemodiedtosystematicallydesignirregularLDPCcodestoachievegoodsecrecyperformance.InChapter 5 ,thefast-fadingwiretapchannelisconsidered.Weshowthatthein-phaseandquadrature-phasecomponentsofthefast-fadingwiretapchannelcanbeconsideredseparately.Slightmodicationsarealsomadetotheproposedsecret-sharingschemeandcodesearchprocesstoworkoverthefast-fadingwiretapchannel.Finally,conclusionswillbegiveninChapter 6 20

PAGE 21

CHAPTER2FUNDAMENTALSOFSECRETSHARING 2.1NotationsWestartbyintroducingsomecommonlyusednotationsinthisdissertation.Scalarsaredenotedbynormallettersx,randomvariablesaredenotedbycapitallettersX,matricesaredenotedbyboldfacelettersX.Intherestofdissertation,weusexnandxtorepresenttherowvectorconstructedfromthesequencefx1,x2,...,xnginterchangeably.Wealsouse()T,()and())]TJ /F7 7.97 Tf 6.59 0 Td[(1todenotetranspose,conjugatetransposeandinverseofanymatrixrespectively.The(Shannon)entropyofarandomvariableandthe(Shannon)mutualinformationbetweentworandomvariablesaredenotedbyH()andI(;),respectively.WeusePrfAgtodenotetheprobabilityofaneventA.Theprobabilitydensityfunction(pdf)ofa(continuous)randomvariableXisdenotedbypX(x)andtheconditionaldensityofXgivenanother(continuous)randomvariableYisdenotedbypXjY(xjy).Throughoutthisdissertation,wedropthesubscriptsinpdfswhenevertheconcernedrandomvariablesarewellspeciedbytheargumentsofthepdfs. 2.2PermissibleSecret-SharingStrategiesandRelaxedKeyCapacityIn[ 2 ],Wynerintroducedtheclassicalwiretapchannelwhichconsistsofthreeterminals,namelyasource,adestinationandaneavesdropper(wiretapper).Thesourceattemptstosendasecretmessagetoadestinationinthepresenceofawiretapper.Thewiretapchannelisdenedbyatriple(X,Y,Z),whereXisthesymbolsentbythesource,andYandZdenotethecorrespondingsymbolsobservedbythedestinationandwiretapper,respectively.Inthisdissertation,weconsiderthewiretapchanneltobememorylessandspeciedbytheconditionalpdfpY,ZjX(y,zjx).Inaddition,werestrictourselvestocasesinwhichYandZareconditionallyindependentgivenX,i.e.,pY,ZjX(y,zjx)=pYjX(yjx)pZjX(zjx),whichisareasonablemodelforthenatureofbroadcastinginwirelesscommunication.Inadditiontothewiretapchannel,thereisan 21

PAGE 22

interactive,authenticated,pubicchannelwithunlimitedcapacitybetweenthesourceanddestination.Here,interactivemeansthatthechannelistwo-wayandcanbeusedmultipletimes,authenticatedandpublicmeanthatthewiretappercanperfectlyobserveallcommunicationsoverthepublicchannelbutcannottamperwiththemessagestransmitted,andunlimitedcapacitymeansthatthechannelisnoiselessandhasinnitecapacity.Theobjectiveofsecretsharingisforthesourceanddestinationtosharesecretinformation,thatisobscuretothewiretapper,byexploitingcommonrandomness[ 4 ]availabletothemthroughthewiretapchannel.Thecommonrandomnessistobeextractedbyapropercombinationoftransmissionfromthesourcetothedestinationthroughthewiretapchannel(X,Y,Z)andinformationexchangesbetweenthemoverthepublicchannel.Tosystematicallytackletheproblemofsecretsharing,aclassofpermissiblesecret-sharingstrategies,whichisdescribedindetailbelow,iselegantlysuggestedin[ 4 ].Considerttimeinstantslabeledby1,2,...,t,respectively.Thewiretapchannelisusedntimesduringthesettimeinstantsati1
PAGE 23

Attheendofthettimeinstants,thesourcegeneratesitssecretkeyK=K(MX,t),andthedestinationgeneratesitssecretkeyL=L(MY,Yn,t),whereKandLtakesvaluesfromthesamenitesetK.Slightlyextendingtheachievablekeyratedenitionin[ 4 ],forRl0,wecall(R,Rl)anachievablekey-leakageratepairthroughthewiretapchannel(X,Y,Z)ifforevery">0,thereexistsapermissiblesecret-sharingstrategyoftheformdescribedabovesuchthat 1. PrfK6=Lg<", 2. 1 nI(K;t,t)<", 3. 1 nI(K;Znjt,t)R)]TJ /F6 11.955 Tf 11.96 0 Td[(",and 5. 1 nlog2jKj<1 nH(K)+"forsufcientlylargen.Condition1meansthatthesourceandthedestinationhaveindeedgeneratedacommonkeywithasmallprobabilityoferror.Condition2restrictsthatthepublicmessages(themessagesconveyedthroughthepublicchannel)containnegligiblerateofinformationaboutthekey,whileCondition3limitstoRltherateofkeyinformationthatthewiretappercanextractfromitsownchannelobservationsgiventhepublicmessages.NotethatCondition3)istriviallysatisedifRl1 nlog2jKj.WhenRl=0,wenotethatConditions2and3combinetoessentiallygivetheoriginalcondition1 nI(K;Zn,t,t)<"oftheachievablekeyratedenitionin[ 4 ]1.Condition4denestherateofthesecretkeyachieved,andCondition5meansthatthedistributionofthekeyin 1WhenRl>0,ifthecombinedcondition1 nI(K;Zn,t,t)
PAGE 24

nearlyuniform.ForthecasesinwhichthealphabetofXisnotnite,wealsoimposethefollowingpowerconstrainttothesymbolsequenceXnsentoutbythesource: 1 nnXj=1jXjj2P(2)withprobabilityone(w.p.1)forsufcientlylargen.Wenotethattheideaofkey-leakageratepairissimilartothatofthesecrecy-equivocationratepairoriginallydenedin[ 2 ].TheRl-relaxedkeycapacityisdenedasthemaximumvalueofRsuchthat(R,Rl)isanachievablekey-leakageratepair.Themainreasonforustointroducethenotionofrelaxedkeycapacityistoemployitasagaugetomeasuretheperformanceofpracticalcodeslaterpresentedinthisdissertation.Sincethesecodeshaveniteblocklengthsandaretobedecodedbythebeliefpropagation(BP)algorithm,theydonotachievezeroleakagerate.Thususingtherelaxedkeycapacityprovidesamoresuitablecomparisonthanusingtheoriginalstraightkeycapacityin[ 4 ].Also,sincethesepracticalcodesdonotgivezeroleakagerate,theirusecouldbeconsideredasaninformation-reconciliationstep.Thesecrecyperformancecouldbefurtherimprovedbyadditionalprivacyamplication.Ingeneral,the(secret)keycapacityforwiretapchannelsremainsachallengingopenproblem.Ontheotherhand,forwiretapchannelsthatsatisfytheaforementionedconditionalindependencerequirement,wehavethefollowingresult,whoseproofisgiveninAppendixA: Theorem2.1. TheRl-relaxedkeycapacityofthememorylesswiretapchannel(X,Y,Z)withconditionalpdfp(y,zjx)=p(yjx)p(zjx)isgivenbyCK(Rl)=maxX:E[jXj2]P[minfI(X;Y))]TJ /F4 11.955 Tf 11.96 0 Td[(I(Y;Z)+Rl,I(X;Y)g]. 2.3Low-DensityParity-Check(LDPC)codesOneofthemajorreasonsformakingsecret-sharingschemespracticallyimplementablewasthedevelopmentofcapacity-approachingcodeswithreasonableencoding/decoding 24

PAGE 25

complexity.Inthesection,weprovideareviewofanimportantclassofcapacityapproachingcodes,namelylow-densityparity-check(LDPC)codes[ 22 23 ],whichwillbeusedextensivelythroughoutthisdissertation.LDPCcodeswereproposedbyGallagerin1962[ 22 24 ].However,thefullpotentialofthesecodeswasnotrealizeduntilalmost35yearslaterwhentheywererediscoveredbyMcKayandNeal[ 23 ].TheprimaryreasonthatthesecodeswereforgottenbythecodingcommunityisthatatthetimeoftheirdevelopmentbyGallager,thesecodescouldnotbeusedinanypracticalcommunicationschemebecauseofinsufcientcomputationalpower.LDPCcodesarelinearblockcodescharacterizedbythecorrespondingparity-checkmatrixH,whichisanon-systematicandsparsematrix.ThesetofcodewordsofanLDPCcodecanbeexpressedasthenullspaceofthecorrespondingH,i.e.,xisacodewordifandonlyifxHT=0.GallagerproposedaclassofLDPCcodesthatarenowreferredtoasregularLDPCcodesbecausetheyhaveanequalnumberof1sineachrowandcolumnoftheirparity-checkmatrices.An(n,l)(j,k)-regularLDPCcodehasaparity-checkmatrixwithncolumns,n)]TJ /F4 11.955 Tf 12.43 0 Td[(lrows,j1'spercolumn,andk1'sperrow.AusefulobservationisthatanLDPCcodecanberepresentedasaTannergraph[ 25 ],whichisabipartitegraph,betweenasetofvariablenodesandchecknodes.Forexample,Figure 2-1A showsthebipartitegraphofthe(12,6)(3,6)-regularLDPCcodewithparity-checkmatrix H=26666666666666641110011000101111100000010000011101111001000111010101101110000010110011103777777777777775.(2)InFigure 2-1 ,thevariablenodescorrespondtothecodesymbols,andthechecknodescorrespondtotheparity-checkconstraintsfromtheparity-checkmatrix.Forregular 25

PAGE 26

ABipartitegraphofthe(12,6)(3,6)-regularLDPCcode. BBipartitegraphofanirregu-larLDPCcode.Figure2-1. ExamplesofbipartitegraphsofLDPCcodes. LDPCcodes,eachtypeofnodeshasthesamenumberofconnectionstotheothertypeofnodes.Thenumberofconnectionsiscalledthedegreeofthenodes.Sincetheparity-checkmatrixhaslowdensity,thedegreeofeachtypeofnodesissmall.TheperformanceofLDPCcodeswasfurtherimprovedbytheirgeneralizationtoirregularLDPCcodesthathavevaryingnumbersof1'sintherowsandcolumnsoftheirparity-checkmatrices.ThisisequivalenttoallowingdifferentnodesintheTannergraphtohavedifferentdegrees.IrregularLDPCcodesarespeciedbytheirvariable26

PAGE 27

AThersthalfiteration. BThesecondhalfiteration.Figure2-2. Therstandthesecondhalfiterationofbeliefpropagationalgorithm. andcheck-nodedegreedistributionpolynomials,namely(x)=Pdvi=2ixi)]TJ /F7 7.97 Tf 6.59 0 Td[(1and(x)=Pdci=2ixi)]TJ /F7 7.97 Tf 6.59 0 Td[(1,wherei(i)representsthefractionofedgesemanatingfromthevariable(check)nodesofdegreei.Thecoderateassociatedwiththe(irregular)LDPCcodeswithdegreedistributionpairs(,)isgivenby1)]TJ /F18 7.97 Tf 14.03 12.56 Td[(R(x)dx R(x)dx.ThebipartitegraphofanirregularlDPCcodewithdegreedistributionpairs(x)=0.4x+0.6x2and(x)=0.6x2+0.4x3isshowninFigure 2-1B .TheearlyworkonirregularLDPCcodeswasfocusedonthedesignofcodesfortheerasurechannelthathavegoodperformanceandlowencodinganddecodingcomplexity[ 26 28 ].Ratherthanndingspeciccodes,however,thetechniquesin[ 26 28 ]givewaystonddegreedistributionsforensemblesofcodesthatoffergoodaverageperformance.Thisapproachwasextendedin[ 29 30 ]tomanyotherchannels,includingthebinary-inputadditivewhiteGaussiannoise(AWGN)channel.Byoptimizingthedegreedistribution,irregularLDPCcodescanachieveperformanceextremelyclosetothechannelcapacity.Forexample,irregularLDPCcodeshavebeendesignedthatcanachieveperformancewithin0.0045dBofthecapacityofthebinary-inputAWGNchannel[ 31 ].LDPCcodescanbedecodedusingbeliefpropagationalgorithms(BPAs),whichcanbevisualizedascomputingandexchangingsoft-informationiterativelyamongthevariableandchecknodesintheTannergraph.Letd=(d1,...,dn)bethetransmittedcodeword,andy=d+nbethereceivedsequence.TheBPAsestimatetheaposteriori 27

PAGE 28

LLRsforthecodedbits, L(di)=logPrfdi=+1jyg Prfdi=)]TJ /F3 11.955 Tf 9.3 0 Td[(1jyg,(2)fori=1,...,n.Notethatunliketurbocodes[ 32 ],LDPCcodesaretypicallynon-systematiccodes,andtheBPAestimatesthevaluesforthecodedbits,notthemessagebits.Themessagebitscanberecoveredfromtheestimatedcodewordthroughmatrixoperations.InBPAs,computationisperformedateachvertexofthegraph,andmessagesareexchangedalongtheedges.FortheLDPCcodes,theverticesareeitherchecknodesorvariablenodes.Althoughmanydifferentmessage-passingschedulesarepossible,itisconvenienttodiscusstheBPAasaniterativeprocessinwhicheachiterationconsistsoftwosteps.Intherststep,thechecknodesperformcomputationsonmessagesreceivedfromthevariablenodes.Inthesecondstep,thevariablenodesperformcomputationonmessagesreceivedfromthechecknodes.BPAsareusuallyperformedundertheassumptionthatthemessagesinvolvedinthealgorithmareindependent.Althoughthisistrueforcertaintypesofgraphs,suchastrees,itisnottrueformostcodesofinterest,includingtheLDPCcodes.Thus,theresultingalgorithmisanapproximationtotheMAPdecoder,evenifthecomputationsperformedatthevariableandchecknodesaredoneaccordingtotheMAPrule.Thesum-productalgorithm(SPA)(cf.[ 33 ])isthemostpopularformofBPAtodecodeLDPCcodesbecauseofitssimpleimplementation.WenowbrieyoverviewtheSPAasfollows.ThevariablenodesinputmessagesconsistingofthechannelLLRsL(yj)andextrinsicinformationfromthechecknodes.Let~lk(dj)betheextrinsicinformationfromthekthchecknodeaboutcodedbitj,andlet li(dj)bethesumofthechannelLLRandextrinsicinformationaboutcodebitjtotheithchecknode.Thenbyapplyingtheindependenceassumption, li(dj)isthesumoftheLLRsreceivedonalloftheedgesintothevariablenodej,exceptfortheLLRreceivedontheedgefromcheck 28

PAGE 29

nodei.Thatis, li(dj)=L(yj)+Xk6=i~lk(dj).ThisprocessingisillustratedinFigure 2-2A .Notethatatthebeginningoftherstiteration,thevariablenodeshavenotreceivedanymessagesyet,sothevariablenodejhasonlytheLLRofthechannelobservationL(yj).EachvariablenodepassesamessageequaltothechannelLLRL(yj)ontheverticestoeachofthechecknodestowhichitisconnected.Eachchecknodeenforcesaparitycheckequationfromthelowdensityparity-checkmatrixoftheLDPCcodes.Letsi2f+1,)]TJ /F3 11.955 Tf 9.3 0 Td[(1gdenotestheassociatedparityofthei-thparitycheckequation2.Thechecknodesusethemessagesfromthevariablenodestocomputeextrinsicinformationtopassbacktothevariablenodes.Theextrinsicinformationaboutbitdjfromchecknodei,~li(dj),isgivenby[ 34 ] ~li(dj)=2tanh)]TJ /F7 7.97 Tf 6.58 0 Td[(1(siY`6=jtanh li(d`) 2)(2)andillustratedinFigure 2-2B .Aftersomestoppingcriterionhasbeenmet,thedecodercomputestheLLRandmakesadecisiononthebitsdjaccordingto^dj=sgn(L(yj)+Xi~li(dj)),wheresgnisthesignumfunction.WenotethattheaboveSPAisknownastheprobability-domainSPA.Similartotheprobability-domainViterbi[ 35 ]andBahl-Cocke-Jelinek-Raviv(BCJR)[ 36 ]algorithms,theprobability-domainSPAsuffersfromnumericalinstabilitybecauseofinvolvingmultiplicationsofprobabilities.Thus,alog-domainversionofSPAisusuallypreferredforpracticalimplementation. 2InconventionalLDPCcodes,si=+1foralli. 29

PAGE 30

CHAPTER3SECRET-SHARINGLDPCCODESFORBPSK-CONSTRAINEDGAUSSIANWIRETAPCHANNELInspiredbytheachievabilityproofofTheorem 2.1 (cf.AppendixA),wewilldevelopasecret-sharingschemeemployingthepowerfulLDPCcodesinthischapter.Ourmaingoalistodevelopapracticalsecret-sharingschemesuchthatasystematicandefcientapproachtocodedesigncanbeconstructedtondLDPCcodesthatgivegoodsecrecyperformance. 3.1BPSK-constrainedGaussianWiretapChannelInthischapter,wefocusontheGaussianwiretapchannelinwhichthedestinationandwiretapperchannelsarebothAWGNchannels.WealsorestrictthesourcetotransmitonlyBPSKsymbols.Morespecically,letXi2f1gbetheithtransmitsymbolfromthesource,andletYiandZibethecorrespondingreceivedsymbolsatthedestinationandwiretapper,respectively.TheGaussianwiretapchannelcanthenbemodeledas Yi=Xi+NiZi=Xi+~Ni,(3)whereNiand~Niarei.i.d.zero-meanGaussianrandomvariablesofvariance2.NotethatisthegainoftheBPSKsymbolstransmittedbythesource.Bythesourcepowerconstraint( 2 ),wehave2P.Also,isapositiveconstantwhichmodelsthegainadvantageofthewiretapperoverthedestination.Letthe(noise)normalizedgainbe~==.Thenthereceivedsignal-to-noiseratios(SNRs)atthedestinationandwiretapperare2=2and22=2,respectively.Clearly,theGaussianwiretapchannelsatisesthememorylessandconditionalindependentpropertiesrequiredinTheorem 2.1 30

PAGE 31

SpecializingTheorem 2.1 totheBPSK-constrainedGaussianwiretapchannel,itisnothardtoshow1thattheRl-relaxedkeycapacityisgivenby Cb(Rl)=max0~q P 2(min1 2Z10Z10H2 1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~ye)]TJ /F7 7.97 Tf 6.58 0 Td[(2~z [1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~y][1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z]!h1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~yih1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~ziexp")]TJ /F3 11.955 Tf 10.5 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.66 Td[(~)2 2)]TJ /F3 11.955 Tf 13.15 8.09 Td[((z)]TJ /F6 11.955 Tf 11.95 0 Td[(~)2 2#dydz+Rl,1)]TJ /F3 11.955 Tf 21.67 8.09 Td[(1 p 2Z10H21 1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~y1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~yexp")]TJ /F3 11.955 Tf 10.49 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.66 Td[(~)2 2#dy), (3) whereH2(p)=)]TJ /F4 11.955 Tf 9.3 0 Td[(plog2p)]TJ /F3 11.955 Tf 12.41 0 Td[((1)]TJ /F4 11.955 Tf 12.41 0 Td[(p)log2(1)]TJ /F4 11.955 Tf 12.41 0 Td[(p)isthebinaryentropyfunction.WenotethatCb(Rl)isachievedwhenXisequiprobable;however,itisnotnecessarilyachievedbytransmittingatthemaximumallowablepowerP.TheachievabilityproofofTheorem 2.1 (cf.AppendixA)employsrandomWyner-Zivcoding,inwhichthereceivedsymbolsatthedestinationneedtobequantizedduetothefactthatthechannelalphabetatthedestinationintheGaussianwiretapchanneliscontinuouslydistributed.Inthischapter,weconsiderasimplesymbol-by-symbolhard-decisionquantizationschemeinwhichtheithquantizeddestinationsymbol^Yi=sgn(Yi).Notethatthisquantizationissuboptimalandleadstoalossinkeycapacity.WequantifythislossbyapplyingTheorem 2.1 totheBPSK-constrainedGaussianwiretapchannelwithhard-decisionquantizationatthedestinationtocalculatetheRl-relaxedkeycapacityCbq(Rl).UsingthestandardnotationQ(x)=R1xe)]TJ /F13 5.978 Tf 5.76 0 Td[(u2=2 p 2du,itisnothardtoestablish1that Cbq(Rl)=max0~q P 2hminfCs(~))]TJ /F4 11.955 Tf 11.96 0 Td[(Cw(~)+Rl,Cs(~)gi,(3) 1Fortheproofsof( 3 )and( 3 ),seeAppendixC. 31

PAGE 32

where Cs(~)=1)]TJ /F4 11.955 Tf 11.96 0 Td[(H2(Q(~)) (3) Cw(~)=1)]TJ /F3 11.955 Tf 21.67 8.08 Td[(1 p 2Z10H2 Q(~)+[1)]TJ /F4 11.955 Tf 11.95 0 Td[(Q(~)]e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z 1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z![1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z]exp")]TJ /F3 11.955 Tf 10.49 8.09 Td[((z)]TJ /F6 11.955 Tf 11.96 0 Td[(~)2 2#dz. (3) are,respectively,thecapacitiesofthequantized-destination-to-sourceandquantized-destination-to-wiretapperchannelsatnormalizedgain~.Likebefore,Cbq(Rl)isachievedwhenXisequiprobable,butitisnotnecessarilyachievedbytransmittingatthemaximumallowablepowerP.Tovisualizethelossinkeycapacity, Figure3-1 illustratesCb(Rl)andCbq(Rl)versusthemaximumallowableSNR(P=2)fordifferentvaluesofRl.Wecanseethatthelossinkeycapacityduetothehard-decisionquantizationisnomorethan0.07bitsper(wiretap)channeluse(bpcu)forthecasesshown. 3.2Secret-SharingSchemeEmployingRegularLDPCCodeEnsemblesAsmentionedabove,theachievabilityproofofTheorem 2.1 inAppendixAemploysasecret-sharingschemewithrandomWyner-Zivcoding.FortheBPSK-constrainedGaussianwiretapchannelwithdestinationhard-decisionquantization,weshowinthissectionthatasecret-sharingschemethatemploysaproperlyconstructedensembleofregularLDPCcodescanalsoasymptoticallyachievetheRl-relaxedkeycapacity.Wedesignpracticalsecret-sharingschemesfortheBPSK-constrainedGaussianwiretapchannelinSection 3.3 basedontheLDPCcodingstructureproposedhere.Tostartdescribingtheproposedsecret-sharingscheme,letusconsideran(n,l)binarylinearblockcodeCwith2ldistinctcodewordsoflengthnandan(l)]TJ /F4 11.955 Tf -418.02 -23.9 Td[(k)-dimensionalsubspaceWinC.Thepair(C,W)deneswhatwecallan(n,l,k)secret-sharingbinarylinearblockcode.Givenanysuch(C,W)pair,letKbethequotientofCbyW.ThenKisalinearspaceof2kdistinctcosetsoftheform^xn+W, 32

PAGE 33

Figure3-1. ComparisonbetweentherelaxedkeycapacitiesCbandCbqovertheBPSKconstrainedGaussianwiretapchannel. where^xn2C.WewillusethecosetindexinKasthesecretkey.WewillseelaterthattheorderingofthecosetsinKisimmaterial.TheratiosRc=l nandRk=k nwillbereferredtoasthecoderateandkeyrateofthe(n,l,k)secret-sharingbinarylinearblockcode,respectively.Next,weconsiderthefollowingrandomensembleof(n,l,k)secret-sharingbinarylinearblockcodes: The(n,l)linearblockcodeCischosenuniformlyfromtheensembleof(dv,dc)-regularLDPCcodesconsideredin[ 29 ].Thatis,weconsiderthatCischosenuniformlyfromthesetofallbipartitegraphs[ 25 ]withndegree-dvvariablenodesandn)]TJ /F4 11.955 Tf 12.36 0 Td[(ldegree-dcchecknodes. 33

PAGE 34

ThesubspaceWischosenuniformlyoverthesetofallpossible(l)]TJ /F4 11.955 Tf 9.43 0 Td[(k)-dimensionalsubspacesinC.NotethatarealizationoftherandomlychosenCmayactuallyhave2l0distinctcodewords,wherel0>l.Insuchcase,Kwillbeofdimensionk+l0)]TJ /F4 11.955 Tf 12 0 Td[(l;sotheactualkeyratewillbelargerthanRk.Hence,wecanconservativelyassumeCisalwaysan(n,l)linearcodewith2ldistinctcodewordstosimplifythenotationbelow.Considerthefollowingsecret-sharingscheme: 1. Randomsourcetransmissionanddestinationquantization:ThesourcerandomlygeneratesasequenceXnofni.i.d.equallylikelyBPSKsymbolsandtransmitsthemconsecutivelyovertheGaussianwiretapchannel(X,Y,Z).ThedestinationreceivesthesequenceYnandobtainsthequantizedsequence~Ynbyperformingsymbol-by-symbolhard-decisionquantizationonYn,i.e.,~Yj=sgn(Yj).Thisquantizationeffectivelyturnsthesource-to-destinationchannelintoaBSC,whosecross-overprobabilitydependsontheSNRoftheoriginalsource-to-destinationchannel.WenotethatthewiretapperalsoobservesZnthroughthesource-to-wiretapperchannel. 2. SyndromegenerationthroughLDPCencodingatdestination:Thenextstepisforthedestinationtofeedacompressedversionof~YnbacktothesourcethroughthepublicchannelsothatthesourcecanresolvethedifferencesbetweenXnand~Yn.Thisissimilartotheproblemconsideredin[ 37 ]ofcompressinganequiprobablememorylessbinarysourcewithsideinformationusingLDPCcodes.Moreprecisely,thedestinationselects(C,W)randomlyfromtheensembleofsecret-sharing(dv,dc)-regularLDPCcodesdescribedabove.ItthengeneratesthesyndromesequenceSn)]TJ /F5 7.97 Tf 6.59 0 Td[(l=~YnHT,whereHisaparity-checkmatrixofC.WenotethateachSn)]TJ /F5 7.97 Tf 6.59 0 Td[(luniquelycorrespondstoacosetEnS+C.Further,thedestinationdetermineswhichcosetinKthatXn0=~Yn+EnS2Cbelongs.Denotethatcosetby^Xn0+W.Finally,thedestinationsendsEnS,C,andWbacktothesourceviathepublicchannel. 3. Decodingatsource:ThesourcethentriestodecodeforXn0fromobservingXnandEnSaccordingto(C,W).TreatingXn+EnSasanoisyversionofXn0,itperformsmaximumlikelihood(ML)decodingtoobtainacodewordinCandthendeterminestowhichcosetinKthedecodedcodewordbelongs.Denotethatcosetby^Xn+W. 4. Keygenerationatsourceanddestination:ThedestinationsetsitskeyLtobeindexof^Xn0+WinK.Similarly,thesourcesetsitskeyKtobetheindexof^Xn+WinK. 34

PAGE 35

Itisclearthatthissecret-sharingschemeispermissible.Indeed,underthenotationofSection 2.2 ,fortheproposedsecret-sharingscheme,t=n+1,ij=jforj=1,2,...,n,MX=Xn,MY=(C,W),andn+1=(EnS,C,W)istheonlymessagesentviathepublicchannel.Hence,wecanevaluatethesecrecyperformanceoftheschemeinthecontextofitsachievablekeyratedenedinSection 2.2 asfollows.First,basedonthelinearityofLDPCcodes,thememorylessnatureoftheGaussianwiretapchannel,thechosendistributionofXn,andthesymbol-by-symbolharddecisionperformedtoobtain~Ynatthedestination,itiseasytocheckthatH(~Yn)=n,H(EnSjC,W)=n)]TJ /F4 11.955 Tf 12.98 0 Td[(l,H(LjC,W)=k,andI(L;EnSjC,W)=0.Then,0I(L;EnS,C,W)=I(L;C,W)=H(L))]TJ /F4 11.955 Tf 13.26 0 Td[(H(LjC,W)k)]TJ /F4 11.955 Tf 13.27 0 Td[(k=0.Hence,I(L;EnS,C,W)=0,I(L;C,W)=0,andH(L)=k.Ifthedecodingprocessatthesourceachievestheensembleaverageerrorprobabilitys,thenwehavePrfK6=Lgs.Thus,H(KjL)1+ksandH(LjK)1+ksbyFano'sinequality[ 38 ].Thatinturnimplies1 nI(K;EnS,C,W)=1 n[I(L;EnS,C,W)+I(K;EnS,C,WjL))]TJ /F4 11.955 Tf 12.67 0 Td[(I(L;EnS,C,WjK)]1 nI(K;EnS,C,WjL)1 nH(KjL)Rks+1 nand 1 nH(K)=1 n[H(L)+H(KjL))]TJ /F4 11.955 Tf 11.95 0 Td[(H(LjK)]Rk)]TJ /F4 11.955 Tf 11.96 0 Td[(Rks)]TJ /F3 11.955 Tf 13.26 8.09 Td[(1 n. (3) Hence,Conditions2and5inSection 2.2 aresatisedwhennissufcientlylargeifscanbemadearbitrarilysmall.Similarly, I(K;Zn,EnS,C,W)=I(L;Zn,EnS,C,W)+I(K;Zn,EnS,C,WjL))]TJ /F4 11.955 Tf 11.96 0 Td[(I(L;Zn,EnS,C,WjK)I(L;Zn,EnS,C,W)+I(K;Zn,EnS,C,WjL)I(L;Zn,EnS,C,W)+H(KjL)I(L;Zn,EnS,C,W)+ks+1=I(L;Zn,EnSjC,W)+ks+1, (3) 35

PAGE 36

wherethelastlineisduetothefactthatI(L;C,W)=0.Here, I(L;Zn,EnSjC,W)=H(LjC,W)+H(EnSjZn,C,W))]TJ /F4 11.955 Tf 11.96 0 Td[(H(L,EnSjZn,C,W)=H(LjC,W)+H(EnSjZn,C,W)+H(~YnjZn,L,EnS,C,W))]TJ /F4 11.955 Tf 9.29 0 Td[(H(L,EnS,~YnjZn,C,W)H(LjC,W)+H(EnSjC,W)+H(~YnjZn,L,EnS))]TJ /F4 11.955 Tf 11.96 0 Td[(H(~YnjZn,C,W)=H(LjC,W)+H(EnSjC,W)+H(~YnjZn,L,EnS))]TJ /F4 11.955 Tf 11.96 0 Td[(H(~Yn)+I(~Yn;Zn), (3) wherethelastequalityfollowsfromthefactthat(~Yn,Zn)isindependentof(C,W).AlsoI(~Yn;Zn)=nI(~Y;Z)=nCw(~)becauseofthememorylessnatureofthechannelfrom~YntoZnandofthefactthatthePr(~Y=+1)=Pr(~Y=)]TJ /F3 11.955 Tf 9.3 0 Td[(1)=0.5achievesthecapacityofthischannel.Moreover,consideractitiousreceiveratthewiretappertryingtodecodefor~YnfromobservingZn,EnS,and^Xn0(orLequivalently).Supposethattheensembleaverageerrorprobabilityachievedbythisreceiver,employingMLdecoding,isw.ThenwehaveH(~YnjZn,L,EnS)1+(l)]TJ /F4 11.955 Tf 12.06 0 Td[(k)wagainbyFano'sinequality.Puttingalltheseand( 3 )backinto( 3 ),weobtain 1 nI(K;ZnjEnS,C,W)1 nI(K;Zn,EnS,C,W)Cw(~))]TJ /F3 11.955 Tf 11.95 0 Td[((Rc)]TJ /F4 11.955 Tf 11.95 0 Td[(Rk)+Rks+(Rc)]TJ /F4 11.955 Tf 11.95 0 Td[(Rk)w+2 n. (3) Theprecedingsecrecyanalysisoftheproposedsecret-sharingschemebasedonthesecret-sharingregularLDPCcodeensemblesallowsustoarriveatthefollowingresult: Theorem3.1. Fix~>0.SupposethatCw(~)RcCs(~).ForanyRl0,chooseRk=minfRc)]TJ /F4 11.955 Tf 12.93 0 Td[(Cw(~)+Rl,Rcg.Then(Rk,Rl)isanachievablekey-leakageratepairthroughtheBPSK-constrainedGaussianwiretapchannelwithsymbol-by-symbolhard-decisiondestinationquantization.Moreover,thisratepaircanbeachievedbythe 36

PAGE 37

aforementionedsecret-sharingschemeusingthesecret-sharing(dv,dc)-regularLDPCcodeensembledescribedbeforewhennincreases. Proof. First,supposethatRc0.SinceRcCw(~),Rk>0.ThenRc)]TJ /F4 11.955 Tf 12.27 0 Td[(Rk=maxfCw(~))]TJ /F4 11.955 Tf 12.27 0 Td[(Rl,0g0,supposethatRc0(forRk=0),and 3. sdecreasespolynomiallywithincreasingn.Finally,notethatthebefore-imposedrestrictionsRc0canberemovedsincethekey-leakagerateregionisclosed. AcomparisonofTheorem 3.1 and( 3 )showsthattherestrictiontothesecretsharingregularLDPCcodeensembledescribedinthissectiondoesnotreducetherelaxedkeycapacityoftheBPSK-constrainedGaussianwiretapchannelwithdestinationhard-decisionquantization. 37

PAGE 38

AsmentionedinChapter 1 ,asimilarLDPC-basedkey-agreementschemeemployingobservationsofcorrelateddiscretestationarysourcesatthesource,destination,andwiretapperwasstudiedin[ 16 ].AfterStep1)ofourproposedsecretsharingscheme,theobservationsXn,~Yn,andZnatthethreeterminalscanbeviewedasgeneratedfromcorrelatedsources;thusreducingourmodeltotheoneconsideredin[ 16 ]2,exceptthatthewiretapperalphabetiscontinuousinourcase.Asinourscheme,theschemein[ 16 ]hasthesyndromeSn)]TJ /F5 7.97 Tf 6.59 0 Td[(lof~Ynsenttothesource.Ontheotherhand,thekeyin[ 16 ]isobtainedbycalculatingthesyndromeof~YnwithrespecttoanotherindependentlyselectedLDPCcode.Theschemein[ 16 ]isshowntoachievekeycapacityviaasimilarapproachasours.First,theconsiderationofleakageinformationisconvertedtothatoftheerrorprobabilitiesachievedbydecodersatthesourceandwiretapperbyanupperboundsimilarto( 3 )forapairofxedLDPCcodes(cf.Eqn.( 3 )).Then,theexistenceofaxedcodepairwithvanishingerrorprobabilitiesisshownviaaMLdecodingerroranalysisofthecodeensemblebasedonthemethodoftypes[ 40 ].Becauseofthecontinuouswiretapperalphabet,theMLdecodingerroranalysisin[ 16 ]doesnotdirectlyapplytoourcase.Hence,wehaveoptedforthecombinedunionandShulman-Federboundingtechniquein[ 39 ],whichdoes,however,requiretheBISOnatureofthechannelfromthe(quantized)destinationtothewiretapper.Obviously,Lemma 1 alsoimpliestheexistenceofaxed(C,W)fromthesecret-sharingregularLDPCensemblewithvanishingdecodingerrorsinourdesign,andhencetheuseofthisxed(C,W)isalsosufcienttoachievetherelaxedkeycapacityinourcase. 2Ourdestinationandsourcecorrespondtothesenderandreceiverin[ 16 ],respectively.Forconvenience,weemployourterminologyherewhenreferringtotheschemein[ 16 ]. 38

PAGE 39

Expressedinournotation,elementsintheLDPCcodeensembleof[ 16 ]arealsooftheform(C,W).Forourensemble,Wis(conditionally)uniformlydistributedoverthesetofallsubspacesofagivenC.Fortheensembleof[ 16 ],Wis(conditionally)uniformlydistributedoverthesetofsubspacesofCspeciedbytheconcatenationoftheparitymatricesofCandanotherproperlychosenregularLDPCcode.Whileeachelementintheensembleof[ 16 ]isalsoanelementofourensemble,thetwoensemblesaredifferentsincetherespective(conditional)uniformdistributionsforWaredenedovertwodifferentsetsofsubspaces.Inasense,theensembleof[ 16 ]ismorerestrictivesinceWalsoneedstobeanLDPCcode.ThediscussioninthissectionshowsthattheLDPCstructureneedstobeimposedonlyonCbutnotonW.ThisbearssignicanceinthedesignofpracticalcodesbecausethedesignbasedononeLDPCstructurederivedfromourensembleismuchsimpler,aswillbeillustratedinthefollowingsection. 3.3Secret-SharingSchemeEmployingFixedPracticalLDPCCodesInpractice,itisnotrealistictoemploythesecret-sharingregularLDPCcodeensembleandMLdecodingatthesourceassuggestedinSection 3.2 ,forevenmoderatevaluesofn.Inthissection,weinvestigatethesecrecyperformanceofasecret-sharingschemesimilartotheonesuggestedinSection 3.2 ,butwithxedchoicesof(C,W)fromthesecret-sharingregularLDPCcodeensembleandmorepracticalBPdecoding.Inaddition,fromtheproofofLemma 1 inAppendixB,thevaluesofdvanddcneedtobelargeinorderfortheensembleaverageerrorprobabilitieswandstodecreasewithn,andhencetoachievetherelaxedkeycapacity.AslargevaluesofdvanddcincreasethegraphcomplexityofaLDPCcode,andhencethecomplexityofBPdecoding,wehavetolimitourselvestosmallvaluesofdvanddc.ToalleviatetheshortcomingofregularLDPCcodeswithsmalldvanddc,wealsoconsidertheuseofmore-efcientirregularLDPCcodesintheproposedsecret-sharingscheme.Weconsiderthesecret-sharingschemedescribedinSection 3.2 ,exceptthatthesecret-sharingcode(C,W)isxedandisknowntothesourceanddestination 39

PAGE 40

(andalsothewiretapper)beforehand.Here,weconsiderthe(xed)codeCchosenfromensemblesofregularandirregularLDPCcodes.Thedetailswillbediscussedlater.Forconvenienceinthekeygenerationstep(andlaterinthesearchofgoodirregularLDPCcodes),thesubspaceWischosenasfollows.ReferringbacktoStep2)ofthescheme,choosealowertriangularversion3ofH,forexamplebyperformingGaussianeliminationontheconnectionmatrixofthebipartitegraphofCasdiscussedin[ 41 ].Hence,H=[A,B]whereBisan(n)]TJ /F4 11.955 Tf 12.98 0 Td[(l)(n)]TJ /F4 11.955 Tf 12.98 0 Td[(l)lowertriangularmatrix.Write~Yn=[dl,en)]TJ /F5 7.97 Tf 6.59 0 Td[(l]wheredlanden)]TJ /F5 7.97 Tf 6.58 0 Td[(larerowvectorscontaininglandn)]TJ /F4 11.955 Tf 12.16 0 Td[(lelements,respectively.ThenthesyndromeSn)]TJ /F5 7.97 Tf 6.58 0 Td[(l=dlAT+en)]TJ /F5 7.97 Tf 6.58 0 Td[(lBT,codewordXn0=[dl,dlAT(B)]TJ /F7 7.97 Tf 6.59 0 Td[(1)T]andcosetleaderEnS=[0T,Sn)]TJ /F5 7.97 Tf 6.59 0 Td[(l(B)]TJ /F7 7.97 Tf 6.59 0 Td[(1)T].NotethatdlcontainsthesystematicbitsofthecodewordXn0whiledlAT(B)]TJ /F7 7.97 Tf 6.59 -.01 Td[(1)Tcontainstheparitybits.ThesubspaceWischosentobethesetofcodewordsobtainedbysettingtherstkbits4inthevectordlabovetozero.ThequotientspaceKisisomorphictothesetofcodewordsobtainedbysettingthelastl)]TJ /F4 11.955 Tf 12.36 0 Td[(kbitsinthevectordltozero.Hencewecanusetherstkbitsindlasthekey.Since(C,W)isknowntothesourcebeforehand,thereisnoneedtofeeditbacktothesourceviathepublicchannelinStep2)ofthesecret-sharingscheme.Step3)oftheschemeismodiedtoreplaceMLdecodingbythepracticalBPdecoding.First,itisunlikelythattheabovexedchoiceofWresultsinanLDPCcode.Hence,thexedcodingschemesuggestedhereisdifferentfromthatof[ 16 ].Second,thesecrecyanalysisofSection 3.2 canbeeasilymodiedtoreecttheuseofthexedsecret-sharingcode(C,W)mentionedabove.Inparticular,theupperboundonthe 3Wecan,withoutlossofgenerality,assumeHtobeoffullrankasdiscussedbefore.Alternatively,anapproximatelowertriangularversionofHasdescribedin[ 41 ]canalsobeusedifefcientencodingisneeded.4ItiseasytoseethatthesecrecyperformanceisthesameforanychoiceofkbitsindlfortheBPdecodersdescribedbelow. 40

PAGE 41

leakageratein( 3 )becomes1 nI(K;ZnjEnS)Cw(~))]TJ /F3 11.955 Tf 11.96 0 Td[((Rc)]TJ /F4 11.955 Tf 11.95 0 Td[(Rk)+Rks+(Rc)]TJ /F4 11.955 Tf 11.96 0 Td[(Rk)w+2 n, (3)wheresandwarenowtheerrorprobabilitiesachievedbytheBPdecodersatthesourceandwiretapper,respectively.SincetheboundaboveisderivedfromFano'sinequality,itappliesforanydecoder(ML,BP,etc.),andthevalueofthebounddependsonthechoicesofdecodersonlythroughsandw.Below,weperformcomputersimulationtoestimatesandwandthenemploy( 3 )toboundtheleakageratesachievedby(C,W)constructedfromdifferentchoicesofniteblocklengthLDPCcodesasdescribedabove.Morespecically,supposethatthekeyrateofasecret-sharingLDPCcode(C,W)isRkandsobtainedfromsimulationissmall.BysettingRltobethevalueofthebound( 3 )obtainedasdescribed,then(Rk,Rl)willbeconsideredakey-leakageratepairachievableby(C,W). 3.3.1Secret-SharingRegularLDPCCodesWestartbyevaluatingthesecrecyperformanceofusingregularLDPCcodeswithsmalldvanddcinthesecret-sharingschemedescribedabove.First,wepickCfromtherate-0.25(3,4)-regularLDPCcodeensemblebyrealizingtherandombipartitegraphexperimentdescribedin[ 29 ]andthenremovealllength-4loopsintherealization.TheblocklengthnoftheLDPCcodeissetto105.Asmentionedabove,weneedtoestimatethevaluesofsandwfromcomputersimulation.Togets,BPdecodingisimplementedatthesource.Similarly,aBPdecoderisimplementedforthectitiousreceiveratthewiretappertoobtainw.InordertoprovideinformationaboutLtothelatterdecoder,theintrinsiclog-likelihoodratios(LLRs)oftherstkelementsindl,whichareassociatedwithL,areexplicitlysettoaccordingtothetruebitvalues.WhilethismethodmaynotbetheoptimalwaytofeedinformationofLtotheBPdecoder,wechoosetoemployitbecauseofitssimplicityandthefactthatthismethodalsoallows 41

PAGE 42

Figure3-2. Plotofthe(Rk,Rl)-trajectoriesachievedbytheproposedsecret-sharingschemeemployingsecret-sharingregularLDPCcodes(C,W). simpledensityevolutionanalysis,whichwillbeusedtosearchforgoodirregularLDPCcodesinSection 3.3.2 below. Figure3-2 showsthetrajectoryof(Rk,Rl)achievablebytherate-0.25secret-sharing(3,4)-regularLDPCcode(C,W)whenthemaximumallowableSNRP=2islimitedto)]TJ /F3 11.955 Tf 9.3 0 Td[(0.15dBand2=0dB.DifferentvaluesofRkonthetrajectoryshownareobtainedbyvaryingthevalueofk(i.e.,thedimensionofWalsochanges).Whenobtainingeachshownpair(Rk,Rl),wechoose~2,uptoP=2,suchthats0.01,w0.01andtheboundin( 3 )isminimized.Foranyso-obtainedpair(Rk,Rl)locatedtotherightofthe45linein Figure3-2 ,thebound( 3 )becomestooloose,andthepairisnotplotted.From Figure3-2 ,weobservethatthepair(Rk,Rl)=(0.2,0.139)givesthesmallest 42

PAGE 43

(boundon)leakageratethatisachievablebytherate-0.25secret-sharing(3,4)-regularLDPCcodeintheproposedscheme.Next,wetrytocomparethesecrecyperformanceofoursecret-sharingschemetothatof[ 16 ].AsdiscussedneartheendofSection 3.2 ,theschemeof[ 16 ]requiresapairofindependentlychosenregularLDPCcodes.Sincenopracticalcodedesignsorexamplesareprovidedin[ 16 ],wechooseanLDPCcodepairfortheschemeof[ 16 ]thatissimilartothechoiceofoursecret-sharingcodeaboveforcomparison.Fortheschemeof[ 16 ],therstLDPCcodeissettobeCabove(i.e.,therate-0.25(3,4)-regularLDPCcode).TheothercodeC0(fromwhichthesecretkeyisgenerated)ischosenindependentlyfromanotherregularLDPCcodeensemblesuchthattheresultachievesadesiredkeyrateRk(cf.[ 7 ]).NotethatonlyafewvaluesofRkarepossibleifdvanddcarerestrictedtohavesmallvalues.Again,asdiscussedneartheendofSection 3.2 ,thepair(C,C0)canbeexpressedinour(C,W)notation.Assuch,theLDPCsubcodeWisobtainedfromconcatenatingparity-checkmatricesofCandC0.NotethatWisingeneralanirregularLDPCcode.Toclearlydistinguishbetweenourschemeandtheoneof[ 16 ]inthediscussionbelow,wewillemploythenotation(C,C0)whenreferringtothelatter.Thebound( 3 )isemployedtodeterminetheratepairs(Rk,Rl)thatcanbeachievedby(C,C0),asdescribedpreviously.Undertheparametersettingabove(P=2=)]TJ /F3 11.955 Tf 9.3 0 Td[(0.15dB,2=0dB,andn=105),wearenotabletondachoiceofC0(withsmalldvanddc)thatsatisestherequirementw0.01.Inordertoillustratethecomparisonbetweenthetwoschemes,weincreasethevalueofP=2to2.0dB.Forthiscase,wepickCtobearate-0.4(3,5)-regularLDPCcode.The(Rk,Rl)-trajectoryachievedbyoursecret-sharingschemewith(C,W)isoverlaidin Figure3-2 .Weseethatthelowestleakagerateachievedbythischoiceof(C,W)isatthepair(Rk,Rl)=(0.22,0.173).Fortheschemeof[ 16 ],pickingC0tobean(1,3)-regularLDPCcode,thepair(C,C0)achievesthekey-leakageratepair 43

PAGE 44

(Rk,Rl)=(0.333,0.286)asshownbythesquaresymbolin Figure3-2 .ThisvalueofRlisthelowestthatwecanobtainfrompickingmanydifferentC0withsmalldvanddc.Summarizingtheaboveresults,oursecret-sharingschemeoutperformstheschemeof[ 16 ]whentherespectivecodeemployedineachschemeisrestrictedamongthechoicesofregularLDPCcodeswithsmallnodedegreesandniteblocklengths.However,wecanobservethatthereisasignicantgapbetweenthe(Rk,Rl)pairsachievedbytheproposedschemeandthemaximallyachievable(Cbq,Rl)key-leakagepairboundary.ThisillustratesthatregularLDPCcodeswithsmalldvanddcandniteblocklengthdonotprovidegoodsecret-sharingperformance. 3.3.2Secret-SharingIrregularLDPCCodesToimprovesecret-sharingperformance,wesearchforgoodirregularLDPCcodestobeusedasCintheproposedscheme.Thestructureofasecret-sharingcode(C,W)describedinthebeginningofthissectionfacilitatesthecodesearchprocessbecauseonlytheLDPCstructureofCneedstobeoptimized.Suchoptimizationcanbeperformedbyemployingthedensity-evolutionbasedlinearprogrammingtechniquesuggestedin[ 31 ].ThesearchobjectiveistondanirregularLDPCsecret-sharingcode(C,W)withmaximumRc,givenaxedRk,suchthatboththedecodingerrorprobabilitiessandwin( 3 )arevanishingastheBPdecodersiterate.By( 3 ),thisresultsinminimizationoftheboundonRlforthexedRk.RecallfromSection 2.3 thatthevariable-andcheck-nodedegreedistributionpolynomialsofanirregularLDPCcodeensembleare,respectively,(x)=Pdvi=2ixi)]TJ /F7 7.97 Tf 6.59 0 Td[(1and(x)=Pdci=2ixi)]TJ /F7 7.97 Tf 6.59 0 Td[(1.WearetodesignanirregularLDPCcodeCanditssubcodeWthatworkwellforthechannelfromthe(quantized)destinationtosourceandthechannelfromthe(quantized)destinationtowiretapper,correspondingtotheerrorprobabilitiessandw,respectively.Fix(x),andletes(`)andew(`)denotethebiterrorprobabilitiesobtainedbytheBPdecodersatthesourceandwiretapper,respectively,atthe`thdensityevolutioniteration[ 29 31 ]whenaninitial~(x)=Pdvi=2~ixi)]TJ /F7 7.97 Tf 6.59 0 Td[(1is 44

PAGE 45

used.Now,letA`,jdenotethebiterrorprobabilityobtainedatthesourcebyrunningthedensityevolutionfor`iterations,inwhich~(x)isusedasthevariable-nodedegreedistributionfortherst`)]TJ /F3 11.955 Tf 12.63 0 Td[(1iterationsandthevariable-nodedegreedistributionwithasingletonofunitmassatdegreejisusedforthenaliteration.LetB`,jdenotethesimilarquantityforbiterrorprobabilityobtainedatthewiretapper.Then,wehavees(`)=Pdvj=2A`,j~jandew(`)=Pdvj=2B`,j~j.NotethatthevaluesofA`,jandB`,jareobtainedvia(discretized)densityevolution,whichisdiscussedindetailin[ 31 ,Chapter5].Toaccountfortheavailabilityofperfectinformationofthekbitscorrespondingtothekeyatthewiretapper'sBPdecoder,theintrinsicLLRdistributionenteredintothedensityevolutionanalysisforthewiretapper'sdecoderissettobeamixtureofthedistributionofthechanneloutputsatthewiretapper(withthequantizeddestinationsymbolsasthechannelinput)andanimpulseat+1.TheweightsofthetwocomponentsinthemixturearedeterminedbythevalueofRk.Let>0beasmallprescribederrortolerance.Supposethat~(x)satisesthepropertythates(Ms)andew(Mw),forsomeintegersMsandMw.Then,wecanframetheRc-maximizingcodedesignproblemasthefollowinglinearprogram:max(x)dvXj=2j jsubjecttodvXj=2j=1,i0for2idv,dvXj=2A`,jj)]TJ /F4 11.955 Tf 11.96 0 Td[(es(`)max[0,(es(`)]TJ /F3 11.955 Tf 11.95 0 Td[(1))]TJ /F4 11.955 Tf 11.95 0 Td[(es(`))],anddvXj=2A`,jjes(`)]TJ /F3 11.955 Tf 11.96 0 Td[(1),for1`MsdvXj=2B`,jj)]TJ /F4 11.955 Tf 11.96 0 Td[(ew(`)max[0,(ew(`)]TJ /F3 11.955 Tf 11.96 0 Td[(1))]TJ /F4 11.955 Tf 11.96 0 Td[(ew(`))],anddvXj=2B`,jjew(`)]TJ /F3 11.955 Tf 11.96 0 Td[(1),for1`Mw, 45

PAGE 46

wheredvhereisthemaximumallowabledegreeof(x)andisasmallpositivenumber.Thesolution(x)oftheabovelinearprogramisthenemployedastheinitial~(x)forthenextsearchround.Thesearchprocesscontinuesthiswayuntiles(Ms)orew(Mw)becomeslargerthan,oruntil(x)converges.Wecanalsox(x)andobtainasimilarlinearprogrammingproblemfor(x).Theiterativesearchcanthenalternatebetweenthelinearprogramsfor(x)and(x),respectively.Thesecret-sharingirregularLDPCcodespresentedbelowareobtainedfromthecodesearchproceduredescribedabovestartingwithBSC-optimizedLDPCcodes,whichareavailablefromUrbanke'swebsite[ 42 ]. Figure3-3 showsthe(Rk,Rl)-trajectoryachievedbyarate-0.25secret-sharingirregularLDPCcodeobtainedbyperformingtheabovesearchwithRksetto0.155fortheBPSK-constrainedGaussianwiretapchannelwhenP=2=)]TJ /F3 11.955 Tf 9.3 0 Td[(1.5dBand2=0dB.Thedegreedistributionpairofthissecret-sharingirregularLDPCcodeisshownin Table3-1 .Weobtainaninstanceoftheirregularcodebyrandomlygeneratingabipartitegraphwhichsatisesthetwogivendegreedistributionconstraints.Similartothecaseofregularcodes,theblocklengthn=105,andalllength-4loopsareremoved.Eachshown(Rk,Rl)pairisobtainedinthesamemannerasdescribedinSection 3.3.1 byusing( 3 ).From Figure3-3 ,weobservethatthepair(Rk,Rl)=(0.155,0.025)givesthelowestleakagerateachievablebythissecret-sharingirregularLDPCcode.Forcomparison,wealsoplotin Figure3-3 the(Rk,Rl)-trajectoryachievedbytheproposedsecret-sharingschemeusingarate-0.25BSC-optimizedirregularLDPCcodeinplaceofthesecret-sharingirregularLDPCcodeobtainedfromthecodesearchdescribedabove.Notethatsincethechannelfromthe(quantized)destinationtothesourceisaBSC,theuseoftheBSC-optimizedLDPCcodeisessentiallythesameasthereconciliationmethodproposedin[ 19 ].FortheBSC-optimizedcode,thepair(Rk,Rl)=(0.2,0.071)givesthelowestachievableleakagerate. 46

PAGE 47

Figure3-3. Plotofthe(Rk,Rl)-trajectoryachievedbytheproposedsecret-sharingschemeemployingtherate-0.25secret-sharingirregularLDPCcode. Similarly, Figure3-4 showsthesecrecyperformanceoftheproposedschemewhenP=2=)]TJ /F3 11.955 Tf 9.29 0 Td[(4.9dBand2=5dB.Arate-0.12secret-sharingirregularLDPCcodeisobtainedbyxingRkto0.06inthecodesearch.Thedegreedistributionpairofthissecret-sharingirregularLDPCcodeisalsoshowninTable 3-1 .Weobservethatthelowestleakagerateachievedbythiscodeisgivenbythepair(Rk,Rl)=(0.062,0.019).Again,forcomparison,the(Rk,Rl)-trajectoryachievedbyreplacingthesecret-sharingirregularLDPCcodeobtainedfromthecodesearchwitharate-0.12BSC-optimizedirregularLDPCcodeisalsoshownin Figure3-4 .FortheBSC-optimizedirregularLDPCcode,thepair(Rk,Rl)=(0.095,0.052)givesthelowestachievableleakagerate.Inconclusion,thesecret-sharingirregularLDPCcodesobtainedfromtheproposedcodesearchproceduresignicantlyoutperform,intermsofsecrecyperformance, 47

PAGE 48

Table3-1. Degreedistributionpairsoftherate-0.25andrate-0.12secret-sharingirregularLDPCcodes. rate-0.25 rate-0.12 2 0.2807 0.3651 3 0.1490 0.1610 4 0.0725 5 0.1081 6 0.0540 7 0.0599 8 0.1343 11 0.1123 12 0.0057 21 0.0697 22 0.0872 28 0.0650 29 0.0403 70 0.0006 71 0.0264 72 0.1197 87 0.0806 88 0.0079 4 0.9705 5 0.4637 0.0295 6 0.5363 secret-sharingregularLDPCcodeswithsmallnodedegreesaswellasirregularLDPCcodesthatareoptimizedjustforinformationreconciliation. 3.4SummaryInthischapter,wedevelopedschemesbasedonLDPCcodestoallowasourceandadestinationtosharesecretinformationoveraBPSK-constrainedGaussianwiretapchannel.Intheproposedsecret-sharingschemes,thesourcerstsendsarandomBPSKsymbolsequencetothedestinationthroughtheGaussianwiretapchannel.Then,thedestinationgeneratesasyndromeofitsquantizedreceivedsequenceusinganLDPCcodeandsendsthissyndromebacktothesourceviathepublicchannel.Finally,thesourceperformsdecodingtorecoverthequantizeddestinationsequencebasedon 48

PAGE 49

Figure3-4. Plotofthe(Rk,Rl)-trajectoryachievedbytheproposedsecret-sharingschemeemployingtherate-0.12secret-sharingirregularLDPCcode. itstransmittedsequence,aswellasthesyndromethatitreceivesfromthedestination.ThesecretkeyisobtainedastheindexofacosetinaquotientspaceoftheLDPCcode.Toevaluatetheperformanceoftheproposedsecret-sharingscheme,weemployedanupperboundontheleakageinformationratethatdependsonthedecodingerrorprobabilitiesofthedecoderatthesourceandofactitiousdecoderatthewiretapper,whichobservesthewiretapperreceivedsequence,thesyndromeinthepublicchannel,aswellasthesecretkey.Thedesignwasthenconvertedtomakingtheseerrorprobabilitiessmall.ForasuitablychosenensembleofregularLDPCcodes,weshowedthattheseerrorprobabilitiescanindeedbemadevanishing,astheblocklengthincreases,byMLdecoding.Asaresult,thisestablishedthatthekeycapacity 49

PAGE 50

oftheBPSK-constrainedGaussianwiretapchannelcanbeachievedbyemployingthesecret-sharingregularLDPCcodeensembleintheproposedscheme.ConsideringthepracticalconstraintsofniteblocklengthandusingBPdecodinginsteadofMLdecoding,weemployedadensity-evolutionbasedlinearprogramtosearchforgoodirregularLDPCcodesthatcanbeusedinthesecret-sharingscheme.Simulationresultsshowedthatthesecret-sharingirregularLDPCcodesobtainedfromoursearchcangetrelativelyclosetotherelaxedkeycapacityoftheBPSK-constrainedGaussianwiretapchannel,signicantlyoutperformingregularLDPCcodesaswellasirregularLDPCcodesthatareoptimizedjustforinformationreconciliation. 50

PAGE 51

CHAPTER4ANLDPC-BASEDSECRET-SHARINGSCHEMEOVERGAUSSIANWIRETAPCHANNELWITHPAMSYMBOLSToachievehigherkeyrate,high-ordermodulationcouldbeemployedatthesource.Inthischapter,weextendthesecret-sharingschemeproposedinChapter 3 tothecasewhenthesourceareallowedtotransmitequiprobableM-aryPAMsymbols.First,multilevelcoding(MLC)andmultistagedecoding(MSD)areemployedtotransformtheM-arytransmissionintoMbinary-inputchannels.Second,themodiedsecret-sharingschemeforPAMsourcesymbolsemployingirregularLDPCcodesispresented,anditisshownthatthekey-agreementproblemcanbetranslatedintotheproblemofdesigningMirregularLDPCcodessuchthateachofthemworkswellforthecorrespondingbinary-inputwiretapchannels.Moreover,puncturingisappliedtothesecret-sharingschemetoimproveitssecrecyperformance. 4.1GaussianwiretapchannelwithPAMsymbolsThemodelconsideredinthischapteristhesameasdescribedinSection 3.1 exceptthatthesourceisallowedtosendequiprobableM-aryPAMsymbols,i.e.,Xi2S=fs1,s2,,sMgwheresm=2m)]TJ /F7 7.97 Tf 6.59 0 Td[(1)]TJ /F5 7.97 Tf 6.59 0 Td[(M p AandA=PMm=1(2m)]TJ /F7 7.97 Tf 6.59 0 Td[(1)]TJ /F5 7.97 Tf 6.59 0 Td[(M)2 M.Thereasontoconsideronlyequiprobablesignallingwillbejustiedlaterinthissection.Moreover,GraymappingisemployedinthesourcetomapabinaryvectorbtoasignalpointinS1. Figure4-1 showstheexamplesofGray-mapped4-and8-PAMconstellation. 1Tosimplifynotations,weuseXjitodenotethecorrespondingjthelementoftheGray-mappedvectorofXi. 51

PAGE 52

AGray-mapped4-PAMconstellation. BGray-mapped8-PAMconstellation.Figure4-1. ExamplesofM-aryGray-mappedPAMconstellation. SpecializingTheorem 2.1 totheGaussianwiretapchannelwithequiprobablePAMsourcesymbols,thecorrespondingRl-relaxed(symmetric)keyrate2Rp(Rl)isgivenby, Rp(Rl)=max0~q P 21 M"min()]TJ /F14 11.955 Tf 11.95 16.27 Td[(Z1Z1log2 PMm=1fm(z)qm(y) PMm=1fm(z)! MXm=1fm(z)qm(y)!dydz+MRl,)]TJ /F14 11.955 Tf 11.29 16.27 Td[(Z1log2 MXm=1qm(y) M! MXm=1qm(y)!dy)+Z1MXm=1log2(qm(y))qm(y)dy#, (4) 2ThetermsymmetrickeyrateisusedtoreecttheassumptionofequiprobablePAMsignalling. 52

PAGE 53

whereqm(y)=1 p 2exp")]TJ /F3 11.955 Tf 10.5 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.66 Td[(~sm)2 2#andfm(z)=1 p 2exp")]TJ /F3 11.955 Tf 10.5 8.09 Td[((z)]TJ /F6 11.955 Tf 11.95 0 Td[(~sm)2 2#denotetheconditionaldensitiesp(yjX=sm)andp(zjX=sm)form2f1,2,,Mgthatspecifythedestinationandwiretapperchannels,respectively.AsmentionedinSection 3.1 ,itisneededtoquantizethereceivedsymbolssuchthattheresultingquantizedsequencesareuniformlydistributed.Toachievethis,weadoptsymbolbysymbol,multilevelquantizationatthedestinationinwhichtheithquantizeddestinationsymbol^Yi=Q(Yi),whereQisaquantizerwhichgeneratesoutputfromthesetS3andisdescribedbythesetofdecisionlevelsT=fT1,T2,,TM+1g.Morespecically,theindexoftheoutputatthequantizerQismifitsinputUliesinsidethepartitioncellJm:fTm
PAGE 54

corresponding(symmetric)keyrateRpq(Rl)isthengivenby Rpq(Rl)=max0~q P 2hminfCs(~))]TJ /F4 11.955 Tf 11.95 0 Td[(Cw(~)+Rl,Cs(~)gi (4) whereCs(~)=M+1 MMXn=1MXm=1log2(qn,m)qn,m,andCw(~)=Cs(~))]TJ /F4 11.955 Tf 11.95 0 Td[(M)]TJ /F3 11.955 Tf 15.76 8.09 Td[(1 MZ1 MXm=1fm(z)qn,m!MXn=1log2 PMm=1fm(z)qn,m PMm=1fm(z)!dzare,respectively,the(symmetric)capacitiesofthequantized-source-to-destinationandthequantized-source-to-wiretapperchannelsatthenormalizedgain~andqn,m=Q(Tn)]TJ /F3 11.955 Tf 13.99 2.66 Td[(~sm))]TJ /F4 11.955 Tf 12.51 0 Td[(Q(Tn+1)]TJ /F3 11.955 Tf 13.98 2.66 Td[(~sm)isthetransitionprobabilityfromsmtosnofthequantized-source-to-destinationchannel.WenotethatwhenM=2,whichcorrespondstoBPSKsignalling,Eqn.( 4 )and( 4 )degenerateto( 3 )and( 3 ),respectively(cf.Section 3.1 ).Tovisualizethelossinkeyrate,Figure 4-3 showstheplotofRp(Rl)andRpq(Rl)versusmaximumallowableSNRP=2fordifferentvaluesofMand2.Wecanseethatthelossin(symmetric)keyrateduetothequantizerQisnomorethan0.07bpcuforthecasesshown.Moreover,letCpk(Rl)betheRl-relaxedkeycapacityoftheGaussianwiretapchannelwithPAMsymbolsandmultilevelquantization,itisnothardtoseethatCpk(Rl)isgenerallyachievedwhentheinputsymbolsarenotequallylikelybecauseofthenon-symmetricpropertiesofI(X;Y)andI(Y;Z)involvedinthecapacitycalculation.Hence,therestrictionofequiprobablePAMsignallingresultsinanadditionallossinkeyrate,i.e.,Rpq(Rl)Cpk(Rl).Fortunately,thedifferencebetweenCpk(Rl)andRpq(Rl)isusuallynegligible.Forexample,asshowninFigure 4-4 ,thedifferenceislessthan0.003bpcuforthetwocasesshownwhenM=4.Finally,wecomparethe(symmetric)keyrateRpqtothe(unconstrained)relaxedkeycapacityCkinFigure 4-2 fordifferentvaluesofMwhenRl=0and2=0dB.UsingTheorem 2.1 ,itisnothardtoseethatthe 54

PAGE 55

(unconstrained)Rl-relaxedkeycapacityofGaussianwiretapchannelisachievedwhenXisGaussiandistributedandisgivenbyCk(Rl)=min"1 2log2 1+P 2 1+2P 2!+Rl,1 2log21+P 2#.FromFigure 4-2 ,wecanseethatthe(symmetric)keyrateRpqgetsclosertothe(unconstrained)relaxedkeycapacityCkwhenMbecomesbigger. Figure4-2. ComparisonbetweentheRl-relaxed(symmetric)keyrateRpqandtherelaxedkeycapacityCkoftheGaussianwiretapchannelwhen2=0dBandRl=0. 4.2LDPC-basedKey-AgreementSchemeInthissection,wemodifyourproposedkey-agreementschemefortheGaussianwiretapchanneltothecasewhenthesourcecantransmitM-aryPAMsymbols.Themodiedkey-agreementschemeemploys(punctured)irregularLDPCcodes,andits 55

PAGE 56

Figure4-3. ComparisonbetweentheRl-relaxed(symmetric)keyrateRpandRpqoftheGaussianwiretapchannelwhnRl=0. secrecyperformancewillstillbeevaluatedbymeasuringtherateofinformationaboutthesecretkeyleakedtothewiretapper.Themodiedkey-agreementschemeemploysthe(n,l,k)secret-sharingbinarylinearblockcode(C,W)describedinSection 3.2 .However,thepair(C,W)ischoseninaslightlydifferentway.Thischangeisinspiredbytheobservationthatthekey-agreementproposedinChapter 3 allowsthewiretappertohavedirectchannelobservationsofthesecretkeyusedbythedestination.Wenotethatsuchadirecttransmissionisundesirable[ 20 ]andhasanegativeeffecttothekey-agreementschemeintermsofsecrecyperformance.Hence,wemodifytheproposedkey-agreementschemetousepuncturingtoavoidanydirecttransmission.Morespecically,werstchoosean(m,l)linearblockcodeC0fromanensembleofirregularLDPCcodes,wherem=n+k. 56

PAGE 57

Figure4-4. ComparisonbetweentheRl-relaxedkeycapacityCpkandRl-relaxed(symmetric)keyrateRpqoftheGaussianwiretapchannelwhenRl=0. SimilartoSection 3.2 ,letHbetheparity-checkmatrixassociatedwithC0andassumeH=[A,B]whereBisan(m)]TJ /F4 11.955 Tf 12.54 0 Td[(l)(m)]TJ /F4 11.955 Tf 12.55 0 Td[(l)lowertriangularmatrix.Letum=[ck,dn]denoteagenericcodewordofC0whereckanddnarerowvectorscontainingkandnbits,respectively.Then,the(n,l)linearblockcodeCischosentobesetofcodewordsobtainedbyremovingckfromum.Thatis,CisapuncturedversionofC0.ThesubspaceWischosentobethesubsetofpuncturedcodewordsobtainedbysettingcktozero.Thebitvectorckservesasacomponentofthesecretkeyinthekey-agreementschemedescribedbelow: 1. Randomsourcetransmissionanddestinationquantization:ThesourcerstrandomlygeneratesasequenceXnofni.i.d.equallylikelyM-aryPAMsymbolsandsendsthemconsecutivelythroughtheGaussianwiretapchannel.Thedestinationthenobtainsthequantizedsequence^Ynbyperformingsymbol-by-symbol, 57

PAGE 58

multilevelquantizationusingthequantizerQonthereceivesequenceYn.WenotethatthewiretapperobservesZn. 2. SyndromegenerationthroughLDPCencodingatdestination:Forj=f1,2,,Mg,thedestinationrstrandomlychoosesakj-bitsequenceLkjjwithi.i.d.equallylikelybits.NotethatallMsequencesarechosenindependently.ItthengeneratesthesyndromesequenceSmj)]TJ /F5 7.97 Tf 6.59 0 Td[(ljj=[Lkjj,^Ynj]HTj,whereHjisthecorrespondingparity-checkmatrixofanLDPCcodeC0j.Again,wenotethateachSmj)]TJ /F5 7.97 Tf 6.58 0 Td[(ljjuniquelycorrespondstoacosetEmjj+C0j,whereEmjj=[0lj,Smj)]TJ /F5 7.97 Tf 6.58 0 Td[(ljj(B)]TJ /F7 7.97 Tf 6.59 0 Td[(1j)T]isthecosetleader.Finally,thedestinationsendsfEmjjgMj=14backtothesourceviathepublicchannel.Wenotethattheabovedescriptioncorrespondstothewell-knowncodedmodulationscheme,namelymultilevelcoding,whichisproposedtoachievebothpowerandbandwidthefciencyforcommunicationsoveraGaussianchannel[ 43 44 ]. 3. Decodingatsource:Multistagebeliefpropagation(BP)decodingisperformedatthesource.Morespecically,forj=f1,2,,Mg,thesourcetriestodecodeforthecodewordUmjj=[Lkjj,^Ynj]+Emjj(2C0j)fromobservingXnj,Emjjandf^Umiigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1,where^UmiidenotethedecodedcodewordforUmii. 4. Keygenerationatsourceanddestination:Thedestinationuses[Lk11,Lk22,,LkMM]asitskey.Thesourcesetsitskeytobe[Kk11,Kk22,,KkMM],whereKkjjcontainstherespectiverstkjbitsof^Umjjforj=1,2,,M.Wenotethattheaboveschemeispermissiblewitht=n+1,K=[Kk11,Kk22,,KkMM],L=[Lk11,Lk22,,LkMM],andn+1=fEmjjgMj=1istheonlymessagesentviathepublicchannelatlasttimeinstantn+1,asdescribedinSection 2.2 .Thus,wecanevaluatethesecrecyperformanceoftheschemeinthecontextofachievablekey-leakageratepair.Inotherwords,wederiveanupperboundoftheamountoftheinformationaboutthesecretkeyleakedtothewiretapper.First,basedonthechosendistributionsoffLkjjgMj=1andXn,thememorylessnatureoftheGaussianwiretapchannel,andthequantizerQemployedtoobtain^Ynatthedestination,itiseasytocheckthatH(Lkjj)=kj,H(Lkjj,^Ynj)=mj,andH(Emjj)=mj)]TJ /F4 11.955 Tf 12.2 0 Td[(ljforj=1,2,,M.Supposethatthemultistage 4Tosimplifynotations,weusefEmjjgMj=1torepresentthesequenceofvectorfEm11,Em22,,EmMMg. 58

PAGE 59

decodingprocessatthesourceachievestheerrorprobabilitysateachstage,thenwehavePrfK6=LgMs.Hence,Condition1inSection 2.2 issatised.Moreover,wealsohaveH(KjL)M+(PMj=1kj)s,H(LjK)M+(PMj=1kj)sbyFano'sinequality.Thatinturnimplies1 nH(K)PMj=1Rkj)]TJ /F14 11.955 Tf 12.64 8.97 Td[(PMj=1Rkjs)]TJ /F5 7.97 Tf 13.83 4.71 Td[(M n.FurtherusingthefactthatI(L;fEmjjgMj=1)=0,wehave1 nI(K;fEmjjgMj=1)PMj=1Rkjs+M n.Thus,Conditions2,4,and5inSection 2.2 aresatisedwhennissufcientlylargeandsissmallenough.Next,consider I(K;Zn,fEmjjgMj=1)I(L;Zn,fEmjjgMj=1)+I(K;Zn,fEmjjgMj=1jL)I(L;Zn,fEmjjgMj=1)+H(KjL)I(L;Zn,fEmjjgMj=1)+MXj=1Rkjs+M. (4) Further, I(L;Zn,fEmjjgMj=1)=H(L)+H(fEmjjgMj=1jZn))]TJ /F4 11.955 Tf 11.95 0 Td[(H(L,fEmjjgMj=1jZn)=H(L)+H(fEmjjgMj=1jZn))]TJ /F4 11.955 Tf 11.95 0 Td[(H(L,^Yn,fEmjjgMj=1jZn)+H(^YnjZn,L,fEmjjgMj=1)H(L)+H(fEmjjgMj=1))]TJ /F4 11.955 Tf 11.96 0 Td[(H(^YnjZn)+H(f^YnjgMj=1jZn,L,fEmjjgMj=1)=H(L)+H(fEmjjgMj=1))]TJ /F4 11.955 Tf 11.96 0 Td[(H(^YnjZn)+MXj=1H(^YnjjZn,L,fEmiigMi=1,f^Ynigj)]TJ /F7 7.97 Tf 6.58 0 Td[(1i=1)MXj=1H(Lkjj)+MXj=1H(Emjj))]TJ /F4 11.955 Tf 11.95 0 Td[(H(^Yn)+I(^Yn;Zn)+MXj=1H(^YnjjZn,Lkjj,Emjj,f^Ynigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1), (4) wherethesecondtolastequalityisduetothechainruleforentropy.Now,becausethechannelfrom^YntoZnismemoryless,wehaveI(^Yn;Zn)nCw(~).Inaddition,let'sconsideramultistagectitiousdecoderatthewiretappertryingtodecodefor^Ynjfromobserving(Zn,Emjj,Lkjj,f^Ynigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1)forj=1,2,,M.Supposethatthedecoderachieves 59

PAGE 60

theerrorprobabilitywateachstage.ThenwehaveH(^YnjjZn,Lkjj,Emjj,f^Ynigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1)1+(lj)]TJ /F4 11.955 Tf 12.3 0 Td[(kj)wforj=1,2,,MbyFano'sinequality.Puttingalltheseand( 4 )backinto( 4 ),weobtain 1 nI(K;ZnjfEmjjgMj=1)1 nI(K;Zn,fEmjjgMj=1)Cw(~))]TJ /F5 7.97 Tf 16.56 14.94 Td[(MXj=1(Rcj)]TJ /F4 11.955 Tf 11.95 0 Td[(Rkj)+MXj=1Rkjs+MXj=1(Rcj)]TJ /F4 11.955 Tf 11.96 0 Td[(Rkj)w+2M n. (4) LetRl=Cw(~))]TJ /F14 11.955 Tf 12.37 8.97 Td[(PMj=1(Rcj)]TJ /F4 11.955 Tf 12.37 0 Td[(Rkj),Condition3inSection 2.2 isthensatisedifsandwissmallenoughandnislargeenough,showingthat(PMj=1Rkj,Rl)isanachievablekey-leakageratepairasaresult.Moreover,wenotethattheaboveupperboundappliesforanydecoderbothatthesourceandatthectitiousreceiversincethevalueofthebounddependsonthechoiceofdecoderonlythroughsandw.Inthenextsection,weperformcomputersimulationtoestimate(upperboundson)sandw.Togets,amultistageBPdecoderdescribedaboveisimplementedatthesource.Notethatforthejthleveldecoder,theestimatesoff^Ynigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1obtainedfromthepreviousleveldecodersareusedincalculatingtheLLRsofthevariablenodes.Similarly,togetw,amultistageBPdecoderisimplementedforthectitiousreceiveratthewiretapper.InordertoprovideinformationaboutthesecretkeyLkjjtotheBPdecoder,forexample,for^Ynj,theintrinsicLLRsofthevariablenodescorrespondingtoLkjjareexplicitlysettoaccordingtothetruebitvalues.Moreover,f^Ynigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1areassumedavailabletothejthstagedecoderforcalculatingtheLLRsofthevariablenodes.WenotethatasimilarMLC/MSDreconciliationmethodwasproposedin[ 18 ]toreconcileandcorrectthedifferencesbetweennonbinaryrandomvariablesXnandrandomvariablesYnbysendingXnthroughaquasi-staticRayleighfadingchannel.In[ 18 ],MLCandMSDareemployedtotransformtheM-arytransmissionintoMparallelbinary-inputchannelssothatbinaryLDPCcodescanbeusedforreconciliation. 60

PAGE 61

However,therearetwofundamentaldifferencesbetweenourproposedschemeandthereconciliationmethoddiscussedin[ 18 ].First,asmentionedabove,theproposedkey-agreementschemeconsidersboththe(quantized)channelfromthedestinationtothesourceandthe(quantized)channelfromthedestinationtothewiretapper(giventhekey),whilethemethodin[ 18 ]onlyfocusesonthechannelfromthesourcetothedestination5.Reference[ 18 ]usesirregularLDPCcodesoptimizedforantipodalsignallingovertheAWGNchannelascomponentcodes,whileweproposetodesignLDPCcodeswhichworkwellforboththequantizeddestination-to-sourcechannelandthequantizeddestination-to-wiretapperchannelgiventhesecretkey.AsrevealedinSection 3.3.2 ,codesdesignedsolelyforinformationreconciliationdonotnecessaryworkwellinthecaseofkeyagreementwhenthesecrecyperformanceisevaluatedbymeasuringtheleakagerate.Moreseriously,reference[ 18 ]failstoconsiderthefactthattheMbinary-inputchannelshavetotallydifferentchannelcharacteristics.Hencethedesignin[ 18 ]doesnotreadilytranslateintoourcontextofinterestandmostlikelythoseirregularLDPCcodeswillprovidepoorsecrecyperformanceintermsofachievableleakage-ratepair.Second,themethodproposedin[ 18 ]alsoneglectsthefactthattheMbinary-inputchannelsdonotpossessthesymmetrypropertiesrequiredforemployingdensityevolutiontopredicttheactualdecoderbehavior.Instead,reference[ 18 ]usesExtrinsicInformationTransfer(EXIT)chartstoperformanalysisofthedecodingprocessdespitethefactthatthetheoreticalresultsustainingEXITchartsdoesnotexistforGaussianchannel.Ontheotherhand,asmentionedinthenextsection,weadoptananalyticaltool,namelyi.i.d.channeladapters,totheproposedkey-agreementschemetoforcetherequiredsymmetrypropertiesoftheMbinary-inputchannelsforvalid 5In[ 18 ],theauthorsconsideronlyforwardreconciliation,thusthedestinationdoesnotquantizeitsreceivedsymbolsandthedecodingisperformedatthedestinationinstead. 61

PAGE 62

density-evolutionanalysis.Tosummarize,althoughMLCandMSDareemployedin[ 18 ]toconstructareconciliationmethodforcorrelatedrandomvariables,nodesignrulesareofferedtondirregularLDPCcodeswhicharesuitableforuseintheproposedkey-agreementscheme. 4.3LDPCCodesDesignandPerformanceInthissection,wedesignirregularLDPCcodesforuseinthemodiedkey-agreementschemetoachievegoodsecrecyperformance.Asrevealedlaterinthissection,ourtaskistodesignMirregularLDPCcodessuchthatthejthpair(Cj,Wj),whichisgeneratedfromthejthLDPCcodesC0j,workswellforthechannelfrom^YnjtoXnjandthechannelfrom^YnjtoZngivenLkjjandf^Ynigj)]TJ /F7 7.97 Tf 6.58 0 Td[(1i=1.LetR0cj=lj mj=1)]TJ /F18 7.97 Tf 14.08 12.56 Td[(Rj(x)dx Rj(x)dxbethecoderateofC0j,wherej(x)andj(x)denotethevariable-andcheck-nodedegreedistributionpolynomialsofC0j,respectively.Inthisdissertation,weconsiderapplyinguniformpuncturingtoC0jwithpjdenotingthecorrespondingfractionofpuncturedvariablenodes,whichcorrespondtoLkjj.NotethatRkj=pj 1)]TJ /F5 7.97 Tf 6.58 0 Td[(pjandRcj=R0cj 1)]TJ /F5 7.97 Tf 6.58 0 Td[(pj.Fromthemutualinformationchainrule[ 38 ],weknow I(X;^Y))]TJ /F4 11.955 Tf 11.95 0 Td[(I(^Y;Z)=I(X;^Y1,^Y2,,^YM))]TJ /F4 11.955 Tf 11.96 0 Td[(I(^Y1,^Y2,,^YM;Z)=MXj=1I(X;^Yjj^Y1,^Y2,,^Yj)]TJ /F7 7.97 Tf 6.59 0 Td[(1))]TJ /F5 7.97 Tf 16.56 14.95 Td[(MXj=1I(^Yj;Zj^Y1,^Y2,,^Yj)]TJ /F7 7.97 Tf 6.59 0 Td[(1)=MXj=1hI(X;^Yjj^Y1,^Y2,,^Yj)]TJ /F7 7.97 Tf 6.58 0 Td[(1))]TJ /F4 11.955 Tf 11.96 0 Td[(I(^Yj;Zj^Y1,^Y2,,^Yj)]TJ /F7 7.97 Tf 6.58 0 Td[(1)i. (4) Compare( 4 )totheexpressionofRl-relaxedkeycapacityinTheorem 2.1 ,itimpliesthatthewiretapchannelcanbeseparatedintoMparallelbinary-inputwiretapchannels,providedthatf^Yigj)]TJ /F7 7.97 Tf 6.59 0 Td[(1i=1areknowntothejthchannel.Accordingly,foraxedvalueofRk=PMj=1Rkj,wecanuse( 4 ),whichdenestheoptimal(key)rateassignmentamongtheMbinary-inputwiretapchannelstobethecorrespondingmutualinformation 62

PAGE 63

difference,todistributethetargetkeyratesfRkjgMj=1amongtheMirregularLDPCcodes.Forexample,forM=2,weassignthekeyratesRk1andRk2amongthetwoirregularLDPCcodesC01andC02usingtheratioRk1=Rk2=(I(X;^Y1))]TJ /F4 11.955 Tf 12.45 0 Td[(I(^Y1;Z))=(I(X;^Y2j^Y1))]TJ /F4 11.955 Tf -441.32 -23.91 Td[(I(^Y2;Zj^Y1)).AfterxingeachRkj(whichinturnxespj),ifwewanttominimizetheachievableleakagerateRl,Eqn.( 4 )suggeststhatweshouldmaximizePMj=1Rcj,orequivalentlyPMj=1R0cj.Infact,themaximizationofPMj=1R0cjcanbebrokenintomaximizingeachR0cjindividually,againbytheimplicationof( 4 ).Morespecically,givenRkjforj=1,2,,M,wearetond(j(x),j(x))suchthatR0cjismaximizedsubjecttotheconstraintthatsjandwjvanishasthemultistageBPdecodersatthesourceandthewiretapperiterate,wheresjandwjaretheerrorprobabilityofthejthstagedecoderatthesourceandwiretapper,respectively.Trivially,theaboveconditionscombinetoguaranteethevanishingofsandwdenedinSection 4.2 .TodesigngoodirregularLDPCcodes,weemploythedensity-evolutionbasedcodesearchprocessproposedinSection 3.3.2 here,buttwomajorchangesaremade.First,toaccountforthepuncturingofLkjjatthesource'sjthstageBPdecoder,theintrinsicLLRdistributionenteredintothedensityevolutionanalysisissettobeamixtureoftheoriginalLLRdistributionandanimpulseat0withweightsdeterminedbythevalueofpj.Second,wenotethatusingdensityevolutiontopredicttheaveragedecoderbehaviorimplicitlyrequirestheunderlyingchannelstohaveappropriatesymmetricproperties[ 29 ].However,theMbinary-inputchannelsmentionedabovearenotnecessarilysymmetric.Asaresult,itisnotsufcienttoconsideronlytheperformanceoftheallzeros-codewordtopredicttheaveragedecoderbehaviorandtheapplicationofdensityevolutioninsuchascenariobecomesverycomplicated.Fortunately,ananalyticaltool:i.i.d.channeladapters,whichwereproposedin[ 45 ]totackletheproblemofLDPCcodedesignforcodedmodulationschemes,canbeeasilyadoptedintothemodiedkey-agreementschemetoforcethesymmetryofthosebinary-inputchannels.Let'sconsiderthechannelfrom^YnjtoXnj,thejthi.i.d. 63

PAGE 64

channeladapterworksonjthbinary-inputchannelasfollows.Eachi.i.d.channeladapterhasthreemodules.Therstoneisani.i.d.sourcewhichgeneratesbinarysymbolsWjiforalli,accordingtoani.i.d.equiprobabledistribution.Thesecondoneisamod-2adderatthedestinationsuchthatVji=Wji^Yji.Thethirdmoduleisamod-2adjusteratthesourcetoperformUji=(1)]TJ /F3 11.955 Tf 12.92 0 Td[(2Wji)Gji,whereGjiisthelogaposterioriprobabilityratio(LAPPR)of^Yji(givenXji).Thenby[ 45 ,Theorem1],thenewlyaugmentedchannelfromVjitoUjiissymmetric.Next,considerthechannelfrom^YnjtoZnandlet~Uji=(1)]TJ /F3 11.955 Tf 10.38 0 Td[(2Wji)Jji,whereJjiisLAPPRof^Yji(givenZi).Againby[ 45 ,Theorem1],thenewlyaugmentedchannelfromVjito~Ujialsosatisesthesymmetriccondition.Thus,theanalysisanddesignoftheMirregularLDPCcodesaregreatlysimplied.Furthermore,by[ 45 ,Theorem2],thecapacityofthenewaugmentedbinary-inputchannelisequaltothemutualinformationoftheoriginalbinary-inputchannelwithi.i.dequiprobableinputdistribution.Hence,ifwecandesigngoodirregularLDPCcodes,whichworkwellforboththechannelVnjtoUnjandVnjto~Unj,theirregularLDPCcodesalsoworkwellforboththechannelfrom^YnjtoXnjand^YnjtoZn.Fromnowon,thedescriptionofthemodiedcodesearchprocessfocusesonthejthbinary-inputwiretapchannel,andthecodesearchprocessonallotherbinary-inputwiretapchannelsfollowsexactlythesameprocedure.SimilartoSection 3.3.2 ,foraxj(x)andatargetvalueofRkj,thecodesearchprocesscanbeformulatedtooptimizej(x)usingdensity-evolutionbasedlinearprograming.Again,let>0beasmallprescribederrortoleranceandsupposethataninitialj(x)(callit~j(x))satisesthepropertythates(Ms)andew(Mw).forsomeintegersMsandMw,wherees(`)andew(`)denotethebiterrorprobabilitiesobtainedbytheBPdecoders(withi.i.d.channeladapters)atthesourceandwiretapper,respectively,atthe`thdensityevolutioniteration.ThecodesearchproceedstomaximizethecoderateR0cjoftheirregularLDPCcodebyupdatingj(x)whilemaintainingthefollowingconstraintsusinglinearprogramming(RefertoSection 3.3.2 formathematicaldescription): 64

PAGE 65

Table4-1. Degreedistributionpairsoftherate-0.195andrate-0.538irregularLDPCcodes. rate-0.195 rate-0.538 2 0.3583 0.1910 3 0.1739 0.1373 4 0.0202 0.0334 5 0.1205 6 0.1226 7 0.0270 9 0.1573 10 0.0086 12 0.1229 13 0.0091 28 0.1242 29 0.1423 0.0394 30 0.0189 89 0.1491 90 0.0440 4 0.6747 5 0.3253 11 0.7570 12 0.2430 1. Pdvi=2ji=1andji0for2idv; 2. j(x)isnotsignicantlydifferentfrom~j(x); 3. j(x)producessmallererrorprobabilitythan~j(x),wherejirepresentsthefractionofedgesemanatingfromthevariablenodesofdegreeianddvisthemaximumallowabledegreeofj(x).Thecodesearchprocesscontinuesuntiles(Ms)orew(Mw)becomeslargerthan,oruntilj(x)converges.AsmentionedinSection 3.3.2 ,wecanalsoxj(x)andobtainasimilarlinearprogrammingproblemforj(x)anditerativesearchcanthenalternatebetweenthelinearprogramsforj(x)andj(x),respectively.Toillustratethesecrecyperformanceofthemodiedkey-agreementscheme,weconsiderthecodedesignfor4-PAMand8-PAMmodulation.Forthecaseof4-PAMmodulation,weconsidertwodifferentchannelsettings:(a)P=2=5dBand2=0dB 65

PAGE 66

Figure4-5. Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.195andrate-0.538irregularLDPCcodes. and(b)P=2=1.8dBand2=5dB,whichcorrespondstosituationswherethewiretapper'sSNRismoderateandstrongrelativetothedestination'sSNR.WeapplytheaforementionedcodesearchprocesstoobtaintheirregularLDPCcodesshownbelow.Forchannelsetting(a), Figure4-5 showstherate-leakagepair(Rk,Rl)achievedbytheirregularLDPCcodesobtainedbysettingRk=0.29inthecodesearchprocess.By( 4 ),wehaveRk1=0.15andRk2=0.14.ThecoderatesoftheLDPCcodes,whosedegreedistributionpairsareshownin Table4-1 ,areR0c1=0.195andR0c2=0.538,respectively.Asusual,weobtainaninstanceoftheirregularLDPCcodesbyrandomlygeneratedabipartitegraphwhichsatisesthecorrespondingdegreedistributions.TheblocklengthoftheLDPCcodesism=106,andalllength-4loopsareremoved.Computersimulationisperformedtoobtainanestimateofsandw,whicharethen 66

PAGE 67

employedtocalculateanachievableleakagerateasin( 4 ),providedthats0.01andw0.01.Theresultingachievablekey-leakageratepair(Rk,Rl)areplottedagainstthecorrespondingboundaryofthe(Rpq,Rl)region,whichisshownbythesolidcurveinthegure.From Figure4-5 ,wecanseethatthepair(Rk,Rl)=(0.29,0.03)isachievedbyusingtherate-0.195andrate-0.538irregularLDPCcodes.Next,weconsiderthemorechallengingchannelsetting(b)inwhichthewiretapper'sSNRis5dBmorethanthatofthedestination. Figure4-6 showstherate-leakagepair(Rk,Rl)achievedbytheirregularLDPCcodesobtainedbyperformingthecodesearchprocesswithRk=0.12.Using( 4 ),wegetRk1=0.05andRk2=0.07.ThecoderatesoftheLDPCcodes,whosedegreedistributionpairsareshownin Table4-2 ,areR0c1=0.096andR0c2=0.436,respectively.From Figure4-5 ,wecanseethatthepair(Rk,Rl)=(0.12,0.015)isachievedbyusingtherate-0.096andrate-0.436irregularLDPCcodes.Forthecaseof8-PAMmodulation,wealsoconsidertwodifferentchannelsettings:(c)P=2=9dBand2=0dBand(d)P=2=8dBand2=3dB.Forchannelsetting(c), Figure4-7 showstherate-leakagepair(Rk,Rl)achievedbytheirregularLDPCcodesobtainedbysettingRk=0.365inthecodesearchprocess.By( 4 ),wehaveRk1=0.1,Rk2=0.176andRk3=0.689.ThecoderatesoftheLDPCcodes,whosedegreedistributionpairsareshownin Table4-3 ,areR0c1=0.108,R0c2=0.432andR0c3=0.689,respectively.From Figure4-7 ,wecanseethatthepair(Rk,Rl)=(0.365,0.033)isachievedbyusingtherate-0.108,rate-0.432andrate-0.689irregularLDPCcodes.Forchannelsetting(d), Figure4-8 showstherate-leakagepair(Rk,Rl)achievedbytheirregularLDPCcodesobtainedbysettingRk=0.22inthecodesearchprocess.By( 4 ),wehaveRk1=0.057,Rk2=0.109andRk3=0.054.ThecoderatesoftheLDPCcodes,whosedegreedistributionpairsareshownin Table4-4 ,areR0c1=0.078,R0c2=0.415andR0c3=0.687,respectively.From Figure4-8 ,wecansee 67

PAGE 68

Table4-2. Degreedistributionpairsoftherate-0.096andrate-0.436irregularLDPCcodes. rate-0.096 rate-0.436 2 0.3718 0.2702 3 0.1547 0.1570 4 0.0222 0.0705 5 0.0787 0.0638 6 0.0584 7 0.0120 8 0.0469 9 0.1628 11 0.0906 12 0.0267 26 0.0512 27 0.1776 29 0.0526 30 0.0518 89 0.0805 3 0.0944 4 0.9031 5 0.0025 7 0.9185 8 0.0589 9 0.0226 thatthepair(Rk,Rl)=(0.22,0.026)isachievedbyusingtherate-0.078,rate-0.415andrate-0.687irregularLDPCcodes. 4.4SummaryInthischapter,weextendandfurtherimproveourproposedkey-agreementschemetothecasewhenthesourceisallowedtosendM-aryequiprobablePAMsymbols.Themodiedkey-agreementschemeemployspuncturedirregularLDPCcodestoavoiddirectlyexposingthe(secret)keytothewiretapper.ByinvokingtheideaofMLCandMSD,weshowthatthedesignofLDPCcodesovertheoriginalwiretapchannelcanbetransformedintothedesignofLDPCcodesfortheMbinary-inputwiretapchannels.Hence,theproposedcodesearchprocesscanbeadoptedtodesigngoodirregular 68

PAGE 69

Figure4-6. Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.096andrate-0.436irregularLDPCcodes. LDPCcodestogivesecrecyperformanceclosetothe(symmetric)relaxedkeyrate,asdemonstratedbythesimulationresults. 69

PAGE 70

Table4-3. Degreedistributionpairsoftherate-0.108,rate-0.432andrate-0.689irregularLDPCcodes. rate-0.108 rate-0.432 rate-0.689 2 0.3626 0.2852 0.2219 3 0.1599 0.1608 0.1211 4 0.0892 0.1338 5 0.1063 6 0.0436 7 0.1637 8 0.0587 0.1114 9 0.1398 10 0.1073 20 0.0492 21 0.1932 26 0.1176 0.0764 27 0.0019 0.19546 100 0.1008 4 0.9881 5 0.0119 6 0.2382 7 0.7589 14 0.6828 15 0.3172 20 0.0029 70

PAGE 71

Figure4-7. Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.108,rate-0.432andrate-0.689irregularLDPCcodes. 71

PAGE 72

Table4-4. Degreedistributionpairsoftherate-0.078,rate-0.415andrate-0.687irregularLDPCcodes. rate-0.078 rate-0.415 rate-0.687 2 0.4081 0.2644 0.2208 3 0.1677 0.1729 0.1254 4 0.1256 5 0.1342 0.1397 6 0.0181 0.0195 8 0.1542 9 0.0291 0.0943 10 0.0787 0.0888 11 0.1042 21 0.0695 22 0.0157 26 0.2541 27 0.0256 31 0.1374 32 0.0731 54 0.0293 55 0.0496 3 0.3915 4 0.6085 6 0.0668 7 0.9093 8 0.0210 9 0.0010 14 0.7449 15 0.2551 20 0.0019 72

PAGE 73

Figure4-8. Plotof(Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.078,rate-0.415andrate-0.687irregularLDPCcodes. 73

PAGE 74

CHAPTER5ANLDPC-BASEDSECRET-SHARINGSCHEMEOVERFAST-FADINGWIRETAPCHANNELInthischapter,wefurtherextendoursecret-sharingdesigntodevelopapracticalkey-agreementschemeforthefastRayleighfadingwiretapchannel.Weimposetwoconstraintsonthechannelbetweenthesourceanddestination.First,thesourceislimitedtotransmitquadraturephase-shift-keyed(QPSK)symbols.Second,symbolbysymbol,component-by-componenthard-decisionquantizationisappliedtothereceivedsymbolsatthedestination.Weshowthatthein-phaseandquadrature-phasecomponentsofthefast-fadingwiretapchannelcanbeconsideredseparately.Thesecrecyperformanceoftheproposedschemeisagainmeasuredintermsoftherateofsecretkeyagreedbetweenthesourceanddestinationagainsttherateofinformationaboutthesecretkeyleakedtothewiretapper. 5.1Fast-FadingWiretapChannelInthischapter,weconsiderthewiretapchannelinwhichthedestinationandwiretapperchannelarebothfastRayleighfadingchannels.Here,Xidenotestheithcomplex-valuedsymboltransmittedbythesource,i.e.,Xi=XIi+jXQiwhereXIiandXQiarethein-phase(I)andquadrature-phase(Q)components,respectively.Thebaseband-equivalentfastRayleighfadingwiretapchannelcanthenbemodeledas Yi=GiXi+NiZi=~GiXi+~Ni,(5)wherethechannelnoisesarenowmodeledrespectivelybyNiand~Ni,whicharei.i.d.zero-mean,complex-symmetriccomplexGaussian-distributed(ZMCSCGD)randomvariableswithvariance2,andthefadingcoefcientsarerepresentedbyGiand~Gi,whicharei.i.d.ZMCSCGDrandomvariableswithunitvariance.ItisassumedthatperfectCSIoftherespectivechannelsisavailabletothedestinationandwiretapper,i.e.,thedestinationknowsGiandthewiretapperknows~Gi.Werestrictthesourcetotransmit 74

PAGE 75

onlyQPSKsymbols,i.e.fXIi,XQig2q 1 2,withbeingthegain.Similarly,wealsoimposethesourcepowerconstraint( 2 )suchthat2P,wherePisthemaximumpoweravailabletothesource.Thechannelgaindifferencebetweenthedestinationandwiretapperisagainmodeledbythepositiveconstant.SimilartoChapter 3 ,itisassumedthatthereisaninteractive,authenticatedandpublicchannelwithunlimitedcapacitybetweenthesourceandthedestination.AswillbedescribedinSection 5.2 ,weperformsymbol-by-symbol,componentbycomponenthard-decisionquantizationatthedestinationinwhichtheithquantizeddestinationsymbol^Yi=^YIi+j^YQiisgivenby^YIi=sgn(<(YiGi))and^YQi=sgn(=(YiGi)).Sincethereceivedsymbolsatthedestinationandwiretapperareconditionallyindependentgiventhesourcesymbols,itcanbeshown1thattheRl-relaxedkeycapacityisgivenby Cq(Rl)=max0~q P 2hminfCs(~))]TJ /F4 11.955 Tf 11.96 0 Td[(Cw(~)+Rl,Cs(~)gi,(5)whereCs(~)=2)]TJ /F14 11.955 Tf 11.96 16.28 Td[(Z10H2(Q(~h))4he)]TJ /F5 7.97 Tf 6.59 0 Td[(h2dhandCw(~)=2)]TJ /F3 11.955 Tf 21.67 8.08 Td[(1 p 2Z10Z10Z10[1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~gz]e)]TJ /F15 5.978 Tf 7.79 3.86 Td[((z)]TJ /F20 5.978 Tf 5.75 0 Td[(~g)2 2H2 Q(~h)+[1)]TJ /F4 11.955 Tf 11.96 0 Td[(Q(~h)]e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~gz 1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~gz!8hge)]TJ /F7 7.97 Tf 6.59 0 Td[((h2+g2)dgdhdzare,respectively,thecapacitiesofthequantizeddestination-to-sourceandquantizeddestination-to-wiretapperchannelsatthenormalizedgain~.WeagainnotethatCq(Rl)isachievedwhenXiisequiprobable,butitisnotnecessarilyachievedby 1Theproofof( 5 )canbeeasily,thoughrathertediously,extendedfromtheproofof( 3 )bycheckingtheconcavityandsymmetryofI(X;Y))]TJ /F4 11.955 Tf 19.21 0 Td[(I(Y;Z)asafunctionoftheQPSKsourcedistribution. 75

PAGE 76

Figure5-1. TheRl-relaxedkeycapacityCqofthefastRayleighfadingwiretapchannelfordifferentvalueof2,whereRl=0. transmittingatthemaximumallowablepowerP.TheequiprobabledistributionandsymmetryoftheQPSKsymbolsimplythatwecanconsiderinsteadthetransmissionofBPSKsymbolswithequalratesseparatelyovertheI-andQ-components.Forillustration, Figure5-1 showstheplotofCq(Rl),inunitsofbpcu,versusthemaximumallowableSNRP=2for2=)]TJ /F3 11.955 Tf 9.3 0 Td[(5,0,and5dB,respectively.Notethatforeachvalueof,weshoulddesignthekey-agreementsystemtooperatenearthecornerpointwherethekeycapacityisjustabouttoleveloff. 76

PAGE 77

5.2LDPC-basedKey-AgreementSchemeTheproposedkey-agreementschemeisamodicationoftheonepresentedinChapter 4 .UnderthenotationsdevelopedinSection 4.2 ,wedescribetheproposedkey-agreementschemeasfollows, 1. Randomsourcetransmissionanddestinationquantization:ThesourcerstrandomlygeneratesasequenceXnofni.i.d.equallylikelyQPSKsymbolsandsendsthemconsecutivelythroughthefast-fadingwiretapchannel.Thedestinationthenobtainsthequantizedsequence^Ynbyperformingsymbol-by-symbol,component-by-componenthard-decisionquantizationonthereceivesequenceYn.WenotethatthisquantizationseparatesthereceivedsymbolYiintothequantizedI-component^YIi=sgn(<(YiGi))andQ-component^YQi=sgn(=(YiGi)).WealsonotethatthewiretapperobservesZnand~Gn. 2. SyndromegenerationthroughLDPCencodingatdestination:Thedestinationrstrandomlychoosesthek-bitsequenceLkIwithi.i.d.equal-likelybits.ItthengeneratesthesyndromesequenceSm)]TJ /F5 7.97 Tf 6.59 0 Td[(lI=[LkI,^YnI]HT.WenotethateachSm)]TJ /F5 7.97 Tf 6.59 0 Td[(lIuniquelycorrespondstoacosetEmI+C0,whereEmI=[0l,Sm)]TJ /F5 7.97 Tf 6.59 0 Td[(lI(B)]TJ /F7 7.97 Tf 6.59 0 Td[(1)T]isthecosetleader.Asimilarencodingprocessisperformedon[LkQ,^YnQ]toobtainSm)]TJ /F5 7.97 Tf 6.59 0 Td[(lQandEmQ,whereLkQisanotherrandomsequenceofi.i.d.equal-likelybits,chosenindependentofLkI.Finally,thedestinationsendsEmI,EmQ,andGnbacktothesourceviathepublicchannel. 3. Decodingatsource:Thesourceperformsbeliefpropagation(BP)decodingtodecodeforthecodewordUmI=[LkI,^YnI]+EmI(2C0)fromobservingXnI,EmIandGn.Similar,italsoseparatelydecodeforthecodewordUmQ=[LkQ,^YnQ]+EmQfromobservingXnQ,EmQandGn.Let^UmIand^UmQdenotethedecodedcodewordsforUmIandUmQ,respectively. 4. Keygenerationatsourceanddestination:Thedestinationuses[LkI,LkQ]asitskey.Thesourcesetsitskeytobe[KkI,KkQ],whereKkIandKkQcontaintherespectiverstkbitsof^UmIand^UmQ.Wenotethattheaboveschemeispermissiblewitht=n+1,K=[KkI,KkQ],L=[LkI,LkQ],andn+1=(EmI,EmQ,Gn)istheonlymessagesentviathepublicchannelatthelasttimeinstantn+1,asdescribedinSection 2.2 .SimilartoSection 4.2 ,weevaluatethesecrecyperformanceoftheschemeintermsoftheachievablekey-leakageratepairdenedinSection 2.2 .First,basedonthechosendistributionsofLkI,LkQ,andXn,thememorylessnatureofthefast-fading 77

PAGE 78

wiretapchannel,andthesymbol-by-symbol,component-by-componentharddecisionperformedtoobtain^Ynatthedestination,itiseasytocheckthatH(LkI)=H(LkQ)=k,H(LkI,^YnIjGn)=H(LkQ,^YnQjGn)=m,andI(LkI,LkQ;Gn)=0.TogetherwiththelinearityofLDPCcodes,wecanalsoconcludethatH(EmIjGn)=H(EmQjGn)=m)]TJ /F4 11.955 Tf 13 0 Td[(landI(LkI,LkQ;EmI,EmQ,Gn)=I(LkI,LkQ;Gn)+I(LkI,LkQ;EmI,EmQjGn)=0,since(EmI,EmQ)areconditionallyuniformdistributedandindependentof(LkI,LkQ)givenGn.Next,consider I(KkI,KkQ;Zn,~Gn,EmI,EmQ,Gn)I(LkI,LkQ;Zn,~Gn,EmI,EmQ,Gn)+I(KkI,KkQ;Zn,~Gn,EmI,EmQ,GnjLkI,LkQ)I(LkI,LkQ;Zn,~Gn,EmI,EmQ,Gn)+H(KkI,KkQjLkI,LkQ)I(LkI,LkQ;Zn,~Gn,EmI,EmQjGn)+2ks+2, (5) wherethelastlineisduetoFano'sinequalityandtheresultthatI(LkI,LkQ;Gn)=0.Further,deneZIi=
PAGE 79

wherethesecondlastinequalityisduetothefactsthat(LkI,^YnI)and(LkQ,^YnQ)areconditionallyindependentgivenGn,andthatI(LkI,LkQ;Znj^YnI,^YnQ,Gn,~Gn)=0asLkIandLkQareindependentofallchannelobservationsmadebythedestinationandwiretapper.SupposethatthedecodingprocessatthesourceachievestheerrorprobabilitysforboththeI-andQ-channels.ThenwehavePrfKkI6=LkIgsandPrfKkQ6=LkQgs,whichimpliesPrf[KkI,KkQ]6=[LkI,LkQ]g2s.Hence,Condition1inSection 2.2 issatised.Moreover,wealsohaveH(KkIjLkI)1+ks,H(LkIjKkI)1+ks,H(KkQjLkQ)1+ksandH(LkQjKkQ)1+ksbyFano'sinequality.Thatinturnimpliesthat1 nH(KkI,KkQ)2Rk)]TJ /F3 11.955 Tf 13.11 0 Td[(2Rks)]TJ /F7 7.97 Tf 14.37 4.71 Td[(2 n.FurtherusingtheaboveresultthatI(LkI,LkQ;EmI,EmQ,Gn)=0,weget1 nI(KkI,KkQ;EmI,EmQ,Gn)2Rks+2 n.Thus,Conditions2,4,and5inSection 2.2 aresatisedwhennissufcientlylargeandsissmallenough.Now,becausethechannelfrom^YntoZnismemoryless,wehaveI(^Yn;ZnjGn,~Gn)nCw(~).Inaddition,let'sconsiderapairofctitiousdecodersatthewiretappertryingtodecode1)for^YnIfromobserving(ZnI,EmI,LkI,Gn,~Gn),and2)for^YnQfromobserving(ZnQ,EmQ,LkQ,Gn,~Gn).Supposethatbothdecodersachievetheerrorprobabilityw.ThenwehaveH(^YnIjZnI,LkI,EmI,Gn,~Gn)1+(l)]TJ /F4 11.955 Tf 13.62 0 Td[(k)wandH(^YnQjZnQ,LkQ,EmQ,Gn,~Gn)1+(l)]TJ /F4 11.955 Tf 13.07 0 Td[(k)wbyFano'sinequality.Puttingalltheseand( 5 )backinto( 5 ),weobtain 1 nI(KkI,KkQ;Zn,~GnjEmI,EmQ,Gn)1 nI(KkI,KkQ;Zn,~Gn,EmI,EmQ,Gn)Cw(~))]TJ /F3 11.955 Tf 11.96 0 Td[(2(Rc)]TJ /F4 11.955 Tf 11.96 0 Td[(Rk)+2Rks+2(Rc)]TJ /F4 11.955 Tf 11.96 0 Td[(Rk)w+4 n. (5) LettingRl=Cw(~))]TJ /F3 11.955 Tf 11.09 0 Td[(2(Rc)]TJ /F4 11.955 Tf 11.09 0 Td[(Rk),Condition3inSection 2.2 isthensatisedifsandwissmallenoughandnislargeenough,showingthat(2Rk,Rl)isanachievablekey-leakageratepairasaresult. 79

PAGE 80

Table5-1. Degreedistributionpairsoftherate-0.426,rate-0.362,rate-0.276irregularLDPCcodes. rate-0.426 rate-0.362 rate-0.276 2 0.2613 0.2427 0.2543 3 0.1803 0.1769 0.1534 4 0.0247 5 0.1342 0.0977 6 0.0355 0.1238 0.0484 7 0.0614 9 0.0401 10 0.0900 11 0.1144 12 0.0707 15 0.1066 16 0.0718 25 0.1031 26 0.0600 32 0.2036 48 0.0814 49 0.1107 89 0.1179 90 0.0351 6 0.0009 0.2849 0.9143 7 0.9704 0.6085 0.0857 8 0.1066 11 0.0287 5.3LDPCCodesDesignandPerformanceInthissection,wedesignirregularLDPCcodesforuseintheproposedkeyagreementschemetoachievegoodsecrecyperformance.AsdescribedinSection 5.2 ,wecandesigngoodLDPCcodesfortheI-componentandtheresultingcodeswillalsoworkwellfortheQ-component.Tothatend,weapplythecodesearchprocedureasdescribedinSection 4.3 .Again,ourgoalistodesignirregularLDPCcodeC0sothatthepair(C,W)workswellforthechannelfrom^YnItoXnIandthechannelfrom^YnItoZnIgivenLkI.ForatargetRk,inordertominimizetheachievableleakagerateRl,Eqn.( 5 )suggeststhatweshouldmaximizeRcsubjecttotheconstraintthatbothsandwvanishastheBPdecodersatthesourceandwiretapperiterate. 80

PAGE 81

Toillustratethesecrecyperformancefortheproposedkey-agreementschemeoverthefastfadingwiretapchannel,weconsiderthreedifferentchannelscenarios:(a)P=2=5dBand2=)]TJ /F3 11.955 Tf 9.3 0 Td[(5dB,(b)P=2=2.5dBand2=0dB,and(c)P=2=0dBand2=5dB.Thethreescenarioscorrespondtocasesinwhichthewiretapper'saverageSNRisweak,moderateandstrongrelativetothedestination'saverageSNR.WeapplythecodesearchprocessdescribedaboveinthesethreescenariostoobtaintheirregularLDPCcodespresentedbelow.Forscenario(a), Figure5-2 showsthekey-leakageratepair(2Rk,Rl)achievedbyanirregularLDPCcodeobtainedbysettingRk=0.34inthecodesearchprocess.ThecoderateR0cofthisirregularLPDCcodeis0.426andthecorrespondingdegreedistributionpairisshownin Table5-1 .TheblocklengthoftheLDPCcodeism=106,andalllength-4loopsareremoved.Similarly,computersimulationisperformedtoobtainanestimateofsandw,whicharethenemployedtocalculateanachievableleakagerateasin( 5 ),providedthats0.01andw0.01.Theresultingachievablekey-leakageratepair(2Rk,Rl)areplottedagainstthecorrespondingboundaryofthe(Cq,Rl)region,whichisshownbythesolidcurveinthegure.From Figure5-2 ,weseethatthepair(2Rk,Rl)=(0.68,0.036)isachievedbyusingthisrate-0.426irregularLDPCcode.Next,weconsiderthemorechallengingscenario(b)inwhichthewiretapper'saverageSNRisasstrongasthatofthedestination. Figure5-3 showsthesecrecyperformanceofarate-0.362irregularLDPCcodeobtainedbyperformingthecodesearchprocesswithRk=0.193.ThedegreedistributionpairofthisirregularLDPCcodecanalsobefoundin Table5-1 .From Figure5-3 ,weobservethatthepair(2Rk,Rl)=(0.386,0.03)isachievablebythiscode.Finally,weconsiderthehardestscenario(c)inwhichthewiretapper'saverageSNRismuchstrongerthanthatofthedestination. Figure5-4 showstheachievable(2Rk,Rl)pairofarate-0.276irregularLDPCcodeobtainedbyperformingthecodesearchprocesswithRk=0.095.ThedegreedistributionpairofthisirregularLDPCcodeis 81

PAGE 82

Figure5-2. Plotofthe(2Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.426irregularLDPCcode. againshownin Table5-1 .From Figure5-4 ,weseethatthepair(2Rk,Rl)=(0.19,0.024)isachievedusingthiscode.Inconclusion,wecandesigngoodirregularLDPCcodesforuseinthemodiedkey-agreementschemetoachievegoodsecrecyperformancebyperformingthecodeprocessdescribedaboveunderdifferentchannelscenarios. 5.4SummaryInthischapter,weextendandmodifytheproposedLDPC-basedkey-agreementschemeforGaussianwiretapchanneltoworkinthefastRayleighfadingwiretapperchannel.Themodiedkey-agreementschemeemploysirregularpuncturedLDPCcodesseparatelyfortheI-andQ-componentsofthewiretapchannel.Adensity-evolutionbasedlinearprogramisalsousedtosystematicallydesigngoodirregularLDPCcodes 82

PAGE 83

Figure5-3. Plotofthe(2Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.362irregularLDPCcode. foruseintheproposedscheme.SimulationresultsdemonstratethattheirregularLDPCcodesobtainedfromthecodesearchprocessachievesecrecyperformanceclosetotherelaxedkeycapacityofthefastRayleighfadingwiretapchannelundervariouschannelsettings. 83

PAGE 84

Figure5-4. Plotofthe(2Rk,Rl)pairachievedbythemodiedkey-agreementschemeemployingtherate-0.276irregularLDPCcode. 84

PAGE 85

CHAPTER6CONCLUSIONSInthisdissertationresearch,wedesignedpracticalsecret-sharingschemestoallowasourceanddestinationtosharesecretinformation(akey)overanoisychannelinthepresenceofaneavesdropper,orwiretapper.Chapter 2 ofthisdissertationintroducedtheconceptofrelaxedkeycapacity,whichwasdenedasthemaximumachievablekeyratewhentheleakageratewasboundedbelowaxedvalue.Therelaxedkeycapacitywasemployedinthisdissertationasabetterbenchmarkthanthestraightkeycapacitytoevaluatethesecrecyperformanceofpracticalsecret-sharingschemessincetheyadmitnon-zeroleakageratebecauseofvariouspracticalimplementationconstraints.InChapter 3 ,wepresentedtheproposedkey-agreementschemefortheBPSKconstrainedGaussianwiretapchannelwithhard-decisionquantizationatthedestination.TheproposedschemeemploysanensembleofregularLDPCcodestosupportkeyagreement.Weprovedthattheproposedkey-agreementschemeachievestherelaxedkeycapacitywithasymptoticallylargeblocklength.Thisasymptoticresultmotivatedustodeveloppracticalimplementationsoftheproposedkey-agreementschemeusingxedirregularLDPCcodeswithniteblocklengthandthemorepracticalBPdecoders.Underthesepracticalconstraints,weobtainedanupperboundontheamountofinformationaboutthekeyleakedtothewiretappertoevaluatethesecrecyperformanceofthepracticalkey-agreementschemes.WenoticedthatasimilarLDPC-basedkey-agreementschemewasproposedin[ 16 ],andacarefulcomparisontoourproposedschemewasalsogiveninChapter 3 .Weshowthattheschemediscussedin[ 16 ]ismorerestrictivethanourproposedkey-agreementscheme.Simulationresultsconrmedthattheproposedschemeoutperformstheschemeof[ 16 ]whenrestrictingourattentiontoxedregularLDPCcodeswithsmallnodedegreeandniteblocklength.However,simulationresultsalsoshowthatxedregularLDPCcodeswithsmallnodedegreeand 85

PAGE 86

niteblocklengthdonotprovidegoodenoughsecrecyperformance.Tocompensate,wethusproposedtheuseofirregularLDPCcodesintheproposedkey-agreementschemetoachievebettersecrecyperformance.Moreover,adensity-evolutionbasedlinearprogramwasalsoproposedtosystematicallyandefcientlydesigngoodirregularLDPCcodestoachieveatargetkeyratesothatthattheamountofinformationleakedtothewiretapperisminimized.Simulationresultsshowthatthesecret-sharingirregularLDPCcodesobtainedfromoursearchperformrelativelyclosetotherelaxedkeycapacityoftheBPSK-constrainedGaussianwiretapchannel,signicantlyoutperformedregularLDPCcodesaswellasirregularLDPCcodesthatwereoptimizedjustforinformationreconciliation.InChapter 4 ,theproposedkey-agreementschemeswereextendedtothecasewhenthesourcetransmitsM-aryPAMsymbols,asameanstoachievehigherkeyrate.MultilevelcodingandmultistagedecodingwereemployedtotransformtheM-arytransmissionintoMbinary-inputwiretapchannels.Weusedthedensity-evolutionbasedlinearprogramtodesignMirregularLDPCcodessuchthateachofthemworkedwellforthecorrespondingbinary-inputwiretapchannel.Moreover,puncturedirregularLDPCcodeswereadoptedtotheproposedkey-agreementschemetoprotectthesecretkeyfromdirectexposuretothewiretapper.Chapter 5 appliedtheproposedkey-agreementschemetothefast-fadingwiretapchannel.WeshowedthattheI-andQ-componentsofthefastRayleighfadingwiretapchannelwereconsideredseparatelyinthekey-agreementscheme.WealsodesignedgoodLDPCcodesforuseinthefastfadingRayleighwiretapchannelbyusingthedensity-evolutionbasedlinearprogram.Tosummarize,wedemonstratedinChapter 4 andChapter 5 thattheproposedkey-agreementschemeandcodesearchprocesswereexibleenoughtotakeintoaccountthecaseswhenthesourcetransmittedPAMsymbolsandwhenthedestinationandwiretapperchannelswerebothfastRayleighfadingchannels.Simulationresultsshowthattheproposedkey-agreementschemeachievesaleakage 86

PAGE 87

rateofonly10%oftheassociatedkeyrateinmostofthechannelsettingsconsidered,evenifthewiretapperchannelwasmuchstrongerthanthedestinationchannel.Finally,wepointoutthattheargumentsintheproofof Theorem2.1 canbemodiedtoshowtheexistenceofanLDPCcode(fromthesameregularLDPCcodeensembleconsideredinSection 3.2 )thatachievesthesecrecycapacity[ 2 5 ]oftheGaussianwiretapchannelwiththeBPSKsource-symbolconstraint.InAppendixD,wedevelopacodingschemeforsendingsecretmessagesovertheBPSK-constrainedGaussianwiretapchannel.Moreover,wedemonstratethatthedensity-evolutionbasedlinearprogramusedextensivelyinthisdissertationcanbeemployedtondirregularLDPCcodesthatgivesecrecyperformanceclosetotheboundaryofthesecrecy-equivocationrateregionoftheBPSK-constrainedGaussianwiretapchannel. 87

PAGE 88

APPENDIXAPROOFOFTHEOREM2.1Thecasewithdiscretechannelalphabetsisestablishedin[ 4 ,Corollary2ofTheorem2].Theconverseproofin[ 4 ]isdirectlyapplicabletocontinuouschannelalphabets,providedtheaveragepowerconstraint( 2 )canbeincorporatedintotheargumentsin[ 4 ,pp.1129].Thislatterrequirementissimpliedbytheadditiveandsymmetricnatureoftheaveragepowerconstraint[ 46 ,Section3.6].Toavoidtoomuchrepetition,weoutlinebelowonlythestepsoftheproofthatarenotdirectlyavailablein[ 4 ,pp.1129].ForeverypermissiblestrategywithachievablekeyrateR,wehave1 nI(K;L)=1 nH(K))]TJ /F3 11.955 Tf 13.25 8.09 Td[(1 nH(KjL)1 nH(K))]TJ /F3 11.955 Tf 13.25 8.09 Td[(1 n[1+PrfK6=LglogjKj]>1 nH(K))]TJ /F3 11.955 Tf 13.25 8.09 Td[(1 n)]TJ /F6 11.955 Tf 11.96 0 Td[("1 nH(K)+">(1)]TJ /F6 11.955 Tf 11.96 0 Td[(")(R)]TJ /F6 11.955 Tf 11.96 0 Td[("))]TJ /F3 11.955 Tf 13.26 8.09 Td[(1 n)]TJ /F6 11.955 Tf 11.95 0 Td[("2,wherethesecondlinefollowsfromFano'sinequality,thethirdlineresultsfromConditions1and5inthedenitionofachievablekey-leakageratepair,andthelastlineisduetoCondition4.Inotherwords,everypermissiblesecret-sharingstrategythatachievesthekey-leakageratepair(R,Rl)mustsatisfy R<1 1)]TJ /F6 11.955 Tf 11.96 0 Td[("1 nI(K;L)+1 n+"2+".(A)ThusitsufcestoupperboundI(K;L).FromConditions2,3andthechainrule,wehave1 nI(K;L)1 nI(K;LjZn,t,t)+1 nI(K;Znjt,t)+1 nI(K;t,t)1 nI(K;LjZn,t,t)+Rl+2"1 nnXj=1I(Xj;YjjZj)+Rl+2", 88

PAGE 89

wherethelastinequalityisduetotheboundI(K;LjZn,t,t)Pnj=1I(Xj;YjjZj)whichisshownin[ 4 ,pp.1129].Similarly,usingthechainruleandCondition2,wealsohave1 nI(K;L)1 nI(K;Ljt,t)+1 nI(K;t,t)1 nI(K;Ljt,t)+"1 nnXj=1I(Xj;Yj)+",wherethelastinequalityisduetotheboundI(K;Ljt,t)Pnj=1I(Xj;Yj),whichagaincanbeshownbyasimplemodicationto[ 4 ,pp.1129].NowletQbeauniformrandomvariablethattakesvaluefromf1,2,...,ngandisindependentofallotherrandomquantities.Dene(X,Y,Z)=(Xj,Yj,Zj)ifQ=j.ThenpY,ZjX(y,zjx)=pY,ZjX(y,zjx).Combiningthetwoupperboundson1 nI(K;L)above,wehave 1 nI(K;L)minnI(X;YjZ,Q)+Rl,I(X;YjQ)o+2"minnI(X;YjZ)+Rl,I(X;Y)o+2", (A) wherethelastinequalityisduetothefactthatQ!X!(Y,Z)formsaMarkovchain.Thepowerconstraint( 2 )impliesthatE[jXj2]P.Combining( A )and( A ),weobtain R<1 1)]TJ /F6 11.955 Tf 11.95 0 Td[("minnI(X;YjZ)+Rl,I(X;Y)o+2"+1 n.(A)Since"canbearbitrarilysmall,( A )impliestheconverseresult,i.e.,RminnI(X;YjZ)+Rl,I(X;Y)omaxX:E[jXj2]P]minfI(X;YjZ)+Rl,I(X;Y)g=maxX:E[jXj2]P]minfI(X;Y))]TJ /F4 11.955 Tf 11.96 0 Td[(I(Y;Z)+Rl,I(X;Y)g,wherethelastlineisduetothefactthatp(y,zjx)=p(yjx)p(zjx). 89

PAGE 90

Theachievabilityproofprovidedin[ 4 ](alsotheonesin[ 47 48 ])fordiscretechannelalphabetsdoesnotreadilyextendtocontinuouschannelalphabets.Neverthelessthesamesinglebackwardmessagestrategysuggestedin[ 4 ]isstillapplicableforcontinuousalphabets.Thatstrategyusesk=n+1timeinstantswithij=jforj=1,2,...,n.Thatis,thesourcerstsendsnsymbolsthroughthe(X,Y,Z)channel;afterreceivingthesensymbols,thedestinationfeedsbackasinglemessageatthelasttimeinstanttothesourceoverthepublicchannel.WeprovideacarefullystructuredWyner-Zivcodetosupportthissecret-sharingstrategy.Themainstepsofthekeyagreementprocedurearethefollowing: 1. Thesourcesendsasequenceofi.i.d.symbolsXn; 2. ThedestinationquantizesitsreceivedsequenceYninto^YnwithaWyner-Zivcompressionscheme; 3. Thedestinationusesabinningschemewiththequantizedsymbolsequencestodeterminethesecretkeyandtheinformationtofeedbacktothesourceoverthepublicchannel; 4. Thesourceexploitstheinformationsentbythedestinationtoreconstructthedestination'squantizedsequence^Ynandusesthesamebinningschemetogenerateitssecretkey.Forthememorylesswiretapchannel(X,Y,Z)speciedbythejointpdfp(yjx)p(zjx)p(x),considerthequadruple(X,Y,^Y,Z)denedbythejointpdfp(x,y,^y,z)=p(^yjy)p(yjx)p(zjx)p(x)withp(^yjy)tobespeciedlater.Givenasequenceofnelementsxn=(x1,x2,...,xn),p(xn)=Qnj=1p(xj)unlessotherwisespecied.Similarnotationandconventionapplytoallothersequencesaswellastheircorrespondingpdfsandconditionalpdfsconsideredhereafter. A.1RandomCodeGenerationFixthesourcedistributionp(x)toachievethemaximumintheRl-relaxedkeycapacityexpression,choosep(^yjy)suchthatI(X;^Y))]TJ /F4 11.955 Tf 12.36 0 Td[(I(^Y;Z)>0andI(^Y;Z)>0,andletp(^y)denotethecorrespondingmarginal.Notethattheexistenceofsuchp(^yjy)canbeassumedwithoutlossofgeneralityifI(X;Y))]TJ /F4 11.955 Tf 12.29 0 Td[(I(Y;Z)>0andI(Y;Z)>0.If 90

PAGE 91

I(X;Y))]TJ /F4 11.955 Tf 10.77 0 Td[(I(Y;Z)=0,thereisnothingtoprove.Similarly,ifI(Y;Z)=0,theconstructionbelowcanbetriviallymodiedtoshowthatI(X;Y)isanachievablekeyrate.Fixasmall(smallenoughsothatthevariousratedenitionsandboundsonprobabilitiesbelowmakesenseandarenon-trivial)">0.IfRl<>:1ifPrfT"(Xn,yn,^yn,Zn)=1g1)]TJ /F6 11.955 Tf 11.96 0 Td[("0otherwise 91

PAGE 92

where(Xn,Zn)isdistributedaccordingtop(xn,znjyn,^yn)inthedenitionabove.ThesourcegeneratesarandomsequenceXndistributedaccordingtop(xn).IfXnsatisestheaveragepowerconstraint( 2 ),thesourcesendsXnthroughthe(X,Y,Z)channel.Otherwise,itendsthesecret-sharingprocess.Sincep(x)satisesE[jXj2]P,thelawoflargenumbersimpliesthattheprobabilityofthelattereventcanbemadearbitrarilysmallbyincreasingn.Hencewecanassumebelow,withnolossofgenerality,thatXnsatises( 2 )andissentbythesource.Thisassumptionhelpstomaketheprobabilitycalculationsinlatersectionslesstedious.UponreceptionofthesequenceYn,thedestinationtriestoquantizethereceivedsequence.LetMbetheoutputofitsquantizer.Specically,ifthereisauniquesequence^Yn(m)2Cforsomem2f1,2,...,2nR1gsuchthatS"(Yn,^Yn(m))=1,thenitsetstheoutputofthequantizertoM=m.Ifthereismorethanonesuchsequence,Missettobethesmallestsequenceindexm.Ifthereisnosuchsequence,itsetsM=0.LetLandJbetheuniqueindicessuchthat^Yn(M)2C(J,L).TheindexLwillbeusedasthekeywhiletheindexJisfedbacktothesourceoverthepublicchannel,i.e.k=J.IfM=0,setJ=0andchooseLrandomlyoverf1,2,...,2nR3gwithuniformprobabilities.AfterreceivingthefeedbackinformationJviathepublicchannel,thesourceattemptstondaunique^Yn(m)2CsuchthatT"(Xn,^Yn(m))=1andm2^C(J).Ifthereissuchaunique^Yn(m),thesourcedecodes^M=m.Ifthereisnosuchsequenceormorethanonesuchsequence,thesourcesets^M=0.IfJ=0,itsets^M=0.Finally,if^M>0,thesourcegeneratesitskeyK=k,suchthat^M2C(J,k).If^M=0,itsetsK=0.WealsoconsideractitiousreceiverwhoobservesthesequenceZnandobtainsbothindicesJandLviathepublicchannel.Thisreceiversets~M=0ifJ=0.Otherwise,itattemptstondaunique^Yn(m)2CsuchthatT"(^Yn(m),Zn)=1and 92

PAGE 93

m2C(J,L).Ifthereissuchaunique^Yn(m),thesourcedecodes~M=m.Ifthereisnosuchsequenceormorethanonesuchsequence,thesourcesets~M=0. A.3AnalysisofProbabilityofErrorWeusearandomcodingargumenttoestablishtheexistenceofacodewithratesgivenby( A )suchthatPrfK6=LgandPrfM6=~Mgvanishinthelimitoflargeblocklengthn.Withoutfurtherclarication,wenotethattheprobabilitiesoftheeventsbelow,exceptotherwisestated,areoverthejointdistributionofthecodebookC,codewords,andallotherrandomquantitiesinvolved.Beforeweproceed,weintroducethefollowinglemmaregardingtheindicatorfunctionS". Lemma2. 1. If(Yn,^Yn)distributesaccordingtop(yn,^yn),thenPrfS"(Yn,^Yn)=1g>1)]TJ /F6 11.955 Tf 11.95 0 Td[("forsufcientlylargen. 2. If^Yndistributesaccordingtop(^yn),thenPrfS"(yn,^Yn)=1g2)]TJ /F13 5.978 Tf 5.76 0 Td[(n(R1)]TJ /F15 5.978 Tf 5.76 0 Td[(7") 1)]TJ /F19 7.97 Tf 6.58 0 Td[("forallyn. 3. IfYndistributesaccordingtop(yn),thenPrfS"(Yn,^yn)=1g2)]TJ /F13 5.978 Tf 5.76 0 Td[(n(R1)]TJ /F15 5.978 Tf 5.76 0 Td[(7") 1)]TJ /F19 7.97 Tf 6.58 0 Td[("forall^yn. 4. If(Yn,^Yn)distributesaccordingtop(yn)p(^yn),thenPrfS"(Yn,^Yn)=1g>(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1)]TJ /F19 7.97 Tf 6.59 0 Td[(")forsufcientlylargen. Proof. 1. Thisclaimisactuallyshownin[ 49 ].Webrieysketchtheproofhereusingournotationforcompletenessandeasyreference.BythereverseMarkovinequality[ 49 ],PrfS"(Yn,^Yn)=1g1)]TJ /F3 11.955 Tf 13.15 8.09 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(PrfT"(Xn,Yn,^Yn,Zn)=1g 1)]TJ /F3 11.955 Tf 11.95 0 Td[((1)]TJ /F6 11.955 Tf 11.95 0 Td[(")>1)]TJ /F6 11.955 Tf 11.95 0 Td[("wherethesecondinequalityisduetothatfactthatPrfT"(Xn,Yn,^Yn,Zn)=1g>1)]TJ /F6 11.955 Tf 11.95 0 Td[("2forsufcientlylargen. 93

PAGE 94

2. First,weonlyneedtoconsidertypicalynsincetheboundistrivialwhenynisnottypical.Noticethatforanysuchyn,1ZT"(xn,yn,^yn,zn)p(xn,^yn,znjyn)dxndznd^yn=ZPrfT"(Xn,yn,^yn,Zn)=1gp(yn,^yn) p(yn)d^ynZPrfT"(Xn,yn,^yn,Zn)=1g2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(h(Y,^Y)+") 2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(h(Y))]TJ /F19 7.97 Tf 6.59 0 Td[(")d^yn=2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(h(^YjY)+2")ZPrfT"(Xn,yn,^yn,Zn)=1gd^yn.Hence 2n(h(^YjY)+2")ZPrfT"(Xn,yn,^yn,Zn)=1gd^ynZS"(yn,^yn)PrfT"(Xn,yn,^yn,Zn)=1gd^yn(1)]TJ /F6 11.955 Tf 11.96 0 Td[(")ZS"(yn,^yn)d^yn. (A) NowPrfS"(yn,^Yn)=1g=ZS"(yn,^yn)p(^yn)d^ynZS"(yn,^yn)2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(h(^Y))]TJ /F19 7.97 Tf 6.58 0 Td[(")d^yn2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(I(Y;^Y))]TJ /F7 7.97 Tf 6.59 0 Td[(3") 1)]TJ /F6 11.955 Tf 11.96 0 Td[(",wherethelastinequalityisdueto( A ). 3. SameasPart2),interchangingtherolesofynand^yn. 4. FromPart1),weget1)]TJ /F6 11.955 Tf 11.96 0 Td[("
PAGE 95

MoreoverweneedtoboundtheprobabilitiesofthefollowingeventspertainingtoM. Lemma3. 1. PrfM=0g<2"forsufcientlylargen. 2. Form=1,2,...,2nR1,PrfM=mg2)]TJ /F13 5.978 Tf 5.76 0 Td[(n(R1)]TJ /F15 5.978 Tf 5.76 0 Td[(7") 1)]TJ /F19 7.97 Tf 6.59 0 Td[(". 3. Whennissufcientlylarge,PrfM=mgh1)]TJ /F7 7.97 Tf 13.15 4.71 Td[(2)]TJ /F13 5.978 Tf 5.76 0 Td[(n(R1)]TJ /F15 5.978 Tf 5.76 0 Td[(7") 1)]TJ /F19 7.97 Tf 6.59 0 Td[("im)]TJ /F7 7.97 Tf 6.58 0 Td[(1(1)]TJ /F6 11.955 Tf 12.29 0 Td[(")2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F19 7.97 Tf 6.58 0 Td[(")uniformlyforallm=1,2,...,2nR1. 4. Whennissufcientlylarge,PrfJ=j,L=`g>(1)]TJ /F6 11.955 Tf 12.14 0 Td[(")42)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1)]TJ /F5 7.97 Tf 6.59 0 Td[(R4+6")uniformlyforallj=1,2,...,2nR2and`=1,2,...,2nR3. Proof. 1. Wewilluseanargumentsimilartotheoneintheachievabilityproofoftheratedistortionfunctionin[ 38 ,Section10.5]toboundPrfM=0g.FirstnotethatfM=0gistheeventthatS"(Yn,^Yn(m))=0forallm2f1,2,...,R1g,andhence PrfM=0g=Pr8<:2nR1\m=1fS"(Yn,^Yn(m))=0g9=;=ZhPrfS"(yn,^Yn(1))=0gi2nR1p(yn)dyn, (A) wherethesecondequalityisduetothefactthat^Yn(1),...,^Yn(2nR1)arei.i.d.giveneachxedyn.But hPrfS"(yn,^Yn(1))=0gi2nR1=1)]TJ /F14 11.955 Tf 11.96 16.27 Td[(ZS"(yn,^yn)p(^yn)d^yn2nR1=1)]TJ /F14 11.955 Tf 11.96 16.27 Td[(ZS"(yn,^yn)p(^ynjyn)p(yn)p(^yn) p(yn,^yn)d^yn2nR1"1)]TJ /F14 11.955 Tf 11.95 16.27 Td[(ZS"(yn,^yn)p(^ynjyn)2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(h(Y)+"))]TJ /F5 7.97 Tf 6.58 0 Td[(n(h(^Y)+") 2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(h(Y,^Y))]TJ /F19 7.97 Tf 6.58 0 Td[(")d^yn#2nR1=1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(I(Y;^Y)+3")ZS"(yn,^yn)p(^ynjyn)d^yn2nR11)]TJ /F14 11.955 Tf 11.96 16.27 Td[(ZS"(yn,^yn)p(^ynjyn)d^yn+exp()]TJ /F3 11.955 Tf 9.3 0 Td[(2n"), (A) wheretheinequalityonthethirdlineisduetothefactthatS"(yn,^yn)=1impliesT"(yn,^yn)=1,andthelastlineresultsfromtheinequality(1)]TJ /F4 11.955 Tf 12 0 Td[(xy)k1)]TJ /F4 11.955 Tf 12 0 Td[(x+e)]TJ /F5 7.97 Tf 6.58 0 Td[(kyforall0x,y1andpositiveintegerk[ 38 ,Lemma10.5.3].Substituting( A ) 95

PAGE 96

backinto( A )andusingLemma 2 Part1),wegetPrfM=0g1)]TJ /F3 11.955 Tf 11.96 0 Td[(PrfS"(Yn,^Yn)=1g+exp()]TJ /F3 11.955 Tf 9.3 0 Td[(2n")<"+"=2"forsufcientlylargen. 2. Noticethatform=1,2,...,2nR1, PrfM=mg=PrfS"(Yn,^Yn(m))=1,S"(Yn,^Yn(m)]TJ /F3 11.955 Tf 11.96 0 Td[(1))=0,...,S"(Yn,^Yn(1))=0g=ZPrfS"(yn,^Yn(1))=1ghPrfS"(yn,^Yn(1))=0gim)]TJ /F7 7.97 Tf 6.59 0 Td[(1p(yn)dyn (A) wherethesecondequalityresultsfromthei.i.d.natureof^Yn(1),...,^Yn(m).ThuswehavePrfM=mgPrfS"(Yn,^Yn(1))=1g2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.58 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[(",wherethelastinequalityisduetoPart2)ofLemma 2 sinceYnand^Yn(1)areindependent. 3. From( A ),wehavethelowerboundPrfM=mg1)]TJ /F3 11.955 Tf 13.15 8.09 Td[(2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("m)]TJ /F7 7.97 Tf 6.58 0 Td[(1PrfS"(Yn,^Yn(1))=1g1)]TJ /F3 11.955 Tf 13.15 8.09 Td[(2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("m)]TJ /F7 7.97 Tf 6.58 0 Td[(1(1)]TJ /F6 11.955 Tf 11.96 0 Td[(")2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F19 7.97 Tf 6.59 0 Td[("),wheretherstinequalityisduetoPart2)ofLemma 2 ,andthesecondinequalityisfromPart4)ofLemma 2 whennissufcientlylarge.Notethatthesamesufcientlylargenisenoughtoguaranteethevalidityofthelowerboundaboveforallm=1,2,...,2nR1. 4. Firstnotethat,forj=1,2,...,2nR2and`=1,2,...,2nR3,PrfJ=j,L=`g=Xm2C(j,`)PrfM=mg=2nR4Xw=1PrM=j+(`)]TJ /F3 11.955 Tf 11.95 0 Td[(1)2nR2+(w)]TJ /F3 11.955 Tf 11.95 0 Td[(1)2n(R2+R3). 96

PAGE 97

ThusapplyingPart3)ofthelemma,weget PrfJ=j,L=`g(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F19 7.97 Tf 6.58 0 Td[(")2nR4Xw=11)]TJ /F3 11.955 Tf 13.15 8.08 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.58 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("j)]TJ /F7 7.97 Tf 6.59 0 Td[(1+(`)]TJ /F7 7.97 Tf 6.58 0 Td[(1)2nR2+(w)]TJ /F7 7.97 Tf 6.58 0 Td[(1)2n(R2+R3)(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F19 7.97 Tf 6.58 0 Td[(")1)]TJ /F3 11.955 Tf 13.15 8.08 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.58 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("2n(R2+R3)1)]TJ /F14 11.955 Tf 11.95 9.69 Td[(1)]TJ /F3 11.955 Tf 11.95 0 Td[(2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7")=(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")2nR1 1)]TJ /F3 11.955 Tf 11.96 -.17 Td[([1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7")=(1)]TJ /F6 11.955 Tf 11.96 0 Td[(")]2n(R2+R3)(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F19 7.97 Tf 6.58 0 Td[(")1)]TJ /F3 11.955 Tf 13.15 8.09 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R4)]TJ /F7 7.97 Tf 6.58 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("1)]TJ /F14 11.955 Tf 11.96 9.68 Td[(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7")=(1)]TJ /F6 11.955 Tf 11.96 0 Td[(")2nR1 1)]TJ /F3 11.955 Tf 11.96 -.16 Td[([1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R4)]TJ /F7 7.97 Tf 6.59 0 Td[(7")=(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")](1)]TJ /F6 11.955 Tf 11.95 0 Td[(")22)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F5 7.97 Tf 6.59 0 Td[(R4+6")1)]TJ /F3 11.955 Tf 13.15 8.09 Td[(2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R4)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.96 0 Td[("1)]TJ /F3 11.955 Tf 13.15 8.09 Td[(exp()]TJ /F3 11.955 Tf 9.3 0 Td[(27n") 1)]TJ /F6 11.955 Tf 11.95 0 Td[(">(1)]TJ /F6 11.955 Tf 11.95 0 Td[(")42)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F5 7.97 Tf 6.59 0 Td[(R4+6") (A) uniformlyforallj=1,2,...,2nR2andl=1,2,...,2nR3,whennissufcientlylarge.Thelowerboundonthefourthlineof( A )aboveisobtainedfromtheinequality(1)]TJ /F4 11.955 Tf 12.02 0 Td[(x)k1)]TJ /F4 11.955 Tf 12.02 0 Td[(kxforany0x1andpositiveintegerk.Thelowerboundonthefthlineisinturnbasedontheinequality(1)]TJ /F4 11.955 Tf 11.96 0 Td[(x)ke)]TJ /F5 7.97 Tf 6.59 0 Td[(kxfor0x1andpositiveintegerk. WerstconsidertheerroreventfK6=Lg.Notethat PrfK6=Lg=PrfM=0g+PrfM>0,K6=Lg=PrfM=0g+2nR1Xm=1Pr~Em[Em,M=mPrfM=0g+2nR1Xm=1Pr~Em,M=m+2nR1Xm=1PrfEm,M=mg, (A) 97

PAGE 98

where~EmistheeventfT"(Xn,^Yn(m))=0g,andEmistheeventthatthereisanm02^C(j)suchthatm2^C(j),m06=m,andT"(Xn,^Yn(m0))=1.From( A ),wehave Pr~Em,M=m=PrnT"(Xn,^Yn(m))=0,S"(Yn,^Yn(m))=1,S"(Yn,^Yn(m)]TJ /F3 11.955 Tf 11.95 0 Td[(1))=0,...,S"(Yn,^Yn(1))=0oPrnT"(Xn,Yn,^Yn(m),Zn)=0,S"(Yn,^Yn(m))=1,S"(Yn,^Yn(m)]TJ /F3 11.955 Tf 11.96 0 Td[(1))=0,...,S"(Yn,^Yn(1))=0o=ZZPrnT"(xn,yn,^Yn(m),zn)=0,S"(yn,^Yn(m))=1op(xn,znjyn)dxndznm)]TJ /F7 7.97 Tf 6.58 0 Td[(1Ym0=1PrfS"(yn,^Yn(m0))=0gp(yn)dyn=ZZ[1)]TJ /F4 11.955 Tf 11.96 0 Td[(T"(xn,yn,^yn,zn)]p(xn,znjyn,^yn)dxndznS"(yn,^yn)p(^yn)d^ynm)]TJ /F7 7.97 Tf 6.58 0 Td[(1Ym0=1PrfS"(yn,^Yn(m0))=0gp(yn)dyn"PrnS"(Yn,^Yn(m))=1,S"(Yn,^Yn(m)]TJ /F3 11.955 Tf 11.95 0 Td[(1))=0,...,S"(Yn,^Yn(1))=0o="PrfM=mg, (A) wheretheequalityonthefourthlineisduetothei.i.d.natureof^Yn(1),...,^Yn(2nR1),theequalityonthefthlineresultsfromthefactthatp(xn,znjyn)=p(xn,znjyn,^yn)(since(X,Z)!Y!^Y),andtheinequalityonthesecondlastlineisfromthedenitionoftheindicatorfunctionS". 98

PAGE 99

Similarlyassumingm2^C(j),wehavefrom( A ) PrfEm,M=mgXm02^C(j)m06=mPrnT"(Xn,^Yn(m0))=1,S"(Yn,^Yn(m))=1o=Xm02^C(j)m06=mZPrfT"(xn,^Yn(m0))=1gPrfS"(yn,^Yn(m))=1gp(xn,yn)dxndyn2n(R1)]TJ /F5 7.97 Tf 6.58 0 Td[(R2)2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(I(X;^Y))]TJ /F7 7.97 Tf 6.59 0 Td[(3")2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.96 0 Td[("=2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1+8") 1)]TJ /F6 11.955 Tf 11.96 0 Td[(", (A) wheretheequalityonthesecondlineisduetotheindependencebetween^Yn(m0)and^Yn(m),andthelastinequalityresultsfromPart2)ofLemma 2 andtheboundPrfT"(xn,^Yn(m0))=1g2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(I(X;^Y))]TJ /F7 7.97 Tf 6.59 0 Td[(3"),whichisadirectresultof[ 38 ,Theorem15.2.2].Hence,substitutingtheboundsin( A )and( A )backinto( A )andusingPart1)ofLemma 3 ,weobtain PrfK6=Lg2"+"2nR1Xm=1PrfM=mg+2nR1Xm=12)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1+8") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("=2"+"+2)]TJ /F7 7.97 Tf 6.59 0 Td[(8n" 1)]TJ /F6 11.955 Tf 11.96 0 Td[("<4"(A)fornissufcientlylarge.NextweconsidertheeventfM6=~Mg.Dene~FmastheeventfT"(^Yn(m),Zn)=0gandFmastheeventthatthereisanm02C(`,j)suchthatm2C(`,j),m06=m,andT"(^Yn(m0),Zn)=1.Thenwehave,whennissufcientlylarge,uniformlyforall 99

PAGE 100

j=1,2,...,2nR2andl=1,2,...,2nR3, Prf~M6=MjJ=j,L=`gXm2C(j,`)Pr~Fm,M=mjJ=j,L=`+Xm2C(j,`)PrfFm,M=mjJ=j,L=`gXm2C(j,`)"PrfM=mjJ=j,L=`g+Xm2C(j,`)2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1+7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("1 PrfJ=j,L=`g"+2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1+7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[("2nR4 (1)]TJ /F6 11.955 Tf 11.96 0 Td[(")42)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R1)]TJ /F5 7.97 Tf 6.59 0 Td[(R4+6")="+2)]TJ /F5 7.97 Tf 6.59 0 Td[(n" (1)]TJ /F6 11.955 Tf 11.95 0 Td[(")5<2". (A) Notethattheinequalityonthethirdlineof( A )resultsfromupperboundsofPrf~Fm,M=mgandPrfFm,M=mg,whichcanbeobtainedinwaysalmostidenticaltothederivationsin( A )and( A )respectively.Theinequalityonthefourthlineis,ontheotherhand,duetoPart4)ofLemma 3 .Byexpurgatingtherandomcodeensemble,weobtainthefollowinglemma. Lemma4. Forany>0andnsufcientlylarge,thereexistsacodeCnwiththeratesR1,R2,R3,andR4givenby( A )suchthat 1. PrfK6=LjC=Cng<8", 2. PrfM6=~MjC=Cng<8", 3. PrfM=mjC=Cng2)]TJ /F13 5.978 Tf 5.76 0 Td[(n(R1)]TJ /F15 5.978 Tf 5.75 0 Td[(7") 1)]TJ /F19 7.97 Tf 6.58 0 Td[("forallm=1,2,...,2nR1,and 4. PrfL=`jC=Cng<2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R3)]TJ /F7 7.97 Tf 6.59 0 Td[(8")forall`=1,2,...,2nR3. Proof. CombiningPart1)ofLemma 3 ,( A ),and( A ),wehavePrfM=0g+PrfK6=Lg+PrfM6=~Mg<8"forsufcientlylargen.ThisimpliesthattheremustexistaCnsatisfyingPrfK6=LjC=Cng<8",PrfM6=~MjC=Cng<8",andPrfM=0jC=Cng<8".Thus,Parts1)and2)areproved. 100

PAGE 101

Now,xthisCn.Form=1,2,...,2nR1,let^yn(m)bethemthcodewordofCn.Then,byPart3)ofLemma 2 ,PrfM=mjC=CngPrfS"(Yn,^yn(m))=1g2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.58 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.95 0 Td[(";hence,Part3)results.Notethat,for`=1,2,...,2nR3, PrfL=`jC=Cng=PrfL=`jM=0,C=CngPrfM=0jC=Cng+PrfL=`,M>0jC=Cng.(A)WeknowfromthediscussionabovethatPrfL=`jM=0,C=CngPrfM=0jC=Cng<2)]TJ /F5 7.97 Tf 6.58 0 Td[(nR38".AlsofromPart3)ofthelemma,PrfL=`,M>0jC=Cng=Xm2~Cn(`)PrfM=mjC=Cng2n(R1)]TJ /F5 7.97 Tf 6.58 0 Td[(R3)2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R1)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.96 0 Td[("=2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R3)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.96 0 Td[(".Puttingthesebackinto( A ),wegetPrfL=`jC=Cng<2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R3)]TJ /F7 7.97 Tf 6.59 0 Td[(7")8"2)]TJ /F7 7.97 Tf 6.59 0 Td[(7n"+1 1)]TJ /F6 11.955 Tf 11.95 0 Td[("<2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R3)]TJ /F7 7.97 Tf 6.58 0 Td[(8")forsufcientlylargen.Thus,Part4)isproved. Intheremainderofthepaper,weuseaxedcodeCnidentiedbyLemma 4 .Forconvenience,wedroptheconditioningonCn. A.4SecrecyAnalysisFirstweproceedtoboundH(K).Notethat H(K)=H(L)+H(KjL))]TJ /F4 11.955 Tf 11.95 0 Td[(H(LjK)H(L))]TJ /F4 11.955 Tf 11.96 0 Td[(H(LjK). (A) UsingPart1)ofLemma 4 togetherwithFano'sinequalitygivesH(LjK)1+8n"R3.MoreoverPart4)ofLemma 4 impliesthatH(L)>n(R3)]TJ /F3 11.955 Tf 11.91 0 Td[(8").Puttingtheseboundsback 101

PAGE 102

into( A ),wehave R3)]TJ /F3 11.955 Tf 11.95 0 Td[((8R3+8)")]TJ /F3 11.955 Tf 13.25 8.08 Td[(1 n<1 nH(K)R3.(A)NextweboundI(K;Zn,J).Notethat I(K;Zn,J)=I(L;Zn,J)+I(K;Zn,JjL))]TJ /F4 11.955 Tf 11.95 0 Td[(I(L;Zn,JjK)I(L;Zn,J)+I(K;Zn,JjL)I(L;Zn,J)+H(KjL)I(L;Zn,J)+8n"R3+1, (A) wherethelastinequalityisobtainedfromPart1)ofLemma 4 andFano'sinequalitylikebefore.Inaddition,itholdsthatI(L;Zn,J)=H(L))]TJ /F4 11.955 Tf 11.95 0 Td[(H(LjZn,J)=H(L))]TJ /F4 11.955 Tf 11.95 0 Td[(H(L,JjZn)+H(JjZn)=H(L)+H(JjZn))]TJ /F4 11.955 Tf 11.96 0 Td[(H(L,J,MjZn)+H(MjZn,L,J)H(L)+H(J))]TJ /F4 11.955 Tf 11.96 0 Td[(H(MjZn))]TJ /F4 11.955 Tf 11.95 0 Td[(H(L,JjM,Zn)+H(MjZn,L,J)H(L)+H(J)+I(M;Zn))]TJ /F4 11.955 Tf 11.95 0 Td[(H(M)+8nR1"+1,wherethesecondlastinequalityfollowsfromH(JjZn)H(J),andthelastinequalityfollowsfromH(L,JjM,Zn)=0(bydenitionofJandL)andH(MjZn,L,J)1+8nR1"(byFano'sinequalityappliedtothectitiousreceiver).ByconstructionofthecodeCn,itholdsthatH(L)nR2andH(J)nR3.Inaddition,Part3)ofLemma 4 impliesH(M)n(R1)]TJ /F3 11.955 Tf 13.12 0 Td[(8").Finally,notethatI(M;Zn)I(Yn;Zn)=nI(Y;Z)bythedata-processinginequalityappliedtotheMarkovchain^Yn!Yn!ZnandthememorylesspropertyofthechannelbetweenYnandZn.Combiningtheseobservations 102

PAGE 103

andsubstitutingthevaluesofR1,R2,andR3givenby( A )backinto( A ),weobtain1 nI(K;Zn,J)R2+R3)]TJ /F4 11.955 Tf 11.95 0 Td[(R1+I(Y;Z)+(8R1+8R3+8)"+2 nRl+I(Y;Z))]TJ /F4 11.955 Tf 11.95 0 Td[(I(^Y;Z)+(8R1+8R3+9)",whennissufcientlylarge.Withoutanyratelimitationonthepublicchannel,wecanchoosethetransitionprobabilityp(^yjy)suchthatI(Y;Z))]TJ /F4 11.955 Tf 11.95 0 Td[(I(^Y;Z)";therefore, 1 nI(K;Zn,J)Rl+n(8R1+8R3+9)".(A)Nextweconsidertheasymptoticnegligibilityof1 nI(K;J)conditionedonthecodeCn.Similarto( A )wehave I(K;J)I(L;J)+8n"R3+1.(A)Thenforj=1,2,...,2nR2andl=1,2,...,2nR3,wehavePrfJ=j,L=lg=2nR4Xw=1PrM=j+(l)]TJ /F3 11.955 Tf 11.95 0 Td[(1)2nR2+(w)]TJ /F3 11.955 Tf 11.95 0 Td[(1)2n(R2+R3)2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(R2+R3)]TJ /F7 7.97 Tf 6.59 0 Td[(7") 1)]TJ /F6 11.955 Tf 11.96 0 Td[("<2)]TJ /F5 7.97 Tf 6.58 0 Td[(n(R2+R3)]TJ /F7 7.97 Tf 6.58 0 Td[(8")forsufcientlylargen,wheretherstinequalityisfromPart3)ofLemma 4 .Inotherwords,H(J,L)>n(R2+R3)]TJ /F3 11.955 Tf 12.22 0 Td[(8")forsufcientlylargen.Hence,togetherwiththefactsH(L)
PAGE 104

APPENDIXBPROOFOFLEMMA1Asmentionedintheproofof Theorem3.1 ,weadapttheproofof[ 39 ,Theorem3]toprovethislemma.Themainargumentistoestablishthatthereisasecret-sharing(dv,dc)-regularLDPCcodeensemble(C,W)forwhichtheensembleaverageerrorprobabilitiessandwsimultaneouslyvanishasnincreasesundertheassumptionsstatedinthelemma.Tothatend,werstexaminetheaverageweightspectraofthecodeCandsubspaceWintheLDPCcodeensemble: Lemma5. Considertheensembleof(n,l,k)secret-sharingcode(C,W)describedinSection 3.2 .For0
PAGE 105

inC0.Ontheotherhand,supposethatW0isan(l)]TJ /F4 11.955 Tf 12.17 0 Td[(k)]TJ /F3 11.955 Tf 12.17 0 Td[(1)-dimensionalsubspaceinC0.ThenW=[wn+X02W0wn+X0isan(l)]TJ /F4 11.955 Tf 11.25 0 Td[(k)-dimensionalsubspaceinCthatcontainsxn0.ItisalsoeasytoseethatthecorrespondencebetweenW0andWaboveisone-to-one.Asaresult,thenumberof(l)]TJ /F4 11.955 Tf 12.31 0 Td[(k)-dimensionalsubspacesinCthatcontainxn0mustbethesameasthenumberof(l)]TJ /F4 11.955 Tf 11.67 0 Td[(k)]TJ /F3 11.955 Tf 11.68 0 Td[(1)-dimensionalsubspacesinC0,i.e.,l)]TJ /F5 7.97 Tf 6.59 0 Td[(k)]TJ /F7 7.97 Tf 6.59 0 Td[(1Yu=12l)]TJ /F5 7.97 Tf 6.59 0 Td[(u)]TJ /F3 11.955 Tf 11.95 0 Td[(1 2l)]TJ /F5 7.97 Tf 6.58 0 Td[(k)]TJ /F5 7.97 Tf 6.59 0 Td[(u)]TJ /F3 11.955 Tf 11.95 0 Td[(1.SowehavePr(xn02Wjxn02C)=2l)]TJ /F5 7.97 Tf 6.58 0 Td[(k)]TJ /F3 11.955 Tf 11.95 0 Td[(1 2l)]TJ /F3 11.955 Tf 11.95 0 Td[(1forallxn06=02C.ThisimpliesPr(xn2Wjxn2C,w(xn)=m)=2l)]TJ /F5 7.97 Tf 6.59 0 Td[(k)]TJ /F3 11.955 Tf 11.96 0 Td[(1 2l)]TJ /F3 11.955 Tf 11.95 0 Td[(12)]TJ /F5 7.97 Tf 6.58 0 Td[(kfor0<>:)]TJ /F5 7.97 Tf 6.02 -4.12 Td[(n)]TJ /F5 7.97 Tf 6.58 0 Td[(lmdv 2hmdv 2(n)]TJ /F5 7.97 Tf 6.59 0 Td[(l)imdvformdv2(n)]TJ /F4 11.955 Tf 11.96 0 Td[(l)[(n)]TJ /F4 11.955 Tf 11.96 0 Td[(l)dc+1]1+(1)]TJ /F15 5.978 Tf 7.78 3.26 Td[(2m n)dc 2n)]TJ /F5 7.97 Tf 6.59 0 Td[(lotherwise.Inaddition,Pr(xn2Cjw(xn)=m)=Pr(xn2Cjw(xn)=n)]TJ /F4 11.955 Tf 11.98 0 Td[(m)(andhenceSn)]TJ /F5 7.97 Tf 6.59 0 Td[(m=Sm)ifdciseven.Next,weemployLemma 5 andthecombinedunionandShulman-Federboundin[ 39 ,Theorem1]toboundsandw.Toboundw,considerthechannelwith~YnasinputandZnasoutput.First,notethat~Yncontainsi.i.d.equallylikelybinaryelements.Hence,thischannelisamemorylessBISOchannel,andisspeciedbytheconditionalpdfpZj~Y(zj~y)=pZjX(zj1)pXj~Y(1j~y)+pZjX(zj)]TJ /F3 11.955 Tf 19.04 0 Td[(1)pXj~Y()]TJ /F3 11.955 Tf 9.3 0 Td[(1j~y).SinceEnS+^Xn0+Wis 105

PAGE 106

acosetandthechannelismemorylessBISO,itsufcestoassume~Yn=~Xn02W.Inaddition,notethatallpossible~Xn0sequencesareequallylikely.Now,let~K=6 dvlndv 1)]TJ /F5 7.97 Tf 6.59 0 Td[(Rcand=2(1)]TJ /F5 7.97 Tf 6.59 0 Td[(Rc) dve)]TJ /F7 7.97 Tf 6.59 0 Td[(12)]TJ /F7 7.97 Tf 7.83 1.77 Td[(~K.Forany<<1 2,applyingtheboundin[ 39 ,Theorem1]tothesubcodeW,theensembleaveragedecodingerrorprobabilityoftheMLdecoderatthewiretappercanbeupper-boundedas w8>><>>:1+2+2)]TJ /F5 7.97 Tf 6.59 0 Td[(nEwr(Rc)]TJ /F5 7.97 Tf 6.59 0 Td[(Rk+1 nlog2w)forodddcP5i=1i+2)]TJ /F5 7.97 Tf 6.59 0 Td[(nEwr(Rc)]TJ /F5 7.97 Tf 6.59 0 Td[(Rk+1 nlog2w)forevendc,(B)where1=Pnm=1TmDmw,2=Pnm=n+1TmDmw,3=Pn)]TJ /F7 7.97 Tf 7.65 1.77 Td[(n)]TJ /F7 7.97 Tf 6.59 0 Td[(1m=n)]TJ /F19 7.97 Tf 6.59 0 Td[(nTmDmw,4=Pn)]TJ /F7 7.97 Tf 6.58 0 Td[(1m=n)]TJ /F7 7.97 Tf 7.66 1.78 Td[(nTmDmw,5=TnDnw,Dw=Rq pZj~Y(zj1)pZj~Y(zj)]TJ /F3 11.955 Tf 17.93 0 Td[(1)dz,w=8>><>>:maxm2fn+1,...,ngTm 2l)]TJ /F13 5.978 Tf 5.75 0 Td[(k)]TJ /F7 7.97 Tf 6.59 0 Td[(12n (nm)forodddcmaxm2fn+1,...,n)]TJ /F19 7.97 Tf 6.59 0 Td[(n)]TJ /F7 7.97 Tf 6.59 0 Td[(1gTm 2l)]TJ /F13 5.978 Tf 5.76 0 Td[(k)]TJ /F7 7.97 Tf 6.59 0 Td[(12n (nm)forevendc,andEwr(R)=maxqmax01fEw0(,q))]TJ /F6 11.955 Tf 11.96 0 Td[(RgistherandomcodingerrorexponentwithEw0(,q)=)]TJ /F3 11.955 Tf 11.3 0 Td[(log2Zhq(1)pZj~Y(zj1)1=(1+)+q()]TJ /F3 11.955 Tf 9.3 0 Td[(1)pZj~Y(zj)]TJ /F3 11.955 Tf 17.93 0 Td[(1)1=(1+)i1+dz,andqistheprobabilitymassfunction(pmf)ofthechannelinput~Y.Itisknownthattheoptimalqisq(1)=q()]TJ /F3 11.955 Tf 9.3 0 Td[(1)=0.5.EmployingLemma 5 andtheboundonPr(xn2Cjw(xn)=m)thatfollows(seealso[ 39 ,Lemma2]),itisnothardtofurtherboundthevarioustermsin( B ):18>><>>:2)]TJ /F5 7.97 Tf 6.59 0 Td[(nRkn1)]TJ /F5 7.97 Tf 6.58 0 Td[(dv=2(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc))]TJ /F5 7.97 Tf 6.58 0 Td[(dv=2Dw 1)]TJ /F5 7.97 Tf 6.59 0 Td[(Dw(dv=2)dv (dv=2)!forevendv2)]TJ /F5 7.97 Tf 6.59 0 Td[(nRkn2)]TJ /F5 7.97 Tf 6.58 0 Td[(dv(1)]TJ /F4 11.955 Tf 11.96 0 Td[(Rc))]TJ /F5 7.97 Tf 6.58 0 Td[(dvD2w 2(1)]TJ /F5 7.97 Tf 6.58 0 Td[(D2w)(dv)2dv dv!forodddv,log22 n1 nflog2n+log2[(n)]TJ /F4 11.955 Tf 11.96 0 Td[(k)dc+1]g)]TJ /F4 11.955 Tf 20.59 0 Td[(Rk+maxxfxlog2Dw+H2(x)+(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc))]TJ /F3 11.955 Tf 5.48 -9.69 Td[(log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2x)dc])]TJ /F3 11.955 Tf 11.95 0 Td[(1g, 106

PAGE 107

andforevendc,4=nXm=1TmDmwDn)]TJ /F7 7.97 Tf 6.59 0 Td[(2mw1Dn(1)]TJ /F7 7.97 Tf 6.58 0 Td[(2)w,log23 nlog22 n+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)log2Dw,and62)]TJ /F5 7.97 Tf 6.59 0 Td[(nRkDnw=2)]TJ /F5 7.97 Tf 6.59 0 Td[(n(Rk)]TJ /F7 7.97 Tf 6.58 0 Td[(log2Dw).Also,log2w n8>><>>:(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc)maxx1log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2x)dc]+1 nf1+log2[(n)]TJ /F4 11.955 Tf 11.95 0 Td[(l)dc+1]gforodddc(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc)maxx1)]TJ /F19 7.97 Tf 6.59 0 Td[(log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2x)dc]+1 nf1+log2[(n)]TJ /F4 11.955 Tf 11.96 0 Td[(l)dc+1]gforevendc(1)]TJ /F4 11.955 Tf 11.96 0 Td[(Rc)log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)dc]+1 nf1+log2[(n)]TJ /F4 11.955 Tf 11.96 0 Td[(l)dc+1]g.Forboundings,notethatthechannelwith~YnasinputandXnasoutputisamemorylessBSCandisspeciedbytheconditionalpmfpXj~Y(xj~y)=p~YjX(~yjx).Again,sinceEnS+CisacosetandthechannelismemorylessBISO,itsufcestoassume~Yn=Xn02C.Withthisidentication,theresultingboundonsfollowsthesamelineofargumentsasabove,andisessentiallygivenin[ 39 ].Wesummarizetheboundbelowforlaterreference: s8>><>>:1+2+2)]TJ /F5 7.97 Tf 6.58 0 Td[(nEsr(Rc+1 nlog2s)forodddc1+2+3+4+5+2)]TJ /F5 7.97 Tf 6.58 0 Td[(nEsr(Rc+1 nlog2s)forevendc,(B)where18>><>>:n1)]TJ /F5 7.97 Tf 6.59 0 Td[(dv=2(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc))]TJ /F5 7.97 Tf 6.59 0 Td[(dv=2Ds 1)]TJ /F5 7.97 Tf 6.59 0 Td[(Ds(dv=2)dv (dv=2)!forevendvn2)]TJ /F5 7.97 Tf 6.59 0 Td[(dv(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc))]TJ /F5 7.97 Tf 6.59 0 Td[(dvD2s 2(1)]TJ /F5 7.97 Tf 6.58 0 Td[(D2s)(dv)2dv dv!forodddv, 107

PAGE 108

log22 n1 nflog2n+log2[(n)]TJ /F4 11.955 Tf 11.96 0 Td[(l)dc+1]g+maxxfxlog2Ds+H2(x)+(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc))]TJ /F3 11.955 Tf 5.48 -9.69 Td[(log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2x)dc])]TJ /F3 11.955 Tf 11.95 0 Td[(1g,andforevendc,4=nXm=1TmDmsDn)]TJ /F7 7.97 Tf 6.59 0 Td[(2ms1Dn(1)]TJ /F7 7.97 Tf 6.58 0 Td[(2)s,log23 nlog22 n+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)log2Ds,5Dns=2nlog2Ds,andlog2s n1 nf1+log2[(n)]TJ /F4 11.955 Tf 11.95 0 Td[(l)dc+1]g+(1)]TJ /F4 11.955 Tf 11.96 0 Td[(Rc)log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)dc],withDs=2q pXj~Y(1j1)pXj~Y(1j)]TJ /F3 11.955 Tf 17.94 0 Td[(1),andEsr(R)=maxqmax01fEs0(,q))]TJ /F6 11.955 Tf 12.09 0 Td[(RgistherandomcodingerrorexponentofthechannelofinterestbasedonEs0(,q)=)]TJ /F3 11.955 Tf 11.29 0 Td[(log2[q(1)pXj~Y(1j1)1=(1+)+q()]TJ /F3 11.955 Tf 9.3 0 Td[(1)pXj~Y(1j)]TJ /F3 11.955 Tf 17.93 0 Td[(1)1=(1+)]1++[q(1)pXj~Y()]TJ /F3 11.955 Tf 9.3 0 Td[(1j1)1=(1+)+q()]TJ /F3 11.955 Tf 9.3 0 Td[(1)pXj~Y()]TJ /F3 11.955 Tf 9.3 0 Td[(1j)]TJ /F3 11.955 Tf 17.94 0 Td[(1)1=(1+)]1+.RecallthatRc0smallenoughsuchthatRc+2"
PAGE 109

Withthischoiceof(dv,dc),wehavemaxxH2(x)+(1)]TJ /F4 11.955 Tf 11.95 0 Td[(Rc))]TJ /F3 11.955 Tf 5.48 -9.69 Td[(log2[1+(1)]TJ /F3 11.955 Tf 11.95 0 Td[(2x)dc])]TJ /F3 11.955 Tf 11.96 0 Td[(1H2()+(1)]TJ /F4 11.955 Tf 11.96 0 Td[(Rc)log2[1+(1)]TJ /F3 11.955 Tf 11.96 0 Td[(2)dc])]TJ /F3 11.955 Tf 11.95 0 Td[(1H2()+(1)]TJ /F4 11.955 Tf 11.96 0 Td[(Rc)hlog21+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2dc)]TJ /F3 11.955 Tf 11.95 0 Td[(1iH2()+(1)]TJ /F4 11.955 Tf 11.96 0 Td[(Rc)hlog21+e)]TJ /F7 7.97 Tf 6.58 0 Td[(4e)]TJ /F15 5.978 Tf 5.76 0 Td[(12)]TJ /F20 5.978 Tf 5.75 0 Td[(")]TJ /F3 11.955 Tf 11.96 0 Td[(1iforany0<<0.5,wherethesecondinequalityfollowsfromtheinequality1)]TJ /F3 11.955 Tf 10.74 0 Td[(2x
PAGE 110

APPENDIXCPROOFSOF(3-2)AND(3-3)Theproofsof( 3 )and( 3 )areestablishedbycheckingtheconcavityandsymmetryofI(X;Y))]TJ /F4 11.955 Tf 12.81 0 Td[(I(Y;Z)asafunctionofthebinarysourcedistributionintherespectivecases. C.1Proofof(3-2)Thechannelmodeldescribedin( 3 )restrictsallBPSKsourcesymbolstohavethexedpower2.However,canbechosentobeanyvalueaslongasitislessthanp P.Thismeansthatthesourcedistributionischaracterizedbys=PrfX=)]TJ /F3 11.955 Tf 9.3 0 Td[(1gand.Forconvenience,writes=1)]TJ /F4 11.955 Tf 10.93 0 Td[(s.Let'sfurtherdenetheconditionaldensitiesp(yjX=1)andp(yjX=)]TJ /F3 11.955 Tf 9.3 0 Td[(1)thatspecifythedestinationchannel,respectively,asq+(y)=1 p 2exp)]TJ /F3 11.955 Tf 10.5 8.09 Td[((y)]TJ /F6 11.955 Tf 11.95 0 Td[()2 22q)]TJ /F3 11.955 Tf 7.09 1.79 Td[((y)=1 p 2exp)]TJ /F3 11.955 Tf 10.5 8.09 Td[((y+)2 22.ThenwehaveI(X;Y)=H(Y))]TJ /F4 11.955 Tf 11.96 0 Td[(H(YjX)=Z1)]TJ /F3 11.955 Tf 11.29 0 Td[(log2(sq+(y)+sq)]TJ /F3 11.955 Tf 7.08 1.79 Td[((y))[sq+(y)+sq)]TJ /F3 11.955 Tf 7.08 1.79 Td[((y)]dy)]TJ /F3 11.955 Tf 13.15 8.09 Td[(1 2log22e2.Foraxedvalueof,letg(s)=)]TJ /F14 11.955 Tf 11.29 9.63 Td[(R1log2[sq+(y)+sq)]TJ /F3 11.955 Tf 7.08 1.8 Td[((y)][sq+(y)+sq)]TJ /F3 11.955 Tf 7.08 1.8 Td[((y)]dybeafunctionofs.Itiseasytocheckthatg(s)issymmetricinthesensethatg(s)=g(s).Moreover,itcanbeshownthatthesecondderivativeofg(s)withrespectto(w.r.t.)sisnon-positiveover[0,1]foranyy.Thisimpliesthatg(s)isconcaveover[0,1].Hence,g(s)isSchur-concave[ 51 ]andismaximizedbychoosings=s=0.5.Asaresult,we 110

PAGE 111

havemax0s1I(X;Y)=g(0.5))]TJ /F3 11.955 Tf 13.15 8.09 Td[(1 2log22e2=[H(X))]TJ /F4 11.955 Tf 11.96 0 Td[(H(XjY)]s=0.5=1)]TJ /F14 11.955 Tf 11.96 16.27 Td[(Z1H2q+(y) q+(y)+q)]TJ /F3 11.955 Tf 7.08 1.8 Td[((y)q+(y)+q)]TJ /F3 11.955 Tf 7.09 1.8 Td[((y) 2dy=1)]TJ /F3 11.955 Tf 21.67 8.09 Td[(1 p 2Z10H21 1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~y1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~yexp")]TJ /F3 11.955 Tf 10.5 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.65 Td[(~)2 2#dy,where~= .Similarily,I(X;Y))]TJ /F4 11.955 Tf 11.95 0 Td[(I(Y;Z)=H(YjZ))]TJ /F4 11.955 Tf 11.95 0 Td[(H(YjX)=Z1Z1)]TJ /F3 11.955 Tf 11.29 0 Td[(log2sq+(y)p+(z)+sq)]TJ /F3 11.955 Tf 7.09 1.8 Td[((y)p)]TJ /F3 11.955 Tf 7.09 1.8 Td[((z) sp+(z)+sp)]TJ /F3 11.955 Tf 7.09 1.8 Td[((z)[sq+(y)p+(z)+sq)]TJ /F3 11.955 Tf 7.09 1.79 Td[((y)p)]TJ /F3 11.955 Tf 7.09 1.79 Td[((z)]dydz)]TJ /F3 11.955 Tf 13.15 8.09 Td[(1 2log22e2.Foraxedvalueof,letf(s)=Z1Z1)]TJ /F3 11.955 Tf 11.29 0 Td[(log2sq+(y)p+(z)+sq)]TJ /F3 11.955 Tf 7.09 1.8 Td[((y)p)]TJ /F3 11.955 Tf 7.09 1.8 Td[((z) sp+(z)+sp)]TJ /F3 11.955 Tf 7.09 1.8 Td[((z)[sq+(y)p+(z)+sq)]TJ /F3 11.955 Tf 7.09 1.79 Td[((y)p)]TJ /F3 11.955 Tf 7.09 1.79 Td[((z)]dydz. 111

PAGE 112

Byasimilarargumentasabove,weconcludethatf(s)isSchur-concaveandmaximizedbychoosings=s=0.5,andwehavemax0s1[I(X;Y))]TJ /F4 11.955 Tf 11.95 0 Td[(I(Y;Z)]=f(0.5))]TJ /F3 11.955 Tf 13.15 8.09 Td[(1 2log22e2=Z1Z1)]TJ /F3 11.955 Tf 11.29 0 Td[(log2q+(y)p+(z)+q)]TJ /F3 11.955 Tf 7.08 1.79 Td[((y)p)]TJ /F3 11.955 Tf 7.08 1.79 Td[((z) [q+(y)+q)]TJ /F3 11.955 Tf 7.08 1.79 Td[((y)][p+(z)+p)]TJ /F3 11.955 Tf 7.09 1.79 Td[((z)]q+(y)p+(z)+q)]TJ /F3 11.955 Tf 7.08 1.79 Td[((y)p)]TJ /F3 11.955 Tf 7.08 1.79 Td[((z) 2dydz+g(0.5))]TJ /F3 11.955 Tf 13.15 8.09 Td[(1 2log22e2)]TJ /F3 11.955 Tf 11.95 0 Td[(1=Z10Z10H2q+(y)p+(z)+q)]TJ /F3 11.955 Tf 7.08 1.8 Td[((y)p)]TJ /F3 11.955 Tf 7.08 1.8 Td[((z) [q+(y)+q)]TJ /F3 11.955 Tf 7.08 1.8 Td[((y)][p+(z)+p)]TJ /F3 11.955 Tf 7.09 1.8 Td[((z)][q+(y)+q)]TJ /F3 11.955 Tf 7.08 1.8 Td[((y)][p+(z)+p)]TJ /F3 11.955 Tf 7.09 1.8 Td[((z)]dydz)]TJ /F3 11.955 Tf 21.67 8.09 Td[(1 p 2Z10H21 1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~y1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~yexp")]TJ /F3 11.955 Tf 10.49 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.66 Td[(~)2 2#dy=1 2Z10Z10H2 1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~ye)]TJ /F7 7.97 Tf 6.58 0 Td[(2~z [1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~y][1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z]!exp")]TJ /F3 11.955 Tf 10.49 8.09 Td[((y)]TJ /F3 11.955 Tf 13.42 2.66 Td[(~)2 2)]TJ /F3 11.955 Tf 13.15 8.09 Td[((z)]TJ /F6 11.955 Tf 11.95 0 Td[(~)2 2#h1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~yih1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~zidydz)]TJ /F3 11.955 Tf 21.67 8.09 Td[(1 p 2Z10H21 1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~y1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~yexp")]TJ /F3 11.955 Tf 10.49 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.66 Td[(~)2 2#dy.Puttingallthesebackto Theorem2.1 ,theRl-relaxedkeycapacityoftheBPSK-constrainedwiretapchannelisthusgivenbyCb(Rl)=max0~p Pmax0s1minfI(X;Y))]TJ /F4 11.955 Tf 11.95 0 Td[(I(Y;Z)+Rl,I(X;Y)g=max0~q P 2"min1 2Z10Z10H2 1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~ye)]TJ /F7 7.97 Tf 6.58 0 Td[(2~z [1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~y][1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z]!h1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~yih1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~ziexp")]TJ /F3 11.955 Tf 10.49 8.09 Td[((y)]TJ /F3 11.955 Tf 13.42 2.66 Td[(~)2 2)]TJ /F3 11.955 Tf 13.15 8.09 Td[((z)]TJ /F6 11.955 Tf 11.95 0 Td[(~)2 2#dydz+Rl,1)]TJ /F3 11.955 Tf 21.67 8.09 Td[(1 p 2Z10H21 1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~y1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~yexp")]TJ /F3 11.955 Tf 10.5 8.09 Td[((y)]TJ /F3 11.955 Tf 13.43 2.66 Td[(~)2 2#dy#,wherethethirdlineisduetothefactthats=s=0.5simultaneouslymaximizesbothtermsinsidetheminoperator.Notethatthemaximumabovemayoccurataninterior 112

PAGE 113

pointoftheintervalh0,q P 2i.Thatmeansthekeycapacitymaybeachievedbynottransmittingatthemaximumallowablesourcepower. C.2Proofof(3-3)TondtheRl-relaxedkeycapacityoftheBPSK-constrainedGaussianwiretapchannelwithdestinationhard-decisionquantization,rstnotethatthedestinationchannelisaBSCwithcross-overprobabilityq=Q)]TJ /F19 7.97 Tf 6.68 -4.42 Td[( .Similarly,writeq=1)]TJ /F4 11.955 Tf 12.33 0 Td[(qanddenetheconditionaldensitiesp(ZjX=1)andp(ZjX=)]TJ /F3 11.955 Tf 9.29 0 Td[(1)thatspecifythewiretapperchannel,respectively,asp+(z)=1 p 2exp)]TJ /F3 11.955 Tf 10.5 8.09 Td[((z)]TJ /F6 11.955 Tf 11.96 0 Td[()2 22p)]TJ /F3 11.955 Tf 7.08 1.79 Td[((z)=1 p 2exp)]TJ /F3 11.955 Tf 10.5 8.09 Td[((z+)2 22.ThenwehaveI(X;~Y))]TJ /F4 11.955 Tf 11.96 0 Td[(I(~Y;Z)=H(~YjZ))]TJ /F4 11.955 Tf 11.96 0 Td[(H(~YjX)=Z1H2sqp+(z)+sqp)]TJ /F3 11.955 Tf 7.08 1.8 Td[((z) sp+(z)+sp)]TJ /F3 11.955 Tf 7.09 1.79 Td[((z)[sp+(z)+sp)]TJ /F3 11.955 Tf 7.09 1.79 Td[((z)]dz)]TJ /F4 11.955 Tf 11.95 0 Td[(H2(q).Again,letf(s)=R1H2sqp+(z)+sqp)]TJ /F7 7.97 Tf 6.25 1.08 Td[((z) sp+(z)+sp)]TJ /F7 7.97 Tf 6.25 1.07 Td[((z)[sp+(z)+sp)]TJ /F3 11.955 Tf 7.08 1.8 Td[((z)]dzbeafunctionofs.Notethatf(s)isagainSchur-concaveandismaximizedbychoosings=s=0.5.Hence,max0s1I(X;~Y))]TJ /F4 11.955 Tf 11.95 0 Td[(I(~Y;Z)=f(0.5))]TJ /F4 11.955 Tf 11.96 0 Td[(H2(q).Moreover,itiswellknownthatI(X;~Y)=H2(sq+sq))]TJ /F4 11.955 Tf 11.96 0 Td[(H2(q),whichachievesitsmaximum1)]TJ /F4 11.955 Tf 12.47 0 Td[(H2(q),foranyxedvalueof,bychoosings=s=0.5.Finally,puttingtheaboveinto Theorem2.1 ,theRl-relaxedkeycapacityoftheBPSK-constrainedwiretapchannelwithhard-decisionquantizationatdestinationisthus 113

PAGE 114

givenbyCbq(Rl)=max0~p Pmax0s1minfI(X;~Y))]TJ /F4 11.955 Tf 11.95 0 Td[(I(~Y;Z)+Rl,I(X;~Y)g=max0~p Pminff(0.5))]TJ /F4 11.955 Tf 11.96 0 Td[(H2(q)+Rl,1)]TJ /F4 11.955 Tf 11.96 0 Td[(H2(q)g=max0~p PminZ1H2qp+(z)+qp)]TJ /F3 11.955 Tf 7.08 1.79 Td[((z) p+(z)+p)]TJ /F3 11.955 Tf 7.08 1.8 Td[((z)p+(z)+p)]TJ /F3 11.955 Tf 7.09 1.79 Td[((z) 2dz+Rl,1)]TJ /F4 11.955 Tf 11.96 0 Td[(H2(q)=max0~p P=2"min1 p 2Z10H2 Q(~)+[1)]TJ /F4 11.955 Tf 11.96 0 Td[(Q(~)]e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~z 1+e)]TJ /F7 7.97 Tf 6.58 0 Td[(2~z!1+e)]TJ /F7 7.97 Tf 6.59 0 Td[(2~~zexp")]TJ /F3 11.955 Tf 10.5 8.09 Td[((z)]TJ /F6 11.955 Tf 11.95 0 Td[(~)2 2#dz+Rl,1)]TJ /F4 11.955 Tf 11.96 0 Td[(H2(Q(~))#,wherethethirdlineisduetothefactthats=s=0.5simultaneouslymaximizesbothtermsinsidetheminoperator.Notethatagainthemaximumabovemayoccurataninteriorpointoftheintervalh0,q P 2i,andthekeycapacitymaybeachievedbynottransmittingatthemaximumallowablesourcepower. 114

PAGE 115

APPENDIXDLDPCCODEDESIGNFORTHEBPSK-CONSTRAINEDGAUSSIANWIRETAPCHANNELInthisappendix,wedesignLDPCcodesforsendingsecretmessagesovertheGaussianwiretapchannelwithBPSKsourcesymbols.AsmentionedinSection??, Theorem2.1 canbemodiedtoshowtheexistenceofregularLDPCcodeensembleswithincreasingblocklengthsthatachievethesecrecycapacity[ 2 5 ]oftheBPSKconstrainedGaussianwiretapchannel.Basedonthisobservation,weproposeacodingschemewhichemploysirregularLDPCcodeswithniteblocklengthstosupportpracticalsecrettransmissionovertheGaussianwiretapchannel.TheproposedcodingstructureallowsefcientdesignofirregularLDPCcodesthatgivegoodsecrecyperformanceasmeasuredintermsofequivocationaboutthesecretmessageatthewiretapper. D.1BPSK-constrainedGaussianwiretapchannelThemodelofBPSK-constrainedGaussianwiretapchannelusedhereisthesameasthatofSection 3.1 exceptthatthereisnofeedbackchannelbetweenthesourceanddestination.Moreover,theobjectiveofsecretsharingconsideredhereisforthesourcetosendsecretinformationtothedestination.Assumingauniformmessagedistribution,therateofthesecretmessageisRs=k n.Let^Mdenotetheestimateofthemessageatthedestination.Thelevelofknowledgeofthewiretapperpossessesaboutthesecretmessagecanbequantiedbytheequivocationrate1 nH(MjZn).Arate-equivocationpair(Rs,Re)isachievableifforall>0,thereexistsarate-Rscodesequencesuchthat 1. PrfM6=^Mg<,and 2. Re<1 nH(MjZn)+forsufcientlylargen.Whentheequivocationrateatthewiretapperisaslargeasthesecretmessagerate,i.e.Rs=Re,wesaythattheequivocation-ratepairisachievablewithperfectsecrecy[ 2 ].Thecapacity-equivocationregionofawiretapchannelcontains 115

PAGE 116

allachievablerate-equivocationpairs(Rs,Re).When1,specializingtheresultin[ 3 ]totheBPSK-constrainedGaussianwiretapchannelshowsthatthecorrespondingcapacity-equivocationregionisgivenby 0ReCbReRsC r P 2!, (D) where Cb=max0~q P 2(C(~))]TJ /F4 11.955 Tf 11.96 0 Td[(C(~)),(D)andC(t)=1)]TJ /F3 11.955 Tf 21.66 8.09 Td[(1 p 2Z1e)]TJ /F15 5.978 Tf 7.78 3.86 Td[((y)]TJ /F13 5.978 Tf 5.75 0 Td[(t)2 2log2)]TJ /F4 11.955 Tf 5.48 -9.68 Td[(e)]TJ /F7 7.97 Tf 6.59 0 Td[(2ytdyisthechannelcapacityofAWGNchannelwithBPSKinput.Thesecrecycapacityofthewiretapchannelisdenedasthemaximumsecretmessageratesuchthattheconditionofperfectsecrecyissatised.FortheBPSK-constrainedGaussianwiretapchannel,thesecrecycapacityisgivenbyCbif1.WenotethatCbisachievedwhenXiisequiprobable;butitisnotnecessarilyachievedbytransmittingatthemaximumallowablepowerP. FigureD-1 showstheplotofCb,inunitsofbitsper(wiretap)channeluse(bpcu),versusthemaximumallowableSNRP=2for2=)]TJ /F3 11.955 Tf 9.29 0 Td[(1.0,)]TJ /F3 11.955 Tf 9.3 0 Td[(2.5and)]TJ /F3 11.955 Tf 9.3 0 Td[(4.4dB,respectively. D.2SecretLDPCcodingschemeInthissection,wedescribetheproposedcodingschemefortheBPSK-constrainedGaussianwiretapchannel.Theproposedcodingschemeemploysthepair(C,W),whichischosenasdescribedinSection 4.2 ,anditssecrecyperformancewillbeevaluatedbymeasuringtheequivocationrateofthesecretmessageatthewiretapper.Theproposedcodingschemeisdescribedasfollows, 1. Encoding:Thesourcesetscktobethek-bitsecretmessageMandchoosesdl)]TJ /F5 7.97 Tf 6.59 0 Td[(krandomlyaccordingtoauniformdistribution.LetH=[AB]betheassociatedparity-checkmatrixofanLDPCcode.Thenitcalculatesem)]TJ /F5 7.97 Tf 6.58 0 Td[(l=[ck,dl)]TJ /F5 7.97 Tf 6.59 0 Td[(k]AT(B)]TJ /F7 7.97 Tf 6.59 0 Td[(1)T 116

PAGE 117

FigureD-1. ThesecrecycapacityCboftheBPSK-constrainedGaussianwiretapchannelfordifferentvalueof2. andsendsXn=[dl)]TJ /F5 7.97 Tf 6.59 0 Td[(k,em)]TJ /F5 7.97 Tf 6.58 0 Td[(l]tothedestinationthroughtheGaussianwiretapchannel. 2. Decoding:Thedestinationperformsbeliefpropagation(BP)decodingtodecode~XmusingitschannelobservationYn.Therstkbitsofthedecodedcodewordgivetheestimate^Mofthesecretmessage.Weevaluatethesecrecyperformanceoftheproposedcodingschemeinthecontextofachievablerate-equivocationpairdenedinSection D.1 .First,iftheBPdecoderatthedestinationachievesblockerrorprobabilityd,thenwehavePrfM6=^Mgd.Hence,Condition1inSection D.1 issatisedifdissmallenough.Second,the 117

PAGE 118

uncertaintyaboutthemessageMatthewiretappergivenhisreceivedsequenceZnis H(MjZn)=H(XnjZn)+H(MjZn,Xn))]TJ /F4 11.955 Tf 11.95 0 Td[(H(XnjM,Zn)=H(Xn))]TJ /F4 11.955 Tf 11.96 0 Td[(I(Xn;Zn)+H(MjZn,Xn))]TJ /F4 11.955 Tf 11.96 0 Td[(H(XnjM,Zn). (D) Basedonthememorylessnatureofthesource-to-wiretapperchannelandtheencodingprocess,wehaveI(Xn;Zn)nC(~),H(Xn)=l1andH(MjZn,Xn)H(MjXn)=0,respectively.Moreover,consideractitiousreceiveratthewiretappertryingtodecodeforXnfromobservingZnandM.Supposethattheblockerrorprobabilityachievedbythisreceiverisw.ThenwehaveH(XnjM,Zn)1+(l)]TJ /F4 11.955 Tf 12.62 0 Td[(k)wbyFano'sinequality.Puttingallthesebackto( D ),weobtain 1 nH(MjZn)Rc)]TJ /F4 11.955 Tf 11.95 0 Td[(C(~))]TJ /F3 11.955 Tf 11.95 0 Td[((Rc)]TJ /F4 11.955 Tf 11.96 0 Td[(Rs)w)]TJ /F3 11.955 Tf 13.26 8.09 Td[(1 n.(D)LetRe=Rc)]TJ /F4 11.955 Tf 12.24 0 Td[(C(~).ThenCondition2inSection D.1 issatisedifwissmallenoughandnislargeenough.Hence,(Rs,Re)isanachievablerate-equivocationpairthroughtheBPSK-constrainedGaussianwiretapchannel.Moreover,wenotethattheabovelowerboundisderivedfromtheFano'sinequality;thusitappliestoanydecoderatthectitiousreceiver.Infact,thevalueofthebounddependsonthechoiceofdecodersonlythroughw.Inthenextsection,weperformcomputersimulationtoestimatewandthenemploy( D )toboundtheequivocationrateachievedbytheproposedcodingschemeasdescribedabove.Togetw,aBPdecoderisimplementedforthectitiousreceiveratthewiretapper.InordertoprovideinformationaboutthesecretmessageMtotheBPdecoder,theintrinsicLLRsofckareexplicitlysettoaccordingtothetruebitvalues. 1ThisisvalidwhenCcontains2ldistinctcodewords,whichisinturnthecasewithveryhighprobabilityifC0ischosenrandomlyintheusualmannerdescribedin[ 30 ]. 118

PAGE 119

D.3CodesdesignandperformanceIn[ 20 ],theauthorsuseasystematicirregularLDPCcodetoencodethesecretmessageM(alongwithsomerandombits)andthenpuncturethesecretmessagebitsinthecodewordpriortotransmissioninordertohidethesecretmessagefromthewiretapper.Thepuncturingpatternisdesignedtominimizethesecuritygap.SuchacodingschemecanbeviewedasanunoptimizedspecialcaseofourschemeproposedinSection D.2 .WeshowinthissectionthatthegeneralizationinSection D.2 allowsustosystematicallyoptimizetheirregularLDPCcodeforgoodsecrecyperformance.Tothatend,letusapplythecodesearchprocessproposedinSection 4.3 tothepresentcase.Again,ourobjectiveistodesigntheirregularLDPCcodeC0sothatthesecretLDPCcode(C,W)workswellforboththechannelfromthesourcetothedestinationandthechannelfromthesourcetothewiretapper(giventhesecretmessage).Similarly,weconsideruniformpuncturingofthesystematicbitsofC0,withpdenotingthecorrespondingfractionofpuncturedvariablenodes.NotethatthesecretrateRs=p 1)]TJ /F5 7.97 Tf 6.58 0 Td[(p.Also,writetherateofC0asR0c=l m.ThenR0c=Rc 1+Rs.ForanyxedRs,thediscussionjustbelow( D )attheendoftheprevioussectionsuggeststhatweshouldmaximizeRc,orequivalentlyR0c,inordertomaximizetheachievableequivocationrate.Forillustration,weapplytheabovecodesearchproceduretotwodifferentwiretapchannelsettings:(i)P=2=3.55dBand2=)]TJ /F3 11.955 Tf 9.3 0 Td[(4.4dB,and(ii)P=2=1.0dBand2=)]TJ /F3 11.955 Tf 9.29 0 Td[(1.0dB.Inbothcases,thecodesearchprocessstartswiththeAWGN-optimizedLDPCcodesreportedin[ 30 ]. FigureD-2 showsthesecrecyperformanceofarate-0.541irregularLDPCcodeobtainedbyperformingthecodesearchprocesswithRs=0.33undertherstchannelsetting.ThedegreedistributionpairofthisirregularLDPCcodeisshownin TableD-1 .WeobtainaninstanceoftheirregularLDPCcodebyrandomlygeneratingabipartitegraphthatsatisesthetwogivendegreedistributions.TheblocklengthoftheLDPCcodeism=106,andalllength-4loopsareremoved.Computersimulationisperformedonthiscodetoestimatedandwasdescribedbefore.The 119

PAGE 120

TableD-1. Degreedistributionpairsoftherate-0.541,rate-0.508,rate-0.505irregularLDPCcodes. rate-0.541 rate-0.508 rate-0.505 2 0.3013 0.2762 0.2599 3 0.1846 0.2804 0.2837 4 0.1510 0.0281 9 0.0614 10 0.3017 0.4434 0.4283 7 0.3892 0.6086 0.6315 8 0.6054 0.3914 0.3532 10 0.0054 0.0153 FigureD-2. Plotof(Rs,~Re)pairsachievedbytheproposedcodingschemeandbythecodingschemein[20]whenP=2=3.55dBand2=)]TJ /F3 11.955 Tf 9.3 0 Td[(4.4dB. 120

PAGE 121

estimatedvalueofwisemployedtocalculateanachievableequivocationrateasin( D ),providedthatd0.01andw0.01.Theresultingachievablepair(Rs,~Re)(where~Re=Re Rsisthefractionalequivocation)isplottedagainstthecapacity-(fractional)equivocationregion,whoseboundaryisshownbythesolidcurveinthegure.From FigureD-2 ,weseethatthepair(Rs,~Re)=(0.33,0.89)(shownbythesquaremarker)isachievedbythisrate-0.541LDPCcode.Next,weconsiderthemorechallengingcaseunderthesecondchannelsetting,inwhichthewiretapper'sSNRisnotmuchweakerthanthatofthedestination. FigureD-3 showsthesecrecyperformanceofarate-0.505irregularLDPCcodeobtainedbyperformingthecodesearchprocessdescribedabovewithRs=0.076.ThedegreedistributionpairofthisirregularLDPCcodecanbefoundin TableD-1 .Weobservethatthepair(Rs,~Re)=(0.076,0.76)(denotedbythesquaremarker)isachievedbythiscode.Inconclusion,thecodesearchprocessdescribedabovegivesirregularLDPCcodeswithrelativelygoodsecrecyperformancefordifferentvaluesof2.Wenotethatasimilarcodesearchprocesscanalsobeformulatedtoincludeoptimizationofthepuncturingpattern.However,wehavenotbeenabletoobtainsignicantlybettercodeswiththemodiedsearch.Onepossiblereasonforthisresultisthattheoptimizationofdegreedistributionsimplicitlytakestheuniformpuncturingpatternintoaccount,andthuslimitingthegainwhenincludingtheoptimizationofthepuncturingpatterninthelinearprogram.Asmentionedbefore,thecodessuggestedin[ 20 ]areunoptimizedspecialcasesofthecodingschemedescribedhere.Inparticular,arate-0.5irregularLDPCcodewithp=0.3isemployedin[ 20 ],resultinginsecretrateRs=0.43.Thesecrecyperformanceofthecodingschemein[ 20 ]isevaluatedbythesecuritygap.Inournotation,thatistondthevalues~andsuchthatthedecoding(bit)errorprobabilityofthesecretmessageatthedestinationissmallerthanaprescribedvalue,andthedecoding(bit)errorprobabilityofthesecretmessageatthewiretapperiscloseto0.5.Thesecurity 121

PAGE 122

FigureD-3. Plotofthe(Rs,~Re)pairachievedbytheproposedcodingschemewhenP=2=1.0dBand2=)]TJ /F3 11.955 Tf 9.3 0 Td[(1.0dB. gapisthendenedastheratiooftheSNRofthedestinationtothatofthewiretapper,i.e.1 2.Asreportedin[ 20 ],thesecuritygap,withuniformpuncturingoverallvariablenodesofdifferentdegreeforp=0.3isabout4.4dB.Tocomparewithouroptimizedcodes, FigureD-2 showsthesecrecyperformanceoftherate-0.5codein[ 20 ]withp=0.3evaluatedbyusing( D )asbeforeunderchannelsetting(i).Thepair(Rs,~Re)=(0.43,0.68)(denotedbythecirclemarker)isachievedbythiscode.WealsoperformacodesearchunderthischannelsettingwithRs=0.43forcomparison.Thepair(Rs,~Re)=(0.43,0.70)(denotedbythediamondmarker)isachievedusingtheresultingrate-0.508irregularLDPCcode.Weseethat 122

PAGE 123

theirregularLDPCcodeobtainedfromtheproposedcodesearchprocessalsoslightlyoutperformstheunoptimizedoneusedin[ 20 ]intermsofequivocationrate.Consultingbackto FigureD-1 ,weseethatfor2=)]TJ /F3 11.955 Tf 9.3 0 Td[(4.4dB,thesecrecycapacityoftheBPSK-constrainedGaussianwiretapchannelneverexceeds0.34bpcu.Hence,thefractionalequivocation~Reisstrictlybelow1atRs=0.43.Infact,thehighestachievable~ReatRs=0.43underthischannelsettingisonly0.78(cf. FigureD-2 ).Thatmeansthatweshouldnotoperateatthisrateifthetargetistoachieveperfectsecrecy.Insummary,theproposedcodingschemeandcodesearchprocessprovideamuchmoresystematicandexiblemeanstodesigningirregularLDPCcodesfortheBPSK-constrainedwiretapchannelthantheapproachin[ 20 ]. D.4SummaryInthisappendix,wedevelopedacodingschemeforsendingsecretmessagesovertheBPSK-constrainedGaussianwiretapchannel.TheproposedcodingschemeemployspuncturedsystematicirregularLDPCcodesinwhichsecretmessagebitsarepunctured.Tosystematicallyaddressthesecretcodedesignproblem,wepresentedadensity-evolutionbasedlinearprogramtosearchforgoodirregularLDPCcodestobeusedintheproposedcodingscheme.SimulationresultsshowedthattheirregularLDPCcodesobtainedfromoursearchcanachievesecrecyperformancerelativelyclosetotheboundaryofthecapacity-equivocationregionoftheBPSK-constrainedGaussianwiretapchannel. 123

PAGE 124

REFERENCES [1] C.Shannon,Communicationtheoryofsecrecysystems,BellSystemsTechnicalJournal,vol.28,pp.656,1949. [2] A.Wyner,Thewire-tapchannel,BellSyst.Tech.J.,vol.54,pp.1355,Oct.1975. [3] I.CsiszarandJ.Korner,Broadcastchannelswithcondentialmessages,IEEETrans.Inform.Theory,vol.24,no.3,pp.339,May1978. [4] R.AhlswedeandI.Csiszar,Commonrandomnessininformationtheoryandcryptography.I.Secretsharing,IEEETrans.Inform.Theory,vol.39,no.4,pp.1121,July1993. [5] S.K.Leung-Yan-CheongandM.E.Hellman,TheGaussianwire-tapchannel,IEEETrans.Inform.Theory,vol.24,no.4,pp.451,Jul1978. [6] L.OzarowandA.D.Wyner,Wire-tapchannelII,BellSyst.Tech.J.,vol.63,no.10,pp.2135,Dec.1984. [7] A.Thangaraj,S.Dihidar,A.R.Calderbank,S.McLaughlin,andJ.M.Merolla,ApplicationsofLDPCcodestothewiretapchannel,IEEETrans.Inform.Theory,vol.53,no.8,pp.2933,Aug.2007. [8] R.Liu,Y.Liang,H.Poor,andP.Spasojevic,SecurenestedcodesfortypeIIwiretapchannels,Proc.IEEE2007Inform.TheoryWorkshop,pp.337,Sept.2007. [9] H.MahdavifarandV.Vardy,Achievingthesecrecycapacityofwiretapchannelsusingpolarcodes,Proc.IEEEInt.Symp.Inform.Theory(ISIT2010),pp.913,June2010. [10] O.O.KoyluogluandH.E.Gamal,Polarcodingforsecuretransmissionandkeyagreement,Proc.IEEEInt.Symp.Personal,IndoorandMobileRadioCommun.,pp.2698,Sept2010. [11] E.Arikan,Channelpolarization:Amethodforcontructingcapacity-achievingcodesforsymmetricbinary-inputmemorylesschannels,IEEETrans.Inform.Theory,vol.55,pp.3051,Jul.2009. [12] U.M.Maurer,Secretkeyagreementbypublicdiscussionfromcommoninformation,IEEETrans.Inform.Theory,vol.39,no.3,pp.733,May1993. [13] G.BrassardandL.Salvail,Secret-keyreconciliationbypublicdiscussion,Ad-vancesinCrypotology-Eurocrypt'93,pp.410,1994. 124

PAGE 125

[14] K.C.Nguyen,G.VanAssche,andN.J.Cerf,Side-informationcodingwithturbocodesanditsapplicationtoquantumkeydistribution,inProc.2004IEEEInt.Symp.Inform.TheoryandApplicat.,Param,Italy,Oct.2004. [15] G.VanAssche,J.Cardinal,andN.J.Cerf,Reconciliationofaquantum-distributedGaussiankey,IEEETrans.Inform.Theory,vol.50,no.2,pp.394,Feb.2004. [16] J.Muramatsu,Secretkeyagreementfromcorrelatedsourceoutputsusinglowdensityparitycheckmatrices,IEICETransactionsonFundamentalsofElectronics,CommunicationsandComputerSciences,vol.E89-A,pp.2036,July2006. [17] C.Ye,A.Reznik,andY.Shah,ExtractingsecrecyfromjointlyGaussianrandomvariables,inProc.IEEEInt.Symp.Inform.Theory(ISIT2006),July2006,pp.2593. [18] M.Bloch,J.Barros,M.Rodrigues,andS.McLaughlin,Wirelessinformation-theoreticsecurity,IEEETrans.Inform.Theory,vol.54,no.6,pp.2515,June2008. [19] D.Elkouss,A.Leverrier,R.Alleaume,andJ.Boutros,Efcientreconciliationprotocolfordiscrete-variablequantumkeydistribution,Proc.IEEEInt.Symp.Inform.Theory(ISIT2009),pp.1879,July2009. [20] D.Klinc,J.Ha,S.M.McLaughlin,J.Barros,andB.J.Kwak,LDPCcodesfortheGaussianwiretapchannel,Proc.IEEE2009Inform.TheoryWorkshop,pp.95,Oct.2009. [21] M.Baldi,M.Bianchi,andF.Chiaraluce,Non-systematiccodesforphysicallayersecurity,Proc.IEEE2010Inform.TheoryWorkshop,pp.1,Sept.2010. [22] R.Gallager,Low-densityparity-checkcodes,IEEETrans.Inform.Theory,vol.8,no.1,pp.21,Jan1962. [23] D.MacKayandR.Neal,NearShannonlimitperformanceoflowdensityparitycheckcodes,IEEElectron.Lett.,vol.33,no.6,pp.457,Mar.1997. [24] R.G.Gallager,Low-DensityParity-CheckCodes.Cambridge,MA:MITPress,1963. [25] R.Tanner,Arecursiveapproachtolowcomplexitycodes,IEEETrans.Inform.Theory,vol.27,no.5,pp.533,Sept.1981. [26] M.G.Luby,M.Mitzenmacher,M.A.Shokrollahi,D.A.Spielman,andV.Stemann,Practicalloss-resilientcodes,inProc.ACMSymp.TheoryComputing,ElPaso,TX,May1997,pp.150. [27] M.G.Luby,M.Mitzenmacher,M.A.Shokrollahi,andD.A.Spielman,Analysisoflowdensitycodesandimproveddesignsusingirregulargraphs,inProc.ACMSymp.TheoryComputing,Dallas,TX,May1998,pp.249. 125

PAGE 126

[28] ,Efcienterasurecorrectingcodes,IEEETrans.Inform.Theory,vol.47,no.2,pp.569,Feb.2001. [29] T.RichardsonandR.Urbanke,Thecapacityoflow-densityparity-checkcodesundermessage-passingdecoding,IEEETrans.Inform.Theory,vol.47,no.2,pp.599,Feb.2001. [30] T.Richardson,M.Shokrollahi,andR.Urbanke,Designofcapacity-approachingirregularlow-densityparity-checkcodes,IEEETrans.Inform.Theory,vol.47,no.2,pp.619,Feb.2001. [31] S.Chung,G.D.Forney,Jr.,T.J.Richardson,andR.Urbanke,Onthedesignoflow-densityparity-checkcodeswithin0.0045dBoftheShannonlimit,IEEECommun.Lett.,vol.5,no.2,pp.58,Feb.2001. [32] C.Berrou,A.Glavieux,andP.Thitimajshima,NearShannonlimiterror-correctingcodinganddecoding,inProc.IEEEInt.Conf.Commun.,vol.2,Geneva,Switzerland,May1993,pp.1064. [33] F.R.Kschischang,B.J.Frey,andH.A.Loeliger,Factorgraphsandthesum-productalgorithm,IEEETrans.Inform.Theory,vol.47,no.2,pp.498,Feb2001. [34] J.Hagenauer,E.Offer,andL.Papke,Iterativedecodingofbinaryblockandconvolutionalcodes,IEEETrans.Inform.Theory,vol.42,no.2,pp.429,Mar.1996. [35] A.J.Viterbi,Errorboundsforconvolutionalcodesandanasymptoticallyoptimumdecodingalgorithm,IEEETrans.Inform.Theory,vol.13,no.2,pp.260,April1967. [36] L.R.Bahl,J.Cocke,F.Jelinek,andJ.Raviv,Optimaldecodingoflinearcodesforminimizingsymbolerrorrates,IEEETrans.Inform.Theory,vol.20,no.2,pp.284,Mar.1974. [37] A.Liveris,Z.Xiong,andC.Georghiades,CompressionofbinarysourceswithsideinformationatthedecoderusingLDPCcodes,IEEECommun.Lett.,vol.6,no.10,pp.440,Oct.2002. [38] T.CoverandJ.Thomas,ElementsofInformationTheory,2nded.NewYork:Wiley-Interscience,2006. [39] G.MillerandD.Burshtein,Boundsonthemaximum-likelihooddecodingerrorprobabilityoflow-densityparity-checkcodes,IEEETrans.Inform.Theory,vol.47,no.7,pp.2696,Nov.2001. [40] A.BennatanandD.Burshtein,OntheapplicationofLDPCcodestoarbitrarydiscrete-memorylesschannels,IEEETrans.Inform.Theory,vol.50,no.3,pp.417,Mar.2004. 126

PAGE 127

[41] T.RichardsonandR.Urbanke,Efcientencodingoflow-densityparity-checkcodes,IEEETrans.Inform.Theory,vol.47,no.2,pp.638,Feb.2001. [42] R.Urbanke,DegreedistributionoptimizerforLDPCcodeensembles,2001.[Online].Available: http://ipgdemos.ep.ch/ldpcopt/ [43] H.ImaiandS.Hirakawa,Anewmultilevelcodingmethodusingerrorcorrectingcodes,IEEETrans.Inform.Theory,vol.23,pp.371,May1977. [44] U.Wachsmann,R.F.H.Fischer,andJ.B.Huber,Multilevelcodes:Theoreticalconceptsandpracticaldesignrules,IEEETrans.Inform.Theory,vol.45,pp.1361,July1999. [45] J.Hou,P.H.Siegel,L.B.Milstein,andH.D.Pster,Capacity-approachingbandwidth-efcientcodedmodulationschemesbasedonlow-densityparity-checkcodes,IEEETrans.Inform.Theory,vol.49,no.9,pp.2141,Sept.2003. [46] T.Han,Information-Spectrummethodsininformationtheory.Berlin:Springer-Verlag,2003. [47] I.CsiszarandP.Narayan,Secrecycapacitiesformultipleterminals,IEEETrans.Inform.Theory,vol.50,no.12,pp.3047,Dec.2004. [48] ,Secrecycapacitiesformultiterminalchannelmodels,IEEETrans.Inform.Theory,vol.54,no.6,pp.2437,June2008. [49] Y.Oohama,Gaussianmultiterminalsourcecoding,IEEETrans.Inform.Theory,vol.43,no.6,pp.1912,Nov.1997. [50] V.KacandP.Cheung,QuantumCalculus.NewYork:Springer-Verlag,2002. [51] A.MarshallandI.Olkin,Inequalities:theoryofmajorizationanditsapplications.AcademicPress,1979. 127

PAGE 128

BIOGRAPHICALSKETCH ChanWongWongreceivedtheB.S.andM.S.degreesinelectricalengineeringfromNationalTaiwanUniversity(NTU),Taipei,Taiwanin2002and2004,respectively.From2002to2004,hewasateachingandresearchassistantattheGraduateInstituteofCommunicationsEngineering(GICE),NTU.During2003to2006hewaswithAfaTechnologies,Inc.,Taipei,Taiwan,asaDSPsystemengineerindevelopingdemodulatorsforvariousdigitalvideobroadcastingstandards.HehasbeenateachingandgraduateassistantinUniversityofFlorida,Gainesville,FLsince2007.Hisresearchinterestslieintheareaofcommunicationtheoryappliedtoequalization,codingandsecurityforwirelesscommunication.ChanWongisamemberofthePhiTauPhiScholasticHonorSocietyoftheRepublicofChina. 128