Optimizing Finite-Blocklength Nested Linear Secrecy Codes: Using the Worst Code to Find the Best Code

Abstract

Nested linear coding is a widely used technique in wireless communication systems for improving both security and reliability. Some parameters, such as the relative generalized Hamming weight and the relative dimension/length profile, can be used to characterize the performance of nested linear codes. In addition, the rank properties of generator and parity-check matrices can also precisely characterize their security performance. Despite this, finding optimal nested linear secrecy codes remains a challenge in the finite-blocklength regime, often requiring brute-force search methods. This paper investigates the properties of nested linear codes, introduces a new representation of the relative generalized Hamming weight, and proposes a novel method for finding the best nested linear secrecy code for the binary erasure wiretap channel by working from the worst nested linear secrecy code in the dual space. We demonstrate that our algorithm significantly outperforms the brute-force technique in terms of speed and efficiency.

1. Introduction

The wiretap channel introduced by Wyner in [1] and later generalized by Csiszár and Körner in [2] is the most fundamental channel model that has been used to study broadcast security problems in the context of information theory. One version of this channel model is depicted in Figure 1, where the confidential communication occurring over a discrete memoryless main channel is observed by an eavesdropper who has access to a noisy version of the channel input. Later, in [3], Ozarow and Wyner introduced the wiretap channel type II, wherein the eavesdropper is able to select the positions of revealed bits, and they provided a secure coding technique based on coset codes. These channel models have been studied by many authors from the perspectives of security, reliability, and coding construction [4,5,6].

In recent years, coset coding has emerged as an important coding technique in the context of the finite-blocklength regime [7,8,9]. In this regime, the design of the code plays a critical role in achieving high communication rates while balancing the tradeoff between complexity and performance. The effectiveness of coset coding in the finite-blocklength regime has been demonstrated in a wide range of applications, including wiretap channels, broadcast channels, and multiple-access channels [10,11,12,13,14].

The nested linear code construction was first presented in [15] to generate a diluted version of the original coset code. Later, in [16,17], the authors proposed a secure error-correcting code based on the nested code construction for the wiretap channel type II, and in [18] the authors considered nested codes based on low-density parity-check (LDPC) codes for the original wiretap channel when both the eavesdropper and main channels are binary erasure channels (BECs).

Generalized Hamming weights (GHW) and the dimension/length profile (DLP), which were first introduced in [19,20], respectively, were two of the first parameters of linear block codes that could be used to characterize the performance of the original linear coset codes, especially over a wiretap channel of type II. Numerous papers have investigated these parameters on various linear codes [21,22,23,24,25,26]. Later, the authors of [16,27] extended these two parameters to nested coding constructions and defined two new formats for them: the relative generalized Hamming weight (RGHW) and relative dimension/length profile (RDLP), which can be used to characterize the security and error-correction performance of nested linear codes. Further studies have shown that with the rank properties of generator and parity-check matrices, the performance of linear codes can also be precisely characterized [28,29,30]. In [29], we utilized rank properties to create and develop a tool for analyzing finite-blocklength wiretap codes based on coset coding over erasure channels, known as an equivocation matrix.

Designing the most secure nested linear codes, referred to as nested linear secrecy codes, to achieve optimal performance in the-finite blocklength regime is still a challenging task, and there is currently no single solution for creating the best codes in this scenario. Identifying these optimal codes would facilitate a comparison of the tradeoffs between complexity and performance for different codes, providing a benchmark for the optimality of other wiretap code designs.

1.1. Our Contributions

This paper explores the characteristics of nested linear codes in a wiretap channel model where both the main and eavesdropper channels are BECs. A novel approach is proposed to find the optimal nested linear secrecy codes by using a dual relationship between nested linear codes and their dual codes. Essentially, we demonstrate that instead of searching for the best code directly, it can be found by starting with the worst nested linear secrecy code from the dual space, which is easy to identify. The results demonstrate an efficient and fast technique for finding optimal nested linear secrecy codes.

The main contributions of this work can be summarized as follows:

• New representation of RGHW: We introduce a new representation of the relative generalized Hamming weight (RGHW) by analyzing the rank properties of parity-check matrices. This innovative approach enables us to accurately predict the security performance of nested linear codes based on rank properties.
• Equivalence condition evaluation: A comprehensive evaluation of the equivalence codes for nested linear codes is conducted, along with an exploration of its associated properties.
• Exploration of equivocation curves: We explore and evaluate the equivocation curves of nested linear codes. Notably, we discover that these curves can exhibit both convex and concave characteristics simultaneously, a novel observation in the field. This discovery presents an exciting opportunity to concentrate on codes that effectively balance both secrecy and reliability constraints.
• Efficient algorithm for best code identification: The main contribution of this paper lies in the development of an algorithm that efficiently identifies the best nested linear secrecy codes. This algorithm surpasses conventional methods in terms of speed and effectiveness.

These contributions not only enrich our understanding of nested linear codes but also enhance their design and deployment for diverse applications.

1.2. Organization of the Paper

The rest of the paper is organized as follows. Section 2 consists of preliminary details about the channel model and nested linear coding structure. Section 3 introduces a new expression of the generalized Hamming weight that can be used to quantify the performance of nested linear codes. We also present some properties of nested linear codes in this section. Section 4 describes the behavior of equivocation curves of the nested linear codes. The novel algorithm for finding the best nested linear secrecy codes is explained in Section 5. Section 6 presents a numerical example. In Section 7, we evaluate the complexity of our proposed algorithm. Finally, in Section 8, we present our conclusion.

2. Preliminaries

2.1. Notation

In this paper, capital letters represent random variables and matrices, lowercase letters represent realizations of these random variables, and calligraphic letters indicate the discrete alphabets associated with the random variables. The distributions $p\left(x\right)$ and $p\left(y\right|x)$ are probability mass functions. The length of vectors is denoted by superscripts, and sets used as subscripts on matrices specify sub-matrices that include only the columns indexed in the set, i.e., ${\left(H_1\right)}_U$ is the sub-matrix of $H_1$ made up of only the columns with indices in the set U. All vectors are row vectors, and all codes are binary. The notation $〚1,\gamma 〛$ represents a series of integers ranging from 1 to $\gamma$, where $\gamma \ge 1$. The set ${\mathcal{R}}^n$ represents all possible revealed-bit patterns over n transmitted bits by containing all subsets of $〚1,n〛$, whereas the set $J\setminus r$ indicates the set difference operation and is often read as J delete r.

2.2. Channel Models

Consider the wiretap channel model in Figure 1. The channels between Alice and Bob and Alice and Eve can be any discrete memoryless channels, but for the purposes of this work, we assume that both channels are BECs, with erasure probabilities of ${ϵ}_m$ and ${ϵ}_e$ for the main and eavesdropper channels, respectively. In this model, Alice wants to transmit a secret message $M^k$, which is assumed to be chosen uniformly at random from the alphabet $\mathcal{M}={\mathbb{F}}_2^k$, to Bob through the main channel and wishes to keep it secret as much as possible from a passive eavesdropper (Eve). To achieve this, Alice converts $M^k$ into an n-bit binary codeword $X^n$. The encoding is an invertible one-to-many mapping. This means that no more than one message can be mapped into the same codeword, but each message can be encoded to one of several possible codewords. Bob and Eve observe a noisy version of the transmitted codeword $X^n$ through each of their channels, which are denoted by $Y^n$ and $Z^n$, respectively. Thus, ${\mathcal{Y}}^n={\mathcal{Z}}^n={\{0,1,?\}}^n$.

There are two main constraints when utilizing coding over this type of wiretap channel.

• Reliability constraint for Bob: $Pr(M\ne \widehat{M})<{\delta }_r$;
• Security constraint for Eve: $\mathbb{I}(M;Z^n)<{\delta }_s$.

Here, ${\delta }_r$ and ${\delta }_s$ are the desired secrecy and reliability levels, respectively, which can be defined by the system designer. Concisely, the encoding function that maps secret message $M^k$ to codeword $X^n$ should be such that Bob can decode $M^k$ from $Y^n$ reliably, and at the same time, Eve receives as little information as possible about $M^k$ from $Z^n$. The level of secrecy achieved by a code can be quantified by either the average equivocation

$$\mathbb{H}\left(M^k\right|Z^n)=\sum _{z\in \mathcal{Z}}p\left(z^n\right)\mathbb{H}\left(M^k\right|Z^n=z^n),$$

(1)

or the average leakage

$$\mathbb{I}(M^k;Z^n)=\mathbb{H}\left(M^k\right)-\mathbb{H}\left(M^k\right|Z^n).$$

(2)

Both of these information-theoretic functions are used to evaluate the performance of a wiretap code in terms of its secrecy. As a result, in this scenario, it is preferable to minimize the average leakage $\mathbb{I}(M^k;Z^n)$ or maximize the average equivocation $\mathbb{H}\left(M^k\right|Z^n)$, while also enhancing Bob’s error-correction capabilities, which can be achieved by reducing $\mathbb{H}\left(M^k\right|Y^n)$.

2.3. Nested Linear Codes

The fundamental concept behind the nested linear coding approach is to partition the main code into sub-codes and employ $n-k$ overhead bits to aid in secrecy or reliability as desired. The information rate between Alice and Bob is $R=k/n$. Let the number of overhead bits assigned to reliability and secrecy be $\alpha$ and l, respectively, and let

$$n=k+\alpha +l.$$

(3)

Let ${\mathcal{C}}_0$ be an $(n,k+l)$ linear block code and ${\mathcal{C}}_1$ be an $(n,l)$ linear block code. Then, the nested linear code (${\mathcal{C}}_0$, ${\mathcal{C}}_1$) is defined, where ${\mathcal{C}}_0$ is a fine code with rate $R_0$ and ${\mathcal{C}}_1$ is a coarse code with rate $R_1$, where $R_1\le R_0$, satisfying

$${\mathcal{C}}_1\subseteq {\mathcal{C}}_0,$$

(4)

which means that each codeword of ${\mathcal{C}}_1$ is also a codeword of ${\mathcal{C}}_0$. Let the $l\times n$ matrix $G_1$ be the generator matrix, and the $(n-l)\times n$ matrix $H_1$ be the parity-check matrix for ${\mathcal{C}}_1$. The generator matrix $G_0$ is defined as follows:

$$G_0=\left[\begin{array}{c}{G}^{\prime }\\ G_1\end{array}\right],$$

(5)

where $G^{\prime }$ is comprised of k linearly independent rows from ${\mathbb{F}}_2^n$ that are not in ${\mathcal{C}}_1$ and make $G_0$ a full-rank matrix. The parity-check matrix $H_1$ also consists of two sub-matrices such that

$$H_1=\left[\begin{array}{c}{H}^{\prime }\\ H_0\end{array}\right],$$

(6)

where $H_0$ is $\alpha \times n$ and forms a basis for the dual space of the rowspace of $G_0$. The dimension of the sub-matrix $H^{\prime }$ is $k\times n$. It is important to note that according to the algebraic properties of nested linear codes, $G_0{\left(H_0\right)}^T=0$ and $G_1{\left(H_1\right)}^T=0$.

The encoding process begins by selecting an auxiliary message $m^{\prime }$ uniformly at random from ${\mathbb{F}}_2^l$ and then computing

$$\begin{array}{cc}\hfill x^n& =\left[\begin{array}{cc}m& m^{\prime }\end{array}\right]G_0=\left[\begin{array}{cc}m& m^{\prime }\end{array}\right]\left[\begin{array}{c}{G}^{\prime }\\ G_1\end{array}\right]\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill & =m{G}^{\prime }\oplus m^{\prime }{G}_1,\hfill \end{array}$$

(8)

where m is a k-bit secret message. Now, the fine code ${\mathcal{C}}_0$ is randomly partitioned into $2^k$ disjoint subsets (cosets). The term $m{G}^{\prime }$ selects the coset, and the term $m^{\prime }{G}_1$ selects the specific codeword from the corresponding coset at random.

Bob uses the following decoding approach to retrieve $M^k$ from $Y^n$. First, Bob recovers as many erased bits as possible using the parity-check matrix $H^{\prime }$ and obtains an estimated version ${\widehat{X}}^n$ of $X^n$ [31]. Assuming ${\widehat{X}}^n=X^n$, then Bob’s decoder computes the syndrome S of ${\widehat{X}}^n$ as

$$\begin{array}{cc}\hfill s& =\widehat{x}{\left(H_0\right)}^T=m{G}^{\prime }{\left(H_0\right)}^T\oplus m^{\prime }{G}_1{\left(H_0\right)}^T\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill & =m{G}^{\prime }{\left(H_0\right)}^T.\hfill \end{array}$$

(10)

It is possible to choose matrices such that $G^{\prime }{\left(H_0\right)}^T$ is the $k\times k$ identity; therefore, $s=m$ [32].

To achieve reliability and/or security, both codes ${\mathcal{C}}_0$ and ${\mathcal{C}}_1$ need to meet specific requirements. In this case, the fine code is primarily responsible for ensuring reliability, while the coarse code is utilized for security purposes. The following section will explore different properties of nested linear codes and examine several parameters that measure the performance of such codes.

3. Performance Parameters

This section explores practical metrics to measure the performance of nested linear codes and examines their properties. Consider the $(n,n-l)$ and $(n,n-k-l)$ dual codes of ${\mathcal{C}}_1$ and ${\mathcal{C}}_0$ and call them ${\mathcal{C}}_1^{\perp }$ and ${\mathcal{C}}_0^{\perp }$, respectively. ${\mathcal{C}}_1^{\perp }$ uses $H_1$ as the generator matrix and $G_1$ as the parity-check matrix. Hence, the nested linear code $({\mathcal{C}}_1^{\perp }$, ${\mathcal{C}}_0^{\perp })$ is the dual code of $({\mathcal{C}}_0$, ${\mathcal{C}}_1)$. In the dual space, ${\mathcal{C}}_1^{\perp }$ serves as the fine code, and ${\mathcal{C}}_0^{\perp }$ is the coarse code. The information rate of the nested linear code in both spaces will not change and remains $k/n$. However, the secrecy and reliability overhead bits will change in the different spaces. In the dual space, $\alpha$ and l represent the number of security and reliability bits, respectively [30].

3.1. RGHW and RDLP

As previously stated, RGHW and RDLP are extended versions of the GHW and DLP, which can be utilized to characterize the security performance of nested linear codes over the wiretap channel of type II. Let J be a subset of $〚1,n〛$. A new representation for the RGHW of the nested linear codes can be given as follows.

Proposition 1.

The $\tau$th relative generalized Hamming weight of the nested code $({\mathcal{C}}_0,{\mathcal{C}}_1)$ can be written as

$$\begin{array}{cc}\hfill & M_{\tau }=\underset{1\le \tau \le R_0-R_1}{min}\left\{\right|J|:\mathrm{rank}\left({\left(H_1\right)}_J\right)-\mathrm{rank}\left({\left(H_0\right)}_J\right)\ge \tau \}\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill & =n-max\left\{\right|r\left(z^n\right)|:{\log }_2{N}_0\left[r\left(z^n\right)\right]-{\log }_2{N}_1\left[r\left(z^n\right)\right]\ge \tau \},\hfill \end{array}$$

(12)

where $r\left(z^n\right)$ is a revealed-bit pattern over the erasure channel and $N_0\left[r\left(z^n\right)\right]$ and $N_1\left[r\left(z^n\right)\right]$ are the number of codewords in ${\mathcal{C}}_0$ and ${\mathcal{C}}_1$, respectively, that have zeros for all bit locations in the indexed set $r\left(z^n\right)$.

Proof. 

In [33], we showed that

$$\mathbb{H}\left(M\right|Z^n=z^n)={\log }_2{N}_0\left[r\left(z^n\right)\right]-{\log }_2{N}_1\left[r\left(z^n\right)\right],$$

(13)

Since $\left|r\right(z^n\left)\right|$ represents the maximum number of bits that can be revealed while still maintaining at least $\tau$ bits of equivocation, the total number of bits minus the maximum revealed bits must equal the minimum number of bits that must be leaked to reveal at least $\tau$ bits of information, and the expression (12) is valid. Thus, Equations (11) and (12) represent two equivalent expressions for the $\tau$th relative generalized Hamming weight of the nested linear code. □

3.2. Rank Properties and the Equivocation Matrix

Let $r\left(z^n\right)=\{i:z_i\ne ?\}$, where $z_i$ is the observation of the ith bit of the codeword x over the eavesdropper’s BEC and $“?”$ denotes an erased bit. Also, let $I=〚1,n〛$. According to the results of [30,33], we showed that the exact equivocation for the observation $z^n$ over a binary erasure channel (BEC), given the coding scheme presented in Section 2.3, is

$$\begin{array}{cc}\hfill \mathbb{H}\left(M\right|Z^n=z^n)& =k-\mathrm{rank}\left[{\left(G_0\right)}_{r\left(z^n\right)}\right]+\mathrm{rank}\left[{\left(G_1\right)}_{r\left(z^n\right)}\right]\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill & =\mathrm{rank}\left[{\left(H_1\right)}_{I\setminus r\left(z^n\right)}\right]-\mathrm{rank}\left[{\left(H_0\right)}_{I\setminus r\left(z^n\right)}\right].\hfill \end{array}$$

(15)

Thus, in terms of code design for security and reliability, a revealed-bit pattern $r\left(z^n\right)$ is secure if and only if $\mathrm{rank}\left({\left(G_0\right)}_{r\left(z^n\right)}\right)=\mathrm{rank}\left({\left(G_1\right)}_{r\left(z^n\right)}\right)$. Furthermore, for reliability, the message information is obtained if and only if $\mathrm{rank}\left({\left(G_0\right)}_{r\left(z^n\right)}\right)-\mathrm{rank}\left({\left(G_1\right)}_{r\left(z^n\right)}\right)=k$. The following definition is from [30].

Definition 1.

The $(k+1)\times (n+1)$ equivocation matrix A for the linear block code $\mathcal{C}$ is a matrix where each entry ($a_{e,\mu }$) counts the number of revealed-bit patterns of size μ that maintain e bits of equivocation.

There are $\left(\genfrac{}{}{0pt}{}{n}{\mu }\right)$ different patterns that can be used to reveal $\mu$ bits of n transmitted codeword bits over the erasure channel, and the bottom left entry of A is $a_{0,0}$.

3.3. Equivalence of Nested Linear Codes

Lemma 1.

Let $({\mathcal{C}}_0^{*},{\mathcal{C}}_1^{*})$ and $({\mathcal{C}}_0^{⊛},{\mathcal{C}}_1^{⊛})$ be two nested linear codes with generator matrices $G_0^{*}$ and $G_0^{⊛}$, respectively. These two nested linear codes are equivalent if there exist two invertible scrambling matrices $F_1$ and $F_2$ and permutation matrix P, such that

$$G_0^{⊛}=\left[\begin{array}{cc}{F}_1& \underset{¯}{0}\\ \underset{¯}{0}& F_2\end{array}\right]\times G_0^{*}\times P,$$

(16)

where $F_1$ and $F_2$ are $k\times k$ and $l\times l$ full-rank matrices, respectively, and $\underset{¯}{0}$ is a zero matrix.

Note that, in general, codes are equivalent if the sets of codewords are the same up to the permutation of bit order in the codewords.

Proof. 

We know that the space spanned by the rows of $G_1^{*}$ is the same as the space spanned by the rows of $F_2{G}_1^{*}$ (and similarly for the space spanned by the rows of ${G^{\prime }}^{*}$ and $F_1{G^{\prime }}^{*}$). The multiplication by P changes only the order of bits in codewords and the mapping of specific messages to specific codewords but achieves equivalence. □

Lemma 2.

If generator matrices $G_0^{*}$ and $G_0^{⊛}$ correspond to respective equivalent nested codes $({\mathcal{C}}_0^{*},{\mathcal{C}}_1^{*})$ and $({\mathcal{C}}_0^{⊛},{\mathcal{C}}_1^{⊛})$, then the RGHW, RDLP, and equivocation matrices for the two codes are identical.

Proof. 

According to Lemma 1, two nested linear codes $({\mathcal{C}}_0^{*},{\mathcal{C}}_1^{*})$ and $({\mathcal{C}}_0^{⊛},{\mathcal{C}}_1^{⊛})$ are equivalent if $G_0^{*}$ can be converted into $G_0^{⊛}$ using simple linear operations over rows and/or column pivots. These basic operations produce the same set of codewords from the new generator matrices up to a consistent bit permutation in the codeword sets. Thus, (11) and (12) are the same for both codes for all $\tau$, and the equivalence for the RDLP is similarly trivial. For the equivalence of equivocation matrices, every $r\left(z^n\right)$ for code $({\mathcal{C}}_0^{*},{\mathcal{C}}_1^{*})$ maps to a unique revealed-bit pattern for $({\mathcal{C}}_0^{⊛},{\mathcal{C}}_1^{⊛})$ of the same size such that (14) is equivalent. □

Previous research, including [16,17], has analyzed the bounds on the RGHW and RDLP of nested linear codes $({\mathcal{C}}_0,{\mathcal{C}}_1)$ to aid in constructing nested linear secrecy codes. Furthermore, studies such as [29,30] enable comparisons between the performance of nested linear codes on specific sizes. Even with these results, the challenge of finding optimal nested linear secrecy codes remains unsolved and requires a brute-force search.

4. Concavity and Convexity of Equivocation Curves

The equivocation quantifies Bob and Eves’ uncertainty about the secret message $M^k$ after observing $Y^n$ and $Z^n$, respectively. We may want to maximize the equivocation for security constraints or minimize it for reliability limitations, depending on the system requirements. In the noiseless main channel model where reliability constraints are not considered and all overhead bits are allocated for security purposes, the equivocation of the nested linear code $({\mathcal{C}}_0,{\mathcal{C}}_1)$ is always a concave function of $ϵ$ [32]. However, when both reliability and security are important, such as in the case of a noisy main channel, our simulation results indicate a different behavior compared to the noiseless main channel case.

Lemma 3.

Consider the nested linear code $({\mathcal{C}}_0,{\mathcal{C}}_1)$ of rate $R_0$ and $R_1$, respectively. Assume that this pair of linear codes is used to transmit a k-bit message m over the binary erasure wiretap channel. The equivocation curve that can be achieved by nested coding construction can be concave, convex, or both as a function of ϵ.

The proof follows directly from Theorem 2.7.4 [34] and is included here for completeness.

Proof. 

$\mathbb{H}\left(M\right)$ is a concave function of $p\left(m\right)$, and

$$\begin{array}{cc}\hfill \mathbb{I}(M^k;Z^n)=\mathbb{I}(Z^n;M^k)& =\mathbb{H}\left(Z^n\right)-\mathbb{H}\left(Z^n\right|M^k)\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill & =\mathbb{H}\left(Z^n\right)-\sum _{m}p\left(m\right)\mathbb{H}\left(Z^n\right|M^k=m).\hfill \end{array}$$

(18)

If $p\left(z\right|m)$ is fixed, then $p\left(z\right)$ is a linear function of $p\left(m\right)$; hence, $\mathbb{H}\left(Z^n\right)$ is also a concave function of $p\left(m\right)$, and the second term of (17) is a linear function of $p\left(m\right)$. The difference is then a concave function of $p\left(m\right)$. Moreover, the conditional entropy $\mathbb{H}\left(Z^n\right|M^k)$ of $p\left(z\right|m)$ for a fixed $p\left(m\right)$ will be concave, and the difference of two concave functions can either be concave, convex, or both. □

Simulation results show that there are indeed three distinct equivocation curve behaviors for nested linear codes $({\mathcal{C}}_0,{\mathcal{C}}_1)$, as follows:

• Convex equivocation curve: These codes are appropriate for situations when ${\delta }_r$ is small; thus, Alice may purposefully use a nested linear code of this nature to improve Bob’s ability to correct errors.
• Concave equivocation curve: If ${\delta }_s$ is small, these codes give Alice the ability to keep data as secure as possible from the eavesdropper.
• Convex/concave equivocation curve: The more desirable and interesting codes are those that provide both reliability for Bob and confusion for Eve, in scenarios where Bob and Eve experience erasure with different rates. These codes can effectively balance both constraints as required, resulting in a convex/concave equivocation curve.

Simulations of (1) were completed using (14) and considering all possible erasure patterns $r\left(z^n\right)$. Curves were plotted as a function of the erasure probability $ϵ$, noting that $p\left(z^n\right)={ϵ}^{n-\left|r\right(z^n\left)\right|}{(1-ϵ)}^{\left|r\right(z^n\left)\right|}$. This examination of the behavior of equivocation curves enhanced our comprehension of nested linear codes, unveiling the dual relationship between error correction capabilities and security attributes. Furthermore, our simulations demonstrated that the number of overhead bits allocated to security or reliability can have a significant impact on the shape and number of the equivocation curves. In particular, increasing the number of overhead bits allocated to security (l) can lead to an increase in the number of concave curves. This observation is consistent with the fact that adding more security overhead bits to the code will result in a higher level of confusion for the eavesdropper. Similarly, increasing the number of overhead bits allocated to reliability ($\alpha$) can lead to an increase in the number of convex curves and affect their shape, as more reliability overhead bits will provide Bob with better error correction capabilities. Overall, our results highlight the importance of carefully balancing the allocation of overhead bits between security and reliability to achieve the desired level of secrecy and reliability for the system. Additionally, we showed that there exist codes that can balance both restrictions effectively (codes with convex/concave equivocation curves).

These types of codes are represented, respectively, with red, green, and blue equivocation curves in Figure 2 for the $n=5$, $k=2$, $l=2$, and $\alpha =1$ case, and in Figure 3 for the corresponding dual case, where l and $\alpha$ change their responsibilities, which means that the number of overhead bits allocated to security will be $\alpha =2$, and the number of overhead bits allocated to reliability will be $l=1$. This change in the allocation of overhead bits results in a different set of equivocation curves. The probability of erasure, $ϵ$, refers to both ${ϵ}_m$ and ${ϵ}_e$ to show performance for all users on the same plot.

5. Finding the Best Nested Linear Secrecy Codes

In this section, we propose a coding construction algorithm to generate the best nested linear secrecy code according to the equivocation by taking advantage of the dual relationship between nested linear codes. In essence, we show that the difficult search for the best code can be computed instead by the easy search for the worst nested linear secrecy code in the dual space. The concept of the worst and best refers to nested linear codes with the lowest and highest security level, respectively, among all possible nested linear codes for a particular size. The general algorithm is provided here, and an example is given in Section 6.

Algorithm 1.

This algorithm demonstrates how to construct the best nested linear secrecy codes $({\mathcal{C}}_0,{\mathcal{C}}_1)$ through the construction of the worst nested linear secrecy codes $({\mathcal{C}}_1^{\perp },{\mathcal{C}}_0^{\perp })$ using the subsequent steps:

• The first phase:

  -

  Generate the worst secrecy code $\left({\mathcal{C}}_0^{\perp }(n,\alpha )\right)$ with generator matrix $H_0$. The general schematic of the worst $H_0$ can be found in (30) in Section 6.

  -

  Generate $H^{\prime }$ by searching k random vectors from ${\mathbb{F}}_2^n$ with the following considerations:

  ∗

  For most patterns of revealed bits $r\left(z^n\right)$, the rank of ${\left(H_1\right)}_{r\left(z^n\right)}$ should be as large as possible compared to the rank of ${\left(H_0\right)}_{r\left(z^n\right)}$.

  ∗

  $H_1$ should remain a full-rank matrix.

• The second phase:

  -

  The best generator matrix $G_1$ for security code ${\mathcal{C}}_1(n,l)$ is equal to the basis of the dual space of the rowspace of $H_1$.

  -

  Choose k rows from a basis of the dual space of $H_0$ as $G^{\prime }$, with a consideration of the following:

  ∗

  For most patterns of $r\left(z^n\right)$, the rank of ${\left(G_0\right)}_{r\left(z^n\right)}$ should be equal to the rank of ${\left(G_1\right)}_{r\left(z^n\right)}$.

  ∗

  $G_0$ remains a full-rank matrix.

Proof. 

According to our result in [30], it can be deduced that minimizing the equivocation in the dual space of the nested linear codes leads to the maximization of equivocation in the original space of the nested linear code.

In particular, we have:

$$\begin{array}{cc}\hfill \mathbb{H}\left(M\right)& =\underset{\mathbb{I}(M^k;Z^n=r\left(z^n\right))}{\underbrace{\mathrm{rank}\left[{\left(G_0\right)}_{r\left(z^n\right)}\right]+\mathrm{rank}\left[{\left(G_1\right)}_{r\left(z^n\right)}\right]}}+\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill & \underset{\mathbb{H}\left(M^k\right|Z^n=r\left(z^n\right))}{\underbrace{\mathrm{rank}\left[{\left(H_1\right)}_{I\setminus r\left(z^n\right)}\right]+\mathrm{rank}\left[{\left(H_0\right)}_{I\setminus r\left(z^n\right)}\right]}},\hfill \end{array}$$

(20)

or, equivalently,

$$\begin{array}{cc}\hfill \mathbb{H}\left(M\right)& =\underset{\mathbb{H}\left(M^k\right|Z^n=I\setminus r\left(z^n\right))}{\underbrace{\mathrm{rank}\left[{\left(G_0\right)}_{r\left(z^n\right)}\right]+\mathrm{rank}\left[{\left(G_1\right)}_{r\left(z^n\right)}\right]}}+\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill & \underset{\mathbb{I}(M^k;Z^n=I\setminus r\left(z^n\right))}{\underbrace{\mathrm{rank}\left[{\left(H_1\right)}_{I\setminus r\left(z^n\right)}\right]+\mathrm{rank}\left[{\left(H_0\right)}_{I\setminus r\left(z^n\right)}\right]}}.\hfill \end{array}$$

(22)

Therefore, by constructing the nested linear code that minimizes the equivocation in the dual space, we can generate the best nested linear secrecy code within the code space. □

This algorithm can be better understood with reference to an example; hence, the results of this algorithm for a specific size are shown in Figure 4, and the details of this example are given in the next section.

6. Numerical Example

Consider the nested code $({\mathcal{C}}_0,{\mathcal{C}}_1)$ with the rate $R_0=4/5$ and $R_1=2/5$, respectively. In other words, $n=5$, $k=2$, $l=2$, and $\alpha =1$. In this example, the information rate is equal to $R=2/5$. Let

$$G_0=\left[\begin{array}{c}{G}^{\prime }\\ G_1\end{array}\right]=\left[\begin{array}{ccccc}0& 1& 0& 1& 0\\ 1& 0& 0& 1& 1\\ 1& 0& 0& 0& 1\\ 0& 1& 0& 1& 1\end{array}\right],$$

(23)

and

$$H_1=\left[\begin{array}{c}{H}^{\prime }\\ H_0\end{array}\right]=\left[\begin{array}{ccccc}0& 1& 0& 1& 0\\ 1& 1& 0& 0& 1\\ 0& 0& 1& 0& 0\end{array}\right].$$

(24)

The RGHW and equivocation matrix for this nested code are equal to

$$\begin{array}{cc}\hfill & M_{\tau }({\mathcal{C}}_0,{\mathcal{C}}_1)=\{1,2\}\hfill \end{array}$$

(25)

$$\begin{array}{cc}\hfill & A=\left[\begin{array}{cccccc}1& 5& 9& 5& 0& 0\\ 0& 0& 1& 5& 4& 0\\ 0& 0& 0& 0& 1& 1\end{array}\right],\hfill \end{array}$$

(26)

and for the dual nested code are equal to

$$\begin{array}{cc}\hfill & M_{\tau }({\mathcal{C}}_1^{\perp },{\mathcal{C}}_0^{\perp })=\{2,4\}\hfill \end{array}$$

(27)

$$\begin{array}{cc}\hfill & A^{\perp }=\left[\begin{array}{cccccc}1& 1& 0& 0& 0& 0\\ 0& 4& 5& 1& 0& 0\\ 0& 0& 5& 9& 5& 1\end{array}\right].\hfill \end{array}$$

(28)

Figure 2 illustrates the equivocation curves of all unique nested linear codes in this specific size. It should be noted that the number of green equivocation curves is greater than the number of red equivocation curves because in this example we assume that two of the three overhead bits are assigned to security $(l=2)$ and just one bit is assigned to reliability $(\alpha =1)$. If we evaluate nested linear codes in the dual space when $l=1$ and $\alpha =2$, we can see that the number of equivocation curves for nested codes that provide an error-correction capability is greater than the number for nested codes that offer a security capability (green equivocation curves). Figure 3 shows the equivocation curves for dual nested linear codes.

We now aim to determine how we can identify the optimal nested linear secrecy code $({\mathcal{C}}_0,{\mathcal{C}}_1)$ at this specific size using the algorithm outlined in Algorithm 1. To start, we need to build the generator matrix $H_0$ for code ${\mathcal{C}}_0^{\perp }$ with the worst rank properties. We know that $H_0$ must be a full-rank matrix with the most zero columns, which results in a zero rank in most collections of columns. Hence, $H_0$ is

$$H_0=\left[10000\right].$$

(29)

In general,

$$H_0=\left[V_{\alpha \times \alpha }{\underset{¯}{0}}_{\alpha \times n-\alpha }\right],$$

(30)

where V and $\underset{¯}{0}$ are the identity and zero matrices, respectively. Then, we need to generate $H^{\prime }$ by searching k random vectors from ${\mathbb{F}}_2^n$, with the consideration of the specific criteria as mentioned in Algorithm 1. Let

$$H_1=\left[\begin{array}{c}{H}^{\prime }\\ H_0\end{array}\right]=\left[\begin{array}{ccccc}0& 1& 1& 0& 1\\ 1& 1& 0& 1& 0\\ 1& 0& 0& 0& 0\end{array}\right].$$

(31)

In the second phase, we can generate $G_1$ from the dual space of $H_1$, which is equal to

$$G_1=\left[\begin{array}{ccccc}0& 1& 1& 1& 0\\ 0& 0& 1& 0& 1\end{array}\right].$$

(32)

Now, we need to select k rows from the basis of the dual space of $H_0$ as follows:

$$\left[\begin{array}{ccccc}0& 1& 0& 0& 0\\ 0& 0& 1& 0& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right],$$

(33)

Additionally, we must be sure that $G_0$ is a full-rank matrix and

$$\mathrm{rank}\left({\left(G_0\right)}_{r\left(z^n\right)}\right)=\mathrm{rank}\left({\left(G_1\right)}_{r\left(z^n\right)}\right)$$

(34)

as much as possible for most patterns of $r\left(z^n\right)$, so

$$G_0=\left[\begin{array}{c}{G}^{\prime }\\ G_1\end{array}\right]=\left[\begin{array}{ccccc}0& 1& 0& 0& 0\\ 0& 0& 1& 0& 0\\ 0& 1& 1& 1& 0\\ 0& 0& 1& 0& 1\end{array}\right].$$

(35)

The generator matrix $G_0$ outperforms other generator matrices in terms of security performance. The equivocation matrix of this example is equal to (26), and Figure 4 depicts the equivocation curves of the worst nested linear secrecy codes in the dual space and the best nested linear secrecy codes in the code space.

In the following section, we will analyze the computational complexity of our proposed algorithm for finding the optimal nested linear secrecy code and compare it with the computational complexity of traditional approaches (the brute-force method).

7. Computational Complexity Analysis

The number of distinct generator matrices $G_0$ that can be chosen such that the resulting matrix is full-rank can be calculated as

$$\prod _{i=0}^{(n-\alpha )-1}(2^n-2^i),$$

(36)

where n is the number of codeword bits and $\alpha$ is the number of overhead bits allocated to the reliability. This equation gives the total number of different nested linear codes (${\mathcal{C}}_0,{\mathcal{C}}_1$) for a given size, which for the example explored in Section 6 is 624,960. However, not all of these nested linear codes are unique. Based on Lemma 1, some nested linear codes may be equivalent and have the same performance, while others are unique and cannot be transformed into each other through equivalent operations on generator matrices. Therefore, the total number of unique nested linear codes can be lower than the total number of different nested linear codes. For the example in the previous section, the number of unique generator matrices $G_0$ is 256, which is much smaller than the total number of different nested linear codes. However, finding equivalent codes itself is a complex problem, and it is not guaranteed that we can always identify all equivalent codes.

The traditional approach to finding the best nested linear secrecy codes involves a brute-force search over all possible generator matrices $G_0$, which are $(k+l)\times n$. This means that for a given size of nested linear code, all possible generator matrices must be formed and their performance calculated. Then, all codes must be compared based on their equivocation to find the best nested linear secrecy code. Using this approach, $2^{(k+l)n}$ generator matrices must be formed. Lemma 1 can be used to identify equivalent generators, but all of them must be examined at some level. In contrast, our proposed approach fixes the matrix $H_0$ in the dual space and only requires a search for different patterns of the matrix $H^{\prime }$, which is $k\times n$, with the consideration of the two restrictions explained in Algorithm 1. We can throw out a number of $H^{\prime }$ candidates due to the fixed form of $H_0$, e.g., $H^{\prime }$ matrices with any number of zero columns and/or $H^{\prime }$ matrices that do not result in a full-rank $H_1$. This significantly reduces the search space and computational complexity compared to the traditional approach. Fewer than $2^{kn}$$H^{\prime }$ matrices must be compared.

In summary, our proposed approach of searching for the worst code instead of the best code was shown to be easier and more efficient, requiring fewer resources. This is because the generator matrix of the worst linear code ${\mathcal{C}}_0^{\perp }$ has as many zero columns as possible, making it easier to construct. This improvement in efficiency compared to the full brute-force search method could have important implications for the design of reliable and secure communication systems in practical settings.

On a personal laptop, it is possible to find best codes up to blocklength 12 with little issue, and we show in Figure 5 the results for the best and worst nested linear secrecy codes with $n=12$, $k=6$, $l=3$, and $\alpha =3$. The best and worst equivocation matrices for this example are given in Figure 6.

Note that although there is a marked increase in efficiency for identifying best codes by first finding worst codes in the dual space, Algorithm 1 still requires a brute-force search in choosing the elements of $H^{\prime }$. Thus, for larger code sizes, we still have limitations in finding best codes. In Figure 7, we present performance curves for one set of candidate codes when $n=40$, $k=20$, $l=10$, and $\alpha =10$. The candidate was found by choosing random columns to fill out $H^{\prime }$ and checking for full rank, as depicted in Algorithm 1. We leave the identification of large optimal codes as an open problem.

8. Conclusions and Future Study

In this study, we analyzed the properties of nested linear codes in the presence of a noisy wiretap channel model and derived a new expression for the relative generalized Hamming weight of these codes. We showed that there are three distinct behaviors in terms of equivocation in this coding scheme. Moreover, we proposed a code design algorithm to find the worst nested linear secrecy code, which is constructed by identifying the code with the lowest security in the dual space. Our results demonstrated that this approach is more efficient and quicker in producing optimal nested linear secrecy codes compared to brute-force methods.

Overall, the findings of this paper contribute to the development of reliable and secure communication systems in practical settings. The ability to efficiently design secure nested linear codes can enhance the privacy and security of communication channels, which is of great importance in various applications, such as wireless communication, network security, and cryptography. Future work could explore the applicability of our proposed algorithm to larger blocklengths and investigate its performance in other channel models.