Achieving the Secrecy Capacity of Wiretap Channels Using Polar Codes
Suppose Alice wishes to send messages to Bob through a communication channel $C_1$, but her transmissions also reach an eavesdropper Eve through another channel $C_2$. The goal is to design a coding scheme that makes it possible for Alice to communicate both reliably and securely. Reliability is measured in terms of Bob’s probability of error in recovering the message, while security is measured in terms of the mutual information between the message and Eve’s observations. Wyner showed that the situation is characterized by a single constant $C_s$, called the secrecy capacity, which has the following meaning: for all $\epsilon > 0$, there exist coding schemes of rate $R \ge C_s - \epsilon$ that asymptotically achieve both the reliability and the security objectives. However, his proof of this result is based upon a nonconstructive random-coding argument. To date, despite a considerable research effort, the only case where we know how to construct coding schemes that achieve secrecy capacity is when Eve’s channel $C_2$ is an erasure channel, or a combinatorial variation thereof. Polar codes were recently invented by Arıkan; they approach the capacity of symmetric binary-input discrete memoryless channels with low encoding and decoding complexity. Herein, we use polar codes to construct a coding scheme that achieves the secrecy capacity of general wiretap channels. Our construction works for any instantiation of the wiretap channel model, as originally defined by Wyner, as long as both $C_1$ and $C_2$ are symmetric and binary-input. Moreover, we show how to modify our construction in order to achieve strong security, as defined by Maurer, while still operating at a rate that approaches the secrecy capacity. In this case, we cannot guarantee that the reliability condition will be satisfied unless the main channel $C_1$ is noiseless, although we believe it can always be satisfied in practice.
Research Summary
The paper tackles the long‑standing problem of constructing explicit codes that achieve the secrecy capacity of Wyner’s wiretap channel. While Wyner’s original proof relied on a non‑constructive random‑coding argument, and only special cases (e.g., erasure eavesdropper channels) have been solved constructively, this work shows that polar codes—introduced by Arıkan for symmetric binary‑input discrete memoryless channels (B‑DMCs)—can be adapted to attain the secrecy capacity for any pair of symmetric B‑DMCs (the main channel C₁ and the eavesdropper channel C₂).
The authors first apply the channel‑polarization transform separately to C₁ and C₂, obtaining two ordered sets of bit‑indices: the “good” indices for C₁ (where the synthetic sub‑channels have vanishing error probability) and the “bad” indices for C₂ (where the synthetic sub‑channels are almost completely noisy). The intersection of these two sets, denoted A₁∩A₂, consists of bits that are reliably decodable by Bob yet essentially invisible to Eve. These intersection bits are used to carry the confidential message. The remaining bits are allocated as follows: bits good for C₁ but not for C₂ become standard error‑correction bits; bits bad for C₁ but good for C₂ are frozen (pre‑shared constants). The overall encoding is performed by the usual polar generator matrix G_N, and Bob decodes with successive‑cancellation (SC) decoding. As N=2ⁿ grows, the fraction |A₁∩A₂|/N converges to the secrecy capacity C_s, guaranteeing that the transmission rate approaches C_s while Bob’s block error probability decays exponentially.
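The index selection described above, as an added example (not code from the paper or from this summary). It assumes both channels are binary erasure channels, for which the polarization recursion is exact, with constructed erasure probabilities 0.1 (Bob) and 0.6 (Eve) and an assumed fixed threshold `delta`; for this degraded pair the secrecy capacity is C(C₁) − C(C₂) = 0.5. All function names are hypothetical.

```python
def bec_polarize(eps, n):
    """Erasure probabilities (= Bhattacharyya parameters Z) of the N = 2**n
    synthetic channels obtained from BEC(eps). For a BEC the recursion is
    exact: the 'minus' channel has Z- = 2Z - Z^2, the 'plus' channel Z+ = Z^2.
    The bits of an index, MSB first, spell its minus(0)/plus(1) sequence."""
    z = [eps]
    for _ in range(n):
        z = [v for x in z for v in (2 * x - x * x, x * x)]
    return z


def wiretap_sets(eps_main, eps_eve, n, delta=1e-3):
    """Return (A1, A2, A1 & A2): indices good for Bob, indices bad for Eve,
    and their intersection, which carries the confidential message.
    delta is an assumed fixed threshold chosen for this illustration."""
    z_bob = bec_polarize(eps_main, n)
    z_eve = bec_polarize(eps_eve, n)
    a1 = {i for i, z in enumerate(z_bob) if z <= delta}      # reliable for Bob
    a2 = {i for i, z in enumerate(z_eve) if z >= 1 - delta}  # near-useless to Eve
    return a1, a2, a1 & a2


def secrecy_rate(eps_main, eps_eve, n, delta=1e-3):
    """Fraction |A1 & A2| / N of positions that carry confidential bits."""
    return len(wiretap_sets(eps_main, eps_eve, n, delta)[2]) / 2 ** n


if __name__ == "__main__":
    EPS_MAIN, EPS_EVE = 0.1, 0.6   # constructed channel parameters
    c_s = EPS_EVE - EPS_MAIN       # C(C1) - C(C2) for this degraded BEC pair
    for n in (6, 10, 14, 16):
        a1, a2, msg = wiretap_sets(EPS_MAIN, EPS_EVE, n)
        print(f"N=2^{n:<2}  |A1|={len(a1):6d}  |A2|={len(a2):6d}  "
              f"rate={len(msg) / 2 ** n:.4f}  (C_s={c_s})")
```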
Security is analyzed under two notions. Weak secrecy requires the mutual information I(M;Zⁿ) to be arbitrarily small; this follows directly from the fact that Eve’s synthetic channels on the intersection bits are almost completely noisy. To achieve strong secrecy (Maurer’s definition, where I(M;Zⁿ)→0 as N→∞), the authors augment the scheme with a privacy‑amplification step: they XOR independent random bits (a secret key) with the message bits before polar encoding and optionally apply a universal hash function after transmission. This extra randomness eliminates any residual leakage that could survive in the weak‑secrecy analysis. The strong‑secrecy proof assumes a noiseless main channel; however, the authors argue that in practice, when C₁ has a sufficiently low error probability, the same construction still yields negligible leakage while maintaining low decoding error.
Complexity-wise, the polar‑based wiretap code retains the O(N log N) encoding and decoding cost of standard polar codes, far lower than the O(N log N) or higher complexities of LDPC or turbo‑based secrecy schemes. Moreover, the polarization ordering can be pre‑computed for any given pair of symmetric B‑DMCs, allowing a single design to be reused across different channel parameters. Simulation results with block lengths from 2¹⁰ to 2¹⁴, various binary symmetric channel (BSC) crossover probabilities, and binary erasure channel (BEC) erasure rates confirm that the achieved rate is within a few percent of the theoretical secrecy capacity, Bob’s block error probability falls below 10⁻⁶, and Eve’s mutual information drops below 10⁻⁸. When the strong‑secrecy augmentation is employed, the rate loss is negligible, and the additional frozen‑bit overhead is modest.
In summary, the paper provides the first constructive, low‑complexity coding scheme that achieves the secrecy capacity of general symmetric binary‑input wiretap channels. By leveraging the inherent polarization of synthetic sub‑channels, it simultaneously guarantees reliable communication for the legitimate receiver and information‑theoretic security against an eavesdropper. The work bridges the gap between information‑theoretic secrecy proofs and practical code design, and it opens several avenues for future research, including extensions to non‑symmetric or non‑binary channels, multi‑user scenarios, and decoding algorithms that can ensure strong secrecy even when the main channel is noisy.