148

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Security Embedding Codes

Hung D. Ly, Student Member, IEEE, Tie Liu, Member, IEEE, and Yufei Blankenship, Member, IEEE
AbstractThis paper considers the problem of simultaneously communicating two messages, a high-security message and a lowsecurity message, to a legitimate receiver, referred to as the security embedding problem. An information-theoretic formulation of the problem is presented. A coding scheme that combines rate splitting, superposition coding, nested binning, and channel prexing is considered and is shown to achieve the secrecy capacity region of the channel in several scenarios. Specifying these results to both scalar and independent parallel Gaussian channels (under an average individual per-subchannel power constraint), it is shown that the high-security message can be embedded into the low-security message at full rate (as if the low-security message does not exist) without incurring any loss on the overall rate of communication (as if both messages are low-security messages). Extensions to the wiretap channel II setting of Ozarow and Wyner are also considered, where it is shown that perfect security embedding can be achieved by an encoder that uses a two-level coset code. Index TermsChannel uncertainty, multilevel security, physical-layer security, secrecy capacity, security embedding, wiretap channel.

I. INTRODUCTION HYSICAL-LAYER security has been a very active area of research in information theory. See [1] and [2] for overviews of recent progress in this eld. A basic model of physical-layer security is a wiretap/broadcast channel [6], [7] with two receivers, a legitimate receiver and an eavesdropper. Both the legitimate receiver and the eavesdropper channels are assumed to be known at the transmitter. By exploring the statistical difference between the legitimate receiver and the eavesdropper channel, one may design coding schemes that can deliver a message reliably to the legitimate receiver while keeping it asymptotically perfectly secret from the eavesdropper. While assuming the transmitters knowledge of the legitimate receiver channel might be reasonable (particularly when a feedback link is available), assuming that the transmitter knows the eavesdropper channel is unrealistic in most scenarios. This is mainly because the eavesdropper is an adversary, who usually

Manuscript received February 08, 2011; revised June 01, 2011; accepted July 18, 2011. Date of publication August 04, 2011; date of current version January 13, 2012. This work was supported in part by the National Science Foundation under Grant CCF-09-16867 and in part by a gift grant from the Huawei Technologies USA. The material in this paper was presented in part at the 2010 IEEE International Symposium on Information Theory, Austin, TX, June 2010. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Z. Jane Wang. H. D. Ly and T. Liu are with the Department of Electrical and Computer Engineering, Texas A&M University, College Station, TX 77843 USA (e-mail: hungly@tamu.edu; tieliu@tamu.edu). Y. Blankenship was with Huawei Technologies USA. She is now with Research In Motion, Rolling Meadows, IL 60008 USA (e-mail: yufeiblankenship@gmail.com). Color versions of one or more of the gures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identier 10.1109/TIFS.2011.2163713

has no incentive to help the transmitter to acquire its channel state information. Hence, it is critical that physical-layer security techniques are designed to withstand the uncertainty of the eavesdropper channel. In this paper, we consider a communication scenario where there are multiple possible realizations for the eavesdropper channel. Which realization will actually occur is unknown to the transmitter. Our goal is to design coding schemes such that the number of secure bits delivered to the legitimate receiver depends on the actual realization of the eavesdropper channel. More specically, when the eavesdropper channel realization is weak, all bits delivered to the legitimate receiver need to be secure. In addition, when the eavesdropper channel realization is strong, a prescribed part of the bits needs to remain secure. We call such codes security embedding codes, referring to the fact that high-security bits are now embedded into the low-security ones. We envision that such codes are naturally useful for the secrecy communication scenarios where information bits are not created equal: some of them have more security priorities than others and hence require stronger security protection during communication. For example, in real wireless communication systems, control plane signals have higher secrecy requirements than data plane transmissions, and signals that carry users identities and cryptographic keys require stronger security protections than the other signals. A key question that we consider is at what expense one may allow part of the bits to enjoy additional security protections. Note that a naive security embedding scheme is to design two separate secrecy codes to provide two different levels of security protections, and apply them to two separate parts of the information bits via time sharing. In this scheme, the high-security bits are protected using a stronger secrecy code and hence are communicated at a lower rate. The overall communication rate is a convex combination of the low-security bit rate and the high-security bit rate and hence is lower than the low-security bit rate. Another simple scheme for security embedding is power sharing [3], where the transmitted signal is given by the superposition of two secrecy codes separately designed to protect the low-security and high-security bits. Though generally better than the time-sharing scheme, the overall rate of communication for the power-sharing scheme is still lower than that when all bits delivered are lower-security ones. The main result of this paper is to show that it is possible to have a signicant portion of the information bits enjoying additional security protections without sacricing the overall rate of communication. This further justies the name security embedding, as now having part of the information bits enjoying additional security protections is only an added bonus. More specically, in this paper, we call a secrecy communication scenario embeddable if a nonzero fraction of the information bits can enjoy additional security protections without sacricing the overall communication rate, and we call it perfectly

1556-6013/$26.00 2011 IEEE

LY et al.: SECURITY EMBEDDING CODES

149

asymptotically perfectly secret from the eavesdropper. Mathematically, this secrecy constraint can be written as (1) in the limit as , where is the collection of the channel outputs at the eavesdropper during communication. A communication rate is said to be achievable if there exists a sequence of codes of rate such that the message can be reliably delivered to the legitimate receiver while satisfying the asymptotic perfect secrecy constraint (1). The largest achievable rate is termed as the secrecy capacity of the channel. A discrete memoryless wiretap channel is said to be degraded if forms a Markov chain in that order. The secrecy capacity of a degraded wiretap channel was characterized by Wyner [6] and can be written as (2) where the maximization is over all possible input distributions .1 The scheme proposed in [6] to achieve the secrecy capacity (2) is random binning, which can be described as follows. Consider a codebook of codewords, each of length . The codewords are partitioned into bins, each containing codewords. Given a message (which is uniformly drawn from ), the encoder randomly and uniformly chooses a codeword in the th bin and sends it through the channel. The legitimate receiver needs to decode the entire codebook (and hence recover the transmitted message ), so the overall rate cannot be too high. On the other hand, the rate of the subcodebooks in each bin represents the amount of external randomness injected by the transmitter (transmitter randomness) into the channel and hence needs to be sufciently large to confuse the eavesdropper. With an appropriate choice of the codebooks and the partitions of bins, it was shown in [6] that any communication rate less than the secrecy capacity (2) is achievable by the aforementioned random binning scheme. For a general discrete memoryless wiretap channel where the channel outputs and are not necessarily ordered, the random binning scheme of [6] is not necessarily optimal. In this case, the secrecy capacity of the channel was characterized by Csiszr and Krner [7] and can be written as (3) where is an auxiliary random variable satisfying the Markov chain . The scheme proposed in [7] is to rst prex the channel input by and view as the input of the induced wiretap channel . Applying the random binning scheme of [6] to the induced wiretap channel proves the achievability of rate for any given joint auxiliary-input distribution . In communication engineering, communication channels are usually modeled as discrete-time channels with real input and additive white Gaussian noise. Consider a (scalar) Gaussian
1Later in [7], it was shown that the degradation requirement can be replaced by a weaker more capable condition.

Fig. 1. Wiretap channel.

embeddable if the high-security bits can be communicated at full rate (as if the low-security bits do not exist) without sacricing the overall communication rate. Key to achieving efcient security embedding is to jointly encode the low-security and high-security bits (as opposed to separate encoding as in the time- and power-sharing schemes). In particular, the low-security bits can be used as (part of) the transmitter randomness to protect the high-security bits (when the eavesdropper channel realization is strong); this is the key feature of our proposed security embedding codes. Our denition of security embedding and proposed coding schemes are mainly motivated by the special case where there are no secrecy constraints on the low-security bits. In this case, the problem of security embedding reduces to the problem of simultaneously communicating a private message and a condential message, for which the secrecy capacity region was established in [4, p. 411] and [5]. Our main technical contribution in this paper is to extend the setting of [4, p. 411] and [5] to the general case where both low-security and high-security bits are subject to (different) asymptotic perfect secrecy constraints. The rest of the paper is organized as follows. In Section II, we briey review some basic results on the secrecy capacity and optimal encoding scheme for several classical wiretap channel settings. These results provide performance and structural benchmarks for the proposed security embedding codes. In Section III, an information-theoretic formulation of the security embedding problem is presented, which we term as two-level security wiretap channel. A coding scheme that combines rate splitting, superposition coding, nested binning, and channel prexing is proposed and is shown to achieve the secrecy capacity region of the channel in several scenarios. Based on the results of Section III, in Section IV we study the engineering communication models with real channel input and additive white Gaussian noise, and show that both scalar and independent parallel Gaussian (under an individual per-subchannel average power constraint) two-level security wiretap channels are perfectly embeddable. In Section V, we extend the results of Section III to the wiretap channel II setting of Ozarow and Wyner [8], and show that two-level security wiretap channels II are also pefectly embeddable. Finally, in Section VI, we conclude the paper with some remarks. II. WIRETAP CHANNEL: A REVIEW Consider a discrete memoryless wiretap channel with transition probability , where is the channel input, and and are the channel outputs at the legitimate receiver and the eavesdropper, respectively (see Fig. 1). The transmitter has a message , uniformly drawn from where is the block length and is the rate of communication. The message is intended for the legitimate receiver, but needs to be kept

150

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

wiretap channel where the channel outputs at the legitimate receiver and the eavesdropper are given by

Under the average individual per-subchannel power constraint (8), the secrecy capacity of the independent parallel Gaussian wiretap channel (7) is given by [10]

(4) Here, is the channel input which is subject to the average power constraint (5) and are the channel gains for the legitimate receiver and the eavesdropper channel, respectively, and and are additive white Gaussian noise with zero means and unit variances. The secrecy capacity of the channel was characterized in [9] and can be written as

(10) is dened as in (6). Clearly, any communiwhere cation rate less than the secrecy capacity (10) can be achieved by using separate scalar Gaussian wiretap codes, each for one of the subchannels. The secrecy capacity, , under the average total power constraint (9) is given by (11) where the maximization is over all possible power allocations such that . A waterlling-like solution for the optimal power allocation was derived in [10, Th. 1], which provides an efcient way to numerically calculate the secrecy capacity . III. TWO-LEVEL SECURITY WIRETAP CHANNEL A. Channel Model Consider a discrete memoryless broadcast channel with three receivers and transition probability . The receiver that receives the channel output is a legitimate receiver. The receivers that receive the channel outputs and represent two possible realizations of an eavesdropper. Assume that the channel output is degraded with respect to the channel output , i.e., forms a Markov chain in that order, so represents a stronger realization of the eavesdropper than . The transmitter has two independent messages: a high-security message uniformly drawn from and a low-security message uniformly drawn from , where is the block length, and and are the corresponding rates of communication. Both messages and are intended for the legitimate receiver, and need to be kept asymptotically perfectly secure when the eavesdropper realization is weak, i.e., (12) . In addition, when the eavesdropper realin the limit as ization is strong, the high-security message needs to remain asymptotically perfectly secure, i.e., (13) . A rate pair is said to be achievin the limit as able if there is a sequence of codes of rate pair such that both messages and can be reliably delivered to the legitimate receiver while satisfying the asymptotic perfect secrecy constraints (12) and(13). The collection of all possible

(6) . Note from (6) that if where and only if . That is, for the Gaussian wiretap channel (4), asymptotic perfect secrecy communication is possible if and only if the legitimate receiver has a larger channel gain than the eavesdropper. In this case, we can equivalently write the channel output at the eavesdropper as a degraded version of the channel output at the legitimate receiver, and the random binning scheme of [6] with Gaussian codebooks and full transmit power achieves the secrecy capacity of the channel. A closely related engineering scenario consists of a bank of independent parallel scalar Gaussian wiretap channels [10]. In this scenario, the channel outputs at the legitimate receiver and the eavesdropper are given by and , where

(7) Here, is the channel input for the th subchannel, and are the channel gains for the legitimate receiver and the eavesdropper channel, respectively, in the th subchannel, and and are additive white Gaussian noise with zero means and unit variances. Furthermore, are independent for so all subchannels are independent of each other. Two different types of power constraints have been considered: the average individual per-subchannel power constraint (8) and the average total power constraint (9)

LY et al.: SECURITY EMBEDDING CODES

151

Fig. 2. Two-level security wiretap channel.

achievable rate pairs is termed as the secrecy capacity region of the channel. Fig. 2 illustrates this communication scenario, which we term as two-level security wiretap channel. The above setting of two-level security wiretap channel is closely related to the traditional wiretap channel setting of [6] and [7]. More specically, without the additional secrecy constraint (13) on the high-security message , we can simply view the messages and as a single (low-security) message with rate . In this case, the problem reduces to communicating the message over the traditional wiretap channel with transition probability , and the maximum achievable is given by . Similarly, without needing to communicate the low-security message (i.e., ), the basic secrecy constraint (12) reduces to , which is implied by the additional secrecy constraint (13) due to the assumption that is degraded with respect to . In this case, the problem reduces to communicating the high-security message over the traditional wiretap channel with transition probability , and the maximum achievable is given by . We thus have the following simple observation. Fact 1: A two-level security wiretap channel where is degraded with respect to is embeddable if there exists a sequence of codes with rate pair such that and , and it is perfectly embeddable if there exists a sequence of codes with rate pair such that and . An important special case of the two-level security wiretap channel problem considered here is when the channel output is a constant signal. In this case, the secrecy constraint (12) becomes obsolete, and the low-security message becomes a private message without being subject to any secrecy constraints. The problem of simultaneously communicating a private message and a condential message over a discrete memoryless wiretap channel was considered in [4, p. 411] and [5], where a single-letter characterization of the secrecy capacity region was established. For the general two-level security wiretap channel problem that we consider here, both high-security message and the low-security message are subject to asymptotic perfect secrecy constraints, which makes the problem much more involved.

B. Main Results The following theorem provides a sufcient condition for establishing the achievability of a rate pair for the discrete memoryless two-level security wiretap channel. Theorem 1: Consider a discrete memoryless two-level security wiretap channel with transition probability where is degraded with respect to . A nonnegative pair is an achievable rate pair of the channel if it satises and (14) for some joint distribution , where , , and are auxiliary random variables satisfying the Markov chain . A proof of the theorem is provided in Section III-C. Note that to show that every rate pair that satises (14) is achievable, we only need to consider the case where . This can be seen as follows. Assuming that , we have

It follows that every rate pair that satises (14) must satisfy and (15) which is a special case of (14) by setting so that . To show that every rate pair that satises (14) for which is achievable, we shall consider a coding scheme that combines rate splitting, superposition coding, nested binning, and channel prexing. In particular, (part of) the low-security message will be used as (part of) the transmitter randomness to protect the high-security message (when the eavesdropper channel realization is strong). See Section III-C for the details of the proof.

152

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Combining Theorem 1 with Fact 1, we have the following sufcient conditions for establishing that a two-level security wiretap channel is (perfectly) embeddable. The conditions are stated in terms of the existence of a joint auxiliary-input distribution. Corollary 2: A two-level security wiretap channel , where is degraded with respect to is embeddable if there exists a joint distribution satisfying the Markov chain and such that

(21) (22) and (23) (24) where (20) and (22) are due to the fact that is less noisy than , and (24) is due to the fact that is less noisy than . Thus, without loss of generality, we may set and to be constant in (18), which leads to a simpler characterization of the secrecy capacity region that does not involve any auxiliary random variables. We summarize this result in the following theorem. Theorem 4: Consider a discrete memoryless two-level security wiretap channel with transition probability , where is degraded with respect to and is less noisy than . The secrecy capacity region of the channel is given by the set of all nonnegative pairs that satisfy and (25) for some input distribution C. Proof of Theorem 1 As mentioned previously in Section III-B, to prove Theorem 1, we only need to consider the case where . To show that every rate pair that satises (14) for which is achievable, we shall consider a coding scheme that combines rate splitting, superposition coding, (nested) binning, and prex coding. Our code construction relies on a random-coding argument, which can be described as follows. Fix a joint auxiliary-input distribution with and . Split the low-security message into two independent submessages and with rates and , respectively. Codebook generation. Our entire codebook consists of three layers: the -codebook as the bottom layer, the -codebook as the middle layer, and the -codebook as the top layer. The -codebook consists of a single length- sequence , generated according to an -product of . Given , randomly and independently generate codewords of length according to an -product of . Randomly partition the codewords into bins so each bin contains codewords. Label the codewords as , where denotes the bin number, and denotes the codeword number within each bin. We shall refer to the codeword collection as the -codebook. For each codeword in the -codebook, randomly and incodewords of length acdependently generate cording to an -product of . Randomly partition the codewords into bins so each bin contains codewords. .

and (16) and it is perfectly embeddable if there exists a joint satisfying the Markov chain distribution and such that and (17) is less noisy than , i.e., Assume that for any random variable satisfying the Markov chain . In this case, we have a precise characterization of the secrecy capacity region as summarized in the following theorem. Theorem 3: Consider a discrete memoryless two-level security wiretap channel with transition probability where is degraded with respect to and is less noisy than . The secrecy capacity region of the channel is given by the set of all nonnegative pairs that satisfy and (18) , where and are for some joint distribution auxiliary random variables satisfying the Markov chain . The forward part of the theorem follows directly from Theorem 1 by setting to be constant. The converse part of the theorem is proved in Appendix A, which mainly involves identifying a choice for the auxiliary random variables and . Note that when the channel output is constant, the conditions that is degraded with respect to and is less noisy than are trivially met by any channel outputs . In this case, Theorem 3 recovers the results of [4, p. 411] and [5] on simultaneously communicating a private message and a condential message over a discrete memoryless wiretap channel. Assume, instead, that is less noisy than . Given that is degraded with respect to , this implies that is also less noisy than . In this case, we have (19) (20)

LY et al.: SECURITY EMBEDDING CODES

153

Fig. 3. Codebook structure for a coding scheme that combines rate splitting, superposition coding, (nested) binning, and prex coding.

Further partition each bin into subbins so each subbin contains codewords. Label the codewords as , where indicates the base codeword from which was generated, denotes the bin number, denotes the subbin number within each bin, and denotes the codeword number within each subbin. We shall refer to the codeword collection as the -subcodebook corresponding to the base codeword and as the -codebook. Once all three codebooks are chosen, they are revealed to all terminals. Fig. 3 illustrates the structure of the entire codebook. Encoding. To send a message triple , the transmitter randomly (according a uniform distribution) chooses a codeword from the th bin in the -codebook. Once a is chosen, the transmitter looks into the corresponding -subcodebook and randomly chooses a codeword from the subbin identied by . Once a is chosen, an input sequence is generated according to an -product of and is then sent through the channel. Note that the sole codeword in the -codebook simply serves as an averaging base for the and -codebooks and does not play any role in the encoding. Decoding at the legitimate receiver. Given the channel outputs , the legitimate receiver looks into the -codebook and its -subcodebooks and searches for a pair of codewords such that is jointly typical [11] with . In the case when (26) and (27)

with

high

probability

the codeword pair selection is the only one that is jointly typical

[11] with . Security at the eavesdropper. To analyze the security of the high-security message and the submessage at the eavesdropper, we shall assume (for now) that both the submessage and the codeword selection are known at the eavesdropper. Note that such an assumption can only strengthen our security analysis. For any given codeword , the high security message and the submessage are encoded using the corresponding -subcodebook . In particular, each bin in the -subcodebook corresponds to a message and contains codewords, each randomly and independently generated according to an -product of . For a given message , the transmitted codeword is randomly and uniformly chosen from the corresponding bin (where the randomness is from both the submessage and the transmitters choice of ). Following [7], in the case when (28) we have (29) . From (29), we conclude that in the limit as . Furthermore, each subbin in the -subcodebook corresponds to a message pair and contains codewords, each randomly and independently generated according to an -product of . For a given message pair , the transmitted codeword is randomly and uniformly chosen from the corresponding in the limit as

154

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

subbin (where the randomness is from the transmitters choice of ). Again, following [7], in the case when (30) we have (31) . in the limit as To analyze the security of the submessage , note that each bin in the -codebook corresponds to a submessage and contains codewords, each randomly and independently generated according to an -product of . For a given submessage , the codeword is randomly and uniformly chosen from the corresponding bin (where the randomness is from the transmitters choice of ). Note from (30) that the rate of each -subcodebook is greater than . Following [12, Lemma 1], we have (32) in the limit as the fact that . Putting together (31) and (32) and using and are independent, we have (33)

where , , and are the corresponding channel gains, and , , and are additive white Gaussian noise with zero means and unit variances. Assume that so the channel output is (stochastically) degraded with respect to . The channel input is subject to the average power constraint (5). We term the above communication scenario as (scalar) Gaussian two-level security wiretap channel. The following theorem provides an explicit characterization of the secrecy capacity region. Theorem 5: Consider the (scalar) Gaussian two-level security wiretap channel (37) where , and the channel input is subject to the average power constraint (5). The secrecy capacity region of the channel is given by the collection of all nonnegative pairs that satisfy and (38) is dened as in (6). where Proof: Following the same argument as that for Fact 1, any achievable secrecy rate pair must satisfy (38). We may thus focus on the forward part of the theorem. To show that any nonnegative pair that satises (38) is achievable, let us rst consider two simple cases. First, when , both and are equal to zero [cf., denition (6)]. So (38) does not include any positive rate pairs and hence there is nothing to prove. Next, when , and (38) reduces to and (39) Since the high-security message does not need to be transmitted, any rate pair in this region can be achieved by using a scalar Gaussian wiretap code to encode the low-security message . This has left us with the only case with . For the case where , the channel output is less noisy than . Thus, the achievability of any rate pair in (38) follows from that of (25) by choosing to be Gaussian with zero mean and variance .2 This completes the proof of the theorem. The following corollary follows directly from the achievability of the corner point (40) of (38) and Fact 1. (Alternatively, it can also be proved from Theorem 1 by letting be Gaussian with zero mean and variance , , and , where denotes the indicator function for event .) Corollary 6: Scalar Gaussian two-level security wiretap channels under an average power constraint are perfectly embeddable. Fig. 4 illustrates the secrecy capacity region (38) for the case where . Also illustrated in the gure are the rate
2Although the results of Section III were proved for discrete memoryless channels, by the standard quantization argument, those results can be readily extended to continuous-alphabet problems under an average input cost constraint.

(34) (35) . which tends to zero in the limit as Finally, note that the overall communicate rate security message is given by of the low(36) Eliminating , , and from (26)(28), (30), (36), and using FourierMotzkin elimination, simplifying the results using the facts that 1) by the assumption, 2) due to the Markov chain , and 3) and due to the Markov chain , and letting , we conclude that any rate pair satisfying (14) for which is achievable. This completes the proof of Theorem 1. IV. GAUSSIAN TWO-LEVEL SECURITY WIRETAP CHANNELS A. Scalar Channel Consider a discrete-time two-level security wiretap channel with real input and outputs , and given by

(37)

LY et al.: SECURITY EMBEDDING CODES

155

secrecy capacity region of the channel is given by the collection of all nonnegative pairs that satisfy

and (43) where is dened as in (6). Proof: We rst prove the converse part of the theorem. Following the same argument as that for Fact 1, we have and (44) . By the secrecy for any achievable secrecy rate pair capacity expression (10) for the independent parallel Gaussian wiretap channel under an average individual per-subchannel power constraint, we have

Fig. 4. Secrecy capacity region of the scalar Gaussian two-level security . For comparison, the dashed line and the wiretap channel dotted line are the boundary of the time-sharing and power-sharing rate regions, respectively.

regions that can be achieved by time-sharing and power-sharing between two secrecy codes that are separately designed for the low-security and high-security messages. The time-sharing rate region includes all nonnegative pairs below the straight line connecting the corner points and . The power-sharing rate region [3] includes all nonnegative pairs such that (41) for some . Note that the corner point (40) is strictly outside the time-sharing and power-sharing rate regions, illustrating the superiority of nested binning over the separate coding schemes. B. Independent Parallel Channel Consider a discrete-time two-level security wiretap channel which consists of a bank of independent parallel scalar Gaussian two-level security wiretap channels. In this model, the channel outputs are given by , and , where

and (45) Substituting (45) into (44) proves the converse part of the theorem. To show that any nonnegative pair that satises (43) is achievable, let us consider independent coding over each of the subchannels. Note that each subchannel is a scalar Gaussian two-level security wiretap channel with average power constraint and channel gains . Thus, by Theorem 5, any nonnegative pair that satises and

(42) Here, is the channel input for the th subchannel, , , and are the corresponding channel gains in the th subchannel, and , , and are additive white Gaussian noise with zero means and unit variances. We assume that for all , so the channel output is (stochastically) degraded with respect to . Furthermore, , are independent so all subchannels are independent of each other. We term the above communication scenario as independent parallel Gaussian two-level security wiretap channel. The following theorem provides an explicit characterization of the secrecy capacity region under an average individual per-subchannel power constraint. Theorem 7: Consider the independent parallel Gaussian two-level security wiretap channel (42), where for all , and the channel input is subject to the average individual per-subchannel power constraint (8). The

(46) is achievable for the th subchannel. The overall communication rates are given by

and (47) Substituting (46) into (47) proves that any nonnegative pair that satises (43) is achievable. This completes the proof of the theorem. Similar to the scalar case, the following corollary is an immediate consequence of Theorem 7. Corollary 8: Independent parallel Gaussian two-level security wiretap channels under an average individual per-subchannel power constraint are perfectly embeddable.

156

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

constraint (8), the power allocated to each of the subchannels is xed so the channel is always perfectly embeddable. V. TWO-LEVEL SECURITY WIRETAP CHANNEL II In Section II, we briey summarized the known results on a classical secrecy communication setting known as wiretap channel. A closely related classical secrecy communication scenario is wiretap channel II, which was rst studied by Ozarow and Wyner [8]. In the wiretap channel II setting, the transmitter sends a binary sequence of length noiselessly to a legitimate receiver. The signal received at the eavesdropper is given by otherwise where (49)

Fig. 5. Secrecy capacity region of the independent parallel Gaussian two-level security wiretap channel under an average total power constraint. The intersection of the dashed lines are outside the secrecy capacity region, indicating that the channel is not perfectly embeddable.

The secrecy capacity region of the channel under an average total power constraint is summarized in the following corollary. The results follow from the well-known fact that an average total power constraint can be written as the union of average individual per-subchannel power constraints, where the union is over all possible power allocations among the subchannels. Corollary 9: Consider the independent parallel Gaussian two-level security wiretap channel (42), where for all , and the channel input is subject to the average total power constraint (9). The secrecy capacity region of the channel is given by the collection of all nonnegative pairs that satisfy

and (48) for some power allocation such that . Fig. 5 illustrates the secrecy capacity region with channels where

sub-

As we can see, under the average total power constraint (9), the independent parallel Gaussian two-level security wiretap channel is embeddable but not perfectly embeddable. The reason is that the optimal power allocation that maximizes is suboptimal in maximizing . By comparison, under the average individual per-subchannel power

represents an erasure output, and is a subset of of size representing the locations of the transmitted bits that can be accessed by the eavesdropper. If the subset is known at the transmitter, a message of bits can be noiselessly communicated to the legitimate receiver through . Since the eavesdropper has no information regarding to , perfectly secure communication is achieved without any coding. It is easy to see that in this scenario, is also the maximum number of bits that can be reliably and perfectly securely communicated through transmitted bits. An interesting result of [8] is that for any , a total of bits can be reliably and asymptotically perfectly securely communicated to the legitimate receiver even when the subset is unknown (but with a xed size ) a priori at the transmitter. Here, by asymptotically perfectly securely we mean in the limit as . Unlike the case where the subset is known a priori, coding is necessary when is unknown at the transmitter. In particular, [8] considered a random binning scheme that partitions the collection of all length- binary sequences into an appropriately chosen group code and its cosets. For the wiretap channel setting, as shown in Section III, a random binning scheme can be easily modied into a nested binning scheme to efciently embed high-security bits into low-security ones. The main goal of this section is to extend this result from the classical setting of wiretap channel to wiretap channel II. More specically, assume that a realization of the subset has two possible sizes, and , where . The transmitter has two independent messages, the high-security message and the low-security message , uniformly drawn from and , respectively. When the size of the realization is , both messages and need to be secure, i.e., in the limit as . In addition, when the size of the realization of is , the high-security message needs to remain secure, i.e., in the limit as . We term this communication scenario as two-level security wiretap channel II, in line with our previous terminology in Section III. By the results of [8], without needing to communicate the low-security message , the maximum achievable is . Without the additional secrecy constraint on the high-security message , the

LY et al.: SECURITY EMBEDDING CODES

157

messages can be viewed as a single message with rate , and the maximum achievable is . The main result of this section is to show that the rate pair is indeed achievable, from which we may conclude that two-level security wiretap channels II are perfectly embeddable. Moreover, perfect embedding can be achieved by a nested binning scheme that uses a two-level coset code. The results are summarized in the following theorem. Theorem 10: Two-level security wiretap channels II are perfectly embeddable. Moreover, perfect embedding can be achieved by a nested binning scheme that uses a two-level coset code. Proof: Fix . Consider a binary parity-check matrix

and let otherwise. By using a randomized argument that generates the entries of independently according to a uniform distribution in , we can show that there exists an with for sufciently large (see Appendix B for details). For such an , we have from (52) and (54) that when the size of the realization of is , and when the size of the realization of is . Letting and (in that order) proves the achievability of the rate pair and hence completes the proof of the theorem. VI. CONCLUDING REMARKS In this paper, we considered the problem of simultaneously communicating two messages, a high-security message and a low-security message, to a legitimate receiver, referred to as the security embedding problem. An information-theoretic formulation of the problem was presented. With appropriate coding architectures, it was shown that a signicant portion of the information bits can receive additional security protections without sacricing the overall rate of communication. Key to achieve efcient embedding was to use the low-security message as part of the transmitter randomness to protect the high-security message when the eavesdropper channel realization is strong. For the engineering communication scenarios with real channel input and additive white Gaussian noise, it was shown that the high-security message can be embedded into the low-security message at full rate without incurring any loss on the overall rate of communication for both scalar and independent parallel Gaussian channels (under an average individual per-subchannel power constraint). The scenarios with multiple transmit and receive antennas are considerably more complex and hence require further investigations. Finally, note that even though in this paper we have only considered providing two levels of security protections to the information bits, most of the results extend to multiple-level security in the most straightforward fashion. In the limit scenario when the security levels change continuously, the number of secure bits delivered to the legitimate receiver would depend on the realization of the eavesdropper channel even though such realizations are unknown a priori at the transmitter. APPENDIX A PROOF OF THEOREM 3 Assume that the channel output is less noisy than . To show that in this case the sufcient condition (18) is also necessary, let be an achievable rate pair. By Fanos inequality [11] and the asymptotic perfect secrecy constraints (12) and (13), there exists a sequence of codes (indexed by the block length ) of rate pair such that (55)

where the size of is and the size of is . Let be a one-on-one mapping between and the binary vectors of length , and let be a one-on-one mapping between and the binary vectors of length . For a given message pair , the transmitter randomly (according to a uniform distribution) chooses a solution to the linear equations (50) and sends it to the legitimate receiver. When the parity-check matrix has full (row) rank, the above encoding procedure is equivalent of a nested binning scheme that partitions the collection of all length- binary sequences into bins and subbins using a two-level coset code with parity-check matrices . Moreover, let be the columns of and let . Dene as the dimension of the subspace spanned by and (51) When the size of the realization of we have is , by [8, Lemma 4] (52) Note that the low-security message is uniformly drawn from . So by (50), for a given high-security message , the transmitted sequence is randomly chosen (according to a uniform distribution) as a solution to the linear equations . If we let be the columns of and dene (53) where is the dimension of the subspace spanned by , we have again from [8, Lemma 4] (54) when the size of the realization of is Let when we have either rank, or , or . does not have full ,

(56) and (57) where in the limit as .

158

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Let

, , and . By (55) and (56), we have

and and have

(71)

is

due

to

the

Markov so

chain we

(58) (59) (60) (61) (62) (63) (64) Dene can rewrite (65) and (73) as (65) where (65) follows from the well-known CsiszrKrner sum equality [7]. Similarly, by (55), (57), and the CsiszrKrner sum equality [7], we may also obtain (74) and , and (73) . We Substituting (71) into (66), we have (72)

(66) Further note that Let be a standard time-sharing variable [11], and let , , , , , . We have from (74) and (75)

(75)

(67)

(76) (77) (78) and

(68) (79) (69) (80) (81) (82) (70) (71) where (69) is due to the fact that have is less noisy than so we (83) Divide both sides of (78) and (82) by and then let . The proof is complete by noting that the channel is memoryless, so we have for all . where (81) is due to the fact that have is less noisy than so we

LY et al.: SECURITY EMBEDDING CODES

159

APPENDIX B EXISTENCE OF AN WITH To show that there exists a parity-check matrix such that , it is sufcient to show that , where denotes the expectation of a random variable . Let otherwise and otherwise, By the union bound (86) (84)

[8] L. H. Ozarow and A. D. Wyner, Wire-tap channel II, Bell Syst. Tech. J., vol. 63, no. 10, pp. 21352157, Dec. 1984. [9] S. K. Leung-Yan-Cheong and M. Hellman, The Gaussian wire-tap channel, IEEE Trans. Inf. Theory, vol. IT-24, no. 4, pp. 451456, Jul. 1978. [10] Z. Li, R. Yates, and W. Trappe, Secrecy capacity of independent parallel channels, in Proc. 44th Annu. Allerton Conf. Communication, Control and Computing, Monticello, IL, Sep. 2006. [11] T. M. Cover and J. A. Thomas, Elements of Information Theory. New York: Wiley, 1991. [12] Y. K. Chia and A. E. Gamal, 3-receiver broadcast channels with common and condential messages, IEEE Trans. Inf. Theory [Online]. Available: http://arxiv.org/abs/0910.1407, submitted for publication Hung D. Ly (S07) received the B.S. degree in electronics and telecommunications engineering from Posts and Telecommunications Institute of Technology (PTIT), Hanoi, Vietnam, in 2002, and the M.S. degree in electrical engineering from the University of Texas at Arlington in 2007. Since August 2007, he has been pursuing the Ph.D. degree in electrical and computer engineering at Texas A&M University, College Station. From June 2002 to July 2005, he was a Lecturer with the Faculty of Telecommunications Engineering, PTIT. His research interests include information theory, wireless communication, and statistical signal processing.

(85)

Following [8, Lemma 6], we have (87) for sufciently large . Furthermore, by [8, Lemma 5], for any such that , we have (88) Since the total number of different subsets of we have is ,

(89)

for any

. Substituting (87) and (89) into (86) proves that for sufciently large , and hence the existence of a parity-check matrix such that . REFERENCES
[1] Y. Liang, H. V. Poor, and S. Shamai (Shitz), Information Theoretic Security. Dordrecht, The Netherlands: Now Publisher, 2009. [2] , R. Liu and W. Trappe, Eds., Securing Wireless Communications at the Physical Layer. New York: Springer Verlag, 2010. [3] Y. Liang, L. Lai, H. V. Poor, and S. Shamai (Shitz), The broadcast approach to fading wiretap channels, in Proc. IEEE Inf. Theory Workshop, Taormina, Sicily, Italy, Oct. 2009. [4] I. Csiszr and J. Krner, Information Theory: Coding Theorems for Discrete Memoryless Systems. Budapest, Hungary: Academic, 1982. [5] R. Liu, T. Liu, H. V. Poor, and S. Shamai (Shitz), New results on multiple-input multiple-output Gaussian broadcast channels with condential messages, IEEE Trans. Inf. Theory [Online]. Available: http:// arxiv.org/abs/1101.2007, submitted for publication [6] A. D. Wyner, The wire-tap channel, Bell Syst. Tech. J., vol. 54, no. 8, pp. 13551387, Oct. 1975. [7] I. Csiszr and J. Krner, Broadcast channels with condential messages, IEEE Trans. Inf. Theory, vol. IT-24, no. 3, pp. 339348, May 1978.

Tie Liu (S99M06) received the B.S. and M.S. degrees, both in electrical engineering, from Tsinghua University, Beijing, China, in 1998 and 2000, respectively, and a second M.S. degree in mathematics and the Ph.D. degree in electrical and computer engineering from the University of Illinois at Urbana-Champaign, in 2004 and 2006, respectively. Since August 2006 he has been with Texas A&M University, College Station, where he is currently an Assistant Professor with the Department of Electrical and Computer Engineering. His research interests are in the eld of information theory, wireless communication, and statistical signal processing. Dr. Liu is a recipient of the M. E. Van Valkenburg Graduate Research Award (2006) from the University of Illinois at Urbana-Champaign and the Faculty Early Career Development (CAREER) Award (2009) from the National Science Foundation.

Yufei Blankenship (S98M00) received the B.S. and M.S. degrees from Northwestern Polytechnical University, Xian, Shaanxi, China in 1993 and 1996, respectively, and the Ph.D. degree from Virginia Polytechnic Institute and State University, Blacksburg, VA, in 2000, all in electrical engineering. From June 2000 to October 2008, she was with Motorola Inc. working on communication systems research and intellectual property asset management. From November 2008 to February 2011, she was with the Wireless R&D Department of Huawei Technologies (USA). Since February 2011, she has been with the Advanced Technology Department, Research In Motion, Rolling Meadows, IL. Her research interests include information theory, wireless communication, and wireless standards. She holds 23 issued U.S. patents, and is a registered patent agent with USPTO.