Exercises

$C_s = \max_{P_X}[I(X;Y) - I(X;Z)].$$

$I(X;Y)$ is the rate at which the legitimate receiver can reliably decode. $I(X;Z)$ is the rate of information leakage to the eavesdropper. The difference represents the "secrecy advantage" — the rate at which we can communicate reliably to the receiver while keeping the eavesdropper ignorant. The maximization is over the input distribution, which controls the tradeoff.

$C_s = h(q) - h(p) = h(0.2) - h(0.05).KATEXPLACEHOLDER0ENDC_s \approx 0.722 - 0.286 = 0.436 \text{ bits/use}.$$

The main channel capacity is $1 - 0.286 = 0.714$ bits/use, and the secrecy capacity is $0.436$ bits/use — about 61% of the main channel capacity is available for secret communication.

$C_{\text{main}} = \frac{1}{2}\log_2(1 + 10) = \frac{1}{2}\log_2(11) \approx 1.73$ bits/use.

$C_s = \frac{1}{2}\log_2\frac{11}{1 + 10/4} = \frac{1}{2}\log_2\frac{11}{3.5} = \frac{1}{2}\log_2(3.14) \approx 0.83$ bits/use.

$C_s / C_{\text{main}} \approx 0.83/1.73 \approx 48\%$. About half the main channel capacity is available for secret communication.

Weak secrecy: $\frac{1}{n}I(M; Z^n) \to 0$. The leakage rate (bits per channel use) vanishes.

Strong secrecy: $I(M; Z^n) \to 0$. The total leakage (bits) vanishes.

Under weak secrecy, $I(M; Z^n)$ can grow as $o(n)$ — for example, $\sqrt{n}$ bits could leak. Over a long transmission ($n = 10^6$), the eavesdropper could learn $\sqrt{10^6} = 1000$ bits, which might be enough to compromise a 128-bit encryption key.

Under strong secrecy, the total leakage goes to zero regardless of $n$. This is the appropriate notion for practical security.

The good news: both notions yield the same secrecy capacity, so there is no rate penalty for requiring the stronger guarantee.

Since Eve is independent: $C_K = I(X; Y)$.

$(X, Y)$ are jointly Gaussian with $\text{Var}(X) = \text{Var}(Y) = 11$ and $\text{Cov}(X, Y) = 10$. Correlation: $\rho = 10/11$.

$$C_K = -\frac{1}{2}\log_2(1 - \rho^2) = -\frac{1}{2}\log_2\left(1 - \frac{100}{121}\right) = -\frac{1}{2}\log_2\left(\frac{21}{121}\right) = \frac{1}{2}\log_2\left(\frac{121}{21}\right) \approx 1.26 \text{ bits/observation}.$$

$\lim_{P \to \infty} C_s(P) = \lim_{P \to \infty} \frac{1}{2}\log\frac{1 + P/\sigma^2_{Y}}{1 + P/\sigma^2_{Z}} = \frac{1}{2}\log\frac{P/\sigma^2_{Y}}{P/\sigma^2_{Z}} = \frac{1}{2}\log\frac{\sigma^2_{Z}}{\sigma^2_{Y}}.$$

The secrecy capacity saturates at $\frac{1}{2}\log(\sigma^2_{Z}/\sigma^2_{Y})$, determined solely by the noise ratio. Increasing power benefits both channels equally, so the gap — which is what determines secrecy — converges to a constant.

This is fundamentally different from the main channel capacity $\frac{1}{2}\log(1 + P/\sigma^2_{Y}) \to \infty$. The implication for system design: at high SNR, additional power is wasted for secrecy purposes. Better to invest in more antennas (for spatial secrecy) than more power.

The output of BEC($\epsilon_1$) is either the input $X$ or an erasure $?$. We can construct BEC($\epsilon_2$) from BEC($\epsilon_1$) by further erasing the non-erased outputs with probability $\delta = (\epsilon_2 - \epsilon_1)/(1-\epsilon_1)$. This gives $\epsilon_2 = \epsilon_1 + (1-\epsilon_1)\delta$, confirming $X \to Y \to Z$ is a Markov chain.

$I(X;Y) = 1 - \epsilon_1$ and $I(X;Z) = 1 - \epsilon_2$ with uniform input.

$$C_s = (1-\epsilon_1) - (1-\epsilon_2) = \epsilon_2 - \epsilon_1.$$

$C_s = \frac{1}{2}C_{\text{main}} \Rightarrow \epsilon_2 - \epsilon_1 = \frac{1}{2}(1-\epsilon_1) \Rightarrow \epsilon_2 = \frac{1+\epsilon_1}{2}.$

For $\epsilon_1 = 0.1$: $\epsilon_2 = 0.55$.

Generate $2^{n(R + \tilde{R}_l)}$ codewords i.i.d. $\sim P_X^*$, organized into $2^{nR}$ bins (one per message), each containing $2^{n\tilde{R}_l}$ codewords. Set $R + \tilde{R}_l < I(X;Y)$ and $\tilde{R}_l > I(X;Z)$.

To send message $m$, the encoder uniformly selects one of the $2^{n\tilde{R}_l}$ codewords in bin $m$ and transmits it. The selection is random and independent of the message — this is the stochastic encoder.

The total rate $R + \tilde{R}_l < I(X;Y)$, so the receiver can decode the specific codeword (both $m$ and the randomization index $l$) using joint typicality decoding. Reliability follows from the standard random coding argument.

The eavesdropper sees $Z^n$, which has mutual information $\leq I(X;Z)$ with the transmitted codeword. Since the randomization rate $\tilde{R}_l > I(X;Z)$, the eavesdropper cannot distinguish which codeword within a bin was sent. Since knowing the codeword within the bin is necessary to determine the bin (message), the message remains hidden. Formally, $\frac{1}{n}H(M|Z^n) \geq R - \epsilon_n$.

By the Markov chain $X \to Y \to Z$: $$I(X; Z) = I(X; Y) - I(X; Y|Z).$$ Wait, that's not quite right. Let us use: $$I(X; Y, Z) = I(X; Y) + I(X; Z|Y) = I(X;Y)$$ since $X \to Y \to Z$ gives $I(X; Z|Y) = 0$.

Also $I(X; Y, Z) = I(X; Z) + I(X; Y|Z)$.

Therefore: $I(X; Y) = I(X; Z) + I(X; Y|Z)$.

$C_K^{\to} = I(X;Y) - I(X;Z) = I(X; Y|Z).KATEXPLACEHOLDER0ENDC_s = \max_{P_X}[I(X;Y) - I(X;Z)] = \max_{P_X} I(X; Y|Z).$$The duality is exact: secret key generation with one-way communication achieves the same rate as direct wiretap coding.$\blacksquare$

$P = 100$ (linear). $\mathbf{v}_s = [1,0,0,0]^T$. $\text{SNR}_B = \alpha P |\mathbf{h}_B^H \mathbf{v}_s|^2 = 100\alpha \cdot 1 = 100\alpha$.

$|\mathbf{h}_E^H \mathbf{v}_s|^2 = |0.5|^2 = 0.25$.

AN power per dimension: $(1-\alpha)P/3 = 100(1-\alpha)/3$. $\|\mathbf{h}_E^H \mathbf{V}_{\text{AN}}\|^2 = |0.5|^2 + |0.5|^2 + |0.5|^2 = 0.75$.

$$\text{SINR}_E = \frac{100\alpha \cdot 0.25}{1 + \frac{100(1-\alpha)}{3} \cdot 0.75} = \frac{25\alpha}{1 + 25(1-\alpha)}.$$

$R_s(\alpha) = \left[\log_2(1 + 100\alpha) - \log_2\left(1 + \frac{25\alpha}{1 + 25(1-\alpha)}\right)\right]^+.$$At$\alpha = 0.5$:$\text{SNR}_B = 50$,$\text{SINR}_E = 12.5/(1+12.5) = 0.926$.$R_s(0.5) = \log_2(51) - \log_2(1.926) \approx 5.67 - 0.95 = 4.72$bits/use. At$\alpha = 1$(no AN):$\text{SINR}_E = 25$.$R_s(1) = \log_2(101) - \log_2(26) \approx 6.66 - 4.70 = 1.96$ bits/use.

AN more than doubles the secrecy rate at this operating point.

Let Bob apply a unit-norm receive beamforming vector $\mathbf{u}^H$. The effective channel becomes MISO: $\tilde{y} = \mathbf{u}^H \mathbf{H} \mathbf{x} + \mathbf{u}^H \mathbf{w}_B$, $\mathbf{z} = \mathbf{H}_{E} \mathbf{x} + \mathbf{w}_E$.

The effective Bob channel is $\tilde{\mathbf{h}}_B^H = \mathbf{u}^H \mathbf{H}$ with noise variance $\|\mathbf{u}\|^2 = 1$.

The MISO secrecy capacity with artificial noise is: $$C_s^{\text{MISO}} = \max_{\alpha, \mathbf{v}_s} R_s(\alpha, \mathbf{v}_s).$$

This is achievable for the MIMO channel by having Bob use $\mathbf{u}$ and the transmitter use the corresponding MISO strategy. Since the MIMO secrecy capacity optimizes over all input covariances (a larger set that includes rank-1 + AN strategies as special cases): $$C_s^{\text{MIMO}} \geq C_s^{\text{MISO}} \text{ for any } \mathbf{u}.$$

The MIMO capacity is at least as large as the best MISO sub-channel. $\blacksquare$

$nR = H(M) \leq I(M; Y^n) + n\epsilon_n$ by Fano's inequality.

$nR \leq I(M; Y^n) - I(M; Z^n) + I(M; Z^n) + n\epsilon_n$ $\leq I(M; Y^n) - I(M; Z^n) + n\delta_n + n\epsilon_n$ by the secrecy constraint $\frac{1}{n}I(M; Z^n) \leq \delta_n \to 0$.

$I(M; Y^n) - I(M; Z^n) = \sum_{i=1}^n [I(M; Y_i | Y^{i-1}) - I(M; Z_i | Z_{i+1}^n)]KATEXPLACEHOLDER0END\leq \sum_{i=1}^n [I(X_i; Y_i) - I(X_i; Z_i)] \leq n \max_{P_X}[I(X;Y) - I(X;Z)].$$

$R \leq \max_{P_X}[I(X;Y) - I(X;Z)] + \delta_n + \epsilon_n.$$Taking$n \to \infty$:$R \leq C_s$.$\blacksquare$

The AN occupies the $(n_t - 1)$-dimensional null space of $\mathbf{h}_B^H$. With power fraction $(1-\alpha)$, the AN power per direction is $\sigma_{\text{AN}}^2 = (1-\alpha)P/(n_t - 1)$.

Eve's interference from AN: $\text{AN}_E = \sigma_{\text{AN}}^2 \|\mathbf{h}_E^H \mathbf{V}_{\text{AN}}\|^2$.

For generic $\mathbf{h}_E$, $\|\mathbf{h}_E^H \mathbf{V}_{\text{AN}}\|^2 \sim \chi^2_{2(n_t-1)} \cdot \frac{\|\mathbf{h}_E\|^2}{2n_t}$ in expectation, giving $\mathbb{E}[\text{AN}_E] \approx (1-\alpha)P \cdot \frac{n_t-1}{n_t} \cdot \frac{\|\mathbf{h}_E\|^2}{n_t}$.

As $n_t$ grows: $\mathbb{E}[\text{AN}_E] \to (1-\alpha)P \|\mathbf{h}_E\|^2 / n_t$ concentrates (by the law of large numbers applied to $\|\mathbf{h}_E^H \mathbf{V}_{\text{AN}}\|^2$).

Bob's rate: $R_B = \log(1 + \alpha P \|\mathbf{h}_B\|^2)$ (independent of $n_t$).

Eve's SINR: $\text{SINR}_E \approx \frac{\alpha P |\mathbf{h}_E^H \mathbf{v}_s|^2}{1 + (1-\alpha)P(n_t-1)/(n_t) \cdot \|\mathbf{h}_E\|^2/(n_t-1)} \to \frac{\alpha P |\mathbf{h}_E^H \mathbf{v}_s|^2}{1 + (1-\alpha)P\|\mathbf{h}_E\|^2/n_t}$.

The secrecy rate $R_s = R_B - \log(1 + \text{SINR}_E)$ is maximized by choosing $\alpha$ to balance Bob's SNR against Eve's SINR. As $n_t$ increases, the AN becomes more effective per unit power (more null space directions), so the optimal $\alpha^*$ decreases — more power goes to AN.

In the limit $n_t \to \infty$: $\text{SINR}_E \to 0$ for any $\alpha < 1$, and $\alpha^* \to P\|\mathbf{h}_B\|^2 / (1 + P\|\mathbf{h}_B\|^2)$, allocating just enough power to the message to achieve the interference-free capacity.

At high SNR ($P \to \infty$), with optimal $\boldsymbol{\Sigma}_{X} = (P/n_t)\mathbf{I}$: $$C_s \leq \log\det(\mathbf{I} + (P/n_t)\mathbf{H}\mathbf{H}^{H}) - \log\det(\mathbf{I} + (P/n_t)\mathbf{H}_{E}\mathbf{H}_{E}^{H}).$$

The first term scales as $\min(n_t, n_r) \log(P/n_t) + O(1)$ and the second as $\min(n_t, n_e) \log(P/n_t) + O(1)$.

Therefore $d_s \leq \min(n_t, n_r) - \min(n_t, n_e)$.

Use the GSVD of $(\mathbf{H}, \mathbf{H}_{E})$: there exist unitary matrices and a common right precoder that simultaneously diagonalize both channels. The GSVD creates parallel sub-channels indexed by $i$, where the $i$-th sub-channel has gains $(\alpha_i, \beta_i)$ to Bob and Eve respectively.

There are $\min(n_t, n_r) - \min(n_t, n_e)$ sub-channels where $\alpha_i > 0$ and $\beta_i = 0$ (visible to Bob, invisible to Eve). Sending data on these sub-channels achieves $d_s = \min(n_t, n_r) - \min(n_t, n_e)$. $\blacksquare$

When $n_t > n_r + n_e$, we can find $n_r$ beamforming directions that are simultaneously in the range of $\mathbf{H}^{H}$ and the null space of $\mathbf{H}_{E}$. This gives $d_s = n_r = \min(n_t, n_r)$ — the full non-secrecy DoF.

$C_K = I(X;Y) = -\frac{1}{2}\log_2(1 - 0.95^2) = -\frac{1}{2}\log_2(0.0975) \approx 1.68 \text{ bits/obs}.$$

With 4-bit uniform quantization of $X \in [-3, 3]$ (covering 99.7% of the Gaussian), the quantization noise variance is approximately $\sigma_q^2 \approx (6/16)^2/12 \approx 0.0117$.

The effective correlation after quantization: $\rho_{\text{eff}} \approx \rho \cdot \sigma_X / \sqrt{\sigma_X^2 + \sigma_q^2} \approx 0.95 \cdot 1/\sqrt{1.0117} \approx 0.9445$.

$C_K^{\text{quant}} \approx -\frac{1}{2}\log_2(1 - 0.9445^2) \approx 1.55$ bits/obs.

Loss: $(1.68 - 1.55)/1.68 \approx 7.7\%$.

The syndrome of the rate-0.2 LDPC code leaks $0.2 \times 4 = 0.8$ bits/obs to Eve over the public channel.

After privacy amplification, the extractable key rate is: $$R_K \leq C_K^{\text{quant}} - R_{\text{leak}} = 1.55 - 0.8 = 0.75 \text{ bits/obs}.$$

This is a conservative estimate; tighter reconciliation codes would leak less.

$I(X;Y) = h(Y) - h(Y|X) = h(Y) - h(N_Y) = h(X + N_Y) - \frac{1}{2}\log(2\pi e \sigma^2_{Y})$.

Since $Z = X + N_Z$ where $N_Z = N_Y + N'$ (degraded): $I(X;Z) = h(Z) - h(Z|X) = h(X + N_Z) - \frac{1}{2}\log(2\pi e \sigma^2_{Z})$.

$I(X;Y) - I(X;Z) = h(X + N_Y) - h(X + N_Z) + \frac{1}{2}\log\frac{\sigma^2_{Z}}{\sigma^2_{Y}}.$$The last term is constant. We need to show that$h(X + N_Y) - h(X + N_Z)$is maximized by Gaussian$X$.

By the entropy power inequality (EPI), for independent $X$ and $N$: $2^{2h(X+N)} \geq 2^{2h(X)} + 2^{2h(N)}$.

A direct proof: define $f(t) = h(X + \sqrt{t}G)$ where $G \sim \mathcal{N}(0,1)$ independent of $X$. Then $h(X + N_Y) = f(\sigma^2_{Y})$ and $h(X + N_Z) = f(\sigma^2_{Z})$.

By de Bruijn's identity, $f'(t) = \frac{1}{2}J(X + \sqrt{t}G)$ where $J$ is the Fisher information. Fisher information is convex, so $f$ is concave.

$h(X+N_Y) - h(X+N_Z) = f(\sigma^2_{Y}) - f(\sigma^2_{Z}) = \int_{\sigma^2_{Y}}^{\sigma^2_{Z}} f'(t)dt$.

This integral is maximized when $f'$ is as large as possible on $[\sigma^2_{Y}, \sigma^2_{Z}]$, which happens when $X$ is Gaussian (since the Gaussian maximizes Fisher information among distributions with the same variance). $\blacksquare$

With ZF beamforming, each user $k$ achieves rate $R_k = \log(1 + \alpha P_k \|\mathbf{h}_k\|^2)$. Eve's SINR for user $k$: $$\text{SINR}_{E,k} = \frac{\alpha P_k |\mathbf{h}_{E}^H \mathbf{v}_k|^2}{n_e + \frac{(1-\alpha)P}{n_t - K} \|\mathbf{H}_{E} \mathbf{V}_{\text{AN}}\|_F^2}.$$

As $n_t \to \infty$, $\|\mathbf{H}_{E} \mathbf{V}_{\text{AN}}\|_F^2 \sim n_e(n_t - K)$, so the AN power at Eve grows as $(1-\alpha)P n_e$. Meanwhile, $|\mathbf{h}_{E}^H \mathbf{v}_k|^2 = O(1)$.

Therefore $\text{SINR}_{E,k} \to 0$ and the secrecy rate $R_{s,k} \to R_k$.

(b) The secrecy penalty is $\Delta R_k \approx \log(1 + \text{SINR}_{E,k})$. Setting $\Delta R_k < 0.1$ bits/use at $\text{SNR} = 10$ dB requires $\text{SINR}_{E,k} < 2^{0.1} - 1 \approx 0.072$. Working through the random matrix expressions, this requires $n_t \gtrsim K + 10 n_e$, so for $n_e = 4$: $n_t \gtrsim 48$.

(c) When $n_e > n_t - K$, the AN subspace is smaller than Eve's observation space. Eve can partially resolve the AN and extract some information about the data signals. The secrecy rate degrades but remains positive as long as $n_t > K$ (some AN is still possible). The worst case is $n_e \geq n_t$, where Eve can potentially invert all spatial processing.

(a) Threat model:

• IT secrecy: assumes eavesdropper has unbounded computation but bounded channel quality. Broken if Eve gets a better channel.
• AES-256: assumes eavesdropper has bounded computation (~$2^{256}$ operations infeasible). Broken by a sufficiently powerful computer (quantum or classical).

(b) Key management:

• IT secrecy: no pre-shared key needed (wiretap coding) or generates keys from channel (key agreement).
• AES: requires pre-shared or Diffie-Hellman-established keys. Key distribution is the hard problem in practice.

(c) Performance overhead:

• IT secrecy: costs rate (secrecy rate < main channel rate) and may require extra antennas/power for AN.
• AES: negligible throughput overhead (AES-NI hardware acceleration), but key establishment has latency.

(d) Deployment:

• IT secrecy: research prototypes for key generation; no deployed wiretap codes.
• AES: deployed universally in all commercial systems.

Argument for complementarity: IT secrecy is most valuable where key management is hardest: IoT devices without PKI, machine-type communication, and ad-hoc networks. Channel-based key generation can bootstrap encryption keys without infrastructure, while AES handles the bulk data encryption. In 6G, the combination — PLS for key generation, AES for encryption — offers defense in depth: even if quantum computing breaks AES, the PLS-generated keys provide an unconditional fallback.