This action might not be possible to undo. Are you sure you want to continue?
r
X
i
v
:
1
1
0
2
.
3
1
7
3
v
1
[
c
s
.
C
R
]
1
5
F
e
b
2
0
1
1
1
Coding for Cryptographic Security Enhancement
using Stopping Sets
*Willie K. Harrison, Student Member, IEEE, Jo˜ ao Almeida, Student Member, IEEE,
Steven W. McLaughlin, Fellow, IEEE, and Jo˜ ao Barros, Member, IEEE
Abstract—In this paper we discuss the ability of channel
codes to enhance cryptographic secrecy. Toward that end, we
present the secrecy metric of degrees of freedom in an attacker’s
knowledge of the cryptogram, which is similar to equivocation.
Using this notion of secrecy, we show how a speciﬁc practical
channel coding system can be used to hide information about the
ciphertext, thus increasing the difﬁculty of cryptographic attacks.
The system setup is the wiretap channel model where transmitted
data traverse through independent packet erasure channels
with public feedback for authenticated ARQ (Automatic Repeat
reQuest). The code design relies on puncturing nonsystematic
lowdensity paritycheck codes with the intent of inﬂicting an
eavesdropper with stopping sets in the decoder. Furthermore,
the design ampliﬁes errors when stopping sets occur such that a
receiver must guess all the channelerased bits correctly to avoid
an expected error rate of one half in the ciphertext. We extend
previous results on the coding scheme by giving design criteria
that reduces the effectiveness of a maximumlikelihood attack to
that of a messagepassing attack. We further extend security
analysis to models with multiple receivers and collaborative
attackers. Cryptographic security is enhanced in all these cases
by exploiting properties of the physicallayer. The enhancement
is accurately presented as a function of the degrees of freedom
in the eavesdropper’s knowledge of the ciphertext, and is even
shown to be present when eavesdroppers have better channel
quality than legitimate receivers.
I. INTRODUCTION
A. Cryptography and the Physical Layer
M
Any cryptosystems in place today measure security
computationally. If all known attacks are computation
ally intractable, then the system is deemed to be secure. The
chief failings of this notion of security are the assumptions
placed on the attacker. First, it is assumed that the attacker
has limited resources to confront the problem, even if those
resources are state of the art. Second, it is assumed that the
attacker uses attacks which are publicly known, even though
a better attack may exist. Claude Shannon addressed these
shortcomings by deﬁning the notion of perfect secrecy [1].
If a secret message M is encrypted into a cryptogram E
using a secret key K, then perfect secrecy is achieved if
H(ME) = H(M). Shannon also proved that perfect secrecy
is only attainable if the key is at least as long as M, which is
clearly impractical. However, perfect secrecy also makes the
limiting assumption that an attacker has access to an errorfree
cryptogram, which may not be the case in practice.
Aaron Wyner later introduced the wiretap channel model,
along with a new condition for secrecy [2]. Let a message M
of length k be encoded into a codeword X of length n, and
then transmitted. The rate of the encoder is k/n. A legitimate
receiver obtains Y over the main channel denoted Q
m
, and an
eavesdropper obtains Z over a wiretap channel denoted Q
w
.
The secrecy condition is
lim
k→∞
I(M; Z)
k
= 0. (1)
Wyner showed that for rates up to the secrecy capacity C
s
,
encoders and decoders exist which can satisfy (1) and also
achieve arbitrarily low probability of error for intended parties
when X → Y → Z is a Markov chain. This is known as the
degraded wiretap channel model. Csisz´ ar and K¨ orner [3] later
generalized these results removing the degraded restriction, but
still showing that C
s
> 0, only if Q
m
is less noisy than Q
w
.
Understanding of the theoretically achievable secrecy rates
of communication systems has continued to grow, as outlined
in e.g. [4], [5], and [6]. But another of the main challenges
in this area has been the design of practical systems which
achieve the secrecy rates indicated by the theory. These
systems exploit noise in the channel at the physical layer of
the communications system. Practical designs maximizing the
informationtheoretic secrecy are not trivial. Most currently
suffer from one or more of several drawbacks. For instance,
code designs are oftentimes a function of speciﬁc channel pa
rameters (channel state information or CSI) seen by legitimate
receivers and eavesdroppers. Without accurate CSI, the results
of these systems are not guaranteed; therefore, channels with
varying or unknowable parameters present design issues. Other
codes offer secrecy for only speciﬁc types of channels, or
only when the eavesdropper’s channel is degraded. Still other
designs are impractical in the real world due to design com
plexity, necessary side information for legitimate decoding, or
other limitations. Finally, the most glaring shortcoming of any
scheme which derives security from the physical layer of a
communications system, is that if an eavesdropper has a better
channel than a legitimate receiver, the scheme is likely to fail.
The extreme case is when an eavesdropper has a noisefree
channel and Z = X. Clearly this necessitates any physical
layer security scheme to be coupled with some other protection
in order to maintain secrecy in the worst case.
B. Main Contributions
The intent of this paper is to develop the notion of com
bined security due to cryptography and channel coding, thus
providing a more complete security solution. To accomplish
this goal, we cast coding into a cryptographic enhancement
role, and seek to prevent an attacker from obtaining a noise
free cryptogram using channel coding. We present a new
2
security metric for physicallayer schemes; namely, degrees
of freedom D in an attacker’s knowledge of the cryptogram.
As a comparison, if bits in M are uniformly zero or one
and independent and identically distributed (i.i.d.), then perfect
secrecy implies D = k. In fact we show that H(XZ) = E[D]
for a speciﬁc case. Our notion of physicallayer security using
D addresses the effectiveness of attacks on a cryptographic
layer. To be more precise, our notion of security answers the
practical question, how does the complexity of an attack on
the cryptography change without perfect knowledge of the
cryptogram?
It has been shown previously using correlation attacks on
stream ciphers that certain cryptographic attacks are still pos
sible even on noisy cryptograms, although a threshold on the
noise level exists such that errors beyond the threshold cause
the attack to fail [7], [8], [9], [10]. Practical schemes should
provide enough confusion to exploit even the smallest amount
of noise in an eavesdropper’s received data to cause failure
of these attacks on the cryptographic layer. Such systems
should be robust to varying channel parameters, imperfect
CSI at the encoder, and nondegraded system models. In fact,
good designs still offer security enhancement to cryptography,
even when attackers have an advantage in signal quality over
legitimate receivers. Of course, all of this must be done while
guaranteeing reliable communication between friendly parties.
Therefore, along with the new metric, this paper also
analyzes combined cryptographic and physicallayer security
in a practical coding scheme using degrees of freedom to
characterize security. In [11], this scheme was shown to inﬂict
a passive eavesdropper using a messagepassing decoder with
stopping sets with very high probability when a legitimate
receiver and an eavesdropper view transmitted data through
statistically independent packet erasure channels (PEC). The
scheme relies on a nonsystematic lowdensity paritycheck
(LDPC) code design, with puncturing and interleaving steps
in the encoder. Legitimate receivers are given access to an
authenticated public feedback channel for Automatic Repeat
reQuest (ARQ). In this paper, we broaden the security analysis
of the scheme given in [11] by addressing the following points.
• Degrees of Freedom: The system security is analyzed
using the new metric. Computational secrecy is shown
to grow exponentially with E[D], which is also shown to
be equal to H(XZ) for the prescribed encoder.
• Encoder Description: Endtoend details of the encoder
and decoder are provided, as well as simulation results
which match theoretical expectations.
• Optimization: Design criteria are speciﬁed to maximize
the degrees of freedom in the maximumlikelihood attack
as well as the messagepassing attack. This involves
comparison of irregular LDPC codes with regular LDPC
codes.
• Extensions: Security results are made general so as to
apply to multiple receivers and multiple collaborative
attackers. Ultimately, bounds on the increase in computa
tional secrecy of an underlying cryptosystem are speciﬁed
when the physicallayer encoding system is employed.
Ultimately, this scheme has very few design constraints, offers
enhanced cryptographic secrecy over a wide range of CSI
parameters, and requires no secret key and no rate reduction
in data transmission.
C. Related Works
Our encoder makes use of fundamental practical design
ideas which have been shown to offer secrecy. For example,
our encoder employs nonsystematic LDPC codes in order
to hide information bits and magnify coding errors. Secrecy
properties of these codes have been studied in [12]. We further
employ intentional puncturing of encoded bits, a technique
shown to offer security in [13], [14]. Our scheme punctures
with the goal of inducing stopping sets in an eavesdropper’s
received data. As a result, every transmitted bit is crucial for
decoding. Our intent is to punish an eavesdropper for every
missing piece of information. Finally, in order to distribute
erasures throughout the data set, the encoder interleaves coded
bits among several transmitted packets. Similar ideas of in
terleaving coded symbols have been used in [15], [16] in
conjunction with wiretap codes developed in [17] to offer
secrecy to various systems. The works [18], [19] give results
for ARQ and feedback wiretap systems.
It can be argued that the ﬁrst practical secrecy coding
scheme was presented by Ozarow and Wyner in an extension
of the original wiretap paper [4]. Here the general idea
of partitioning a group code into cosets to achieve secrecy
was ﬁrst presented. This technique was shown to apply to
LDPC codes much more recently in [17], and achieves the
secrecy condition in (1) for noiseless main channels when
the wiretap channel is either a binary erasure channel (BEC)
or a binary symmetric channel (BSC). This work in LDPC
codes for secrecy has been furthered in [20], where large
girth LDPC codes are considered, and shown to meet the
secrecy constraint in (1) for noiseless main channel and BEC
wiretap channel. A stronger notion of secrecy than (1) is also
achieved for these codes in certain cases. Finally, it should
be noted that Arıkan’s polar codes [21] can offer secrecy for
general symmetric channels, although code construction is an
issue for nonerasure channels. Schemes have been presented
in [22] and [23] which achieve the secrecy capacity under the
condition in (1), although these schemes only offer secrecy
for degraded wiretap channels. Furthermore, design of these
codes is heavily contingent on perfect CSI at the encoder.
Although our codes can be shown to achieve (1) only
under certain puncturing criteria, the main contribution of the
coding scheme presented here is the cryptographic security
enhancements shown using degrees of freedom as a security
metric. Our scheme is robust against imperfect CSI, and
for that matter, undetected eavesdroppers. According to our
knowledge, it is also the ﬁrst practical secrecy scheme which
can operate on the general wiretap channel (nondegraded case)
when both Q
m
and Q
w
are erasure channels.
The rest of the paper is outlined as follows. In Section
II, we discuss the system model for which our encoder is
designed, which is an adaptation of the wiretap channel model
from [2]. The precise deﬁnition of degrees of freedom is also
given. Section III addresses background information regarding
3
Alice Encoder PEC(δ)
Q
m
Decoder Bob
PEC(ǫ)
Q
w
Decoder Eve
M X Y
˜
M
Z
ˆ
M
Feedback Channel
Fig. 1. Wiretap channel model with feedback assuming packet erasure
channels for both the main channel Qm and the wiretap channel Qw.
LDPC codes and stopping sets. Our novel encoder and decoder
designs are presented in Sections IV and V, respectively. Anal
ysis of the security inherent in the system is then completed
in Section VI for various scenarios, ultimately culminating
in the most general case which encompasses multiple users
and collaborating eavesdroppers. Finally, bounds regarding
enhancements of cryptographic security are presented in Sec
tion VII along with endtoend simulations of the system.
Conclusions are provided in Section VIII.
II. SYSTEM MODEL AND DEGREES OF FREEDOM
We begin by presenting the wiretap channel model [24]
with the addition of feedback in Fig. 1. A user named
Alice wishes to transmit an encrypted binary message M =
(m
1
, m
2
, . . . , m
L
) to a legitimate receiver named Bob, where
m
i
= (m
i
1
, m
i
2
, . . . , m
i
k
) ∈ M for i = 1, 2, . . . , L. It will be
helpful to think of M as being broken up into L blocks of
length k, where k is the dimension of the encoder to follow.
The ﬁnal block m
L
can be ﬁlled by concatenating random
bits if needed. Let us also deﬁne the blocklength n of the
encoder. Then the coding rate is k/n. To be clear, n is the
length of a codeword after it has been punctured. We will
also assume that M has been compressed, so that all possible
bit combinations are equally likely in the alphabet M. Prior to
transmission, Alice encodes M, resulting in a collection of η
packets X = (x
1
, x
2
, . . . , x
η
) for transmission. Bob receives
the packets as Y through Q
m
, a PEC with probability of
erasure δ. An eavesdropper named Eve obtains the packets Z,
although through Q
w
, an independent PEC with probability of
erasure ǫ. An obvious extension of this model is to consider
correlated erasures in Q
m
and Q
w
; however, in this paper we
always assume erasures are statistically independent. Finally,
˜
M and
ˆ
M are the respective estimates of M by Bob and Eve.
The encoder and decoder exploit the independent nature of
erased packets across Q
m
and Q
w
. Of course, the system must
guarantee that
˜
M = M, while at the same time making Eve
as ignorant as possible. The authenticated feedback channel
available to Bob plays a key role in accomplishing both
of these endeavors. This public noiseless channel is used
to request the retransmission of erased packets. Since it is
authenticated, Alice is able to deduce whether Bob sent the
request, and can detect any tampering with the data [25], which
restricts Eve to passive status [26]. Requests by Bob are public,
and there is no secret key employed at the physical layer. The
sole source of confusion for Eve is her own naturally occurring
erasure pattern across Q
w
.
1
As mentioned in Section I, we deﬁne physicallayer security
for this system with the cryptographic layer in mind. Crypto
graphic attacks often assume an attacker has the luxury of an
errorfree version of M (or even some of the plaintext), but
our design aims to prevent this from occurring, by creating
degrees of freedom in the attacker’s knowledge of M.
Deﬁnition 1. The number of degrees of freedom in a received
codeword is a random variable D which takes on the number
of encoded symbols for which an eavesdropper has no infor
mation. Therefore, the probabilities of all symbol values on
these D symbols are equally likely.
For binary codes with D = d, a codeword of length n can be
any of 2
d
equally likely codewords, each mapping to a unique
kbit message in M. Since we assume that the attacker knows
the encoder, the maximum value of D is k, and can be shown
to have an informationtheoretic deﬁnition. Since an attacker
has no knowledge of these bits, an average of 2
E[D]−1
guesses
must be made to obtain them. Using this reasoning, the goals
of our physicallayer design are: ﬁrst, to ensure that D = 0 for
Bob so that
˜
M = M; second, to make D as large as possible
for Eve; and third, to ensure that attacks on the cryptogram
fail if
ˆ
M = M.
III. LDPC CODES AND STOPPING SETS
We employ LDPC codes [27] and exploit the phenomenon
of stopping sets to obtain security from the physical layer.
This section provides limited background of LDPC codes and
stopping sets in order to establish the foundation upon which
to present our encoder.
Let us deﬁne a general binary LDPC code C with block
length N, and dimension k. Note that this k is identical to
k from section II, but N the blocklength of the LDPC code,
is different from n the blocklength of the encoder because
n is the codeword length after puncturing. The parity check
matrix H fully deﬁnes the code, and is N −k ×N. We will
ﬁnd it helpful to think of H in terms of its corresponding
Tanner graph G
C
[28], [29]. The set of variable nodes is
V = (v
1
, v
2
, . . . , v
N
), while the set of check nodes is
U = (u
1
, u
2
, . . . , u
N−k
). Variable nodes correspond to the N
bits in a codeword. Checks correspond to rows in H, where
the set of bits that participate in the check u
i
is denoted
N
i
= {j : H
i,j
= 1} [28]. Then the ith check is calculated in
GF(2) as u
i
=
¸
j∈Ni
v
j
= 0. The notation N
i,j
signiﬁes all
bits in the ith check except the jth bit. The jth variable node
shares an edge with the ith check node in G
C
if and only if
j ∈ N
i
. The Tanner graph for a simple example is shown in
Fig. 2.
Decoding of an LDPC codeword over a BEC can be
accomplished using maximumlikelihood (ML) decoding [30],
by solving a system of equations. However, the iterative
messagepassing (MP) decoder is commonly used due to its
computational efﬁciency. We brieﬂy explain both decoders.
1
It is noted that results in Section VI are provided for this system, as well
as the more general model which allows an arbitrary number of legitimate
receivers and eavesdroppers.
4
v
1
v
2
v
3
v
4
v
5
v
6
v
7
u
1
u
2
u
3
1
0
e
e
0
e
e
1
1
1
Fig. 2. Tanner graph for MP decoding over the BEC with a highlighted
stopping set due to erasures at variable nodes v
3
and v
5
.
A. MaximumLikelihood Decoding
Let us consider an LDPC codeword x ∈ C transmitted over
a BEC and let y denote the received codeword. Note that
x
i
∈ {0, 1} and y
i
∈ {0, 1, e} where e signiﬁes an erased
bit. We let K denote the set of known bits in y, and
¯
K denote
the set of erased bits in y. Furthermore, H
K
and H¯
K
can
be understood to be matrices formed by the columns of H
indexed by K and
¯
K, respectively. Similarly, x
K
and x¯
K
are
vectors composed of only the bits indexed by the respective
sets K and
¯
K.
Clearly, 0 = Hx
T
= H
K
x
T
K
+ H¯
K
x
T
¯
K
, where x
K
= y
K
,
and thus H
K
x
T
K
= z
T
is known. The maximum likelihood
decoder must then solve for the channelerased bits x¯
K
using
the system of equations given by
H¯
K
x
T
¯
K
= z
T
. (2)
This system has a unique solution when the erased bits are
such that the columns of H¯
K
are linearly independent [31].
We can obtain a bound from this statement which we will use
to analyze security in the worstcase.
Proposition 1. For a linear code C with blocklength N and
dimension k, the ML decoder over the BEC cannot have a
unique solution if the number of erasures exceeds N −k, that
is if 
¯
K > N −k.
Proof: The rank of H¯
K
equals the number of linearly
independent rows or columns of the matrix ([32], pg. 244).
Since N −k is the number of rows in H, the rank of H¯
K
can
never exceed N−k, and thus the ML decoder cannot produce
a unique solution when 
¯
K > N −k.
In fact, when the number of erasures exceeds N − k, the
system in (2) will be such that the degrees of freedom in the
ML decoder D
ML
≥ 
¯
K−(N−k), where we achieve equality
if there are N −k linearly independent columns in H¯
K
[30].
In any case, D
ML
is equal to the difference in the number of
erased bits, and the number of linearly independent columns
of H¯
K
, and is zero if this difference is negative. This deﬁnition
clearly satisﬁes the notion of degrees of freedom from Deﬁni
tion 1 for this decoder. Thus we see that the effectiveness of
the decoder is strictly bounded by the redundancy of the code.
While faster methods have been discovered for solving a linear
system of equations, the straightforward decoder is known to
have complexity ((1 − R)β + γδ)δ
2
N
3
, where R is the rate
of the code, β and γ are constants which are also a function
of the elimination algorithm chosen to solve the system of
equations, δ is the erasure probability in the channel, and N
is the blocklength of the code [30].
B. MessagePassing Decoding
Let C, x, and y hold the same deﬁnitions as for the ML
decoder. The MP decoder is an iterative decoder based on
the Tanner graph representation of C. The decoding process
passes messages between U and V along the edges of G
C
. One
version of the decoder is given as Algorithm 1 (adapted from
[31]). The number of degrees of freedom in the MP decoder
D
MP
is the cardinality of the smallest set of bit values that
must be supplied in order to decode all remaining bits. If the
decoder succeeds, then D
MP
= 0. Clearly, this maintains the
deﬁnition of degrees of freedom given in Deﬁnition 1 when
restricted to this decoder, because any bit combination of these
D
MP
values decodes to a valid codeword, and each is equally
likely without further information. A bound on the correction
capabilities of the MP decoder is given by the following
proposition.
Proposition 2. The MP decoder over the BEC can correct no
more than N −k erasures.
Proof: In Algorithm 1, each check node can correct at
most one variable node, and U = N −k.
The MP decoder is suboptimal compared with the ML
decoder, although the MP decoder has linear complexity in
the blocklength [28]. A more detailed comparison of the two
decoders is offered in [33].
Algorithm 1 MessagePassing Decoder over the BEC [31].
1: Initialize: For y
i
= e, set v
i
= y
i
and declare all such
variable nodes as known.
2: if (No variable nodes are known and no check node has
degree one) then
3: Output the (possibly partial) codeword and stop.
4: else
5: Delete all known variable nodes along with their
adjacent edges.
6: end if
7: For each variable node v
j
connected to a degree one check
node u
i
, declare v
j
as known and set v
j
=
¸
k∈Ni,j
v
k
.
Jump to 2.
C. Stopping Sets
In order to make D as large as possible for our system when
an eavesdropper uses an MP decoder, we would like to design
the encoder block from Fig. 1 so that every bit erased by the
5
channel adds a degree of freedom to the decoder. Stopping
sets provide a means of accomplishing this task.
Deﬁnition 2 (Di, et. al. [34]). A stopping set is a set S ⊆ V
such that all check nodes in N(S) are connected to S by at
least two edges, where N(S) signiﬁes the neighborhood of S
and is deﬁned as the set of all adjacent nodes to any member
of S in G
C
.
Notice that the empty set, by deﬁnition, is a stopping set, as
is any union of stopping sets. Thus, any set of variable nodes
has a unique maximal stopping set in it.
2
See Fig. 2 for a
simple example; clearly the erasures cannot be resolved using
Algorithm 1. This gives way to the following lemma, proved
in [34].
Lemma 1 (Di et. al. [34], Lemma 1.1). Let G be the Tanner
graph deﬁned by the parity check matrix H of a binary linear
block code C, and assume that C is used to transmit over
the BEC. Let A be the set of erased bits in the received
codeword. Then, using Algorithm 1 on G, the set of erasures
which remain after decoding comprise the unique maximal
stopping set in A.
Since stopping sets cause the MP decoder to fail, puncturing
in the encoder will be done with an attempt to inﬂict Eve with
stopping sets. However, the ML decoder will still succeed,
even in the presence of stopping sets, as long as the erased
bits have linearly independent columns in H. We account for
both decoders in our design by using a particular ensemble of
LDPC codes where D
MP
can be made equal to D
ML
, thus
ensuring secrecy regardless of the decoder used by Eve. The
simplicity of MP decoding is also preserved for all legitimate
receivers.
3
IV. ENCODER
The encoder design is based on the fact that I(M; Z) ≤
I(M; X) because processing cannot increase information, and
M → X → Z is a Markov process [37]. The key idea in
the decoder is to reduce X to the decoding threshold. In
other words, X can be used to recover M by design, but
if any erasures remain in Z following transmission, unique
decodability is not possible. Proper design maximizes D for
Eve. The stages of encoding are portrayed in Fig. 3, where
each stage fulﬁlls a speciﬁc purpose within the overall goals
of obtaining secrecy and reliability. The following principles
are addressed in the design of this encoder.
• Bits of M are hidden from immediate access in the
decoded words using nonsystematic LDPC codes.
• Scrambling prior to coding magniﬁes errors due to the
physical layer of the communication system.
• The errorcorrection capabilities of the LDPC code are
restricted by intentional puncturing of encoded bits. (Bob
obtains reliability through ARQ, rather than error correc
tion.)
2
For our purposes, we will sometimes ignore the empty set as a stopping
set and say that a set A contains no stopping sets, meaning that the maximal
stopping set in A is ∅.
3
For further information on stopping sets as they relate to LDPC code
ensembles, see [35] and [36].
LDPC
Encoder
Puncture
Block
Buffer Interleaver
M
L blocks
length k
B
L blocks
length N
P
L blocks
length n
X
η packets
size αL
Fig. 3. Detailed block diagram of the encoder. Number and size of blocks
or packets are indicated at each step.
• Bits from encoded blocks are interleaved amongst several
transmitted packets so that a single erased packet results
in erasures in many encoded blocks of data.
A. Nonsystematic LDPC Codes
Recall from Section II that M = (m
1
, m
2
, . . . , m
L
), where
m
i
= (m
i
1
, m
i
2
, . . . , m
i
k
) ∈ M for i = 1, 2, . . . , L. These L
blocks of encrypted message form the input to the nonsys
tematic LDPC encoder with blocklength N and dimension k.
The output of the LDPC encoder B is given as L codewords
of length N, denoted as B = (b
1
, b
2
, . . . , b
L
) where each
vector b
i
= (b
i
1
, b
i
2
, . . . , b
i
N
). Certainly, if the code C were
systematic, then the bits of m
i
would appear explicitly in the
encoded block b
i
. For secrecy purposes, nonsystematic codes
are employed.
Nonsystematic LDPC coding is typically implemented as a
two stage process to improve encoder complexity [38], [39],
[12]. Let S be an invertible k×k scrambling matrix in GF(2),
and let G be a k ×N systematic generator matrix. Let m be a
lengthk message. Then our LDPC encoding process applies
the scrambling matrix to m as
m
′
= mS. (3)
The data are then encoded using G by b = m
′
G to obtain a
lengthN block of encoded data. Clearly at the decoder the
inverse operation ﬁrst requires the bits of b to be obtained
through either MP or ML decoding. Since G is systematic, the
bits of m
′
are explicit in b. The bits of m can then be found
by applying the inverse of S in the descrambling operation
m = m
′
S
−1
. (4)
This process ampliﬁes errors in the decoding process as a
function of the sparsity of S
−1
. Note that S
−1
can be obtained
through e.g. LU decomposition [32], with modiﬁcations for
GF(2). In our experience, randomly generated scrambling
matrices which are nonsingular are likely to have inverses with
just less than 50% of the entries equal to one on average. If
S matrices are randomly generated until one can be inverted
to obtain S
−1
, the resulting despreading operation is enough
to cause even a single error in m
′
to result in roughly a 50%
error rate in m as shown in Section VII. Although this can
be made more precise, the result is intuitive because a bit in
m is a linear combination of bits in m
′
. Thus, if there are an
odd number of bits in error in a given combination of say m
i
,
then that bit will be in error. On average, the row weight in
S
−1
is approximately k/2, and the expectation of k/2 bits in
error holds for any number of errors in m
′
.
6
Since only one (S, S
−1
) pair need be used by the system,
the matrices can be generated offline, which does not affect
encoding and decoding complexity. However, the complexity
of both the encoder and the decoder is increased due to the
matrix multiplications in (3) and (4). Both of these operations
are O(k
3
). General systematic encoder complexity is O(N
2
)
because G is not sparse by design [28], although improvements
can be made using appropriate preprocessing as outlined in
[31]. The encoding technique speciﬁed in [31] gives encoder
complexity of O(N+g
2
) where g is the gap in an approximate
lower triangular form of the parity check matrix and is less
than N − k. The complexities for the ML and MP decoders
are given in Sections IIIA and IIIB as O(N
3
) and O(N),
respectively.
B. Puncturing
The next step in the encoding process is to apply a punctur
ing pattern to each codeword in B. Let the puncturing pattern
R ∈ V indicate which bits in each b
i
are to be punctured.
Recall that V is the set of variable nodes in the Tanner graph
G
C
. The punctured blocks P = (p
1
, p
2
, . . . , p
L
), where each
p
i
= (p
i
1
, p
i
2
, . . . , p
i
n
) are shown in Fig. 3 to have length n,
which was deﬁned in Section II to be the blocklength of the
encoder. All bits which are not punctured belong to the set Q
so that V = R + Q; therefore, the length of each block in P
is equal to Q = n. The puncturing pattern is chosen in order
to induce stopping sets in an eavesdropper’s received data.
Deﬁnition 3. A puncturing pattern R is deemed acceptable
if and only if there are no stopping sets in R, and R + v
contains some nonempty stopping set S
v
for every variable
node v ∈ Q.
Such a set R can be constructed using the random technique
outlined in Algorithm 2, which also calls Algorithm 3 in
order to check for stopping sets in a computationally tractable
manner [11].
Algorithm 2 Finds an acceptable puncturing pattern R within
the set of all variable nodes V .
1: Initialize: R = v, for a randomly chosen v ∈ V , and
Q = ∅.
2: if (V \(R ∪ Q) = ∅) then
3: Choose another v randomly from V \(R ∪ Q).
4: Run Algorithm 3 with A = R + v to check for
stopping sets.
5: if (R+v has a stopping set, i.e. Algorithm 3 returns
true) then
6: Q = Q+v.
7: else
8: R = R +v.
9: end if
10: Jump to 2.
11: else
12: Terminate.
13: end if
Algorithm 3 Checks for the existence of stopping sets in a
subset of variable nodes, A ⊆ V [11].
1: Initialize: S = A
2: if (S = ∅) then
3: Induce subgraph G
′
in G using (S ∪ N(S)).
4: if (∃ a check node in G
′
with degree 1) then
5: Delete variable nodes from S which are adjacent
to check nodes of degree 1 in G
′
, jump to 2.
6: else
7: Return true. S is the maximal nonempty stop
ping set in A.
8: end if
9: else
10: Return false. There is no nonempty stopping set in
A.
11: end if
Lemma 2. The output of Algorithm 2 is always an acceptable
puncturing pattern R as deﬁned in Deﬁnition 3.
Proof: We must ﬁrst show that upon completion of
Algorithm 2, there are no stopping sets in R. Assume for
a contradiction that R has a stopping set. Then there is a bit
v ∈ R which when added to R during the construction process,
caused a stopping set to ﬁrst appear. Then by Algorithm 2,
v / ∈ R. This provides the contradiction. It remains to be proved
that Algorithm 3 operates as expected.
Proposition 3. Algorithm 3 always returns true when A has
a nonempty stopping set, and always returns false otherwise.
Proof of Proposition: Suppose that the bits in A were
actually erasures over the BEC, and Algorithm 1 was used
to decode. Realize that erasures recovered in the ith iteration
of Algorithm 1 correspond exactly to the nodes deleted in
the ith iteration of Algorithm 3. If all bits can be resolved
using MP decoding then all nodes will be deleted in Algorithm
3, and false is returned. If, however, MP decoding returns a
partial codeword, then Algorithm 3 will return true because
all remaining bits have degree greater than one in the induced
subgraph G
′
. Therefore, by Lemma 1, the remaining nodes
comprise the maximal stopping set of A.
To complete the proof of Lemma 2, we must also show that
for any v ∈ Q, R + v has a nonempty stopping set. Since in
Algorithm 2 every v ∈ Q is such that for some subset R
′
⊆ R,
R
′
+v has a stopping set, therefore R+v has a stopping set
for any v ∈ Q.
Thus, puncturing according to R in each b
i
for i =
1, 2, . . . , L, guarantees that every bit in each p
i
is crucial for
successful MP decoding.
Complexity of Algorithm 2 is linear in the blocklength N,
because it chooses N − 1 bits in a random order, and calls
Algorithm 3 after each choice. The complexity of Algorithm
3 in the worst case, is quadratic in U = N − k the number
of check nodes in G
C
. Line 5 of the algorithm will be
repeated a maximum of
¸
U
i=1
i =
U
2
+U
2
times if a single
node is deleted each time the line is executed. Therefore, the
complexity of ﬁnding an acceptable puncturing pattern R is
7
at most quadratic in U, and linear in N, i.e. has complexity
O(NU
2
). Thus the algorithm can be used in practical system
design to compute R offline.
C. Regular vs. Irregular Codes
The overall rate k/n of the nonsystematic and punctured
code is a function of the rate of the systematic LDPC code,
and R. Simulations have shown that the size of R is very
much a function of the degree distribution on C, although the
exact relationship is still unknown.
Example 1. Let C be a regular rate1/2 code with N = 1000,
w
c
= 4, and w
r
= 8, where w
c
and w
r
are the ﬁxed column
and row weights of the parity check matrix, respectively.
The size of R appears to be Gaussiandistributed for this
family of codes with a mean size of approximately 436, with
variance roughly equal to 15. Let us examine, however, an
irregular ensemble with the same rate and blocklength, but
having the following edge degree distribution pair: η(x) =
0.32660x + 0.11960x
2
+0.18393x
3
+ 0.36988x
4
on variable
node weights, and χ(x) = 0.78555x
5
+ 0.21445x
6
on check
node weights (see [28] pg. 664), where H is formed using the
socket approach given in [30]. Here the distribution on R
is much tighter, ranging from 496 to 500. The size on R is
equal to 500 with probability roughly equal to 0.1, 499 with
probability around 0.56, and 498 with probability near 0.26.
Thus with some degree of conﬁdence, we can claim that for
this rate1/2 irregular code ensemble the random technique
given in Algorithm 2 yields a puncturing pattern with size
nearly equal (and equal in some cases) to N −k.
As a direct result, a puncturing pattern generated for the
irregular code of the example has a unique property. Namely,
that for some patterns D
MP
= D
ML
.
Lemma 3. Let R
c
denote the indices of the channelerased
bits of p
i
, and D
MP
and D
ML
denote the degrees of freedom
using MP decoding and ML decoding, respectively. If an ir
regular LDPC code is employed over the BEC with intentional
puncturing determined by Algorithm 2 in which R = N −k,
then D
ML
= D
MP
= R
c
.
Proof: The ML portion of this lemma follows from
Proposition 1, i.e. that the system of equations in (2) can
resolve a maximum of N − k erasures. Since R = N − k,
any erasure by the channel is guaranteed to give a degree of
freedom in the decoder. The MP case is the same because by
Proposition 2, the MP decoder can correct at most N − k
erasures. Thus any bits erased by the channel (or perhaps
another set of bits of equal size) must be guessed in order
to decode. Therefore, the effectiveness of the ML decoder is
equal to that of the MP decoder when R = N −k.
It should be noted that if the sum of systematic bits in
R + R
c
is less than D, a bruteforce attack on these bits
might be more appealing to an attacker than decoding the
entire codeword. To cover this possibility, D can be thought
of as the minimum between the number of systematic bits
missing to the eavesdropper, and the degrees of freedom in the
decoder. Although, in practice the number of systematic bits
removed through puncturing or erased by the channel usually
exceeds the degrees of freedom in the decoder.
D. Interleaving
The role of the interleaver is to ensure that all packets
must be obtained errorfree for successful decoding in any
and all encoded blocks. To do this, we construct a collection
of η packets to be transmitted X = (x
1
, x
2
, . . . , x
η
) in the
following manner. Alice deﬁnes α a small positive integer
which is assumed to divide n (not necessary but convenient
for notation and analysis) such that η = n/α, and the ith
packet is formed as
x
i
= (x
i
1
, x
i
2
, . . . , x
i
αL
)
= (p
1
(i−1)α+1
, . . . , p
1
iα
, p
2
(i−1)α+1
, . . . , p
2
iα
, . . . ,
p
L
(i−1)α+1
, . . . , p
L
iα
). (5)
for i = 1, 2, . . . , η. In words, we form the packet x
i
by
concatenating α bits from each encoded and punctured block
p
j
for j = 1, 2, . . . , L. Therefore, a single erased packet causes
α erasures in each punctured block at the decoder. Since we
have designed R so that any erasure of a bit in p
j
results in
MP decoding failure, we can be assured that any erased packet
will cause all L blocks to fail in the MP decoder due to this
interleaving. If R can be designed so that R = N −k, then
the same result holds for ML decoding by Lemma 3.
Corollary 1. If R = N − k and packets are formed
according to (5), then the number of degrees of freedom in
the ith codeword is D
i
ML
= D
i
MP
= R
i
c
 = αR
p
 for
i = 1, 2, . . . , L, where R
p
is a list of all erased packets.
Furthermore, D
i
ML
= D
j
MP
∀i, j.
Proof: The ﬁrst part is trivial and follows directly from
Lemma 3 and (5). We see that D
i
ML
= D
j
MP
because a
missing packet means exactly α degrees of freedom in each
block, irrespective of decoder choice.
V. DECODER FOR LEGITIMATE USERS
The decoder for legitimate users is simply the inverse of all
encoder operations. A user can decode all data as long as every
packet is received errorfree. Legitimate users make use of
the authenticated feedback channel to request retransmission
of packets erased in the main channel during transmission.
Time delay and queueing aspects of ARQ protocols are well
addressed in the literature, e.g. [40] and its references. The
decoding process is shown pictorially in Fig. 4. Once all
packets are obtained in Y , the bits are deinterleaved back into
their intentionally punctured codewords
˜
P. The MP decoder
is then guaranteed to decode the puncturing in linear time
with the blocklength to obtain
˜
B [28], and the inverse of
the scrambling matrix is applied to the systematic decoded
bits using (4) to obtain
˜
M. Once all packets are known, this
decoder guarantees that
˜
M = M.
VI. SECURITY AGAINST WIRETAPPERS
An eavesdropper can decode the data using Bob’s decoder in
Fig. 4 if all packets are obtained errorfree. The independence
8
Buffer Deinterleaver
Message
Passing
Map
to M
Y
η packets
size αL
˜
P
L blocks
length n
˜
B
L blocks
length N
˜
M
L blocks
length k
Fig. 4. Detailed block diagram of Bob’s decoder. Number and size of blocks
or packets are indicated at each step.
of Q
m
and Q
w
, however, prevents Eve from receiving packets
as a function of δ and ǫ, the respective probabilities of erasures
in Q
m
and Q
w
. Let R
ef
be the event that a single packet
is received errorfree by at least one eavesdropper after all
retransmissions of the packet requested by any legitimate
receiver have been ﬁlled. This section shows the blanket
security effect of our encoder over nearly the entire region
of possible (δ, ǫ) pairs by completely characterizing D for the
system. We ﬁrst show D to be binomially distributed, and then
provide security results for all scenarios studied as a function
of R
ef
. Expressions for R
ef
follow for the wiretap channel
case, the broadcast scenario with m intended receivers, the
case with l collaborating eavesdroppers, and the most general
case with both m legitimate receivers and l collaborating
eavesdroppers. For cases beyond the simple wiretap scenario,
all m legitimate receivers are given access to the feedback
channel, and all l eavesdroppers are restricted to passive status
through authentication on the channel. Retransmissions in the
ARQ protocol are executed only after requests are received
from all legitimate parties.
Since proper design of the encoder was shown to cause
D to have the same realization for every codeword and be
independent of the decoder in Corollary 1, we understand D to
represent the degrees of freedom in every codeword assuming
either the ML or MP decoder for the rest of the paper.
A. General Security Theorems
Lemma 4. The random variable D which governs the number
of degrees of freedom in a received codeword is a scaled
binomial random variable. Thus, for 1 ≤ β ≤ αη,
Pr(D ≥ β) = 1 −
⌈β/α⌉−1
¸
i=0
η
i
(1 −Pr(R
ef
))
i
Pr(R
ef
)
η−i
.
(6)
Proof: By deﬁnition, packets are erased for eavesdroppers
with probability (1−Pr(R
ef
)). Since there are η independent
Bernoulli trials, each identically distributed, the sum of erased
packets R
p
 is a binomial random variable with parameters
η and (1 − Pr(R
ef
)) [41]. Then, by Corollary 3, D = αR
p

where α bits from every codeword are sorted into each packet.
Thus, D is a scaled binomial random variable; speciﬁcally
D ∼ Bin(η, 1 − Pr(R
ef
))α. Since D = αR
p
, then D ≥ β
implies that αR
p
 ≥ β. Clearly, this requires that R
p
 ≥
⌈β/α⌉. The result in (6) follows directly.
The expected value is therefore known due to the binomial
structure of D. We also prove an important property in regards
to E[D].
Theorem 1. If R = N − k in the encoder, then k/n = 1,
and E[D] = H(XZ) = (1 −Pr(R
ef
))n.
Proof: Since R = N −k, then n = Q = N −R = k.
Let us consider the model for a single codeword (L = 1). We
can then assume η independent uses of a PEC with packets of
length α. Let X be the input to the channel, and Z the output,
where α bits are erased with probability (1 − Pr(R
ef
)) or
received errorfree with probability Pr(R
ef
) with each channel
use. The input distribution on α bits is uniform because the
input distribution on M is uniform, and the encoding function
of rate one forms a bijection on k bits. Thus, H(X) = α.
Clearly H(ZX) = H(1 − Pr(R
ef
)), and H(Z) = H(1 −
Pr(R
ef
)) + Pr(R
ef
)α (see [37], pg. 188). Then,
H(XZ) = H(ZX) −H(Z) +H(X) (7)
= α(1 −Pr(R
ef
)). (8)
Therefore, with η independent uses of the channel (one for
each packet), H(XZ) = (1−Pr(R
ef
))ηα = (1−Pr(R
ef
))n.
Since the mean of a binomial random variable is the product of
its two parameters, E[D/α] = (1 −Pr(R
ef
))η, and therefore
E[D] = (1 −Pr(R
ef
))ηα = (1 −Pr(R
ef
))n. (9)
Thus we see that E[D] is equal to the informationtheoretic
value of equivocation when the puncturing is accomplished so
that R = N−k. Therefore, perfect secrecy is obtained when
E[D] = k. Of course, this occurs when Pr(R
ef
) = 0, which
implies that the eavesdropper obtains zero packets. Thus, this
scheme cannot achieve perfect secrecy. However, it can be
shown using the achievable rates in [4] that E[D] approaches
the maximum achievable equivocation for k/n = 1. These
results now require expressions for Pr(R
ef
) to complete the
security characterization in D.
B. One Receiver and One Wiretapper
The simplest case matches the setup given in Fig. 1, and
was originally proved in [11].
Lemma 5 (Harrison, et. al. [11]). In the wiretap channel
scenario with feedback, the probability that Eve obtains a
single transmitted packet is given as
Pr(R
ef
) =
1 −ǫ
1 −ǫδ
. (10)
Intuition of security for the wiretap channel in terms of D
can be gained by using the expression for Pr(R
ef
) in (10)
to plot (6) for different values of β, α, and η. Fig. 5 shows
Pr(D ≥ 1) for η = 100. Note that when β = 1, α is not
required to evaluate (6). This case is provided to show the
plateau and falloff regions in the (δ, ǫ) grid for Pr(D ≥ β).
Throughout the plateau region, stopping sets occur in the MP
decoder and the ML decoder has linearly dependent columns
in H¯
K
with probability very close to one. The results of
Lemmas 4 and 5 give Pr(D ≥ 1) = 1 −
1−ǫ
1−ǫδ
η
, which can
be examined in the limit as η → ∞. It is immediate that except
for when δ = 1 or ǫ = 0, Pr(D ≥ 1) goes to one for all (δ, ǫ)
pairs as η gets large. From Theorem 1, if R = N − k, then
9
0
0.2
0.4
0.6
0.8
1
0
0.5
1
0
0.2
0.4
0.6
0.8
1
ǫ
δ
Pr(D ≥ 1) with η = 100
Fig. 5. Pr(D ≥ 1) when η = 100, as a function of the respective erasure
probabilities in Qm and Qw, δ and ǫ.
0
0.2
0.4
0.6
0.8
1
0
0.5
1
0
0.2
0.4
0.6
0.8
1
ǫ
δ
Pr(D ≥ 1) with η = 5000
Fig. 6. Pr(D ≥ 1) when η = 5000, as a function of the respective erasure
probabilities in Qm and Qw, δ and ǫ.
η =
n
α
=
k
α
. Clearly η grows with k; therefore, the probability
of security approaches one as k gets large. Since large k
necessitates large n and N, the same holds true for these
blocklength parameters. Codes with blocklength N = 10, 000
are deemed practical by today’s standards. For α = 1 and for
a carefully chosen R with size roughly 5000, then η ≈ 5000.
This case is shown in Fig. 6, where as expected, all nontrivial
(δ, ǫ) pairs show Pr(D ≥ 1) ≈ 1.
But of course, a single degree of freedom is easily guessed
in an attack. Let us examine the effects on security when β
takes on a larger value. This perspective is provided in Fig. 7,
where η = 5000 and β = 50 with α = 1. As can be seen in the
ﬁgure, there exists a cutoff region, where (δ, ǫ) pairs within the
plateau region will experience at least β degrees of freedom
with probability very close to one, while pairs outside the
region will have D < β with probability close to one. Owing
to the severity of the cutoff, the threshold can be approximated
0
0.2
0.4
0.6
0.8
1
0
0.5
1
0
0.2
0.4
0.6
0.8
1
ǫ
δ
Pr(D ≥ 50) with α = 1 and η = 5000
Fig. 7. Pr(D ≥ 50) when α = 1 and η = 5000, as a function of the
respective erasure probabilities in Qm and Qw, δ and ǫ.
by setting Pr(D ≥ β) = 0.5 in (6), and deriving a function of
δ and ǫ. This technique provides a unique threshold for each
speciﬁc set of values for β, α, and η.
Finally, let us inspect the E[D] according to Theorem 1 for
this case.
E[D] =
ǫ(1 −δ)
1 −ǫδ
ηα =
ǫ(1 −δ)
1 −ǫδ
n. (11)
This function grows linearly with n which is equal to k when
R = N −k. Thus, to drive D to a large number in practice,
we simply must use a larger dimension in the encoder. Note
that in the expectation the choice of α does not affect security;
although, α = 1 allows η to be as large as possible, which
provides more conﬁdence that D ≈ E[D] by the law of large
numbers ([41], pg. 193).
C. Multiple Intended Receivers
In this section, we move past the single user case, and ad
dress the more general broadcast channel originally presented
in [42]. There is also a single eavesdropper with probability
of an erased packet equal to ǫ as before. This case allows us
to understand the repercussions on security of having more
than one user for which we allow feedback requests. We can
characterize security using Lemma 4 and Theorem 1 in the
m user case by ﬁnding an expression for Pr(R
ef
). Recall
that R
ef
is the event that Eve receives a single transmitted
packet as before. Let each user have an independent PEC
with probability of erasure in the ith user’s channel as δ
i
for
i = 1, 2, . . . , m. The following lemma is necessary to obtain
Pr(R
ef
).
Lemma 6. If Q
1
, Q
2
, . . . , Q
m
are independent geometri
cally distributed random variables with success parameters
λ
1
, λ
2
, . . . , λ
m
, and T
m
= max(Q
1
, Q
2
, . . . , Q
m
), then the
probability mass function on T
m
is given as
f
m
(t) =
m
¸
i=1
(1 −(1 −λ
i
)
t
) −
m
¸
j=1
(1 −(1 −λ
i
)
t−1
). (12)
10
Proof: The proof is omitted for the sake of brevity, but
follows from an inductive assumption on m.
Armed with this lemma, we can obtain Pr(R
ef
) for the
broadcast channel case.
Lemma 7. Using the broadcast channel with m independent
legitimate receivers and an eavesdropper
Pr(R
ef
) =
m
¸
i=1
1 −ǫ
1 −ǫδ
i
−
¸
i<j
1 −ǫ
1 −ǫδ
i
δ
j
+
¸
i<j<k
1 −ǫ
1 −ǫδ
i
δ
j
δ
k
−· · · +
(−1)
m+1
1 −ǫ
1 −
¸
m
i=1
δ
i
where the notation i < j means the summation traverses over
all pairs (i, j) such that i, j ∈ {1, 2, . . . , m} and i < j, and
similarly for i < j < k, etc.
Proof: Note that if the ith user requests a single packet
until it is received, and in each transmission it is received
with probability δ
i
, then the total number of times the user
must request the packet is governed by a geometric ran
dom variable with success parameter 1 − δ
i
[41]. Deﬁne
W
1
, W
2
, . . . , W
m
as the geometric random variables govern
ing the total number of transmissions necessary for users
1, 2, . . . , m, respectively, to obtain the packet errorfree. Then,
let W = max(W
1
, W
2
, . . . , W
m
). W governs the total number
of transmissions necessary for all legitimate parties to receive
the packet.
By Lemma 6, we know that
Pr(W = w) =
m
¸
i=1
(1 −δ
w
i
) −
m
¸
j=1
(1 −δ
w−1
i
) (13)
because the success parameter for W
i
is 1 − δ
i
for i =
1, 2, . . . , m. Finally, we point out that
m
¸
i=1
(1−δ
i
) = 1−
m
¸
i=1
δ
i
+
¸
i<j
δ
i
δ
j
−
¸
i<j<k
δ
i
δ
j
δ
k
+· · · (−1)
m
m
¸
i=1
δ
i
(14)
which implies that
Pr(W = w) =
¸
1 −
m
¸
i=1
δ
w
i
+
¸
i<j
(δ
i
δ
j
)
w
−· · · +
(−1)
m
(
m
¸
i=1
δ
i
)
w
+
¸
−1 +
m
¸
i=1
δ
w−1
i
−
¸
i<j
(δ
i
δ
j
)
w−1
+· · · +
(−1)
m+1
(
m
¸
i=1
δ
i
)
w−1
=
m
¸
i=1
δ
w−1
i
(1 −δ
i
) −
¸
i<j
(δ
i
δ
j
)
w−1
(1 −δ
i
δ
j
)
+· · · + (−1)
m+1
(
m
¸
i=1
δ
i
)
w−1
(1 −
m
¸
i=1
δ
i
).
With these pieces in place, we commence proving the
lemma.
Pr(R
ef
) =
∞
¸
w=1
Pr(R
ef
W = w) Pr(W = w)
=
∞
¸
w=1
(1 −ǫ
w
)
¸
m
¸
i=1
(1 −δ
w
i
) −
m
¸
j=1
(1 −δ
w−1
i
)
¸
=
∞
¸
w=1
(1 −ǫ
w
)
m
¸
i=1
δ
w−1
i
(1 −δ
i
)−
¸
i<j
(δ
i
δ
j
)
w−1
(1 −δ
i
δ
j
) +· · ·
+ (−1)
m+1
(
m
¸
i=1
δ
i
)
w−1
(1 −
m
¸
i=1
δ
i
)
=
m
¸
i=1
1 −δ
i
δ
i
∞
¸
w=1
(1 −ǫ
w
)δ
w
i
−
¸
i<j
1 −δ
i
δ
j
δ
i
δ
j
∞
¸
w=1
(1 −ǫ
w
)(δ
i
δ
j
)
w
+· · ·
+(−1)
m+1
1 −
¸
m
i=1
δ
i
¸
m
i=1
δ
i
∞
¸
w=1
(1 −ǫ
w
)(
m
¸
i=1
δ
i
)
w
=
m
¸
i=1
1 −δ
i
δ
i
∞
¸
w=0
δ
w
i
−
∞
¸
w=0
(ǫδ
i
)
w
−
m
¸
i<j
1 −δ
i
δ
j
δ
i
δ
j
∞
¸
w=0
(δ
i
δ
j
)
w
−
∞
¸
w=0
(ǫδ
i
δ
j
)
w
+· · · + (−1)
m+1
1 −
¸
m
i=1
δ
i
¸
m
i=1
δ
i
×
∞
¸
w=0
(
m
¸
i=1
δ
i
)
w
−
∞
¸
w=0
(ǫ
m
¸
i=1
δ
i
)
w
=
m
¸
i=1
1 −ǫ
1 −ǫδ
i
−
m
¸
i<j
1 −ǫ
1 −ǫδ
i
δ
j
+· · · +
(−1)
m+1
1 −ǫ
1 −
¸
m
i=1
δ
i
. (15)
D. Collaborating Eavesdroppers
In this section we consider the case with l eavesdrop
pers working together in order to obtain the cryptogram M,
each with a possibly unique probability of packet erasure
ǫ
1
, ǫ
2
, . . . , ǫ
l
. All are assumed to obtain packets through inde
pendent PECs. It is simpler to ﬁrst consider a single legitimate
user Bob with probability of packet erasure δ. Then the general
result which assumes m friendly parties with l collaborating
eavesdroppers comes easily.
Lemma 8. For l eavesdroppers and a single legitimate re
11
ceiver,
Pr(R
ef
) =
1 −
¸
l
i=1
ǫ
i
1 −δ
¸
l
i=1
ǫ
i
. (16)
Proof: The proof is straightforward if we note that
collaborating eavesdroppers receive a single sent packet if at
least one of them obtains the packet errorfree. Let W be
a geometric random variable with success parameter 1 − δ.
This governs the number of transmissions for each packet.
Therefore,
Pr(R
ef
) =
∞
¸
w=1
Pr(R
ef
W = w) Pr(W = w)
=
∞
¸
w=1
(1 −(
l
¸
i=1
ǫ
i
)
w
)(1 − δ)δ
w−1
=
1 −δ
δ
∞
¸
w=0
δ
w
−(δ
l
¸
i=1
ǫ
i
)
w
=
1 −
¸
l
i=1
ǫ
i
1 −δ
¸
l
i=1
ǫ
i
. (17)
This answer provides an easy bridge to an extremely general
result.
Corollary 2. For the scenario with m intended parties and l
eavesdroppers with similar notation as before,
Pr(R
ef
) = (1 −ǫ
′
)
¸
m
¸
i=1
1
1 −ǫ
′
δ
i
−
¸
i<j
1
1 −ǫ
′
δ
i
δ
j
+· · · +
(−1)
m+1
1
1 −ǫ
′
¸
m
i=1
δ
i
, (18)
where ǫ
′
=
¸
l
i=1
ǫ
i
.
Proof: This proof is not included for the sake of brevity,
but is nearly identical to the proof of Lemma 7 with slight
alterations as indicated by the proof of Lemma 8 to allow for
multiple eavesdroppers.
VII. CRYPTOGRAPHIC SECURITY ENHANCEMENTS
The probabilistic security analysis in Section VI assumes
that attacks on the cryptography become more difﬁcult or
completely infeasible as D gets large. It remains to show the
effect of the coding scheme on attacks of the cryptography.
As an example, fast correlation attacks on stream ciphers are
known to be possible, even if the cryptogram is errorprone. It
was noted in [8], [9], [10] that speciﬁc attacks from [7] were
made more difﬁcult, and in some cases impossible due to error
rates in the cryptogram beyond a certain threshold. Certainly
as bit error rates approach 0.5 in the cryptogram, attacks of
the fastcorrelation variety break down completely.
Let
ˆ
P = (ˆ p
1
, ˆ p
2
, . . . , ˆ p
L
) be the collection of punctured
codewords obtained by Eve, where ˆ p
i
= (ˆ p
i
1
, ˆ p
i
2
, . . . , ˆ p
i
n
),
and let
ˆ
B = (
ˆ
b
1
,
ˆ
b
2
, . . . ,
ˆ
b
L
) be the decoded codewords,
where
ˆ
b
i
= (
ˆ
b
i
1
,
ˆ
b
i
2
, . . . ,
ˆ
b
i
N
). Finally, deﬁne the implied block
structure of Eve’s decoder output as
ˆ
M = ( ˆ m
1
, ˆ m
2
, . . . , ˆ m
L
),
where ˆ m
i
= ( ˆ m
i
1
, ˆ m
i
2
, . . . , ˆ m
i
k
). Each channelerased bit in ˆ p
i
10
0
10
1
10
2
10
3
0.4
0.42
0.44
0.46
0.48
0.5
0.52
0.54
0.56
0.58
0.6
ML
MP
γ
Error propagation for incorrect guesses
E
r
r
o
r
r
a
t
e
i
n
ˆ
M
Fig. 8. The simulated error rates in Eve’s decoded cryptogram
ˆ
M when γ
errors are made in guessing bit values for D degrees of freedom in Eve’s
received codewords.
yields a degree of freedom in
ˆ
b
i
, and complete recovery of
ˆ
b
i
requires that D bits in ˆ p
i
be guessed correctly. If a guess
is incorrect, there will be at least as many errors in
ˆ
b
i
as
the minimum distance of the LDPC code. The descrambling
process in (4) magniﬁes any errors in
ˆ
b
i
to an expected bit
error rate of 0.5 in ˆ m
i
. Therefore, since all guesses are equally
likely, a bruteforce attack on D bits must be accomplished to
obtain each ˆ m
i
.
Simulations of the endtoend encoder and decoder clearly
indicate the expected bit error rate in
ˆ
M of 0.5 for an incorrect
guess. Simulations were performed using the irregular LDPC
code of Example 1 with N = 1000 and k = 500. Puncturing
patterns used were such that R ≥ 498 bits. S was formed
randomly by setting roughly half of the k
2
entries equal to one
until such a matrix was invertible using the LU decomposition
in GF(2). Let γ be the number of bits in Eve’s guess which are
incorrect. We offer simulation results for γ = 1, 2, 3, 4, 5, 10,
15, 20, 25, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, and 400 in
Fig. 8. Each γ value was tested 300 times on both the MP and
ML decoder, while a new puncturing pattern R was generated
every 10 experiments, and a new code from the ensemble was
selected every 30 experiments. All tests produced error rates
in between 0.414 and 0.578 in
ˆ
M, while the mean depicted a
0.5002 bit error rate with no noticeable difference between MP
and ML decoders, or between γ values, as Fig. 8 indicates.
These results imply that unless D bits are guessed exactly,
the cryptography must be attacked with an average bit error
rate of 0.5 in
ˆ
M. We can certainly expect such an attack to fail
for fast correlation attacks on stream ciphers, but the notion
that any attack on a cryptosystem could absorb such error rates
and still succeed is obviously shortsighted. However, since an
attack could feasibly be staged using a single block of
ˆ
M, we
will only guarantee failure of the attack if every block in
ˆ
M is
incorrect. Using similar logic, it can be said that if an attack
would succeed using the errorfree ciphertext M, then it may
fail even if a single block in
ˆ
M is in error.
12
Theorem 2. Deﬁne the complexity of a cryptographic attack
to be C
A
. Let D be the degrees of freedom of each of L blocks
in
ˆ
B. Then the expected complexity C
PL
of a successful attack
on the system is bounded as
2
E[D]
(1 −2
−1/L
)C
A
≤ C
PL
≤ 2
E[D]
(2
−1/L
)C
A
. (19)
Proof: By Corollary 1 each codeword in
ˆ
B has the same
number of degrees of freedom. Thus, E[D] is the average
number of bits that must be guessed in each of L punctured
codewords in
ˆ
P. Assume that an attacker guesses bit patterns
on all codewords in
ˆ
P simultaneously. The correct bit patterns
of the channelerased bits in the L codewords
ˆ
P are uniformly
distributed over 2
E[D]
possibilities in each block. The lower
bound is formulated by the expected number of guesses until
at least one of L codewords is found. Model the correct
bit patterns in the L codewords as i.i.d. discrete uniform
random variables on {0, 1, . . . , 2
E[D]
−1}, say U
1
, U
2
, . . . , U
L
.
Without loss of generality, assume that an attacker begins
by guessing zero for each U
i
and proceeds in an orderly
fashion. Then, the expected number of guesses until at least
one is correct is given by E[min(U
1
, U
2
, . . . , U
L
)]. Thus,
we calculate Pr(min(U
1
, U
2
, . . . , U
L
) ≥ z) = Pr(U
1
≥
z, Pr(U
2
≥ z), . . . , U
L
≥ z) = (Pr(U
1
≥ z)(Pr(U
2
≥
z) . . . (Pr(U
L
≥ z) =
2
E[D]
−z
2
E[D]
L
. (20)
Now, solve for z in Pr(min(U
1
, U
2
, . . . , U
L
) ≥ z) = 0.5 for
a close bound on the expectation to get the lower bound.
The upper bound is calculated similarly, but we assume that
all patterns must be guessed in order to guarantee success,
therefore, the bound is given by ﬁnding the z that solves
Pr(max(U
1
, U
2
, . . . , U
L
) < z) = 0.5.
As a check on these bounds, for L = 1 we expect 2
E[D]−1
guesses on average for a successful attack. In this case, both
bounds meet at 2
E[D]−1
C
A
, as expected. Although these
bounds are helpful, when L > 1 the bounds are not as tight,
and thus provide limited insight into the true increase in com
plexity of the attack. More than likely, an attack will require at
least a certain number of consecutive blocks in M to execute
successfully [7]. Clearly a 0.5 bit error rate in any block
would destroy an attack with these requirements. Therefore,
the upper bound in (19) serves as a good approximation to
the expected amount of work necessary to complete the attack,
with L being set by the attack speciﬁcations. Thus we see, that
our system appends a multiplier which is exponential in E[D]
to the complexity of a cryptographic attack through practical
physicallayer security.
VIII. CONCLUSIONS
In conclusion, we have presented the security metric of
degrees of freedom D in an eavesdropper’s received code
words, and applied this metric to a physicallayer coding
scheme to show cryptographic security enhancements due to
channel coding. The coding scheme relies on the nature of
independent packet erasure channels and ARQ to provide
secrecy and reliability, respectively. Endtoend details of the
encoder and decoder were provided. Design criteria were
speciﬁed to maximize D in a maximumlikelihood attack
as well as a messagepassing attack. This involved security
performance comparisons of LDPC codes with varying degree
distributions, where irregular codes were shown to outperform
regular codes in maximizing D. The expected value of D
was also shown to be equal to H(XZ) in our encoder.
Probabilistic security results were obtained and made general
so as to apply to multiple receivers and multiple collaborative
attackers. Simulation results were provided which show that
unless an attacker can guess D symbols in the received data
correctly, the system yields a bit error rate of 0.5 in the
cryptogram, thus necessitating a bruteforce attack on D bits
for each codeword. The end result on the expected increase
in attack complexity on the cryptosystem due to our scheme
is a multiplier which is exponential in E[D]. The system
was shown to provide cryptographic security enhancement,
even when eavesdroppers have an advantage over legitimate
receivers in signal quality.
REFERENCES
[1] C. E. Shannon, “Communication theory of secrecy systems,” Bell Syst.
Tech. J., vol. 28, no. 4, pp. 656–715, 1949.
[2] A. D. Wyner, “The wiretap channel,” Bell Syst. Tech. J., vol. 54, no. 8,
pp. 1355–1387, Oct. 1975.
[3] I. Csisz´ ar and J. K¨ orner, “Broadcast channels with conﬁdential mes
sages,” IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339–348, May 1978.
[4] L. H. Ozarow and A. D. Wyner, “Wiretap channel II,” Bell Syst. Tech.
J., vol. 63, no. 10, pp. 2135–2157, Dec. 1984.
[5] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. W. McLaughlin, “Wire
less informationtheoretic security,” IEEE Trans. Inf. Theory, vol. 54,
no. 6, pp. 2515–2534, June 2008.
[6] U. Maurer and S. Wolf, “Informationtheoretic key agreement: From
weak to strong secrecy for free,” in Advances in Cryptology — EURO
CRYPT 2000, ser. Lecture Notes in Computer Science, B. Preneel, Ed.,
vol. 1807. SpringerVerlag, May 2000, pp. 351–368.
[7] W. Meier and O. Staffelbach, “Fast correlation attacks on certain stream
ciphers,” Journal of Cryptology, vol. 1, pp. 159–176, 1989.
[8] W. K. Harrison and S. W. McLaughlin, “Physicallayer security: Com
bining error control coding and cryptography,” in Proc. IEEE Int. Conf.
Communications (ICC), Dresden, Germany, June 2009, pp. 1–5.
[9] ——, “Tandem coding and cryptography on wiretap channels: EXIT
chart analysis,” in Proc. IEEE Int. Symp. Information Theory (ISIT),
Seoul, Korea, JuneJuly 2009, pp. 1939–1943.
[10] ——, “EXIT charts applied to tandem coding and cryptography in
a wiretap scenario,” in Proc. IEEE Information Theory Workshop,
Taormina, Sicily, Oct. 2009, pp. 173–177.
[11] W. K. Harrison, J. Almeida, D. Klinc, S. W. McLaughlin, and J. Barros,
“Stopping sets for physicallayer security,” in Proc. IEEE Information
Theory Workshop (ITW), Dublin, Ireland, Aug.Sept. 2010, pp. 1–5.
[12] M. Baldi, M. Bianchi, and F. Chiaraluce, “Nonsystematic codes for
physicallayer security,” in Proc. IEEE Information Theory Workshop
(ITW), Dublin, Ireland, Aug.Sept. 2010, pp. 1–5.
[13] D. Klinc, J. Ha, S. McLaughlin, J. Barros, and B.J. Kwak, “LDPC codes
for the Gaussian wiretap channel,” in Proc. IEEE Information Theory
Workshop (ITW), Taormina, Sicily, Oct. 2009, pp. 95–99.
[14] D. Klinc, J. Ha, S. W. McLaughlin, J. Barros, and B.J. Kwak, “LDPC
codes for physical layer security,” in Proc. IEEE Global Telecommuni
cations Conf. (GLOBECOM), Honolulu, HI, Nov. 2009.
[15] M. Bloch, R. Narasimha, and S. W. McLaughlin, “Network security
for clientserver architecture using wiretap codes,” IEEE Trans. Inf.
Forensics Security, vol. 3, no. 3, pp. 404–413, Sept. 2008.
[16] Y. Liang, H. V. Poor, and L. Ying, “Secrecy throughput of MANETs
with malicious nodes,” in Proc. IEEE Int. Symp. Information Theory
(ISIT), Seoul, Korea, JuneJuly 2009, pp. 1189–1193.
[17] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and
J.M. Merolla, “Applications of LDPC codes to the wiretap channel,”
IEEE Trans. Inf. Theory, vol. 53, no. 8, pp. 2933–2945, Aug. 2007.
13
[18] L. Lai, H. El Gamal, and H. Poor, “The wiretap channel with feedback:
Encryption over the channel,” IEEE Trans. Inf. Theory, vol. 54, no. 11,
pp. 5059–5067, Nov. 2008.
[19] M. A. Latif, A. Sultan, and H. El Gamal, “ARQbased secret key
sharing,” in Proc. IEEE Int. Conf. Communications (ICC), June 2009,
pp. 1–6.
[20] A. T. Suresh, A. Subramanian, A. Thangaraj, M. Bloch, and S. W.
McLaughlin, “Strong secrecy for erasure wiretap channels,” in Proc.
IEEE Information Theory Workshop (ITW), Dublin, Ireland, Aug.Sept.
2010, pp. 1–5.
[21] E. Arıkan, “Channel polarization: A method for constructing capacity
achieving codes for symmetric binaryinput memoryless channels,” IEEE
Trans. Inf. Theory, vol. 55, no. 7, pp. 3051–3073, July 2009.
[22] E. Hof and S. Shamai, “Secrecyachieving polarcoding
for binaryinput memoryless symmetric wiretap channels,”
Submitted to IEEE Trans. Inf. Theory, Available online at
http://arxiv.org/PS cache/arxiv/pdf/1005/1005.2759v2.pdf, Aug. 2010.
[23] H. Mahdavifar and A. Vardy, “Achieving the secrecy
capacity of wiretap channels using polar codes,” Sub
mitted to IEEE Trans. Inf. Theory, Available online at
http://arxiv.org/PS cache/arxiv/pdf/1007/1007.3568v1.pdf, July 2010.
[24] M. Bloch and J. Barros, PhysicalLayer Security: From Information
Theory to Security Engineering. To Appear: Cambridge University
Press, 2010.
[25] D. R. Stinson, Cryptography Theory and Practice, 3rd ed., ser. Discrete
Mathematics and Its Applications, K. H. Rosen, Ed. Boca Raton, FL:
Chapman & Hall/CRC Taylor & Francis Group, 2006.
[26] U. Maurer and S. Wolf, “Secretkey agreement over unauthenticated
public channels—Part I: Deﬁnitions and a completeness result,” IEEE
Trans. Inf. Theory, vol. 49, no. 4, pp. 822–831, Apr. 2003.
[27] R. G. Gallager, LowDensity ParityCheck Codes. Cambridge, MA:
MIT Press, 1963.
[28] T. K. Moon, Error Correction Coding: Mathematical Methods and
Algorithms. Hoboken, NJ: John Wiley & Sons, Inc., 2005.
[29] T. Richardson and R. Urbanke, Modern Coding Theory. New York,
NY: Cambridge University Press, 2008.
[30] D. Burshtein and G. Miller, “An efﬁcient maximumlikelihood decoding
of LDPC codes over the binary erasure channel,” IEEE Trans. Inf.
Theory, vol. 50, no. 11, pp. 2837–2844, Nov. 2004.
[31] T. J. Richardson and R. L. Urbanke, “Efﬁcient encoding of lowdensity
paritycheck codes,” IEEE Trans. Inf. Theory, vol. 47, no. 2, pp. 638–
656, Feb. 2001.
[32] T. K. Moon and W. C. Stirling, Mathematical Methods and Algorithms
for Signal Processing. Upper Saddle River, NJ 07458: PrenticeHall,
Inc., 2000.
[33] K.M. Lee and H. Radha, “The design of the maximumlikelihood
decoding algorithm of LDPC codes over BEC,” in Proc. 41st Annu.
Conf. Information Sciences and Systems, Baltimore, MD, Mar. 2007.
[34] C. Di, D. Proietti, I. E. Telatar, T. J. Richardson, and R. L. Urbanke,
“Finitelength analysis of lowdensity paritycheck codes on the binary
erasure channel,” IEEE Trans. Inf. Theory, vol. 48, no. 6, pp. 1570–1579,
June 2002.
[35] E. Rosnes and O. Ytrehus, “An efﬁcient algorithm to ﬁnd all smallsize
stopping sets of lowdensity paritycheck matrices,” IEEE Trans. Inf.
Theory, vol. 55, no. 9, pp. 4167–4178, Sept. 2009.
[36] A. Orlitsky, K. Viswanathan, and J. Zhang, “Stopping set distribution
of LDPC code ensembles,” IEEE Trans. Inf. Theory, vol. 51, no. 3, pp.
929–953, Mar. 2005.
[37] T. M. Cover and J. A. Thomas, Elements of Information Theory.
Hoboken, NJ: John Wiley & Sons, Inc., 2006.
[38] A. Alloum, J. J. Boutros, G. I. Shamir, and L. Wang, “Nonsystematic
LDPC codes via scrambling and splitting,” in Proc. Allerton Conf.,
Monticello, IL, Sept. 2005, pp. 1879–1888.
[39] G. I. Shamir and J. J. Boutros, “Nonsystematic lowdensity paritycheck
codes for nonuniform sources,” Adelaide, South Australia, Sept. 2005,
pp. 1898–1902.
[40] A. Konheim, “A queueing analysis of two ARQ protocols,” IEEE Trans.
Commun., vol. 28, no. 7, pp. 1004–1014, July 1980.
[41] G. Grimmett and D. Stirzaker, Probability and Random Processes,
3rd ed. Oxford, UK: Oxford University Press, 2001.
[42] T. Cover, “Broadcast channels,” IEEE Trans. Inf. Theory, vol. 18, no. 1,
pp. 2–14, Jan. 1972.
our notion of security answers the practical question. design of these codes is heavily contingent on perfect CSI at the encoder. This technique was shown to apply to LDPC codes much more recently in [17]. Extensions: Security results are made general so as to apply to multiple receivers and multiple collaborative attackers. it is also the ﬁrst practical secrecy scheme which can operate on the general wiretap channel (nondegraded case) when both Qm and Qw are erasure channels. Such systems should be robust to varying channel parameters. with puncturing and interleaving steps in the encoder. which is an adaptation of the wiretap channel model from [2]. Related Works Our encoder makes use of fundamental practical design ideas which have been shown to offer secrecy.2 security metric for physicallayer schemes. Our scheme is robust against imperfect CSI. Finally. degrees of freedom D in an attacker’s knowledge of the cryptogram. This work in LDPC codes for secrecy has been furthered in [20]. Ultimately. every transmitted bit is crucial for decoding. how does the complexity of an attack on the cryptography change without perfect knowledge of the cryptogram? It has been shown previously using correlation attacks on stream ciphers that certain cryptographic attacks are still possible even on noisy cryptograms. A stronger notion of secrecy than (1) is also achieved for these codes in certain cases. namely. Although our codes can be shown to achieve (1) only under certain puncturing criteria. Our scheme punctures with the goal of inducing stopping sets in an eavesdropper’s received data. To be more precise. and nondegraded system models. The precise deﬁnition of degrees of freedom is also given. Furthermore. Ultimately. Therefore. where largegirth LDPC codes are considered. a technique shown to offer security in [13]. undetected eavesdroppers. although a threshold on the noise level exists such that errors beyond the threshold cause the attack to fail [7]. and requires no secret key and no rate reduction in data transmission. In [11]. According to our knowledge. In Section II. and achieves the secrecy condition in (1) for noiseless main channels when the wiretap channel is either a binary erasure channel (BEC) or a binary symmetric channel (BSC). in order to distribute erasures throughout the data set. imperfect CSI at the encoder. Legitimate receivers are given access to an authenticated public feedback channel for Automatic RepeatreQuest (ARQ). we discuss the system model for which our encoder is designed. if bits in M are uniformly zero or one and independent and identically distributed (i. For example. this scheme has very few design constraints. Optimization: Design criteria are speciﬁed to maximize the degrees of freedom in the maximumlikelihood attack as well as the messagepassing attack. although code construction is an issue for nonerasure channels. the main contribution of the coding scheme presented here is the cryptographic security enhancements shown using degrees of freedom as a security metric. this scheme was shown to inﬂict a passive eavesdropper using a messagepassing decoder with stopping sets with very high probability when a legitimate receiver and an eavesdropper view transmitted data through statistically independent packet erasure channels (PEC).). [16] in conjunction with wiretap codes developed in [17] to offer secrecy to various systems. Encoder Description: Endtoend details of the encoder and decoder are provided. As a result. Practical schemes should provide enough confusion to exploit even the smallest amount of noise in an eavesdropper’s received data to cause failure of these attacks on the cryptographic layer. Section III addresses background information regarding • • • Degrees of Freedom: The system security is analyzed using the new metric. then perfect secrecy implies D = k. Our notion of physicallayer security using D addresses the effectiveness of attacks on a cryptographic layer.d. In fact. [19] give results for ARQ and feedback wiretap systems. The scheme relies on a nonsystematic lowdensity paritycheck (LDPC) code design. this paper also analyzes combined cryptographic and physicallayer security in a practical coding scheme using degrees of freedom to characterize security. although these schemes only offer secrecy for degraded wiretap channels. [9]. all of this must be done while guaranteeing reliable communication between friendly parties. bounds on the increase in computational secrecy of an underlying cryptosystem are speciﬁed when the physicallayer encoding system is employed. Of course. Here the general idea of partitioning a group code into cosets to achieve secrecy was ﬁrst presented.i. In fact we show that H(XZ) = E[D] for a speciﬁc case. and shown to meet the secrecy constraint in (1) for noiseless main channel and BEC wiretap channel. [10]. our encoder employs nonsystematic LDPC codes in order to hide information bits and magnify coding errors. and for that matter. it should be noted that Arıkan’s polar codes [21] can offer secrecy for general symmetric channels. good designs still offer security enhancement to cryptography. even when attackers have an advantage in signal quality over legitimate receivers. which is also shown to be equal to H(XZ) for the prescribed encoder. Finally. [8]. The works [18]. We further employ intentional puncturing of encoded bits. • enhanced cryptographic secrecy over a wide range of CSI parameters. along with the new metric. It can be argued that the ﬁrst practical secrecy coding scheme was presented by Ozarow and Wyner in an extension of the original wiretap paper [4]. As a comparison. offers . the encoder interleaves coded bits among several transmitted packets. Schemes have been presented in [22] and [23] which achieve the secrecy capacity under the condition in (1). Computational secrecy is shown to grow exponentially with E[D]. This involves comparison of irregular LDPC codes with regular LDPC codes. C. Similar ideas of interleaving coded symbols have been used in [15]. Our intent is to punish an eavesdropper for every missing piece of information. as well as simulation results which match theoretical expectations. In this paper. Secrecy properties of these codes have been studied in [12]. The rest of the paper is outlined as follows. we broaden the security analysis of the scheme given in [11] by addressing the following points. [14].
Decoding of an LDPC codeword over a BEC can be accomplished using maximumlikelihood (ML) decoding [30]. Cryptographic attacks often assume an attacker has the luxury of an errorfree version of M (or even some of the plaintext). For binary codes with D = d. to make D as large as possible for Eve. . to ensure that D = 0 for ˜ Bob so that M = M . The number of degrees of freedom in a received codeword is a random variable D which takes on the number of encoded symbols for which an eavesdropper has no information. an average of 2E[D]−1 guesses must be made to obtain them. Variable nodes correspond to the N bits in a codeword. and dimension k. although through Qw . by solving a system of equations. a codeword of length n can be any of 2d equally likely codewords. second. Checks correspond to rows in H. and is N − k × N . the iterative messagepassing (MP) decoder is commonly used due to its computational efﬁciency. Our novel encoder and decoder designs are presented in Sections IV and V. The ﬁnal block mL can be ﬁlled by concatenating random bits if needed.3 Feedback Channel Qm Alice M Encoder X PEC(δ) Qw PEC(ǫ) Z Y sole source of confusion for Eve is her own naturally occurring erasure pattern across Qw . . each mapping to a unique kbit message in M. Let us deﬁne a general binary LDPC code C with blocklength N . 1. where the set of bits that participate in the check ui is denoted Ni = {j : Hi. 1. L. . . and can be shown to have an informationtheoretic deﬁnition. n is the length of a codeword after it has been punctured. II. Wiretap channel model with feedback assuming packet erasure channels for both the main channel Qm and the wiretap channel Qw . as well as the more general model which allows an arbitrary number of legitimate receivers and eavesdroppers. ˜ ˆ M and M are the respective estimates of M by Bob and Eve. resulting in a collection of η packets X = (x1 . Of course. but our design aims to prevent this from occurring. . uN −k ). The authenticated feedback channel available to Bob plays a key role in accomplishing both of these endeavors. Note that this k is identical to k from section II. . v2 . III. [29]. Then the coding rate is k/n. in this paper we always assume erasures are statistically independent. The notation Ni. Requests by Bob are public.1 As mentioned in Section I. mL ) to a legitimate receiver named Bob. however. we deﬁne physicallayer security ˜ M Decoder Bob for this system with the cryptographic layer in mind. Therefore. and can detect any tampering with the data [25]. vN ). 1 It is noted that results in Section VI are provided for this system. which restricts Eve to passive status [26]. This section provides limited background of LDPC codes and stopping sets in order to establish the foundation upon which to present our encoder. x2 . but N the blocklength of the LDPC code. . mi . . Alice encodes M . and third. The set of variable nodes is V = (v1 . A user named Alice wishes to transmit an encrypted binary message M = (m1 . . .j = 1} [28]. . while at the same time making Eve as ignorant as possible. . Using this reasoning. . We brieﬂy explain both decoders. The encoder and decoder exploit the independent nature of erased packets across Qm and Qw . The jth variable node shares an edge with the ith check node in GC if and only if j ∈ Ni . the probabilities of all symbol values on these D symbols are equally likely. the system must ˜ guarantee that M = M . 2. the goals of our physicallayer design are: ﬁrst. is different from n the blocklength of the encoder because n is the codeword length after puncturing. An eavesdropper named Eve obtains the packets Z. Since an attacker has no knowledge of these bits. . . while the set of check nodes is U = (u1 . LDPC codes and stopping sets. The Tanner graph for a simple example is shown in Fig. an independent PEC with probability of erasure ǫ. Fig. Then the ith check is calculated in GF(2) as ui = j∈Ni vj = 0. We will also assume that M has been compressed. m2 . Finally. respectively. . a PEC with probability of erasure δ. . To be clear. u2 . LDPC C ODES AND S TOPPING S ETS We employ LDPC codes [27] and exploit the phenomenon of stopping sets to obtain security from the physical layer. . Analysis of the security inherent in the system is then completed in Section VI for various scenarios. Prior to transmission. so that all possible bit combinations are equally likely in the alphabet M. . This public noiseless channel is used to request the retransmission of erased packets. to ensure that attacks on the cryptogram ˆ fail if M = M . The parity check matrix H fully deﬁnes the code. Finally. However.j signiﬁes all bits in the ith check except the jth bit. Decoder Deﬁnition 1. Let us also deﬁne the blocklength n of the encoder. An obvious extension of this model is to consider correlated erasures in Qm and Qw . mi ) ∈ M for i = 1. 2. The . S YSTEM M ODEL AND D EGREES OF F REEDOM We begin by presenting the wiretap channel model [24] with the addition of feedback in Fig. . Bob receives the packets as Y through Qm . where mi = (mi . bounds regarding enhancements of cryptographic security are presented in Section VII along with endtoend simulations of the system. We will ﬁnd it helpful to think of H in terms of its corresponding Tanner graph GC [28]. ultimately culminating in the most general case which encompasses multiple users and collaborating eavesdroppers. Since it is authenticated. the maximum value of D is k. . . Alice is able to deduce whether Bob sent the request. Conclusions are provided in Section VIII. and there is no secret key employed at the physical layer. . . where k is the dimension of the encoder to follow. Since we assume that the attacker knows the encoder. by creating ˆ M Eve degrees of freedom in the attacker’s knowledge of M . xη ) for transmission. It will be 1 2 k helpful to think of M as being broken up into L blocks of length k.
Clearly. Clearly. β and γ are constants which are also a function of the elimination algorithm chosen to solve the system of equations. xK and xK are ¯ vectors composed of only the bits indexed by the respective ¯ sets K and K. Similarly. The number of degrees of freedom in the MP decoder DMP is the cardinality of the smallest set of bit values that must be supplied in order to decode all remaining bits. 244). We let K denote the set of known bits in y. the straightforward decoder is known to have complexity ((1 − R)β + γδ)δ 2 N 3 . and N is the blocklength of the code [30]. HK and HK can ¯ be understood to be matrices formed by the columns of H ¯ indexed by K and K. we would like to design the encoder block from Fig.4 v1 v2 v3 v4 v5 v6 v7 1 0 e e 0 e e 1 1 1 u3 u2 u1 clearly satisﬁes the notion of degrees of freedom from Deﬁnition 1 for this decoder. and K denote the set of erased bits in y. Tanner graph for MP decoding over the BEC with a highlighted stopping set due to erasures at variable nodes v3 and v5 . ¯ K ¯ (2) This system has a unique solution when the erased bits are such that the columns of HK are linearly independent [31]. then DMP = 0. set vi = yi and declare all such variable nodes as known. Algorithm 1 MessagePassing Decoder over the BEC [31]. δ is the erasure probability in the channel. Proposition 2. 1} and yi ∈ {0. Proof: The rank of HK equals the number of linearly ¯ independent rows or columns of the matrix ([32]. x. where we achieve equality if there are N − k linearly independent columns in HK [30].j vk . the ML decoder over the BEC cannot have a unique solution if the number of erasures exceeds N − k. 1: Initialize: For yi = e. ¯ K ¯ K and thus HK xT = z T is known. and each is equally likely without further information. 0 = HxT = HK xT + HK xT . The MP decoder over the BEC can correct no more than N − k erasures. declare vj as known and set vj = k∈Ni. While faster methods have been discovered for solving a linear system of equations. In fact. and thus the ML decoder cannot produce ¯ a unique solution when K > N − k. pg. If the decoder succeeds. Thus we see that the effectiveness of the decoder is strictly bounded by the redundancy of the code. the system in (2) will be such that the degrees of freedom in the ¯ ML decoder DML ≥ K−(N −k). Stopping Sets In order to make D as large as possible for our system when an eavesdropper uses an MP decoder. A more detailed comparison of the two decoders is offered in [33]. the rank of HK can ¯ never exceed N − k. B. MessagePassing Decoding Let C. 2: if (No variable nodes are known and no check node has degree one) then 3: Output the (possibly partial) codeword and stop. respectively. because any bit combination of these DMP values decodes to a valid codeword. Since N − k is the number of rows in H. where xK = yK . 4: else 5: Delete all known variable nodes along with their adjacent edges. One version of the decoder is given as Algorithm 1 (adapted from [31]). A bound on the correction capabilities of the MP decoder is given by the following proposition. MaximumLikelihood Decoding Let us consider an LDPC codeword x ∈ C transmitted over a BEC and let y denote the received codeword. Fig. this maintains the deﬁnition of degrees of freedom given in Deﬁnition 1 when restricted to this decoder. This deﬁnition ¯ C. and is zero if this difference is negative. 1 so that every bit erased by the . DML is equal to the difference in the number of erased bits. when the number of erasures exceeds N − k. The decoding process passes messages between U and V along the edges of GC . ¯ We can obtain a bound from this statement which we will use to analyze security in the worstcase. and U  = N − k. Furthermore. although the MP decoder has linear complexity in the blocklength [28]. The MP decoder is an iterative decoder based on the Tanner graph representation of C. Proposition 1. and y hold the same deﬁnitions as for the ML decoder. Jump to 2. 6: end if 7: For each variable node vj connected to a degree one check node ui . 2. The maximum likelihood K decoder must then solve for the channelerased bits xK using ¯ the system of equations given by HK xT = z T . For a linear code C with blocklength N and dimension k. where R is the rate of the code. 1. e} where e signiﬁes an erased ¯ bit. Note that xi ∈ {0. that ¯ is if K > N − k. ¯ In any case. The MP decoder is suboptimal compared with the ML decoder. and the number of linearly independent columns of HK . Proof: In Algorithm 1. A. each check node can correct at most one variable node.
We account for both decoders in our design by using a particular ensemble of LDPC codes where DMP can be made equal to DML . .g. These L 1 2 k blocks of encrypted message form the input to the nonsystematic LDPC encoder with blocklength N and dimension k. (Bob obtains reliability through ARQ. [39]. A. . Then. puncturing in the encoder will be done with an attempt to inﬂict Eve with stopping sets. Lemma 1 (Di et. E NCODER The encoder design is based on the fact that I(M . if the code C were 1 2 N systematic. mL ). The key idea in the decoder is to reduce X to the decoding threshold. . • Bits of M are hidden from immediate access in the decoded words using nonsystematic LDPC codes.3 IV. Then our LDPC encoding process applies the scrambling matrix to m as i m′ = mS. M LDPC B Puncture P Buffer Block Encoder L blocks L blocks L blocks length k length N length n Interleaver X η packets size αL Fig. (3) The data are then encoded using G by b = m′ G to obtain a lengthN block of encoded data. .5 channel adds a degree of freedom to the decoder. . . Proper design maximizes D for Eve. using Algorithm 1 on G. . Deﬁnition 2 (Di. et. X) because processing cannot increase information. This gives way to the following lemma. LU decomposition [32]. m2 . and assume that C is used to transmit over the BEC. bL ) where each vector bi = (bi . Lemma 1. bi . Nonsystematic LDPC Codes Recall from Section II that M = (m1 . al. clearly the erasures cannot be resolved using Algorithm 1. . The following principles are addressed in the design of this encoder. Z) ≤ I(M . . the bits of m′ are explicit in b. Thus. mi ) ∈ M for i = 1. . • Bits from encoded blocks are interleaved amongst several transmitted packets so that a single erased packet results in erasures in many encoded blocks of data. the resulting despreading operation is enough to cause even a single error in m′ to result in roughly a 50% error rate in m as shown in Section VII. and let G be a k × N systematic generator matrix. If S matrices are randomly generated until one can be inverted to obtain S −1 . Let A be the set of erased bits in the received codeword. Note that S −1 can be obtained through e. unique decodability is not possible. . . then the bits of mi would appear explicitly in the encoded block bi . the set of erasures which remain after decoding comprise the unique maximal stopping set in A. In other words.1). as is any union of stopping sets. thus ensuring secrecy regardless of the decoder used by Eve. . Let G be the Tanner graph deﬁned by the parity check matrix H of a binary linear block code C. Let m be a lengthk message. On average. by deﬁnition. . b2 . 3 For further information on stopping sets as they relate to LDPC code ensembles.2 See Fig. as long as the erased bits have linearly independent columns in H. we will sometimes ignore the empty set as a stopping set and say that a set A contains no stopping sets. • The errorcorrection capabilities of the LDPC code are restricted by intentional puncturing of encoded bits. A stopping set is a set S ⊆ V such that all check nodes in N (S) are connected to S by at least two edges. is a stopping set. . For secrecy purposes. and the expectation of k/2 bits in error holds for any number of errors in m′ . the row weight in S −1 is approximately k/2. but if any erasures remain in Z following transmission. . if there are an odd number of bits in error in a given combination of say mi . randomly generated scrambling matrices which are nonsingular are likely to have inverses with just less than 50% of the entries equal to one on average. . . then that bit will be in error. proved in [34]. the result is intuitive because a bit in m is a linear combination of bits in m′ . 3. (4) This process ampliﬁes errors in the decoding process as a function of the sparsity of S −1 . denoted as B = (b1 . where m = (mi . L. Thus. bi ). The stages of encoding are portrayed in Fig. The output of the LDPC encoder B is given as L codewords of length N . 2. 2 for a simple example. rather than error correction. [12]. see [35] and [36]. In our experience. . • Scrambling prior to coding magniﬁes errors due to the physical layer of the communication system. the ML decoder will still succeed. with modiﬁcations for GF(2). Detailed block diagram of the encoder. meaning that the maximal stopping set in A is ∅. Let S be an invertible k × k scrambling matrix in GF(2). Notice that the empty set. where each stage fulﬁlls a speciﬁc purpose within the overall goals of obtaining secrecy and reliability. Although this can be made more precise. Number and size of blocks or packets are indicated at each step.) 2 For our purposes. The simplicity of MP decoding is also preserved for all legitimate receivers. 3. Since G is systematic. Stopping sets provide a means of accomplishing this task. [34]. Certainly. Nonsystematic LDPC coding is typically implemented as a two stage process to improve encoder complexity [38]. [34]). Since stopping sets cause the MP decoder to fail. . even in the presence of stopping sets. al. where N (S) signiﬁes the neighborhood of S and is deﬁned as the set of all adjacent nodes to any member of S in GC . X can be used to recover M by design. Clearly at the decoder the inverse operation ﬁrst requires the bits of b to be obtained through either MP or ML decoding. However. mi . any set of variable nodes has a unique maximal stopping set in it. nonsystematic codes are employed. . and M → X → Z is a Markov process [37]. The bits of m can then be found by applying the inverse of S in the descrambling operation m = m′ S −1 .
4: Run Algorithm 3 with A = R + v to check for stopping sets. The puncturing pattern is chosen in order to induce stopping sets in an eavesdropper’s received data. 4: if (∃ a check node in G′ with degree 1) then 5: Delete variable nodes from S which are adjacent to check nodes of degree 1 in G′ . therefore R + v has a stopping set for any v ∈ Q. by Lemma 1. There is no nonempty stopping set in A. R′ + v has a stopping set. 3 to have length n. however. All bits which are not punctured belong to the set Q so that V = R + Q. Such a set R can be constructed using the random technique outlined in Algorithm 2. and calls Algorithm 3 after each choice. 5: if (R + v has a stopping set. If all bits can be resolved using MP decoding then all nodes will be deleted in Algorithm 3. therefore. which does not affect encoding and decoding complexity.6 Since only one (S. pL ). Deﬁnition 3. for a randomly chosen v ∈ V . Recall that V is the set of variable nodes in the Tanner graph GC . S is the maximal nonempty stopping set in A. puncturing according to R in each bi for i = 1. . which also calls Algorithm 3 in order to check for stopping sets in a computationally tractable manner [11]. Proposition 3. . . A ⊆ V [11]. and false is returned. Algorithm 3 returns true) then 6: Q = Q + v. S −1 ) pair need be used by the system. MP decoding returns a partial codeword. i. Both of these operations are O(k 3 ). Assume for a contradiction that R has a stopping set. 11: else 12: Terminate. the remaining nodes comprise the maximal stopping set of A. there are no stopping sets in R. B. guarantees that every bit in each pi is crucial for successful MP decoding. Proof of Proposition: Suppose that the bits in A were actually erasures over the BEC. Then there is a bit v ∈ R which when added to R during the construction process. jump to 2. and R + v contains some nonempty stopping set Sv for every variable node v ∈ Q. The complexity of Algorithm 3 in the worst case. end if 9: 10: Jump to 2. Then by Algorithm 2. and Q = ∅. . Let the puncturing pattern R ∈ V indicate which bits in each bi are to be punctured. we must also show that for any v ∈ Q. General systematic encoder complexity is O(N 2 ) because G is not sparse by design [28]. Puncturing The next step in the encoding process is to apply a puncturing pattern to each codeword in B. The output of Algorithm 2 is always an acceptable puncturing pattern R as deﬁned in Deﬁnition 3. L. the matrices can be generated offline. because it chooses N − 1 bits in a random order. the complexity of ﬁnding an acceptable puncturing pattern R is . A puncturing pattern R is deemed acceptable if and only if there are no stopping sets in R. . 1 2 n which was deﬁned in Section II to be the blocklength of the encoder. R + v has a nonempty stopping set. . the length of each block in P is equal to Q = n. although improvements can be made using appropriate preprocessing as outlined in [31]. Therefore. pi . . . where each pi = (pi . then Algorithm 3 will return true because all remaining bits have degree greater than one in the induced subgraph G′ . The punctured blocks P = (p1 . the complexity of both the encoder and the decoder is increased due to the matrix multiplications in (3) and (4). 2. 11: end if Lemma 2.e. else 7: 8: R = R + v. Since in Algorithm 2 every v ∈ Q is such that for some subset R′ ⊆ R. Thus. Therefore. p2 . Line 5 of the algorithm will be 2 U +U repeated a maximum of i=1 i = U 2 times if a single node is deleted each time the line is executed. However. respectively. . The encoding technique speciﬁed in [31] gives encoder complexity of O(N +g 2 ) where g is the gap in an approximate lower triangular form of the parity check matrix and is less than N − k. . and always returns false otherwise. It remains to be proved / that Algorithm 3 operates as expected. 6: else 7: Return true. Realize that erasures recovered in the ith iteration of Algorithm 1 correspond exactly to the nodes deleted in the ith iteration of Algorithm 3. and Algorithm 1 was used to decode. 1: Initialize: R = v. If. . To complete the proof of Lemma 2. This provides the contradiction. 2: if (V \(R ∪ Q) = ∅) then 3: Choose another v randomly from V \(R ∪ Q). caused a stopping set to ﬁrst appear. 1: Initialize: S = A 2: if (S = ∅) then 3: Induce subgraph G′ in G using (S ∪ N (S)). . 8: end if 9: else 10: Return false. Algorithm 2 Finds an acceptable puncturing pattern R within the set of all variable nodes V . 13: end if Algorithm 3 Checks for the existence of stopping sets in a subset of variable nodes. Algorithm 3 always returns true when A has a nonempty stopping set. Complexity of Algorithm 2 is linear in the blocklength N . The complexities for the ML and MP decoders are given in Sections IIIA and IIIB as O(N 3 ) and O(N ). v ∈ R. is quadratic in U  = N − k the number of check nodes in GC . pi ) are shown in Fig. Proof: We must ﬁrst show that upon completion of Algorithm 2.
a puncturing pattern generated for the irregular code of the example has a unique property. where wc and wr are the ﬁxed column and row weights of the parity check matrix. . . 2. . . . The MP case is the same because by Proposition 2. Let Rc denote the indices of the channelerased bits of pi . As a direct result. any erasure by the channel is guaranteed to give a degree of freedom in the decoder. Proof: The ﬁrst part is trivial and follows directly from j i Lemma 3 and (5). and χ(x) = 0. . . Since we have designed R so that any erasure of a bit in pj results in MP decoding failure. xη ) in the following manner. The MP decoder is then guaranteed to decode the puncturing in linear time ˜ with the blocklength to obtain B [28]. We see that DML = DMP because a missing packet means exactly α degrees of freedom in each block. . Lemma 3. 499 with probability around 0. the bits are deinterleaved back into ˜ their intentionally punctured codewords P . we can be assured that any erased packet will cause all L blocks to fail in the MP decoder due to this interleaving. D ECODER FOR L EGITIMATE U SERS The decoder for legitimate users is simply the inverse of all encoder operations. . and R. j i Furthermore. .36988x4 on variable node weights. piα ). C. Simulations have shown that the size of R is very much a function of the degree distribution on C. Once all packets are known. then the number of degrees of freedom in i i i the ith codeword is DML = DMP = Rc  = αRp  for i = 1. The independence . Therefore. If R can be designed so that R = N − k. wc = 4. Let us examine. Since R = N − k. a bruteforce attack on these bits might be more appealing to an attacker than decoding the entire codeword. Irregular Codes The overall rate k/n of the nonsystematic and punctured code is a function of the rate of the systematic LDPC code. VI. It should be noted that if the sum of systematic bits in R + Rc is less than D. To do this. V. Alice deﬁnes α a small positive integer which is assumed to divide n (not necessary but convenient for notation and analysis) such that η = n/α. Interleaving The role of the interleaver is to ensure that all packets must be obtained errorfree for successful decoding in any and all encoded blocks. and linear in N . . Example 1. Thus any bits erased by the channel (or perhaps another set of bits of equal size) must be guessed in order to decode. x2 . . j. Time delay and queueing aspects of ARQ protocols are welladdressed in the literature. .e. Therefore. D. and the degrees of freedom in the decoder. we form the packet xi by concatenating α bits from each encoded and punctured block pj for j = 1. and the inverse of the scrambling matrix is applied to the systematic decoded ˜ bits using (4) to obtain M . p1 . . the effectiveness of the ML decoder is equal to that of the MP decoder when R = N − k. . η. 4. Here the distribution on R is much tighter. this ˜ decoder guarantees that M = M . . e. (5) for i = 1. .1. . 664). . iα iα L pL (i−1)α+1 . Legitimate users make use of the authenticated feedback channel to request retransmission of packets erased in the main channel during transmission. that the system of equations in (2) can resolve a maximum of N − k erasures.18393x3 + 0. Let C be a regular rate1/2 code with N = 1000. . with variance roughly equal to 15. that for some patterns DMP = DML . in practice the number of systematic bits removed through puncturing or erased by the channel usually exceeds the degrees of freedom in the decoder. . and 498 with probability near 0. . we can claim that for this rate1/2 irregular code ensemble the random technique given in Algorithm 2 yields a puncturing pattern with size nearly equal (and equal in some cases) to N − k. respectively. 2. In words. where Rp is a list of all erased packets. If R = N − k and packets are formed according to (5). Once all packets are obtained in Y . L. i. L. [40] and its references. then the same result holds for ML decoding by Lemma 3. Thus the algorithm can be used in practical system design to compute R offline. xi ) 2 αL 2 1 = (p(i−1)α+1 . Thus with some degree of conﬁdence.32660x + 0. where H is formed using the socket approach given in [30].11960x2 + 0. the MP decoder can correct at most N − k erasures. then DML = DMP = Rc . Namely. 4 if all packets are obtained errorfree. 2. . has complexity O(N U 2 ).26. however. . irrespective of decoder choice.21445x6 on check node weights (see [28] pg. The decoding process is shown pictorially in Fig. but having the following edge degree distribution pair: η(x) = 0. . . . and DMP and DML denote the degrees of freedom using MP decoding and ML decoding.56. Although. respectively. . we construct a collection of η packets to be transmitted X = (x1 . . p(i−1)α+1 . . . an irregular ensemble with the same rate and blocklength. i.e. although the exact relationship is still unknown. xi . a single erased packet causes α erasures in each punctured block at the decoder. . Corollary 1. Proof: The ML portion of this lemma follows from Proposition 1. The size of R appears to be Gaussiandistributed for this family of codes with a mean size of approximately 436. S ECURITY AGAINST W IRETAPPERS An eavesdropper can decode the data using Bob’s decoder in Fig. p2 . . ranging from 496 to 500. If an irregular LDPC code is employed over the BEC with intentional puncturing determined by Algorithm 2 in which R = N − k.g.7 at most quadratic in U . The size on R is equal to 500 with probability roughly equal to 0. A user can decode all data as long as every packet is received errorfree. DML = DMP ∀i. D can be thought of as the minimum between the number of systematic bits missing to the eavesdropper. . and wr = 8. and the ith packet is formed as xi i = (x1 . .78555x5 + 0. . To cover this possibility. Regular vs.
1 − Pr(Ref ))α. and therefore E[D] = (1 − Pr(Ref ))ηα = (1 − Pr(Ref ))n. the respective probabilities of erasures in Qm and Qw . all m legitimate receivers are given access to the feedback channel. ǫ) pairs as η gets large. A. with η independent uses of the channel (one for each packet). 4. speciﬁcally D ∼ Bin(η. D = αRp  where α bits from every codeword are sorted into each packet. D is a scaled binomial random variable. the case with l collaborating eavesdroppers. then k/n = 1. packets are erased for eavesdroppers with probability (1 − Pr(Ref )). this requires that Rp  ≥ ⌈β/α⌉. 1. Thus. then n = Q = N − R = k. and H(Z) = H(1 − Pr(Ref )) + Pr(Ref )α (see [37]. However. prevents Eve from receiving packets as a function of δ and ǫ. Thus. H(XZ) = (1−Pr(Ref ))ηα = (1−Pr(Ref ))n. α. and Z the output. Of course. by Corollary 3. Clearly. then Pr(Ref ) = Pr(D ≥ β) = 1 − i=0 η (1 − Pr(Ref ))i Pr(Ref )η−i . Then.8 Y Buffer Deinterleaver η packets size αL ˜ ˜ ˜ P Message B Map M Passing to M L blocks L blocks L blocks length n length N length k Theorem 1. Fig. ǫ) pairs by completely characterizing D for the system. Therefore. this occurs when Pr(Ref ) = 0. Number and size of blocks or packets are indicated at each step. where α bits are erased with probability (1 − Pr(Ref )) or received errorfree with probability Pr(Ref ) with each channel use. perfect secrecy is obtained when E[D] = k. The expected value is therefore known due to the binomial structure of D. In the wiretap channel scenario with feedback. Retransmissions in the ARQ protocol are executed only after requests are received from all legitimate parties. This case is provided to show the plateau and falloff regions in the (δ. If R = N − k in the encoder. of Qm and Qw . (9) Thus we see that E[D] is equal to the informationtheoretic value of equivocation when the puncturing is accomplished so that R = N − k. which can be examined in the limit as η → ∞. this scheme cannot achieve perfect secrecy. stopping sets occur in the MP decoder and the ML decoder has linearly dependent columns in HK with probability very close to one. Since proper design of the encoder was shown to cause D to have the same realization for every codeword and be independent of the decoder in Corollary 1. for 1 ≤ β ≤ αη. It is immediate that except for when δ = 1 or ǫ = 0. and the most general case with both m legitimate receivers and l collaborating eavesdroppers. Let X be the input to the channel. et. if R = N − k. Pr(D ≥ 1) goes to one for all (δ. [11]). Clearly H(ZX) = H(1 − Pr(Ref )). Thus. Since there are η independent Bernoulli trials. Note that when β = 1. and the encoding function of rate one forms a bijection on k bits. General Security Theorems Lemma 4. Thus. and E[D] = H(XZ) = (1 − Pr(Ref ))n. These results now require expressions for Pr(Ref ) to complete the security characterization in D. it can be shown using the achievable rates in [4] that E[D] approaches the maximum achievable equivocation for k/n = 1. Detailed block diagram of Bob’s decoder. The result in (6) follows directly. α is not required to evaluate (6). . and η. B. pg. ǫ) grid for Pr(D ≥ β). This section shows the blanket security effect of our encoder over nearly the entire region of possible (δ. H(X) = α. Proof: Since R = N − k. We can then assume η independent uses of a PEC with packets of length α. then D ≥ β implies that αRp  ≥ β. i (6) Proof: By deﬁnition. 188). Let Ref be the event that a single packet is received errorfree by at least one eavesdropper after all retransmissions of the packet requested by any legitimate receiver have been ﬁlled. For cases beyond the simple wiretap scenario. Let us consider the model for a single codeword (L = 1). and all l eavesdroppers are restricted to passive status through authentication on the channel. and was originally proved in [11]. The input distribution on α bits is uniform because the input distribution on M is uniform. each identically distributed. E[D/α] = (1 − Pr(Ref ))η. Expressions for Ref follow for the wiretap channel case. Lemma 5 (Harrison. and then provide security results for all scenarios studied as a function of Ref . Since the mean of a binomial random variable is the product of its two parameters. the sum of erased packets Rp  is a binomial random variable with parameters η and (1 − Pr(Ref )) [41]. The random variable D which governs the number of degrees of freedom in a received codeword is a scaled binomial random variable. the broadcast scenario with m intended receivers. We ﬁrst show D to be binomially distributed. the probability that Eve obtains a single transmitted packet is given as 1−ǫ . From Theorem 1. Since D = αRp . Then. The results of ¯ η 1−ǫ Lemmas 4 and 5 give Pr(D ≥ 1) = 1 − 1−ǫδ . Throughout the plateau region. we understand D to represent the degrees of freedom in every codeword assuming either the ML or MP decoder for the rest of the paper. We also prove an important property in regards to E[D]. (7) (8) Fig. (10) 1 − ǫδ Intuition of security for the wiretap channel in terms of D can be gained by using the expression for Pr(Ref ) in (10) to plot (6) for different values of β. ⌈β/α⌉−1 Therefore. 5 shows Pr(D ≥ 1) for η = 100. H(XZ) = H(ZX) − H(Z) + H(X) = α(1 − Pr(Ref )). however. al. One Receiver and One Wiretapper The simplest case matches the setup given in Fig. which implies that the eavesdropper obtains zero packets.
7. Thus. (12) . 6.5 0.4 0. Since large k necessitates large n and N . the threshold can be approximated fm (t) = (1 − (1 − λi ) ) − i=1 j=1 t (1 − (1 − λi )t−1 ). Pr(D ≥ 1) with η = 5000 1 0. where as expected. and address the more general broadcast channel originally presented in [42]. .8 0. . a single degree of freedom is easily guessed in an attack. Pr(D ≥ 1) when η = 5000. If Q1 . δ and ǫ. the probability of security approaches one as k gets large. Multiple Intended Receivers In this section. then η ≈ 5000. (11) 1 − ǫδ 1 − ǫδ This function grows linearly with n which is equal to k when R = N − k.2 0 1 1 0.2 0 0. . . 000 are deemed practical by today’s standards. Finally. Let each user have an independent PEC with probability of erasure in the ith user’s channel as δi for i = 1. although. . let us inspect the E[D] according to Theorem 1 for this case. 7. Qm ). as a function of the respective erasure probabilities in Qm and Qw . 5.9 Pr(D ≥ 1) with η = 100 Pr(D ≥ 50) with α = 1 and η = 5000 1 0.5 0. α. But of course.2 0 1 1 0. .6 0. we simply must use a larger dimension in the encoder. all nontrivial (δ.8 0. as a function of the respective erasure probabilities in Qm and Qw .6 ǫ δ ǫ δ Fig. as a function of the respective erasure probabilities in Qm and Qw . . and Tm = max(Q1 . This technique provides a unique threshold for each speciﬁc set of values for β.8 0. . Pr(D ≥ 1) when η = 100.4 0 0. . Pr(D ≥ 50) when α = 1 and η = 5000. α = 1 allows η to be as large as possible.4 0 0. Q2 .8 0. C. Owing to the severity of the cutoff. which provides more conﬁdence that D ≈ E[D] by the law of large numbers ([41]. . . where (δ.4 0. we move past the single user case. Fig. This case allows us to understand the repercussions on security of having more than one user for which we allow feedback requests. then the probability mass function on Tm is given as m m Fig.5 0. k n η = α = α . . This perspective is provided in Fig. . and deriving a function of δ and ǫ.6 0. . 193). Let us examine the effects on security when β takes on a larger value. pg. 6. δ and ǫ.6 ǫ δ by setting Pr(D ≥ β) = 0. Qm are independent geometrically distributed random variables with success parameters λ1 . Note that in the expectation the choice of α does not affect security. We can characterize security using Lemma 4 and Theorem 1 in the m user case by ﬁnding an expression for Pr(Ref ).2 0 1 1 0. Lemma 6. Codes with blocklength N = 10. where η = 5000 and β = 50 with α = 1. . the same holds true for these blocklength parameters.2 0 0.4 0. there exists a cutoff region. As can be seen in the ﬁgure.8 0. λ2 . This case is shown in Fig. .6 0.8 0. ǫ(1 − δ) ǫ(1 − δ) E[D] = ηα = n. m. Q2 . ǫ) pairs within the plateau region will experience at least β degrees of freedom with probability very close to one.2 0 0. to drive D to a large number in practice. δ and ǫ.4 0 0. Clearly η grows with k. while pairs outside the region will have D < β with probability close to one. therefore. Recall that Ref is the event that Eve receives a single transmitted packet as before. 2. ǫ) pairs show Pr(D ≥ 1) ≈ 1. For α = 1 and for a carefully chosen R with size roughly 5000. λm . The following lemma is necessary to obtain Pr(Ref ).6 1 0. There is also a single eavesdropper with probability of an erased packet equal to ǫ as before. and η.5 in (6).
W2 . . . . Wm as the geometric random variables governing the total number of transmissions necessary for users 1. . Using the broadcast channel with m independent legitimate receivers and an eavesdropper m + · · · + (−1)m+1 ( i=1 δi )w−1 (1 − i=1 δi ). m. and in each transmission it is received with probability δi . All are assumed to obtain packets through independent PECs. Wm ). By Lemma 6. . we can obtain Pr(Ref ) for the broadcast channel case. . . . Deﬁne W1 . then the total number of times the user must request the packet is governed by a geometric random variable with success parameter 1 − δi [41]. etc. ǫl . m. 2. ∞ Pr(Ref ) = w=1 ∞ Pr(Ref W = w) Pr(W = w) (1 − ǫw ) m w (1 − δi ) − i=1 m j=1 m w−1 (1 − δi ) Pr(Ref ) = i=1 1−ǫ 1 − ǫδi − i<j 1−ǫ 1 − ǫδi δj − ··· + + = ∞ w=1 i<j<k 1−ǫ 1 − ǫδi δj δk = (1 − ǫw ) w=1 w−1 δi (1 − δi )− i=1 (−1) m+1 1−ǫ m 1 − i=1 δi (δi δj )w−1 (1 − δi δj ) + · · · i<j m m where the notation i < j means the summation traverses over all pairs (i. . but follows from an inductive assumption on m. . Armed with this lemma. . . . . With these pieces in place. we commence proving the lemma. to obtain the packet errorfree. Proof: Note that if the ith user requests a single packet until it is received. . j) such that i. each with a possibly unique probability of packet erasure ǫ1 . Then the general result which assumes m friendly parties with l collaborating eavesdroppers comes easily. we know that m m w (1 − δi ) − i=1 j=1 w−1 (1 − δi ) + (−1)m+1 ( m δi )w−1 (1 − i=1 w (1 − ǫw )δi − δi ) = i=1 1 − δi δi i=1 ∞ w=1 ∞ i<j 1 − δi δj δi δj (1 − ǫw )(δi δj )w + · · · w=1 m i=1 δi ∞ w δi − w=0 ∞ w=0 m i=1 δi ∞ m +(−1)m+1 m 1− (1 − ǫw )( w=1 ∞ i=1 δi )w = i=1 m i<j 1 − δi δi 1 − δi δj δi δj (ǫδi )w w=0 ∞ − (ǫδi δj )w (δi δj )w − × Pr(W = w) = (13) 1− + · · · + (−1)m+1 ∞ m m i=1 δi ∞ m w=0 m δi i=1 because the success parameter for Wi is 1 − δi for i = 1. respectively. . Then. Lemma 7. . .10 m m Proof: The proof is omitted for the sake of brevity. W2 . m} and i < j. . Collaborating Eavesdroppers + (δi δj )w−1 + · · · + i<j (−1)m ( i=1 m δi )w −1 + m w−1 δi − i=1 m (−1)m+1 ( i=1 δi )w−1 (δi δj )w−1 (1 − δi δj ) i<j = i=1 w−1 δi (1 − δi ) − In this section we consider the case with l eavesdroppers working together in order to obtain the cryptogram M . . . 2. . 2. we point out that m m m ( w=0 i=1 m δi )w − − i<j (ǫ w=0 m i=1 δi )w 1−ǫ 1 − ǫδi δj . W governs the total number of transmissions necessary for all legitimate parties to receive the packet. It is simpler to ﬁrst consider a single legitimate user Bob with probability of packet erasure δ. Lemma 8. and similarly for i < j < k. + ··· + (15) (1−δi ) = 1− i=1 i=1 δi + i<j δi δj − i<j<k δi δj δk +· · · (−1) m i=1 δi = i=1 1−ǫ 1 − ǫδi (14) which implies that Pr(W = w) = 1 − m w δi + i=1 m i<j (−1)m+1 1−ǫ m 1 − i=1 δi (δi δj )w − · · · + D. Finally. . . ǫ2 . For l eavesdroppers and a single legitimate re . let W = max(W1 . j ∈ {1.
but the notion the fastcorrelation variety break down completely. then it may ˆ ˆ ˆ ˆ where mi = (mi . m2 .414 and 0.11 ceiver. pL ) be the collection of punctured and still succeed is obviously shortsighted. For the scenario with m intended parties and l the minimum distance of the LDPC code. as Fig. Simulations were performed using the irregular LDPC l code of Example 1 with N = 1000 and k = 500. Puncturing where ǫ′ = i=1 ǫi . . made more difﬁcult.42 Pr(Ref ) = w=1 ∞ Pr(Ref W = w) Pr(W = w) l = = = (1 − ( w=1 ǫi ) )(1 − δ)δ l w w−1 0. in between 0. 2. All tests produced error rates ˆ effect of the coding scheme on attacks of the cryptography. 70.6 (16) 0. 300.48 0. If a guess b ˆ is incorrect. patterns used were such that R ≥ 498 bits. 8 indicates. p2 . 90. since all guesses are equally ˆ m 1 1 likely. Let γ be the number of bits in Eve’s guess which are multiple eavesdroppers. 50. We can certainly expect such an attack to fail as bit error rates approach 0. . S was formed Proof: This proof is not included for the sake of brevity.5 for an incorrect (−1)m+1 m 1 − ǫ′ i=1 δi guess.578 in M . . [10] that speciﬁc attacks from [7] were These results imply that unless D bits are guessed exactly. . even if the cryptogram is errorprone.56 ML MP ˆ Error rate in M Proof: The proof is straightforward if we note that collaborating eavesdroppers receive a single sent packet if at least one of them obtains the packet errorfree. since an p ˆ ˆ ˆ codewords obtained by Eve. that any attack on a cryptosystem could absorb such error rates ˆ Let P = (ˆ1 . Each channelerased bit in pi fail even if a single block in M is in error. while a new puncturing pattern R was generated that attacks on the cryptography become more difﬁcult or every 10 experiments.5002 bit error rate with no noticeable difference between MP known to be possible. or between γ values. It remains to show the selected every 30 experiments. . and 400 in VII.44 0. 4. 25. Finally. Certainly rate of 0.4 0 10 10 1 1−δ δ 1− 1−δ i=1 ∞ γ 10 2 10 3 δ w − (δ w=0 l i=1 ǫi . l i=1 ǫi 0. . l i=1 ǫi i=1 ǫi )w (17) ˆ Fig. . (18)indicate the expected bit error rate in M of 0. deﬁne the implied block incorrect.5 in mi . 15. . The descrambling process in (4) magniﬁes any errors in ˆi to an expected bit b eavesdroppers with similar notation as before. . pi ). ˆi .52 0. C RYPTOGRAPHIC S ECURITY E NHANCEMENTS Fig. Therefore. yields a degree of freedom in ˆi . . Let W be a geometric random variable with success parameter 1 − δ. 3. 40. However.54 0. Each γ value was tested 300 times on both the MP and The probabilistic security analysis in Section VI assumes ML decoder. . Using similar logic. ˆL ) be the decoded codewords. . . mi . Therefore. error rate of 0. .58 0. 10. 80. ˆ ˆ1 ˆ2 ˆk ˆ This answer provides an easy bridge to an extremely general result.46 0. Pr(Ref ) = 1− 1−δ Error propagation for incorrect guesses l i=1 ǫi .5 0. pi . . . . while the mean depicted a As an example. there will be at least as many errors in ˆi as b Corollary 2. . will only guarantee failure of the attack if every block in M is ˆ and let B b b b where ˆi = (ˆi . .5 in the cryptogram. . and a new code from the ensemble was completely infeasible as D gets large. . . where pi = (ˆ1 . incorrect. and complete recovery of b ˆi requires that D bits in pi be guessed correctly. was noted in [8]. We offer simulation results for γ = 1. we ˆ pi ˆ2 ˆn ˆ = (ˆ1 . This governs the number of transmissions for each packet. . 200. ˆi ). The simulated error rates in Eve’s decoded cryptogram M when γ errors are made in guessing bit values for D degrees of freedom in Eve’s received codewords. fast correlation attacks on stream ciphers are 0. mi ). would succeed using the errorfree ciphertext M . 5. attacks of for fast correlation attacks on stream ciphers. . ˆ 1 − ǫ′ δi i<j 1 − ǫ′ δi δj i=1 Simulations of the endtoend encoder and decoder clearly 1 ˆ . It and ML decoders.5 in M . 100. attack could feasibly be staged using a single block of M . 8. [9]. and in some cases impossible due to error the cryptography must be attacked with an average bit error ˆ rates in the cryptogram beyond a certain threshold. 20. mL ). it can be said that if an attack b b1 b2 bN ˆ structure of Eve’s decoder output as M = (m1 . randomly by setting roughly half of the k 2 entries equal to one but is nearly identical to the proof of Lemma 7 with slight until such a matrix was invertible using the LU decomposition alterations as indicated by the proof of Lemma 8 to allow for in GF(2). ˆ2 . . 8. ∞ 0. 60. 30. a bruteforce attack on D bits must be accomplished to − + ···+ Pr(Ref ) = (1 − ǫ′ ) obtain each mi .
McLaughlin. and F. McLaughlin. S. Theory. S. 8. “EXIT charts applied to tandem coding and cryptography in a wiretap scenario. Let D be the degrees of freedom of each of L blocks ˆ in B. Ed. McLaughlin. The system was shown to provide cryptographic security enhancement. Baldi. Dec. the expected number of guesses until at least one is correct is given by E[min(U1 . Without loss of generality. [13] D. 2010. Aug. Taormina. M. “Fast correlation attacks on certain stream ciphers. Kwak. . IEEE Information Theory Workshop (ITW). the upper bound in (19) serves as a good approximation to the expected amount of work necessary to complete the attack. Barros. UL ≥ z) = (Pr(U1 ≥ z)(Pr(U2 ≥ z) . E. but we assume that all patterns must be guessed in order to guarantee success. IEEE Global Telecommunications Conf. JuneJuly 2009. and S.. 351–368. UL ) < z) = 0. no.” in Proc. .” in Proc. Tech. Almeida. pp. . 1355–1387. 1–5. 54. J. Theory. Ha. discrete uniform random variables on {0. . 6. Aug. Rodrigues.5 for a close bound on the expectation to get the lower bound. pp. 53. Assume that an attacker guesses bit patterns ˆ on all codewords in P simultaneously. H. “Wireless informationtheoretic security. we calculate Pr(min(U1 . vol. This involved security performance comparisons of LDPC codes with varying degree distributions. Korea. W. vol. and applied this metric to a physicallayer coding scheme to show cryptographic security enhancements due to channel coding.5 bit error rate in any block would destroy an attack with these requirements. no. pp. Deﬁne the complexity of a cryptographic attack to be CA . pp. Klinc. and J. Sept. 2E[D] −1}. . vol.” in Proc. UL )]. and J. pp. Symp. Design criteria were speciﬁed to maximize D in a maximumlikelihood attack as well as a messagepassing attack. Clearly a 0. . . [3] I. 404–413. 1939–1943. Ying. D. and B. Tech. UL ) ≥ z) = 0. B.” in Proc. . Narasimha.12 Theorem 2. D. [12] M. JuneJuly 2009. 63. Calderbank. vol. V. J. Csisz´ r and J. 1984. IEEE Information Theory Workshop. Kwak. (20) Now. Sicily. 1949. 2515–2534. (GLOBECOM). W. [9] ——. and S. “Physicallayer security: Combining error control coding and cryptography. U2 . Information Theory (ISIT). 2008. . K¨ rner. “Communication theory of secrecy systems. 3. Lecture Notes in Computer Science.” Bell Syst. U2 . Then.” in Proc. McLaughlin. Barros. Seoul. Therefore. . Aug. McLaughlin. J. even when eavesdroppers have an advantage over legitimate receivers in signal quality. Endtoend details of the . May 1978. Theory. 173–177. SpringerVerlag. Korea. Communications (ICC). Oct. vol.” Journal of Cryptology. 1. pp. . K. 2007. Dublin. . Staffelbach. 10. Although these bounds are helpful. Wyner.. . no. Symp. pp. 1–5. The upper bound is calculated similarly. UL ) ≥ z) = Pr(U1 ≥ z. 339–348. D. The expected value of D was also shown to be equal to H(XZ) in our encoder. therefore. 4. W. Sicily. Shannon. U2 . no. Maurer and S. no. “Secrecy throughput of MANETs with malicious nodes. . thus necessitating a bruteforce attack on D bits for each codeword. . E[D] is the average number of bits that must be guessed in each of L punctured ˆ codewords in P . . vol. the system yields a bit error rate of 0. U2 . Thus we see. [15] M. Then the expected complexity CP L of a successful attack on the system is bounded as 2E[D] (1 − 2−1/L )CA ≤ CP L ≤ 2E[D] (2−1/L )CA . J. Thus. J. Wyner. pp. [4] L. 95–99. . pp. for L = 1 we expect 2E[D]−1 guesses on average for a successful attack. [17] A. McLaughlin. A. “Broadcast channels with conﬁdential mesa o sages. 1807.” Bell Syst. as expected. and B. . Simulation results were provided which show that unless an attacker can guess D symbols in the received data correctly. . [10] ——. J. “LDPC codes for the Gaussian wiretap channel. Seoul. UL . The lower bound is formulated by the expected number of guesses until at least one of L codewords is found. “Applications of LDPC codes to the wiretap channel. Dresden. . Barros. The correct bit patterns ˆ of the channelerased bits in the L codewords P are uniformly E[D] distributed over 2 possibilities in each block. S. both bounds meet at 2E[D]−1 CA . [16] Y. pp. Preneel. June 2009. H. where irregular codes were shown to outperform regular codes in maximizing D. 2009.” in Proc. 2135–2157. Inf. W. “The wiretap channel. [7] W. Tech. [8] W. In this case. (Pr(UL ≥ z) = 2E[D] − z 2E[D] L encoder and decoder were provided. Information Theory (ISIT). Inf.Sept. “Wiretap channel II. Ireland. R EFERENCES [1] C. More than likely. and thus provide limited insight into the true increase in complexity of the attack.” IEEE Trans. Forensics Security. Bianchi. “LDPC codes for physical layer security. IEEE Int. 2010. an attack will require at least a certain number of consecutive blocks in M to execute successfully [7]. Meier and O. . Nov. “Stopping sets for physicallayer security.” in Proc. that our system appends a multiplier which is exponential in E[D] to the complexity of a cryptographic attack through practical physicallayer security. Probabilistic security results were obtained and made general so as to apply to multiple receivers and multiple collaborative attackers. D. Wolf. J.” IEEE Trans. pp. M. “Tandem coding and cryptography on wiretap channels: EXIT chart analysis. assume that an attacker begins by guessing zero for each Ui and proceeds in an orderly fashion. Pr(U2 ≥ z). May 2000. W. IEEE Information Theory Workshop (ITW). J.5 in the cryptogram. Liang. .J. . 3. June 2008. C ONCLUSIONS In conclusion. the bound is given by ﬁnding the z that solves Pr(max(U1 . vol.J. solve for z in Pr(min(U1 . Dihidar. Inf. Conf. Thus. pp. say U1 . Dublin. Barros. J. . 24. no. [14] D. HI.i. respectively. we have presented the security metric of degrees of freedom D in an eavesdropper’s received codewords. IEEE Int.d. no. “Network security for clientserver architecture using wiretap codes. Bloch. with L being set by the attack speciﬁcations.Sept. “Informationtheoretic key agreement: From weak to strong secrecy for free.M. pp. 54. 28. S. W. 1975. Thangaraj. Oct. Model the correct bit patterns in the L codewords as i.. As a check on these bounds. U2 . Merolla. Klinc. Harrison and S. Germany. R. 1–5. 2009. and L. (19) ˆ Proof: By Corollary 1 each codeword in B has the same number of degrees of freedom. 1189–1193. 656–715. 2933–2945. Harrison. Ozarow and A.5. 1989. Chiaraluce. [5] M. R. 2009. Klinc. “Nonsystematic codes for physicallayer security. IEEE Int. [6] U. . . [11] W. IEEE Information Theory Workshop (ITW). 3. vol. Inf. R. pp.” in Advances in Cryptology — EUROCRYPT 2000. . K. 159–176. . ser. Bloch. pp. . vol.” Bell Syst. Oct. The coding scheme relies on the nature of independent packet erasure channels and ARQ to provide secrecy and reliability. Ireland.” in Proc. Taormina. McLaughlin. S. pp. when L > 1 the bounds are not as tight..” IEEE Trans. 8. [2] A. Ha. . The end result on the expected increase in attack complexity on the cryptosystem due to our scheme is a multiplier which is exponential in E[D]. . Poor. VIII. 1. Honolulu.” IEEE Trans.
Modern Coding Theory. [23] H. Theory. 54. 2–14. vol. [40] A.pdf. vol. Information Sciences and Systems. Theory. “Broadcast channels. Boutros. 7. Jan. no. MA: MIT Press. Radha. Stirling. Alloum. and R. 1972. 2. “Efﬁcient encoding of lowdensity paritycheck codes.” IEEE Trans. 2006. July 2009. Poor. Urbanke. [19] M. Shamir. 47. L. 2001. 51. “Secrecyachieving polarcoding for binaryinput memoryless symmetric wiretap channels. [26] U. Zhang. 49. Available online at http://arxiv. Available online at http://arxiv. “An efﬁcient algorithm to ﬁnd all smallsize stopping sets of lowdensity paritycheck matrices. 2009. [42] T. [31] T. Bloch. Elements of Information Theory. Communications (ICC). vol. no. pp. 11. Inf. Miller. 4. pp. A. pp. G. IL. Cover and J. J. 822–831. pp. J. NJ: John Wiley & Sons. Thomas. pp. Nov. Inf.” Submitted to IEEE Trans. and H. vol.” in Proc. [32] T. Subramanian.” IEEE Trans. vol. [41] G. Theory. New York. 1898–1902. Theory. Stinson. Ireland. Inc. Sept. 18. Dublin. 3051–3073. no. Maurer and S. [27] R. pp. Grimmett and D. Urbanke. vol. Sept.” IEEE Trans. Inc. A. “Nonsystematic lowdensity paritycheck codes for nonuniform sources. M. Theory. “Channel polarization: A method for constructing capacityachieving codes for symmetric binaryinput memoryless channels. 41st Annu. 28. [37] T. Boutros. Shamir and J. 4167–4178.” in Proc. [39] G. vol. ser. 2003. Wang. Aug. 1879–1888. “Nonsystematic LDPC codes via scrambling and splitting. Conf. Probability and Random Processes. Allerton Conf. J. Konheim. “Strong secrecy for erasure wiretap channels.2759v2.” IEEE Trans.” IEEE Trans. [34] C. 48.13 [18] L. pp. South Australia. Mahdavifar and A. 6. Nov. pp. Arıkan. “Finitelength analysis of lowdensity paritycheck codes on the binary erasure channel. E. “ARQbased secret key sharing. Conf. [21] E. Inf.” Adelaide. no. June 2009. pp. pp. “Stopping set distribution of LDPC code ensembles.org/PS cache/arxiv/pdf/1007/1007. “Secretkey agreement over unauthenticated public channels—Part I: Deﬁnitions and a completeness result. Cryptography Theory and Practice. vol.. “An efﬁcient maximumlikelihood decoding of LDPC codes over the binary erasure channel..” Submitted to IEEE Trans. [36] A. C. IEEE Information Theory Workshop (ITW). A. July 2010. 1963. 1–6. Gallager. Thangaraj. K. 55. . Inf.” IEEE Trans. Telatar. Inf. Rosnes and O. no. A. Theory. 50. K. Inf. NJ: John Wiley & Sons. PhysicalLayer Security: From Information Theory to Security Engineering. [24] M. no.” IEEE Trans. 2005. Theory. T.” in Proc. no. Bloch and J. 2010. Oxford. Hoboken. [30] D. Cambridge. FL: Chapman & Hall/CRC Taylor & Francis Group. pp. 2005.. NJ 07458: PrenticeHall. “A queueing analysis of two ARQ protocols. Shamai. [28] T. Barros. NY: Cambridge University Press. Upper Saddle River. Proietti. D. El Gamal. R. 2010.. Inf. Inf. Error Correction Coding: Mathematical Methods and Algorithms. 2008. Moon.. 3rd ed. L. 3. I.” IEEE Trans. Baltimore. 11. Mathematical Methods and Algorithms for Signal Processing. W. no. Lee and H. pp. Rosen.. M. Stirzaker. 9. 3rd ed. Aug. 1–5. and J. MD. Ed. Suresh.” IEEE Trans. Inc. [35] E. [29] T.org/PS cache/arxiv/pdf/1005/1005. K. Vardy. “The design of the maximumlikelihood decoding algorithm of LDPC codes over BEC. 2000. [38] A. Viswanathan. [20] A. Richardson. Burshtein and G. Monticello. Wolf. LowDensity ParityCheck Codes. 2837–2844.pdf. 1. J. [25] D. McLaughlin. 2005. To Appear: Cambridge University Press. 1570–1579. Hof and S. Richardson and R. IEEE Int. 2007. Theory. Theory. 2001. “The wiretap channel with feedback: Encryption over the channel. Commun. H.M. 2008. June 2002. Inf. Sultan. Boca Raton. Mar. Discrete Mathematics and Its Applications. 5059–5067. J. 638– 656. no. [33] K. UK: Oxford University Press. I. G. Theory.3568v1. A. Theory. Latif. Hoboken. Mar. Richardson and R. Ytrehus. 2010. 2004. vol. [22] E. Cover. 55. 2006. no. and L. “Achieving the secrecy capacity of wiretap channels using polar codes.” IEEE Trans. Orlitsky. T. 929–953. Feb. Inf. H. vol. pp. July 1980. Urbanke. K. 2005. Lai.Sept. 7. I. Di. and H. pp. 1004–1014. El Gamal. Apr.” in Proc. Inf. and S. Sept. Moon and W.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.