Key-Message Security over State-Dependent Wiretap Channels

The state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) available at the encoder is considered. An inner bound on the trade-off region between admissible secret key (SK) and secret message (SM) rates is provided. The result is derived under the stringent semantic-security metric. Our inner bound recovers the best-known achievability results for either SK generation, SM transmission, or simultaneous execution of both. Since some of these past benchmarks were derived under weaker security metrics, our results imply that an upgrade to semantic-security is possible without inflicting any rate loss. It is shown that for certain instances of the considered SD-WTC, the derived region is strictly larger than the previously best-known SK-SM trade-off region reported by Prabhakaran et al., and that a recently reported SK rate for this setup cannot be achieved.


I. INTRODUCTION
Two fundamental questions in physical layer security (PLS) concern the best achievable transmission rate of a secret message (SM) over a noisy channel, and the highest attainable SK rate that distributed parties can agree upon. The base model for SM transmission is Wyner's WTC [1]. The study of SK agreement was pioneered by Maurer [2], and, independently, by Ahlswede and Csiszár [3], who studied the achievable SK rates based on correlated observations at the terminals that can communicate via a noiseless public link.
A more general framework is the state-dependent (SD) WTC with non-causal encoder channel state information (CSI). This model combines the WTC and the Gelfand and Pinsker (GP) channel [4], and is, therefore, sometimes referred to as the GP-WTC. The dependence of the channel's transition probability on the state sequence accounts for the possible availability of correlated sources at the terminals. The similarity between the SM transmission and the SK agreement tasks makes their integration in a single model natural. Adhering to the most general framework, we study the SM-SK rate pairs that are simultaneously achievable over the GP-WTC.
The scenario with a SM only was first studied in [5], where an achievable formula was established. This result was improved upon in [6] based on a novel superposition coding scheme. SK agreement over the GP-WTC was the focus of [7], and, more recently, of [8] (see also references therein). The combined model was considered by Prabhakaran et al. [9], who derived the best inner bound on the SM-SK capacity region known until this work. The result from [9] is optimal for several classes of GP-WTCs. We extend the superposition coding scheme from [6] to generate a SK, which gives rise to a novel inner bound on the SM-SK capacity region of the GP-WTC. To the best of our knowledge, all existing inner bounds on SM transmission, SK agreement or both, for this setup, are captured by our result. Furthermore, we demonstrate our region can achieve strictly higher rates than [9], for certain instances of the GP-WTC. The key observation here is that the scheme from [9] does not allow GP coding in the inner code layer. Exploiting this fact, we propose an example for which GP coding in the inner layer is necessary to achieve capacity. For that example, the scheme from [9] is strictly sub-optimal, while our result attains optimality. In addition, we show that a recently reported achievability bound on the SK capacity for this setup [10], that seemingly achieves higher rates than the result herein, is missing a condition to be correct. The amended result (with the missing condition) is a special case of our inner bound.
Our coding scheme uses an over-populated superposition codebook that encodes the entire confidential message in its outer layer. Using the redundancies in the inner and outer layers, the transmission is correlated with the state via the likelihood encoder [11]. Although the redundancy indices are chosen as part of the encoding process, their distribution turns out to be approximately uniform. Consequently, as long as a certain redundancy index is kept secret, it may be declared as a SK. The security analysis is based on constructing the inner codebook such that it is better observable by the eavesdropper, making the inner layer index decodable by him/her. This enhances the secrecy resources that the legitimate parties can extract from the outer layer, which they use to secure the SM and part of the redundancy index of the outer layer, which is declared as the SK.
Our results are derived under the strict metric of semantic-security (SS), i.e., negligible mutual information (MI) between the confidential data (in our case, the SM-SK pair) and the eavesdropper's observations, when maximized over all possible message distributions. Since many of the past secrecy results were derived under the weak secrecy metric (i.e., a vanishing normalized MI with respect to a uniformly distributed message-key pair), our achievability outperforms those schemes, not only in terms of the achievable rate pairs, but also in the upgraded sense of security.

II. SETUP AND DEFINITIONS
We use notations from [12, Section 2]. Let $\mathcal{S}$, $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{Z}$ be finite sets. The $(\mathcal{S}, \mathcal{X}, \mathcal{Y}, \mathcal{Z}, W_S, W_{Y,Z|S,X})$ GP-WTC is shown in Fig. 1. A state sequence $\mathbf{s} \in \mathcal{S}^n$ is sampled from the product distribution $W_S^n$ and non-causally revealed to the encoder. The sender chooses a message $m$ from the set $[1 : 2^{nR_M}]$ and maps $(\mathbf{s}, m)$ onto a channel input sequence $\mathbf{x} \in \mathcal{X}^n$ and a key index $k \in [1 : 2^{nR_K}]$ (the mapping may be random). The sequence $\mathbf{x}$ is transmitted over the SD-WTC $W_{Y,Z|S,X}$. The channel's outputs $\mathbf{y} \in \mathcal{Y}^n$ and $\mathbf{z} \in \mathcal{Z}^n$ are observed by the receiver and the eavesdropper, respectively. Based on $\mathbf{y}$, the receiver produces its estimates of $(m, k)$. The eavesdropper tries to glean whatever it can about the message-key pair from $\mathbf{z}$.

Remark 1 The considered model is the most general instance of a SD-WTC with non-causal CSI known at some or all of the terminals. Receiver and/or eavesdropper CSI may be incorporated in their channel outputs. Our model also supports the existence of a public (or private) bit-pipe from the transmitter to the receiver and the eavesdropper (or to the receiver only).
The bit-pipe may replace or coexist with the noisy channel.
Definition 1 (Code) An $(n, R_M, R_K)$-code $c_n$ for the GP-WTC with a message set $\mathcal{M}_n \triangleq [1 : 2^{nR_M}]$ and a key set $\mathcal{K}_n \triangleq [1 : 2^{nR_K}]$ is a pair of maps: For any message distribution $p_M$ and an $(n, R_M, R_K)$-code $c_n$, the induced joint distribution is The probability measure induced by $p^{(c_n)}$ is P. MI terms taken with respect to $p^{(c_n)}$ are denoted by $I_p$.
Definition 2 (Achievability) A pair $(R_M, R_K) \in \mathbb{R}_+^2$ is an achievable SS message-key rate pair for the GP-WTC, if for every $\epsilon > 0$ and sufficiently large $n$ there exists an are respectively, the error probability when $m$ is transmitted, the key uniformity and independence metric for message $m$, and the information leakage given message distribution $p_M$.
Here $\|p - q\|_{\mathrm{TV}}$ is the TV between $p$ and $q$, while $p^{(U)}_{\mathcal{A}}$ is the uniform distribution over a set $\mathcal{A}$.

Remark 2
The maximization in Definition 2 is over the message distribution only (rather than the distribution of the SM-SK pair) because, while the choice of $M \sim p_M$ is independent of the code, the distribution of $K$ is induced by the code.

Definition 3 (SS-Capacity)
The SS message-key capacity region $\mathcal{C}_{\mathrm{Sem}}$ of the GP-WTC is the convex closure of the set of achievable SS rate pairs.

III. MAIN RESULT
We give a novel inner bound on the SS message-key capacity region of the GP-WTC. To the best of our knowledge, our achievable region recovers all the best-known achievability results for the considered problem (or any of its special cases).
To state the result, let $\mathcal{U}$ and $\mathcal{V}$ be finite sets with cardinalities $|\mathcal{U}| \leq |\mathcal{X}||\mathcal{S}| + 5$ and $|\mathcal{V}| \leq |\mathcal{X}$ where $|x|^+ \triangleq \max\{x, 0\}$ and the MI terms are taken with respect to $W_S q_{U,V,X|S} W_{Y,Z|S,X}$, i.e., such that $(U, V) - (S, X) - (Y, Z)$ forms a Markov chain.
Theorem 1 (Inner Bound) The following inclusion holds: Due to space limitation, the proof of Theorem 1 is omitted (see [13]). A high-level description of the code construction is as follows. We use a secured superposition coding scheme. An over-populated two-layered superposition codebook is constructed (independently of the state sequence), in which the entire secret message is encoded in the outer layer. The likelihood encoder [11] uses the redundancies in the inner and outer codebooks to correlate the transmission with the state. Upon doing so, part of the correlation index from the outer layer is declared by the encoder as the key. The inner layer is designed to utilize the part of the channel which is better observable by the eavesdropper. This saturates the eavesdropper with redundant information, leaving him/her with insufficient resources to extract any information on the SM-SK pair from the outer layer. The legitimate decoder, on the other hand, decodes both layers and declares the appropriate indices as the decoded message-key pair.

Remark 3 (Interpretation of Theorem 1)
We interpret the terms in (1) as follows. The right-hand side (RHS) of (1a) is the total rate of reliable (secured and unsecured) communication that our superposition codebook supports, which restricts $R_M$. For (1b), the term $I(V;Y|U) - I(V;Z|U)$ is the total rate of secrecy resources that are produced by the outer layer of the codebook. Since the security of the SM-SK pair comes entirely from the outer layer, this MI difference is an upper bound on the sum of rates. To interpret the penalty term $|I(U;S) - I(U;Y)|^+$, we note that $I(U;S)$ is approximately the rate of the inner codebook. Thus, $I(U;Y) < I(U;S)$ means that looking solely at the inner layer, the decoder lacks the resolution to decode it. However, the success of our communication protocol relies on the decoder reliably decoding both layers. Therefore, in this case, some of the rate from the outer layer is allocated to convey the inner layer index. As our security analysis is based on revealing the inner layer to the eavesdropper, this rate allocation effectively results in a loss of $|I(U;S) - I(U;Y)|^+$ in the secrecy rate.

IV. TIGHT SECRECY CAPACITY RESULTS
An interesting special case of the considered GP-WTC is as follows. Assume that $W_{Y,Z|S,X}$ is such that the eavesdropper's channel is less noisy than the main channel, but that the legitimate parties share noiseless observations of a source $L \sim W_L^n$, independent of the channel and its state sequence $S \sim W_S^n$. Using $L$ the legitimate parties may extract a SK and secure the confidential data. forms a Markov chain. We refer to this instance as the SD less-noisy-eavesdropper WTC with a key.

Corollary 1 (SM-SK Capacity Region) The SS message-key capacity region of the SD less-noisy-eavesdropper WTC with a key is the set of all
where the joint distribution in (3a) is $W_S q_{U,X|S} W_{Y|S,X}$.
The achievability of (3) follows by setting $V = (L, U)$ into Theorem 1, with $(U, X)$ that are independent of $L$. The converse relies on two observations. First, the SM rate of the channel cannot exceed the total reliable rate for this channel. Second, since the channel is less noisy in favor of the eavesdropper, all the secrecy comes from the external source $L$. For the full proof see [13, Appendix A]. A direct consequence of Corollary 1 is that when no SK is to be established (i.e., $R_K = 0$) the best attainable SM rate is Instead of employing Theorem 1, (4) can be achieved via a simple separation-based coding scheme. Roughly speaking, a capacity achieving error correction code transforms the channel into a noiseless bit-pipe. The legitimate parties then compress $L$ to produce a shared uniformly distributed key of entropy $H(L)$. The key is used to encrypt the SM via a one-time pad and the encrypted message is transmitted. The achievable SM rate equals the minimum between the channel's capacity and the key's rate. While this scheme is very natural, to the best of our knowledge, none of the past achievability results for the GP-WTC prior to [6] attain its performance.
In Section V-B, a special case of this setup is used to demonstrate the improvement of our result over the previous benchmark achievable SM-SK region for the GP-WTC [9].

V. COMPARISON TO SM-SK TRADE-OFF BENCHMARK
We show $\mathcal{R}_A$ contains the previously best-known achievable SK-SM trade-off region from [9]. Then, it is demonstrated that, for certain GP-WTCs, Theorem 1 strictly outperforms [9].

A. SM-SK Trade-off Region
In [9, Theorem 1] the following region was established: where, for any $q_U$ and $q_{V,X|U,S}$, $\mathcal{R}_{\mathrm{PER}}(q_U q_{V,X|U,S})$ is the set of all $(R_M, R_K) \in \mathbb{R}_+^2$ satisfying, with the MI terms taken with respect to $W_S q_U q_{V,X|U,S} W_{Y,Z|S,X}$, i.e., $U$ and $S$ are independent and $(U, V) - (S, X) - (Y, Z)$ forms a Markov chain. Theorem 1 recovers $\mathcal{R}_{\mathrm{PER}}$ by restricting $U$ and $S$ to be independent.

B. Achieving Strictly Higher Rates
Since [9, Theorem 1] restricts the inner layer coding random variable $U$ to be independent of $S$, Gelfand-Pinsker coding [4] (which generally requires correlating $U$ with $S$) is not supported in the inner layer. Instead, only Shannon's Strategies coding [14], which operates with independent $U$ and $S$, is allowed. The latter is optimal if the encoder observes the state causally, but is generally sub-optimal when non-causal encoder CSI is available.
To show that Theorem 1 can improve upon [9], we exploit the aforementioned limitation of the scheme therein, along with the observation that it is beneficial to exploit any part  Fig. 2, whose transition probability $W_{Y,Z|S,X}$, key $L \sim W_L$ and state $S \sim W_S$ are defined by the three parameters $\lambda, \epsilon, \sigma \in (0, 0.5)$ as follows:
• Let $X$ and $G$ be, respectively, the input and the output of the Memory with Stuck-at-Faults (MSAF) [15] channel, driven by a ternary state $S$. The relation between $G$ and $(X, S)$ is described through the deterministic function
• The output $G$ of the MSAF channel is fed into a Binary Erasure Channel with erasure probability $\epsilon$ (abbreviated as a BEC($\epsilon$)). Thus, $G$ and $Y$ are related by means of the erasure random variable $E$ through the function:
$$y(e, g) = \begin{cases} g, & e = 0 \\ ?, & e = 1 \end{cases}$$
We next outline the proof of Proposition 1 (see [13, Appendix C] for details).
Combining $V - U - (S, X)$ with the independence of $U$ and $S$ in [9, Theorem 1], we have that $(U, V)$ and $S$ are independent too. Interestingly, this means that the inability of the scheme from [9, Theorem 1] to support GP coding in the inner layer implies, for the considered example, that GP coding is not supported at all. We next focus on the remaining rate bound (6a). Using the above derived properties, it can be shown that Note that the RHS above is the capacity of the MSAF channel with causal CSI, which equals $1 - h\left(\frac{\sigma}{2}\right)$ [16]. Thus, Recalling that $R_A(\lambda, \epsilon, \sigma) = H(L)$ and noticing that $H(L) > 1 - h\left(\frac{\sigma}{2}\right)$ concludes the proof.

Remark 4
This example actually demonstrates that [6, Theorem 1] (which is a special case of Theorem 1, when $R_K = 0$) achieves strictly higher SM rates than [9, Theorem 1].

VI. A MISSING CONDITION IN A RECENTLY REPORTED SK ACHIEVABILITY RESULT
In [10], a lower bound on the SK capacity of the GP-WTC was reported. In our notation, [10, Theorem 1] states the following lower bound on the GP-WTC's SK capacity $C_{\mathrm{SK}}$ where the maximization is over all $q_{U|V}$ and $q_{V,X|S}$ satisfying forms a Markov chain. $R_{\mathrm{Zib}}$ suggests that no secrecy rate-loss is inflicted when the inner layer is not decodable on its own by the legitimate receiver, i.e., when $I(U;S) > I(U;Y)$. Consequently, $R_{\mathrm{Zib}}$ seemingly attains higher SK rates than Theorem 1. However, following the steps of the proof of [10, Theorem 1], it appears that another condition was assumed without being explicitly stated. Namely, the missing condition is $I(U;Y) \geq I(U;S)$, which would assure decodability of the inner code layer by the legitimate receiver without relying on the outer layer. Taking this additional constraint into consideration, our inner bound recovers the amended Theorem 1 from [10] by setting $R_M = 0$, $V = (U, V)$, and maximizing only over distributions that satisfy $I(U;Y) - I(U;S) > 0$.
To verify that (8) is not achievable without the additional constraint, consider the following setup.
• Let $A$, $B$ and $Q$ be three i.i.d. $\mathrm{Ber}\left(\frac{1}{2}\right)$ random variables.
• Let $\Psi$ be a private (i.e., unobserved by the eavesdropper) bit-pipe of rate 1.
Setting $S = (A, B)$, $X = \Psi$, $Y = (T, Q, \Psi)$ and $Z = A \oplus B$, gives rise to the following operational problem. Consider $n$ rounds such that at each round $i \in [1 : n]$, the encoder observes two memoryless fair coin tosses, $A_i$ and $B_i$ (i.i.d. copies of $A$ and $B$). The decoder observes only one of them, namely $T_i$, chosen at random, using a third memoryless fair coin $Q_i$. The decoder also observes $Q_i$, which informs it if $T_i = A_i$ or $T_i = B_i$; the encoder does not know which coin the decoder observed. The eavesdropper observes only the modulo 2 addition of the two coins. After $n$ coin tossing rounds (recall that CSI is non-causal in our setup), the encoder transmits $n$ bits to the decoder using the private bit-pipe. This transmission is inaccessible to the eavesdropper. The legitimate parties wish to agree upon a key that is kept secret from the eavesdropper.
A valid choice of random variables for (8) is 1) $\Psi \sim \mathrm{Ber}\left(\frac{1}{2}\right)$ independent of $(A, B, Q)$, 2) $U = Z = A \oplus B$, 3) $V = (A, B, \Psi)$, which achieves $R_{\mathrm{Zib}} = 2$. Hence, by showing that the SK capacity of the proposed setup is strictly less than 2, we contradict the achievability of $R_{\mathrm{Zib}}$. We do so by showing that the vanishing average error probability and the weak secrecy of the SK, used in the definition of achievability in [10], cannot coexist in this setup while a SK rate of 2 is attained.
A formulation of the subsequently outlined ideas is found in [13, Appendix B]. Assume a SK rate of 2 bits per channel use is attainable. Thus, there exists a sequence of codes $\{c_n\}_n$, inducing a sequence of SKs $\{K_n\}_n$. The sequence of keys approaches the rate of 2 bits, as $n$ grows, while the decoding error and the information leakage rate vanish. All subsequent multi-letter entropy terms are taken with respect to the distribution induced by the corresponding $c_n$.
As stated in [13, Lemma 8], the rate assumption along with the vanishing decoding error requirement imply This is proven in Appendix E of [13]; the proof utilizes the statistical relations between the random variables in play, as well as standard information identities. The meaning of (10) is that, asymptotically, the coin realizations can be reconstructed from the SK. Then, we notice that the common randomness (CR) rate of this setup [17], which upper-bounds the SK rate $\frac{1}{n} H(K_n)$, is 2. Combining this observation with (10), it follows that $\frac{1}{n} H(K_n | A^n, B^n) \xrightarrow[n \to \infty]{} 0$.
Thus, $K_n$ and $(A^n, B^n)$ are asymptotically recoverable from one another, which means that the only way the encoder and decoder can achieve a CR rate of 2, is by using the coin realizations as their CR. Finally, since, in each round, the eavesdropper observes $Z_i = A_i \oplus B_i$, we have $\frac{1}{n} I(K_n; Z^n) \approx \frac{1}{n} I(A^n, B^n; Z^n) = 1$. This contradicts security.
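The single-letter quantities behind this counterexample can be checked by brute force over the 16 equally likely outcomes of one round. The following is an added example, not code from the paper: it evaluates the missing condition of Section VI, the penalty and outer-layer terms of Remark 3, and the per-round leakage for S = (A, B), Y = (T, Q, Ψ), U = Z = A ⊕ B and V = (A, B, Ψ). It assumes Q = 0 selects T = A and Q = 1 selects T = B (the text does not fix the labelling); all function names are hypothetical.

```python
from itertools import product
from math import log2

# Positions of each variable inside an outcome tuple of the joint pmf.
IDX = {"A": 0, "B": 1, "Q": 2, "Psi": 3, "T": 4, "Z": 5}

def joint_pmf():
    """Single-round pmf of (A, B, Q, Psi, T, Z) for the coin-tossing setup."""
    pmf = {}
    for a, b, q, psi in product((0, 1), repeat=4):  # four fair, independent bits
        t = a if q == 0 else b   # ASSUMPTION: Q = 0 reveals A, Q = 1 reveals B
        z = a ^ b                # eavesdropper's observation Z = A xor B
        pmf[(a, b, q, psi, t, z)] = 1 / 16
    return pmf

def entropy(pmf, names):
    """Joint entropy (bits) of the named variables."""
    marginal = {}
    for outcome, p in pmf.items():
        key = tuple(outcome[IDX[n]] for n in names)
        marginal[key] = marginal.get(key, 0.0) + p
    return -sum(p * log2(p) for p in marginal.values() if p > 0)

def mutual_info(pmf, xs, ys, cond=()):
    """I(xs; ys | cond) in bits, expanded into four joint entropies."""
    xs, ys, cond = tuple(xs), tuple(ys), tuple(cond)
    return (entropy(pmf, xs + cond) + entropy(pmf, ys + cond)
            - entropy(pmf, xs + ys + cond) - entropy(pmf, cond))

def evaluate_counterexample():
    """Evaluate the terms discussed in Remark 3 and Section VI for this setup."""
    p = joint_pmf()
    S, Y, Z = ("A", "B"), ("T", "Q", "Psi"), ("Z",)
    U, V = ("Z",), ("A", "B", "Psi")          # U = Z = A xor B, V = (A, B, Psi)
    i_us, i_uy = mutual_info(p, U, S), mutual_info(p, U, Y)
    return {
        "I(U;S)": i_us,
        "I(U;Y)": i_uy,
        "missing_condition_holds": i_uy >= i_us,       # I(U;Y) >= I(U;S)
        "penalty": max(i_us - i_uy, 0.0),              # |I(U;S) - I(U;Y)|^+
        "outer_layer": mutual_info(p, V, Y, U) - mutual_info(p, V, Z, U),
        "leak_per_round": mutual_info(p, S, Z),        # I(A,B;Z)
    }

if __name__ == "__main__":
    for name, value in evaluate_counterexample().items():
        print(f"{name:24s} {value}")
```

For this choice of (U, V), a single observed coin carries no information about A ⊕ B, so I(U;Y) falls below I(U;S) and the condition I(U;Y) ≥ I(U;S) fails.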