Strong Secrecy on a Class of Degraded Broadcast Channels Using Polar Codes

Asymptotic secrecy-capacity-achieving polar coding schemes are proposed for the memoryless degraded broadcast channel under two different sets of reliability and secrecy requirements: layered decoding or layered secrecy. In these settings, the transmitter wishes to send multiple messages to a set of legitimate receivers while keeping them masked from a set of eavesdroppers. The layered decoding structure requires receivers with better channel quality to reliably decode more messages, while the layered secrecy structure requires eavesdroppers with worse channel quality to be kept ignorant of more messages. Practical constructions of the proposed polar coding schemes are discussed, and their performance is evaluated by means of simulations.


Introduction
Information-theoretic security over noisy channels was introduced by Wyner in [1], which characterized the secrecy-capacity of the degraded wiretap channel. Later, Csiszár and Körner [2] generalized Wyner's results to the general wiretap channel. In these settings, one transmitter wishes to reliably send one message to a legitimate receiver while keeping it secret from an eavesdropper, where secrecy is defined as a condition on some fully quantifiable information-theoretic measure. One such measure is the information leakage, defined as the mutual information I(W; Z^n) between a uniformly-distributed random message W and the channel observations Z^n at the eavesdropper, n being the number of uses of the channel. Based on this measure, the most common secrecy conditions required of channel codes are weak secrecy, which requires lim_{n→∞} (1/n) I(W; Z^n) = 0, and strong secrecy, which requires lim_{n→∞} I(W; Z^n) = 0. Although the second notion of security is stronger, surprisingly, both secrecy conditions result in the same secrecy-capacity region [3].
In the last decade, information-theoretic security has been extended to a large variety of contexts, and this paper focuses on two different classes of discrete memoryless Degraded Broadcast Channels (DBC) surveyed in [4]: (a) with Non-Layered Decoding and Layered Secrecy (DBC-NLD-LS) and (b) with Layered Decoding and Non-Layered Secrecy (DBC-LD-NLS). In these models, the transmitter wishes to send a set of messages through the DBC, and each message must be reliably decoded by a particular set of receivers and kept masked from a particular set of eavesdroppers. The degradedness condition of the channel implies that individual channels can be ordered based on the quality of their received signals. The layered decoding structure requires receivers with better channel quality to reliably decode more messages, while the layered secrecy requires eavesdroppers with worse channel quality to be kept ignorant of more messages.
The capacity region of these models was first characterized in [4][5][6]. However, the achievable schemes used by these works rely on random coding arguments that are nonconstructive in practice.
In this sense, the purpose of this paper is to provide coding schemes based on polar codes, which were originally proposed by Arikan [7] to achieve the capacity of binary-input, symmetric, point-to-point channels under Successive Cancellation (SC) decoding. Capacity-achieving polar codes for the binary symmetric degraded wiretap channel were introduced in [8,9], satisfying the weak and the strong secrecy condition, respectively. Recently, polar coding has been extended to the general wiretap channel in [10][11][12][13]. Indeed, [12,13] generalize their results by providing polar coding schemes for the broadcast channel with confidential messages, and [11] also proposes polar coding strategies to achieve the best-known inner bounds on the secrecy-capacity region of some multi-user settings.
Although recent literature has proven the existence of different secrecy-capacity achieving polar coding schemes for multi-user scenarios (for instance, see [11][12][13][14][15][16][17][18]), polar codes for the two models on which this paper is focused have, as far as we know, not been analyzed yet. As mentioned in [4], these settings capture practical scenarios in wireless systems, in which channels can be ordered based on the quality of the received signals (for example, Gaussian channels are degraded). Hence, the ultimate goal of this work is not only to prove the existence of two asymptotic secrecy-capacity achieving polar coding schemes for these models under the strong secrecy condition, but also to discuss their practical construction and evaluate their performance for a finite blocklength by means of simulations.

Relation to Prior Work
A good overview of the similarities and differences between the polar codes proposed in [10][11][12][13] for the general wiretap channel can be found in [13] (Figure 1). The polar coding schemes proposed in this paper are mainly based on those introduced in [13], for the following reasons:

• To provide strong secrecy. Despite both weak and strong secrecy conditions resulting in the same secrecy-capacity region, the weak secrecy requirement can result in important system vulnerabilities in practical applications [19] (Section 3.3).

• To provide polar coding schemes that are implementable in practice. Notice in [13] (Figure 1) that the coding scheme presented in [10] relies on a construction for which no efficient code is presently known. Moreover, the polar coding scheme in [12] relies on the existence, through averaging, of certain deterministic mappings for the encoding/decoding process.
As in [13], our polar coding schemes are fully explicit. However, to provide strong secrecy and reliability simultaneously, the transmitter and the legitimate receivers need to share a secret key of negligible size in terms of rate, and the distribution induced by the encoder must be close, in terms of statistical distance, to the one considered for the code construction. Moreover, we adapt the deterministic SC encoder of [20] to our channel models and show that it performs well in practice. As concluded in [20], this deterministic SC encoder avoids the need to draw large sequences according to specific distributions at the encoder, which can be useful in communication systems requiring low complexity at the transmitter.
In [13] (Remark 3), the authors highlight the connection between polar code constructions and random binning proofs that allows them to apply their designs to different problems in network information theory. Nevertheless, in our polar coding schemes, the chaining construction used in [13] is not needed because of the degradedness condition of the channels, and consequently, we can introduce small changes in the design in order to make our proposed coding schemes more practical. In this sense, we assume that a source of common randomness is accessible to all parties, which allows the transmitter to send secret information in just one block of size n by only using a secret key with negligible size in terms of rate. Despite this common randomness being available to the eavesdroppers, no information will be leaked about the messages. Moreover, if we consider a communication system requiring transmissions over several blocks of size n, the same realization of this source of common randomness can be used at each block without compromising the strong secrecy condition.

Degraded Broadcast Channel with Non-Layered Decoding and Layered Secrecy
In this model (see Figure 1), the transmitter wishes to send M messages {W_m}_{m=1}^M to the K legitimate receivers. The non-layered decoding structure requires the legitimate receiver k ∈ [1, K] to reliably decode all M messages, and the layered secrecy structure requires the eavesdropper m ∈ [1, M] to be kept ignorant of the messages {W_i}_{i=m}^M. Consider a (2^{nR_1}, ..., 2^{nR_M}, n) code for the DBC-NLD-LS, where W_m ∈ [2^{nR_m}] for any m ∈ [1, M]. The reliability condition to be satisfied by this code is measured in terms of the average probability of error at each legitimate receiver and is given by:

lim_{n→∞} P[(Ŵ_1, ..., Ŵ_M) ≠ (W_1, ..., W_M)] = 0, for any legitimate receiver k ∈ [1, K]. (2)

On the other hand, the strong secrecy condition to be satisfied by the code is measured in terms of the information leakage at each eavesdropper and is given by Equation (3). A tuple of rates (R_1, ..., R_M) ∈ R_+^M is achievable for the DBC-NLD-LS if there exists a sequence of (2^{nR_1}, ..., 2^{nR_M}, n) codes satisfying Equations (2) and (3).

Proposition 1 (adapted from [4,5]). The achievable region of the DBC-NLD-LS is the union of all M-tuples of rates (R_1, ..., R_M) ∈ R_+^M satisfying the following inequalities, where the union is taken over all distributions p_X.
The proof for the case of only one legitimate receiver, in the context of the fading wiretap channel, is provided in [5], where the information-theoretic achievable scheme is based on embedded coding, stochastic encoding and rate sharing. Due to the degradedness condition in Equation (1), by applying the data processing inequality and Fano's inequality, an achievable scheme ensuring the reliability condition in Equation (2) for legitimate Receiver 1 will satisfy it for any legitimate receiver k ∈ [2, K].
Corollary 1. The achievable subregion of the DBC-NLD-LS without considering rate sharing is an M-orthotope defined by the closure of all M-tuples of rates (R_1, ..., R_M) ∈ R_+^M satisfying:

Degraded Broadcast Channel with Layered Decoding and Non-Layered Secrecy
In this model (see Figure 2), the transmitter wishes to send K messages {W_ℓ}_{ℓ=1}^K to the K legitimate receivers. The layered decoding structure requires the legitimate receiver k ∈ [1, K] to reliably decode the messages {W_ℓ}_{ℓ=1}^k, and the non-layered secrecy structure requires the eavesdropper m ∈ [1, M] to be kept ignorant of all K messages. Consider a (2^{nR_1}, ..., 2^{nR_K}, n) code for the DBC-LD-NLS, where W_ℓ ∈ [2^{nR_ℓ}] for any ℓ ∈ [1, K]. The reliability condition to be satisfied by this code is:

lim_{n→∞} P[(Ŵ_1, ..., Ŵ_{k−1}, Ŵ_k) ≠ (W_1, ..., W_{k−1}, W_k)] = 0, for the legitimate receiver k ∈ [1, K], (4)

and the strong secrecy condition is given by Equation (5). A tuple of rates (R_1, ..., R_K) ∈ R_+^K is achievable for the DBC-LD-NLS if there exists a sequence of (2^{nR_1}, ..., 2^{nR_K}, n) codes satisfying Equations (4) and (5).

Proposition 2 (adapted from [4,6]). The achievable region of the DBC-LD-NLS is the union of all K-tuples of rates (R_1, ..., R_K) ∈ R_+^K satisfying the following inequalities, where V_0 ≜ ∅ and V_K ≜ X, and the union is taken over all distributions p_{V_1 ...}.
The proof for the case of only one eavesdropper is provided in [6], where the information-theoretic achievable scheme is based on superposition coding, stochastic encoding and rate sharing. Due to the degradedness condition of Equation (1), note that any achievable scheme ensuring the strong secrecy condition in Equation (5) for the eavesdropper M will also satisfy it for any eavesdropper m ∈ [1, M − 1].

Corollary 2. The achievable subregion of the DBC-LD-NLS without considering rate sharing is a K-orthotope defined by the closure of all K-tuples of rates (R_1, ..., R_K) ∈ R_+^K satisfying:

Review of Polar Codes
Let (X × Y, p_{XY}) be a Discrete Memoryless Source (DMS), where X ∈ {0, 1} (see Endnote [24], which refers to References [25,26]) and Y ∈ Y. The polar transform of the n-sequence X^n, n being any power of two, is defined as U^n ≜ X^n G_n, where G_n ≜ [1 0; 1 1]^{⊗ log₂ n} is the source polarization matrix [27]. Since G_n = G_n^{−1}, we have X^n = U^n G_n. The polarization theorem for source coding with side information [27] (Theorem 1) states that the polar transform extracts the randomness of X^n in the sense that, as n → ∞, the set of indices j ∈ [n] can be divided practically into two disjoint sets, namely H^{(n)}_{X|Y} and L^{(n)}_{X|Y}, such that U(j) for j ∈ H^{(n)}_{X|Y} is practically independent of (U^{1:j−1}, Y^n) and uniformly distributed, i.e., H(U(j)|U^{1:j−1}, Y^n) → 1, and U(j) for j ∈ L^{(n)}_{X|Y} is almost determined by (U^{1:j−1}, Y^n), i.e., H(U(j)|U^{1:j−1}, Y^n) → 0. Formally, let:

H^{(n)}_{X|Y} ≜ {j ∈ [n] : H(U(j)|U^{1:j−1}, Y^n) ≥ 1 − δ_n},
L^{(n)}_{X|Y} ≜ {j ∈ [n] : H(U(j)|U^{1:j−1}, Y^n) ≤ δ_n},

where δ_n ≜ 2^{−n^β} for some β ∈ (0, 1/2). Then, by [27] (Theorem 1), we have lim_{n→∞} (1/n)|H^{(n)}_{X|Y}| = H(X|Y) and lim_{n→∞} (1/n)|L^{(n)}_{X|Y}| = 1 − H(X|Y); that is, the number of elements that have not been polarized is asymptotically negligible in terms of rate. Furthermore, [27] (Theorem 2) states that, given U[(L^{(n)}_{X|Y})^C] and Y^n, the sequence U[L^{(n)}_{X|Y}] can be reconstructed using SC decoding with error probability in O(nδ_n). Alternatively, the previous sets can be defined based on the Bhattacharyya parameters {Z(U(j)|U^{1:j−1}, Y^n)}_{j=1}^n because both parameters polarize simultaneously [27] (Proposition 2). It is worth mentioning that both the entropy terms and the Bhattacharyya parameters required to define these sets can be obtained deterministically from p_{XY} and the algebraic properties of G_n [21][22][23].
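The polar transform and its involution property can be checked numerically. The following is a minimal sketch (the blocklength and data are arbitrary choices, not from the paper):

```python
# Sketch of the polar transform U^n = X^n G_n over GF(2), where G_n is the
# Kronecker power of the 2x2 kernel [[1, 0], [1, 1]], and a check that
# G_n is an involution (G_n = G_n^{-1}), so X^n = U^n G_n recovers X^n.
import numpy as np

def polar_matrix(n):
    """Kronecker power of the 2x2 polarization kernel; n must be a power of two."""
    G = np.array([[1, 0], [1, 1]], dtype=np.uint8)
    Gn = np.array([[1]], dtype=np.uint8)
    while Gn.shape[0] < n:
        Gn = np.kron(Gn, G)
    return Gn

n = 8
rng = np.random.default_rng(0)
x = rng.integers(0, 2, size=n, dtype=np.uint8)
Gn = polar_matrix(n)
u = x @ Gn % 2          # polar transform
x_back = u @ Gn % 2     # inverse transform: G_n is its own inverse over GF(2)
assert np.array_equal(x, x_back)
```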
Similarly to H^{(n)}_{X|Y} and L^{(n)}_{X|Y}, the sets H^{(n)}_X and L^{(n)}_X can be defined by considering that the observations Y^n are absent. A discrete memoryless channel (X, p_{Y|X}, Y) with some arbitrary p_X can be seen as a DMS (X × Y, p_X p_{Y|X}). In channel polar coding, first, we define the polarized sets from the target distribution p_X p_{Y|X} (polar construction). Then, based on these sets, the encoder somehow constructs Ũ^n and applies the inverse polar transform X̃^n = Ũ^n G_n, with distribution q̃_{X^n} (since the polar-based encoder constructs random variables that must approach the target distribution of the DMS, throughout this paper we use a tilde above random variables to emphasize this purpose). Afterwards, the transmitter sends X̃^n over the channel, which induces Ỹ^n ∼ q̃_{Y^n}. If V(q̃_{X^n Y^n}, p_{X^n Y^n}) → 0, then the receiver can reliably reconstruct Ũ[L^{(n)}_{X|Y}] from Ỹ^n and Ũ[(L^{(n)}_{X|Y})^C] by using SC decoding [28].
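For a binary erasure channel, the Bhattacharyya parameters of the synthesized channels follow the exact recursion Z⁻ = 2Z − Z² and Z⁺ = Z², so the polar construction can be sketched without the general algorithms of [21–23]. The BEC, the blocklength and the threshold below are illustrative choices, not the paper's:

```python
# Construction sketch for a BEC: compute the exact Bhattacharyya parameters of
# the n synthesized channels and threshold them with delta_n to obtain the
# high/low-entropy index sets of the polarization theorem.

def bec_bhattacharyya(n, z):
    """Exact Bhattacharyya parameters of the n synthesized channels of a BEC(z)."""
    if n == 1:
        return [z]
    return bec_bhattacharyya(n // 2, 2*z - z*z) + bec_bhattacharyya(n // 2, z*z)

n, eps, beta = 1024, 0.4, 0.25
delta_n = 2 ** (-(n ** beta))
z = bec_bhattacharyya(n, eps)
high = {j for j, zj in enumerate(z) if zj >= 1 - delta_n}  # ~ H^(n)_{X|Y}
low = {j for j, zj in enumerate(z) if zj <= delta_n}       # ~ L^(n)_{X|Y}
assert not (high & low)                    # the two polarized sets are disjoint
assert abs(sum(z) / n - eps) < 1e-6        # Z is a martingale: the mean is preserved
assert (len(high) + len(low)) / n > 0.6    # most indices are already polarized
```

As n grows, |high|/n approaches the erasure probability (here H(X|Y) = 0.4 for a uniform input) and |low|/n approaches its complement, matching [27] (Theorem 1).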
To conclude this part, the following lemma provides a useful property of polar codes for the DBC.
Lemma 1 (subset property, adapted from [14] (Lemma 4)). Let (X, Y_2, Y_1) be random variables such that X − Y_2 − Y_1 forms a Markov chain. Then, the following property holds for the polar transform U^n = X^n G_n: H^{(n)}_{X|Y_2} ⊆ H^{(n)}_{X|Y_1} ⊆ H^{(n)}_X and L^{(n)}_X ⊆ L^{(n)}_{X|Y_1} ⊆ L^{(n)}_{X|Y_2}.

Remark 1. The subset property also holds if the sets are defined based on the Bhattacharyya parameters because, under the previous Markov chain condition, Z(U(j)|U^{1:j−1}) ≥ Z(U(j)|U^{1:j−1}, Y_1^n) ≥ Z(U(j)|U^{1:j−1}, Y_2^n).

Remark 2.
According to [14] (Lemma 4), the subset property also holds if the channels are stochastically degraded. Therefore, since the construction of the polar codes proposed in the following sections relies essentially on Lemma 1, the polar coding schemes are suitable for both physically- and stochastically-degraded channels.
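The subset property of Lemma 1 can be observed directly on two BECs, since BEC(e1) is a (stochastically) degraded version of BEC(e2) whenever e1 ≥ e2 and the exact BEC recursion preserves the pointwise ordering of the Bhattacharyya parameters. The erasure rates and threshold below are illustrative:

```python
# Sketch of Lemma 1 for two BECs: the worse channel's Bhattacharyya parameters
# dominate the better channel's pointwise, so the polarized sets are nested.
def bec_bhattacharyya(n, z):
    if n == 1:
        return [z]
    return bec_bhattacharyya(n // 2, 2*z - z*z) + bec_bhattacharyya(n // 2, z*z)

n, delta = 256, 1e-2
z1 = bec_bhattacharyya(n, 0.6)   # worse channel Y1 (degraded)
z2 = bec_bhattacharyya(n, 0.3)   # better channel Y2
assert all(a >= b for a, b in zip(z1, z2))   # Z(.|Y1) >= Z(.|Y2) pointwise
low1 = {j for j in range(n) if z1[j] <= delta}
low2 = {j for j in range(n) if z2[j] <= delta}
high1 = {j for j in range(n) if z1[j] >= 1 - delta}
high2 = {j for j in range(n) if z2[j] >= 1 - delta}
assert low1 <= low2 and high2 <= high1       # subset property of Lemma 1
```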

Polar Coding Scheme for the DBC-NLD-LS
The polar coding scheme provided in this section is designed to achieve the supremum of the achievable rates given in Corollary 1 (secrecy-capacity without rate sharing). Thus, consider the DMS (X × Y_K × ··· × Y_1 × Z_M × ··· × Z_1, p_{X Y_K...Y_1 Z_M...Z_1}) that represents the input and output random variables involved in the achievable subregion of Corollary 1, where X = {0, 1}. Let (X^n, Y_K^n, ..., Y_1^n, Z_M^n, ..., Z_1^n) be an i.i.d. n-sequence of this source. We define the polar transform U^n ≜ X^n G_n, whose distribution is p_{U^n}(u^n) = p_{X^n}(u^n G_n) (due to the invertibility of G_n), and we write:

Polar Code Construction
Let δ_n ≜ 2^{−n^β}, where β ∈ (0, 1/2). Based on p_{X Y_K...Y_1 Z_M...Z_1}, we define the sets in Equations (7)–(11). Then, based on these sets, we define the following partition of the universal set [n], which is graphically represented in Figure 3. Roughly speaking, in order to ensure reliability and strong secrecy, the distribution of Ũ^n after the encoding process must be close, in terms of statistical distance, to the distribution in Equation (6) corresponding to the original DMS. Hence, the elements U(j) such that j ∈ H^{(n)}_X will be suitable for storing uniformly-distributed random sequences. On the other hand, U[T^{(n)}] will not, and the elements U(j) such that j ∈ T^{(n)} will be constructed from U^{1:j−1} and the distribution p_{U(j)|U^{1:j−1}}. The set I^{(n)}_m will be used to store the message W_m. Since C^{(n)} belongs to (H^{(n)}_{X|Z_m})^C for any m ∈ [1, M], the sequence U[C^{(n)}] cannot contain information to be secured from any eavesdropper, and it will be used to store the local randomness [8] required to confuse the eavesdroppers (the local randomness in polar codes plays the same role as the stochastic encoding used in [1,2]). According to [27] (Theorem 2), the legitimate Receiver 1 will be able to reliably infer U[L^{(n)}_{X|Y_1}] given U[(L^{(n)}_{X|Y_1})^C]. Hence, by making U[(L^{(n)}_{X|Y_1})^C] (hatched areas in Figure 3) available to the legitimate Receiver 1, this receiver will be able to reliably infer the entire sequence U^n. In this sense, U[F^{(n)}] will be used to store the uniformly-distributed random sequence provided by a source of common randomness that will be available to all parties.
Since F^{(n)} ⊆ H^{(n)}_X, the remaining part of U[(L^{(n)}_{X|Y_1})^C] will contain secret information or elements that cannot be known directly by all the eavesdroppers. Therefore, the transmitter will somehow secretly send it to the legitimate receivers. Nevertheless, as will be seen, this additional transmission incurs an asymptotically negligible rate penalty. Finally, by Lemma 1, given U[(L^{(n)}_{X|Y_1})^C], all the legitimate receivers will be able to reliably infer the entire sequence U^n from their own channel observations.
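A simplified BEC illustration of this index partition can be sketched as follows (the paper's exact sets are those in Equations (7)–(16); here we take one legitimate receiver, two degraded eavesdroppers, and a uniform input, so every index is high-entropy a priori and the partition is driven by the receiver's low set and the eavesdroppers' high sets — all parameters are illustrative assumptions):

```python
# Illustrative partition of [n] for a BEC wiretap setting: Y ~ BEC(0.2) for
# the legitimate receiver, Z2 ~ BEC(0.6) and the weaker Z1 ~ BEC(0.8) for the
# two eavesdroppers (eavesdropper 1, with the worse channel, must be ignorant
# of both messages; eavesdropper 2 only of W2).
def bec_bhattacharyya(n, z):
    if n == 1:
        return [z]
    return bec_bhattacharyya(n // 2, 2*z - z*z) + bec_bhattacharyya(n // 2, z*z)

n, delta = 512, 1e-2
zY = bec_bhattacharyya(n, 0.2)
zZ2 = bec_bhattacharyya(n, 0.6)
zZ1 = bec_bhattacharyya(n, 0.8)
lowY = {j for j in range(n) if zY[j] <= delta}           # decodable by Receiver 1
highZ2 = {j for j in range(n) if zZ2[j] >= 1 - delta}    # secured from eavesdropper 2
highZ1 = {j for j in range(n) if zZ1[j] >= 1 - delta}    # secured from eavesdropper 1
I2 = lowY & highZ2             # carries W2: hidden from both eavesdroppers
I1 = (lowY & highZ1) - highZ2  # carries W1: hidden from the weaker eavesdropper only
C = lowY - highZ1              # local randomness: confuses the eavesdroppers
F = set(range(n)) - lowY       # common randomness shared with all parties
assert highZ2 <= highZ1                    # degradedness (Lemma 1)
parts = [I1, I2, C, F]
assert sum(len(p) for p in parts) == n     # the four sets partition [n]
```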

Remark 3.
The goal of the polar code construction is to obtain the entropy terms {H(U(j)|U^{1:j−1})}_{j=1}^n, {H(U(j)|U^{1:j−1}, Y_1^n)}_{j=1}^n and {H(U(j)|U^{1:j−1}, Z_m^n)}_{j=1}^n for all m ∈ [1, M], which are required to define the sets in Equations (7)–(11) and, consequently, to obtain the partition of [n] given in Equations (12)–(16). In Section 6, we discuss further how to construct polar codes under both reliability and secrecy constraints.

Polar Encoding
The polarization-based encoder aims to construct the sequence Ũ^n and, consequently, X̃^n = Ũ^n G_n. Let W_m for all m ∈ [1, M] and C be uniformly-distributed random vectors of size |I^{(n)}_m| and |C^{(n)}|, respectively, where C represents the local randomness required to confuse the eavesdroppers, and recall that W_m represents the message m that is intended for all legitimate receivers. Let F be a given uniformly-distributed random |F^{(n)}|-sequence, which represents the source of common randomness that is available to all parties. The encoder constructs the sequence ũ^n as follows. Consider the realizations w_m for all m ∈ [1, M], c and f, whose elements have been indexed by the sets of indices I^{(n)}_m, C^{(n)} and F^{(n)}, respectively. The encoder draws ũ^n from the distribution in Equation (17), where p_{U(j)|U^{1:j−1}} is the distribution induced by the original DMS. Note that T^{(n)} ⊆ (H^{(n)}_X)^C and, according to Equation (17), Ũ[L^{(n)}_X] is constructed deterministically by adapting the SC encoding algorithm in [20], while Ũ[(H^{(n)}_X)^C ∩ (L^{(n)}_X)^C] is constructed randomly. By [27] (Theorem 1), the amount of randomness required for SC encoding is asymptotically negligible in terms of rate. Then, the encoder computes X̃^n = Ũ^n G_n and transmits it over the DBC, inducing (Ỹ_K^n, ..., Ỹ_1^n, Z̃_M^n, ..., Z̃_1^n).
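The encoder's three-way rule can be sketched schematically: uniform bits go into the message, local-randomness and common-randomness indices; low-entropy indices are set deterministically (arg max, as in the SC encoder of [20]); the few unpolarized indices are drawn at random. The conditional probabilities below are a hypothetical stand-in for the quantities produced by the code construction:

```python
# Schematic of the three-way SC encoding rule. `cond_prob(j, prefix)` stands
# in for p(U(j) = 1 | u^{1:j-1}) from the construction (hypothetical here).
import random

def sc_encode(n, info, low, cond_prob, bits, rng):
    u = []
    for j in range(n):
        if j in info:                     # I_m, C or F: store a uniform bit
            u.append(bits.pop(0))
        elif j in low:                    # L_X: deterministic SC decision
            u.append(1 if cond_prob(j, u) > 0.5 else 0)
        else:                             # unpolarized: random SC decision
            u.append(1 if rng.random() < cond_prob(j, u) else 0)
    return u

rng = random.Random(1)
cond_prob = lambda j, prefix: 0.9 if j % 2 else 0.2   # hypothetical conditionals
n = 8
info, low = {0, 1}, {4, 5, 6, 7}
u = sc_encode(n, info, low, cond_prob, [1, 0], rng)
assert len(u) == n and u[4:] == [0, 1, 0, 1]   # deterministic part: arg max
```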
Finally, besides the sequence X̃^n, the encoder outputs an additional secret sequence Φ, which must also be transmitted to all legitimate receivers while keeping it masked from the eavesdroppers. To do so, the transmitter can perform a modulo-two addition between Φ and a uniformly-distributed secret key that is privately shared with the legitimate receivers, and somehow additionally send the result to them. Nevertheless, by [27] (Theorem 1), this additional transmission is asymptotically negligible in terms of rate.
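The modulo-two masking of Φ with the shared secret key is a one-time pad, so the eavesdroppers learn nothing about Φ while the key length (and hence the rate penalty) equals |Φ|. A minimal sketch:

```python
# One-time-pad masking of the secret sequence Phi with a shared uniform key.
import secrets

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

phi = [1, 0, 1, 1, 0, 0, 1, 0]                # example secret sequence
key = [secrets.randbelow(2) for _ in phi]     # uniform secret key, same length
masked = xor_bits(phi, key)                   # what is additionally transmitted
assert xor_bits(masked, key) == phi           # legitimate receivers recover Phi
```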
Remark 4. The sequence Φ can be divided into the part stored in entries of H^{(n)}_X, which will be uniformly distributed according to Equation (17), and the remaining part, which will not. The transmitter could make the uniformly-distributed part available to the legitimate receivers by using a chaining structure as the one presented in [9]. However, such a scheme requires the transmission to take place over several blocks of size n. Moreover, it requires a large memory capacity at either the transmitter or the legitimate receivers, which can make the polar coding scheme impractical in communication systems.

Polar Decoding
Before the decoding process, consider that the realization of the source of common randomness F is available to all parties and the sequence Φ has been successfully received by the legitimate receivers.
The legitimate receiver k ∈ [1, K] forms an estimate Û^n of the sequence Ũ^n as follows. Given that Φ and F are available, notice that it knows Ũ[(L^{(n)}_{X|Y_1})^C] and that, by Lemma 1, L^{(n)}_{X|Y_1} ⊆ L^{(n)}_{X|Y_k} for any k > 1. Thus, the k-th legitimate receiver performs SC decoding for source coding with side information [27] to construct Û^n from Ũ[(L^{(n)}_{X|Y_1})^C] and its channel output observations Ỹ_k^n. In Section 4.5.3, we show formally that the reliability condition in Equation (2) is satisfied at each legitimate receiver k ∈ [1, K].
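For a BEC, SC decoding with side information can be sketched with exact erasure algebra (symbols are 0, 1 or None for an erasure): the receiver knows the entries outside the low-entropy set (playing the role of Φ and F) and recovers the rest from the channel output. This is an illustrative BEC sketch, not the paper's general SC decoder:

```python
# BEC SC decoding sketch: polar_encode implements x = u F^{(x)k} with
# F = [[1,0],[1,1]] (no bit reversal); sc_decode recovers u from erased
# observations y plus side information `known` (None = entry to be decoded).

def polar_encode(u):
    n = len(u)
    if n == 1:
        return list(u)
    h = n // 2
    a, b = u[:h], u[h:]
    return polar_encode([x ^ y for x, y in zip(a, b)]) + polar_encode(b)

def sc_decode(y, known):
    n = len(y)
    if n == 1:
        if known[0] is not None:
            return [known[0]]          # side information (frozen/known entry)
        return [y[0]]                  # information entry: needs y unerased
    h = n // 2
    y1, y2 = y[:h], y[h:]
    y_minus = [p ^ q if (p is not None and q is not None) else None
               for p, q in zip(y1, y2)]
    a = sc_decode(y_minus, known[:h])  # decode the "minus" half first
    aF = polar_encode(a)
    y_plus = [q if q is not None else (p ^ r if p is not None else None)
              for p, q, r in zip(y1, y2, aF)]
    b = sc_decode(y_plus, known[h:])   # then the "plus" half
    return a + b

u = [1, 0, 1, 1, 0, 1, 0, 0]
x = polar_encode(u)
known = u[:-1] + [None]                # side info: all entries but the last
y = list(x)
y[2] = None                            # one erasure on the channel
assert sc_decode(y, known) == u
```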

Information Leakage
Besides the observations Z̃_m^n, the eavesdropper m ∈ [1, M] has access to the common randomness F = Ũ[F^{(n)}]. Thus, the information about the messages {W_i}_{i=m}^M leaked to this eavesdropper is:

I(W_m, ..., W_M; F, Z̃_m^n). (20)

In Section 4.5.4, we prove that (W_m, W_{m+1}, ..., W_M) is asymptotically statistically independent of (F, Z̃_m^n).

Performance of the Polar Coding Scheme
The analysis of the polar coding scheme described previously leads to the following theorem.

Theorem 1. Consider an arbitrary DBC-NLD-LS. The polar coding scheme described in Sections 4.1–4.4 achieves any rate tuple of the region defined in Corollary 1, satisfying the reliability and strong secrecy conditions given in Equations (2) and (3), respectively.

Corollary 4. If we consider a communication scenario requiring transmissions over several blocks of size n, the same realization of the source of common randomness F that is known by all parties can be used at each block, and the reliability and strong secrecy conditions are still ensured.
The proof of Theorem 1 follows in four steps, with reasoning similar to [13], and is provided in Sections 4.5.1–4.5.4. The proof of Corollary 3 is immediate, and the proof of Corollary 4 is provided in Section 4.5.5.

Transmission Rates
In this step, we prove that the polar coding scheme approaches the corner point of the subregion defined in Corollary 1. For any m ∈ [1, M − 1], the rate R_m corresponding to the message W_m satisfies a chain of (in)equalities in which (a) follows from the definition of the set I^{(n)}_m in Equation (13) and (c) follows from [27] (Theorem 1). Similarly, according to Equation (12), we obtain:

Distribution of the DMS after the Polar Encoding
Let q̃_{U^n} be the distribution of Ũ^n after the encoding in Section 4.2. The following lemma shows that q̃_{U^n} and the distribution p_{U^n} in Equation (6) of the original DMS are nearly statistically indistinguishable for sufficiently large n and, consequently, so are the overall distributions q̃_{X Y_K...Y_1 Z_M...Z_1} and p_{X Y_K...Y_1 Z_M...Z_1}.

Lemma 2. Let δ_n = 2^{−n^β} for some β ∈ (0, 1/2). Then, V(q̃_{U^n}, p_{U^n}) ≤ δ^{(n)}_{nld-ls}.
Proof. See Appendix A, setting L = 1.

Remark 5. The first term of δ^{(n)}_{nld-ls} bounds the impact on the total variation distance of using the deterministic SC encoding in Equation (18) for the entries Ũ[L^{(n)}_X], while the second term bounds the impact of storing uniformly-distributed random sequences (messages, local randomness and common randomness) into the entries Ũ[H^{(n)}_X]. As will be seen in the following subsections, an encoding process satisfying Lemma 2 is crucial for the reliability and the secrecy performance of the polar code.

Reliability Performance
Consider the probability of incorrectly decoding the messages {W_m}_{m=1}^M at the legitimate receiver k ∈ [1, K]. Let q̃_{X^n Y_k^n} and p_{X^n Y_k^n} be the corresponding marginals of q̃_{X^n Y_K^n...Y_1^n Z_M^n...Z_1^n} and p_{X^n Y_K^n...Y_1^n Z_M^n...Z_1^n}, respectively. Consider an optimal coupling [29] (Proposition 4.7) between q̃_{X^n Y_k^n} and p_{X^n Y_k^n} such that the probability that the coupled pairs differ equals V(q̃_{X^n Y_k^n}, p_{X^n Y_k^n}). Thus, for the legitimate receiver k ∈ [1, K], we obtain the bound in Equation (21), where (a) holds by the definition of L^{(n)}_{X|Y_1} in Equation (9) and [27] (Proposition 2), that is, Z(U(j)|U^{1:j−1}, Y_1^n) ≤ (H(U(j)|U^{1:j−1}, Y_1^n))^{1/2}, and (c) holds by the optimal coupling and Lemma 2 because V(q̃_{X^n Y_k^n}, p_{X^n Y_k^n}) ≤ V(q̃_{U^n}, p_{U^n}). Therefore, the polar coding scheme satisfies the reliability condition given in Equation (2).
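The optimal-coupling step ([29], Proposition 4.7) states that two random variables with laws p and q can be coupled so that they disagree exactly with probability V(p, q); the decoder's error probability under q̃ then differs from its error under p by at most the total variation distance. A small exact-arithmetic sketch of the maximal coupling on a three-point alphabet (the distributions are illustrative):

```python
# Maximal coupling sketch: put min(p_i, q_i) on the diagonal of the joint law,
# spread the residual masses off the diagonal; then P(X != Y) = V(p, q).
from fractions import Fraction

p = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 4)]
q = [Fraction(1, 4), Fraction(1, 4), Fraction(1, 2)]
tv = sum(abs(a - b) for a, b in zip(p, q)) / 2    # total variation distance
diag = [min(a, b) for a, b in zip(p, q)]          # mass where X = Y
p_res = [a - d for a, d in zip(p, diag)]          # leftover rows (X != Y)
q_res = [b - d for b, d in zip(q, diag)]          # leftover columns (X != Y)
prob_equal = sum(diag)
assert 1 - prob_equal == tv                       # P(X != Y) = V(p, q)
assert sum(p_res) == sum(q_res) == tv             # residuals couple off-diagonal
```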

Secrecy Performance
Consider the information leakage at the eavesdropper m ∈ [1, M] given in Equation (20). We obtain the bound in Equation (22). Now, we provide a lower bound for the conditional entropy term of Equation (22). First, for large enough n, we obtain Equation (23), where (a) holds by the chain rule of entropy and the triangle inequality, (b) holds by [30] (Lemma 2.9) and (c) holds because the function x ↦ x log x is decreasing for x > 0 small enough and by Lemma 2. Hence, we have Equation (24), where (a) holds because conditioning does not increase entropy and (b) holds by Equations (12)–(14), Lemma 1 and the definition of H^{(n)}_{X|Z_m} in Equation (11). Finally, by substituting Equation (24) into Equation (22), for n sufficiently large, we obtain Equation (25). Hence, the polar code satisfies the strong secrecy condition in Equation (3), and the proof of Theorem 1 is concluded.

Reuse of the Source of Common Randomness
Consider that the transmission takes place over B blocks of size n. We use the subscript b ∈ [1, B], between parentheses, to denote random variables associated with block b. From Lemma 2, we have V(q̃_{U^n_{(b)}}, p_{U^n}) ≤ δ^{(n)}_{nld-ls} for any b ∈ [1, B] because we use the same encoding of Equation (17) at each block. Hence, by the union bound, the polar code satisfies the reliability condition given in Equation (2): since F and Φ_{(b)} are perfectly known, the error event at block b depends only on the decoding at that block and, consequently, can be bounded as in Equation (21). With a slight abuse of notation, let W_{m:M,(1:B)} denote the messages {W_{i,(b)}}_{i=m}^M over all blocks b ∈ [1, B]. It remains to show that W_{m:M,(1:B)} is asymptotically statistically independent of (F, Z̃^n_{m,(1:B)}). Since F is reused at each block, we have to consider the dependencies between the random variables of different blocks that are involved in the secrecy analysis. According to these dependencies, which are represented in the Bayesian graph of Figure 4, the overall leakage can be bounded recursively, where (a) holds because the messages at blocks b + 2 to B are independent of F and of all the random variables of the previous blocks, (b) follows from Equation (25), and (c) holds because (W_{m:M,(b)}, Z̃^n_{m,(b)}) and (W_{m:M,(b+1)}, Z̃^n_{m,(b+1)}) are independent given F.

Polar Coding Scheme for the DBC-LD-NLS
The polar coding scheme provided in this section is designed to achieve the supremum of the achievable rates given in Corollary 2 (secrecy-capacity without rate sharing). In this model, consider the DMS (V_1 × ··· × V_K × Y_K × ··· × Y_1 × Z_M × ··· × Z_1, p_{V_1...V_K Y_K...Y_1 Z_M...Z_1}) that represents the input and output random variables involved in the achievable subregion of Corollary 2. Let (V_1^n, ..., V_K^n, Y_K^n, ..., Y_1^n, Z_M^n, ..., Z_1^n) be an i.i.d. n-sequence of this source. Then, we define the K polar transforms U_ℓ^n ≜ V_ℓ^n G_n, where ℓ ∈ [1, K]. Since V_1 − V_2 − ··· − V_K and, consequently, U_1^n − U_2^n − ··· − U_K^n (by the invertibility of G_n) form Markov chains, the joint distribution of (U_1^n, ..., U_K^n) satisfies:

Polar Code Construction
Based on p_{V_1...V_K Y_K...Y_1 Z_M...Z_1}, the construction is carried out similarly at each superposition layer.
Consider the polar construction at layer ℓ ∈ [1, K]. Let δ_n ≜ 2^{−n^β}, where β ∈ (0, 1/2). For the polar transform U_ℓ^n = V_ℓ^n G_n associated with the ℓ-th layer, we define the sets in Equations (27)–(31), where we recall that V_0 = ∅ when ℓ = 1 and V_K ≜ X when ℓ = K. At each layer ℓ ∈ [1, K], based on these sets, we define the following partition of the universal set [n], which is graphically represented in Figure 5. The way we define this partition at the ℓ-th layer follows reasoning similar to that used to define the partition in Section 4.1 for the DBC-NLD-LS. In this sense, U_ℓ[H^{(n)}_{V_ℓ|V_{ℓ−1}}] will be suitable for storing uniformly-distributed random sequences. Otherwise, U_ℓ[T_ℓ^{(n)}] will not, and U_ℓ(j) such that j ∈ T_ℓ^{(n)} will be constructed from (U_ℓ^{1:j−1}, V_{ℓ−1}^n) and the distribution p_{U_ℓ(j)|U_ℓ^{1:j−1} V_{ℓ−1}^n}. Now, U_ℓ[I_ℓ^{(n)}] will be suitable for storing information to be secured from all eavesdroppers, because I_ℓ^{(n)} belongs to the corresponding high-entropy set given any eavesdropper's observations, while U_ℓ[C_ℓ^{(n)}] will be used to store the local randomness required to confuse all eavesdroppers about the secret information carried on this layer. According to [27] (Theorem 2), the legitimate receiver k ∈ [ℓ, K] will be able to reliably infer U_ℓ^n given its own channel observations and the elements of U_ℓ^n that are not almost determined by them; hence, the legitimate receivers ℓ to K will be able to reliably reconstruct U_ℓ^n. In this sense, U_ℓ[F_ℓ^{(n)}] will be used to store the random sequence provided by the source of common randomness. Since this common randomness is independent of the messages, the strong secrecy condition will not be compromised. On the other hand, the remaining part of U_ℓ[(L^{(n)}_{V_ℓ|V_{ℓ−1} Y_ℓ})^C] (hatched areas in Figure 5) will contain secret information or elements that cannot be known directly by the eavesdroppers. Therefore, the transmitter will somehow make those elements available to the legitimate receivers ℓ to K, keeping them masked from all eavesdroppers, incurring an asymptotically negligible rate penalty.
As mentioned in Remark 3, the goal of the polar construction is to obtain the entropy terms associated with the sets in Equations (27)–(31).

Figure 5. Polar code construction for the DBC-LD-NLS at the ℓ-th layer. The hatched area represents U_ℓ[(L^{(n)}_{V_ℓ|V_{ℓ−1} Y_ℓ})^C].

Polar Encoding
The superposition-based polar encoder consists of K encoding blocks operating sequentially, one at each superposition layer, the block at layer ℓ ∈ [1, K] being responsible for the construction of Ũ_ℓ^n. In order to construct Ũ_ℓ^n for some ℓ ∈ [2, K], the encoder block needs Ṽ_{ℓ−1}^n = Ũ_{ℓ−1}^n G_n, which has been constructed previously by the encoding block operating at the (ℓ−1)-th layer.
Consider the encoding procedure at layer ℓ ∈ [1, K]. Let W_ℓ and C_ℓ be uniformly-distributed random vectors of size |I_ℓ^{(n)}| and |C_ℓ^{(n)}|, respectively, where W_ℓ represents the message intended for the legitimate receivers ℓ to K and C_ℓ the local randomness required at the ℓ-th layer to confuse all eavesdroppers about this message. Let F_ℓ be a given uniformly-distributed random |F_ℓ^{(n)}|-sequence, which represents the source of common randomness that is available to all parties. The ℓ-th encoding block constructs the sequence ũ_ℓ^n as follows. Given the realizations w_ℓ, c_ℓ and f_ℓ, whose elements have been indexed by the sets of indices I_ℓ^{(n)}, C_ℓ^{(n)} and F_ℓ^{(n)}, respectively, and given ṽ_{ℓ−1}^n = ũ_{ℓ−1}^n G_n provided by the previous encoding block (recall that ṽ_0^n ≜ ∅ at the first layer), the ℓ-th encoding block draws ũ_ℓ^n from the corresponding conditional distribution, where p_{U_ℓ(j)|U_ℓ^{1:j−1} V_{ℓ−1}^n} is induced by the original DMS. Similarly to the previous model, the low-entropy entries of Ũ_ℓ^n are constructed in a deterministic way by adapting the SC encoding algorithm in [20], while the remaining unpolarized entries are constructed randomly. By [27] (Theorem 1), the rate of the amount of randomness required for SC encoding is asymptotically negligible. After constructing Ũ_ℓ^n, the ℓ-th encoding block computes the sequence Ṽ_ℓ^n = Ũ_ℓ^n G_n and delivers it to the next encoding block. If ℓ = K, then Ṽ_K^n ≜ X̃^n, and the encoder transmits it over the DBC, which induces the channel outputs (Ỹ_K^n, ..., Ỹ_1^n, Z̃_M^n, ..., Z̃_1^n). Finally, besides the sequence X̃^n, the encoder outputs the additional secret sequences {Φ_ℓ}_{ℓ=1}^K. The sequence Φ_ℓ corresponding to layer ℓ ∈ [1, K] must be additionally transmitted to the legitimate receivers ℓ to K while keeping it masked from the eavesdroppers. To do so, the transmitter can perform a modulo-two addition between {Φ_ℓ}_{ℓ=1}^K and a uniformly-distributed secret key privately shared with the legitimate receivers and somehow additionally send the result to them. If K ≪ n, by [27] (Theorem 1), the overall rate required to transmit these additional secret sequences is asymptotically negligible, i.e., lim_{n→∞} (1/n) ∑_{ℓ=1}^K |Φ_ℓ| = 0.
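The sequential structure of the K encoding blocks can be sketched as follows. The conditional construction at each layer is abstracted into a hypothetical XOR-based rule (the real encoder draws from the conditional distributions above); only the layering, the hand-off of ṽ_ℓ and the invertibility u_ℓ = v_ℓ G_n are faithful to the scheme:

```python
# Structural sketch of the K sequential encoding blocks: layer l builds u_l
# from its message plus filler randomness, conditioned (hypothetically) on
# v_{l-1}, and passes v_l = u_l G_n to the next layer; v_K = x is transmitted.
import numpy as np

def polar_matrix(n):
    G = np.array([[1, 0], [1, 1]], dtype=np.uint8)
    Gn = np.array([[1]], dtype=np.uint8)
    while Gn.shape[0] < n:
        Gn = np.kron(Gn, G)
    return Gn

def encode_layers(n, K, messages, rng):
    Gn = polar_matrix(n)
    v_prev = np.zeros(n, dtype=np.uint8)            # v_0 = "empty" layer
    layers = []
    for l in range(K):
        u = rng.integers(0, 2, size=n, dtype=np.uint8)  # randomness + filler
        u ^= v_prev                                 # hypothetical conditioning
        m = messages[l]
        u[: len(m)] = m                             # place W_l on its index set
        v_prev = u @ Gn % 2                         # v_l = u_l G_n, handed off
        layers.append((u.copy(), v_prev.copy()))
    return layers                                   # layers[-1][1] is x^n

rng = np.random.default_rng(3)
n, K = 8, 3
msgs = [np.array([1, 0], dtype=np.uint8)] * K
layers = encode_layers(n, K, msgs, rng)
Gn = polar_matrix(n)
for u_l, v_l in layers:
    assert np.array_equal(u_l, v_l @ Gn % 2)        # invertibility: u_l = v_l G_n
```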
As for the previous model, the uniformly-distributed part of any Φ_ℓ could be made available to the corresponding legitimate receivers by using a chaining structure as in [9]. However, this approach presents the same disadvantages as those mentioned in Remark 4.

Polar Decoding
Consider that the realizations of {F_ℓ}_{ℓ=1}^K are available to all parties, and that the sequences {Φ_ℓ}_{ℓ=1}^K have been successfully received by the corresponding legitimate receivers before the decoding process.
Consider the decoding at the legitimate receiver k ∈ [1, K]. This receiver forms the estimates {Û_ℓ^n}_{ℓ=1}^k of the sequences {Ũ_ℓ^n}_{ℓ=1}^k in a successive manner, from Û_1^n to Û_k^n, and the procedure to estimate Ũ_ℓ^n for some ℓ ∈ [1, k] is as follows. First, given that Φ_ℓ and F_ℓ are available, the receiver knows Ũ_ℓ[(L^{(n)}_{V_ℓ|V_{ℓ−1} Y_ℓ})^C]. Then, the k-th legitimate receiver performs SC decoding for source coding with side information [27] to construct Û_ℓ[L^{(n)}_{V_ℓ|V_{ℓ−1} Y_ℓ}] from Ỹ_k^n and from Ṽ_{ℓ−1}^n = Û_{ℓ−1}^n G_n estimated previously. In Section 5.5.3, we show formally that the polar coding scheme satisfies the reliability condition in Equation (4).

Information Leakage
Besides the observations Z̃_m^n, the eavesdropper m ∈ [1, M] has access to the common randomness {F_ℓ}_{ℓ=1}^K. Therefore, the information about all messages leaked to the m-th eavesdropper is I(W_1, . . . , W_K; F_1, . . . , F_K, Z̃_m^n). In Section 5.5.4, we prove that (W_1, . . . , W_K) is asymptotically statistically independent of (F_1, . . . , F_K, Z̃_m^n).

Performance of the Polar Coding Scheme
The analysis of the polar coding scheme leads to the following theorem.

Theorem 2. Consider an arbitrary DBC. The polar coding scheme described in Sections 5.1–5.4 achieves any rate tuple of the achievable region defined in Corollary 2, satisfying the reliability and strong secrecy conditions in Equations (4) and (5), respectively.

Corollary 6. If we consider a communication scenario requiring transmissions over several blocks of size n, the same realization of the source of common randomness (F_1, . . . , F_K) that is known by all parties could be used at each block, and the reliability and the strong secrecy conditions would still be ensured.

As in Theorem 1, the proof of Theorem 2 follows in four steps and is provided in Sections 5.5.1–5.5.4. The proof of Corollary 5 is immediate. The proof of Corollary 6 is omitted because it follows from similar reasoning as in Corollary 4. Although in this model we have different superposition layers, the dependencies between the random variables at different blocks have the same structure as those graphically represented in Figure 4.

Transmission Rates
We prove that the polar coding scheme approaches the corner point of the subregion defined in Corollary 2. For any ℓ ∈ [1, K], the transmission rate R_ℓ corresponding to the message W_ℓ satisfies a chain of inequalities in which (a) follows from the definition of the set I_ℓ^(n) in Equation (32), (b) holds by Lemma 1, and (c) holds by [27] (Theorem 1).

Distribution of the DMS after the Polar Encoding
Let q̃_{U_1^n...U_K^n} be the distribution of (Ũ_1^n, . . . , Ũ_K^n) after the encoding in Section 5.2. The following lemma shows that q̃_{U_1^n...U_K^n} and the distribution p_{U_1^n...U_K^n} of the DMS are nearly statistically indistinguishable for sufficiently large n and, consequently, so are the overall induced distributions.

Lemma 3. Let δ_n = 2^{−n^β} for some β ∈ (0, 1/2). Then, V(q̃_{U_1^n...U_K^n}, p_{U_1^n...U_K^n}) ≤ δ_{ld-nls}^(n), where δ_{ld-nls}^(n) ≜ Kn (nδ_n ln 2)^{1/4} (2n − log_2 √(nδ_n ln 2)) + δ_n + √(K·2nδ_n ln 2).
Proof. See Appendix A setting L = K.

Reliability Performance
Consider the probability of incorrectly decoding {W_ℓ}_{ℓ=1}^k at the legitimate receiver k ∈ [1, K]. Let q̃_{V_ℓ^n Y_k^n} and p_{V_ℓ^n Y_k^n} for any ℓ ≤ k be marginals of the overall distributions q̃ and p, respectively. Consider an optimal coupling [29] (Proposition 4.7) between q̃_{V_ℓ^n Y_k^n} and p_{V_ℓ^n Y_k^n} in which the probability of the sequences differing equals the total variation distance. The resulting error bound holds because (a) follows from [27] (Theorem 2), since Ũ_ℓ[(L_{V_ℓ|V_{ℓ−1}Y_ℓ}^(n))^C] for any ℓ ≤ k is available to the k-th receiver; (b) holds by Lemma 1, by the definition of the set L_{V_ℓ|V_{ℓ−1}Y_1}^(n) in Equation (29) and by applying [27] (Proposition 2); and (c) holds by the optimal coupling and Lemma 3. Consequently, if K ≪ n, the polar coding scheme satisfies the reliability condition in Equation (4).
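The optimal coupling invoked above can be illustrated concretely. The sketch below (our own illustration, not the paper's proof machinery) builds the maximal coupling of two finite distributions, for which P[A ≠ B] equals the total variation distance V(p, q), as in [29] (Proposition 4.7): the common mass min(p, q) sits on the diagonal and the residual mass is spread off-diagonal.

```python
def total_variation(p, q):
    # V(p, q) = (1/2) * sum_a |p(a) - q(a)|
    return 0.5 * sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in set(p) | set(q))

def maximal_coupling(p, q):
    # Joint distribution on pairs (a, b) with marginals p and q and
    # P[A != B] = V(p, q). Residual supports are disjoint, so the
    # off-diagonal product mass never lands on the diagonal.
    support = set(p) | set(q)
    common = {a: min(p.get(a, 0.0), q.get(a, 0.0)) for a in support}
    tv = total_variation(p, q)
    joint = {(a, a): m for a, m in common.items() if m > 0}
    if tv > 0:
        rp = {a: p.get(a, 0.0) - common[a] for a in support if p.get(a, 0.0) > common[a]}
        rq = {b: q.get(b, 0.0) - common[b] for b in support if q.get(b, 0.0) > common[b]}
        for a, ma in rp.items():
            for b, mb in rq.items():
                joint[(a, b)] = ma * mb / tv
    return joint

p = {0: 0.5, 1: 0.5}
q = {0: 0.75, 1: 0.25}
joint = maximal_coupling(p, q)
mismatch = sum(m for (a, b), m in joint.items() if a != b)  # equals V(p, q)
```

Here mismatch = V(p, q) = 0.25, which is exactly the coupling property used in step (c).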

Secrecy Performance
Consider the leakage at the eavesdropper m ∈ [1, M] given in Equation (39). As in Equation (22), we obtain an upper-bound on this leakage. Following similar reasoning as in Equation (23), for n large enough, we have a bound in which (a) holds by defining V† ≜ V(q̃_{U_1^n...U_K^n}, p_{U_1^n...U_K^n}) and by [30] (Lemma 2.9), and (b) follows from Lemma 2, by similar reasoning as in Equation (23), and because the function x ↦ x log x is decreasing for x > 0 small enough. Hence, we obtain a bound in which (a) holds because conditioning does not increase the entropy, because U_1^n − · · · − U_{K−1}^n − U_K^n forms a Markov chain, and by the invertibility of G_n; and (b) holds by the definition of the sets in Equations (32)–(35).

Polar Construction and Performance Evaluation
In this section, we discuss further how to construct the polar codes for the DBC-NLD-LS and the DBC-LD-NLS proposed in Sections 4 and 5, respectively. Moreover, we evaluate the reliability and the secrecy performance of both polar coding schemes according to the different parameters involved in the polar code construction. Although the construction of polar codes has been covered in a large number of references (see, for instance, [21][22][23]), these references focus only on polar codes under reliability constraints.
For the DBC-NLD-LS, we consider the Binary Erasure Broadcast Channel (BE-BC), where each individual channel of the DBC is a Binary Erasure Channel (BEC). For this model, we propose a construction of the polar code that is based on the Bhattacharyya parameters instead of the corresponding entropy terms. The reason is that, for the BE-BC, the Bhattacharyya parameters associated with the sets in Equations (7)-(11) can be computed exactly [7] (Proposition 5). Then, we evaluate the reliability and the secrecy performance of the code, and we focus on how different parameters involved in the proposed polar code construction impact its performance.
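The exact computation mentioned above can be sketched compactly: for a BEC with erasure probability eps, one polarization step maps a Bhattacharyya parameter Z to 2Z − Z² (degraded half) and Z² (upgraded half) [7], so all n parameters follow from a short recursion. The index ordering below is the natural recursive one; a concrete construction would fix the ordering to match the sets in Equations (7)–(11).

```python
# Exact Bhattacharyya parameters of the n polarized bit-channels of a BEC(eps).
# One level of polarization maps each Z to the pair (2Z - Z^2, Z^2) [7].
def bec_bhattacharyya(eps, n):
    z = [eps]
    while len(z) < n:
        z = [v for zi in z for v in (2 * zi - zi * zi, zi * zi)]
    return z
```

For example, eps = 0.5 and n = 2 yields the parameters 0.75 and 0.25; the mean of the vector always equals eps, since ((2Z − Z²) + Z²)/2 = Z at every level.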
On the other hand, for the DBC-LD-NLS, we consider the Binary Symmetric Broadcast Channel (BS-BC), where each individual channel is a Binary Symmetric Channel (BSC). From [7] (Proposition 5), we know that the method to compute the exact values of the Bhattacharyya parameters for a BEC provides an upper-bound on the Bhattacharyya parameters of the BSC. Although this method can be useful for constructing polar codes under reliability constraints [21][22][23], it fails when the code must guarantee a secrecy condition based on the information leakage. Indeed, in order to upper-bound the information leakage in Equation (39), according to Equation (45), we need a lower-bound on the entropy terms (or Bhattacharyya parameters). Hence, for this model, we focus on proposing a new polar code construction that is based directly on the entropy terms associated with the sets in Equations (27)–(31).
Throughout this section, as in [7], we say that a channel or a conditional distribution p_{Y|X}(y|x) with x ∈ X ≜ {0, 1} and y ∈ Y ≜ {0, . . . , |Y| − 1} is symmetric if the columns of the probability transition matrix P_{Y|X} can be grouped into sub-matrices such that, for each sub-matrix, each row is a permutation of each other row and each column is a permutation of each other column. Therefore, the individual channels of both the BE-BC and the BS-BC are symmetric. Due to the symmetry of the BE-BC, we will see that the distribution induced by the encoding described in Section 4.2 for the DBC-NLD-LS matches exactly the optimum distribution of the original DMS used in the polar code construction. Consequently, the performance of the polar code will depend only on the parameters involved in the construction. On the other hand, despite the symmetry of the BS-BC, due to its superposition-based structure, the encoding described in Section 5.2 for the DBC-LD-NLS only approaches the target distribution asymptotically. Hence, this encoding will impact the reliability and secrecy performance of the polar code when we consider a finite blocklength.
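The symmetry notion above can be checked mechanically. The sketch below is our own illustration and uses one simple grouping heuristic (group columns with equal entry multisets), which suffices for the BEC and BSC transition matrices used in this section.

```python
def is_symmetric(P, ndigits=9):
    # Group columns of the transition matrix by their multiset of entries
    # (columns within a group are then permutations of one another) and
    # verify that, within each group, every row is a permutation of every
    # other row, per the symmetry definition of [7].
    key = lambda v: tuple(sorted(round(x, ndigits) for x in v))
    groups = {}
    for col in zip(*P):
        groups.setdefault(key(col), []).append(col)
    for cols in groups.values():
        rows = list(zip(*cols))               # rows restricted to this group
        if len({key(r) for r in rows}) != 1:  # all rows share one multiset
            return False
    return True
```

With this check, the BSC and BEC matrices pass, while an asymmetric channel such as the Z-channel fails.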

DBC-NLD-LS
For this model, we consider a BE-BC with two legitimate receivers (K = 2) and two eavesdroppers (M = 2). Therefore, each individual channel is a BEC with X ≜ {0, 1} and Y_k = Z_m ≜ {0, 1, E}, E being the erasure symbol and k, m ∈ {1, 2}. The individual channels are defined simply by their erasure probability, which is denoted by ε_{Y_k} for the corresponding legitimate receiver k (P[Y_k = E] = ε_{Y_k}) and ε_{Z_m} for the eavesdropper m (P[Z_m = E] = ε_{Z_m}). Due to the degradedness condition of the broadcast channel given in Equation (1), we have ε_{Y_2} < ε_{Y_1} < ε_{Z_2} < ε_{Z_1}. By properly applying [19] (Proposition 3.2), it is easy to show that the secrecy-capacity achieving distribution p_X for this model is the uniform one, i.e., p_X(x) = 1/2 ∀x ∈ {0, 1}. For the simulations, we consider a BE-BC such that ε_{Y_2} = 0.01, ε_{Y_1} = 0.04, ε_{Z_2} = 0.2 and ε_{Z_1} = 0.35. According to Corollary 1 and since p_X is uniform, we obtain that the capacity without considering rate sharing is R_1 = 0.15 and R_2 = 0.16.
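These capacity values can be checked numerically. The formulas below are our assumed reading of Corollary 1 for uniform p_X (the layered-secrecy rates reduce to differences of erasure probabilities: W_1 is protected from Eavesdropper 1 only, W_2 from both eavesdroppers), and they reproduce the stated values.

```python
# Erasure probabilities of the BE-BC example (eY2 < eY1 < eZ2 < eZ1).
eY1, eY2, eZ1, eZ2 = 0.04, 0.01, 0.35, 0.20

# Assumed reading of Corollary 1 with uniform p_X (I(X; Y) = 1 - eps):
R1 = eZ1 - eZ2  # I(X; Z_2) - I(X; Z_1): rate kept secret from Eavesdropper 1
R2 = eZ2 - eY1  # I(X; Y_1) - I(X; Z_2): rate kept secret from both eavesdroppers
```

This gives R_1 = 0.15 and R_2 = 0.16, matching the values quoted in the text.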
In order to compare the performance of the polar coding scheme according to different parameters and to provide more flexibility in the design, instead of using only δ_n to define the sets in Equations (7)–(11), we introduce the pair (δ_n^(r), δ_n^(s)), where δ_n^(r) ≜ 2^{−n^{β^(r)}} and δ_n^(s) ≜ 2^{−n^{β^(s)}} for some β^(r), β^(s) ∈ (0, 1/2). Let R_1 and R_2, bounded by the capacity values above, denote the target rates that the polar coding scheme must approach. We obtain the partition defined in Equation (12), where δ_n^(s) must be small enough to guarantee that (1/n)|(H_{X|Y_1}^(n))^C| ≥ R_1 + R_2.

Performance Evaluation
First, notice that the encoding of Section 4.2 will induce a distribution q̃_{X^n Y_2^n Y_1^n Z_2^n Z_1^n} = p_{X^n Y_2^n Y_1^n Z_2^n Z_1^n} because T^(n) = ∅ (we do not use SC encoding), and the encoder stores uniformly-distributed sequences into the entries U(j), which satisfy H(U(j)|U^{1:j−1}) = 1 for all j ∈ H_X^(n) = [n]. Hence, V(q̃_{X^n Y_2^n Y_1^n Z_2^n Z_1^n}, p_{X^n Y_2^n Y_1^n Z_2^n Z_1^n}) = 0, and the performance will depend only on the code construction.
To evaluate the reliability performance, we obtain an upper-bound P_b^{ub(1)} on the average bit error probability at legitimate Receiver 1. Since V(q̃_{X^n Y_2^n Y_1^n Z_2^n Z_1^n}, p_{X^n Y_2^n Y_1^n Z_2^n Z_1^n}) = 0, the bound follows from Equation (21) and is given in Equation (47). Due to the degradedness condition of the BE-BC and, consequently, by Lemma 1, the average bit error probability at legitimate Receiver 2 will always be less than the one at legitimate Receiver 1. Since the legitimate receivers must estimate the entries belonging to L_{X|Y_1}^(n) regardless of (H_{X|Y_1}^(n))^C and the target rates (R_1, R_2), the reliability performance depends only on the pair (n, δ_n^(r)). In order to evaluate the secrecy performance, we compute upper-bounds on the information leakage I(W_1, W_2; F, Z̃_1^n) and on the information leakage I(W_2; F, Z̃_2^n). From Equations (22) and (24), we obtain the bounds in Equations (48) and (49), where we have used [27] (Proposition 2) to express the information leakage in terms of the Bhattacharyya parameters because H(U(j)|U^{1:j−1}, Z_m^n) ≥ Z(U(j)|U^{1:j−1}, Z_m^n)². According to the proposed polar code construction, the secrecy performance will depend on (n, δ_n^(s)) and the rates (R_1, R_2), but not on δ_n^(r). Additionally, we evaluate the rate of the additional sequence Φ by computing Equation (50), which depends on the triple (n, δ_n^(r), δ_n^(s)), but not on (R_1, R_2). Let ρ_R be the normalized target rate at which the polar coding scheme operates. In Figure 6A,B, we evaluate the upper-bounds on the information leakage defined in Equations (48) and (49), respectively, as a function of the blocklength n for different values of ρ_R. To do so, we set β^(r) = 0.16 and β^(s) = 0.30, which defines a particular pair (δ_n^(r), δ_n^(s)) for each value of n (recall that δ_n^(r) does not impact the secrecy performance of the polar code). As we proved in Section 4.5.4, for large enough n, the secrecy performance improves as n increases.
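The Bhattacharyya-based leakage bound can be sketched numerically. The sketch below is a simplified stand-in for Equations (48) and (49), under our own assumptions: the k information bits are placed on the indices with the highest eavesdropper Bhattacharyya parameters, the per-bit leakage is bounded by 1 − Z(·)² using H ≥ Z² from [27] (Proposition 2), and for a BEC the parameters are exact [7].

```python
def bec_bhattacharyya(eps, n):
    # Exact polarized Bhattacharyya parameters of a BEC(eps) [7]:
    # one polarization level maps Z to the pair (2Z - Z^2, Z^2).
    z = [eps]
    while len(z) < n:
        z = [v for zi in z for v in (2 * zi - zi * zi, zi * zi)]
    return z

def leakage_bound(n, eps_eve, k):
    # Simplified stand-in for the bounds in Equations (48) and (49): put the
    # k information bits on the indices with the highest eavesdropper
    # Bhattacharyya parameters and bound the leakage by sum_j (1 - Z_j^2),
    # which follows from H(U(j)|U^{1:j-1}, Z^n) >= Z(U(j)|U^{1:j-1}, Z^n)^2.
    z = sorted(bec_bhattacharyya(eps_eve, n), reverse=True)
    return sum(1.0 - zj * zj for zj in z[:k])
```

Consistent with Lemma 1, a more degraded eavesdropper (larger erasure probability) yields a smaller bound for the same (n, k).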
Moreover, to achieve a particular secrecy performance level, the polar code will require a larger blocklength n as the rates approach the capacity. This happens because, given (n, δ_n^(s)) and, consequently, (H_{X|Y_1}^(n))^C, the parameter ρ_R only determines the amount of indices that will belong to I_1^(n) and I_2^(n). Since, by construction, we take those indices corresponding to the highest Bhattacharyya parameters associated with the eavesdroppers, taking more elements always increases the corresponding leakage. For rates approaching the capacity and small values of n, notice that we obtain a secrecy performance that worsens as n increases (for instance, for ρ_R = 0.94, the information leakage increases from n = 2^9 to n = 2^12). This behavior is mainly explained because the elements of U^n have not polarized enough for small values of n. Consequently, for a given value of β^(s), not all the Bhattacharyya parameters associated with the eavesdroppers corresponding to the sets I_1^(n) and I_2^(n) are close to one. The impact of δ_n^(s) on the secrecy performance is graphically represented in Figure 7A,B, where the former plots the upper-bound defined in Equation (48) and the latter the upper-bound in Equation (49) as a function of the blocklength n for different values of β^(s). Now, we set β^(r) = 0.16 and ρ_R = 0.90. As can be seen in Figure 7, the secrecy performance improves as the value of β^(s) increases (or, equivalently, as δ_n^(s) decreases).
This behavior is as expected because δ_n^(s) defines the value of the highest Bhattacharyya parameter Z(U(j)|U^{1:j−1}, Y_1^n) whose index will belong to (H_{X|Y_1}^(n))^C. Since the information sets are formed by taking the indices corresponding to the highest Bhattacharyya parameters associated with the eavesdroppers and since, by Lemma 1, Z(U(j)|U^{1:j−1}, Z_1^n) ≥ Z(U(j)|U^{1:j−1}, Z_2^n) ≥ Z(U(j)|U^{1:j−1}, Y_1^n) for any j ∈ [n], the sums in Equations (48) and (49) over the indices j ∈ I_1^(n) ∪ I_2^(n) will be larger as β^(s) increases (as δ_n^(s) decreases), while their cardinality remains the same for a given ρ_R. Furthermore, notice that δ_n^(s) also determines the set F^(n). Thus, the larger the value of β^(s) (the lower δ_n^(s)), the smaller the cardinality of F^(n) and the higher the Bhattacharyya parameters associated with the eavesdroppers that belong to this set. The impact of δ_n^(r) on the reliability performance is shown in Figure 8, which plots the upper-bound in Equation (47) as a function of the blocklength n for different values of β^(r) (a particular δ_n^(r) for each n). For this figure, we set β^(s) = 0.30 and ρ_R = 0.90. As can be seen in Figure 8, the higher the value of β^(r) (the smaller the value of δ_n^(r)), the better the reliability performance of the polar code. This is because δ_n^(r) defines the highest Bhattacharyya parameter associated with legitimate Receiver 1 whose corresponding index will belong to the set L_{X|Y_1}^(n) (recall that this set contains the indices of the entries that the legitimate receivers have to estimate). Hence, it is clear that the upper-bound in Equation (47) decreases as δ_n^(r) decreases (as β^(r) increases). Moreover, as we proved in Section 4.5.3, the reliability performance always improves as n increases.
Finally, Figure 9 graphically represents how the values of the pair (β^(r), β^(s)), or equivalently, the values of (δ_n^(r), δ_n^(s)), impact the rate of the additional secret sequence Φ given in Equation (50). In Figure 9A, we set ρ_R = 0.90 and β^(r) = 0.16, and we represent the rate of Φ as a function of the blocklength n for different values of β^(s). In Figure 9B, we evaluate the rate of Φ as a function of n for different values of β^(r) when ρ_R = 0.90 and β^(s) = 0.30. As mentioned in Section 4.2, this rate tends to be negligible for sufficiently large n. Moreover, according to the polar code construction proposed previously, for a fixed n, the cardinality of the set (H_{X|Y_1}^(n))^C ∩ (L_{X|Y_1}^(n))^C will be higher for larger values of (β^(r), β^(s)), or equivalently, smaller values of (δ_n^(r), δ_n^(s)). Therefore, as can be seen in Figure 9, higher values of (β^(r), β^(s)) also mean a higher rate of the additional secret sequence. In conclusion, Figures 6–9 show that, for a particular value of the blocklength n, there is a trade-off between the reliability or the secrecy performance of the polar code and the length of the additional secret sequence Φ, which can be controlled by the value of β^(r) or β^(s), respectively, in the polar code construction. Moreover, for sufficiently large n, the performance of the polar coding scheme always improves as n increases. Indeed, these figures show that we can transmit at rates very close to the capacity while providing good reliability and secrecy performance levels.

DBC-LD-NLS
For this model, we consider a BS-BC with two legitimate receivers (K = 2) and two eavesdroppers (M = 2). Hence, each individual channel is a BSC with X = Y_k = Z_m = {0, 1} and k, m ∈ {1, 2}. The individual channels are defined simply by their crossover probability, which is denoted by α_{Y_k} for the corresponding legitimate receiver k (P[Y_k = 0|X = 1] = P[Y_k = 1|X = 0] = α_{Y_k}) and α_{Z_m} for the corresponding eavesdropper m (P[Z_m = 0|X = 1] = P[Z_m = 1|X = 0] = α_{Z_m}). Due to the degradedness condition of the broadcast channel given in Equation (1), we have α_{Y_2} < α_{Y_1} < α_{Z_2} < α_{Z_1}. Due to the symmetry of the channel, it is easy to prove by using similar reasoning as in [33] (Ex. 15.6.5) and by properly applying [19] (Proposition 3.2) that the secrecy-capacity achieving distribution p_{VX} satisfies p_V(v) = p_X(x) = 1/2 ∀v, x ∈ {0, 1}, and consequently, p_{X|V} is symmetric. Thus, the distribution p_{X|V} can be characterized simply by the crossover probability α_{X|V} ≜ p_{X|V}(0|1) = p_{X|V}(1|0), where α_{X|V} ∈ [0, 1/2]. Indeed, the overall rate in Proposition 2 is maximized when α_{X|V} = 1/2, which implies that R_1 = 0. Then, by taking α_{X|V} < 1/2, we can transfer part of the rate associated with the message W_2 to the rate R_1, with R_2 = 0 and R_1 being maximum if α_{X|V} = 0. For the simulations, we consider a BS-BC with α_{Y_2} = 0.01, α_{Y_1} = 0.04, α_{Z_2} = 0.2 and α_{Z_1} = 0.35. We set α_{X|V} = 0.1084, which corresponds to the distribution that maximizes ln(R_1) + ln(R_2) for this particular channel (proportional fair allocation). Thus, according to Corollary 2, the maximum achievable rates are R_1 = 0.2507 and R_2 = 0.3254.
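The stated operating point can be reproduced numerically. The superposition-rate formulas below are our assumed reading of Corollary 2 (R_1 = I(V; Y_1) − I(V; Z_2) and R_2 = I(X; Y_2 | V) − I(X; Z_2 | V) with uniform p_V, p_X), which matches the quoted values for α_{X|V} = 0.1084.

```python
import math

def h2(p):
    # binary entropy in bits
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def conv(a, b):
    # crossover probability of two cascaded BSCs: a * b = a(1-b) + b(1-a)
    return a * (1 - b) + b * (1 - a)

aY1, aY2, aZ2, aXV = 0.04, 0.01, 0.20, 0.1084

# Assumed reading of Corollary 2 for the BS-BC with uniform p_V, p_X:
R1 = h2(conv(aXV, aZ2)) - h2(conv(aXV, aY1))                          # I(V;Y1) - I(V;Z2)
R2 = (h2(conv(aXV, aY2)) - h2(aY2)) - (h2(conv(aXV, aZ2)) - h2(aZ2))  # I(X;Y2|V) - I(X;Z2|V)
```

Under this reading, R_1 ≈ 0.2507 and R_2 ≈ 0.3254, and α_{X|V} = 1/2 indeed gives R_1 = 0, as stated in the text.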

Practical Polar Code Construction
Given the blocklength n and the distribution p_{VXY_2Y_1Z_2Z_1} = p_{VX} p_{Y_2Y_1Z_2Z_1|X}, the goal of the polar code construction is to obtain the partition of the universal set [n] defined in Equations (32)–(35) and graphically represented in Figure 5. Hence, we first need to define the sets in Equations (27)–(31); to do so, we must estimate the entropy terms {H(U_1(j)|U_1^{1:j−1})}_{j=1}^n, {H(U_1(j)|U_1^{1:j−1}, Y_k^n)}_{j=1}^n and {H(U_1(j)|U_1^{1:j−1}, Z_m^n)}_{j=1}^n associated with the polar transform U_1^n = V^n G_n of the first layer, as well as {H(U_2(j)|U_2^{1:j−1}, V^n)}_{j=1}^n, {H(U_2(j)|U_2^{1:j−1}, V^n, Y_k^n)}_{j=1}^n and {H(U_2(j)|U_2^{1:j−1}, V^n, Z_m^n)}_{j=1}^n associated with the polar transform U_2^n = X^n G_n of the second layer. In the following, we propose an adaptation of the Monte Carlo method [22] (PCC-1), which is based on the butterfly algorithm described in [7] for SC decoding, to directly estimate these entropy terms.
Monte Carlo method to estimate the entropy terms. First, consider the entropy terms associated with the first layer. As for the previous model, since p_V(v) = 1/2, we have H(U_1(j)|U_1^{1:j−1}) = 1 for all j ∈ [n]. To estimate {H(U_1(j)|U_1^{1:j−1}, Y_k^n)}_{j=1}^n and {H(U_1(j)|U_1^{1:j−1}, Z_m^n)}_{j=1}^n for some k, m ∈ {1, 2}, we run the Monte Carlo simulation as follows. First, due to the symmetry of the channel and the symmetry of p_{X|V}, as in [22] (PCC-1), we can set v^n = u_1^n = 0^n at each iteration. For the realization τ ∈ [1, N_τ], N_τ being the number of realizations, we randomly generate y_k^{n(τ)} and z_m^{n(τ)} from p_{Y_k^n|V^n} and p_{Z_m^n|V^n}, respectively (by abuse of notation, we use (τ) in any sequence a^{n(τ)} to emphasize that it is generated at iteration τ ∈ [1, N_τ]). Next, we obtain the corresponding log-likelihood ratios, which the algorithm computes recursively. Consider now the entropy terms {H(U_2(j)|U_2^{1:j−1}, V^n)}_{j=1}^n, {H(U_2(j)|U_2^{1:j−1}, V^n, Y_k^n)}_{j=1}^n and {H(U_2(j)|U_2^{1:j−1}, V^n, Z_m^n)}_{j=1}^n for any k, m ∈ {1, 2} associated with the second layer. To obtain {H(U_2(j)|U_2^{1:j−1}, V^n)}_{j=1}^n, we can see X and V as the input and output random variables, respectively, of a symmetric channel with distribution p_{V|X}; although p_X is uniform, these terms must be estimated because of the conditioning on V^n. To obtain {H(U_2(j)|U_2^{1:j−1}, V^n, Y_k^n)}_{j=1}^n and {H(U_2(j)|U_2^{1:j−1}, V^n, Z_m^n)}_{j=1}^n, we can see (V, Y_k) or (V, Z_m) as the output of a symmetric channel with distribution p_{VY_k|X} or p_{VZ_m|X}, respectively, where notice that p_{VY_k|X} = p_{V|X} p_{Y_k|X} and p_{VZ_m|X} = p_{V|X} p_{Z_m|X} because V − X − Y_k − Z_m forms a Markov chain. Hence, due to the symmetry of the previous distributions, we can set x^n = u_2^n = 0^n at each iteration. Then, for the realization τ ∈ [1, N_τ], we draw v^{n(τ)}, y_k^{n(τ)} and z_m^{n(τ)} from the distributions p_{V^n|X^n}, p_{Y_k^n|X^n} and p_{Z_m^n|X^n}, respectively. Next, we obtain the log-likelihood ratios {L_{V|X}^{(τ)}(j)}_{j=1}^n, {L_{VY_k|X}^{(τ)}(j)}_{j=1}^n and {L_{VZ_m|X}^{(τ)}(j)}_{j=1}^n by using [22] (PCC-1). Since each conditional entropy term can be obtained from the corresponding log-likelihood ratios, after N_τ realizations we can estimate the entropy terms by computing the empirical mean.
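The Monte Carlo idea can be made concrete for a plain BSC (first-layer-style terms). This is our own self-contained sketch: the genie-aided all-zero assumption is valid by symmetry, as in [22] (PCC-1), and the recursive LLR combination below plays the role of the butterfly algorithm of [7]; the resulting bit-index ordering is the natural recursive one.

```python
import math, random

def f_op(a, b):
    # "check-node" LLR combination for the degraded (minus) polarized channel
    return 2.0 * math.atanh(math.tanh(a / 2.0) * math.tanh(b / 2.0))

def sc_llrs(L):
    # Genie-aided SC recursion assuming the all-zero input (valid for symmetric
    # channels): returns the decision LLR of each U(j) given U^{1:j-1} = 0 and
    # the channel observations. With all-zero bits, the plus branch is a sum.
    n = len(L)
    if n == 1:
        return [L[0]]
    minus = [f_op(L[2 * i], L[2 * i + 1]) for i in range(n // 2)]
    plus = [L[2 * i] + L[2 * i + 1] for i in range(n // 2)]
    return sc_llrs(minus) + sc_llrs(plus)

def mc_entropies(n, alpha, n_trials, seed=0):
    # Monte Carlo estimate of {H(U(j)|U^{1:j-1}, Y^n)} for a BSC(alpha):
    # average -log2 p(U(j)=0 | u^{1:j-1}=0, y^n) over random noise realizations.
    rng = random.Random(seed)
    llr0 = math.log((1 - alpha) / alpha)
    est = [0.0] * n
    for _ in range(n_trials):
        chan = [llr0 if rng.random() > alpha else -llr0 for _ in range(n)]
        for j, L in enumerate(sc_llrs(chan)):
            est[j] += -math.log2(1.0 / (1.0 + math.exp(-L)))
    return [e / n_trials for e in est]
```

A useful sanity check is the chain rule: the estimated terms must sum to approximately H(X^n|Y^n) = n·h(α), while the individual terms polarize toward 0 and 1.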
Partition of the universal set [n]. In order to provide more flexibility in the design, we now introduce the parameters (β^(1,r), β^(1,s)) for the first layer and (β^(2,r), β^(2,s), β^(2,L), β^(2,H)) for the second one, which play the role of the pair (β^(r), β^(s)) in the previous model.

Performance Evaluation
First, notice that the encoding at the first layer induces a distribution q̃_{V^n} = p_{V^n}. For the second layer, however, the entries U_2[H_{X|V}^(n)] are drawn by SC encoding. Therefore, according to Lemma 3 and Remark 6, we will have V(q̃_{V^nX^nY_2^nY_1^nZ_2^nZ_1^n}, p_{V^nX^nY_2^nY_1^nZ_2^nZ_1^n}) ≠ 0 for finite n. Since, as seen in Section 5.5, this total variation distance impacts the performance, we first obtain an upper-bound d_TV^ub on this distance. Due to the symmetry of p_{V|X}, the probabilities p_{U_2(j)|U_2^{1:j−1} V^n} can be obtained with low complexity using the butterfly algorithm described in [7]. Consider now d_TV^ub(H), which corresponds to the analytic bound found in Lemma A1. We can compute the Kullback–Leibler divergence exactly, as in Equation (A3), by using the corresponding entropy terms obtained in the polar code construction, and then apply Pinsker's inequality. According to the polar code construction, the cardinalities of the sets L_{X|V}^(n) and H_{X|V}^(n) are fixed for a particular n. Hence, the value of d_TV^ub can be controlled by adjusting (β^(2,L), β^(2,H)): it is clear that higher values of (β^(2,L), β^(2,H)) mean lower cardinalities of these sets. To evaluate the reliability performance, we apply [27] (Proposition 2) to upper-bound the Bhattacharyya parameters from the entropy terms, which leads to the bounds in Equations (53) and (54). To evaluate the secrecy performance, we compute an upper-bound I^ub(W_1, W_2; F_1, F_2, Z̃_2^n) on the information leakage I(W_1, W_2; F_1, F_2, Z̃_2^n) for Eavesdropper 2; from Equation (45), we obtain the bound in Equation (55). Due to the degradedness condition of the BS-BC and, consequently, by Lemma 1, the information leakage at Eavesdropper 1 will always be less than the one at Eavesdropper 2.
Finally, we evaluate the overall rate of the additional sequences {Φ_1, Φ_2} by computing Equation (56). The performance of the polar coding scheme is graphically shown in Figure 10. As for the previous model, let ρ_R be the normalized target rate at which the polar coding scheme operates. In Figure 10A, we evaluate the upper-bound I_0^ub(W_1, W_2; F_1, F_2, Z̃_2^n), which corresponds to the upper-bound on the information leakage defined in Equation (55) when we consider d_TV^ub = 0, as a function of the blocklength n for different values of ρ_R. For this plot, we set β^(1,s) = 0.30 and β^(2,s) = 0.36. Notice that (β^(1,r), β^(2,r)) and (β^(2,L), β^(2,H)) will not impact the information leakage if we set d_TV^ub = 0. As we have proven in Section 5.5.4, the secrecy performance improves as n increases. Moreover, to satisfy a particular secrecy performance level, the polar code will need higher values of n as the target rates approach the capacity.
In Figure 10B, we evaluate the upper-bounds P_{b,0}^{ub(1)} and P_{b,0}^{ub(2)}, which correspond to the bounds on the average bit error probability at legitimate Receivers 1 and 2, respectively, when we set d_TV^ub = 0, as a function of the blocklength n. For this plot, we set β^(1,r) = β^(2,r) = 0.24, and notice that the reliability performance does not depend on the values of (β^(1,s), β^(2,s)) and ρ_R. If we set d_TV^ub = 0, then it is clear that it does not depend on (β^(2,L), β^(2,H)) either. As shown theoretically in Section 5.5.3, the error probability becomes lower as the blocklength n increases. Figure 10C plots the overall rate of the additional secret sequences computed as in Equation (56) when we set β^(1,r) = β^(2,r) = 0.24, β^(1,s) = 0.30 and β^(2,s) = 0.36. As mentioned in Section 5.2, we can see that this rate tends to be negligible for n sufficiently large. Finally, Figure 10D shows that the bound d_TV^ub(H) in Equation (52) can be too loose for n not sufficiently large. Consider the impact of d_TV^ub on the reliability performance of the code. The average error probability bounds in Equations (53) and (54) are modeled as the sum of two terms, one depending directly on d_TV^ub and the other depending on the polar construction (which has been plotted in Figure 10B). Since d_TV^ub(H) is too loose, the reliability performance of the code will in practice be governed by the bound d_TV^ub for small values of the blocklength n. Now, consider the impact of d_TV^ub on the secrecy performance of the code. The bound on the information leakage in Equation (55) is modeled as the sum of two terms, one also depending only on the polar code construction (which has been plotted in Figure 10A) and the other depending on d_TV^ub. However, in this situation, d_TV^ub impacts the information leakage approximately as n · d_TV^ub, which means that this term will totally govern the secrecy performance.
Recall that this term follows from Equation (44), which bounds the impact of the encoding in Equation (36) on the conditional entropy term of the information leakage as a function of the total variation distance. Hence, we can conclude that this bound, which follows from applying [30] (Lemma 2.9), can be too loose for n not sufficiently large.

Conclusions
We have described two polar coding schemes for two different models over the degraded broadcast channel: DBC-NLD-LS and DBC-LD-NLS. For both models, we have proven that the proposed polar coding schemes are asymptotically secrecy-capacity achieving, providing reliability and strong secrecy simultaneously. Then, we have discussed how to construct these polar codes in practice, and we have evaluated their performance for a finite blocklength by means of simulations. Although several polar code construction methods have been proposed in the literature, this paper, as far as we know, is the first to discuss practical constructions when the polar code must satisfy both reliability and secrecy constraints. In addition, we have evaluated the secrecy performance of the polar codes in terms of strong secrecy, which has been possible by obtaining an upper-bound on the corresponding information leakage at the eavesdroppers. Indeed, we have shown that the proposed polar coding schemes can perform well in practice for a finite blocklength.
The criteria we have chosen for designing the polar codes are: to provide reliability and strong secrecy in one block of size n by using only a secret key that is negligible in terms of rate and to minimize the amount of random decisions for the SC encoding. For the first purpose, we have introduced the source of common randomness, and we have avoided the use of the chaining construction given in [9] (which is possible due to the degraded nature of the broadcast channel); for the second one, we have adapted the deterministic SC encoding given in [20]. These two types of randomness have different implications on the practical design: while the common randomness is uniformly distributed and can be provided by the communication system, the randomness for SC encoding is not and must be drawn by the encoder. In communication scenarios requiring several transmissions of size n, we have shown that one realization of the common randomness can be reused without worsening the performance.
Despite the good performance of the polar coding schemes, some issues still persist. How to avoid the transmission of the additional secret sequences is a problem that remains open. Despite the length of the required secret key being asymptotically negligible in terms of rate, these additional transmissions can be problematic in practical scenarios. As pointed out in Remark 4, one can adopt the chaining construction in [9] to further reduce the length of these sequences, but this requires the transmission to take place over several blocks of size n and a very large memory capacity at the transmitter or receiver side. Furthermore, despite the rate of randomness required for SC encoding being negligible, how to replace the random decisions entirely by deterministic ones is a problem that still remains unsolved. Another open problem is how to avoid the use of the common randomness, which would allow keyless secret communication over a single block of size n (keyless in the sense that the rate of the required secret key is negligible). Finally, to design polar codes based on the proposed performance evaluation, it seems necessary to find tighter upper-bounds on the total variation distance between the distribution induced by the encoder and the original distribution used in the code construction, particularly for the term that models the impact of storing uniformly-distributed sequences. Also, for the secrecy performance, it would be interesting to find a tighter upper-bound to evaluate the impact of the total variation distance on the information leakage.
Lastly, it is worth mentioning that having to know the statistics of the eavesdropper channels for the polar code construction may seem problematic. Nevertheless, for the polar code construction, one can consider virtual eavesdroppers with some target channel qualities. For DBC-LD-NLS, we can design a polar code according to the statistics of this virtual eavesdropper, and due to the degradedness condition of the channel, this code will perform well if the real eavesdroppers have worse channel quality (worst-case design). On the other hand, for the DBC-NLD-LS, one can simply consider different levels of secrecy depending on different target channel qualities. Depending on the channel quality of the real eavesdropper with respect to the virtual ones considered for the design, the polar coding scheme will provide a particular secrecy performance level.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

Appendix A
Consider a DMS (V_1 × · · · × V_L × Y_K × · · · × Y_1 × Z_M × · · · × Z_1, p_{V_1...V_L Y_K...Y_1 Z_M...Z_1}) whose joint distribution satisfies the Markov chain condition V_1 − · · · − V_L − Y_K − · · · − Y_1 − Z_M − · · · − Z_1. Consider an i.i.d. n-sequence (V_1^n, . . . , V_L^n, Y_K^n, . . . , Y_1^n, Z_M^n, . . . , Z_1^n) of this DMS, n being any power of two. We define the polar transforms (U_1^n, . . . , U_L^n), where U_ℓ^n ≜ V_ℓ^n G_n for each ℓ ∈ [1, L], and the sets in Equations (27) and (28), where V_0 = U_0 ≜ ∅. Let V_L ≜ X; if L = 1, notice that this DMS is the one considered for the code construction of the DBC-NLD-LS. Otherwise, if L = K, it is the one considered for the DBC-LD-NLS. Now, consider the polar encoding procedures described for both models in Sections 4.2 and 5.2, and let q̃_{U_1^n...U_L^n} be the joint distribution of (Ũ_1^n, . . . , Ũ_L^n) after the encoding; for both models, it takes the same form. Additionally, consider another encoding process that constructs (Ǔ_1^n, . . . , Ǔ_L^n) by omitting the use of the deterministic arg max function and instead sampling Ǔ_ℓ(j) from the corresponding conditional distribution. First, the following lemma shows that the resulting joint distributions are nearly statistically indistinguishable from p_{U_1^n...U_L^n} for sufficiently large n.
Hence, by Lemma A1, Lemma A2 and by applying the triangle inequality, we obtain: