The converse technique used in the proof of Theorem 4.8 can also be

used to derive simple bounds for secure rates over WTCs; in fact, the secret-key capacity is always an upper bound for the secrecy capacity since a wiretap code is a special case of key-distillation strategy for a channel model. As an application, we revisit the WTC with confidential rate-limited feedback, for which we computed achievable rates in Section 3.6.2. Following the steps used to establish (4.20), we can show that the secret- key capacity with public discussion of the WTC with confidential rate-limited feedback satisfies 1 nH(K)  1 nI(RXF n ; RYYn|ZnArBr)+ δ().

The only difference from (4.63) is the presence of the term Fn_{representing the messages}

sent over the confidential feedback channel. Nevertheless, we have 1 nI(RXF n ; RYYn|ZnArBr)= 1 nI(F n ; RYYn|ArBrZn)+ 1 nI(RX; RYY n_|Ar BrFnZn)  1 nH(F n )+1 nI(RX; RYY n_|Ar BrFnZn).

The second term on the right-hand side is similar to (4.63), since the messages sent over the secure feedback channel appear along Ar _{and B}r _{and can now be interpreted}

as public messages. Following the same steps and using the fact that (1/n)H(Fn_{) R}

f,

we obtain the upper bound 1 nH(K)  Rf+ n  j₌₁ IXj; Yj|Zj  .

This outer bound coincides with the achievable rate obtained in Proposition 3.9 if the channel is physically degraded.

4.5

Strong secrecy from weak secrecy

In this section, we develop a generic mathematical procedure by which to construct a scheme (wiretap code or key-distillation strategy) that guarantees a strong secrecy condition from a scheme that guarantees a weak secrecy condition. We show that this procedure entails no rate loss, which allows us to prove that CCM

s = CCMs for a channel

model and Cs= Cs for a wiretap channel and justifies a posteriori the use of a weak

secrecy condition in previous chapters.

Proposition 4.9. The strong secret-key capacity CCM

s of a channel model with DMC

nR bits nR bits ALICE BOB m weakly secure keys m weakly secure keys over public channel

reconciliation and privacy amplification

Figure 4.8 From weak to strong secrecy.

Proof. Consider a channel model with DMC (X , pYZX_– , Y, Z) and a (2n R, n) key-

distillation strategySnthat achieves weak secret-key rates. As illustrated in Figure 4.8,

we construct a new strategy by

• using the key-distillation strategy Snm times to generate m weakly secure keys;

• treating the weakly secure keys as the realizations of a DMS and distilling strong secret keys by means of information reconciliation and privacy amplification with extractors.

Note that the post-processing of the weakly secure keys is possible because keys are not meant to carry any information by themselves and do not need to be known ahead of time.

Formally, let > 0. By definition, there exists a (2n R_{, n) key-distillation strategy S} n with rate R CCM s −  such that Pe(Sn) δ() and 1 nL(Sn) δ().

Alice runsSn m times to generate m independent keys. In each run i ∈ 1, m, Alice

obtains a key Ki, Bob obtains a key ˆKi, and Eve obtains the observations Zin together

with public messages Ar

i and Bri. Effectively, the situation is as if Alice, Bob, and Eve

observed m realizations of a DMS (XYZ, pXYZ) with

X K, Y ˆK, and Z ZnArBr.

According to Theorem 4.7, Alice and Bob can distill a strong secret key K of length k m(IX; Y− IX; Z− δ())

and such that

HK|Zm_S

n

 k − δ(m)

by means of a one-way direct reconciliation protocol and privacy amplification with extractors. Note that

IX; Y− IX; Z= IK; ˆK|Sn  − I(K; Zn ArBr|Sn) = H(K) − HK| ˆKSn  − I(K; Zn ArBr|Sn)  nR − nδ(Pe(Sn))− nL(Sn)  nCCM s − nδ().

Therefore, the rate (in bits per use of the channel (X , pYZX_– , Y, Z)) at which the strong secret-key K is generated is k mn  C CM s − δ().

Since can be chosen arbitrarily small, we conclude that CCM

s  CsCM and, therefore,

CCM

s = C

CM

s . 

Proposition 4.10. The strong secrecy capacity CWT

s of a WTC (X , pYZX_– , Y, Z) is equal

to its weak secrecy capacity CWT

s .

Proof. The proof is similar to that of Proposition 4.9 but the objective is now to transmit messages (instead of generating keys) without relying on a public channel. Let > 0. By definition, there exists a (2n R, n) code Cnwith rate R CsWT−  such that

Pe(Cn) δ() and

1

nL(Cn) δ().

Alice uses the code Cn m times to transmit m independent messages. In each run

i∈ 1, m, Alice transmits a message Mi, Bob obtains a message ˆMi, and Eve obtains

the observations Zn

i. Again, the situation is as if Alice, Bob, and Eve observed m

realizations of a DMS (X_Y_Z_{, pXYZ) with}

X M, Y ˆM, and Z Zn.

According to Theorem 4.7, Alice and Bob can distill a strong secret key K of length k m(IX; Y− IX; Z− δ())

and such that

HK|ZmCn

 k − δ(m)

by means of a one-way direct reconciliation protocol and privacy amplification with extractors. The reader can check that

IX; Y− IX; Z nCWT

s − nδ().

However, because there is no public channel, the messages required in order to per- form reconciliation and privacy amplification must be transmitted over the channel; we must also account for these additional channel uses in the calculation of the final key rate.

By Proposition 4.5, there exists a one-way reconciliation protocol that exchanges m(H(X_|Y_{)+ δ()) bits of public messages and that guarantees P}_X_{= ˆX} _{ δ}

(m).

By Theorem 4.6, there exists an extractor that requires the transmission of mδ(m) bits of uniform randomness in order to distill the key K. Alice can transmit these bits to Bob over the main channelX , pY|X, Y

with an error-correcting code of length m. Let Cmdenote the capacity of the channel

X , pY_|X, Y

. From Shannon’s channel coding theorem, we know that there exists a code of rate Cm− δ() that guarantees an average

requires m 1 m(H(X_|Y_{)+ δ()) + mδ(m)} Cm− δ() 2 channel uses. By virtue of Fano’s inequality,

HX|Y= HM| ˆM Hb(Pe(Cn))+ Pe(Cn)nCsWT= nδ(n).

All in all, the strong secret key K can be generated at a rate k mn+ m  m(nCWT s − nδ()) mn+m(nδ(n) + δ()) + mδ(m) Cm− δ() + 1 = CWT s − δ() − δ(n, m).

In other words, for n and m large enough, the transmission of reconciliation and privacy- amplification messages over the channel incurs a negligible rate penalty.

To conclude, it remains to show that the key K can be interpreted as a message so that the key rate is a message rate. Notice that all communications over the channel are one- way; therefore, in principle, Alice could choose the final key K ahead of time, “invert” the privacy-amplification process, and artificially split the transmission over mn channel uses. Hence, the final strong secret-key K can be treated as a message M that satisfies a strong secrecy condition. Since can be arbitrarily small, we obtain CWT

s  C

WT

s and

thus CWT

s = CsWT. 

Remark 4.12. Privacy amplification with extractors is critical to obtaining strong