In this chapter, we develop the notion of secrecy capacity, which plays a central role in physical-layer security. The secrecy capacity characterizes the fundamental limit of secure communications over noisy channels, and it is essentially the counterpart to the usual point-to-point channel capacity when communications are subject not only to reliability constraints but also to an information-theoretic secrecy requirement. It is inherently associated with a channel model called the wiretap channel, which is a broadcast channel in which one of the receivers is treated as an adversary. This adversarial receiver, which we call the eavesdropper to emphasize its passiveness, should remain ignorant of the messages transmitted over the channel. The mathematical tools, and especially the random-coding argument, presented in this chapter are the basis for most of the theoretical research in physical-layer security, and we use them extensively in subsequent chapters.

We start with a review of Shannon's model of secure communications (Section 3.1), and then we informally discuss the problem of secure communications over noisy channels (Section 3.2). The intuition we develop from loose arguments is useful to grasp the concepts underlying the proofs of the secrecy capacity and motivates a discussion of the choice of an information-theoretic secrecy metric (Section 3.3). We then study in detail the fundamental limits of secure communication over degraded wiretap channels (Section 3.4) and broadcast channels with confidential messages (Section 3.5).

In all of the previous chapters, we discussed the possibility of secure transmissions at the physical layer for communication models involving only two legitimate parties and a single eavesdropper. These results generalize in part to situations with more complex communication schemes, additional legitimate parties, or additional eavesdroppers. Because of the increased complexity of these “multi-user” channel models, the results one can hope to obtain are, in general, not as precise as the ones obtained in earlier chapters. In particular, it becomes seldom possible to obtain a single-letter characterization of the secrecy capacity and one must often resort to the calculation of upper and lower bounds. Nevertheless, the analysis of multi-user communication channels still provides useful insight into the design of secure communication schemes; in particular it highlights several characteristics of secure communications, most notably the importance of cooperation, feedback, and interference. Although these aspects have been studied extensively in the context of reliable communications and are now reasonably well understood, they do not necessarily affect secure communications in the same way as they affect reliable communications. For instance, while it is well known that cooperation among transmitters is beneficial and improves reliability, the fact that interference is also helpful for secrecy is perhaps counter-intuitive.

There are numerous variations of multi-user channel models with secrecy constraints; rather than enumerating them all, we study the problem of secure communication over a two-way Gaussian wiretap channel.

Many of the applications of classical coding techniques can be found at the physical layer of contemporary communication systems. However, coding ideas have recently found their way into networking research, most strikingly in the form of algebraic codes for networks. The existing body of work on network coding ranges from determinations of the fundamental limits of communication networks to the development of efficient, robust, and secure network-coding protocols. This chapter provides an overview of the field of network coding with particular emphasis on how the unique characteristics of network codes can be exploited to achieve high levels of security with manageable complexity. We survey network-coding vulnerabilities and attacks, and compare them with those of state-of-the-art routing algorithms. Some emphasis will be placed on active attacks, which can lead to severe degradation of network-coded information flows. Then, we show how to leverage the intrinsic properties of network coding for information security and secret-key distribution, in particular how to exploit the fact that nodes observe algebraic combinations of packets instead of the data packets themselves. Although the prevalent design methodology for network protocols views security as something of an add-on to be included after the main communication tasks have been addressed, we shall contend that the special characteristics of network coding warrant a more comprehensive approach, namely one that gives equal importance to security concerns. The commonalities with code constructions for physical-layer security will be highlighted and further investigated.

This chapter extends the results obtained in Chapter 3 and Chapter 4 for discrete memoryless channels and sources to Gaussian channels and wireless channels, for which numerical applications provide insight beyond that of the general formula in Theorem 3.3. Gaussian channels are of particular importance, not only because the secrecy capacity admits a simple, intuitive, and easily computable expression but also because they provide a reasonable approximation of the physical layer encountered in many practical systems. The analysis of Gaussian channels also lays the foundations for the study of wireless channels.

The application of physical-layer security paradigms to wireless channels is perhaps one of the most promising research directions in physical-layer security. While wireline systems offer some security, because the transmission medium is confined, wireless systems are intrinsically susceptible to eavesdropping since all transmissions are broadcast over the air and overheard by neighboring devices. Other users can be viewed as potential eavesdroppers if they are not the intended recipients of a message. However, as seen in earlier chapters, the randomness present at the physical layer can be harnessed to provide security, and randomness is a resource that abounds in a wireless medium. For instance, we show that fading can be exploited opportunistically to guarantee secrecy even if an eavesdropper obtains on average a higher signal-to-noise ratio than a legitimate receiver.

We start this chapter with a detailed study of Gaussian channels and sources, including multiple-input multiple-output channels (Section 5.1.2).

In this chapter, we discuss the construction of practical codes for secrecy. The design of codes for the wiretap channel turns out to be surprisingly difficult, and this area of information-theoretic security is still largely in its infancy. To some extent, the major obstacles in the road to secrecy capacity are similar to those that lay in the path to channel capacity: the random-coding arguments used to establish the secrecy capacity do not provide explicit code constructions. However, the design of wiretap codes is further impaired by the absence of a simple metric, such as a bit error rate, which could be evaluated numerically. Unlike codes designed for reliable communication, whose performance is eventually assessed by plotting a bit-error-rate curve, we cannot simulate an eavesdropper with unlimited computational power; hence, wiretap codes must possess enough structure to be provably secure. For certain channels, such as binary erasure wiretap channels, the information-theoretic secrecy constraint can be recast in terms of an algebraic property for a code-generator matrix. Most of the chapter focuses on such cases since this algebraic view of secrecy simplifies the analysis considerably.

As seen in Chapter 4, the design of secret-key distillation strategies is a somewhat easier problem insofar as reliability and security can be handled separately by means of information reconciliation and privacy amplification. Essentially, the construction of coding schemes for key agreement reduces to the design of Slepian–Wolf-like codes for information reconciliation, which can be done efficiently with low-density parity-check (LDPC) codes or turbo-codes.

A simple look at today's information and communication infrastructure is sufficient for one to appreciate the elegance of the layered networking architecture. As networks flourish worldwide, the fundamental problems of transmission, routing, resource allocation, end-to-end reliability, and congestion control are assigned to different layers of protocols, each with its own specific tools and network abstractions. However, the conceptual beauty of the layered protocol stack is not easily found when we turn our attention to the issue of network security. In the early days of the Internet, possibly because network access was very limited and tightly controlled, network security was not yet viewed as a primary concern for computer users and system administrators. This perception changed with the increase in network connections. Technical solutions, such as personnel access controls, password protection, and end-to-end encryption, were developed soon after. The steady growth in connectivity, fostered by the advent of electronic-commerce applications and the ubiquity of wireless communications, remains unhindered and has resulted in an unprecedented awareness of the importance of network security in all its guises.

The standard practice of adding authentication and encryption to the existing protocols at the various communication layers has led to what could be rightly classified as a patchwork of security mechanisms. Given that data security is so critically important, it is reasonable to argue that security measures should be implemented at all layers where this can be done in a cost-effective manner.

In Chapter 3, we considered the transmission of information over a noisy broadcast channel subject to reliability and security constraints; we showed that appropriate coding schemes can exploit the presence of noise to confuse the eavesdropper and guarantee some amount of information-theoretic security. It is important to note that the wiretap channel model assumes that all communications occur over the channel, hence communications are inherently rate-limited and one-way. Consequently, the results obtained do not fully capture the role of noise for secrecy; in particular, for situations in which the secrecy capacity is zero, it is not entirely clear whether this stems from the lack of any “physical advantage” over the eavesdropper or the restrictions imposed on the communication schemes.

The objective of this chapter is to study more precisely the fundamental role of noise in information-theoretic security. Instead of studying how we can communicate messages securely over a noisy channel, we now analyze how much secrecy we can extract from the noise itself in the form of a secret key. Specifically, we assume that the legitimate parties and the eavesdropper observe the realizations of correlated random variables and that the legitimate parties attempt to agree on a secret key unknown to the eavesdropper. To isolate the role played by noise, we remove restrictions on communication schemes and we assume that the legitimate parties can distill their key by communicating over a two-way, public, noiseless, and authenticated channel at no cost.