Wiretap Channel with Latent Variable Secrecy

—The classic wiretap channel (WTC) problem is concerned with a transmitter (Alice) that wants to send a message W to the intended receiver (Bob) while keeping it secret from a passive eavesdropper (Eve). However, under certain communication scenarios, the user may not be interested in hiding the entire message from the eavesdropper, but rather in hiding its most sensitive attributes. While classic wiretap coding is capable of hiding these salient message attributes, it may be too stringent and better communication rates may be achievable. Motivated by the above, in this paper, we introduce and study the latent variable wiretap channel (LV-WTC) problem. Under this setting, the transmitter is interested in sending the message W to the intended receiver while keeping a correlated latent variable S (which models privacy sensitive attributes) secret from the eavesdropper. We present a message splitting based achievable scheme for the LV-WTC problem, which adapts to the structure of the conditional distribution P S | W to achieve higher rates compared to the classical WTC. Several open problems and future directions that originate from this new communication problem are also discussed.


I. INTRODUCTION
The problem proposed herein is based on the observation that, in certain communication scenarios, the user may be interested in transmitting the information message while only keeping its sensitive attributes secret from the eavesdropper (rather than hiding the entire message). Under the communication theory paradigm, a naive solution to this problem is to use the classic wiretap channel (WTC) coding [1], [2] or its variants, e.g., [3]- [12]. In the classic WTC problem, the transmitter is interested in sending the message to its intended receiver while keeping it secret from a passive eavesdropper. However, keeping the entire message (modeled by W ) hidden from the eavesdropper, rather than just hiding its sensitive attributes (modeled by a correlated latent variable S), may be costly in terms of achievable transmission rates.
The framework of relaxed notions of privacy (including latent-variable privacy) has been explored in various other problems. For instance, within the context of privacy preserving data release, several works [13], [14] have proposed new privacy definitions and mechanisms with bounded leakage for latent (secret) attributes. The problem of latent-variable private information retrieval (PIR) was recently introduced in [15], where the goal is to retrieve content while satisfying perfect  privacy for latent attributes. This can allow a reduction in the download cost compared to conventional PIR protocols (such as [16]- [18]) which hide the identity of the desired content.
Motivated by the above, in this paper, we introduce and study a variant of the WTC that we name the latent variable wiretap channel (LV-WTC) problem. Under LV-WTC, the transmitter (Alice) wants to send the message W to its intended receiver (Bob) while keeping the latent variable S secret from the eavesdropper (Eve). That is, we are no longer interested in hiding the entire message as is done in the classic WTC setting, but rather its sensitive attributes. Due to the relaxed secrecy requirements, solutions to the LV-WTC problem can lead to transmission rate gains compared to classic WTC solutions. Another related problem is the socalled privacy funnel [19], where there is no eavesdropper and non-privacy-sensitive data attributes are revealed to a third party cooperative analyst. This set up also differs from LV-WTC in that it does not consider a communication problem with a need to bound the rates and its performance is measured in terms of both utility and privacy through a non-asymptotic mapping from data to its disclosed attributes.
In this work, we propose a coding scheme for the LV-WTC that can achieve higher secure transmission rates compared to classic wiretap coding. The scheme employs rate splitting that adapts to the structure of the conditional distribution P S|W , which captures the correlation between S and W . Based on the properties of P S|W , the rate splitting interpolates between the capacity of the classic WTC and the (nonsecure) point-topoint channel [20]. We further show that our LV-WTC scheme is related to the WTC with partial secrecy (PS-WTC) problem, a relaxed secrecy variant of the classic WTC, where only a portion of the transmitted message needs to be kept secret from the eavesdropper. Examples that highlight the key ideas behind the scheme are also provided.

II. LV-WTC PROBLEM FORMULATION
The latent variable wiretap channel (LV-WTC) problem is depicted in Fig. 1. Under this setting, the transmitter (Alice) wishes to send a message W , uniformly selected from the alphabet W = {1, 2, . . . , |W| = 2 nR }, to the intended receiver (Bob) while keeping a latent variable S, selected from the alphabet S = {s 1 , s 2 , . . . , s |S| }, secret from the eavesdropper (Eve). The conditional distribution P S|W is described by an |S| × |W| matrix, denoted as H n whose entries are given as h ij = Pr(S = s i |W = j), for i ∈ {1, 2, . . . , |S|} and j ∈ {1, 2, . . . , |W|}. We focus on the case that the conditional distribution P S|W is fixed, and known to all parties.
The transmitter uses an encoding function f (n) E : W → X n which maps the message W into an n-length signal vector X n belonging to the alphabet X n . She then transmits X n over the discrete memoryless channel channel (DMC) described by the transition probability P Y |X . Upon transmission, Bob receives the signal Y n belonging to the alphabet Y n , on which he applies a decoding function f (n) D : Y n → W to recover W . Eve receives the signal vector Z n which takes value in Z n . The eavesdropper's DMC channel is described by P Z|X . A rate R is achievable for the LV-WTC, if there exists a sequence of encoding/decoding functions (f ∞ n=1 such that, as n → ∞, the following constraints are satisfied: Decodability Constraint: W T C and defined as: Remark 1. In this paper, we focus on weak secrecy as defined in (2). Other notions of secrecy such as strong secrecy (defined as lim n→∞ I(S; Z n )) or semantic security (max P S I(S; Z n )) are left as candidates for future work. We also note that when |S| grows sub-exponentially with n, then the LV-secrecy constraint as defined in (2) is always trivially satisfied for any P S|W because 1 n I(S; Z n ) ≤ H(S)/n ≤ log(|S|)/n. Thus, in this paper, we restrict our attention to the case where |S| grows exponentially with n. To account for slower growth rates or when |S| does not depend on n, a different constraint should be investigated. We leave that exploration for future work.

A. Extreme Cases and Motivating Example
Before presenting our main results, we discuss special cases of the LV-WTC problem. On one extreme, consider the scenario if S is independent of W (in other words, the columns of the matrix H n describing P S|W are identical), then the latent-variable secrecy constraint is trivially satisfied for any encoder/decoder. In this case, C (LV ) i.e., capacity of LV-WTC reduces to the conventional (Shannon) capacity of the channel between Alice and Bob. On the other extreme, consider the scenario when S and W are in oneto-one correspondence. In this case, I(S; Z n ) = I(W ; Z n ), and the latent-variable secrecy constraint is equivalent to the message secrecy constraint. For this extreme, LV-WTC is equivalent to the conventional WTC, and thus C (LV ) , capacity of LV-WTC is same as the capacity of the general WTC between Alice, Bob and Eve [2]. For an arbitrary P S|W , a trivial scheme is to use a conventional capacity achieving wiretap code (which satisfies I(W ; Z n )/n → 0) for the latent-variable WTC. Due to the Markov chain S → W → X n → (Y n , Z n ), the latent-variable secrecy constraint I(S; Z n )/n → 0 is also satisfied. Hence, from the above arguments, we obtain the following bounds on the capacity of the LV-WTC: Example 1. We next present an illustrative example to highlight the main idea behind our scheme. Consider a scenario where a message W is uniformly distributed over W = {1, 2, . . . , 8}, and the conditional distribution P S|W is described by the 4 × 8 matrix H shown in Fig. 2. Here, the latent variable S takes four possible values (i.e., |S| = 4). Our main idea is the following: We take the message W and split it into two independent messages, W = W is independent of the latent variable S, while W (P) 2 may or may not be independent of S. Since W (P ) 2 is the only part of the message W that can be correlated with S, one can use wiretap coding to conceal W In order to achieve this message splitting, we take the set of messages and create a partition (denoted by P). For this example, we choose the partition of W = {1, 2, . . . , 8} as P = {P 1 , P 2 }, where P 1 = {1, 2, 3, 4} and P 2 = {5, 6, 7, 8}. Any message W ∈ W is then represented as follows: W represents the partition subset in which the message W falls. W (P) 2 represents the index of the message within the partition subset P . As an example, the message W = 7 is represented as W = 7 = (2, 3). The main constraint in choosing the partition P is that the resulting submessage W (P ) 1 should be independent of the latent variable S. For this example, the proposed partition P = {P 1 , P 2 } satisfies this constraint, which can be readily checked by verifying that P (S = s i |W (P) 1 = ) = P (S = s i ) for all i = 1, . . . , 4, and all = 1, 2. One can then optimize over all such partitions (such that the message W (P) 1 is independent of S) to yield the largest achievable rate for the LV-WTC. Building upon this intuition, we present our main result in the next section.

B. General Scheme for LV-WTC
In this section, we present an achievable scheme satisfying the reliability (1) and secrecy (2) for the general LV-WTC problem. To this end, we first define the capacity region of the WTC with partial secrecy (PS-WTC) as depicted in Fig. 3. For this problem, Alice wishes to transmit two messages (W 1 , W 2 ) to an intended receiver (Bob), while ensuring secrecy constraint only on W 2 at Eve, i.e., we require I(W 2 ; Z n )/n → 0 as n → ∞. The capacity region of PS-WTC is given next.
where U → V → X → (Y, Z) and R 1 and R 2 are respective transmission rates for the public and secret message components W 1 and W 2 .
Here, we summarize the achievability of Proposition 1. Detailed achievability and converse proofs can be obtained from a direct generalization of the conventional wiretap coding, e.g., [2], [10]- [12]. Consider a superposition coding using the auxiliary random variables U (distributed as P U ) and V (generated from U according to transition probability P V |U ), which respectively represent the public and secret components of the source message, with an outer layer wiretap coding with a randomizer of rateR (which corresponds to the introduction of a dummy messageW to confuse Eve about W 2 ). This leads to the stated below rate bounds, from which we can directly deduce the region in (4) through elimination of the dummy message rateR: where (5) follows from the fact that, by design of wiretap code, Bob is able to decode W 1 , (6) is due to the fact that, given U , Bob should be able to decode W 2 andW , (7) is the sum of (5) and (6), and (8) follows from the coding design requirement that, given U , Eve should not be able to decode anything beyond the dummy messageW .
The following definition provides sufficient conditions for a partition P to satisfy LV-WTC secrecy and decodability.

Definition 2. (Feasible Partition Set):
A partition set P of W is said to be feasible if it belongs to the set P LV of all feasible partitions that is defined as follows: where the |W| × 1 vector B is defined as B (j) = 1, if j ∈ P and B (j) = 0, otherwise, and 1 W is the all-one column vector of size |W|.
Our main result is a lower bound on the capacity of the general LV-WTC. Theorem 1. The following rate is achievable for LV-WTC: where, for a given partition P ∈ P LV , From this Theorem, we remark the following. are nontrivial if r and max ∈{1,2,...,r} |P | grow exponentially with n, respectively. In this case, we have C W T C < C (LV ) W T C < C.

C. Proof of Theorem 1
Consider any P ∈ P LV . In order to prove Theorem 1, it suffices to show that if R is achievable for LV-WTC. We take the message W and split it into W = W (P) 1 , W (P) 2 as follows: where ∈ {1, 2, . . . , r}, m ∈ {1, 2, . . . , |P |}, and P (m) denotes the mth element of P . We now show that for any P ∈ P LV , the first sub-message W ∈ P , where P ∈ P and P ∈ P LV . By Definition 2 of P LV , the following condition holds: Thus, to prove (13), it suffices to show that the right hand side of (14) is equivalent to the prior of S and the left hand side is equivalent to the posterior of S. Let P j = Pr(W = j) = 1 |W| , j ∈ {1, 2, . . . , |W|}, be the probability of randomly picking the message W from W. Hence, since all messages in W are equiprobable, we have P W = [P 1 , P 2 , . . . , P |W| ] = 1 We derive the prior distribution of S from H n and P W as: = H n (i, :)P W (16) where H n (i, :) is the ith row of H n . Moreover, (17) equates to stating that P S = 1 |W| H n 1 W . Define a random variable L such that L = , if W ∈ P , and L = 0, otherwise. We use P W |L to denote the probability of identifying W inside P after W (P) 1 has been revealed to the receiver, and define it as P W |L = 1 |P | , if j ∈ P and 0, otherwise. We can thus deduce the posterior of S from (15) as follows: where (18) follows from the definitions of H n , B , and P W |L . Furthermore, (18) equates to stating that P S|W (P) 1 = 1 |P | H n B . Therefore, the equivalence (13) directly follows.
Next, we need to show that the latent variable secrecy constraint (2) holds. This can be inferred from the construction of our scheme by making use of constraint (13) and invoking the capacity region of the PS-WTC as follows: I(S; Z n ) ≤ I S; Z n , W where (19) follows from the fact that introducing a new random variable Z n cannot reduce the mutual information, (20) is due to the chain rule of mutual information, and (21) is due to the fact that S is independent of W (P) 1 as proven in (13). Equation (22) follows from the fact that introducing a new random variable W (P) 2 cannot reduce the mutual information, (23) follows from the the chain rule of mutual information, whereas (24) follows from the fact that S is independent of Z n given W is achievable for partition P ∈ P LV . Optimizing over all partitions in P LV leads to Theorem 1.

D. Achievable Rate for a Special Class of H n
In this section, we provide an example to further highlight key ideas behind Theorem 1. First, we consider the case where the columns of H n can be partitioned into exclusive groups with equal cardinality along with specified linear independence properties. Then, we evaluate the corresponding numerical rate when the channels P Y |X and P Z|X are binary symmetric channels (BSCs) with specified crossover probabilities.
Example 2. Consider the |S| × |W| matrix H n relating the latent variable S ∈ S = {s 1 , s 2 , . . . , s |S| } to the message W ∈ W = {1, 2, . . . , 2 nR }. For the current example, we focus on the class of matrices H n satisfying the following properties: (i) The |W| columns of H n can be partitioned into |G| exclusive groups G 1 , G 2 , . . . , G |G| with equal cardinality. That is G q=1 |G q | = ∅, |G| q=1 |G q | = |W|, and |G 1 | = |G 2 | = · · · = |G |G| |. (ii) All |G q | columns in G q , for q ∈ {1, 2, . . . , |G|}, are equal to an |S| × 1 unique vector V q , for q ∈ {1, 2, . . . , |G|} such that |G| ≤ |S| and the vectors V 1 , V 2 , . . . , V |G| are linearly independent. Here, we assume that |G| = 2 nRg such that |W| Fig. 4. Achievable rate R ach as a function of Rg under the proposed LV-WTC scheme for an Hn whose columns are partitioned into |G| = 2 nRg exclusive groups with equal cardinality. When Hn is full column rank, Rg increases and R ach approaches C W T C , whereas when it is of rank one, Rg decreases and R ach approaches C.
is divisible by |G|. Our goal is to characterize the achievable rate under the proposed scheme for partition P ∈ P LV .
Since there are |G| independent columns in the considered matrix H n , we get that the largest partition subset P ∈ P, ∈ {1, 2, . . . , r}, is of cardinality |G|. This is done by picking a single column vector (or its corresponding message thereof) from each of the |G| groups in order to satisfy the latent variable constraint (13). Thus, by Theorem 1, we obtain: An example matrix satisfying the above structure can be obtained from the following. Consider the case when the latent variable S is a deterministic function of the message W and denote this as S = µ(W Since there are |S| independent columns in this new matrix, then the largest subset P ∈ P, for P ∈ P LV is of size |S|, which, by Theorem 1, leads to the following rates:  belongs to the capacity region C (P S) W T C of the PS-WTC as given by Proposition 1. Thus, by substitution into (4): Assume that X = Y = Z = {0, 1} and that P Y |X and P Z|X are BSCs with crossover probabilities 1 and 2 , where 1 < 2 (hence the channel is degraded in Alice's favor). Moreover, let U be Bernoulli distributed and V = X. Hence, by applying (27), we write the achievable rate R ach for the BSC model as  Fig. 4 depicts the achievable rate R ach (in bits per second) as a function of R g (in bits per second) for the crossover probabilities 1 = 0.3 and 2 = 0.4. It also shows that the achievable rate approaches the capacity C of the (nonsecure) point-topoint channel as R g gets closer to zero, which occurs when all the columns of H n are linearly dependent (hence S and W are independent). Moreover, it shows that R ach approaches the capacity C W T C of the WTC as R g increases, which occurs when all columns of H n are linearly independent.

IV. CONCLUSION
In this paper, we introduced and studied the LV-WTC problem, where the transmitter wants to send the information message W to the intended receiver while keeping the latent variable S (which contains its salient attributes) secret from the eavesdropper. We proposed an achievable scheme which is based on message set partition and seeks to exploit the structure of the conditional distribution P S|W . We focused on the case where the alphabet of S grows with the transmission blocklength n. Various interesting research trajectories arise from the LV-WTC problem-including finding the exact secrecy capacity of the proposed model and its extension to multi-antenna and multi-user networks. In our future work, we also intend to look at the case when |S| grows subexponentially with n or does not depend on n at all.