Lattices for Physical-layer Secrecy: A Computational Perspective

In this paper, we use the hardness of quantization over general lattices as the basis of developing a physical layer secrecy system. Assuming that the channel state observed by the legitimate receiver and the eavesdropper are distinct, this asymmetry is used to develop a cryptosystem that resembles the McEliece cryptosystem, designed to be implemented at the physical layer. We ensure that the legitimate receiver observes a specific lattice over which decoding is known to be possible in polynomial-time. while the eavesdropper observes a lattice over which decoding will prove to have the complexity of lattice quantization over a general lattice

💡 Research Summary

The paper proposes a novel physical‑layer cryptographic scheme that leverages the computational hardness of lattice quantization (the Closest Vector Problem, CVP) to achieve secrecy without any key exchange. The authors assume that the legitimate transmitter‑receiver pair (Alice and Bob) share a channel matrix H that is known to both parties, while an eavesdropper (Eve) experiences a different, independent channel matrix G. This asymmetry is the cornerstone of the design: Bob observes a lattice that can be decoded in polynomial time, whereas Eve observes a “general” lattice for which decoding is NP‑hard.

Two concrete constructions are presented.

1. Channel Inversion – When H is invertible, Alice maps a message m to a lattice point λ in a specially chosen lattice Λ (e.g., a block‑lower‑triangular Construction‑A lattice or a low‑density lattice code). She then transmits X = C·H⁻¹·λ, where C normalizes the transmit power. Bob receives Y_B = C·λ + N_B, directly recovers λ, and thus m, using the low‑complexity decoder for Λ. Eve receives Y_E = C·G·H⁻¹·λ + N_E. Because G·H⁻¹ is almost surely a non‑unitary matrix, the transformed lattice G·H⁻¹·Λ loses the special structure and becomes a generic lattice. Decoding this lattice under colored noise is equivalent to solving CVP on a random lattice, which is computationally infeasible.

2. SVD‑Based Truncated Inverse Water‑Filling – When H is not invertible or has widely varying singular values, the authors apply singular‑value decomposition H = U D Vᵗ. Only the k largest singular values (above a threshold t) are retained, forming a diagonal matrix D₁. Alice selects a k‑dimensional lattice point λ_k from a low‑complexity lattice, pads it with zeros to obtain an n‑dimensional vector ˜λ, and transmits X = C·V·D₁⁻¹·˜λ. Bob first multiplies the received vector by Uᵗ, isolates the first k coordinates, and decodes λ_k using the same efficient lattice decoder. Eve, however, observes Y_E = C·G·V·D₁⁻¹·˜λ + N_E, which again corresponds to a generic lattice with colored noise, making CVP hard.

The paper also details a specific lattice construction suitable for the scheme. It builds on Construction‑A, where the parity‑check matrix F is block‑lower‑triangular. The upper blocks K provide shaping gain (e.g., derived from the Leech lattice), while the lower blocks A_ij are chosen to give good coding gain and to enable belief‑propagation decoding. Because of the triangular structure, encoding reduces to solving a sequence of small‑scale CVP instances, which can be done efficiently, and decoding can be performed with standard LDPC‑style message passing.

Overall, the contribution is a physical‑layer cryptosystem that achieves computational secrecy by exploiting channel asymmetry rather than relying on traditional public‑key infrastructure. The legitimate parties need only know their own channel matrix H; Eve’s channel G is assumed unknown and statistically independent. Security holds as long as H is not a scaled identity (i.e., the channel is not static and identical for both parties). The authors discuss extensions to multiple‑antenna (MIMO) settings and note that the approach naturally accommodates time‑varying or inter‑symbol‑interference channels. Limitations include the reliance on sufficient disparity between H and G and the need for accurate channel state information at the transmitter. Future work is suggested on robustness to channel estimation errors, practical modulation schemes, and experimental validation in realistic wireless environments.