Secrecy Gain: a Wiretap Lattice Code Design

The wiretap channel was introduced by Wyner [10] as a discrete memoryless broadcast channel where the sender, Alice, transmits confidential messages to a legal receiver Bob, in the presence of an eavesdropper Eve. Wyner defined the perfect secrecy capacity as the maximum amount of information that Alice can send to Bob while insuring that Eve gets a negligeable amount of information. He also described a generic coding strategy known as coset coding. While coset coding has been used in many coding scenarios (for ex. [11], [8]), Wyner used it to encode both data and random bits to confuse the eavesdropper. A more precise coset coding technique, called wiretap II codes, was presented in [7], where Alice enjoys a noiseless channel while Eve has to deal with a channel with erasures. The question of determining the secrecy capacity of many classes of channels has been addressed extensively recently, yielding a plethora of information theoretical results on secrecy capacity. There is a sharp contrast with the situation of wiretap code designs, where very little is known. The most exploited approach to get practical codes so far has been to use LDPC codes (for example [9] for binary erasure and symmetric channels, [5] for Gaussian channels). We also note that wiretap II codes have been extended to more general settings such as network coding in [3]. Finally, lattice codes for Gaussian channels have been considered from an information theoretical point of view in [4]. The problem that we address in this paper is to propose a design criterion for constructing explicit lattice codes (of possibly small length) to be used over additive white Gaussian noise channels. Assuming that Eve's channel is worse than the one of Alice, we analyse the probability of both users to make a correct decision, and exhibit geometrical lattice properties that maximize Alice's probability of making the right decision, while minimizing Eve's probability of decoding successfully. These properties are captured by the theta series of the lattice used for encoding, which in turn is used to define the notion of secrecy gain as a measure of secrecy brough by the lattice wiretap codes. Note that we do not consider a binary input as proposed in [5]. The paper is organized as follows. In Section II, we first describe a coset coding strategy suitable for lattices, namely using coset lattice codes. The corresponding decoding strategy is described in Section III. The chore results are given in Section IV: Bob's and Eve's probability of decoding coset lattice codes are computed, and we show that the behaviour of its theta series captures what makes a lattice good for being a wiretap code, motivating the introduction of the notion of secrecy gain. We consider a Gaussian wiretap channel, namely a broadcast channel where the source (Alice) sends a signal to a legitimate receiver (Bob), while an illegitimate eavesdropper (Eve) can listen to the transmission. It is modeled by where x is the transmitted signal, v b and v e denote the Gaussian noise at Bob, respectively Eve's side, both with zero mean, and respective variance σ 2 b and σ 2 e . We assume that Bob has a good SNR, but that σ 2 b = N 0 << N 1 = σ 2 e , so that Eve has a poor SNR, in particular with respect to Bob. Alice's encoder maps k information symbols s 1 , . . . , s k from S = {0, 1} to a codeword x = (x 1 , . . . , x n ) ∈ R n , and over a transmission of n symbols, we get Alice uses lattice coding, that is the codeword x = (x 1 , . . . , x n ) is actually a lattice point. A lattice Λ is a discrete set of points in R n , which can be described in terms of its generator matrix M by ( [6], [1]) are a linearly independent set of vectors in R n (so that m ≤ n) which form a basis of the lattice. Alice chooses a lattice Λ b (we use the subscript b to refer to the intended legimitate receiver Bob) and then encodes her k bits of information into a point x ∈ Λ b : In a practical scenario, a finite subset of Λ b must be chosen as a function of the available power at the receiver, though for the analysis, we will often consider the infinite lattice, which is simpler to understand since we do not need to take into account the boundary effect. In order to get confusion at the eavesdropper, we use coset coding, as proposed in [10], [7]. The idea (which has been used ever since, whenever there is wiretap coding) is that instead of having a one-to-one correspondence between s ∈ {0, 1} k ↔ x ∈ Λ b , the vector of information symbols is mapped to a set of codewords, namely a coset (that is, a set of points obtained by translation of a lattice), after which a random point to be actually transmitted is chosen randomly inside the coset. More precisely, we partition the lattice Λ b into a union of disjoint cosets of the form with Λ e a sublattice of Λ b and c an n-dimensional vector not in Λ e . We need 2 k cosets to be labelled by s ∈ {0, 1} k : Since every coset contains the same number of elements, we have that Once the mapping is done, Alice randomly chooses a point x ∈ Λ e + c j(s) and sends it over the wiretap channel. This is equivalent to choose a random vector r ∈ Λ e . The transmitted lattice point x ∈ Λ b is finally of the form We have denoted the sublattice Λ e , since it encodes the random bits that are there to increase Eve's confusion, and is then the lattice intended for Eve. Example 1: Take Λ b = Z 2 in R 2 and Λ e = 2Z 2 , for which we have The lattice Z 2 is thus partionned into 2 k = 4 cosets, allowing to transmit k = 2 bits of information. Alice can then label any of the above 4 cosets, say To transmit the two bits 01, she then randomly picks a point in the coset 2Z 2 + (0, 1), say x = (2, 3), that is and sends this point over the wiretap channel. By using lattice coset encoding, we notice that two lattices play a role: • the lattice Λ b , that Alice uses to communicate reliably with Bob, • the lattice Λ e , which is a sublattice of Λ b , that appears in the process of coset coding for encoding random bits. Our goal is to study how the properties of these two lattices are related to the design of good wiretap codes. After transmission over the Gaussian wiretap channel, Bob and Eve receive respectively (see ( 1) and ( 3)) where we recall that r ∈ Λ e encodes the random bits, and c is the coset representative of minimum energy labelled by the information bits. Both Bob and Eve are interested in decoding the information bits, namely in finding the correct coset that was sent. To do so, they need to find the closest lattice point in Λ b to their respective received signal y or z, from which they deduce the coset to which it corresponds. Recall that for any lattice point P i of a lattice Λ ⊂ R n , its Voronoi cell is defined by Since all lattice points have the same Voronoi cell, we will speak of the Voronoi cell of the lattice Λ and denote it by V(Λ). Now when transmitting a codeword x k in R n with Voronoi cell V(x k ) over an additive white Gaussian noise channel with noise variance σ 2 , the decoder makes the correct decision if and only if the noise vector is in V(x k ), an event of probability In our scenario, the probability P c of correct decision concerns not just one point but a coset, and thus it is the probability that the received signal lies in the union of the Voronoi regions of Λ b , translated by points of Λ e . Suppose that the lattice point x k = r k +c k ∈ Λ b has been transmitted. The probability P c of finding the correct coset is thus, assuming no boundary effect If we take M codewords x 1 , . . . , x M from Λ b , then as already noticed, all Voronoi cells are the same, namely V(x k ) = V(Λ), k = 1, . . . , M , and thus we get We now study the probability of Bob and Eve to make a correct decoding decision, and try to maximize Bob's probability while minimizing the one of Eve. This leads us to study the theta series of the lattices involved. Considering the wiretap channel (1) where Alice transmits lattice codewords from an n-dimensional lattice Λ b , we thus get from (4) that the probability P c,b of Bob's (resp. P c,e of Eve's) correct decision is: Since by assumption Bob has a good SNR, its received vector y is most likely to lie in the Voronoi region around the origin, and thus the terms corresponding to r = 0 in (4) are negligeable, which yields: This is now the familiar case of transmitting lattice points over the Gaussian channel, for which it is known that Λ b should have a good Hermite parameter, to get a good coding gain. We are on the contrary under a low SNR assumption for Eve, namely σ e is large, and thus a Taylor expansion at order 0 gives where the volume V(Λ b ) of the lattice is The probability of making a correct decision for Eve is then from which we get that We know how to design good codes for Bob's channel, and have his probability of making a correct decision arbitrarily close to 1. Our aim is thus to minimize the probability P c,e of Eve making a correct decision, while keeping P c,b unchanged. This is equivalent to minimize (7), that is to find a lattice Λ b which is as good as possible for the Gaussian channel [1], and minimize r∈Λe e -r 2 /2σ 2 e under the constraint The constraint on the cardinality of cosets (or rate) is equivalent to set the fundamental volume of Λ e equal to a constant. It is natural to start by approximating the sum of exponentials by its terms of higher order, namely r∈Λe e -r 2 /2σ after which we should minimize its kissing number. This approximation however assumes high SNR, which typically Eve does not have. We thus cannot be content with this approximation, and have to obtain a more precise analysis. Let us get back to the code design criterion (8) and rewrite it in terms of the theta serie of the lattice considered. Recall that given a lattice Λ ⊂ R n , its theta serie Θ Λ is defined by ( [1]) Exceptional lattices have theta series that can be expressed as functions of the Jacobi theta functions ϑ i (q), i = 2, 3, 4, themselves defined by Example 2: Here are a few examples of theta series for some exceptional lattices. 1) The cubic lattice Z n : 2) D n : 3) The Gosset lattice E 8 : 4) The Leech lattice Λ 24 : -45 16 ϑ 2 (q) 8 ϑ 3 (q) 8 ϑ 4 (q) 8 . From (8), we need to minimize Thus to minimize Eve's probability of correct decision is equivalent to minimize Θ Λe (z) in z = i/2πσ 2 e . To approach this problem, let us set y = -iz and restrict to real positive values of y. We are now interested in minimizing Θ Λe (y) = r∈Λe q r 2 , q = e -πy , y > 0, in the particular value of y corresponding to z = i/2πσ 2 e , namely y = 1 2πσ 2 e . This is actually a problem that classically arises in the study of theta series [2]: given the lattice dimension n, find the lattice Λ ⋆ that minimizes Θ Λ (y) for a given value of y. Note that if Λ e is not chosen to be a particular lattice, we can assume that Λ e = Z n . We consequently define the secrecy function of a given lattice Λ as the ratio of its theta series and the theta series of Z n , in a chosen point y. Definition 1: Let Λ be an n-dimensional lattice. The secrecy function of Λ is given by defined for y > 0. As we want to minimize the expression of Eve's probability of correct decision in (8), we are interested in the maximum value of the secrecy function. This yields the notion of secrecy gain. Definition 2: The secrecy gain χ Λ of an n-dimensional lattice Λ is defined by Examples of the secrecy function for the lattices E 8 and D 8 are shown in Figures 1 and2, respectively. Both lattices clearly have a maximum, happening in y = 1 for E 8 but not for D 8 (which is conjectured to have this maximum in It is worth emphasizing that the value at which the secrecy function gets its maximum is important for the code design, since it tells us what is the SNR at which the wiretap lattice code is providing most confusion to Eve. The two examples suggest that this value depends on the chosen lattice. Conjectures on the behaviour of the secrecy gain are currently being investigated. It is expected that an asymptotic analysis will give a first insight, and that a finer study should reveal how the secrecy gain is connected to the equivocation rate. Let us conclude by giving a small example of code construction. Example 3: Consider the case of an 8-dimensional (real) construction. Suppose we want to transmit at a secrecy rate of 2 bits per complex symbol. We choose Λ b = E 8 , since this lattice has the best coding gain and the best shaping gain in dimension 8. For Λ e , we choose as sublattice of E 8 the lattice 2E 8 , a scaled version of Λ b . We then have which gives as rate per complex symbol which is the requested rate. To construct E 8 while preserving the overall shaping, we choose a construction A [1]: (8,4,4) where (8,4,4) Then, the random bits label 2E 8 , which means that 4 of these bits serve as information bits for 2 • (8, 4, 4) and the other ones label points of 4Z 8 . It has been proved [2], and this is the best result known up to date, that some lattices, including E 8 , reach a local minimum of their theta series for some constant y > 0 close to 1. Thus using Λ e = 2E 8 indeed helps in optimizing the secrecy gain. In this paper, we provided a practical wiretap coding scheme using coset lattice codes. We exhibited geometric properties that a lattice and its sublattice should satisfy to provide good wiretap codes for transmission over additive white Gaussian noise channels, in terms of the theta series of the involved lattices. This yielded the notion of secrecy gain. Our analysis focuses on error probabilities of both users rather than on equivocation rate, though we expect that further work will enlighten the connection between the two concepts. We are currently studying different conjectures on the behaviour of the secrecy gain, as well as the design of lattice codes that fullfil the code design criteria. Having explicit constructions of families of wiretap codes to compare will give us a further understanding of what is a good wiretap lattice code. It is also a natural work to address the achievability of such codes with respect to the secrecy capacity of Gaussian channels. Finally, lattice codes have also been useful to design modulation schemes for fading channels. It is a natural generalization to consider a similar analysis of what makes a good wiretap code in the context of fading channels. ∤which gives an alphabet with 256 codewords. ∤