#### DMCA

## MAHDAVIFAR AND VARDY: ACHIEVING THE SECRECY CAPACITY OF WIRETAP CHANNELS USING POLAR CODES 1 Achieving the Secrecy Capacity of Wiretap Channels Using Polar Codes

### Citations

2097 |
Information Theory and Reliable Communication
- Gallager
- 1968
(Show Context)
Citation Context ...mmetric if the rows of M are permutations of each other and the columns of M are permutations of each other. A channel 〈X , Y , W〉 is strongly symmetric if W is a strongly symmetric matrix. Following =-=[3,4,14,19]-=-, we will say that 〈X , Y , W〉 is symmetric (often called outputsymmetric) if the columns of W can be partitioned into subsets such that each subset forms a strongly symmetric matrix. The capacity of ... |

1390 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ... place any constraints on the a priori distribution of U. Assuming that messages are a priori uniform is common in information theory, but such assumptions are completely unacceptable in cryptography =-=[6,15]-=-. Even more importantly, we show how polar coding should be used to provide strong security, whereas the work of [1,17,21] provides weak security only. Again, in cryptographic applications, convention... |

753 |
Broadcast channels with confidential messages
- Csiszár, Körner
- 1978
(Show Context)
Citation Context ...) and (2) at rates greater than Cs. Since 1975, Wyner’s results have been extended to a variety of contexts, most notably Gaussian channels [23], general broadcast channels with confidential messages =-=[12]-=-, and channels that impose a combinatorial (rather than probabilistic) constraint on the adversary [8,33]. In fact, the literature on wiretap channels encompasses, by now, hundreds of papers. However,... |

580 |
The wire-tap channel
- Wyner
- 1975
(Show Context)
Citation Context ...exts, most notably Gaussian channels [23], general broadcast channels with confidential messages [12], and channels that impose a combinatorial (rather than probabilistic) constraint on the adversary =-=[8,33]-=-. In fact, the literature on wiretap channels encompasses, by now, hundreds of papers. However, the vast majority of this work relies on nonconstructive random-coding arguments to establish the main r... |

496 | Elements of Information Theory, 2nd ed - Cover, Thomas - 2006 |

365 |
The Gaussian wiretap channel
- Leung-Yan-Cheong, Hellman
- 1978
(Show Context)
Citation Context ...) and (2); conversely, it is not possible to satisfy both (1) and (2) at rates greater than Cs. Since 1975, Wyner’s results have been extended to a variety of contexts, most notably Gaussian channels =-=[23]-=-, general broadcast channels with confidential messages [12], and channels that impose a combinatorial (rather than probabilistic) constraint on the adversary [8,33]. In fact, the literature on wireta... |

325 | Generalized privacy amplification.
- Bennett, Brassard, et al.
- 1995
(Show Context)
Citation Context ...ty condition (2) can be converted into a coding scheme that satisfies the stronger condition (3). This is accomplished using an ingenious information reconciliation and privacy amplification protocol =-=[7]-=-. Although, in principle, the rate overhead necessary for privacy amplification can be made arbitrarily small, this is unlikely to be the case in practice. In Section VI, we show how to modify the cod... |

254 |
Polarization: A Method for Constructing Capacity-achieving Codes for Symmetric Binary-Input Memoryless Channels
- Arıkan, “Channel
- 2009
(Show Context)
Citation Context ...thms. In fact, the number of operations required for encoding and decoding is only O(n log n). Our construction is based upon key results in the literature on polar codes, recently invented by Arıkan =-=[3]-=-. It is proved in [3] that polar codes achieve the capacity of arbitrary binary-input symmetric DMCs, with low encoding and decoding complexity. The proof of this result is based on a phenomenon calle... |

239 | Channel coding rate in the finite blocklength regime
- Polyanskiy, Poor, et al.
- 2010
(Show Context)
Citation Context ...or the mutual information I(U; Z) to vanish asymptotically. Given a BSM channel W, is it true that limn→∞ nǫn = 0 for this channel? Unfortunately, the answer to this question is negative. It is known =-=[34,36]-=- that for any discrete memoryless channel W and any code of length n and rate R that achieves errorprobability Pe on W, we have C(W)− R > const(Pe, W)√ n − O ( log n n ) where the constant (which is g... |

134 |
Generalized Hamming weights for linear codes,
- Wei
- 1991
(Show Context)
Citation Context ...his situation, studied by Ozarow and Wyner in [33], may be regarded as a combinatorial variation of an erasure channel. Provably optimal coding schemes for this case can be constructed from MDS codes =-=[41]-=-, or using extractors [8]. We observe, however, that even for the simple situation where C1 is noiseless and C2 is a binary symmetric channel, it is not known how to explicitly construct codes that ac... |

125 | Information-Theoretic key agreement: From weak to strong secrecy for free,” ser
- Maurer, Wolf
- 2000
(Show Context)
Citation Context ...tional entropy H(U|Z). Thus, intuitively, (2) means that observing Z does not provide much information about U beyond what is available a priori, as compared to the message length k. Maurer argued in =-=[28,29]-=- that the conventional notion of security (2) is much too weak. Indeed, it is easy to construct examples where k1−ε out of the k message bits are disclosed to Eve, while still satisfying (2). This is ... |

92 |
Achieving the secrecy capacity of wiretap channels using polar codes,”
- Mahdavifar, Vardy
- 2011
(Show Context)
Citation Context ...capacity” can be achieved. A few open problems that stem from our results herein are also discussed in Section VII. C. Related Work Following the publication of a preliminary version of this paper in =-=[25]-=- and [26], several related papers have appeared [1,17,21]. Most notably, the work of Hof and Shamai [17] on polar coding for wiretap channels is independent and contemporaneous to ours. While some of ... |

80 |
Asymptotische abschätzungen in Shannons informationstheorie
- Strassen
- 1962
(Show Context)
Citation Context ...or the mutual information I(U; Z) to vanish asymptotically. Given a BSM channel W, is it true that limn→∞ nǫn = 0 for this channel? Unfortunately, the answer to this question is negative. It is known =-=[34,36]-=- that for any discrete memoryless channel W and any code of length n and rate R that achieves errorprobability Pe on W, we have C(W)− R > const(Pe, W)√ n − O ( log n n ) where the constant (which is g... |

73 |
Polarization for arbitrary discrete memoryless channels,” in
- Sasoglu, Telatar, et al.
- 2009
(Show Context)
Citation Context ... the results of Arıkan in [3], exactly the same proof as before (Lemma 6 and Lemma 7) applies. Our results also extend to discrete memoryless channels with non-binary input. It was recently proved in =-=[35]-=- that channels with an input alphabet of prime size q are polarized by the same transformation (5), and the corresponding versions of Theorem 1 and Theorem 2 hold. The probability of error under succe... |

72 | Polar codes for channel and source coding”,
- Korada
- 2009
(Show Context)
Citation Context ...formance. We have limited our consideration herein to successive cancellation decoding, or variants thereof. It is also possible that other methods of decoding polar codes (such as belief propagation =-=[18]-=- or recursive-list decoding [13]) may be relatively robust to not fixing a small set X of bad channels. Analysis of such decoders is a research problem of independent interest. VII. DISCUSSION AND OPE... |

72 | Applications of LDPC codes to the wiretap channel,”
- Thangaraj, Dihidar, et al.
- 2007
(Show Context)
Citation Context ...The first special case is when the main channel is noiseless and the wiretap channel is the binary erasure channel (BEC). A coding scheme for this case, using LDPC codes for the BEC, was presented in =-=[37,39]-=- and proved to achieve secrecy capacity. The other special case is when the adversary is constrained combinatorially: Eve can select to observe some t out of the n transmitted symbols, while the remai... |

43 | The Strong Secret Key Rate of Discrete Random Triples”, Communication and Cryptography – Two Sides of One Tapestry
- Maurer
- 1994
(Show Context)
Citation Context ...tional entropy H(U|Z). Thus, intuitively, (2) means that observing Z does not provide much information about U beyond what is available a priori, as compared to the message length k. Maurer argued in =-=[28,29]-=- that the conventional notion of security (2) is much too weak. Indeed, it is easy to construct examples where k1−ε out of the k message bits are disclosed to Eve, while still satisfying (2). This is ... |

42 | Polar codes: characterization of exponent, bounds, and constructions,”
- Korada, oglu, et al.
- 2010
(Show Context)
Citation Context ...secrecy capacity is given by h2(p2) − h2(p1), where h2(·) is the binary entropy function. III. POLAR CODES This section provides a concise overview of the groundbreaking work of Arıkan [3] and others =-=[4,19,20]-=- on polar codes and channel polarization. We establish only those results that are essential for the coding schemes presented in this paper. As in [16,20], we consider exclusively binary-input symmetr... |

30 | Gamal, “Polar coding for secure transmission and key agreement
- Koyluoglu, El
- 2012
(Show Context)
Citation Context ...stem from our results herein are also discussed in Section VII. C. Related Work Following the publication of a preliminary version of this paper in [25] and [26], several related papers have appeared =-=[1,17,21]-=-. Most notably, the work of Hof and Shamai [17] on polar coding for wiretap channels is independent and contemporaneous to ours. While some of the main results in [17] and in this paper are similar, t... |

28 | A performance comparison of polar codes and reedmuller codes,”
- Arikan
- 2008
(Show Context)
Citation Context ...s given by Arıkan in [3]. However, this algorithm requires time and memory that grow exponentially with the code length n. Since then, several heuristic algorithms for this problem have been proposed =-=[2,30,31]-=-. However, these algorithms do not provide useful guarantees on the quality of their output. Such guarantees are clearly essential to establish the security of our coding scheme. Fortunately, the prob... |

28 |
On a special class of broadcast channels with confidential messages
- Dijk
- 1997
(Show Context)
Citation Context ...imization is often difficult to evaluate, and there is no simpler expression for the secrecy capacity even when C1 and C2 are both strongly symmetric, unless additional constraints are satisfied. See =-=[24,40]-=- for more details on this. However, when C1 = 〈X , Y , W∗〉 and C2 = 〈X , Z , W〉 are symmetric and C2 is degraded with respect to C1, a simple expression for Cs was given by Leung-Yan-Cheong in [22]. I... |

22 |
Nested polar codes for wiretap and relay channels,”
- Andersson, Rathi, et al.
- 2010
(Show Context)
Citation Context ...stem from our results herein are also discussed in Section VII. C. Related Work Following the publication of a preliminary version of this paper in [25] and [26], several related papers have appeared =-=[1,17,21]-=-. Most notably, the work of Hof and Shamai [17] on polar coding for wiretap channels is independent and contemporaneous to ours. While some of the main results in [17] and in this paper are similar, t... |

21 | Performance and construction of polar codes on symmetric binary-input memoryless channels
- Mori, Tanaka
(Show Context)
Citation Context ...s given by Arıkan in [3]. However, this algorithm requires time and memory that grow exponentially with the code length n. Since then, several heuristic algorithms for this problem have been proposed =-=[2,30,31]-=-. However, these algorithms do not provide useful guarantees on the quality of their output. Such guarantees are clearly essential to establish the security of our coding scheme. Fortunately, the prob... |

21 |
Performance of polar codes with the construction using density evolution,”
- Mori, Tanaka
- 2009
(Show Context)
Citation Context ...s given by Arıkan in [3]. However, this algorithm requires time and memory that grow exponentially with the code length n. Since then, several heuristic algorithms for this problem have been proposed =-=[2,30,31]-=-. However, these algorithms do not provide useful guarantees on the quality of their output. Such guarantees are clearly essential to establish the security of our coding scheme. Fortunately, the prob... |

13 | Invertible extractors and wiretap protocols
- Cheraghchi, Didier, et al.
(Show Context)
Citation Context ...exts, most notably Gaussian channels [23], general broadcast channels with confidential messages [12], and channels that impose a combinatorial (rather than probabilistic) constraint on the adversary =-=[8,33]-=-. In fact, the literature on wiretap channels encompasses, by now, hundreds of papers. However, the vast majority of this work relies on nonconstructive random-coding arguments to establish the main r... |

12 |
On a special class of wire-tap channels
- Leung-Yan-Cheong
- 1977
(Show Context)
Citation Context ...ryptographic applications, conventional weak security is usually unacceptable. II. SECRECY CAPACITY In this section, we first establish some relevant terminology. We then briefly recap the results of =-=[12,22]-=- to provide a simple expression for the secrecy capacity Cs in the case where C1 and C2 are symmetric DMCs and C2 is degraded with respect to C1. We will limit our consideration to finite-input and fi... |

12 |
Strong secrecy for erasure wiretap channels
- Suresh, Subramanian, et al.
- 2010
(Show Context)
Citation Context ...The first special case is when the main channel is noiseless and the wiretap channel is the binary erasure channel (BEC). A coding scheme for this case, using LDPC codes for the BEC, was presented in =-=[37,39]-=- and proved to achieve secrecy capacity. The other special case is when the adversary is constrained combinatorially: Eve can select to observe some t out of the n transmitted symbols, while the remai... |

12 |
Joint Equalization and Coding for Intersymbol Interference Channels
- YELLIN, VARDY, et al.
- 1997
(Show Context)
Citation Context ...it dictated by the decoder complexity considerations. The situation is quite similar to decisionfeedback equalization on ISI channels using a bank of M zeroforcing DFEs. That scenario was analyzed in =-=[43]-=-, where it is shown that error-propagation caused by incorrect decisions can be used to discard erroneous decision-feedback paths. It is also shown in [43] that, in practice, small values of M often s... |

11 | A cryptographic treatment of the wiretap channel
- Bellare, Tessaro, et al.
- 2012
(Show Context)
Citation Context ...eed Q(z|x) = Pr{Z= z ∣∣V = x} (55) Our main goal in this subsection is to show that the induced channel Qn(W,R) in Figure 3 is symmetric. This follows as a special case of the more general results in =-=[5]-=-. Although [5] precedes this paper chronologically, it is not yet publicly available. Therefore, we include a complete proof for completeness. Recall that a group action of an abelian group A on a set... |

9 |
The wiretap channel applied to biometrics
- Cohen, Zémor
- 2004
(Show Context)
Citation Context ...he wiretap channel, often referred to as coset-coding or syndrome-coding, is well known. This method goes back to the work of Wyner [33, 42], although it was significantly extended and generalized in =-=[9,10]-=- and other papers. Assume, for simplicity, that the input alphabet of both C1 and C2 is binary. In this case, the cosetcoding method utilizes two binary linear codes: an “outer” code C∗ and an “inner”... |

9 |
On the scaling of polar codes: I. the behavior of polarized channels
- Hassani, Urbanke
- 2010
(Show Context)
Citation Context ...roundbreaking work of Arıkan [3] and others [4,19,20] on polar codes and channel polarization. We establish only those results that are essential for the coding schemes presented in this paper. As in =-=[16,20]-=-, we consider exclusively binary-input symmetric memoryless (BSM) discrete channels. Such a channel is a symmetric DMC, as defined in the previous section, with input alphabet X = {0, 1}. With a sligh... |

9 | Secrecy-achieving polar-coding for binary-input memoryless symmetric wire-tap channels,” [online] Available: arXiv:1005.2759v2 [cs.IT - Hof, Shamai |

7 |
Syndrome-Coding for the Wiretap Channel Revisited
- Cohen, Zemor
- 2006
(Show Context)
Citation Context ...he wiretap channel, often referred to as coset-coding or syndrome-coding, is well known. This method goes back to the work of Wyner [33, 42], although it was significantly extended and generalized in =-=[9,10]-=- and other papers. Assume, for simplicity, that the input alphabet of both C1 and C2 is binary. In this case, the cosetcoding method utilizes two binary linear codes: an “outer” code C∗ and an “inner”... |

7 |
Fiber-optic communications technology
- Mynbaev, Scheiner
- 2001
(Show Context)
Citation Context ...C(p1) and C2 = BSC(p2). Let us further assume that p1 = 10−3 and that the error-rate required at the output of the main-channel decoder is 10−9. This is often the case in optical fiber communications =-=[32]-=-. We will use the polar transformation (5) of length n = 220. Indeed, codes of this length are already in use today in proprietary 100 GbE fiber-optic systems. We also adopt the following stringent se... |

6 |
Soft-decision decoding of reed-muller codes: recursive lists
- Dumer, Shabunov
- 2006
(Show Context)
Citation Context ...nsideration herein to successive cancellation decoding, or variants thereof. It is also possible that other methods of decoding polar codes (such as belief propagation [18] or recursive-list decoding =-=[13]-=-) may be relatively robust to not fixing a small set X of bad channels. Analysis of such decoders is a research problem of independent interest. VII. DISCUSSION AND OPEN PROBLEMS We briefly mention ce... |

5 |
On the rate of channel polarization,” preprint of July 24
- Arikan, Telatar
(Show Context)
Citation Context ...secrecy capacity is given by h2(p2) − h2(p1), where h2(·) is the binary entropy function. III. POLAR CODES This section provides a concise overview of the groundbreaking work of Arıkan [3] and others =-=[4,19,20]-=- on polar codes and channel polarization. We establish only those results that are essential for the coding schemes presented in this paper. As in [16,20], we consider exclusively binary-input symmetr... |

5 |
The Wiretap channel, Bell System Tech
- Wyner
- 1975
(Show Context)
Citation Context ...erms— channel polarization, information-theoretic security, polar codes, secrecy capacity, strong security, wiretap channel I. INTRODUCTION THE notion of wiretap channels was introduced by AaronWyner =-=[42]-=- in 1975. In this setting, Alice wishes to send messages to Bob through a communication channel C1, called the main channel, but her transmissions also reach an adversary Eve through another channel C... |

2 |
A concrete security treatment of symmetric encryption
- Rogaway
- 1997
(Show Context)
Citation Context ... place any constraints on the a priori distribution of U. Assuming that messages are a priori uniform is common in information theory, but such assumptions are completely unacceptable in cryptography =-=[6,15]-=-. Even more importantly, we show how polar coding should be used to provide strong security, whereas the work of [1,17,21] provides weak security only. Again, in cryptographic applications, convention... |

1 |
Shamai,“Information theoretic security,”Foundations and Trends
- Liang, Poor, et al.
- 2008
(Show Context)
Citation Context ...e also significant differences between the results established in [1,17,21] and in this paper. In particular, it is shown in [1,17] that polar coding achieves the entire rate-equivocation region (see =-=[24]-=- for a definition), whereas we are interested only in the extreme point of this region that corresponds to secrecy capacity. On the other hand, in several other respects, our results are stronger than... |

1 |
On the randomness in the encoder,” private communication
- Matsumoto
- 2010
(Show Context)
Citation Context ...al result. It is known that (2) cannot be satisfied unless the encoder makes use of at least I(X; Z) random bits, where I(X; Z) is the mutual information between the input and output of Eve’s channel =-=[27]-=-. V. WEAK SECURITY In this section, we prove that the coding scheme of the previous section satisfies the reliability and security conditions (1) and (2) while its rate k/n approaches the secrecy capa... |

1 |
How to construct polar codes,” presented at the
- Tal, Vardy
- 2010
(Show Context)
Citation Context ... “as is,” and Bob’s probability of error is at most 2−nβ . The following example illustrates this situation. In order to obtain the numerical values given in this example, we have used the methods of =-=[38]-=- to evaluate the polar bit-channels. Example. Suppose that both the main channel and the wiretap channel are binary symmetric channels, say C1 = BSC(p1) and C2 = BSC(p2). Let us further assume that p1... |