How Can We Fully Use Noiseless Feedback to Enhance the Security of the Broadcast Channel with Confidential Messages

Abstract

The model for a broadcast channel with confidential messages (BC-CM) plays an important role in the physical layer security of modern communication systems. In recent years, it has been shown that a noiseless feedback channel from the legitimate receiver to the transmitter increases the secrecy capacity region of the BC-CM. However, at present, the feedback coding scheme for the BC-CM only focuses on producing secret keys via noiseless feedback, and other usages of the feedback need to be further explored. In this paper, we propose a new feedback coding scheme for the BC-CM. The noiseless feedback in this new scheme is not only used to produce secret keys for the legitimate receiver and the transmitter but is also used to generate update information that allows both receivers (the legitimate receiver and the wiretapper) to improve their channel outputs. From a binary example, we show that this full utilization of noiseless feedback helps to increase the secrecy level of the previous feedback scheme for the BC-CM.

1. Introduction

Wyner, in his outstanding paper on the degraded wiretap channel [1], first studied secure transmission over a physically degraded broadcast channel in the presence of an additional wiretapper. Wyner showed that the secrecy capacity (the maximum transmission rate with perfect secrecy constraint) of the degraded wiretap channel model was given by

$$\begin{array}{c}{C}_s^d=\underset{P\left(x\right)}{max}(I(X;Y)-I(X;Z)),\hfill \end{array}$$

(1)

where X, Y and Z are the channel input, channel output for the legitimate receiver and channel output for the wiretapper, respectively, and they satisfy the Markov chain $X\to Y\to Z$. Note here that the secrecy capacity defined in (1) can be viewed as the difference between the main channel capacity $I(X;Y)$ (the channel for the transmitter and the legitimate receiver) and the wiretap channel capacity $I(X;Z)$ (the channel for the transmitter and the wiretapper). Later, Csiszar and Korner [2] extended Wyner’s work [1] to a more general case: the broadcast channel with confidential messages (BC-CM), where common and confidential messages were transmitted through a discrete memoryless general broadcast channel (without the degradedness assumption $X\to Y\to Z$), and the common message was intended to be decoded by both the legitimate receiver and the wiretapper, while the confidential message was only allowed to be decoded by the legitimate receiver. The secrecy capacity region (the capacity region with the perfect secrecy constraint) of this generalized model is determined in [2], and it is given by

$$\begin{array}{c}{\mathcal{C}}_s=\{(R_0,R_1):0\le R_0\le min\{I(U;Y),I(U;Z)\}\hfill \\ 0\le R_1\le I(V;Y|U)-I(V;Z|U)\},\hfill \end{array}$$

(2)

where U and V respectively represent the common message and the confidential message, and $R_0$ and $R_1$ are the transmission rates of the common message and the confidential message, respectively. Here note that from (2), it is not difficult to show that the secrecy capacity $C_s$ (the maximum transmission rate of the confidential message with the perfect secrecy constraint) of the BC-CM is given by

$$\begin{array}{c}{C}_s=\underset{P(v,x)}{max}{[I(V;Y)-I(V;Z)]}^{+},\hfill \end{array}$$

(3)

where the function ${\left[x\right]}^{+}=x$ if $x\ge 0$, else ${\left[x\right]}^{+}=0$, and $C_s$ is also called the secrecy capacity of the general wiretap channel. The work of [1] and [2] lays the foundation of the physical layer security in modern communication systems.

Recently, Ahlswede and Cai [3] found that if the legitimate receiver sent his own channel output Y back to the transmitter through a noiseless feedback channel, the secrecy capacity region ${\mathcal{C}}_s$ of the BC-CM could be expanded to an achievable secrecy rate region

$$\begin{array}{c}{\mathcal{C}}_s^{f-cai}=\{(R_0,R_1):0\le R_0\le min\{I(U;Y),I(U;Z)\}\hfill \\ 0\le R_1\le min\{{[I(V;Y|U)-I(V;Z|U)]}^{+}+H\left(Y\right|Z,U,V),I(V;Y|U)\}\},\hfill \end{array}$$

(4)

where the auxiliary random variables U and V are defined similarly as those in (2). The coding scheme of the region ${\mathcal{C}}_s^{f-cai}$ combines Csiszar and Korner’s coding scheme for the BC-CM [2] with the idea of using a secret key to encrypt the transmitted message, where the secret key is generated from the noiseless feedback. Note here that the region ${\mathcal{C}}_s^{f-cai}$ is an inner bound on the secrecy capacity ${\mathcal{C}}_s^f$ of the BC-CM with noiseless feedback, and to the best of the authors’ knowledge, $C_s^f$ remains unknown. Similar to the work of [2], using (4), Ahlswede and Cai also provided an achievable secrecy rate $R_s^{f-cai}$ (lower bound on the secrecy capacity) of the general wiretap channel with noiseless feedback, and it is given by

$$\begin{array}{c}{R}_s^{f-cai}=\underset{P(v,x)}{max}min\{{[I(V;Y)-I(V;Z)]}^{+}+H\left(Y\right|V,Z),I(V;Y)\},\hfill \end{array}$$

(5)

where V is defined in the same way as in (2). In [3], Ahlswede and Cai further pointed out that for the degraded wiretap channel with noiseless feedback (the Markov chain $X\to Y\to Z$ holds), the secrecy capacity $C_s^{df}$ was given by

$$\begin{array}{c}{C}_s^{df}=\underset{P\left(x\right)}{max}min\{I(X;Y)-I(X;Z)+H\left(Y\right|X,Z),I(X;Y)\}.\hfill \end{array}$$

(6)

Here, note that the secrecy capacities in (5) and (6) can be viewed as a combination of two parts: the first part is the difference between the main channel capacity ($I(V;Y)$ or $I(X;Y)$) and the wiretap channel capacity ($I(V;Z)$ or $I(X;Z)$), and the second part is the rate $H\left(Y\right|V,Z)$ ($H\left(Y\right|X,Z)$) of a secret key generated by the noiseless feedback and shared between the legitimate receiver and the transmitter. Comparing (6) with (1) and (5) with (3), it is easy to see that by using the noiseless feedback to generate a secret key encrypting the transmitted message, the secrecy capacity of the wiretap channel can be enhanced. Besides the work of [3], other related works on the BC-CM or wiretap channel in the presence of noiseless feedback are in [4,5,6,7].

In this paper, we re-visit the BC-CM with noiseless feedback investigated by Ahlswede and Cai [3] (see Figure 1), and we propose a new achievable secrecy rate region for this feedback model. The coding scheme for this achievable region combines the previous Ahlswede and Cai’s scheme [3] with the Wyner-Ziv scheme for lossy source coding with side information [8], i.e., compared with Ahlswede and Cai’s scheme, in our new scheme, the noiseless feedback is not only used to produce the secret key but also used to generate an update information that allows the legitimate receiver to improve his channel output. From a binary example, we show that this full utilization of noiseless feedback helps to obtain a larger achievable secrecy rate of the confidential message.

Figure 1. Broadcast channel with confidential messages and noiseless feedback.

Now the remainder of this paper is organized as follows. Section 2 is about the problem formulation and the main result of this paper. A binary example is provided in Section 3. Final conclusions are presented in Section 4.

2. Problem Formulation and New Result

Notations: In this paper, random variables are written in upper case letters (e.g. V), real values are written in lower case letters (e.g. v), and members of the alphabet are written in calligraphic letters (e.g. $\mathcal{V}$). Random vectors and their values are written in a similar way. The probability $Pr\{V=v\}$ is shortened to $P\left(v\right)$. In addition, for the remainder of this paper, the base of the logarithm is 2.

Model description: Suppose that the common message $W_0$ is chosen to be transmitted, and it is uniformly distributed over its alphabet ${\mathcal{W}}_0=\{1,2,\dots ,M_0\}$. Analogously, the confidential message $W_1$ is chosen to be transmitted, and it is uniformly distributed over its alphabet ${\mathcal{W}}_1=\{1,2,\dots ,M_1\}$. The channel is discrete and memoryless with input $X^N$, outputs $Y^N$, $Z^N$, and has transition probability $P(y,z|x)$. At time i ($1\le i\le N$), the legitimate receiver receives the channel output $Y_i$, and he sends the previous channel outputs $Y_1$,...,$Y_{i-1}$ back to the transmitter via a noiseless feedback channel. Hence at time i, the channel encoder $f_i$ is denoted by

$$X_i=\left\{\begin{array}{cc}{f}_i(W_0,W_1),\hfill & i=1\hfill \\ f_i(W_0,W_1,Y^{i-1}),\hfill & 2\le i\le N.\hfill \end{array}\right.$$

(7)

Here we should note that $f_i$ does not need to be deterministic and stochastic encoding is also allowed. For the legitimate receiver, after receiving $Y^N$, he uses a decoding mapping ${\psi }_1:{\mathcal{Y}}^N\to {\mathcal{W}}_0\times {\mathcal{W}}_1,$ to obtain ${\widehat{W}}_0$ and ${\widehat{W}}_1$, which are estimations of the transmitted messages $W_0$ and $W_1$, respectively. The legitimate receiver’s decoding error probability $P_{e1}$ is defined by

$$P_{e1}=\frac{1}{M_0{M}_1}\sum _{i=1}^{M_0}\sum _{j=1}^{M_1}Pr\{{\psi }_1\left(y^N\right)\ne (i,j)|(i,j)\mathrm{sent}\}.$$

(8)

For the wiretapper, after receiving $Z^N$, he uses a decoding mapping ${\psi }_2:{\mathcal{Z}}^N\to {\mathcal{W}}_0,$ to obtain ${\check{W}}_0$, which is an estimation of the transmitted message $W_0$. Moreover, the wiretapper also tries to decode the transmitted message $W_1$ via his own channel output $Z^N$, and his equivocation (uncertainty) about $W_1$ is denoted by

$$\Delta =\frac{1}{N}H\left(W_1\right|Z^N).$$

(9)

The wiretapper’s decoding error probability $P_{e2}$ is defined by

$$P_{e2}=\frac{1}{M_0}\sum _{i=1}^{M_0}Pr\{{\psi }_2\left(z^N\right)\ne i|i\mathrm{sent}\}.$$

(10)

Finally, using similar criteria in [1] and [2], if for any small positive number $ϵ$, there exists an encoding-decoding scheme with parameters $M_0$, $M_1$, N, $P_{e1}$ and $P_{e2}$ such that

$$\begin{array}{c}\frac{log{M}_0}{N}\ge R_0-ϵ,\frac{log{M}_1}{N}\ge R_1-ϵ,\Delta \ge R_1-ϵ,P_{e1}\le ϵ,P_{e2}\le ϵ,\hfill \end{array}$$

(11)

we say that the rate pair $(R_0,R_1)$ is achievable with perfect secrecy. The secrecy capacity region $C_s^f$ is composed of all achievable secrecy rate pairs satisfying (5), and the following Theorem 1 provides an inner bound on $C_s^f$.

Theorem 1.

The secrecy capacity region $C_s^f$ of the discrete memoryless BC-CM with noiseless feedback satisfies

$$\begin{array}{c}{C}_s^f\supseteq C_s^{f-new},\hfill \end{array}$$

(12)

where

$$\begin{array}{c}{C}_s^{f-new}=\{(R_0,R_1):0\le R_0\le min\{I(U;Y,V_1),I(U;Z,V_2)\}-I(U,V,Y;V_0,V_2|Z)\hfill \\ 0\le R_1\le min\{{[I(V;Y,V_1|U)-I(V;Z,V_2|U)]}^{+}+H\left(Y\right|Z,U,V,V_2),I(V;Y,V_1|U)\}\hfill \\ 0\le R_0+R_1\le min\{I(U;Y,V_1),I(U;Z,V_2)\}+I(V;Y,V_1|U)-I(V_1;U,V,Y|V_0,Y)\hfill \\ -I(V_2;U,V,Y|V_0,Z)-max\{I(V_0;U,V,Y|Y),I(V_0;U,V,Y|Z)\}\},\hfill \end{array}$$

the joint probability mass function $P(v_0,v_1,v_2,u,v,x,y,z)$ is denoted by

$$\begin{array}{c}P(v_0,v_1,v_2,u,v,x,y,z)=P(v_0,v_1,v_2|u,v,y)P(y,z|x)P\left(x\right|u,v)P\left(v\right|u)P\left(u\right),\hfill \end{array}$$

(13)

and the auxiliary random variables $V_0$, $V_1$, $V_2$, V, U take values in finite alphabets.

Proof. 

The coding scheme for the inner bound $C_s^{f-new}$ combines the previous Ahlswede and Cai’s scheme of the model of Figure 1 with a “generalized” Wyner-Ziv scheme for lossy source coding with side information [8], and the details of the proof of Theorem 1 are in Appendix A. ☐

Remark 1.

There are some notes on Theorem 1; see the following.

• Comparing our new inner bound $C_s^{f-new}$ with the previous Ahlswede and Cai’s inner bound ${\mathcal{C}}_s^{f-cai}$, in general, we do not know which one is larger. In the next section, we consider a binary case of the BC-CM with noiseless feedback, and compute these inner bounds for this binary case. From this binary example, we show that the maximum achievable $R_1$ (the transmission rate of the confidential message with perfect secrecy constraint) in $C_s^{f-new}$ is larger than that in ${\mathcal{C}}_s^{f-cai}$, however, the enhancement of $R_1$ is at the cost of reducing the transmission rate of the common message $R_0$.
• Note here that in $C_s^{f-new}$, the auxiliary random variable U represents the encoded sequence for the common message and V represents the encoded sequence for both the common and confidential messages. The auxiliary random variable $V_0$ is both the legitimate receiver and the wiretapper’s estimation of U, and the index of $V_0$ is related to the update information generated by the noiseless feedback. The auxiliary random variable $V_1$ is the legitimate receiver’s estimation of V, and $V_2$ is the wiretapper’s estimation of V. Both the indexes of $V_1$ and $V_2$ are with respect to the update information. The inner bound $C_s^{f-new}$ is constructed by using the feedback to generate a secret key shared between the legitimate receiver and the wiretapper, and generate update information used to construct estimation of the transmitted sequences U and V. The estimation of U and V helps both the legitimate receiver and the wiretapper to improve their own received symbols Y and Z.

3. Binary Example of the BC-CM with Noiseless Feedback

Now we consider a binary case of the model of Figure 1. In this case, the channel input is X and output Y, Z takes values in $\{0,1\}$, and they satisfy

$$\begin{array}{c}Y=X+Z_1,Z=X+Z_2,\hfill \end{array}$$

(14)

where $Z_1\sim Bern\left(p\right)$ ($p<0.5$) and $Z_2\sim Bern\left(q\right)$ ($q<0.5$) are the channel noises for the transmitter-legitimate receiver’s channel and transmitter-wiretapper’s channel, respectively, and they are independent of each other and the channel input X.

Without noiseless feedback, letting $P(U=0)=\alpha$, $P(U=1)=1-\alpha$, $P(V=0)=\beta$, $P(V=1)=1-\beta$, $U+V=X$, using the fact that U is independent of V, and substituting (14) into (2), it is not difficult to calculate the secrecy capacity region ${\mathcal{C}}_s^b$ of the binary BC-CM, and it is given by

$$\begin{array}{c}{\mathcal{C}}_s^b=\{(R_0,R_1):0\le R_0\le min\{1-h(\beta \star p),1-h(\beta \star q)\}\hfill \\ 0\le R_1\le h(\beta \star p)-h\left(p\right)-h(\beta \star q)+h\left(q\right)\},\hfill \end{array}$$

(15)

where $h\left(x\right)=-xlog\left(x\right)-(1-x)log(1-x)$ and $a\star b=a+b-2ab$. Here, note that the region (15) is achieved when $\alpha =0.5$.

With noiseless feedback, first, we compute Ahlswede and Cai’s achievable secrecy rate region for this binary case. Letting $P(U=0)=\alpha$, $P(U=1)=1-\alpha$, $P(V=0)=\beta$, $P(V=1)=1-\beta$, $U+V=X$, using the fact that U is independent of V, and substituting (14) into (4), it is not difficult to calculate Ahlswede and Cai’s achievable secrecy rate region ${\mathcal{C}}_s^{bf*}$ for this binary case, and it is given by

$$\begin{array}{c}{\mathcal{C}}_s^{bf*}=\{(R_0,R_1):0\le R_0\le min\{1-h(\beta \star p),1-h(\beta \star q)\}\hfill \\ 0\le R_1\le min\{h(\beta \star p)-h\left(p\right),{[h(\beta \star p)-h\left(p\right)-h(\beta \star q)+h\left(q\right)]}^{+}+h\left(p\right)\}\},\hfill \end{array}$$

(16)

where ${[x]}^{+}=x$ if $x\ge 0$, else ${[x]}^{+}=0$. Comparing (16) with (15), it is easy to see that the noiseless feedback enhances the secrecy capacity region of the binary BC-CM. Here the region (16) is achieved when $\alpha =0.5$.

Then, it remains to compute our new achievable secrecy rate region for this binary case. Letting $V_1=(U,V)$, $V_2=U$, $V_0=Z_1$, $P(U=0)=\alpha$, $P(U=1)=1-\alpha$, $P(V=0)=\beta$, $P(V=1)=1-\beta$, $U+V=X$, using the fact that U is independent of V, and substituting (14) into $C_s^{f-new}$ of Theorem 1, it is not difficult to show that the achievable secrecy rate region ${\mathcal{C}}_s^{bf}$ of our new feedback scheme is given by

$$\begin{array}{c}{\mathcal{C}}_s^{bf}=\{(R_0,R_1):0\le R_0\le min\{1-h(\beta \star p)-h\left(p\right),1-h\left(\beta \right)-h\left(q\right)\}\hfill \\ 0\le R_1\le min\{h\left(\beta \right),h\left(\beta \right)-h(\beta \star q)+h\left(p\right)+h\left(q\right)\}\hfill \\ 0\le R_1+R_2\le min\{1-h\left(\beta \right)-h\left(p\right)-h\left(q\right),1-h(\beta \star q)-h\left(p\right)\}\}.\hfill \end{array}$$

(17)

The achievability of ${\mathcal{C}}_s^{bf}$ can be explained by the following simple block length-(n) scheme.

• First note that in the following explanation, the channel input $x^N$ for the i-th block ($1\le i\le n$) is denoted by ${\tilde{x}}_i$, and similar conventions are applied to $u^N$, $v^N$, $v_0^N$, $v_1^N$, $v_2^N$, $y^N$, $z^N$, $z_1^N$ and $z_2^N$. For each block, the transmitted message is composed of a common message, a confidential message, a dummy message and update information.
• (Encoding): In the i-th block ($2\le i\le n$), after the transmitter receives the feedback channel output ${\tilde{y}}_{i-1}$, he generates a secret key from ${\tilde{y}}_{i-1}$ and uses this key to encrypt the confidential message of the i-th block. In addition, since ${\tilde{y}}_{i-1}={\tilde{x}}_{i-1}\oplus {\tilde{z}}_{1,i-1}$, the transmitter also knows the legitimate receiver’s channel noise ${\tilde{z}}_{1,i-1}$ at the i-th block, and thus he chooses ${\tilde{v}}_{0,i}={\tilde{y}}_{i-1}\oplus {\tilde{x}}_{i-1}={\tilde{z}}_{1,i-1}$ as an estimation of ${\tilde{u}}_{i-1}$, ${\tilde{v}}_{1,i}=({\tilde{u}}_{i-1},{\tilde{v}}_{i-1})$ as the legitimate receiver’s estimation of ${\tilde{x}}_{i-1}$, and ${\tilde{v}}_{2,i}={\tilde{u}}_{i-1}$ as the wiretapper’s estimation of ${\tilde{x}}_{i-1}$. Note that ${\tilde{x}}_{i-1}={\tilde{u}}_{i-1}\oplus {\tilde{v}}_{i-1}$ and the update information is part of the indexes of ${\tilde{v}}_{0,i}$, ${\tilde{v}}_{1,i}$ and ${\tilde{v}}_{2,i}$.
• (Decoding at the legitimate receiver): The legitimate receiver does backward decoding, i.e., the decoding starts from the last block. In block n, the legitimate receiver applies Ahlswede and Cai’s decoding scheme [3] to obtain his update information for block n. Then using the channel output ${\tilde{y}}_n$ as side information, the legitimate receiver applies Wyner-Ziv’s decoding scheme [8] to obtain ${\tilde{v}}_{0,n}$ and ${\tilde{v}}_{1,n}$. Since ${\tilde{v}}_{0,n}={\tilde{z}}_{1,n-1}$, the legitimate receiver knows the legitimate receiver’s channel noise for block $n-1$, and thus he computes ${\tilde{y}}_{n-1}\oplus {\tilde{z}}_{1,n-1}$ to obtain ${\tilde{x}}_{n-1}$ and the corresponding transmitted message for block $n-1$. Repeating the above decoding scheme, the legitimate receiver obtains the entire transmitted messages (including both confidential and common messages) for all blocks, and since he also knows the secret keys, the real messages are decrypted by him.
• (Decoding at the wiretapper): The wiretapper also does backward decoding. In block n, the wiretapper receives ${\tilde{z}}_n$, and he applies Ahlswede and Cai’s decoding scheme [3] to obtain his update information for block n. Then using the channel output ${\tilde{z}}_n$ as side information, the wiretapper applies Wyner-Ziv’s decoding scheme [8] to obtain ${\tilde{v}}_{0,n}$ and ${\tilde{v}}_{2,n}$. Since ${\tilde{v}}_{2,n}={\tilde{u}}_{n-1}$, the wiretapper knows the common message for block $n-1$. Repeating the above decoding scheme, finally, the wiretapper obtains the entire common messages for all blocks.

The following Figure 2 shows the achievable secrecy rate region ${\mathcal{C}}_s^{bf}$ of our new scheme, Ahlswede and Cai’s achievable secrecy rate region ${\mathcal{C}}_s^{bf*}$ and the secrecy capacity region ${\mathcal{C}}_s^b$ of the binary BC-CM without feedback for $p=0.05$ and $q=0.01$, which implies that the wiretapper’s channel noise is smaller than the legitimate receiver’s. From Figure 2, it is easy to see that when the wiretapper’s channel noise is smaller than the legitimate receiver’s, the secrecy rate $R_1$ of the binary BC-CM without feedback is 0, which implies that perfect secrecy can not be achieved, and the secrecy rate $R_1$ is enhanced by using noiseless feedback. Moreover, we see that our new scheme performs better than Ahlswede and Cai’s in enhancing the secrecy rate $R_1$, however, we should notice that the boosting of the secrecy rate $R_1$ is at the cost of reducing the rate $R_0$ of the common message.

Figure 2. The comparison of our new scheme with Ahlswede-Cai’s scheme and Csiszar-Korner’s scheme of the BC-CM without feedback for $p=0.05$ and $q=0.01$.

The following Figure 3 shows the achievable secrecy rate region ${\mathcal{C}}_s^{bf}$ of our new scheme, Ahlswede and Cai’s achievable secrecy rate region ${\mathcal{C}}_s^{bf*}$, and the secrecy capacity region ${\mathcal{C}}_s^b$ of the binary BC-CM without feedback for $p=0.05$ and $q=0.1$, which implies that the wiretapper’s channel noise is larger than the legitimate receiver’s. From Figure 3, it is easy to see that noiseless feedback enhances the secrecy rate of the BC-CM without feedback. However, we also should notice that the enhancement of the secrecy rate $R_1$ is at the cost of reducing the rate $R_0$ of the common message.

Figure 3. The comparison of our new scheme with Ahlswede-Cai’s scheme and Csiszar-Korner’s scheme of the BC-CM without feedback for $p=0.05$ and $q=0.1$.

4. Conclusions

In this paper, we propose a new coding scheme for the BC-CM with noiseless feedback. From a binary example, we show that our new feedback scheme performs better than the existing feedback scheme in enhancing the secrecy level of the BC-CM. However, we should notice that this enhancement of the secrecy level is at the cost of reducing the rate of the common message.

Appendix A.1. Preliminary

For a given probability $P\left(x\right)$, the identical independent distributed (i.i.d.) generated sequence $x^N$ is called $ϵ$-typical if

$$|\frac{N_{x^N}\left(x\right)}{N}-P\left(x\right)|\le ϵP\left(x\right),$$

where $\frac{N_{x^N}\left(x\right)}{N}$ is the frequency of symbol x appearing in the sequence $x^N$. The set, which is composed of all $ϵ$-typical $x^N$, is denoted by $T_{ϵ}^N\left(P\left(x\right)\right)$, and it is called the typical set. The following four lemmas about the typical set are extensively used in information theory.

Lemma A1. (Covering Lemma [9]):

Let $X^N$ satisfy $P(X^N\in T_{{ϵ}^{{}^{\prime }}}^N\left(P\left(x\right)\right))\to \to 1$ as $N\to \infty$. Also let M be an integer larger than $2^{Nr}$ for some $r\ge 0$, and let ${\{Y^N\left(m\right)\}}_{m=1}^M$ be a set composed of i.i.d. generated sequences $Y^N$ (according to the probability $P(y)$) such that $\{X^N,{\{Y^N(m)\}}_{m=1}^M\}$ are mutually independent. Then, for any probability $P(x,y)$ with marginal probabilities $P(x)$ and $P(y)$, there exists a $ϵ>0$ such that

$$\begin{array}{c}\hfill \underset{N\to \infty }{lim}P(\forall m\in \{1,2,\dots ,M\},(X^N,Y^N\left(m\right))\notin T_{ϵ}^N\left(P(x,y)\right))=0\end{array}$$

if $r>I(X;Y)+\delta \left(ϵ\right)$, where $\delta \left(ϵ\right)\to 0$ as $ϵ\to 0$.

Lemma A2. (Packing Lemma [9]):

Let $X^N$ be an i.i.d. generated random vector with distribution $P\left(x\right)$. Also let M be an integer smaller than $2^{Nr}$ for some $r\ge 0$, and let ${\left\{Y^N\left(m\right)\right\}}_{m=1}^M$ be a set composed of i.i.d. generated sequences $Y^N$ according to the probability $P\left(y\right)$, and each $Y^N\left(m\right)$ in the set is independent of $X^N$. Then for any probability $P(x,y)$ with marginal probabilities $P\left(x\right)$ and $P\left(y\right)$, there exists a $ϵ>0$ such that

$$\begin{array}{c}\hfill \underset{N\to \infty }{lim}P(\exists m\in \{1,2,\dots ,M\}s.t.(X^N,Y^N\left(m\right))\in T_{ϵ}^N\left(P(x,y)\right))=0\end{array}$$

if $r<I(X;Y)-\delta \left(ϵ\right)$, where $\delta \left(ϵ\right)\to 0$ as $ϵ\to 0$.

Lemma A3. (Generalized Packing Lemma [9]):

For some $r_1,r_2,r_3\ge 0$, let $M_1$, $M_2$, $M_3$ be integers satisfying $M_1\le 2^{N{r}_1}$, $M_2\le 2^{N{r}_2}$ and $M_3\le 2^{N{r}_3}$, respectively. Also let ${\left\{U_i^N\left(m\right)\right\}}_{m=1}^{M_i}$ ($i=1,2,3$) be a set composed of i.i.d. generated sequences $U_i^N$ (with respect to the distribution $P\left(u_i\right)$) such that $(U_1^N\left(m_1\right),U_2^N\left(m_2\right),U_3^N\left(m_3\right))$ are mutually independent for any $m_1$, $m_2$, $m_3$. Then for any probability $P(u_1,u_2,u_3)$ with marginal probabilities $P\left(u_1\right)$, $P\left(u_2\right)$ and $P\left(u_3\right)$, there exists a $ϵ>0$ such that

$$\begin{array}{c}\hfill \underset{N\to \infty }{lim}P\left(\exists m_i\in \{1,2,\dots ,M_i\}s.t.(U_1^N\left(m_1\right),U_2^N\left(m_2\right),U_3^N\left(m_3\right))\in T_{ϵ}^N\left(P(u_1,u_2,u_3)\right)\right)=0\end{array}$$

if $r_1+r_2+r_3<I(U_1;U_2)+I(U_3;U_1,U_2)-\delta \left(ϵ\right)$, where $\delta \left(ϵ\right)\to 0$ as $ϵ\to 0$.

Lemma A4. (Balanced coloring lemma [3]):

For any ${ϵ}_1,{ϵ}_2,{ϵ}_3,\delta >0$, sufficiently large N and all i.i.d. generated $Y^N$ according to the distribution $P\left(y\right)$, there exists a γ- coloring

$$c:T_{{ϵ}_1}^N\left(P\left(y\right)\right)\to \{1,2,..,\gamma \}$$

of $T_{{ϵ}_1}^N\left(P\left(y\right)\right)$ such that for all joint distribution $P(u,v,v_2,y,z)$ with marginal distribution $P(u,v,v_2,z)$ and $\frac{|T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|}{\gamma }>2^{N{ϵ}_2}$, $(z^N,u^N,v^N,v_2^N)\in T_{{ϵ}_3}^N\left(P(z,u,v,v_2)\right)$,

$$|c^{-1}\left(k\right)|\le \frac{|T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|(1+\delta )}{\gamma },$$

(A1)

for $k=1,2,\dots ,\gamma$, where $c^{-1}$ is the inverse image of c.

Lemma A4 implies that if $y^N$, $z^N$, $u^N$, $v^N$ and $v_2^N$ are jointly typical, for given $z^N$, $u^N$, $v^N$ and $v_2^N$, the number of $y^N\in T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)$ for a certain color k ($k=1,2,\dots ,\gamma$), which is denoted by $|c^{-1}\left(k\right)|$, is upper bounded by $\frac{|T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|(1+\delta )}{\gamma }$. By using Lemma A1, it is easy to see that the typical set $T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)$ maps into at least

$$\frac{|T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|}{\frac{|T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|(1+\delta )}{\gamma }}=\frac{\gamma }{1+\delta }$$

(A2)

colors. On the other hand, the typical set $T_{P\left(y\right|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)$ maps into at most $\gamma$ colors.

Appendix A.2. Code Construction

Definitions:

• Transmission takes place over n blocks, and each block is of length N. Define the confidential message $W_1$ by $W_1=(W_{1,1},...,W_{1,n})$, where $W_{1,i}$ ($1\le i\le n$) is for block i and takes values in $\{1,2,\dots ,2^{N{R}_1}\}$. Further divide $W_{1,i}$ into $W_{1,i}=(W_{1,1,i},W_{1,2,i})$, where $W_{1,j,i}$ ($j=1,2$) takes values in $\{1,2,\dots ,2^{N{R}_{1,j}}\}$, and $R_{1,1}+R_{1,2}=R_1$.
• Define the common message $W_0$ by $W_0=(W_{0,1},\dots ,W_{0,n})$, where $W_{0,i}$ ($1\le i\le n$) is for block i and takes values in $\{1,2,\dots ,2^{N{R}_0}\}$.
• Let $W^{{}^{\prime }}$ be a randomly generated dummy message transmitted over all blocks, and it is denoted by $W^{{}^{\prime }}=(W_1^{{}^{\prime }},\dots ,W_n^{{}^{\prime }})$, where $W_i^{{}^{\prime }}$ ($1\le i\le n$) is for block i and it takes values in $\{1,2,\dots ,2^{N{R}^{{}^{\prime }}}\}$.
• Let $W_0^{\ast }$ and $W_1^{\ast }$ be update information transmitted over all blocks, and they are respectively denoted by $W_0^{\ast }=(W_{0,1}^{\ast },\dots ,W_{0,n}^{\ast })$ and $W_1^{\ast }=(W_{1,1}^{\ast },\dots ,W_{1,n}^{\ast })$, where $W_{0,i}^{\ast }$ and $W_{1,i}^{\ast }$ ($1\le i\le n$) are for block i and take values in $\{1,2,\dots ,2^{N{\tilde{R}}_0}\}$ and $\{1,2,\dots ,2^{N{\tilde{R}}_1}\}$, respectively. Further divide $W_{0,i}^{\ast }$ into $W_{0,i}^{\ast }=(W_{0,0,i}^{\ast },W_{0,1,i}^{\ast },W_{0,2,i}^{\ast })$, where $W_{0,j,i}^{\ast }$ ($j=0,1,2$) takes values in $\{1,2,\dots ,2^{N{\tilde{R}}_{0,j}}\}$, and ${\tilde{R}}_{0,0}+{\tilde{R}}_{0,1}+{\tilde{R}}_{0,2}={\tilde{R}}_0$. Moreover, further divide $W_{1,i}^{\ast }$ into $W_{1,i}^{\ast }=(W_{1,0,i}^{\ast },W_{1,1,i}^{\ast })$, where $W_{1,j,i}^{\ast }$ ($j=0,1$) takes values in $\{1,2,\dots ,2^{N{\tilde{R}}_{1,j}}\}$, and ${\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}={\tilde{R}}_1$.
• Let ${\tilde{X}}_i$, ${\tilde{Y}}_i$, ${\tilde{Z}}_i$, ${\tilde{U}}_i$, ${\tilde{V}}_i$, ${\tilde{V}}_{0,i}$, ${\tilde{V}}_{1,i}$ and ${\tilde{V}}_{2,i}$ be the random vectors for block i ($1\le i\le n$). Define $X^n=({\tilde{X}}_1,\dots ,{\tilde{X}}_n)$, and similar convention is applied to $Y^n$, $Z^n$, $U^n$, $V^n$, $V_0^n$, $V_1^n$ and $V_2^n$. The specific values of the above random vectors are denoted by lower case letters.

Code construction:

• In each block i ($1\le i\le n$), randomly produce $2^{N(R_0+{\tilde{R}}_0)}$ i.i.d. sequences ${\tilde{u}}_i$ according to the probability $P(u)$, and index them as ${\tilde{u}}_i(w_{0,i},w_{0,0,i}^{\ast },w_{0,1,i}^{\ast },w_{0,2,i}^{\ast })$, where $w_{0,i}\in \{1,2,\dots ,2^{N{R}_0}\}$, $w_{0,0,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,0}}\}$, $w_{0,1,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,1}}\}$ and $w_{0,2,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,2}}\}$. Here note that ${\tilde{R}}_{0,0}+{\tilde{R}}_{0,1}+{\tilde{R}}_{0,2}={\tilde{R}}_0$.
• For a given ${\tilde{u}}_i(w_{0,i},w_{0,0,i}^{\ast },w_{0,1,i}^{\ast },w_{0,2,i}^{\ast })$, randomly produce $2^{N(R_1+R^{{}^{\prime }}+{\tilde{R}}_1)}$ i.i.d. sequences ${\tilde{v}}_i$ according to the conditional probability $P(v|u)$, and index them as ${\tilde{v}}_i(w_{1,1,i},w_{1,2,i},w_i^{{}^{\prime }},w_{1,0,i}^{\ast },w_{1,1,i}^{\ast })$, where $w_{1,1,i}\in \{1,2,\dots ,2^{N{R}_{1,1}}\}$, $w_{1,2,i}\in \{1,2,\dots ,2^{N{R}_{1,2}}\}$, $w_i^{{}^{\prime }}\in \{1,2,\dots ,2^{N{R}^{{}^{\prime }}}\}$, $w_{1,0,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{1,0}}\}$ and $w_{1,1,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{1,1}}\}$. Here note that $R_{1,1}+R_{1,2}=R_1$ and ${\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}={\tilde{R}}_1$.
• The sequence ${\tilde{x}}_i$ is i.i.d. produced according to a new discrete memoryless channel (DMC) with transition probability $P(x|u,v)$. The inputs and output of this new DMC are ${\tilde{u}}_i$, ${\tilde{v}}_i$ and ${\tilde{x}}_i$, respectively.
• In each block i ($1\le i\le n$), generate ${\tilde{v}}_{0,i}$ in two ways: the first way is to produce $2^{N({\tilde{R}}_{0,0}+{\tilde{R}}_0^{{}^{\prime }})}$ i.i.d. sequences ${\tilde{v}}_{0,i}$ according to the probability $P(v_0|u,v,y)$, and index them as ${\tilde{v}}_{0,i}(1;w_{0,0,i}^{\ast },w_{1,0,i}^{\ast },l_{1,0,i})$, where 1 represents the first way to define ${\tilde{v}}_{0,i}$, $w_{0,0,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,0}}\}$, $w_{1,0,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{1,0}}\}$ and $l_{1,0,i}\in \{1,2,\dots ,2^{N({\tilde{R}}_0^{{}^{\prime }}-{\tilde{R}}_{1,0})}\}$; the second way is to produce $2^{N({\tilde{R}}_{0,0}+{\tilde{R}}_0^{{}^{\prime }})}$ i.i.d. sequences ${\tilde{v}}_{0,i}$ according to the probability $P(v_0|u,v,y)$, and index them as ${\tilde{v}}_{0,i}(2;w_{0,0,i}^{\ast },l_{2,0,i})$, where 2 represents the second way to define ${\tilde{v}}_{0,i}$, $w_{0,0,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,0}}\}$, and $l_{2,0,i}\in \{1,2,\dots ,2^{N{\tilde{R}}_0^{{}^{\prime }}}\}$.
• In each block i ($1\le i\le n$), produce $2^{N({\tilde{R}}_{0,1}+{\tilde{R}}_{1,1}+{\tilde{R}}_1^{{}^{\prime }})}$ i.i.d. sequences ${\tilde{v}}_{1,i}$ according to the probability $P(v_1|u,v,y)$, and index them as ${\tilde{v}}_{1,i}(w_{0,1,i}^{\ast },w_{1,1,i}^{\ast },l_{1,i})$, where $w_{0,1,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,1}}\}$, $w_{1,1,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{1,1}}\}$ and $l_{1,i}\in \{1,2,\dots ,2^{N{\tilde{R}}_1^{{}^{\prime }}}\}$.
• In each block i ($1\le i\le n$), produce $2^{N({\tilde{R}}_{0,2}+{\tilde{R}}_2^{{}^{\prime }})}$ i.i.d. sequences ${\tilde{v}}_{2,i}$ according to the probability $P(v_2|u,v,y)$, and index them as ${\tilde{v}}_{2,i}(w_{0,2,i}^{\ast },l_{2,i})$, where $w_{0,2,i}^{\ast }\in \{1,2,\dots ,2^{N{\tilde{R}}_{0,2}}\}$ and $l_{2,i}\in \{1,2,\dots ,2^{N{\tilde{R}}_2^{{}^{\prime }}}\}$.

Encoding scheme:

• In block 1, the transmitter chooses ${\tilde{u}}_1(w_{0,1},1,1,1)$ and ${\tilde{v}}_1(w_{1,1,1},w_{1,2,1}=1,w_1^{{}^{\prime }},1,1)$ to transmit.
• In block i ($2\le i\le n-1$), the transmitter receives the feedback ${\tilde{y}}_{i-1}$, and he tries to select a pair of sequences $({\tilde{v}}_{0,i-1},{\tilde{v}}_{1,i-1})$ such that $({\tilde{v}}_{0,i-1}(1;w_{0,0,i-1}^{\ast },w_{1,0,i-1}^{\ast },l_{1,0,i-1}),{\tilde{v}}_{1,i-1}(w_{0,1,i-1}^{\ast },w_{1,1,i-1}^{\ast },l_{1,i-1}),{\tilde{u}}_{i-1},{\tilde{v}}_{i-1},{\tilde{y}}_{i-1})$ are jointly typical sequences. If there are more than one pair $({\tilde{v}}_{0,i-1},{\tilde{v}}_{1,i-1})$, randomly choose one; if there is no such pair, an error is declared. Based on Lemma A1, it is easy to see that the error probability goes to 0 if

  $$\begin{array}{c}{\tilde{R}}_{0,0}+{\tilde{R}}_0^{{}^{\prime }}\ge I(V_0;U,V,Y),\hfill \end{array}$$

  (A3)

  $$\begin{array}{c}{\tilde{R}}_{0,1}+{\tilde{R}}_{1,1}+{\tilde{R}}_1^{{}^{\prime }}\ge I(V_1;U,V,Y,V_0).\hfill \end{array}$$

  (A4)
  Moreover, the transmitter also tries to select a pair of sequences $({\tilde{v}}_{0,i-1},{\tilde{v}}_{2,i-1})$ such that $({\tilde{v}}_{0,i-1}(2;w_{0,0,i-1}^{\ast },l_{2,0,i-1}),{\tilde{v}}_{2,i-1}(w_{0,2,i-1}^{\ast },l_{2,i-1}),{\tilde{u}}_{i-1},{\tilde{v}}_{i-1},{\tilde{y}}_{i-1})$ are jointly typical sequences. If there are more than one pair $({\tilde{v}}_{0,i-1},{\tilde{v}}_{2,i-1})$, randomly choose one; if there is no such pair, an error is declared. Based on Lemma A1, it is easy to see that the error probability goes to 0 if (A3) and

  $$\begin{array}{c}{\tilde{R}}_{0,2}+{\tilde{R}}_2^{{}^{\prime }}\ge I(V_2;U,V,Y,V_0)\hfill \end{array}$$

  (A5)

  hold. Once the transmitter selects such pairs $({\tilde{v}}_{0,i-1},{\tilde{v}}_{1,i-1})$ and $({\tilde{v}}_{0,i-1},{\tilde{v}}_{2,i-1})$, he chooses ${\tilde{u}}_i(w_{0,i},w_{0,0,i-1}^{\ast },w_{0,1,i-1}^{\ast },w_{0,2,i-1}^{\ast })$ to transmit.
  Before choosing the transmitted codeword ${\tilde{v}}_i$, produce a mapping $g_i:{\tilde{y}}_{i-1}\to \{1,2,\dots ,2^{N{R}_{1,2}}\}$. Furthermore, we define $K_i=g_i({\tilde{Y}}_{i-1})$ as a random variable uniformly distributed over $\{1,2,\dots ,2^{N{R}_{1,2}}\}$, and it is independent of all the random vectors and messages of block i. Here note that $K_i$ is the secret key known by the transmitter and the legitimate receiver, and $k_i=g_i({\tilde{y}}_{i-1})\in \{1,2,\dots ,2^{N{R}_2}\}$ is a specific value of $K_i$. Reveal the mapping $g_i$ to the transmitters, legitimate receiver and the wiretapper. Once the transmitter finds a pair $({\tilde{v}}_{0,i-1},{\tilde{v}}_{1,i-1})$ such that $({\tilde{v}}_{0,i-1}(1;w_{0,0,i-1}^{\ast },w_{1,0,i-1}^{\ast },l_{1,0,i-1}),{\tilde{v}}_{1,i-1}(w_{0,1,i-1}^{\ast },w_{1,1,i-1}^{\ast },l_{1,i-1}),{\tilde{u}}_{i-1},{\tilde{v}}_{i-1},{\tilde{y}}_{i-1})$ are jointly typical sequences, and finds a pair $({\tilde{v}}_{0,i-1},{\tilde{v}}_{2,i-1})$ such that $({\tilde{v}}_{0,i-1}(2;w_{0,0,i-1}^{\ast },l_{2,0,i-1}),{\tilde{v}}_{2,i-1}(w_{0,2,i-1}^{\ast },l_{2,i-1}),{\tilde{u}}_{i-1},{\tilde{v}}_{i-1},{\tilde{y}}_{i-1})$ are jointly typical sequences, he chooses ${\tilde{v}}_i(w_{1,1,i},w_{1,2,i}\oplus k_i,w_i^{{}^{\prime }},w_{1,0,i-1}^{\ast },w_{1,1,i-1}^{\ast })$ to transmit.
• In block n, the transmitter receives ${\tilde{y}}_{n-1}$, and he finds a pair $({\tilde{v}}_{0,n-1},{\tilde{v}}_{1,n-1})$ such that $({\tilde{v}}_{0,n-1}(1;w_{0,0,n-1}^{\ast },w_{1,0,n-1}^{\ast },l_{1,0,n-1}),{\tilde{v}}_{1,n-1}(w_{0,1,n-1}^{\ast },w_{1,1,n-1}^{\ast },l_{1,n-1}),{\tilde{u}}_{n-1},{\tilde{v}}_{n-1},{\tilde{y}}_{n-1})$ are jointly typical sequences. Moreover, he also finds a pair $({\tilde{v}}_{0,n-1},{\tilde{v}}_{2,n-1})$ such that $({\tilde{v}}_{0,n-1}(2;w_{0,0,n-1}^{\ast },l_{2,0,n-1}),{\tilde{v}}_{2,n-1}(w_{0,2,n-1}^{\ast },l_{2,n-1}),{\tilde{u}}_{n-1},{\tilde{v}}_{n-1},{\tilde{y}}_{n-1})$ are jointly typical sequences. Then he chooses ${\tilde{u}}_n(1,w_{0,0,n-1}^{\ast },w_{0,1,n-1}^{\ast },w_{0,2,n-1}^{\ast })$ and ${\tilde{v}}_n(1,1,1,w_{1,0,n-1}^{\ast },w_{1,1,n-1}^{\ast })$ to transmit.

Decoding scheme for the legitimate receiver: The legitimate receiver does backward decoding after the transmission of all n blocks is finished. For block n, first, he tries to select a unique ${\tilde{u}}_n$ such that $({\tilde{u}}_n,{\tilde{y}}_n)$ are jointly typical. If there is no ${\tilde{u}}_n$ or multiple ones exist, an decoding error is declared. Using Lemma A2, the error probability goes to 0 if

$$\begin{array}{c}{\tilde{R}}_{0,0}+{\tilde{R}}_{0,1}+{\tilde{R}}_{0,2}\le I(U;Y).\hfill \end{array}$$

(A6)

Then, he tries to select a unique ${\tilde{v}}_n$ such that $({\tilde{u}}_n,{\tilde{v}}_n,{\tilde{y}}_n)$ are jointly typical. If there is no ${\tilde{v}}_n$ or multiple ones exist, an decoding error is declared. Using Lemma A2, the error probability goes to 0 if

$$\begin{array}{c}{\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}\le I(V;Y|U).\hfill \end{array}$$

(A7)

When ${\tilde{u}}_n$ and ${\tilde{v}}_n$ are successfully decoded, the legitimate receiver extracts $w_{0,0,n-1}^{\ast }$, $w_{0,1,n-1}^{\ast }$, $w_{0,2,n-1}^{\ast }$, $w_{1,0,n-1}^{\ast }$, $w_{1,1,n-1}^{\ast }$ from them. Then using Wyner-Ziv’s decoding scheme [8] for the source coding with side information, the legitimate receiver tries to find unique ${\tilde{v}}_{0,n-1}$ and ${\tilde{v}}_{1,n-1}$ such that given $w_{0,0,n-1}^{\ast }$, $w_{0,1,n-1}^{\ast }$, $w_{0,2,n-1}^{\ast }$, $w_{1,0,n-1}^{\ast }$ and $w_{1,1,n-1}^{\ast }$, $({\tilde{v}}_{0,n-1},{\tilde{v}}_{1,n-1},{\tilde{y}}_{n-1})$ are jointly typical sequences. If there is no ${\tilde{v}}_{1,n-1}$ or multiple ones exist, an decoding error is declared. Based on Lemma A2 and Lemma A3, the error probability goes to 0 if

$$\begin{array}{c}{\tilde{R}}_1^{{}^{\prime }}\le I(V_1;V_0,Y),\hfill \end{array}$$

(A8)

$$\begin{array}{c}{\tilde{R}}_1^{{}^{\prime }}+{\tilde{R}}_0^{{}^{\prime }}-{\tilde{R}}_{1,0}\le I(V_0;Y)+I(V_1;V_0,Y).\hfill \end{array}$$

(A9)

For block $n-1$, after ${\tilde{v}}_{1,n-1}$ is successfully decoded, the legitimate receiver tries to select a unique ${\tilde{u}}_{n-1}$ such that $({\tilde{u}}_{n-1},{\tilde{y}}_{n-1},{\tilde{v}}_{1,n-1})$ are jointly typical. Based on Lemma A2, the error probability goes to 0 if

$$\begin{array}{c}{R}_0+{\tilde{R}}_0\le I(U;Y,V_1).\hfill \end{array}$$

(A10)

Then he tries to select a unique ${\tilde{v}}_{n-1}$ such that $({\tilde{u}}_{n-1},{\tilde{v}}_{n-1},{\tilde{y}}_{n-1},{\tilde{v}}_{1,n-1})$ are jointly typical. If there is no ${\tilde{v}}_{n-1}$ or multiple ones exist, an decoding error is declared. Using Lemma A2, the error probability goes to 0 if

$$\begin{array}{c}{R}_{1,1}+R_{1,2}+R^{{}^{\prime }}+{\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}\le I(V;Y,V_1|U).\hfill \end{array}$$

(A11)

When ${\tilde{u}}_{n-1}$ and ${\tilde{v}}_{n-1}$ are successfully decoded, the legitimate receiver extracts $w_{0,n-1}$, $w_{1,1,n-1}$, $w_{1,2,n-1}\oplus k_{n-1}$, $w_{n-1}^{{}^{\prime }}$, $w_{0,0,n-2}^{\ast }$, $w_{0,1,n-2}^{\ast }$, $w_{0,2,n-2}^{\ast }$, $w_{1,0,n-2}^{\ast }$ and $w_{1,1,n-2}^{\ast }$ from it. Since the legitimate receiver knows the key $k_{n-1}=g_{n-1}({\tilde{y}}_{n-2})$, the transmitted messages $w_{0,n-1}$, $w_{1,1,n-1}$ and $w_{1,2,n-1}$ for block $n-1$ are obtained. Repeat the above decoding scheme, the entire transmitted messages for all blocks are obtained by the legitimate receiver.

Decoding scheme for the wiretapper: The wiretapper also does backward decoding after the transmission of all n blocks is finished. For block n, first, he tries to select a unique ${\tilde{u}}_n$ such that $({\tilde{u}}_n,{\tilde{z}}_n)$ are jointly typical. If there is no ${\tilde{u}}_n$ or multiple ones exist, an decoding error is declared. Using Lemma A2, the error probability goes to 0 if

$$\begin{array}{c}{\tilde{R}}_{0,0}+{\tilde{R}}_{0,1}+{\tilde{R}}_{0,2}\le I(U;Z).\hfill \end{array}$$

(A12)

When ${\tilde{u}}_n$ is successfully decoded, the wiretapper extracts $w_{0,0,n-1}^{\ast }$, $w_{0,1,n-1}^{\ast }$ and $w_{0,2,n-1}^{\ast }$ from them. Then using Wyner-Ziv’s decoding scheme [8] for the source coding with side information, the wiretapper tries to find unique ${\tilde{v}}_{0,n-1}$ and ${\tilde{v}}_{2,n-1}$ such that given $w_{0,0,n-1}^{\ast }$, $w_{0,1,n-1}^{\ast }$ and $w_{0,2,n-1}^{\ast }$, $({\tilde{v}}_{0,n-1},{\tilde{v}}_{2,n-1},{\tilde{z}}_{n-1})$ are jointly typical sequences. If there is no ${\tilde{v}}_{2,n-1}$ or multiple ones exist, an decoding error is declared. Based on Lemma A2 and Lemma A3, the error probability goes to 0 if

$$\begin{array}{c}{\tilde{R}}_2^{{}^{\prime }}\le I(V_2;V_0,Z),\hfill \end{array}$$

(A13)

$$\begin{array}{c}{\tilde{R}}_2^{{}^{\prime }}+{\tilde{R}}_0^{{}^{\prime }}\le I(V_0;Z)+I(V_2;V_0,Z).\hfill \end{array}$$

(A14)

For block $n-1$, after ${\tilde{v}}_{2,n-1}$ is successfully decoded, the wiretapper tries to select a unique ${\tilde{u}}_{n-1}$ such that $({\tilde{u}}_{n-1},{\tilde{z}}_{n-1},{\tilde{v}}_{2,n-1})$ are jointly typical. Based on Lemma A2, the error probability goes to 0 if

$$\begin{array}{c}{R}_0+{\tilde{R}}_0\le I(U;Z,V_2).\hfill \end{array}$$

(A15)

When ${\tilde{u}}_{n-1}$ is successfully decoded, the legitimate receiver extracts $w_{0,n-1}$, $w_{0,0,n-2}^{\ast }$, $w_{0,1,n-2}^{\ast }$ and $w_{0,2,n-2}^{\ast }$ from it. Repeat the above decoding scheme, the entire common messages for all blocks are obtained by the wiretapper.

Appendix A.3. Equivocation Analysis

For all blocks, the equivocation $\Delta$ is bounded by

$$\begin{array}{c}\Delta =\frac{1}{nN}H(W_0,W_1|Z^n)\ge \frac{1}{nN}H(W_1|Z^n,W_0)\hfill \\ \stackrel{(a)}{=}\frac{1}{nN}(H(W_{11}|Z^n,W_0)+H(W_{12}|Z^n,W_0,W_{11})),\hfill \end{array}$$

(A16)

where (a) is from the definitions $W_{11}=(W_{1,1,1},\dots ,W_{1,1,n})$ and $W_{12}=(W_{1,2,1},\dots ,W_{1,2,n})$.

The first part $H(W_{11}|Z^n,W_0)$ of (A16) can be lower bounded by

$$\begin{array}{c}H(W_{11}|Z^n,W_0)\ge H(W_{11}|Z^n,W_0,U^n,V_2^n)\hfill \\ \stackrel{(b)}{=}H(W_{11}|Z^n,U^n,V_2^n)\hfill \\ =H(W_{11},Z^n,U^n,V_2^n)-H(Z^n,U^n,V_2^n)\hfill \\ =H(W_{11},Z^n,U^n,V_2^n,V^n)-H(V^n|W_{11},Z^n,U^n,V_2^n)-H(Z^n,U^n,V_2^n)\hfill \\ \stackrel{(c)}{=}H(Z^n,V_2^n|U^n,V^n)+H(U^n,V^n)-H(V^n|W_{11},Z^n,U^n,V_2^n)-H(Z^n,V_2^n|U^n)-H(U^n)\hfill \\ =H(V^n|U^n)-H(V^n|W_{11},Z^n,U^n,V_2^n)-I(Z^n,V_2^n;V^n|U^n)\hfill \\ \stackrel{(d)}{=}(n-1)N{R}_{1,1}+(n-2)N{R}_{1,2}+(n-1)N{R}^{{}^{\prime }}+(n-1)N({\tilde{R}}_{1,0}+{\tilde{R}}_{1,1})\hfill \\ -H(V^n|W_{11},Z^n,U^n,V_2^n)-I(Z^n,V_2^n;V^n|U^n)\hfill \\ \stackrel{(e)}{\ge }(n-1)N{R}_{1,1}+(n-2)N{R}_{1,2}+(n-1)N{R}^{{}^{\prime }}+(n-1)N({\tilde{R}}_{1,0}+{\tilde{R}}_{1,1})\hfill \\ -nNI(V;Z,V_2|U)-H(V^n|W_{11},Z^n,U^n,V_2^n)\hfill \\ \stackrel{(f)}{\ge }(n-1)N{R}_{1,1}+(n-2)N{R}_{1,2}+(n-1)N{R}^{{}^{\prime }}+(n-1)N({\tilde{R}}_{1,0}+{\tilde{R}}_{1,1})\hfill \\ -nNII(V;Z,V_2|U)-nN{ϵ}^{{}^{\prime }},\hfill \end{array}$$

(A17)

where (b) is from $H(W_0|U^n)=0$, (c) is from $H(W_{11}|V^n)=0$, (d) is from the construction of $U^n$ and $V^n$, (e) is from the fact that the channel is memoryless, and (f) is from the fact that given $w_{11}$, $u^n$, $v_2^n$ and $z^n$, the wiretapper tries to select unique $v^n$ such that $(v^n,z^n,v_2^n,u^n)$ are jointly typical, and based on Lemma A2, the wiretapper’s decoding error probability tends to 0 if

$$\begin{array}{c}{R}_{1,2}+R^{{}^{\prime }}+{\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}\le I(V;Z,V_2|U),\hfill \end{array}$$

(A18)

then using Fano’s inequality, we have $\frac{1}{nN}H(V^n|W_{11},Z^n,U^n,V_2^n)\le {ϵ}^{{}^{\prime }}$, where ${ϵ}^{{}^{\prime }}\to 0$ as $n,N\to \infty$.

Moreover, the second part $H(W_{12}|Z^n,W_0,W_{11})$ of (A16) can be lower bounded by

$$\begin{array}{c}H(W_{12}|Z^n,W_0,W_{11})\hfill \\ \ge \sum _{i=2}^{n-1}H(W_{1,2,i}|Z^n,W_0,W_{11},W_{1,2,1}=1,\dots ,W_{1,2,i-1},W_{1,2,i}\oplus K_i)\hfill \\ \stackrel{(g)}{=}\sum _{i=2}^{n-1}H(W_{1,2,i}|{\tilde{Z}}_{i-1},W_{1,2,i}\oplus K_i)\hfill \\ \ge \sum _{i=2}^{n-1}H(W_{1,2,i}|{\tilde{Z}}_{i-1},{\tilde{U}}_{i-1},W_{1,2,i}\oplus K_i)\hfill \\ =\sum _{i=2}^{n-1}H(K_i|{\tilde{Z}}_{i-1},{\tilde{U}}_{i-1},W_{1,2,i}\oplus K_i)\hfill \\ \stackrel{(f)}{=}\sum _{i=2}^{n-1}H(K_i|{\tilde{Z}}_{i-1},{\tilde{U}}_{i-1})\hfill \\ \ge \sum _{i=2}^{n-1}H(K_i|{\tilde{Z}}_{i-1},{\tilde{U}}_{i-1},{\tilde{V}}_{i-1},{\tilde{V}}_{2,i-1}),\hfill \end{array}$$

(A19)

where (e) is from the Markov chain $W_{1,2,i}\to ({\tilde{Z}}_{i-1},W_{1,2,i}\oplus K_i)\to (W_0,W_{11},W_{1,2,1},\dots ,W_{1,2,i-1},{\tilde{Z}}_1,\dots ,{\tilde{Z}}_{i-2},{\tilde{Z}}_i,\dots ,{\tilde{Z}}_n)$, (f) is from $K_i\to ({\tilde{Z}}_{i-1},{\tilde{U}}_{i-1})\to W_{1,2,i}\oplus K_i$. Now it remains to bound $H(K_i|{\tilde{Z}}_{i-1},{\tilde{U}}_{i-1},{\tilde{V}}_{i-1},{\tilde{V}}_{2,i-1})$ in (A19), see the followings.

From Lemma A4 and (A2), we know that the typical set $T_{P(y|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)$ maps into at least $\frac{\gamma }{1+\delta }$ colors. Choosing $\gamma =|T_{P(y|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|$ and notice that

$$\begin{array}{c}|T_{P(y|z,u,v,v_2)}^N(z^N,u^N,v^N,v_2^N)|\hfill \\ \ge (1-{ϵ}_1)2^{N(1-{ϵ}_2)H(Y|U,V,V_2,Z)},\hfill \end{array}$$

(A20)

where ${ϵ}_1,{ϵ}_2\to 0$ as $N\to \infty$, thus we can conclude that

$$\begin{array}{ccc}\hfill H(K_i|{\tilde{Z}}_{i-1},{\tilde{U}}_{i-1},{\tilde{V}}_{i-1},{\tilde{V}}_{2,i-1})& \ge & log\frac{\gamma }{1+\delta }\hfill \\ & \ge & log\frac{1-{ϵ}_1}{1+\delta }+N(1-{ϵ}_2)H(Y|U,V,V_2,Z).\hfill \end{array}$$

(A21)

Substituting (A21) into (A19), we have

$$\begin{array}{c}H(W_{12}|Z^n,W_0,W_{11})\ge (n-2)log\frac{1-{ϵ}_1}{1+\delta }+(n-2)N(1-{ϵ}_2)H(Y|U,V,V_2,Z).\hfill \end{array}$$

(A22)

Finally, substituting (A17) and (A22) into (A16), we have

$$\begin{array}{c}\Delta \ge \frac{n-1}{n}(R_{1,1}+R^{{}^{\prime }}+{\tilde{R}}_{1,0}+{\tilde{R}}_{1,1})+\frac{n-2}{n}{R}_{1,2}-I(V;Z,V_2|U)-{ϵ}^{{}^{\prime }}\hfill \\ +\frac{n-2}{nN}log\frac{1-{ϵ}_1}{1+\delta }+\frac{n-2}{n}(1-{ϵ}_2)H(Y|U,V,V_2,Z).\hfill \end{array}$$

(A23)

The bound (A23) implies that if

$$\begin{array}{c}{R}^{{}^{\prime }}+{\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}\ge I(V;Z,V_2|U)-H(Y|U,V,V_2,Z)\hfill \end{array}$$

(A24)

we can prove that $\Delta \ge R_{1,1}+R_{1,2}-ϵ$ by choosing sufficiently large n and N.

The achievable secrecy rate region can be obtained from (A3), (A4), (A5), (A6), (A7), (A8), (A9), (A10), (A11), (A12), (A13), (A14), (A15), (A18) and (A24). To be specific, first, using ${\tilde{R}}_0={\tilde{R}}_{0,0}+{\tilde{R}}_{0,1}+{\tilde{R}}_{0,2}$, ${\tilde{R}}_1={\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}$, the Markov chain $(V_0,V_1,V_2)\to (U,V,Y)\to (Y,Z)$, and applying Fourier-Motzkin elimination to eliminate ${\tilde{R}}_{0,0}$, ${\tilde{R}}_{0,1}$, ${\tilde{R}}_{0,2}$, ${\tilde{R}}_{1,0}$, ${\tilde{R}}_{1,1}$, ${\tilde{R}}_0^{{}^{\prime }}$, ${\tilde{R}}_1^{{}^{\prime }}$ and ${\tilde{R}}_2^{{}^{\prime }}$ from (A3), (A4), (A5), (A6), (A7), (A8), (A9), (A12), (A13) and (A14), we have

$$\begin{array}{c}{\tilde{R}}_0\ge I(U,V,Y;V_0,V_2|Z),\hfill \end{array}$$

(A25)

$$\begin{array}{ccc}\hfill {\tilde{R}}_0+{\tilde{R}}_1& \ge & I(U,V,Y;V_1|V_0,Y)+I(U,V,Y;V_2|V_0,Z)\hfill \\ & +& max\{I(V_0;U,V,Y|Y),I(V_0;U,V,Y|Z)\}.\hfill \end{array}$$

(A26)

Then, using $R_1=R_{1,1}+R_{1,2}$, ${\tilde{R}}_1={\tilde{R}}_{1,0}+{\tilde{R}}_{1,1}$, and applying Fourier-Motzkin elimination to eliminate $R_{1,1}$, $R_{1,2}$, ${\tilde{R}}_{1,0}$, ${\tilde{R}}_{1,1}$, $R^{{}^{\prime }}$ from (A10), (A11), (A15), (A18), (A24), (A25) and (A26), the achievable secrecy rate region $C_s^{f-new}$ in Theorem 1 is obtained. The proof of Theorem 1 is completed.