A Broadcast Approach To Secret Key Generation Over Slow Fading Channels

1 A Broadcast Approach T o Secre t K e y Generat ion Ov er Slo w Fa ding Channels Xiaojun T ang, Ruoheng Liu, Predrag Spasojevi ´ c and H. V incent Poor Abstract A secr et-key generation scheme based on a layered b roadcasting strategy is introdu ced for slow-fading channels. In the model considered , Alice wants to share a key with Bob while keeping the key secret from Eve, who is a passiv e ea vesdropper . Both Alice-Bob and Alice-Eve cha nnels are assumed to und ergo slow fading, and perfect channel state infor mation (CSI) is assumed to be known only at the receivers during the transmission. In each fadin g slot, Alice bro adcasts a continuu m o f coded layers and , hence, a llows Bob to decode at the r ate correspo nding to the fading state (unknown to Alice). The index of a r eliably decoded laye r is sent back from Bob to Alice via a pu blic and er ror-free chann el and used to gener ate a common secret key . In th is paper, th e a chiev ab le secrecy ke y rate is ﬁrst de riv ed for a given p ower distribution over code d layer s. The optimal p ower distribution is then charac terized. It is shown that layered broadc ast co ding can in crease the secrecy key rate signiﬁcantly compare d to single-level coding . Index T erms Secret-key agreemen t, wiretap ch annel, layered bro adcast codin g, su perposition coding , feedb ack, interf er- ence, fading channel I . I N T R O D U C T I O N W ireless secrecy ha s attracted conside rable rese arch interest due to the con cern that wireless communication is highly vulnerable to sec urity attacks, particularly eavesdropping attacks. Muc h rece nt resea rch was mo ti vated This research was supported by t he National Science Foundation under Grants CNS-09-05398, CCF-07-28208 and CCF-0729142 , and in part by the Air Force Ofﬁce of Scientiﬁc Research under Grant F A9550-0 8-1-0480. The material in this paper was presented in part at the IEEE International Symposium on Information Theory (IS IT), S eoul, Korea, June 24 - 29, 2009. Xiaojun T ang i s wi th A T &T Labs, San Ramon, CA 94583 USA (e-mail: xiaojun.tang@att.com). Ruoheng Liu i s wi th Alcatel-Lucent, Murray H ill, NJ 07974 USA. ( email: ruohe ng.liu@alcatel-lucent.com). Predrag Spasoje vi ´ c is with the W i reless Information Network Laboratory (WINLAB), Department of Electrical and Computer Engineering, Rutgers Uni versity , North Brunswick, NJ 08902, USA (e- mail: spasoje v@winlab .rutgers.edu). H. Vin cent Poor is wi th the Department of Electrical Engineering, Princeton Univ ersity , Princeton, NJ 08544, USA (email: poor@princeton.edu). 2 by W yner’ s wire-tap cha nnel mod el [1], in which the transmission betwee n two legitimate us ers (Alice a nd Bob) is eavesdropped upon by Eve via a degraded c hannel. In this model, to cha racterize the leakage of information to the eavesdropper , equ i vocation rate is used to de note the level o f ignorance of the eavesdropper with res pect to the conﬁden tial messages . Perfect secrecy requires that the eq ui vocation rate is asymptotically equal to the mes sage rate, and the max imal achiev a ble rate with perfect secrecy is called the sec recy capa city . W yner showed that secret communication is pos sible without a secret-key shared by legitimate users. Later , Csisz ´ ar and K ¨ orner gene ralized W yner’ s model to c onsider gen eral broadc ast chan nels in [2]. The Gauss ian wire-tap chann el was c onsidered in [3]. Rec ent rese arch has a ddressed the information-theoretic se crecy for multi-user channe l models [4]–[9]. W e refer the reader to [10] for a recent survey of the res earch progress in this area. Interestingly , the wireless medium provides its o wn endowments tha t facili tate defending against eavesdrop- ping. One such endowment is fading [11]. The effect of fading on sec ret transmiss ion has been studied in [12]–[14]. In the se works, assuming that all communica ting parties ha ve perfect channe l state information (CSI), the e r g odic sec recy cap acity has been de ri ved. Th e sce nario in which Alice h as no CSI about Eve’ s channe l (but knows the channe l statistics) has a lso be en studied in [12]. The throughput of se veral sec ure hybrid automatic repe at request (ARQ) protocols has be en ana lyzed in [15]. In this work, Alice is no t assu med to have prior C SI (exce pt chann el statistics), but ca n receive a 1-bit ARQ feedback p er channe l coherenc e interval from Bob reliably . Ar guably , the most u seful application of (keyless) secret message transmission is s ecret-key ge neration. For instance, a key can be sent from Alice to Bo b as a secret mes sage (which is s elected by A lice in a dvance). More gen erally , as c onsidered here, the key can be established after a commun ication session completes . T his relaxation in the protocol can lead to a h igher key rate. The se cret-key generation prob lem in [16] and [17] assume s an interacti ve, authenticated public c hannel with unlimited capacity . In [17], the “chan nel mode l with wiretapper” (CW) is similar to the wiretap channe l model, while in the “source model w ith wiretapper” (SW), Alice and Bob exploit correlated source obs ervations to genera te the key . Both SW and CW mode ls have b een subseq uently extended to multiple terminals [18]–[20] and to non-authenticated public channels [21]–[23 ]. Secret-key gene ration using both c orrelated sources an d channe ls ha s been con sidered more rece ntly in [24] and [25]. In this p aper , we c onsider a key-generation problem in which Alice wants to s hare a key with Bob while keeping it secret from Eve. The Alice-Bob and Alice-Eve cha nnels (forward cha nnels) und ergo slow fading, and CSI is known on ly at the receivers. Furthermore, we assume a pub lic and e rror -free feedbac k cha nnel. The key gene ration sch eme und er co nsideration consists of a commun ication and a key-generation phase. In the commun ication pha se, via the forward chan nel, Alice s ends to Bob co ded sequenc es, which are observed 3 at Bob a nd Eve after indep endent d istortions due to po we r attenuation and n oise. Subseq uently , Alice and Bob agree on the s ame secret-key in the key-generation phase. Th e problem setting resembles an SW model but dif fers in that the sha red “c orrelated sources ” are coded sequenc es (fr om a public codeboo k and distorted by the channel). W e ass ume tha t the feedback c hannel from Bo b to Alice is very limited. For each block transmission from Alice to Bob, Bob is required to s end bac k one or more bits to Alice, where the one-bit feedback corresponds to a n ARQ ACK/ N A CK sche me. An example a pplication is where Alice sends a v ideo clip to Bob , which is a non -secret transmission. Bob re sponds with a few bits and thus enables a greeing on a secret-key , which can then be us ed in key-based cryptograph ic protocols. The co mmunication phase is based on laye red broadc ast co ding, which effecti vely adap ts the decod ed rate at Bob to the actual channel state without requiring CSI to be avail able at Alice. The transmiss ion takes p lace over s ev eral time slots. In each time slot, Alice trans mits a con tinuum of layers. Depen ding on the realization of the channel state, Bob decod es a subse t o f laye rs reliably . The index of the highes t reliably decode d laye r at Bob is s ent ba ck to Alice, and us ed in the key-generation p hase that follows W yne r’ s sec recy b inning sche me [1]. For a gi ven po wer distributi on over co ded layers, we deri ve the ac hiev ab le sec recy key rate, which permits a simple interpretation as the average reward collected from all pos sible cha nnel realizations. Furthermore, we ch aracterize the optimal power distrib ution over co ded layers to maximize the ac hiev able secrecy key rate under the broadca st app roach. Layered broadcas t c oding c reates artiﬁcial no ise so that the unde codable layers at B ob play the role of self- interference. W e show that, by prop erly c hoosing the coding rate for each laye r , it is en sured tha t Eve cannot beneﬁt from the layered c oding structure and is forced to treat the la yers un decoda ble at Bob as interference. Secret communications with i nterference was studied i n [26] and [27] in a more general (b ut no n-fading) setting. Layered broadca st cod ing for a slow-fading single -input single-output (SISO) ch annel mo del was originally introduced by Shama i in [28 ] and discus sed in grea ter details in [29]. Th e results in this pape r are consistent with [28] a nd [29] when the ad ditional s ecrecy key generation requirement p hase is not conside red. In a closely related work, a similar ARQ-based sec ret-key gene ration s cheme e mploying s ingle-lev e l c oding was s tudied in [30]. T his sc heme can be viewed as a spec ial case of the proposed lay ered-coding base d sche me as all power is allocated to a single co ded lay er . W e show tha t layered broadca st coding c an increase the secrecy key rate signiﬁcantly compared to sing le-le vel coding. The remainder of the p aper is organized as follows. Section II d escribes the s ystem model. S ection III states the broadca st approach for key g eneration. Section IV gi ves the achiev able secrecy rate for a gi ven power distrib ution. Section V charac terizes the optimal power distributi on. A n umerical examp le in volving a Rayleigh fading channe l is given in Section VI. Conc lusions a re gi ven in Sec tion V II. 4 Alice Bob K K Ö m X E ve authentic ated feedb ack K   m h 2 m , 1 Y m , 2 Y m 1 Z m 2 Z   M m , , 1  m h 1 } { m X } { 1 m Y } { 2 m Y } { m < Fig. 1. Alice and Bob want t o agree on a key ( K = ˆ K ), while keeping t he key secret from Eve ( H ( K | Y 2 , h 2 , Ψ ) /n → 0 ). I I . S Y S T E M M O D E L As d epicted in F ig. 1, we c onsider a three-terminal mo del, in which Alice and Bob want to sh are a se cret key in the p resence of Eve, who is a passive e avesdropper . That is, Eve is interested in stealing the key but does not attempt to interfere with the key gen eration proc esses. A. Channel Model The Alice-Bob and A lice-Eve ch annels (forward ch annels) un dergo block f ading, in which the c hannel gains are cons tant within a block while varying independen tly from block to block [11]. W e assume that each block is as sociated with a time slot of duration T and ban dwidth B ; that is, N = ⌊ 2 B T ⌋ rea l symbols can be sent in each s lot. W e also a ssume tha t the number of ch annel uses within eac h slot (i.e., N ) is lar g e enough to allow for in voking random coding arguments. Let us assume that the transmissions in the forward cha nnels take place over M time slots. In a time slot indexed b y m ∈ [1 , . . . , M ] , Alice sends X m , which is a vector o f N rea l symbo ls. Bob recei ves Y 1 m through the chan nel gain h 1 m and Eve rece i ves Y 2 m through the c hannel gain h 2 m . A disc rete time bas eband-eq uiv alent block-fading channe l model can be express ed as Y tm = p h tm X m + Z tm (1) for t = 1 , 2 , wh ere { Z tm } are sequence s of independe nt and identically distributed (i.i.d.) circularly symmetric complex Gaussian N (0 , 1) ran dom variables. W e de note by h 1 m and h 2 m the sta tes of the Alice-Bob a nd Alice- Eve channe ls, resp ectiv e ly , in time s lot m . W ithout loss of generality , we drop the index m and denote rando m 5 channe l realizations by h t . W e a ssume that h t is a real ran dom v ariable with a p robability density f unction (PDF) f t and a c umulativ e dis trib ution func tion (CDF) F t , for eac h t = 1 , 2 . W e also let h 1 = [ h 1 , 1 , . . . , h 1 ,M ] and h 2 = [ h 2 , 1 , . . . , h 2 ,M ] denote the power ga in vectors for the Alice-Bob and Alice-Eve chan nels, respectively . W e ass ume tha t Bob and Eve kn ow their own c hannel gains perfectly; Alice does not know the CSI be fore its transmission, except for the channe l statistics. In a ddition, we assume a s hort term power co nstraint (excluding power variation across time slots) such that the av erage power of the s ignal X m per slot sa tisﬁes the constraint 1 N E [ k X m k 2 ] ≤ P (2) for all m = 1 , . . . , M . Finally , we as sume that there exists a n error -free feedbac k ch annel from Bo b to Alice, through which Bob can feed back Ψ m for time slot m , where Ψ m is a de terministic function of Y 1 m and h 1 ,m . The feedback channe l is ass umed to be p ublic, and therefore Ψ m is received by both Alice and Eve without any error . B. Secret K ey Gen eration Pr otocol The secret key gen eration protocol cons ists of two phas es: a communica tion phas e and a key-gene ration phase. 1) Communica tion Phas e: W e as sume tha t the transmiss ion d uring t he communication phase takes place o ver M time slots. That is, Alice s ends a sequence of sign als X = ( X 1 , X 2 , . . . , X M ) to the channel. Accordingly , Bob receives f rom his chan nel a sequence of signals den oted by Y 1 = ( Y 1 , 1 , Y 1 , 2 , . . . , Y 1 ,M ) and Eve receives Y 2 = ( Y 2 , 1 , Y 2 , 2 , . . . , Y 2 ,M ) from her chan nel. W e let n = M N den ote the numbe r o f symbols s ent by Alice in the communica tion ph ase. After the transmiss ion, Bob uses the feedback cha nnel to send Ψ = (Ψ 1 , . . . , Ψ M ) , wh ich is received b y both Alice and Eve since the feedb ack cha nnel is public and error- free. 2) K e y -Generation Phas e: The co mmunication p hase is followed by a key-generation pha se, in wh ich both Alice an d Bob g enerate the key bas ed on the forward and backward signals. A ge neral key-generation phase can be des cribed as in the follo wing. Let K = { 1 , 2 , . . . , 2 nR s } , wh ere R s represents the secrecy key rate. Alice gene rates a sec ret key k ∈ K by using a decod ing function K , i.e., k = K ( X , Ψ ) . (3) Bob generates the secret key ˆ k ∈ K by us ing a d ecoding function ˆ K , i.e., ˆ k = ˆ K ( Y 1 , h 1 , Ψ ) = ˆ K ( Y 1 , h 1 ) , (4) where the sec ond equ ality ho lds since we assu me that Ψ is a deterministic function of Y 1 and h 1 . 6 The secrecy level at Eve is measured by the equiv oca tion rate R e deﬁned as the en tropy rate of the key K conditioned upon the obse rvati ons at Eve, i.e., R e , 1 n H ( K | Y 2 , h 2 , Ψ ) . (5) Deﬁnition 1. A secrecy key rate R s is achievable if the c onditions Pr  K = ˆ K  ≥ 1 − ǫ, (6) and R e ≥ R s − ǫ, (7) are satisﬁed for any ǫ > 0 as the number of cha nnel us es n → ∞ . I I I . A L A Y E R E D B RO A D C A S T A P P R O AC H T O K E Y G E N E R A T I O N In this section, we introduce a broadcast approac h for sec ret-key gene ration, in which Gaussian layered broadcas t coding is use d for the communication phase , and random se crecy binning is use d for the key generation phase. Before presenting the sche me, we brieﬂy introduc e Gau ssian layered b roadcast coding. Finite-le vel layered broadcas t c oding (supe rposition coding) was introduced b y Cover in [31] for gene ral b roadcast ch annels. In [28], Shamai studie d a Ga ussian fading chan nel with no CS I at the transmitter a nd cons idered the limi ting case when there is a con tinuum of code d laye rs. In this s ection, we ﬁrst take a look a t a fading wiretap c hannel with a ﬁnite number of fading states, for which ﬁnite le vel laye red broadca st coding is applicable. The c hannel will be used to derive the res ult for the limiti ng case of con tinuous fading, which is the focus of this pape r . A. F inite-Level Layered Br oadca st Coding for L -State F ading Ch annel Let u s ﬁrst con sider a typ e of channel called “the L -state fading wiretap chan nel, ” in wh ich there a re L dif ferent fading s tates possibly obs erved on the Alice-Bob or Alice-Eve chann el. Deﬁnition 2. In an L -state fading wiretap chann el, a t any time slot, the rea lization of the p ower gain of the Alice-Bob or Alice-Eve channe l takes one value from { h [1] , h [2] , . . . , h [ L ] } inde penden tly and randomly , and is charac terized by probability function Pr { h 1 = h [ l 1 ] , h 2 = h [ l 2 ] } . W ithout los s of ge nerality , we as sume that { h [ l ] } are ordered in a scending order . Here, let us focus on the Alice-Bob c hannel. As shown in Fig. 2, in a laye red broad cast c oding s cheme, the point-to-point fading channe l is viewed as a broadcast c hannel with L virtual receiv ers each correspon ding to a fading state. By applying the s uperposition cod ing in [31], the en coding and decoding procedures can be described as follows. 7 No CSIT } , , , { ] [ ] 2 [ ] 1 [ L h h h h   CSIR  ] 1 [ h ] 2 [ h ] [ L h  L virtual receiv ers decodable layers undecodable layers L L fading states Fig. 2. A point-to-point fading channel with L possible fading stat es is viewed as a broadcast channel with L virt ual receivers each correspondin g to a fading state. During the enco ding, we assume tha t L layers a re use d. That is, the transmitted c odeword is a superposition of L co dew ords, i.e., P L l =1 X [ l ] , where X [ l ] is a cod ew o rd from a G aussian c odebook C [ l ] with a rate r [ l ] and a co nstant power p [ l ] , l = 1 , . . . , L . For a giv en power allocation { p [ l ] } , the rate of the l -th layer is given b y 1 r [ l ] = log 1 + h [ l ] p [ l ] 1 + h [ l ] P L i = l +1 p [ i ] ! , (8) and the total power satisﬁes P L l =1 p [ l ] = P . During the decoding, for a given fading realization h [ l ] , the recei ver can successfully de code the ﬁrst l layers by us ing the s uccess i ve d ecoding strategy [31]. i.e., the codewords { X [1] , . . . , X [ l ] } ca n be dec oded reliably , while the codewords { X [ l +1] , . . . , X [ L ] } are undec odable. More s peciﬁcally , in the dec oding process, the receiver ﬁ rst decode s X [1] by treating the rema ining cod ew o rds ( { X [ i ] , i > 1 } ) as interference. After decoding X [1] , the receiv er will subtract X [1] and the n deco de X [2] by treating the remaining codewor ds ( { X [ i ] , i > 2 } ) as interference . This proces s repeats until the l -th laye r X [ l ] is dec oded reliably by treating the remaining codewords ( { X [ i ] , i > l } ) as interferenc e. As shown in (8), P L i = l +1 p [ i ] is the total power of coded layers treate d a s inferenc e du ring the deco ding of the l -th layer . No te tha t this prede termined ordering can be achieved because of the degraded nature of Gauss ian single-inpu t sing le-output (SISO) chann els. B. Layered Br oadc ast Coding for Ga ussian F ading Chan nels In general, L d epends on the cardina lity of the random chann el variable. For a Gauss ian fading chan nel, a continuum of c ode layers ( L → ∞ ) is req uired for achieving the best performance . Whe n a continuum of layers is used, the trans mitter se nds an inﬁnite n umber of layers of cod ed information. Each lay er con veys a fractional rate, deno ted by dR , whose value dep ends on the index of the layer . W e refer to s , the realization 1 All logarithms are to the natural base, and thus r ates are in terms of nats per second per Hertz. 8 of the fading power , as a continuou s index. For a given transmit power distrib ution ρ ( s ) over coded laye r s , ρ ( s ) ds is the transmit power used by laye r s . Any laye r indexed by u sa tisfying u > s is undec odable a nd functions as a dditional interference. The total power o f undeco dable layers (for a realization of fading power s ) is den oted by I ( s ) and is expressed b y I ( s ) = Z ∞ s ρ ( u ) du. (9) The incremental diff erential rate of layer s is given by dR ( s ) = log  1 + sρ ( s ) ds 1 + sI ( s )  = sρ ( s ) ds 1 + sI ( s ) , (10) where the seco nd equa lity in (10) is due to the fact that lim x → 0 log(1 + x ) = x for any x ≥ 0 . The total power over all layers is c onstrained by I (0) = Z ∞ 0 ρ ( u ) du = P . (11) Gi ven a rea lization of the fading power (or laye r index) s , the de codable rate at the rece i ver is R ( s ) = Z s 0 uρ ( u ) du 1 + uI ( u ) . (12) Hence, for a giv en CDF of the random fading power s den oted by F ( s ) , the average de codable ra te at the receiv er is R = Z ∞ 0 Z s 0 uρ ( u ) du 1 + uI ( u ) dF ( s ) . (13) C. Secret-K e y Generation Ba sed on Laye r e d Br oadca st Coding In this section, we discus s key generation based on Ga ussian layered broadcas t coding . W e outline the scheme for the co ntinuous case when L → ∞ , which is the focus of this paper . For an L -state fading wiretap channe l when L is ﬁnite, the corresponding sche me is d iscussed in Appendix A. 1) Codeb ook Con struction: W e need tw o types of codebooks use d for the commun ication a nd ke y -generation phases , respec ti vely . The c odeboo k us ed for the commun ication phase consists of a continuum of c oded layers represen ted by {C [ s ] (2 N dR ( s ) , N ) } , where N is the co dew ord length and dR ( s ) is the (increme ntal differential) rate at layer s . The (sub -)codebook for each layer is generated randomly a nd ind epende ntly . That is, for any co debook C [ s ] (2 N dR ( s ) , N ) , we ge nerate 2 N dR ( s ) codewords X [ s ] ( w ) , where w = 1 , 2 , . . . , 2 N dR ( s ) , by cho osing the N 2 N dR ( s ) Gaussian symbols (with power ρ ( s ) ds ) independe ntly at rand om. The cod ebook use d for the key ge neration phase is bas ed on W yner’ s s ecrecy coding [1], [12 ]. As shown in Fig. 3, we use R = Z ∞ 0 Z h 1 0 sρ ( s ) ds 1 + sI ( s ) dF 1 ( h 1 ) (14) 9 to represent the a verage d ecodab le rate at Bob. W e ﬁrst generate all binary sequen ces of length n ( R − ǫ ) , denoted by B , where n = M N . The se quence s B are the n randomly and uniformly grouped into K = 2 nR s bins each with n ( R − R s − ǫ ) sequen ces, where R s is the a chiev a ble secrecy rate giv en later . W e denote b y v ( k , j ) the j -th cod ew o rd in the k -th bin, where 1 ≤ k ≤ K and 1 ≤ j ≤ J = 2 n ( R − R s − ǫ ) . Each s ecret key k ∈ { 1 , . . . , K } is then ran domly assigned to a bin, d enoted by B ( k ) = { v ( k , j ) , j = 1 , . . . , J } . 2) Communica tion Phas e: The c ommunication takes places over M time slots. In time slot m ∈ [1 , . . . , M ] , Alice ﬁrst rando mly s elects a mes sage W [ s ] m ∈ { 1 , . . . , 2 N dR ( s ) } for coded layer s , indepen dent of the mess age chosen for other layers. For conv enience, we us e W m to represent the total message sent in time slot m (through all layers), i.e., W m = × s W [ s ] m . Then, Alice sen ds a s uperposition of all layers to the ch annel. Bob receives Y 1 m and tries to d ecode all his decoda ble layers, which d epends on his chann el state h 1 m . For conv enience, we use W [ D 1 ] m to denote the se t of laye rs reliably decode d by Bob, and W [ U 1 ] m to denote the set of layers undec odable to Bob in time slot m . 2 After decoding, Bob send s back the index of the highe st decoda ble layer to Alice via the fee dback cha nnel, so tha t b oth Alice and Bo b ge t to k now W m . This comp letes the transmission in time s lot m . The communica tion ph ase en ds when all M (independe nt) transmissions a re completed. Note that the feedba ck o f a layer index doe s not need to be completed right after eac h transmission in the forward channe l. It is required only before the follo wing key ge neration phase. Also no te that the feed back of the index of a decoda ble layer is a special type of c hannel feed back. In p articular , when c onsidering the case when the nu mber of fading states L → ∞ , the index of the highest dec odable layer in time slot m is equa l to the fading power gain h 1 m (i.e., the pu blic feedbac k Ψ m = h 1 m ). For a ﬁnite level laye red coding ap proach, the feed back of the layer index is an L -bit quantized version of the rea lization of the fading power gain. When L = 1 , it is the ARQ feedbac k of A CK or NA CK. 3) K e y -Generation Phase : Once the co mmunication p hase (including feedb ack) is completed, both Alice and Bob can generate the secret ke y . Ba sed on the fee dback s equenc e Ψ = h 1 , Alice generates a binary sequen ce v from all the mes sages reliably d ecoded by Bob base d on a ny deterministic one-to-one mapping g as v = g ( W [ D 1 ] ) , (15) where W [ D 1 ] = ( W [ D 1 ] 1 , W [ D 1 ] 2 , . . . , W [ D 1 ] 2 ) represe nts the set of mes sages succe ssfully de coded by Bo b ac ross all layers and time slots. 2 T o be more accurate, D 1 in W [ D 1 ] m should be inde xed by m , howe ver , we choose to use D 1 to simplify our notation. T hroughou t the paper , W [ D 1 ] m is shorthand for W [ D 1 m ] m . If the subscript of W is a set, then D 1 is also indexed by the set. For example, for a set of time slots M + ⊆ { 1 , . . . , M } , we use W [ D 1 ] M + instead of W [ D 1 M + ] M + to represent all the messages decoded by Bob in M + . The rule is also applied to D 2 , U 1 and U 2 . In addition, it is applied to codew ord X and codebook C besides message W . 10 v (1 , 1) v (1 , j ) v (1 , J) v ( k , 1) v (k , j ) v ( k , J) v (K , 1) v (K , j ) v (K , J) M ) ( ⋅ = g v L ] [ 1  W k K =        K     s nR 2 K = ) ( 2 J s R R n − = ] [ 1  W Fig. 3. Alice and Bob generate a sequence v from all the messages reliably decoded (across L layers and M time slots), look up in the key-generation codebook for a k such that v ∈ B ( k ) , and output k as t he key . Alice then loo ks up in the key-genera tion c odebook for a k such that v ∈ B ( k ) , and outpu ts k as the s ecret key generated . Note that all tho se messag es are decode d by Bob, and Bo b can g enerate the s ame s equenc e v and the same key k as Alice does . T his completes the key gene ration. I V . S E C R E C Y K E Y R A T E In this section, we p resent the s ecrecy key rate achieved by the broad cast approac h and co mpare it to that achieved by us ing a single-level coding a pproach. For both approac hes, we ass ume tha t the number of time slots used in the trans mission over the forward cha nnel is sufﬁciently lar g e (i.e., M → ∞ ), so that we can obtain an ergodic key rate. A. Layered-Br oadca st-Coding Base d Ke y Generation The follo wing result ch aracterizes the secrecy rate whe n a power distributi on ρ ( s ) is giv en. Theorem 1. For a gi ven p ower distribution ρ ( s ) over co ded layers indexed by s , the secrecy key rate achieved by the layered -broadcast-cod ing based key generation sche me is R s = Z ∞ 0 Z h 1 0 ∆( h 1 , h 2 ) dF 2 ( h 2 ) dF 1 ( h 1 ) , (16) where ∆( h 1 , h 2 ) is given by ∆( h 1 , h 2 ) = Z h 1 h 2  sρ ( s ) 1 + sI ( s ) − h 2 ρ ( s ) 1 + h 2 I ( s )  ds (17) and I ( s ) = Z ∞ s ρ ( u ) du with I (0) = P . (18) Pr oof: The proof ca n be foun d in Appe ndix A. 11 Now we disc uss some ins ights from Theorem 1. First, R s can be written as R s = E h 1 ,h 2 h ˜ ∆( h 1 , h 2 ) i , (19) where ˜ ∆( h 1 , h 2 ) =    ∆( h 1 , h 2 ) if h 1 > h 2 0 otherwise. (20) The key rate R s is the average of rewards (designated by ˜ ∆( h 1 , h 2 ) ) collected from a ll possible chann el realizations. Positiv e rewards are obtained from the time slots in which Bo b’ s cha nnel is be tter than Eve’ s channe l ( h 1 > h 2 ). On the other ha nd, wh en h 1 ≤ h 2 , the rew a rd is zero. W e ca n se e that except for the rare cas e in which h 1 is always smaller than h 2 , R s is positiv e. Now we foc us on a particular time slot m in which h 1 > h 2 , an d use X m to de note all layers s ent in the slot. 3 As depicted in Fig. 4, X m can be divided a s X m = X [ D 2 ] m ∪  X [ D 1 ] m ∩ X [ U 2 ] m  ∪ X [ U 1 ] m , (21) where X [ D 1 ] m and X [ U 1 ] m denote the s ets of de codable and u ndecod able layers at B ob, respec ti vely , an d X [ D 2 ] m and X [ U 2 ] m denote the s ets of dec odable and un decoda ble layers at E ve, res pectiv ely . Note that X [ D 1 ] m ⊃ X [ D 2 ] m since h 1 > h 2 . Both Alice and Bob can dec ode X [ D 2 ] m , and neither of them ca n decode X [ U 1 ] m . Therefore, a nonz ero rew a rd ∆( h 1 , h 2 ) comes from the s et of layers X [ D 1 ] m ∩ X [ U 2 ] m . T o sh ow this, we rewrit e (17) as ∆( h 1 , h 2 ) = Z h 1 h 2 sρ ( s ) ds 1 + sI ( s ) − Z h 1 h 2 h 2 ρ ( s ) ds 1 + h 2 I ( s ) . (22) The ﬁrst term on the right hand side of (22) is the su m-rate decoded by Bob from X [ D 1 ] m ∩ X [ U 2 ] m (by decod ing and cance ling X [ D 2 ] m ﬁrst, and treating the interference term X [ U 1 ] m as noise). Furthermore, the sec ond term c an be written as Z h 1 h 2 h 2 ρ ( s ) ds 1 + h 2 I ( s ) = log  1 + h 2 [ I ( h 2 ) − I ( h 1 )] 1 + h 2 I ( h 1 )  . (23) By noticing that I ( h 2 ) − I ( h 1 ) is the total power used for the layers X [ D 1 ] m ∩ X [ U 2 ] m , and I ( h 1 ) is the total po wer used for the layers X [ U 1 ] m , (23) gi ves the rate of information that Eve c an possibly de duce from X [ D 1 ] m ∩ X [ U 2 ] m through her cha nnel with p ower gain h 2 . An interesting ﬁnding here is that wha t the best Eve ca n do is to treat the interference term X [ U 1 ] m as noise (as Bob d oes) with the total noise po wer 1 + h 2 I ( h 1 ) , and the refore c annot b eneﬁt from the structure of interference either . Due to the ab sence of C SI at the transmitter during the transmission in the forward ch annel 3 X m represents the set of L layers in time slot m , and also the signal tr ansmitted by Alice in time slot m , which is the superposition of all layers. 1 2 (a) (b) (c) m X m X ] [ 1  m X ] [ 2  m X ] [ 1  m X ] [ 2  Fig. 4. (a) Coded layers sent by Alice, (b) decodable and undecodab le layers for Bob, and (c) decodable and undecodable layers for Eve, in time slot m with the channel gains h 1 > h 2 . , the laye red b roadcast coding strategy creates a me dium with interference, in which the und ecodab le lay ers play the role of self-interfer e nce . W e remark that this is a s pecial cas e o f se cret communication over a medium with interference as discus sed in [27]. B. Single-Level-Coding Based K ey Gen eration When single-le vel c oding is used, se lf-interference does not occur . Alice uses a codebook wit h a single coding rate in the forward transmiss ion. Bob uses ARQ feed back to tell Alice wh ether the decod ing is s uccess ful or has failed. In this case , the following secrecy key rate can be achieved. Lemma 1. [30, Theo rem 1 ] The s ecrecy key rate of a single-level-coding based sche me is given by R [1] s = Pr h R [1] ≤ log (1 + h 1 P ) i E h 2 h R [1] − log (1 + h 2 P ) i + , (24) where R [1] is the co ding rate o f the single-level codeboo k. This key rate R [1] s still has the interpretation of the average of rewards (design ated b y ˜ ∆ 1 ( h 1 , h 2 ) ) collected from all pos sible cha nnel rea lizations. That is, R [1] s can be written as R [1] s = E h 1 ,h 2 h ˜ ∆ 1 ( h 1 , h 2 ) i , (25) 13 where ˜ ∆ 1 ( h 1 , h 2 ) =    R [1] − log (1 + h 2 P ) if h 1 ≥ exp( R [1] ) − 1 P > h 2 0 otherwise. (26) C. Comparison s and Discus sions The advantage of the laye red-broadcas t-coding (LBC) based ap proach over the sing le-le vel-coding bas ed approach (SLC) can be readily obse rved by comparing the rew ard functions given by (20) and (26). F irst, in LBC, a p ositi ve re ward is obtained from the s et of c hannel pairs P = { ( h 1 , h 2 ) : h 1 > h 2 } ; while in SLC, it is obtained from the chan nel se t P ′ = { ( h 1 , h 2 ) : h 1 ≥ 1 P ( e R [1] − 1) > h 2 } . It is obvious that P ⊃ P ′ , which means the re a re mo re time slots that contribute to the s ecrecy key generation for LBC than for SLC. Se cond, the coding rate R [1] for SLC h as to be ca refully chosen in o rder to balance betwee n obtaining a larger value of reward in a time slot (by increa sing R [1] ) and making more time slots contribute to the key g eneration (by decreas ing R [1] ); while in LBC, the reward is gained in each time slot adap ti vely base d on the rand om chann el realizations. Finally an d importantly , in SLC, Eve can d educe the information at the rate of log (1 + h 2 P ) with a cha nnel gain h 2 . This is the loss of rate in order to keep the key se cret from E ve. In L BC, however , Eve d educes less information as given by (23) due to the interference power (the total power of unde codable layers). The self-interference plays an important role for decrea sing Eve’ s capability of eavesdropping. Hence, although the s ingle-le vel-coding base d app roach has lower dec oding complexity , a nd requires le ss feedback (only 1 -bit per time slot), it is s ub-optimal in general (when feedbac k of multiple bits is allowed). By all means , the single-level coding sc heme can be c onsidered as a special ca se o f a la yered-broadca st-coding based sc heme, in which all power is allocated to a s ingle laye r . It s erves as a b aseline sche me and further moti vates us to ﬁnd the be st power distrib ution for o ptimizing the layered-broadc ast-coding scheme . V . O P T I M A L P O W E R D I S T R I B U T I O N In this s ection, we deriv e the optimal distribution of power over c oded layers for o ur broadcas t approa ch. The se crecy rate given by (16) is hard to evaluate an d optimize due to the three-dimens ional integrals. After some steps of deriv a tions, we hav e a n alternati ve form given as follows: Lemma 2. The s ecrecy key rate giv e n by (16) is equiv alent to R s = max I ( x ) Z ∞ 0 [1 − F 1 ( x )] ρ ( x )  Z x 0 F 2 ( y ) dy [1 + y I ( x )] 2  dx, (27) with the cons traint I (0) = P , and ρ ( x ) = − dI ( x ) /dx . Pr oof: The proof ca n be foun d in Appe ndix E. 14 A. Optimal Interference Distribut ion In certain case s, optimization of R s with re spect to the power distributi on ρ ( x ) , or eq ui valently , the inter- ference distrib ution I ( x ) , under the power con straint P can be found by using the ca lculus o f variations. First, we deﬁne the functional of (27) a s L  x, I ( x ) , I ′ ( x )  = − [1 − F 1 ( x )] I ′ ( x )  Z x 0 F 2 ( y ) dy [1 + y I ( x )] 2  . A nece ssary condition for a maximum o f the integral of L ( x, I ( x ) , I ′ ( x )) over x is a zero variation of the functional. By solving the as sociated E ¨ uler-Lagrangian equation [32] giv e n as ∂ L ∂ I − d dx  ∂ L ∂ I ′  = 0 , (28) we have the follo wing cha racterization for the optimal I ( x ) . Theorem 2. A nec essary condition for op timizing I ( x ) in o rder to ma ximize the sec recy rate g i ven by (27) is to choo se I ( x ) to sa tisfy Z x 0 F 2 ( y ) dy [1 + y I ( x )] 2 = [1 − F 1 ( x )] F 2 ( x ) f 1 ( x ) [1 + xI ( x )] 2 , (29) where I ( x ) = 0 when x < x 0 or x ≥ x 1 . Here, x 0 and x 1 can be found by setting I ( x 0 ) = P and I ( x 1 ) = 0 in (29). Pr oof: The proof ca n be foun d in Appe ndix F. In gene ral, nu merical computation is neede d for so lving (29) in order to obtain the op timal interference distrib ution I ( x ) . For some special CDFs F 2 ( x ) , an an alytical form o f I ( x ) is poss ible if the integral in (29) can be ev aluated in a closed form. In the following, we consider two o f such spec ial cas es: 1) Non-F a ding Alice-Eve Channel: If the Alice-Eve chann el is constant with chann el power gain x ∗ , the CDF F 2 ( x ) is F 2 ( x ) = µ ( x − x ∗ ) , where µ ( x ) repres ents a unit step func tion. In this cas e, the optimal interference distribut ion is given by I ( x ) = 1 − F 1 ( x ) − ( x − x ∗ ) f 1 ( x ) x ( x − x ∗ ) f 1 ( x ) − x ∗ [1 − F 1 ( x )] , (30) which can be eas ily s hown from (29). 2) Non-Sec r e t Layer ed T ransmission: If key-generation is not c onsidered a nd it is de sired to ﬁnd the optimal I ( x ) to maximize the average reliably de codable rate at Bob in the non-se cret layered transmission , this c an be done by as suming x ∗ = 0 in (30). In this c ase, we hav e I ( x ) = 1 − F 1 ( x ) x 2 f 1 ( x ) − 1 x , (31) which is cons istent with the result giv e n in [29]. 15 B. Secrecy K ey Ra te W ith Optimal P ower Distribution Finally , we have the followi ng se crecy key rate un der the optimal power distributi on. Corollary 1. When the optimal power distrib u tion is used , the following s ecrecy key rate is achieved: R s = Z x 1 x 0 − [1 − F 1 ( x )] 2 F 2 ( x ) dI ( x ) f 1 ( x )[1 + xI ( x )] 2 , (32) where I ( x ) and ( x 0 , x 1 ) are found from the condition giv e n by The orem 2. Pr oof: The proof is straightforward by co mbining Le mma 2 and Theo rem 2. V I . A R AY L E I G H F A D I N G C H A N N E L In this section, we ass ume Rayleigh fading for both Ali ve-Bob a nd Alice-Eve cha nnels. The fading gains h t are exponentially d istrib uted with means λ t for t = 1 , 2 . That is, the PDFs of the fading ga in h t are f t ( s ) =    1 λ t exp  − s λ t  if s ≥ 0 , 0 otherwise, (33) for t = 1 , 2 and the CDFs are F t ( s ) =    1 − exp  − s λ t  if s ≥ 0 , 0 otherwise. (34) A. Single-Level-Coding Appr oa ch For comparison, we ﬁrst calculate the se crecy ke y rate when sing le-le vel cod ing is used . As shown in Appendix G, the sec recy rate is R [1] s = max R [1] ≥ 0 exp − e R [1] − 1 λ 1 P ! ( R [1] − exp  1 λ 2 P  " E i e R [1] λ 2 P ! − E i  1 λ 2 P  #) , (35) where E i ( x ) = R ∞ x [exp( − t ) /t ] dt is the exponential integral func tion. It can be veriﬁed tha t the above function is conc av e with respect to R [1] and thus has a uniqu e maximum, which can be sea rched nume rically . B. Layered-Coding Appr oach According to (32), the secrecy rate with layered coding under the optimal power control is co mputed numerically by ev alua ting R s = λ 1 Z x 1 x 0 exp( − x/λ 1 ) [exp( − x/λ 2 ) − 1] [1 + xI ( x )] 2 dI ( x ) , where the optimal interference dis trib ution I ( x ) and bo undary points x 0 and x 1 can be fou nd acc ording to Lemma 2 as follows. Interference Distrib ution I ( x ) 16 As shown in Ap pendix H, we have Z x 0 F 2 ( y ) dy [1 + y I ( x )] 2 = exp ( − x/λ 2 ) − 1 I ( x ) [ 1 + xI ( x )] + exp (1 /λ 2 I ( x ) ) λ 2 I 2 ( x )  E i  1 λ 2 I ( x )  − E i  1 + xI ( x ) λ 2 I ( x )  . (36) W e also have [1 − F 1 ( x )] F 2 ( x ) f 1 ( x ) [1 + xI ( x )] 2 = λ 1 [1 − exp( − x/λ 2 )] [1 + xI ( x )] 2 . (37) Therefore, we can show after some steps of arrangeme nts that I ( x ) is found by solving E i  1 λ 2 I ( x )  − E i  1 + xI ( x ) λ 2 I ( x )  (38) = λ 2 I ( x )[1 + λ 1 I ( x )] [1 + xI ( x )] 2  exp  − 1 λ 2 I ( x )  − exp  − 1 + xI ( x ) λ 2 I ( x )  . Boundar y P oints x 0 and x 1 W e ne eds to ﬁnd the bounda ry points x 0 and x 1 to meet the con straints tha t I ( x 0 ) = P and I ( x 1 ) = 0 . By letting I ( x 0 ) = P in (38), we c an s olve the eq uation for x 0 . Howe ver , x 1 cannot be solved by this mea ns since we cann ot let I ( x 1 ) = 0 in (38). Instea d, we let I ( x 1 ) = 0 in (29) a nd ﬁnd that Z x 1 0 F 2 ( y ) dy = x 1 + λ 2 [exp( − x 1 /λ 2 ) − 1] , and [1 − F 1 ( x 1 )] F 2 ( x 1 ) f 1 ( x 1 ) = λ 1 [1 − exp ( − x 1 /λ 2 )] . Therefore, x 1 can be found by so lving the follo wing equ ation: x 1 + ( λ 1 + λ 2 )  exp  − x 1 λ 2  − 1  = 0 . Interestingly , x 1 depend s on ly on the chann el s tatistics (characterized b y λ 1 and λ 2 for the Ra yleigh fading channe ls) and not on the power constraint P . Note tha t no power will be alloca ted to a layer with its index higher than x 1 (howe ver , it is possible that some layers lower than x 1 still have zero power alloca tion, as shown in the numerical example). Fina lly , we remark tha t every equation discus sed in this se ction ha s a unique solution after excluding a tri v ial solution 0 . C. Numerical Examp les Now we show some n umerical examples o n the achievable secrecy-key rates and the o ptimal power distri- buti on ρ ( s ) . W e co nsider the symmetric Rayleigh fading chan nel de ﬁned by (33) with λ 1 = λ 2 = 1 . Fig. 5 compa res the secrecy key rates achieved by the layered-coding a nd s ingle-lev e l-coding b ased sche mes (both optimized). W e a lso compare them with the secrecy rate wh en perfect and no ncausa l CSI of the Alice- Bob chan nel is av ailable to Alice. In this cas e, Alice is able to adapt its transmiss ion rate based on the CSI at 17 −5 0 5 10 15 20 25 30 35 40 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 Average Power (in dB) Secrecy Key Rate (in nats) perfect CSIT layered coding single−level coding Fig. 5. Secrecy key rates achiev able for the layered-coding-based approach, the si ngle-le vel-coding-based approach, and when perfect CSIT is av ailable at Alice noncausually . each time slot. W e still as sume a s hort-term power c onstraint and thus Alice d oes not adapt power in contrast to the sc heme gi ven by [12]. W ithout CSI a t Alice, the se crecy key rate achieved by the layered-coding based scheme is s igniﬁcantly highe r . This s hows the bene ﬁt of the b roadcas t ap proach due to the introduc tion of self-interference in transmission. Fig. 6 shows the op timal power d istrib ution over cod ed layers. A trend is that more p ower is distributed to lower layers as the total transmit power P beco mes larger . In ge neral, the optimal power d istrib ution does not concen trate mu ch on a c ertain laye r (or a small s et of layers ), e specially whe n P is lar ge. W e also comp are the optimal power distrib u tion for maximizing the secrecy key rate in key-generation and that for max imizing the av erage reliably decod able rate at Bob in non-secret transmission. W ith dif ferent power constraints, the power distrib utions for non-se cret transmission are on the same c urve but have dif ferent b oundary points, which is dif ferent from the cas e for key g eneration. Also, whe n the total transmit p ower exce eds a ce rtain threshold, the p ower distrib u tion for key generation is more c oncentrated over h igher laye rs (as s hown for the cas es of P = 5 and P = 20 ); while the opposite ca n be observed w hen P is small (as shown for the c ase of P = 1 in 18 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 0 50 10 0 15 0 20 0 25 0 30 0 la y e r in d e x p o w e r d is tr ib u ti o n k e y- g e n, P=2 0 k e y- g e n, P=5 n o n - s e c r e t P =2 0 n o n - s e c r e t P =5 0. 4 0. 6 0. 8 1 0 1 2 3 4 5 6 n o n -s e c ret k e y- g e n P=1 Fig. 6. Optimal po wer distributions for maximizing the secrecy key rate in key-gene ration (“ke y-gen”) and for maximizing the average reliably decodable rate at Bob i n non-secret transmission (“non-secret”) when the normalized transmit power is P = 1 , 5 , 20 . Fig. 6.) V I I . C O N C L U S I O N S In this p aper , we have introduce d a broadc ast approach for se cret-key gene ration over s lo w-fading channels based on l ayered broadcas t coding . W e ha ve considered a mode l in which Alice attempts to share a ke y with Bo b while keeping the key sec ret from Eve. Both Alice-Bob and Alice-Eve chan nels are as sumed to undergo slow fading, and perfect CSI is as sumed to be known only at the receivers during the transmission . Layered coding facilitates adapting the reliably d ecoded rate at Bob to the a ctual chan nel state without CSI av a ilable at Alice. The index of a reliably de coded layer is s ent ba ck to Alice via an authenticated , public and e rror -free ch annel, which is exploited by Alice and Bo b to gene rate the se cret key . W e have deri ved the a chiev a ble secrecy key rate and characterized the optimal power distributi on over code d laye rs. Our theoretical and n umerical results hav e shown tha t the broadcas t approa ch outperforms the single-level-coding bas ed approach s igniﬁcantly , which establishes the important role of introducing self-interference in facilitating secret-key g eneration over slow- fading c hannels when transmit CSI is no t available. 19 A P P E N D I X A P R O O F O F T H E O R E M 1 Let us ﬁrst co nsider the L -state fading wiretap cha nnel deﬁn ed by De ﬁnition 2. W e h av e the follo wing resu lt. Lemma A.1. For the L -state fading wiretap c hannel d eﬁned by Deﬁnition 2, the follo wing key-rate is achiev able: R s = X l 1 X l 2

Original Paper

Loading high-quality paper...

Comments & Academic Discussion

Loading comments...

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment