Secure Polar Coding for the Two-Way Wiretap ... - Semantic Scholar

1

Secure Polar Coding for the Two-Way Wiretap Channel

arXiv:1612.00130v1 [cs.IT] 1 Dec 2016

Mengfan Zheng, Meixia Tao, Wen Chen and Cong Ling

Abstract This paper studies polar coding for secure communications over the general two-way wiretap channel, where two legitimate users communicate with each other simultaneously while a passive eavesdropper overhears a combination of their exchanged signals. The legitimate users wish to design a coding scheme such that the interference between their codewords can be leveraged to jam the eavesdropper. This security method is called coded cooperative jamming. In this model, the eavesdropper observes a two-user multiple access channel (MAC). Inspired by recent studies on polar coding for asymmetric channels, Slepian-Wolf coding, MACs and general wiretap channels, we design a polar code-based cooperative jamming code that achieves the whole secrecy rate region of the general twoway wiretap channel under the strong secrecy criterion. To make proper alignment of polar indices, a multi-block strategy is used. For the special case when the eavesdropper channel is degraded with respect to both legitimate channels, a simplified scheme is proposed which can simultaneously ensure reliability and weak secrecy within a single transmission block. An example of the binary erasure channel case is given to demonstrate the performance of our scheme.

Index Terms Polar codes, two-way wiretap channel, coded cooperative jamming, physical-layer security, universal polar coding.

M. Zheng, M. Tao and W. Chen are with the Department of Electronic Engineering at Shanghai Jiao Tong University, Shanghai, China. Emails: {zhengmengfan, mxtao, wenchen}@sjtu.edu.cn. C. Ling is with the Department of Electrical and Electronic Engineering at Imperial College London, United Kingdom. Email: [email protected]. The corresponding author is Meixia Tao.

2

I. I NTRODUCTION Wyner proved in [1] that it is possible to communicate both reliably and securely over a wiretap channel, on the premise that the eavesdropper channel is degraded with respect to the legitimate channel. Since then, numerous works have been done on showing the existence of secure coding schemes for different kinds of channels. However, few of these results provide guidance for designing a specific polynomial-time coding scheme, except for some special cases [2]–[4]. Polar codes, proposed by Arıkan [5], have demonstrated capacity-achieving property in both source and channel coding [5]–[9]. The principle that lies behind polar codes is that one can generate a series of extremal channels (noiseless or purely noisy) from repeated uses of a single-user channel. The structure of polar codes makes them also suitable for designing secrecy codes. Polar coding has been studied for wiretap channels [10]–[17], broadcast channels with confidential messages [16], [17], bidirectional broadcast channels with common and confidential messages [18], relay-eavesdropper channels [19], fading wiretap channels [20], [21], multiple access wiretap channels [22], [23], and secret key generation [13], [24]. It has been proved that polar codes can achieve the secrecy capacity of the symmetric and degraded wiretap channel under the weak secrecy criterion [12] and also the strong secrecy criterion [14]. For the general wiretap channel, polar codes also have the same performance [15]–[17]. The two-way wiretap channel models the situation when two legitimate users communicate with each other simultaneously in the presence of a passive eavesdropper. In this model, signals overheard by the eavesdropper are combinations of the exchanged signals between two legitimate users. This motivates the idea of leveraging interference between two users’ transmitted codewords to degrade the eavesdropper channel, known as coded cooperative jamming. This problem was first investigated in [25], and the achievable rate region for the two-way wiretap channel was derived in [26], [27]. A practical scheme based on low-density parity-check (LDPC) code was presented in [28], which can guarantee weak secrecy for the special case of binary-input Gaussian two-way wiretap channel with equal-gained interference. In this paper, we investigate the design of polar codes for cooperative jamming in the general two-way wiretap channel. Note that the eavesdropper sees a two-user multiple access channel (MAC) in the two-way wiretap channel. Polar coding for MACs has been studied in [29]–[33]. There are two types of MAC polarization method in literature, either synthesizing N uses of the

3

original MAC into N new extremal MACs [31], [32], or 2N extremal point-to-point channels [29], [30], [33]. In our scheme, we adopt Arıkan’s monotone chain rule expansion method [29] which belongs to the first type, because it can achieve all points on the dominant face of the achievable rate region of a MAC with similar encoding/decoding complexity to the point-to-point case, and has simple structure. Although [29] mainly deals with the Slepian-Wolf problem in source coding, its method can be readily applied to the problem of coding for the 2-user MAC since they are dual problems, which has been studied in [30]. Reference [30] only considered uniform channel inputs. In [34] this method was generalized to the non-uniform case and used in the 2-user interference channel. In our method, by applying polarization on two legitimate channels and MAC polarization on the eavesdropper channel, we can partition two legitimate users’ uncoded bits into five group: 1) the deterministic bits, which are calculated after their previous bits are determined, and only exist in non-uniform channel input cases, 2) the reliable and secure bits, which will be used to transmit secret information, 3) the reliable but insecure bits, which should be filled with random bits, 4) the unreliable but secure bits, which will be carrying frozen bits, and 5) the unreliable and insecure bits, which pose a challenge to our code design. To handle bits of the last type, we utilize a multi-block strategy in this paper, which has been adopted in several other areas to deal with unaligned polar indices [14]–[17]. The main contributions of this paper are summarized as follows. •

A polar code-based cooperative jamming scheme for the general two-way wiretap channel is proposed, without any constraint on input distribution or channel symmetry. Self interference at each legitimate user is considered in the code design, making our proposed scheme suitable for a large variety of channels rather than additive ones. For additive channels, one may assume that each user’s self interference can be perfectly canceled. However, under a general channel setting, this assumption is inappropriate. In this paper, we deal with self interference by modeling two legitimate channels as point-to-point channels with additional side information. Since each user knows its own transmitted messages, they can be treated as side information when decoding.

•

Information theoretical analysis on reliability, secrecy and achievable rate region is performed. By applying MAC polarization on the eavesdropper channel using different types of monotone chain rule expansions, we can achieve different secrecy rate pairs. We prove

4

that our proposed scheme can achieve all points on the dominant face of the secrecy rate region of a two-way wiretap channel under the strong secrecy criterion. We can then claim that the whole region is achievable by time sharing. Note that we do not assume how the eavesdropper decodes by using MAC polarization. Different types of expansions used in the code design only determine the secrecy rate allocation between two legitimate users. •

A single-block scheme for the special case of degraded two-way wiretap channel is provided. In some special cases, such as when the eavesdropper channel is degraded with respect to both legitimate channels, secrecy and reliability can be simultaneously obtained within a single transmission block. We show that in the degraded case, with a slight modification our proposed scheme can achieve the secrecy rate region under the weak secrecy criterion within a single transmission block.

•

An example of binary erasure channels is presented to evaluate the performance of our proposed scheme for different code lengths. The information leakage, block error rate and secrecy sum rate are estimated for code length 28 to 227 . The results confirm the secrecy rate-achieving property of our proposed scheme.

The rest of this paper is organized as follows. In Section II we introduce the definition of the two-way wiretap channel and state the problem we investigate. Section III provides some necessary background on polarization and polar codes. In Section IV we describe details of our proposed polar coding scheme and analyze its performance. Section V shows a special case when weak secrecy can be obtained within a single transmission block. Section VI gives an example of the binary erasure channel case. We conclude this paper in Section VII. Notation: [N ] denotes the index set of {1, 2, ..., N }. Random variables are denoted by capital letters X, Y , U , V , ... with values x, y, u, v, ... respectively. For a vector y = (y 1 , y 2 , ...y N ), y i:j denotes the subvector (y i , ..., y j ) of y, and y A denote the subvector {y i : i ∈ A} of y for A ⊂ [N ]. F⊗n denotes the nth Kronecker power of F. GN = BN F⊗n is the generator matrix of polar codes, where N = 2n is the code length with n beingan arbitrary integer, BN is a 1 0 . permutation matrix known as bit-reversal matrix, and F =  1 1

5

Fig. 1.

The two-way wiretap channel.

II. P ROBLEM S TATEMENT A. Channel Model We consider the secure communication problem in the two-way wiretap channel as illustrated in Fig. 1. In this model, each of the two legitimate users, Alice and Bob, is equipped with a transmitter and a receiver. The channel is assumed to be full-duplex, and the two users communicate with each other simultaneously under the existence of a passive eavesdropper, Eve. Details of the communications are as follows: •

Alice wants to send a message M1 to Bob at rate R1 over N channel uses, she encodes M1 into a codeword X1 and transmits it through the channel;

•

Bob wants to send a message M2 to Alice at rate R2 also over N channel uses, he encodes

•

M2 into a codeword X2 and transmits it through the channel; ˆ 2; Alice observes Y2 from the channel and recovers M

•

ˆ 1; Bob observes Y1 from the channel and recovers M

•

Eve observes Ye .


Definition 1: A memoryless two-way wiretap channel X1 , X2 , Y1 , Y2 , Ye , PY1 Y2 Ye |X1 X2 consists of two input alphabets X1 and X2 , three output alphabets Y1 , Y2 and Ye , and transition probability PY1 Y2 Ye |X1 X2 such that ∀(x1 , x2 ) ∈ X1 × X2 ,

X X X y1 ∈Y1 y2 ∈Y2 ye ∈Ye

PY1 Y2 Ye |X1 X2 (y1 , y2 , ye |x1 , x2 ) = 1.

(1)

6

B. Coded Cooperative Jamming The multiple access nature of the eavesdropper channel renders Alice and Bob an advantage over Eve, since the combination of their signals may have a detrimental effect on her. In the multi-user communication scenario, a natural approach to enhance security is to use cooperative jamming [25]. While one user is transmitting secret messages, the other user transmits artificial noise to reduce the eavesdropper’s signal-to-noise ratio. In such a scheme, only one user can transmit useful information at a time. Another approach which overcomes this limitation is to utilize interference between codewords to jam the eavesdropper. In this case, both users transmit secret messages simultaneously, and their codewords are elaborately designed so that the interference between them can confuse the eavesdropper. This scheme is called coded cooperative jamming [25]. In this paper, we use polar codes to design such a code. The goal of designing a secure coding scheme for the two-way wiretap channel is to make sure Eve obtain no (or vanishing) information about M1 and M2 from Ye , while Alice and Bob can estimate their received massages correctly. The performance of a coding scheme is assessed by its reliability and secrecy. For a coding scheme of code length N , reliability is measured by the probability of error  ˆ 1, M ˆ 2 ) 6= (M1 , M2 ) . Pe (N ) = Pr (M

(2)

Secrecy can be measured by the information leakage (strong secrecy) or the information leakage rate (weak secrecy) according to different security requirements. The information leakage is defined as L(N ) = I(Ye ; M1 , M2 ),

(3)

and the information leakage rate is defined as the information leaked per bit: LR (N ) =

1 L(N ). N

(4)

The objective of a secure coding scheme is then: lim Pe (N ) = 0;

(5)

lim L(N ) = 0 (strong secrecy), or

(6)

lim LR (N ) = 0 (weak secrecy).

(7)

N →∞

N →∞

N →∞

7

Criterion (7) is called weak secrecy because it does not guarantee vanishing information leakage. For some strict situations this is unacceptable. In Section IV we will introduce the general strong secrecy scheme. In Section V we discuss a special case when weak secrecy can be achieved within a single transmission block. C. Achievable Rate Region A rate pair (R1 , R2 ) is said to be achievable for a two-way wiretap channel under the strong/weak secrecy criterion if there exists a coding scheme such that (5) and (6)/(7) can be satisfied. The achievable rate region of this channel is the closure of all achievable rate pairs. For a two-way wiretap channel with transition probability PY1 Y2 Ye |X1 X2 (y1 , y2 , ye |x1 , x2 ), the secrecy rate region under the strong (as well as         [  R1   RS (PY1 Y2 Ye |X1 X2 ) =   R 2 P ∈P    

weak) secrecy criterion is [26] R1 ≤ I(Y1 ; C1 |X2 ) − I(C1 ; Ye ) R2 ≤ I(Y2 ; C2 |X1 ) − I(C2 ; Ye ) R1 + R2 ≤ I(Y1 ; C1 |X2 ) + I(Y2 ; C2 |X1 ) − I(C1 , C2 ; Ye )

      

,

(8)

     

where P = {PX1 X2 C1 C2 Y1 Y2 Ye factorizing as: PY1 Y2 Ye |X1 X2 PX1 |C1 PC1 PX2 |C2 PC2 }. III. R EVIEW OF P OLAR C ODING A. Polar Coding for Asymmetric Channels Polar codes are originally designed for the symmetric channels. To apply polar codes to asymmetric channels, one way is to use Gallager’s alphabet extension method by mapping uniformly distributed auxiliary symbols to the actual ones [35, p. 208]. However, the complexity of such an approach will increase drastically when the optimal distribution cannot be approximated by simple rational numbers. Reference [9] proposed a simple and direct method to extend polar codes to arbitrary input distributions, by invoking results on polar coding for lossless compression. In this subsection, we briefly review their method. First, consider compression of a discrete memoryless source. Let X 1:N be N independent copies of a binary random variable X with arbitrary distribution, and U 1:N = X 1:N GN . As N goes to infinity, the components of U 1:N polarize in the sense that U i (i ∈ [N ]) are either almost

8

independent of U 1:i−1 and uniformly distributed, or almost determined by U 1:i−1 [7]. Based on this phenomenon, we can define the following two polarized sets: (N )

(9)

(N )

(10)

HX = {i ∈ [N ] : Z(U i |U 1:i−1 ) ≥ 1 − δN }, LX = {i ∈ [N ] : Z(U i |U 1:i−1 ) ≤ δN }, β

where δN = 2−N with β ∈ (0, 1/2), and Z(X|Y ) is the Bhattacharyya parameter defined for a random variable pair (X, Y ) with X being binary and Y being defined on arbitrary countable alphabet. Definition 2 (Bhattacharyya parameter): q X Z(X|Y ) = 2 PY (y) PX|Y (0|y)PX|Y (1|y).

(11)

y∈Y

It is shown that

1 (N ) |HX | = H(X), N →∞ N (12) 1 (N ) lim |LX | = 1 − H(X). N →∞ N Next, consider compression of two correlated sources. Let (X, Y ) ∼ pX,Y be a random variable lim

pair, with X being binary and Y being defined on arbitrary countable alphabet. Consider X as the memoryless source to be compressed and Y as side information of X. Let U 1:N = X 1:N GN . Similar to the single source case, as N goes to infinity, U i (i ∈ [N ]) becomes either almost independent of (Y 1:N , U 1:i−1 ) and uniformly distributed, or almost determined by (Y 1:N , U 1:i−1 ) β

[29]. For δN = 2−N with β ∈ (0, 1/2), define the following polarized sets: (N )

(13)

(N )

(14)

HX|Y = {i ∈ [N ] : Z(U i |Y 1:N , U 1:i−1 ) ≥ 1 − δN }, LX|Y = {i ∈ [N ] : Z(U i |Y 1:N , U 1:i−1 ) ≤ δN }, which satisfy

1 (N ) |HX|Y | = H(X|Y ), N →∞ N 1 (N ) lim |LX|Y | = 1 − H(X|Y ). N →∞ N Obviously, the following inclusion relations holds: lim

(N )

(N )

(N ) LX|Y

(N ) LX .

HX|Y ⊆ HX , ⊇

(15)

(16)

9

Now we can design polar codes for a binary-input discrete memoryless channel (B-DMC) W (Y |X) with arbitrary input distribution. Let U 1:N = X 1:N GN and consider Y as side infor(N )

mation about X. Define HX

(N )

(N )

(N )

and LX as in (9) and (10), and HX|Y and LX|Y as in (13) and

(14). Then we can construct a polar code for W as follows. Let I , HX ∩ LX|Y ,

(17)

F , HX ∩ LcX|Y ,

(18)

c D , HX .

(19)

The encoding procedure goes as follows: •

{ui }i∈I carry information,

•

{ui }i∈F are filled with uniformly distributed frozen bits (shared between the sender and the receiver),

•

{ui }i∈D will be calculated as ui = arg max PU i |U 1:i−1 (u|u1:i−1 ). u={0,1}

Upon receiving y 1:N , the receiver decodes u1:N using a successive cancellation (SC) decoder:    ui , if i ∈ F    u¯i = arg maxu∈{0,1} PU i |U 1:i−1 (u|u1:i−1 ), if i ∈ D .     arg max 1:N , u1:i−1 ), if i ∈ I u∈{0,1} PU i |Y 1:N U 1:i−1 (u|y The rate of such a scheme, R =

1 |I|, N

satisfies

lim R = I(X; Y ),

N →∞

and the block error probability of such a polar code can be upper bounded by X β Pe ≤ Z(U i |Y 1:N , U 1:i−1 ) = O(2−N ).

(20)

(21)

i∈I

B. Polar Coding for Multiple Access Channels In this subsection we recap the MAC polarization method introduced in [29] and generalized to asymmetric channels in [34]. The achievable rate region of a binary-input discrete memoryless

10

2-user MAC PY |X1 X2 (y|x1 , x2 ) is given by [36]      0 ≤ R1 ≤ I(X1 ; Y |X2 )   R 1   R(PY |X1 X2 ) = 0 ≤ R2 ≤ I(X2 ; Y |X1 )   R 2   R1 + R2 ≤ I(X1 , X2 ; Y )

    

.

(22)

   

Define U11:N = X11:N GN , U21:N = X21:N GN ,

(23)

and let S 1:2N = (S 1 , ..., S 2N ) be a permutation of U11:N U21:N such that it preserves the relative order of elements of both U11:N and U21:N , called a monotone chain rule expansion. For i ∈ [2N ], let bi = 0 represent that S i ∈ U11:N , and bi = 1 represent that S i ∈ U21:N . Then a monotone chain rule expansion can be represented by a string b2N = b1 b2 ...b2N , called the path of the expansion. The mutual information between the receiver and two users can be expanded as I(Y 1:N ; U11:N , U21:N ) = H(U11:N , U21:N ) − H(U11:N , U21:N |Y 1:N ) = N H(X1 ) + N H(X2 ) −

2N X

H(S i |Y 1:N , S 1:i−1 ).

i=1

The rate of user j (j = 1, 2) is can be defined as 1 X RUj = H(Xj ) − H(S i |Y 1:N , S 1:i−1 ), N i∈S

(24)

Uj

where SUj , {i ∈ [2N ] : S i ∈ Uj1:N }. It is can be shown by duality from [29] that the rate pair (RU1 , RU2 ) lies on the dominant face of R(PY |X1 X2 ) as N goes to infinity, and arbitrary points on the dominant face of R(PY |X1 X2 ) can be achieved with expansions of type 0i 1N 0N −i (0 ≤ i ≤ N ) given sufficiently large N . It is also shown that H(S i |Y 1:N , S 1:i−1 ) (i ∈ [2N ]) polarizes to 0 or 1 as N goes to infinity. Having selected a specific expansion for a target rate pair, we still need enough code length to polarize the MAC sufficiently. In order to do so, we need to scale the path. For any integer l = 2m , let lb2N denote b1 · · · b1 b2 · · · b2 · · · · · · b2N · · · b2N , | {z } | {z } | {z } l

l

l

which is a monotone chain rule for U11:lN U21:lN . It is shown in [29] that b2N and lb2N have the same rate pair.

11

Now we can construct a polar code for the 2-user MAC as follows. Let fj (i) : [N ] → SUj (j = 1, 2) be the mapping from indices of Uj1:N to indices of {S i : i ∈ SUj }. For δN = 2−N

β

with β ∈ (0, 1/2), define (N )

HSU , {i ∈ [N ] : Z(S fj (i) |S 1:fj (i)−1 ) ≥ 1 − δN }, j

(N ) LSU |Y j

, {i ∈ [N ] : Z(S

fj (i)

|Y

1:N

,S

1:fj (i)−1

(25)

) ≤ δN }.

Since X1 and X2 are independent, we have (N )

(N )

HSU = HXj , {i ∈ [N ] : Z(Uji |Uj1:i−1 ) ≥ 1 − δN }. j

(26)

Then user j’s (j = 1, 2) indices can be partitioned as (N )

(N )

j

j

Ij , HSU ∩ LSU

|Y ,

(N )

(N )

j

j

Fj , HSU ∩ (LSU

|Y )

C

(27)

,

(N )

Dj , (HSU )C . j

The encoding procedure of each user is similar to the single-user case. Upon receiving y 1:N , the receiver jointly decodes u1:N and u1:N as 1 2    ui1 ,    u¯i1 = arg maxu∈{0,1} PU i |U 1:i−1 (u|u1:i−1 ), 1  1 1     arg maxu∈{0,1} PS f1 (i) |Y 1:N S 1:f1 (i)−1 (u|y 1:N , s1:f1 (i)−1 ),    ui2 ,    u¯i2 = arg maxu∈{0,1} PU i |U 1:i−1 (u|u1:i−1 ), 2  2 2    arg max 1:N , s1:f2 (i)−1 ), u∈{0,1} PS f2 (i) |Y 1:N S 1:f2 (i)−1 (u|y The error performance of such a scheme is upper bounded by X β Pe ≤ Z(S i |Y 1:N , S 1:i−1 ) = O(2−N ),

if i ∈ F1 if i ∈ D1 , if i ∈ I1 if i ∈ F2 if i ∈ D2 . if i ∈ I2

(28)

i∈I

where I ⊂ [2N ] is the set of information indices with respect to S 1:2N . Proposition 1 ( [29]): Let PY |X1 X2 (y|x1 , x2 ) be the transition probability of a binary-input memoryless 2-user MAC. Consider the transformation defined in (23). Let N0 = 2n0 for some n0 ≥ 1 and fix a path b2N0 for U11:N0 U21:N0 . The rate pair for b2N0 is denoted by (RU1 , RU2 ).

12

Let N = 2l N0 for l ≥ 1 and let S 1:2N be the expansion represented by 2l b2N0 . Then, for any given δ > 0, as l goes to infinity, we have 1 {i ∈ [2N ] : δ < Z(S i |Y 1:N , S 1:i−1 ) < 1 − δ} → 0, 2N |I1 | |I2 | → RU1 and → R U2 . N N

(29)

IV. P OLAR C ODING FOR THE T WO -WAY W IRETAP C HANNEL A. The Proposed Scheme 1) Polarization of Legitimate Channels: For a given PX1 X2 C1 C2 Y1 Y2 Ye ∈ P, define Bob’s effective channel as W1 (y1 |c1 , x2 ) ,

X

PY1 |X1 X2 (y1 |x1 , x2 )PX1 |C1 (x1 |c1 ),

x1

and Alice’s effective channel as W2 (y2 |x1 , c2 ) ,

X

PY2 |X1 X2 (y2 |x1 , x2 )PX2 |C2 (x2 |c2 ).

x2

Since each legitimate user knows its own transmitted signal, he/she will treat it as side information while decoding the other user’s message. Let Uj1:N = Cj1:N GN and Vj1:N = Xj1:N GN β

for j = 1, 2. For a given δN = 2−N with β ∈ (0, 1/2), define (N )

HC1 |X2 , {i ∈ [N ] : Z(U1i |X21:N , U11:i−1 ) ≥ 1 − δN },

(30)

(N )

(31)

LC1 |Y1 X2 , {i ∈ [N ] : Z(U1i |Y11:N , X21:N , U11:i−1 ) ≤ δN }, (N )

HC2 |X1 , {i ∈ [N ] : Z(U2i |X11:N , U21:i−1 ) ≥ 1 − δN },

(32)

(N )

(33)

LC2 |Y2 X1 , {i ∈ [N ] : Z(U2i |Y21:N , X11:N , U21:i−1 ) ≤ δN }, (N )

(34)

(N )

(35)

LX1 |C1 , {i ∈ [N ] : Z(V1i |C11:N , V11:i−1 ) ≤ δN }, LX2 |C2 , {i ∈ [N ] : Z(V2i |C21:N , V21:i−1 ) ≤ δN }. Since two users’ messages are independent, we have (N )

(N )

(N )

(N )

HC1 |X2 = HC1 , {i ∈ [N ] : Z(U1i |U11:i−1 ) ≥ 1 − δN }, HC2 |X1 = HC2 , {i ∈ [N ] : Z(U2i |U21:i−1 ) ≥ 1 − δN }.

13

For conventional two-way communication without secrecy requirement, the reliable bit sets for two users are defined as (N )

(N )

(N )

(N )

G1 = HC1 |X2 ∩ LC1 |Y1 X2 ,

(36)

G2 = HC2 |X1 ∩ LC2 |Y2 X1 , the rates of which are

1 |G1 | = I(Y1 ; C1 |X2 ), N →∞ N (37) 1 lim |G2 | = I(Y2 ; C2 |X1 ). N →∞ N To generate the final codeword, consider Xj and Cj (j = 1, 2) as two correlated sources. Once lim

Cj1:N is determined, Vj1:N can be computed as follows: •

{vji }i∈(L(N )

)c

{vji }i∈L(N )

will be calculated as

Xj |Cj

•

are filled with uniformly distributed random bits,

Xj |Cj

1:i−1 vji = arg max PV i |C 1:N V 1:i−1 (v|c1:N ). j , vj v={0,1}

j

j

(38)

j

1:N Since GN = G−1 = Vj1:N GN . One can also transmit Cj1:N through a virtual N , we have Xj

channel PXj |Cj (xj |cj ) to generate the final codeword. 2) Polarization of the Eavesdropper Channel: Eve’s effective channel is defined as XX We (ye |c1 , c2 ) , PYe |X1 X2 (ye |x1 , x2 )PX1 |C1 (x1 |c1 )PX2 |C2 (x2 |c2 ), x1

x2

the achievable rate region of which is given by      0 ≤ R1 ≤ I(C1 ; Ye )   R 1  R(We ) =  0 ≤ R2 ≤ I(C2 ; Ye )   R 2   R1 + R2 ≤ I(C1 , C2 ; Ye )

    

.

(39)

   

Let PS = (RS1 , RS2 ) be any point on the dominant face of RS (PY1 Y2 Ye |X1 X2 ). To achieve PS , the rates for random bits in Alice’s and Bob’s transmitted signals are Re1 = I(Y1 ; C1 |X2 ) − RS1

(40)

Re2 = I(Y2 ; C2 |X1 ) − RS2

(41)

and

respectively. Obviously PE , (Re1 , Re2 ) is on the dominant face of R(We ). Let S 2N be the permutation of U11:N U21:N that achieves PE in We . Define SUj , {i ∈ [2N ] : S i ∈ Uj1:N } for

14

j = 1, 2, and let fj (i) : [N ] → SUj be the mapping from indices of Uj1:N to indices of S SUj . Then we can define the following polarized sets from Eve’s point of view:  (N ) HSU , i ∈ [N ] : Z(S f1 (i) |S 1:f1 (i)−1 ) ≥ 1 − δN , 1  (N ) HSU , i ∈ [N ] : Z(S f2 (i) |S 1:f2 (i)−1 ) ≥ 1 − δN , 2  (N ) HSU |Ye , i ∈ [N ] : Z(S f1 (i) |Ye1:N , S 1:f1 (i)−1 ) ≥ 1 − δN , 1  (N ) HSU |Ye , i ∈ [N ] : Z(S f2 (i) |Ye1:N , S 1:f2 (i)−1 ) ≥ 1 − δN , 2  (N ) LSU |Ye , i ∈ [N ] : Z(S f1 (i) |Ye1:N , S 1:f1 (i)−1 ) ≤ δN , 1  (N ) LSU |Ye , i ∈ [N ] : Z(S f2 (i) |Ye1:N , S 1:f2 (i)−1 ) ≤ δN .

(42) (43) (44) (45) (46) (47)

2

Since two users’ messages are independent from each other, we have (N )

(N )

(N )

(N )

HSU = HC1 , HSU = HC2 . 2

1

Note that we do not assume how Eve decodes by using a specific permutation of S 2N . S 2N only determines the secrecy rate allocation between two users. We will show in the next subsection that our scheme satisfies the strong secrecy criterion whichever permutation we use. 3) Polar Coding for the Two-Way Wiretap Channel: Now we can partition the uncoded bit indices of each user into five sets. For Alice, the five sets are (N )

(N )

(N )

I1 = HC1 ∩ LC1 |Y1 X2 ∩ HSU |Ye , 1
c (N ) (N ) (N ) F1 = HC1 ∩ LC1 |Y1 X2 ∩ HSU |Ye , 1
c (N ) (N ) (N ) a R1 = HC1 ∩ LC1 |Y1 X2 ∩ HSU |Ye , 1

c c (N ) (N ) (N ) Rb1 = HC1 ∩ LC1 |Y1 X2 ∩ HSU |Ye , 1
c (N ) D1 = HC1 ,

(48)

as illustrated in Fig. 2. For Bob, I2 , F2 , Ra2 , Rb2 and D2 can be similarly defined. We take Alice’s codeword as an example to show the code design. D1 are deterministic bits that should be calculated according to their previous bits. I1 are bits that are both reliable and secure (i.e. unreliable for Eve), therefore can be used to carry secret information. F1 are bits that are unreliable but secure, thus should carry frozen bits. Ra1 are bits that are reliable but insecure, hence should be filled with random bits to confuse Eve. The existence of Rb1 makes the code design challenging since they are neither reliable nor secure. If one assigns them to random bits,

15

Fig. 2.

Code construction for Alice.

reliability can not be guaranteed, and if to frozen bits, secrecy is sacrificed. Because of this, it is unlikely to achieve both reliability and secrecy within a single transmission block for the general channel case. To solve this, we use the chaining strategy. Since Rb1 and Rb2 are the main cause for the fact that reliability and secrecy can not simultaneously be satisfied, the key point is to find a way to ensure their randomness with respect to the eavesdropper and definiteness to legitimate users simultaneously. If |I1 | > |Rb1 | and |I2 | > |Rb2 | (corresponding to the positive secrecy rate case), this is possible through a multi-block strategy. Choose a subset I1b of I1 such that |I1b | = |Rb1 |, and a subset I2b of I2 such that |I2b | = |Rb2 |. Denote I1a = I1 \ I1b and I2a = I2 \ I2b . Consider a series of m transmission blocks. The set I1b in the kth (1 ≤ k < m) block is chained to Rb1 in the (k + 1)th block (meaning they have the same value), and I2b in the kth (1 ≤ k < m) block is chained to Rb2 in the (k + 1)th block. In the kth block, Alice and Bob can decode I1b and I2b respectively while Eve can not. In the (k + 1)th block, the decoding result of I1b and I2b in the previous block will provide the bit values at Rb1 and Rb2 , which will serve as frozen bits. To initiate the transmission, Alice and Bob should have two secret seed sequences of length |Rb1 | and |Rb2 | respectively. The seed rate |Rb1 |/mN and |Rb2 |/mN can be made arbitrarily small by

16

Fig. 3.

The multi-block coding scheme.

choosing sufficiently large m. Details of the encoding and decoding procedures are as follows. Encoding: In the 1st block, Alice encodes it message as follows: •

{ui1 }i∈I1a carry secret information,

•

{ui1 }i∈Ra1 ∪I1b are filled with uniformly distributed random bits,

•

{ui1 }i∈Rb1 carry uniformly distributed secret seed shared only between two users,

•

{ui1 }i∈F1 are filled with uniformly distributed frozen bits,

•

{ui1 }i∈D1 will be calculated as ui1 = arg max PU1i |U11:i−1 (u|u1:i−1 ), 1 u={0,1}

•

(49)

then the actually transmitted codeword is computed as described in Section IV-A1.

Bob encodes its message similarly by replacing subscript 1 by 2. In the kth (1 < k ≤ m) block, Rb1 and Rb2 are respectively assigned to the same value of I1b and I2b in the (k − 1)th block, and the rest bits are encoded in the same way as in the 1st block. Decoding: Bob decodes Alice’s message as follows:

17

In the 1st block,    if i ∈ F1 ∪ Rb1 ui1 ,    . u¯i1 = arg maxu∈{0,1} PU i |U 1:i−1 (u|u1:i−1 ), if i ∈ D1 1  1 1    1:i−1 arg max 1:N 1:N ), if i ∈ Ra1 ∪ I1a ∪ I1b u∈{0,1} PU i |Y 1:N X 1:N U 1:i−1 (u|y1 , x2 , u1 1 1 1 2 In the kth (1 < k ≤ m) block,    ui1 ,       u¯i0 in the (k − 1)th block, 1 i u¯1 =   arg maxu∈{0,1} PU1i |U11:i−1 (u|u11:i−1 ),       1:i−1 arg maxu∈{0,1} P i 1:N 1:N 1:i−1 (u|y11:N , x1:N ), 2 , u1 U1 |Y1 X2 U1 0

(50)

if i ∈ F1 if i ∈ Rb1

,

(51)

if i ∈ D1 if i ∈ Ra1 ∪ I1a ∪ I1b

0

0

where ui1 for i0 ∈ I1b is the counterpart of ui1 for i ∈ Rb1 , and u¯i1 is the estimate of ui1 . Alice decodes Bob’s message similarly by swapping subscripts 1 and 2. B. Performance In the kth (1 ≤ k ≤ m) block, for Alice’s encoder, message bits at I1a are denoted by M1,k , random bits at Ra1 by N1,k , random bits at I1b by E1,k , frozen bits at F1 as F1,k , and deterministic bits at D1 as D1,k . Bits at Rb1 are equal to E1,k−1 , with E1,0 being the secret seed. The transmitted codeword of Alice is denoted by X1,k . For Bob, M2,k , N2,k , E2,k , F2,k , D2,k and X2,k are similarly defined. Eve’s channel output is denoted by Ye,k . Denote Mkj , {Mj,1 , ..., Mj,k }, Ekj , {Ej,1 , ..., Ej,k } and Fkj , {Fj,1 , ..., Fj,k } for j = 1, 2, and let Yek , {Ye,1 , ..., Ye,k }. (k)

(k)

1) Reliability: Let Pe1 and Pe2 be the block error probability of Bob’s and Alice’s decoder in the kth block respectively. Since each user decodes their received blocks successively, the block error probability is identical to that of a genie-aided decoder which uses the exact values (k)

of frozen bits rather than their estimates [5]. Thus under the SC decoding algorithm, Pe1 and (k)

Pe2 are upper bounded by (k)

Pe1 ≤

X

β

Z(U1i |Y11:N , X21:N , U11:i−1 ) = O(2−N ),

i∈I1 ∪Ra 1 (k)

Pe2 ≤

X i∈I2 ∪Ra 2

β

Z(U2i |Y21:N , X11:N , U21:i−1 ) = O(2−N ).

18

Then the error probability of m transmission blocks is upper bounded by Pe =

m X

(k)

Pe1 +

k=1

m X

(k)

β

Pe2 ≤ 2mO(2−N ).

(52)

k=1

2) Secrecy: We will show that our scheme satisfies the strong secrecy criterion. For this purpose we will need the following lemma. Lemma 1: For any k ∈ [m], we have β

I(M1,k , M2,k , E1,k , E2,k ; Ye,k ) = O(N 2−N ).

(53)

Proof: Let t = |I1 | + |I2 | and {a1 , a2 , ..., at } ⊂ [2N ] denote the set of indices such that f (i1 )

{S a1 , ..., S at } = {U1 1

f (i2 )

, U2 2

: i1 ∈ I1 , i2 ∈ I2 }. Then we have

I(M1,k , M2,k , E1,k , E2,k ; Ye,k ) = H(M1,k , M2,k , E1,k , E2,k ) − H(M1,k , M2,k , E1,k , E2,k |Ye,k ) =

t X


H(S ai |S a1 , ..., S ai−1 ) − H(S ai |Ye,k , S a1 , ..., S ai−1 )

i=1

≤

t X

H(S ai |S a1 , ..., S ai−1 ) − H(S ai |Ye,k , S 1:ai −1 )




(54)

i=1

≤

t X

1 − Z(S ai |Ye,k , S 1:ai −1 )2




(55)

i=1

≤

t X

1 − (1 − δN )2




i=1 β

= O(N 2−N ), where (54) holds because H(S ai |Ye,k , S a1 , ..., S ai−1 ) ≥ H(S ai |Ye,k , S 1:ai −1 ), and (55) holds because H(S ai |Ye,k , S 1:ai −1 ) ≥ Z(S ai |Ye,k , S 1:ai −1 )2 from [6, Proposition 2]. Suppose Eve has the knowledge of all frozen bits, the information leakage of our scheme is m m m m L(N ) = I(Mm 1 , M2 ; Ye |F1 , F2 ) m m m m m m m = I(Mm 1 , M2 , F1 , F2 ; Ye ) − I(F1 , F2 ; Ye ) m m m m m m m m m m = I(Mm 1 , M2 ; Ye ) + I(F1 , F2 ; Ye |M1 , M2 ) − I(F1 , F2 ; Ye ).

Since the frozen bits are already known, we have m m L(N ) = I(Mm 1 , M2 ; Ye ).

(56)

19

By letting Mk , (M1,k , M2,k ) and Ek , (E1,k , E2,k ), we can perform a similar analysis to the one-way wiretap channel in [14] on the information leakage of our scheme, which is given by m m I(Mm 1 , M 2 ; Ye ) m m ≤ I(Mm 1 , M2 , E1,m , E2,m ; Ye )

≤ I(Mm−1 , Mm−1 , E1,m−1 , E2,m−1 ; Yem−1 ) + I(M1,m , M2,m E1,m , E2,m ; Ye,m ). 1 2 By induction hypothesis we have m X m m m I(M1,k , M2,k , E1,k , E2,k ; Ye,k ) + I(E1,0 , E2,0 ; Ye,0 ), I(M1 , M2 ; Ye ) ≤

(57)

k=1

where I(E1,0 , E2,0 ; Ye,0 ) is Eve’s knowledge about the secret seeds, which should be 0 in a secure coding scheme. From Lemma 1 we have β

m m −N I(Mm ). 1 , M2 ; Ye ) ≤ mO(N 2

(58)

This means that limN →∞ L(N ) = 0. 3) Achievable Rate Region: Theorem 1: The coding scheme described in the previous subsection achieves the whole secrecy rate region of the two-way wiretap channel defined in (8) under the strong secrecy criterion. Proof: From the previous subsection we can see that the achievable rate pair of our scheme is given by

1 a |I | N 1
1 = |I1 | − |Rb1 | N
1 = |I1 ∪ Ra1 | − |Rb1 ∪ Ra1 | N
c  1  (N ) (N ) (N ) (N ) |HC1 ∩ LC1 |Y1 X2 | − |HC1 ∩ HSU |Ye | = 1 N

R1 =

and R2 = From (37) we have


c  1  (N ) (N ) (N ) (N ) |HC2 ∩ LC2 |Y2 X1 | − |HC2 ∩ HSU |Ye | . 2 N 1 (N ) (N ) |HC1 ∩ LC1 |Y1 X2 | = I(Y1 ; C1 |X2 ), N →∞ N 1 (N ) (N ) lim |HC2 ∩ LC2 |Y2 X1 | = I(Y2 ; C2 |X1 ). N →∞ N lim

20

From (29) we have

1 (N ) (N ) |HSU ∩ LSU |Ye | = Re1 , 1 1 N →∞ N 1 (N ) (N ) |HSU ∩ LSU |Ye | = Re2 . lim 2 2 N →∞ N
c (N ) (N ) and lim N1 | HSU |Ye ∪ LSU |Ye | = 0 for j = 1, 2, we have lim

(N )

(N )

Since HSU = HCj j

N →∞

j

j


c 1 (N ) (N ) |HC1 ∩ HSU |Ye | = Re1 , 1 N →∞ N
c 1 (N ) (N ) |HC2 ∩ HSU |Ye | = Re2 . lim 2 N →∞ N lim

Thus, lim R1 = I(Y1 ; C1 |X2 ) − Re1 = RS1 ,

N →∞

(59)

lim R2 = I(Y2 ; C2 |X1 ) − Re2 = RS2 .

N →∞

Since (RS1 , RS2 ) is an arbitrary point on the dominant face of RS (PY1 Y2 Ye |X1 X2 ), including two corner points, we can say that the whole secrecy rate region is achievable. V. S PECIAL C ASE : ACHIEVING W EAK S ECRECY WITHIN A S INGLE T RANSMISSION B LOCK In the traditional one-way wiretap channel, as has been shown in [12], [13], if the eavesdropper channel is degraded with respect to the main channel, the reliable bit set of a polar code designed for the eavesdropper channel will be a subset of that for the main channel [7], and the secrecy capacity can be achieved under the weak secrecy criterion within a single transmission block. In the two-way wiretap channel, similar cases also exist. Definition 3: Let P1 : X1 ×X2 → Y1 and P2 : X1 ×X2 → Y2 be two discrete memoryless multiple access channels, then we say P2 is degraded with respect to P1 (denoted by P1  P2 ) if there P exists a third channel P3 : Y1 → Y2 such that P2 (y2 |x1 , x2 ) = y1 ∈Y1 P1 (y1 |x1 , x2 )P3 (y2 |y1 ) for all (x1 , x2 ) ∈ X1 × X2 and y2 ∈ Y2 . Lemma 2: If PY1 |C1 ,C2  PYe |C1 ,C2 and PY2 |C1 ,C2  PYe |C1 ,C2 , then we have (N )

LSU

1

(N )

|Ye

⊆ LC1 |Y1 X2 ,

|Ye

⊆ LC2 |Y2 X1 ,

(N )

LSU (N )

where LSU

|Y 1 e

(N )

and LSU

in (31) and (33).

|Y 2 e

2

(60)

(N )

(N )

(N )

are defined in (46) and (47), and LC1 |Y1 X2 and LC2 |Y2 X1 are defined

21

Proof: Since S 1:2N is a permutation of U11:N U21:N , we have Z(S f1 (i) |Ye1:N , S 1:f1 (i)−1 ) ≥ Z(U1i |Ye1:N , U21:N , U11:i−1 ). And since (C1 , C2 ) → (C1 , X2 ) → Y1 forms a Markov chain, we have Z(U1i |Y11:N , U21:N , U11:i−1 ) ≥ Z(U1i |Y11:N , X21:N , U11:i−1 ). If PY1 |C1 ,C2  PYe |C1 ,C2 , then [7, Lemma 4.7] Z(U1i |Y11:N , U21:N , U11:i−1 ) ≤ Z(U1i |Ye1:N , U21:N , U11:i−1 ). Thus, Z(U1i |Y11:N , X21:N , U11:i−1 ) ≤ Z(S f1 (i) |Ye1:N , S 1:f1 (i)−1 ). (N )

(N )

From the definitions of the polarized sets we can see that LSU

1

2

⊆ LC1 |Y1 X2 . Similarly we can

(N )

(N )

show that LSU

|Ye

|Ye

⊆ LC2 |Y2 X1 .

In this special case, we partition indices of U11:N into four sets:
c (N ) (N ) (N ) I1 = HC1 ∩ LC1 |Y1 X2 ∩ LSU |Ye , 1

c c (N ) (N ) (N ) F1 = HC1 ∩ LC1 |Y1 X2 ∩ LSU |Ye , 1

R1 =

(N ) HC1

(N ) LC1 |Y1 X2

∩ (N )
c

D1 = HC1

∩

(61)

(N ) LSU |Ye , 1

,

as illustrated in Fig. 4. Similarly, indices of U21:N are partitioned into I2 , F2 , R2 and D2 . The coding scheme is then simple. I1 and I2 carry information bits, R1 and R2 are filled with random bits, F1 and F2 carry frozen bits, and D1 and D2 are deterministic bits. Theorem 2: If the eavesdropper channel is degraded with respect to both legitimate channels, the coding scheme described in this section guarantees both reliability and weak secrecy within a single transmission block, while being able to achieve all points on the dominant face of the secrecy rate region of the two-way wiretap channel defined in (8). Proof: Reliability: The block error probability of this scheme under SC decoding is bounded by X X Pe (N ) ≤ Z(U1i |Y11:N , X21:N , U11:i−1 ) + Z(U2i |Y21:N , X11:N , U21:i−1 ) i∈I1 ∪R1 i∈I2 ∪R2 (62) β

= O(2−N ).

22

Fig. 4.

Code construction for Alice in the degraded case.

Secrecy: Since in this section we only consider single-block transmission, the subscripts and superscripts for block numbers in notations used in Section IV-B2 are omitted. The average information leakage of a length-N codeword given the value of frozen bits can be bounded by L(N ) = I(M1 , M2 ; Ye |F1 , F2 ) = I(M1 , M2 , N1 , N2 ; Ye |F1 , F2 ) − I(N1 , N2 ; Ye |F1 , F2 , M1 , M2 ) = I(X1 , X2 ; Ye ) − H(N1 , N2 ) + H(N1 , N2 |M1 , M2 , F1 , F2 , Ye )

(63)

≤ N Csum − (|R1 | + |R2 |) + H(N1 , N2 |M1 , M2 , F1 , F2 , Ye ),

(64)

where Csum , I(C1 , C2 ; Ye ) is the maximum achievable sum rate of the eavesdropper channel We . (63) holds because I(X1 , X2 ; Ye ) = I(M1 , M2 , N1 , N2 , F1 , F2 ; Ye ) = I(M1 , M2 , N1 , N2 ; Ye |F1 , F2 ) + I(F1 , F2 ; Ye ) and N1 and N2 are independent of M1 , M2 , F1 and F2 . The information leakage rate is then LR (N ) =

1 L(N ) N

1 1 (|R1 | + |R2 |) + H(N1 , N2 |M1 , M2 , F1 , F2 , Ye ). (65) N N 1 (|R1 | + |R2 |) = Csum , H(N1 , N2 |M1 , M2 , F1 , F2 , Ye )/N should vanish as N ≤ Csum −

Since limN →∞

N increases in order to guarantee secrecy. Assume Eve has already obtained the value of M1 and M2 and tries to decode N1 and N2 , by Fano’s inequality we have H(N1 , N2 |M1 , M2 , F1 , F2 , Ye ) ≤ H(Pe0 ) + Pe0 (|N1 | + |N2 |),

(66)

23

where Pe0 is the block error probability of Eve’s virtual decoder. Under the SC decoding algorithm (which is not optimal), Pe0 is upper bounded by X X Pe0 ≤ Z(S f1 (i) |Ye1:N , S 1:f1 (i)−1 ) + Z(S f2 (i) |Ye1:N , S 1:f2 (i)−1 ) i∈R1

i∈R2 −N β

= O(2

(67)

).

Thus, lim H(N1 , N2 |M1 , M2 , F1 , F2 , Ye ) = 0.

(68)

lim LR (N ) = 0.

(69)

N →∞

Then we can claim that N →∞

(N )

(N )

Achievable rate region: Since LSU

1

|Ye

(N )

(N )

⊆ LC1 |Y1 X2 and LSU

2

|Ye

⊆ LC2 |Y2 X1 , we have

1 |I1 | N
c 1 (N ) (N ) (N ) = |HC1 ∩ LC1 |Y1 X2 ∩ LSU |Ye | 1 N 1 (N ) 1 (N ) (N ) (N ) = |HC1 ∩ LC1 |Y1 X2 | − |HC1 ∩ LSU |Ye |, 1 N N

(70)

1 (N ) 1 (N ) (N ) (N ) |HC2 ∩ LC2 |Y2 X1 | − |HC2 ∩ LSU |Ye |. 2 N N

(71)

R1 =

and R2 =

Similar to the strong secrecy case, we can show that all points on the dominant face of RS (PY1 Y2 Ye |X1 X2 ) can be achieved using this scheme. Now we have finished the proof for Theorem 2.

VI. E XAMPLE : B INARY E RASURE C HANNELS In this section, we present an example to show the performance of our scheme. For simplicity, all channels are assumed to be binary erasure MACs, and the channel inputs are assumed to be uniformly distributed. For Bob, the observed channel W1 (Y1 |X1 X2 ) is   X1 + X2 with probability 1 − 1 Y1 = ,  ? with probability 1

(72)

24

with 1 = 0.2. For Alice, the observed channel W2 (Y2 |X1 X2 ) is   X1 + X2 with probability 1 − 2 , Y2 =  ? with probability 2 with 2 = 0.3. And for Eve, the observed channel We (Ye |X1 X2 ) is   X1 + X2 with probability 1 − e , Ye =  ? with probability e

(73)

(74)

with e = 0.4. For the auxiliary random variables in (8), we consider the simplest case when C1 = X1 and C2 = X2 . In this case, the achievable rate region of the eavesdropper MAC is    0 ≤ Re1 ≤ RU    , 0 ≤ Re2 ≤ RV      R +R ≤C e1 e2 sum

(75)

where RU = RV = 1 − e = 0.6 and Csum = 1.5(1 − e ) = 0.9. Since each user knows its own transmitted message, two legitimate channels can be simplified to two BECs with erasure probabilities 1 and 2 respectively. Then the secrecy rate region of the two-way wiretap channel is

   0 ≤ R1 ≤ (1 − 1 ) − (Csum − RV ) = 0.5    . 0 ≤ R2 ≤ (1 − 2 ) − (Csum − RU ) = 0.4      R + R ≤ R , (1 −  ) + (1 −  ) − C 1 2 s 1 2 sum = 0.6 (i)

(i)

For BECs, the Bhattacharyya parameters Z(W1,N ) and Z(W2,N ) can be easily calculated by [5] (2i−1)

Z(Wj,N

(i)

(i)

) = 2Z(Wj,N/2 ) − Z(Wj,N/2 )2

(2i)

(i)

Z(Wj,N ) = Z(Wj,N/2 )2 (1)

(i)

with Z(Wj,1 ) = j for j = 1, 2, where Z(Wj,N ) is short for Z(Uji |Yj1:N , Uj1:i−1 ). For the eavesdropper MAC, we take a corner point on the dominant face of its achievable rate region, (0.6, 0.3), as an example. The Bhattacharyya parameters in the corner point case can be easily calculated since the MAC can be split into two single-user channels. For middle points between two corner points, the Bhattacharyya parameters can be estimated by the method

25

Fig. 5.

Information leakage of our proposed scheme.

of [37] or a Monte Carlo approach [5]. Let We1 (Ye |X1 ) be the channel from Alice to Eve when X2 is known to Eve, and We2 (Ye |X2 ) the channel from Bob to Eve when X1 is treated as noise. We can see that We1 and We2 are binary erasure channels with erasure probability
e1 = e = 0.4 and e2 = 0.5 + 0.5e = 0.7 respectively, and I(We1 ), I(We2 ) = (0.6, 0.3) is just the rate pair we consider, where I(W ) denotes the symmetric capacity of channel W . Then the Bhattacharyya parameters for the MAC can be obtained by calculating those for We1 and We2 . The corresponding secrecy rate pair in this case is (0.5, 0.1). The upper bound for information leakage can be deduced from (55) and (57) that X
m m I(Mm 1 − Z(S i |Ye1:N , S 1:i−1 )2 , 1 , M2 ; Y e ) ≤ m

(76)

i∈I

where I ⊂ [2N ] is the information bit set with respect to indices of S 1:2N . Once we are able to obtain the Bhattacharyya parameters for all synthesized channels, the block error rate can be evaluated by (52), and the information leakage can be estimated using (76). Since the number of transmission blocks m is only a multiplier when estimating the information leakage and block error rate, we choose m = 1 in this example to show the average information leakage per

26

Fig. 6.

Block error rate of our proposed scheme.

transmission block. The parameter δN = 2−N

β

(0 < β < 0.5) in the definitions of polarized sets plays an

important role in the code design. The larger β is, the smaller L(N ) and Pe (N ) will be for a given N . However, the secret sum rate will be smaller correspondingly. In this example, we choose β = 0.16, 0.17, 0.18, 0.19, 0.20, 0.21 and compare their differences in performance. Fig. 5, 6 and 7 respectively show the information leakage, block error rate and secrecy sum rate of our proposed scheme, and different markers stand for different β values. The result meets our theoretical analysis that, as the code length increases, the information leakage and block error rate vanish while the secrecy sum rate approaches Rs = 0.6. VII. C ONCLUSION AND D ISCUSSION In this paper, we have introduced polar codes into the problem of coded cooperative jamming in the general two-way wiretap channel. For the general case, it is difficult to guarantee secrecy and reliability simultaneously within a single transmission bock, and we use a multi-block scheme to solve this problem. It is shown that our proposed scheme achieves all points on the dominant face

27

Fig. 7.

Secrecy sum rate of our proposed scheme.

of the secrecy rate region under the strong secrecy criterion. An example is presented to verify the performance of our proposed scheme. For the special case when the eavesdropper channel is degraded with respect to both legitimate channels, if we loosen the security requirement to weak secrecy, with a little modification our scheme can guarantee reliability and secrecy simultaneously within a single transmission block. Although we have only considered binary-input case in this paper, the result can be readily extended to non-binary cases since non-binary polar codes have already been well studied. R EFERENCES [1] A. D. Wyner, “The wire-tap channel,” The Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1387, 1975. [2] A. T. Suresh, A. Subramanian, A. Thangaraj, M. Bloch, and S. W. McLaughlin, “Strong secrecy for erasure wiretap channels,” in IEEE Information Theory Workshop (ITW), 2010, pp. 1–5. [3] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J. M. Merolla, “Applications of LDPC codes to the wiretap channel,” IEEE Transactions on Information Theory, vol. 53, no. 8, pp. 2933–2945, 2007. [4] M. Cheraghchi, F. Didier, and A. Shokrollahi, “Invertible extractors and wiretap protocols,” IEEE Transactions on Information Theory, vol. 58, no. 2, pp. 1254–1274, 2012.

28

[5] E. Arıkan, “Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels,” IEEE Transactions on Information Theory, vol. 55, no. 7, pp. 3051–3073, 2009. [6] ——, “Source polarization,” in IEEE International Symposium on Information Theory (ISIT), 2010, pp. 899–903. ´ ´ ERALE ´ [7] S. B. Korada, “Polar codes for channel and source coding,” Ph.D. dissertation, ECOLE POLYTECHNIQUE FED DE LAUSANNE, 2009. [8] S. B. Korada and R. L. Urbanke, “Polar codes are optimal for lossy source coding,” IEEE Transactions on Information Theory, vol. 56, no. 4, pp. 1751–1768, 2010. [9] J. Honda and H. Yamamoto, “Polar coding without alphabet extension for asymmetric models,” IEEE Transactions on Information Theory, vol. 59, no. 12, pp. 7829–7838, 2013. [10] E. Hof and S. Shamai, “Secrecy-achieving polar-coding,” in IEEE Information Theory Workshop (ITW), 2010, pp. 1–5. [11] M. Andersson, V. Rathi, R. Thobaben, J. Kliewer, and M. Skoglund, “Nested polar codes for wiretap and relay channels,” IEEE Communications Letters, vol. 14, no. 8, pp. 752–754, 2010. [12] H. Mahdavifar and A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes,” IEEE Transactions on Information Theory, vol. 57, no. 10, pp. 6428–6443, 2011. [13] O. O. Koyluoglu and H. El Gamal, “Polar coding for secure transmission and key agreement,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 5, pp. 1472–1483, 2012. [14] E. S¸as¸o˘glu and A. Vardy, “A new polar coding scheme for strong security on wiretap channels,” in IEEE International Symposium on Information Theory Proceedings (ISIT), July 2013, pp. 1117–1121. [15] Y. P. Wei and S. Ulukus, “Polar coding for the general wiretap channel with extensions to multiuser scenarios,” IEEE Journal on Selected Areas in Communications, vol. 34, no. 2, pp. 278–291, 2016. [16] T. Gulcu and A. Barg, “Achieving secrecy capacity of the wiretap channel and broadcast channel with a confidential component,” in IEEE Information Theory Workshop (ITW), April 2015, pp. 1–5. [17] R. A. Chou and M. R. Bloch, “Polar coding for the broadcast channel with confidential messages: A random binning analogy,” IEEE Transactions on Information Theory, vol. 62, no. 5, pp. 2410–2429, 2016. [18] M. Andersson, R. Schaefer, T. Oechtering, and M. Skoglund, “Polar coding for bidirectional broadcast channels with common and confidential messages,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1901–1908, September 2013. [19] B. Duo, P. Wang, Y. Li, and B. Vucetic, “Secure transmission for relay-eavesdropper channels using polar coding,” in IEEE International Conference on Communications (ICC).

IEEE, 2014, pp. 2197–2202.

[20] M. Zheng, M. Tao, and W. Chen, “Polar coding for secure transmission in MISO fading wiretap channels,” CoRR, vol. abs/1411.2463, 2014. [Online]. Available: http://arxiv.org/abs/1411.2463 [21] H. Si, O. O. Koyluoglu, and S. Vishwanath, “Hierarchical polar coding for achieving secrecy over state-dependent wiretap channels without any instantaneous CSI,” IEEE Transactions on Communications, vol. 64, no. 9, pp. 3609–3623, 2016. [22] R. A. Chou and A. Yener, “Polar coding for the multiple access wiretap channel via rate-splitting and cooperative jamming,” in IEEE International Symposium on Information Theory (ISIT), 2016, pp. 983–987. [23] M. Hajimomeni, H. Aghaeinia, I. M. Kim, and K. Kim, “Cooperative jamming polar codes for multiple-access wiretap channels,” IET Communications, vol. 10, no. 4, pp. 407–415, 2016. [24] R. A. Chou, M. R. Bloch, and E. Abbe, “Polar coding for secret-key generation,” IEEE Transactions on Information Theory, vol. 61, no. 11, pp. 6213–6237, 2015.

29

[25] E. Tekin and A. Yener, “The general Gaussian multiple-access and two-way wiretap channels: Achievable rates and cooperative jamming,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2735–2751, June 2008. [26] A. Pierrot and M. Bloch, “Strongly secure communications over the two-way wiretap channel,” IEEE Transactions on Information Forensics and Security, vol. 6, no. 3, pp. 595–605, Sept 2011. [27] A. El Gamal, O. Koyluoglu, M. Youssef, and H. El Gamal, “Achievable secrecy rate regions for the two-way wiretap channel,” IEEE Transactions on Information Theory, vol. 59, no. 12, pp. 8099–8114, Dec 2013. [28] A. Pierrot and M. Bloch, “LDPC-based coded cooperative jamming codes,” in IEEE Information Theory Workshop (ITW), Sept 2012, pp. 462–466. [29] E. Arıkan, “Polar coding for the Slepian-Wolf problem based on monotone chain rules,” in IEEE International Symposium on Information Theory Proceedings (ISIT), July 2012, pp. 566–570. [30] S. Onay, “Successive cancellation decoding of polar codes for the two-user binary-input MAC,” in IEEE International Symposium on Information Theory Proceedings (ISIT), July 2013, pp. 1122–1126. [31] E. S¸as¸o˘glu, E. Telatar, and E. Yeh, “Polar codes for the two-user multiple-access channel,” IEEE Transactions on Information Theory, vol. 59, no. 10, pp. 6583–6592, Oct 2013. [32] E. Abbe and I. Telatar, “Polar codes for the m-user multiple access channel,” IEEE Transactions on Information Theory, vol. 58, no. 8, pp. 5437–5448, Aug 2012. [33] H. Mahdavifar, M. El-Khamy, J. Lee, and I. Kang, “Achieving the uniform rate region of general multiple access channels by polar coding,” IEEE Transactions on Communications, vol. 64, no. 2, pp. 467–478, 2016. [34] M. Zheng, C. Ling, W. Chen, and M. Tao, “A New Polar Coding Scheme for the Interference Channel,” ArXiv e-prints, Aug. 2016. [Online]. Available: http://arxiv.org/abs/1608.08742 [35] R. G. Gallager, Information theory and reliable communication.

Wiley: New York, 1968.

[36] T. M. Cover and J. A. Thomas, Elements of information theory.

John Wiley & Sons, 2012.

[37] I. Tal and A. Vardy, “How to construct polar codes,” IEEE Transactions on Information Theory, vol. 59, no. 10, pp. 6562–6582, Oct 2013.