Secret-Key Sharing Based on Layered Broadcast Coding over Fading Channels

Xiaojun Tang (WINLAB, Rutgers University), Ruoheng Liu (Princeton University), Predrag Spasojević (WINLAB, Rutgers University), H. Vincent Poor (Princeton University)

Abstract

A secret-key sharing strategy based on layered broadcast coding is introduced for slow fading channels. In the model considered, Alice wants to share a key with Bob while keeping the key secret from a passive eavesdropper, Eve. Both Alice-Bob and Alice-Eve channels are assumed to undergo slow fading, and perfect channel state information (CSI) is assumed to be known only at the receivers during the transmission. Layered coding facilitates adapting the reliably decoded rate at Bob to the actual channel state without CSI available at Alice. The index of a reliably decoded layer is sent back to Alice via a public and error-free channel, which is exploited by Alice and Bob to generate the secret key. In this paper, the secrecy key rate is derived. In addition, the optimal power distribution over coded layers is characterized. It is shown that layered coding can increase the secrecy key rate significantly compared with single-level coding.

I. INTRODUCTION

Wireless secrecy has attracted considerable research interest due to the concern that wireless communication is highly vulnerable to security attacks, particularly eavesdropping attacks. Much recent research was motivated by Wyner's wire-tap channel model [1], where the transmission between two legitimate users (Alice and Bob) is eavesdropped upon by Eve via a degraded channel. The secrecy level in this model is measured by the equivocation rate at Eve. Wyner showed that secret communication is possible without sharing a secret key between legitimate users. Later, Csiszár and Körner generalized Wyner's model to consider general broadcast channels in [2].

Interestingly, the wireless medium provides its own endowments that facilitate defending against eavesdropping.
One such endowment is fading [3], whose effects on secret transmission have been studied in [4]-[6]. In these works, assuming that all communicating parties have perfect channel state information (CSI) prior to transmission, the ergodic secrecy capacity has been derived. The ergodic scenario in which Alice has no CSI about Eve's channel but knows the channel statistics has also been studied in [4]. When Alice does not know any prior CSI except channel statistics, but can reliably receive 1 bit of automatic repeat request (ARQ) feedback per channel coherence interval from Bob, the throughput of several secure hybrid-ARQ protocols has been derived in [7].

The work was supported by the National Science Foundation under Grants CNS-6-25637, CCF-7-2828 and CCF-729142.

Arguably, the most useful application of keyless secret message transmission is secret-key sharing as discussed in [8], [9] and other related works, although there exist some fundamental differences between these two problems. Roughly speaking, in secret message transmission, the message is known to Alice before starting the transmission; while in secret-key sharing, the key (a secret message to be shared by Alice and Bob) can be established and become known to Alice after the transmission is completed.

In this paper, we consider a key-sharing problem in which Alice wants to share a key with Bob while keeping it secret from Eve. Alice-Bob and Alice-Eve channels are assumed to undergo slow fading, and CSI is assumed known only at the receivers during the transmission. The key-sharing scheme consists of a communication phase and a key-generation phase. The communication phase is based on Gaussian layered broadcast coding. The index of a reliably decoded layer at Bob is sent back to Alice through a public and error-free channel. The key-generation phase is based on the layer index and follows Wyner's secrecy binning scheme [1]. We derive the secrecy key rate and also characterize the optimal power distribution over coded layers.
Interestingly, layered broadcast coding creates interference, where the undecodable layers for Bob play the role of self-interference. We show that the best Eve can do is to treat the interference as noise, as Bob does, and therefore she cannot benefit from the structure of the interference either.

There are several closely related works. Layered coding over slowly fading single-input single-output (SISO) channels was originally introduced by Shamai in [10] and discussed in more detail in [11]. The results in this paper are consistent with [10] and [11] if the additional secrecy constraint is disregarded. An ARQ-based secret-key sharing scheme was studied in [12], where single-level coding is used. That scheme can be viewed as a special case of the proposed layered-coding scheme. Finally, the problem of secret communication over a medium with interference was discussed in [13] for a more general but non-fading setting.

II. SYSTEM MODEL

As depicted in Fig. 1, we consider a three-terminal model, in which Alice and Bob want to share a secret key in the presence of Eve (a passive eavesdropper).
Fig. 1. Alice and Bob want to agree on a key $W = \hat{W}$, while keeping the key secret from Eve ($H(W \mid \mathbf{Y}_2, \mathbf{H}_2, \mathbf{K})/n$).

A. Channel Model

The Alice-Bob and Alice-Eve channels undergo block fading, in which the channel gains are constant within a block while varying independently from block to block [3]. We assume that each block is associated with a time slot of duration $T$ and bandwidth $W$; that is, $n_1 = 2WT$ real symbols can be sent in each slot. We also assume that the number of channel uses within each slot (i.e., $n_1$) is large enough to allow for the invocation of random coding arguments.

In a certain time slot indexed by $m$, Alice sends $x_m$, which is a vector of $n_1$ real symbols. Bob receives $y_{1,m}$ through the channel gain $h_{1,m}$ and Eve receives $y_{2,m}$ through the channel gain $h_{2,m}$. A discrete-time baseband-equivalent block-fading channel model can be expressed as

$$y_{t,m} = h_{t,m}\,x_m + z_{t,m} \tag{1}$$

for $t = 1, 2$, where $\{z_{t,m}\}$ are independent and identically distributed (i.i.d.) circularly symmetric complex Gaussian $\mathcal{N}(0, 1)$ random sequences.

Without any confusion, we drop the index $m$ and denote $h_t$ as a random channel realization. We assume that it is a real random variable with a probability density function (PDF) $f_t$ and a cumulative distribution function (CDF) $F_t$, for each $t = 1, 2$. Furthermore, we assume a short-term power constraint (excluding power variation across time slots) such that the average power of the signal $x_m$ per slot satisfies $E[\|x_m\|^2] \le n_1 P$ for every $m$.

There exists an error-free feedback channel from Bob to Alice, through which Bob sends back $k_m$ for time slot $m$. The feedback channel is assumed to be public, and therefore $k_m$ is obtained by both Alice and Eve without any error.

B. Secret Key Sharing Protocol

The secret-key sharing protocol consists of two phases: a communication phase and a key-generation phase.

1) Communication Phase: We assume that the transmission during the communication phase takes place over $M$ time slots.
That is, Alice sends a sequence of signals $\mathbf{x} = [x_1, x_2, \dots, x_M]$ to the channel. Accordingly, Bob receives from his channel a sequence of signals denoted by $\mathbf{y}_1 = [y_{1,1}, y_{1,2}, \dots, y_{1,M}]$ and Eve receives $\mathbf{y}_2 = [y_{2,1}, y_{2,2}, \dots, y_{2,M}]$ from her channel. We let $n = Mn_1$ denote the number of symbols sent by Alice in the communication phase. Let $\mathbf{h}_1 = [h_{1,1}, \dots, h_{1,M}]$ and $\mathbf{h}_2 = [h_{2,1}, \dots, h_{2,M}]$ denote vectors whose elements are the power gains of the Alice-Bob and Alice-Eve channels, respectively. We assume that Bob and Eve know their own channel gains perfectly; Alice does not know the CSI before her transmission, except for the channel statistics. After the communication, Bob uses the feedback channel to send $\mathbf{k} = [k_1, \dots, k_M]$, which is obtained by both Alice and Eve.

2) Key-Generation Phase: The communication phase is followed by a key-generation phase, in which both Alice and Bob generate the key based on the signals sent and received. Let $\mathcal{W} = \{1, 2, \dots, 2^{nR_s}\}$, where $R_s$ represents the secrecy key rate. Alice generates a secret key $w \in \mathcal{W}$ by using a decoding function $f_a$, i.e., $w = f_a(\mathbf{x}, \mathbf{k})$. Bob generates the secret key $\hat{w} \in \mathcal{W}$ by using a decoding function $f_b$, i.e.,

$$\hat{w} = f_b(\mathbf{y}_1, \mathbf{h}_1, \mathbf{k}) = f_b(\mathbf{y}_1, \mathbf{h}_1), \tag{2}$$

where the second equality holds since we assume that $\mathbf{k}$ is a deterministic function of $\mathbf{y}_1$ and $\mathbf{h}_1$.

The secrecy level at Eve is measured by the equivocation rate $R_e$, defined as the entropy rate of the key $W$ conditioned upon the observations at Eve, i.e.,¹

$$R_e = \frac{1}{n} H(W \mid \mathbf{Y}_2, \mathbf{H}_2, \mathbf{K}). \tag{3}$$

A secrecy key rate $R_s$ is achievable if the conditions

$$\Pr(W = \hat{W}) \ge 1 - \epsilon \tag{4}$$

and

$$R_e \ge R_s - \epsilon \tag{5}$$

are satisfied for any $\epsilon > 0$ as the number of channel uses $n \to \infty$.

III. KEY SHARING BASED ON LAYERED CODING

In this section, we introduce a secret-key sharing scheme, in which Gaussian layered broadcast coding is used for the communication phase, and random secrecy binning is used for the key-generation phase. Before presenting the scheme, we first introduce Gaussian layered broadcast coding.

A.
Gaussian Layered Broadcast Coding

As an example, we consider the Alice-Bob channel given by (1). First, let us assume there are $L$ layers in a layered coding scheme.

¹ Capital letters $W$, $\hat{W}$, $\mathbf{X}$, $\mathbf{Y}_1$, $\mathbf{Y}_2$, $H_1$, $H_2$, $\mathbf{H}_1$, $\mathbf{H}_2$, and $\mathbf{K}$ represent the random variables or vectors, while corresponding realizations are represented by lower-case letters.

That is, the transmitted codeword is a superposition of $L$ codewords, i.e.,

$$x = \sum_{l=1}^{L} x^{[l]}, \tag{6}$$

where $x^{[l]}$ is a codeword from codebook $\mathcal{C}^{[l]}$ with a rate $r^{[l]}$ and a constant power $p^{[l]}$ for $l = 1, \dots, L$, and the
total power is constrained by $\sum_{l=1}^{L} p^{[l]} = P$. In general, $L$ depends on the cardinality of the random channel variable $H_1$. For a Gaussian fading channel, a continuum of code layers ($L \to \infty$) is required.

For a certain fading realization $h^{[l]}$, the receiver can decode up to the $l$-th layer, i.e., the codewords $\{x^{[1]}, \dots, x^{[l]}\}$ can be decoded reliably, while the codewords $\{x^{[l+1]}, \dots, x^{[L]}\}$ are undecodable. The decoding is based on successive interference cancelation. More specifically, in the decoding process, the receiver first decodes $x^{[1]}$ by treating the remaining codewords $\{x^{[i]}, i > 1\}$ as interference. After decoding $x^{[1]}$, the receiver subtracts $x^{[1]}$ and then decodes $x^{[2]}$ by treating the remaining codewords $\{x^{[i]}, i > 2\}$ as interference. This process repeats until the $l$-th layer $x^{[l]}$ is decoded reliably by treating the remaining codewords $\{x^{[i]}, i > l\}$ as interference. Note that this predetermined ordering can be achieved because of the degraded nature of Gaussian SISO channels.

When a continuum of layers is used, the transmitter sends an infinite number of layers of coded information. Each layer conveys a fractional rate, denoted by $dr$, whose value depends on the index of the layer. We refer to $s$, the realization of the fading power, as a continuous index. The incremental differential rate is given by²

$$dr(s) = \log\left(1 + \frac{s\rho(s)\,ds}{1 + sI(s)}\right) = \frac{s\rho(s)\,ds}{1 + sI(s)}, \tag{7}$$

where $\rho(s)\,ds$ is the transmit power of a layer parameterized by $s$, and also represents the transmit power distribution over coded layers. The layers indexed by $u > s$ are undecodable and function as additional interference, whose power is denoted by $I(s)$ and is given by

$$I(s) = \int_s^\infty \rho(u)\,du. \tag{8}$$

The total power over all layers is constrained by

$$I(0) = \int_0^\infty \rho(u)\,du = P. \tag{9}$$

B. Secret Key Sharing Based on Layered Coding

In this section, we discuss the key sharing scheme based on Gaussian layered coding.

1) Codebook Construction: We need two types of codebooks, one used for the communication phase and one for the key-generation phase.
The codebook used for the communication phase consists of a continuum of coded layers represented by $\{\mathcal{C}(2^{n_1 dr(s)}, n_1)\}$, where $n_1$ is the codeword length and $dr(s)$ is the incremental differential rate at layer $s$. The sub-codebook for each layer is generated randomly and independently. That is, for any codebook $\mathcal{C}(2^{n_1 dr(s)}, n_1)$, we generate $2^{n_1 dr(s)}$ codewords $x^{[s]}(w)$, where $w = 1, 2, \dots, 2^{n_1 dr(s)}$, by choosing the $n_1 2^{n_1 dr(s)}$ Gaussian symbols with power $\rho(s)\,ds$ independently at random.

² All logarithms are to the natural base, and thus rates are in terms of nats per second per Hertz.

The codebook used for the key-generation phase is based on Wyner's secrecy coding [1], [4]. By letting

$$R = \int_0^\infty \left[\int_0^{H_1} \frac{s\rho(s)\,ds}{1 + sI(s)}\right] dF_1(H_1), \tag{10}$$

we first generate all binary sequences $\{B\}$ of length $n(R - \epsilon)$, where $n = Mn_1$. The sequences $\{B\}$ are then randomly and uniformly grouped into $2^{nR_s}$ groups each with $2^{n(R - R_s - \epsilon)}$ sequences. Each secret key $w \in \{1, \dots, 2^{nR_s}\}$ is then randomly assigned to a group, denoted by $B(w)$.

2) Communication Phase: The communication takes place over $M$ time slots. At time slot $m \in [1, M]$, Alice first randomly selects a message $w_m^{[s]} \in \{1, \dots, 2^{n_1 dr(s)}\}$ for coded layer $s$, independent of the messages chosen for other layers. For convenience, we use $w_m$ to represent the total message sent in time slot $m$ through all layers. Then, Alice sends a superposition of all layers to the channel.

Bob receives $y_{1,m}$ and tries to decode all his decodable layers, which depend on his channel state $h_{1,m}$. For convenience, we use $w_m^{[D_1]}$ to denote the set of layers reliably decoded by Bob, and $w_m^{[\bar{D}_1]}$ to denote the set of layers undecodable to Bob in time slot $m$. After decoding, Bob sends back the index of the highest decodable layer, represented by $k_m$, to Alice. This completes the transmission in time slot $m$. The communication phase ends when all $M$ independent transmissions are completed.

3) Key-Generation Phase: Once the communication phase is completed, both Alice and Bob can generate the secret key.
Based on the feedback sequence $\mathbf{k} = \{k_m\}$, Alice generates a binary sequence $v$ from all the messages reliably decoded by Bob across all layers and time slots based on a deterministic one-to-one mapping $\Phi$ as

$$v = \Phi\left(\{w_m^{[D_1]},\ m = 1, \dots, M\}\right). \tag{11}$$

Alice then looks up in the key-generation codebook for a $w$ such that $v \in B(w)$, and outputs $w$ as the secret key generated. Note that all those messages are decoded by Bob, and therefore Bob can generate the same sequence $v$ and the same key $w$ as Alice does.

IV. SECRECY KEY RATE

In this section, we present the secrecy key rate achieved, and the optimal distribution of power over coded layers. Due to space limitations, we defer all proofs to an upcoming long version of this paper.

A. Layered-Coding Based Key Sharing

The following result characterizes the secrecy rate when the power distribution is given.

Theorem 1: For a given power distribution $\rho(s)$ over layers indexed by $s$, the secrecy key rate of the layered-coding based key sharing scheme is H1 H 1, H 2 df 2 H 2 df 1 H 1, 12
Fig. 2. (a) Coded layers sent by Alice, (b) decodable and undecodable layers for Bob, and (c) decodable and undecodable layers for Eve, in time slot $m$ with the channel gains $h_1 > h_2$.

where H 1, H 2 is given by H1 [ sρs H 1, H 2 = 1 + sis H 2ρs ds 13 1 + H 2 Is and Is = H 2 s ρudu with I = P. 14

We discuss some insights from Theorem 1. First, except for the rare case in which $H_1$ is always smaller than $H_2$, $R_s$ is positive. Note that this is impossible without feedback (one-way communication). Furthermore, $R_s$ can be written as [ E H1,H 2 H1, H 2, 15 where H 1, H 2 = { H1, H 2 if H 1 > H 2 otherwise. 16

The key rate $R_s$ is the average of rewards designated by H 1, H 2 collected from all possible channel realizations. Positive rewards are obtained from the time slots in which Bob's channel is better than Eve's channel ($H_1 > H_2$). On the other hand, when $H_1 \le H_2$, the reward is zero.

We focus on a particular time slot in which $(H_1, H_2) = (h_1, h_2)$ with $h_1 > h_2$, and use $x$ to denote all layers sent in the slot. As depicted in Fig. 2, $x$ can be divided as

$$x = x^{[D_2]} \cup \left\{x^{[D_1]} \cap x^{[\bar{D}_2]}\right\} \cup x^{[\bar{D}_1]}, \tag{17}$$

where $x^{[D_1]}$ and $x^{[\bar{D}_1]}$ denote the sets of decodable and undecodable layers at Bob, respectively, and $x^{[D_2]}$ and $x^{[\bar{D}_2]}$ denote the sets of decodable and undecodable layers at Eve, respectively. Note that $x^{[D_1]} \supseteq x^{[D_2]}$ since $h_1 > h_2$. Both Alice and Bob can decode $x^{[D_2]}$, and neither of them can decode $x^{[\bar{D}_1]}$. Therefore, a nonzero reward h 1, comes from the set of layers $x^{[D_1]} \cap x^{[\bar{D}_2]}$. To show this, we rewrite (13) as h 1, = sρsds 1 + sis ρsds 1 + Is. 18

The first term on the right-hand side of (18) is the sum rate decoded by Bob from $x^{[D_1]} \cap x^{[\bar{D}_2]}$ by decoding and canceling $x^{[D_2]}$ first, and treating the interference term $x^{[\bar{D}_1]}$ as noise. Furthermore, the second term can be written as

$$\int_{h_2}^{h_1} \frac{h_2\,\rho(s)\,ds}{1 + h_2 I(s)} = \log\left(1 + \frac{h_2\,[I(h_2) - I(h_1)]}{1 + h_2 I(h_1)}\right).$$
(19)

By noticing that $I(h_2) - I(h_1)$ is the total power used for the layers $x^{[D_1]} \cap x^{[\bar{D}_2]}$, and $I(h_1)$ is the total power used for the layers $x^{[\bar{D}_1]}$, (19) gives the rate of information that Eve can possibly deduce from $x^{[D_1]} \cap x^{[\bar{D}_2]}$ through her channel with power gain $h_2$. An interesting finding here is that the best Eve can do is to treat the interference term $x^{[\bar{D}_1]}$ as noise, as Bob does, and therefore she cannot benefit from the structure of the interference either.

Due to the absence of CSI at the transmitter before the transmission, the layered broadcast coding strategy creates a medium with interference, where the undecodable layers play the role of self-interference. We remark here that this is a special case of secret communication over a medium with interference as discussed in [13].

B. Single-Level-Coding Based Key Sharing

When single-level coding is used, self-interference does not occur. In this case, the following secrecy key rate can be achieved.

Lemma 1 ([12, Theorem 1]): The secrecy key rate of a single-level-coding based scheme is given by

$$\Pr\left[R_1 \le \log(1 + H_1 P)\right]\, E_{H_2}\left[R_1 - \log(1 + H_2 P)\right]^+, \tag{20}$$

where $R_1$ is the rate of single-level coding.

Compared with the layered-coding based scheme, the single-level-coding based approach has lower decoding complexity, and requires less feedback (only 1 bit per time slot). However, it is sub-optimal in general. Also, a single-level coding scheme can be considered as a special case of a layered-coding scheme, in which all power is allocated to one layer. This again motivates us to find the power distribution for optimizing the layered-coding scheme.

C. Secrecy Key Rate Under Optimal Power Distribution

The secrecy rate given by (12) is hard to evaluate and optimize. After some tedious steps of derivation (mainly integration by parts), we have an alternative form.

Lemma 2: The secrecy key rate given by (12) is equivalent to

$$\max_{I(x)} \int_0^\infty [1 - F_1(x)]\,\rho(x)\left[\int_0^x \frac{F_2(y)\,dy}{[1 + yI(x)]^2}\right] dx, \tag{21}$$

with the constraint $I(0) = P$, and $\rho(x) = -dI(x)/dx$.
In certain cases, optimization of $R_s$ with respect to the power distribution $\rho(x)$, or, equivalently, the interference distribution $I(x)$, under the power constraint $P$ can be found by using the calculus of variations. First, we define the functional of (21) as

$$L(x, I(x), I'(x)) = -[1 - F_1(x)]\,I'(x) \int_0^x \frac{F_2(y)\,dy}{[1 + yI(x)]^2}.$$
A necessary condition for a maximum of the integral of $L(x, I(x), I'(x))$ over $x$ is a zero variation of the functional. By solving the associated Euler-Lagrange equation [14] given as

$$L_I - \frac{d}{dx} L_{I'} = 0, \tag{22}$$

we have the following characterization for the optimal $I(x)$.

Lemma 3: A necessary condition for optimizing $I(x)$ in order to maximize the secrecy rate given by (21) is to choose $I(x)$ to satisfy

$$\int_0^x \frac{F_2(y)\,dy}{[1 + yI(x)]^2} = \frac{[1 - F_1(x)]\,F_2(x)}{f_1(x)\,[1 + xI(x)]^2}, \tag{23}$$

where = when x < x or x x 1. Here, $x_0$ and $x_1$ can be found by letting $I(x_0) = P$ and $I(x_1) = 0$ in (23).

Finally, we have the following secrecy key rate under the optimal power distribution.

Theorem 2: When the optimal power distribution is used, the following secrecy key rate is achieved,

$$-\int_{x_0}^{x_1} \frac{[1 - F_1(x)]^2\,F_2(x)\,dI(x)}{f_1(x)\,[1 + xI(x)]^2}, \tag{24}$$

where $I(x)$ and $x_0$, $x_1$ are found from the condition given by (23).

V. A RAYLEIGH FADING CHANNEL

In this section, we assume Rayleigh fading for the Alice-Bob and Alice-Eve channels. We consider a symmetric scenario in which both fading power gains $H_1$ and $H_2$ are exponentially distributed with unit means. The secrecy rate with layered coding is computed by numerically evaluating

$$\int_{x_0}^{x_1} \frac{e^{-x}\,[e^{-x} - 1]}{[1 + xI(x)]^2}\,dI(x),$$

where $I(x)$ can be found according to Lemma 3 by solving 1 E i E i x + 1 [1 + = [1 + x { 2 exp 1 [ exp x + 1 }, 25 where $E_i(x) = \int_x^\infty [\exp(-t)/t]\,dt$ is the exponential integral function. By letting $I(x_0) = P$ in (25), we can solve for $x_0$. By letting $I(x_1) = 0$ in (23), we can solve for $x_1$. Every equation has a unique solution after excluding a trivial solution.

Fig. 3 shows the optimal power distribution for coded layers. A clear trend is that more power is allocated to lower layers as the total power $P$ becomes larger. In general, the optimal power distribution does not concentrate much on a certain layer or a short interval, especially when $P$ is large.

Fig. 4 compares the secrecy key rates of layered-coding and single-level-coding based schemes (both optimized). The secrecy key rate of the layered-coding based scheme is significantly higher.
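The comparison behind Fig. 4 can be explored numerically with a finite number of layers. The Python below is an added example, not code from the paper: it assumes a finite-layer discretization of the per-slot reward described in Section IV (Bob's sum rate over the layers Eve cannot decode, minus the rate Eve obtains when she treats the layers Bob cannot decode as noise), the symmetric unit-mean exponential gains of Section V, and hypothetical function names and search grid. With one layer it reduces to Lemma 1, which is evaluated directly for comparison.

```python
import math

def layered_key_rate(thresholds, powers, steps=200):
    """Secret-key rate (nats per channel use) of a finite-layer scheme when
    H1 and H2 are independent unit-mean exponential power gains.
    thresholds[l]: smallest gain at which layer l decodes (ascending order);
    powers[l]: power of layer l; higher layers act as interference."""
    n_layers = len(thresholds)
    interf = [sum(powers[l + 1:]) for l in range(n_layers)]
    rates = [math.log1p(s * p / (1.0 + s * i))
             for s, p, i in zip(thresholds, powers, interf)]
    total = 0.0
    for k in range(n_layers):                # k: Bob's highest decodable layer
        nxt = thresholds[k + 1] if k + 1 < n_layers else math.inf
        prob_bob = math.exp(-thresholds[k]) - math.exp(-nxt)
        reward, lo = 0.0, 0.0
        for j in range(k + 1):               # Eve's gain in [lo, hi): she decodes layers < j
            hi = thresholds[j]
            bob_rate = sum(rates[j:k + 1])   # layers Bob decodes and Eve cannot
            p_mid = sum(powers[j:k + 1])
            dh = (hi - lo) / steps
            for n in range(steps):           # midpoint rule over Eve's gain h2
                h2 = lo + (n + 0.5) * dh
                # Eve treats the layers Bob cannot decode as noise
                eve_rate = math.log1p(h2 * p_mid / (1.0 + h2 * interf[k]))
                reward += (bob_rate - eve_rate) * math.exp(-h2) * dh
            lo = hi
        total += prob_bob * reward
    return total

def single_level_key_rate(r1, power, steps=200):
    """Lemma 1 directly: Pr[R1 <= log(1+H1 P)] * E[(R1 - log(1+H2 P))^+]."""
    s = math.expm1(r1) / power               # Bob decodes iff H1 >= s
    dh, gap = s / steps, 0.0
    for n in range(steps):                   # the (.)^+ term vanishes for H2 >= s
        h2 = (n + 0.5) * dh
        gap += (r1 - math.log1p(h2 * power)) * math.exp(-h2) * dh
    return math.exp(-s) * gap

def best_allocations(power):
    """Grid search (constructed grid): best one-layer and best two-layer split."""
    grid = [0.1 * i for i in range(1, 16)]
    best1 = max((layered_key_rate([s], [power]), s) for s in grid)
    best2 = max((layered_key_rate([s1, s2], [f * power, (1 - f) * power]), s1, s2, f)
                for i, s1 in enumerate(grid) for s2 in grid[i + 1:]
                for f in (0.25, 0.5, 0.75, 1.0))
    return best1, best2

if __name__ == "__main__":
    one, two = best_allocations(10.0)
    print("best single-level rate %.4f at threshold %.1f" % one)
    print("best two-layer rate %.4f at thresholds %.1f, %.1f, split %.2f" % two)
```
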
Fig. 3. Optimal power distribution over coded layers (power distribution versus layer index).

Fig. 4. Secrecy key rate in nats/second/hertz (single-level coding and layered coding, versus average power in dB).

REFERENCES

[1] A. D. Wyner, "The wire-tap channel," Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355-1387, Oct. 1975.
[2] I. Csiszár and J. Körner, "Broadcast channels with confidential messages," IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339-348, May 1978.
[3] E. Biglieri, J. Proakis, and S. Shamai (Shitz), "Fading channels: Information-theoretic and communications aspects," IEEE Trans. Inf. Theory, vol. 44, no. 6, pp. 1895-1911, Oct. 1998.
[4] P. Gopala, L. Lai, and H. El Gamal, "On the secrecy capacity of fading channels," IEEE Trans. Inf. Theory, vol. 54, no. 10, pp. 4687-4698, Oct. 2008.
[5] Y. Liang, H. V. Poor, and S. Shamai (Shitz), "Secure communication over fading channels," IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2470-2492, Jun. 2008.
[6] Z. Li, R. Yates, and W. Trappe, "Secrecy capacity of independent parallel channels," in Proc. 44th Annual Allerton Conference on Commun., Cont., and Comp., Monticello, IL, Sep. 2006.
[7] X. Tang, R. Liu, P. Spasojević, and H. V. Poor, "On the throughput of secure hybrid-ARQ protocols for Gaussian block-fading channels," IEEE Trans. Inf. Theory, vol. 55, no. 4, pp. 1575-1591, Apr. 2009.
[8] U. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733-742, 1993.
[9] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography - part I: Secret sharing," IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121-1132, July 1993.
[10] S. Shamai (Shitz), "A broadcast strategy for the Gaussian slowly fading channel," in Proc. IEEE Int. Symp. Inf. Theory, Ulm, Germany, Jun. 29 - Jul. 4, 1997.
[11] S. Shamai (Shitz) and A. Steiner, "A broadcast approach for a single-user slowly fading MIMO channel," IEEE Trans. Inf. Theory, vol. 49, no. 10, pp.
2617-2635, Oct. 2003.
[12] M. A. Ghany, A. Sultan, and H. El Gamal, "ARQ based secret key sharing," http://arxiv.org/abs/0810.1319, Oct. 2008.
[13] X. Tang, R. Liu, P. Spasojević, and H. V. Poor, "Interference-assisted secret communication," in Proc. IEEE Inf. Theory Workshop (ITW), Porto, Portugal, May 2008.
[14] I. M. Gelfand and S. V. Fomin, Calculus of Variations. Englewood Cliffs, NJ: Prentice-Hall, 1963.