Noncoherent Capacity of Secret-Key Agreement With Public Discussion

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011 565

Noncoherent Capacity of Secret-Key AgreementWith Public Discussion

Anurag Agrawal, Zouheir Rezki, Member, IEEE, Ashish J. Khisti, Member, IEEE, andMohamed-Slim Alouini, Fellow, IEEE

Abstract—We study the noncoherent capacity of secret-keyagreement with public discussion over independent identicallydistributed (i.i.d.) Rayleigh fading wireless channels, where nei-ther the sender nor the receivers have access to instantaneouschannel state information (CSI). We present two results. At highsignal-to-noise ratio (SNR), the secret-key capacity is boundedin SNR, regardless of the number of antennas at each terminal.Second, for a system with a single antenna at both the legitimateand the eavesdropper terminals and an arbitrary number oftransmit antennas, the secret-key capacity-achieving input distri-bution is discrete, with a finite number of mass points. Numericallywe observe that at low SNR, the capacity achieving distributionhas two mass points with one of them at the origin.

Index Terms—Discrete input distribution, information theoreticsecurity, Karush–Kuhn–Tucker (KKT) condition, noncoherent ca-pacity, Rayleigh fading channels, secret-key agreement.

I. INTRODUCTION

I NFORMATION theoretic secret-key agreement providesprovably secure mechanisms for generating secret-keys

between two or more legitimate terminals. In such protocols,the legitimate terminals need to have access to a source ofcorrelated randomness, e.g., communication channels or cor-related sources [1], [2]. Furthermore, a discussion channel ofunlimited capacity is also available for communication, butis public to the wiretapper. The legitimate terminals distill acommon secret-key that satisfies an equivocation constraintwith respect to the eavesdropper.

Manuscript received September 13, 2010; revised March 13, 2011; acceptedMarch 25, 2011. Date of publication June 09, 2011; date of current version Au-gust 17, 2011. This work will be presented at the IEEE International Conferenceon Communications (ICC) 2011, Workshop on Physical Layer Security, Kyoto,Japan. The associate editor coordinating the review of this manuscript and ap-proving it for publication was Dr. João Barros.A. Agrawal was with the Electrical and Computer Engineering Department,

University of Toronto, Toronto, ON, M5A 2N4, Canada. He is now with theDepartment of Electrical Engineering, Indian Institute of Technology Bombay,Mumbai 400076, India (e-mail: [email protected]).Z. Rezki was with the Electrical and Computer Engineering Department, Uni-

versity of Toronto, Toronto, ON, M5A 2N4, Canada. He is now with King Ab-dullah University of Science and Technology (KAUST), Thuwal, KSA, SaudiArabia (e-mail: [email protected]).A. J. Khisti is with the Electrical and Computer Engineering Depart-

ment, University of Toronto, Toronto, ON, M5A 2N4, Canada (e-mail:[email protected]).M.-S. Alouini is with King Abdullah University of Science and Technology

(KAUST), Thuwal, KSA, Saudi Arabia (e-mail: [email protected]).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TIFS.2011.2158999

The present paper studies capacity limits of secret-key agree-ment when the underlying channel from the sender to the re-ceiver and the eavesdropper are modeled as independent iden-tically distributed (i.i.d.) Rayleigh fading. We further assumethe noncoherent model, i.e., the instantaneous channel state in-formation (CSI) is not known to either of the terminals. Thechannel statistics are, however, globally known.Note that for our proposed channel model the outputs at the

legitimate receiver and the eavesdropper are conditionally in-dependent given the channel input. A class of discrete memo-ryless channel models with this property was studied in [1] and[2] and a single-letter capacity expression was characterized.In particular a source-emulation strategy was shown to be op-timal—the sender generates a discrete memoryless source, thentransmits it over the channel to generate correlated sources at thetwo terminals and then the legitimate terminals distill a commonkey as in the source model. While their result can be extendedusing standard techniques to the (continuous-valued) Rayleighfading channels studied in this work, finding the optimizing dis-tribution is difficult in general. In the present work, we showthe following two properties: 1) Unlike the case without se-crecy constraint where the capacity scales as at highsignal-to-noise ratio (SNR), the secret-key capacity is boundedin SNR, regardless of the number of antennas at each terminal;and 2) the capacity achieving distribution is discrete with a fi-nite number of mass points, for themultiple-input–single-output(MISO) case.In related works, [3] studies the secret-key agreement

over Rayleigh fading channels for the case of receiver CSIand establishes that a Gaussian input distribution maximizesthe secret-key capacity. References [4]–[10] also approachsimilar problems in different settings. Reference [11] studiesthe problem of generating shared secret keys using channelreciprocity instead of public discussion. This approach is notconsidered in the present paper. Related work can also be foundin [12]–[18].

II. THE CHANNEL MODEL

In this paper, we consider the channel-type model with wire-tapper [1 , Sec. III]. The sender and receiver communicate overa discrete memoryless channel (DMC). In addition they can alsoaccess a public discussion channel of unlimited capacity. In ourcase of interest, the DMC consists of an i.i.d. multi-input–multi-output (MIMO) fading channel where the sender and receiverand eavesdropper have , , and antennas, respectively.We have closely followed [19] and [20] while proposing ourmodel. The outputs at both the legitimate destination and the

1556-6013/$26.00 © 2011 IEEE

566 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 3, SEPTEMBER 2011

eavesdropper, at time , are expressed, respectively,by

(1)

where is the transmitted signal, and, represent the main channel and

the eavesdropper channel transfer matrices, respectively; and, are circularly symmetric white

Gaussian noises with covariance matricesand . We assume that and havei.i.d. Gaussian entries with zero-mean and unit-variance. Weassume that the CSI is not available at any terminal. That is, thetransmitter, the legitimate receiver, and the eavesdropper do nothave access to the instantaneous channel realizations and

, but are aware of their statistic. The source is constrainedaccording to a short-term average power constraint

(2)

for all . Given the normalization of the fading chan-nels and the additive noise in our channel model, in (2) maybe interpreted as an SNR per receive antenna. Since the channeldefined in (1) is i.i.d., we may drop the time index in the se-quel for convenience. The sender and receiver can interactivelycommunicate over the discussion channel between each succes-sive use of the channel. We refer to the reader to [1] for a formaldescription of the protocol. Furthermore, we are interested inthe secret-key capacity between the sender and the receiver. Weagain refer to the reader to [1] for a formal description and def-inition of key capacity.

III. SECRET-KEY CAPACITY

In [1 , Th. 2], a single-letter formula of key capacity has beenestablished and is given by

(3)

where is the set of all possible distribution functionsthat satisfy the average power constraint. Note that in our modelof interest, and are conditionally independent given andthe distribution is given by [21]

(4)

(5)

where denotes the Euclidean norm of a vector. We note thatand depend on , , and only through their norms.

We next define new random variables: , ,and . Following [22, Appendix VI], we see that theprobability density function (pdf) of the conditional distributionassociated with the norms is given by

(6)

or equivalently

(7)

where

(8)

are the Jacobian coordinate transformation factors applied indimensions. We also note that and are chi-squared randomvariables with and degrees of freedom when condi-tioned on . Then, from (4) and (5)

(9)

Also,

(10)

Now, can be formulated as follows:

(11)

Equation (11) followed from the fact that and de-pend only on the norms and . A detailed derivation ap-pears in Appendix A. The result is summarized in the followinglemma.Lemma 1: The noncoherent secret-key capacity of the

channel model (1) described above is given by

(12)

Lemma 1 states that secret-key communication is conveyedover the norms , , and . This property will be used inthe sequel. As verified in Appendix B, the capacity can beexpressed as

(13)

AGRAWAL et al.: NONCOHERENT CAPACITY OF SECRET-KEY AGREEMENT WITH PUBLIC DISCUSSION 567

IV. CAPACITY RESULTS AT A HIGH-SNR REGIME

In this section, we analyze the noncoherent secret key ca-pacity asymptotically at high-SNR. The reader is referred to [20]and [19] for details regarding high-SNR asymptotic analysis.Our result is rather negative as it establishes the nonefficiencyof communication over this channel at high-SNR. Theorem 1below formalizes this result.Theorem 1: At high-SNR, the noncoherent secret-key ca-

pacity of the channel model (1) described above is given by

(14)

where denotes a term that remains constant as .Proof: Keeping in mind the result given by Lemma 1 and

equations given by 9, we define two new random variablesand such that

(15)

where it follows via (9) that and are Gamma-distributedrandom variables, mutually independent and also independentof , and with pdfs

(16)

(17)

Equation (15) can be viewed as a multiplicative channel modelwhich is equivalent from a capacity perspective to our originalmodel by Lemma 1.Now, by letting , , ,

, and , and by applying the logfunction on both sides of (15), the following channel is obtained:

(18)

Since the log function is a one-to-one transformation that doesnot entail any capacity loss, the secret-key capacity can bebounded as follows:

(19)

(20)

Hence, it remains to show that the right-hand side (RHS) of (20)is bounded.First note that using (16), the pdf of can be easily derived

as

(21)

thus, the second term on the RHS of (20) can be upper boundedas follows:

(22)

(23)

where (22) follows from Jensen inequality and (23) holds be-cause .To show that is upper bounded, it suffices to show

thatis bounded, since a Gaussian distribution with same varianceupper bounds the differential entropy of any continuous distri-bution. In other words, it suffices to show that and

(24)

(25)

In the above derivation, (24) follows from the fact thatfor any and for any

, whereas (25) holds when becausefollows inverse Gamma distribution with parameters and

. For , we can see that the random variable ,being the log of an exponential random variable, has densityfunction with finite mean and variance. Bya similar argument, is finite, and thus isalso finite. Now, we have an upper bound on that isitself bounded irrespective to the power . We conclude that thesecret-key capacity is asymptotically bounded at high-SNR.

V. THE KARUSH–KUHN–TUCKER (KKT) CONDITION

In this section, following [19], a necessary and sufficient con-dition for optimality in secret-key agreement settings is estab-lished. Our proof relies on two steps. First, we show that thesupremum in (13) is achieved (Lemma 2). Next, we argue that

is also weak differentiable in over (Lemma 3).The KKT follows then by the concavity of a modified objectivefunction that includes the power constraint. In our proof, we arefocussing on the MISOSE case, i.e., .Lemma 2: The supremum in (13) is achievable by at least

one , say , belonging to , where is the set of allnonnegative input distributions that meet the power constraint.


Proof: A sufficient condition for the supremum in (13) toexist, is that the mutual information be weak contin-uous in and the set be weak compact. That is weakcompact follows from [19, Appendix 1.A]. The proof of weakcontinuity of in is reported in Appendix C.Lemma 3: is weak differentiable and concave inover .Proof: The proof of weak differentiability is presented in

Appendix D. The concavity of in , follows from[23, Fact 2].Now, from Lemma 2 and Lemma 3, a necessary and sufficient

condition for optimality, referred to as the KKT condition, canbe obtained as stated below. Here, we denote asthe conditional distribution of given induced by the inputdistribution function .Proposition 2: For the channel given by (1) described above,

where , an input random variable with dis-tribution function achieves the secret-key capacity if andonly if there exists a such that

(26)

for all , with equality if belongs to the support of .Proof: The proof is presented in Appendix E.

Using (16) and (17) and letting with ,(26) can be expressed as

(27)

VI. CHARACTERIZATION OF

Here we follow [19] and [24] to use the Kuhn–Tucker condi-tion (26) to prove that is discrete. Although our frameworkparallels these previous works, several modifications are nec-essary to account for the conditional mutual information. Theexistence of a secret-key capacity achieving input implies that

should satisfy one of the following properties:1) its support contains an interval;2) it is discrete, with an infinite number ofmass points in somebounded interval;

3) it is discrete and infinite, but with only a finite number ofmass points on any bounded interval;

4) it is discrete with a finite number of mass points.Now, let us assume that 1) or 2) holds and define the function

by

(28)

for all belonging to the set of complex numbers, whereis the principal branch of the logarithm. We note that isanalytic over the domain defined by . We nowmake the following observations:

• From our assumption, it is evident that there exists ansuch that the support of contains infinitely many pointsin or equivalently the support of contains an in-finite set of distinct points in .

• The interval is compact, hence byBolzano–Weierstrass theorem has an accumulationpoint in .

• From the Kuhn–Tucker condition (27), on thesupport of and thus on .

Hence we have an analytic function over that vanishes on aset having an accumulation point of . From the identity the-orem [25], we conclude that over the whole andin particular, over . Consequently, (28) can bewritten as

(29)

where . We next show that there cannot be a valid con-ditional pdf that satisfies (29). This is done by multi-plying both sides of (29) by and by taking the limitwe show that while the RHS diverges, the left-hand side (LHS)remains bounded. Towards this end we show the following.Lemma 4: For each with , we have that

(30)where and denote the Laplace transforms of the fol-lowing:

(31)

(32)

where we define

(33)

(34)

Furthermore and are well defined for all with.

Proof: The proof of Lemma 4 is provided in Appendix F.Note that and in (31) and (32) are infinitely differen-

tiable decreasing functions over the positive real axis. Further-more,

(35)

Similarly, we have

(36)

(37)


Finally, multiplying both sides of (29) by and taking thelimit as , we show that the RHS of (29) goes to infinitywhereas the LHS of (29) is finite. To see this, we first recall that

(38)

Then, the limit of the second term on the RHS of (38) is equalto

(39)

(40)

where (39) follows by the initial value theorem [26] and(40) is obtained from (35). Next, we note that the secondderivative exists for all positive , that

and that. Hence, applying the identity (from [26])

(41)

to the function and taking the limit as onboth sides of (41) yield

(42)

which confirms that is finite too. There-fore, the limit in (38) exists and is finite. This implies that (29)does not hold for all . But, this contradicts our initialassumption that either 1) or 2) holds. Consequently, neither 1)nor 2) can happen. We are then left with 3) and 4) as the onlypossibilities.Let us assume that 3) holds. In this case, we argue that the

Lagrange multiplier in the KKT condition (27) is zero and inturn obtain a contradiction. Since has infinitely many masspoints and only finitely many in any bounded interval, hasan accumulation point only at zero and its support can thus bewritten as a sequence converging to zero. Let

. Then we have

(43)

(44)

Note that the denominator of (44) is smaller than whichis less than 1 [c.f. (35)]. This implies that

for all and all . Conse-quently, we have

(45)

(46)

Now, using (46), bound the LHS of (27) as follows:

(47)

(48)

where the term applies when for a fixed . Now, ifthen (48) goes to infinity as , but the LHS of

(27) should be zero on the support of which by our initialassumption, contains a point of accumulation at 0. Hence,. As this is true for all , and , we see that . As

the Lagrange multiplier is nonnegative, we conclude that .Then from (27) we get

(49)for all . Now taking the limit at on both sides of (49),we see that the integrand on the LHS tends toward 0, whichimplies that

(50)

and consequently the capacity goes to , which contradicts. Hence, the assumption 3) is ruled out as well. Therefore,

the optimum input distribution must be discrete with a finitenumber of mass points which is what we wanted to prove.We conclude the section by enumerating the key differences

in the results obtained in [19] with those obtained in this paper.These differences primarily arise because we are dealing withthe conditional version of the mutual information compared to[19]:1) To eliminate the conditions 1) and 2) in [19, Sec. IV], theauthors obtain a unique distribution function that sat-isfies the Kuhn–Tucker condition and claim that this func-tion fails to satisfy the properties of a probability distribu-tion function. On the contrary, (29) of this paper may haveinfinite solutions for but we prove that none ofthem is a valid solution because (29) does not hold good as

.2) To disprove 3) in [19, Sec. IV], the authors establish theimpossibility of by proposing a family of distribu-tions with strictly monotonically increasing mutual infor-mation, whereas to disprove (49), we exploit the fact thatthe capacity is nonnegative.

3) In [19], the authors establish that the mutual information isstrictly concave in . Our result on concavity relies on [23]which does not establish strict concavity. Consequently,we do not pursue the problem of establishing uniquenessof the input distribution in this work.

VII. NUMERICAL RESULTS

We employed the Gauss–Laguerre quadrature methodto evaluate all the concerned integrals in obtaining ca-pacity-achieving input distributions. We obtain some usefulinsights related to the variation of the number of mass pointsand their respective probabilities with the SNR. Furthermore,


Fig. 1. SISOSE secret-key capacity versus the SNR value .

Fig. 2. Value of the LHS of the KKT condition (26) versus at SNR .

we exploit the variation of KKT, a necessary and sufficient con-dition for optimality, with to exactly predict the location of anew mass point and to validate the optimal input distributionfor a given SNR value. It has been observed that there exists amass point at the origin for all SNR values. Fig. 1 representsthe noncoherent secret-key capacity in nats per channel use(npcu) in function of SNR (average power constraint in Joulesper second). As shown in Fig. 1, the secret-key capacity shownin solid blue is monotonically increasing in SNR. In this figure,discontinuities of the capacity plot can be observed. Indeed,these regions represent zones where a new mass point is aboutto appear and where numerical optimization becomes veryunstable to an extent that the results obtained in these zones donot fulfill the KKT condition. Furthermore, it may be seen inFig. 1, that the capacity is bounded at high-SNR in full agree-ment with Theorem 1. Also shown in Fig. 1 as a benchmark, isthe additive white Gaussian noise (AWGN) channel secret-keycapacity (dashed line). While the gap between the two plotsis marginal at very low SNR (below 0.5 J/s), the AWGNsecret-key capacity prevails remarkably as SNR increases.In Fig. 2, the LHS of the KKT condition (26) is plotted versusfor an SNR and where numerical optimization was set

to two mass point input distributions . From Fig. 2, itcan be seen that although the KKT is null in two points, theresults obtained are not optimal since the plot goes below zerofor a certain value of , suggesting that a newmass point is morelikely to appear. In order to confirm our claim, we setin our optimization problem and increase the power constraintaway from this unstable zone, to find that three mass point is infact optimal and that a new mass point shows up aroundat approximately . This explains the discontinuities inour capacity plot as depicted by Fig. 1. We conjecture that a newmass point shows up first at and then decreases as SNRincreases. Note that this peculiar behavior of the optimal input

Fig. 3. Optimal nonzero mass point locations versus the SNR value .

Fig. 4. Nonzero mass point probability versus the SNR value at very lowSNR region.

distribution has also been observed previously in noncoherentfading channels without secrecy [19].Fig. 3 depicts optimal nonzero mass point locations versus

SNR. Likewise in the Rayleigh fading channel without secrecy,two mass points is optimal at low SNR (below ). AsSNR increases, the number of mass points increases graduallyto be for below 0.9 and then for below 10.At high-SNR, we observe that the optimal distribution has threenonzero mass points and more interestingly as SNR increases,only the biggest of the three tends to increase whereas the twoothers of lower values tend to attain constant values of approx-imately 1.9 and 3.5, respectively.Finally, the nonzero mass point probability versus is shown

in Fig. 4 at low-SNR, where it can be seen that the nonzero masspoint probability seems to increase almost linearlywith SNR.Onthe other hand, the nonzero mass point location versus is alsodisplayed in Fig. 5 at low-SNR, where it can be observed that asSNR increases, the nonzero mass point decreases in magnitude.

VIII. CONCLUSION

The secret-key capacity under an average power constraintof a Rayleigh fading channel, where the instantaneous CSI isnot available at any terminal, has been studied. When the le-gitimate receiver and the eavesdropper have one antenna each,i.e., the MISOSE setting, it has been shownthat the capacity-achieving input distribution is discrete with afinite number of mass points. Although in this case we have fo-cused on theMISOSE case, our proof technique can be extendedin a straightforward manner to encompass a channel where thenumber of receive antennas at both the legitimate receiver andthe eavesdropper are arbitrary, using techniques similar to the


Fig. 5. Nonzero mass point location versus the SNR value at very low SNRregion.

ones discussed in [19, Appendix III]. At high-SNR, it is estab-lished that the secret-key capacity is bounded irrespective ofSNR, regardless of the number of antennas at each terminal. Atlow-SNR, it has been observed through numerical results thatan input distribution with two mass points, one of them at theorigin, is optimal.

APPENDIX A

To establish (11), here we prove that . Theproof of will follow on similar lines.The notion that has previously been usedin [19], [20], and [27]. Here we provide an explicit proof toestablish the claim

(51)

(52)

(53)

where (51) follows from (6) and (10). Equation (52) says thatis some function of the norms

of the two vectors. Equation (53) follows from (10).

APPENDIX BPROOF OF (13)

(54)

(55)

(56)

where to obtain (54), (55), and (56), we used the fact that given, , and are independent. Here signifies the

conditional distribution of given induced by .


APPENDIX CWEAK CONTINUITY OF THE CONDITIONAL MUTUAL

INFORMATION

From [28, Sec. V.10], we first note that if a function isweak continuous on a weak compact set , then achievesits maximum on . Since it has been established that isconvex and compact in [19, Appendix 1.A], we only need toshow that the mutual information is weak continuous on toprove the existence of a capacity achieving input distribution.Recall that from (11), we have

That and are weak continuous in followsalong similar lines as the proof in [19, Appendix 1.B]. We nowprove that is weak continuous in . Suppose thereexists a sequence that converges to , which will be re-

ferred to as . First, recall that

(57)

Since the integrand in (57) is a bounded continuous function of, then by the definition of weak topology, is a continuousfunction of for all . Moreover, is continuousand thus is also continuous in .Hence by the definition of weak continuity, we have

(58)

We now claim that

(59)

(60)

where (60) follows from (58). We next justify the interchangeof the limit and the integral in (59). To do this, we note that byLebesgue dominated convergence theorem, it suffices to find anintegrable function such that

(61)

for all . Let . First, note that bothand . Thus, by (57), we

also have for all , , and . Using

the fact that for all , the followingderivation holds:

Since is integrable over , (61) is true. Consequently,is weak continuous. By a similar argument, is

also weak continuous. Hence being a sum of weak continuousfunctions, is weak continuous in .

APPENDIX DWEAK DIFFERENTIABILITY OF THE CONDITIONAL MUTUAL

INFORMATION

The idea of weak differentiability has been previously usedin [19] in channels without secrecy constraint. Here, we extendthis idea to show that the conditionalmutual information is weakdifferentiable. Let us first define the mapping

from to , the set of real numbers. Note that is linearand hence convex in . Since (the mutual information asa function of ) is also convex, there exists a in suchthat

(62)

Moreover, since this capacity is achieved by some , then wenecessarily have

(63)

We next prove that the functions and are weak differentiablein . Let us define

Computing , we get


Next we see that

Then from the definition of weak differentiability [19,Appendix II-B], we have

(64)

which holds because both terms are finite due to the power con-straint. Similarly for we obtain

(65)

Since (64) and (65) are valid for any and in , we con-clude that and are weak differentiable and so is .

APPENDIX ETHE KKT CONDITION

By Lemma 3, is concave in . Furthermore, is linearin and hence is concave in . Now from [19, Th.3], a necessary and sufficient condition for to achieve thesupremum in (62) is

(66)

or equivalently

(67)

where (67) follows from or (63). Now we conclude the sectionby noting that from [19, Th. 4], (67) is also equivalent to

(68)

where is the set of points of increase of . From (68), theKKT condition (26) follows immediately.

APPENDIX FPROOF OF LEMMA 4

The probability can be written as

(69)

where it follows via (9) that when , the functionsand in (69) are defined by (33) and (34), respectively.

Thus we can split the LHS of (26) into two parts as stated in(30)

where and. Now, transforming the coordinate

system from to where , we findthat the Jacobian of the transformation is 1 and hence can bewritten as

(70)

(71)

(72)

On simplification of , we also get

(73)

Note that (72) and (73) represent the Laplace transforms ofand , respectively. Since the inte-

grands in (72) and (73) are integrable over the interval forall , then to prove that and are well-definedfor all , it suffices to show thatand are bounded by some integrable functionson . This can be established as follows:

(74)

(75)

(76)

Equation (74) holds because is a decreasing function overand [c.f., (36)]; (75) follows from Jensen in-

equality; (76) is true because and applying

Jensen inequality again. Since

exists for all , then so does . By a similar tech-nique, the following upper bound may be obtained:

(77)

to justify the convergence of the integral in (73). We concludethat is also well-defined for all .

REFERENCES

[1] R. Ahlswede and I. Csiszar, “Common randomness in informationtheory and cryptography—Part I: Secret sharing,” IEEE Trans. Inf.Theory, vol. 39, no. 4, pp. 1121–1132, Jul. 1993.


[2] U. Maurer, “Secret key agreement by public discussion from commoninformation,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742,May 1993.

[3] T. F. Wong, M. Bloch, and J. M. Shea, “Secret sharing over fast-fadingMIMO wiretap channels,” EURASIP J. Wirel. Commun. Netw., vol.2009, p. 1-1, 2009.

[4] M. Bloch, J. Barros, M. R. D. Rodrigues, and S. McLaughlin, “Wire-less information-theoretic security,” Special Issue on Information-The-oretic Security, IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2515–2534,Jun. 2008.

[5] V. Prabhakaran, K. Eswaran, and K. Ramchandran, “Secrecy viasources and channels—A secret key—Secret message rate tradeoffregion,” IEEE Trans. Inf. Theory [Online]. Available: http://ieeex-plore.ieee.org/stamp/stamp.jsp?arnumber=04595139

[6] L. Xiao, L. Greenstein, N. Mandayam, and W. Trapp, “Fingerprints inthe ether: Using the physical layer for wireless authentication,” in Proc.IEEE Int. Conf. Commun., 2007, pp. 4646–4651.

[7] A. A. Gohari and V. Anantharam, “Information-theoretic key agree-ment of multiple terminals—Part I: Source model,” IEEE Trans. Inf.Theory, vol. 56, no. 8, pp. 3997–4010, Aug. 2010.

[8] A. E. Gamal and Y. H. Kim, Lecture Notes on Network InformationTheory [Online]. Available: http://arxiv.org/abs/1001.3404

[9] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka, “Wire-less secret key generation exploiting reactance-domain scalar responseof multipath fading channel,” IEEE Trans. Antennas Propag., vol. 53,no. 11, pp. 3776–3784, Nov. 2005.

[10] C. Ye, A. Reznik, and Y. Shah, “Extracting secrecy from jointlyGaussian random variables,” in Proc. Int. Symp. Inform. Theory, Jun.2006, pp. 2593–2597.

[11] R. Wilson, D. Tse, and R. Scholtz, “Channel identification: Secretsharing using reciprocity in ultrawideband channels,” IEEE Trans. Inf.Forensics Security, vol. 2, no. 3, pp. 364–375, Sep. 2007.

[12] Y. Liang, H. V. Poor, and S. S. Shitz, “Secrecy capacity region offading broadcast channels,” in Proc. IEEE Int. Symp. InformationTheory, Nice, France, Jun. 2007, pp. 1291–1295.

[13] A. O. Hero, “Secure space-time communication,” IEEE Trans. Inf.Theory, vol. 49, no. 12, pp. 3235–3249, Dec. 2008.

[14] A. Khisti and G. W. Wornel, “Secure transmission with multiple an-tennas I: The MISOME wiretap channel,” IEEE Trans. Inf. Theory,vol. 56, no. 7, pp. 3088–3104, Jul. 2010.

[15] M. H. Costa, “Writing on dirty paper,” IEEE Trans. Inf. Theory, vol.29, no. 3, pp. 439–441, May 1983.

[16] C. E. Shannon, “Channels with side information at the transmitter,”IBM J. Res. Devel., vol. 2, pp. 289–293, Oct. 1958.

[17] S. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik, “Ra-diotelepathy: Extracting a secret key from an unauthenticated wirelesschannel,” in Proc. 14th ACM Int. Conf. Mobile Computing and Net-working, 2008, pp. 128–139.

[18] Y. Chia and A. E. Gamal, “Wiretap channel with causal state informa-tion,” in Proc. Int. Symp. Inform. Theory, Jun. 2010, pp. 2548–2552.

[19] I. C. Abou-Faycal, M. D. Trott, and S. Shamai Shitz, “The capacity ofdiscrete-time memoryless Rayleigh-fading channels,” IEEE Trans. Inf.Theory, vol. 47, no. 4, pp. 1290–1301, May 2001.

[20] R. Perera, T. Pollock, and T. Abhayapala, “Upper bound on non-co-herent MIMO channel capacity in Rayleigh fading,” in Proc. 2005 AsiaPacific Conf. Communications, 2005, pp. 72–76.

[21] T. Marzetta and B. Hochwald, “Capacity of a mobile multiple-antennacommunication link in Rayleigh flat fading,” IEEE Trans. Inf. Theory,vol. 45, no. 1, pp. 139–157, Jan. 1999.

[22] R. Perera, T. Pollock, and T. Abhayapala, “Performance of gaussiandistributed input in non-coherent Rayleigh fading MIMO channels,” inProc. 2005 Fifth Int. Conf. Information, Communications and SignalProcessing, 2005, pp. 791–795.

[23] A. Khisti, A. Tchamkerten, and G. W. Wornell, “Secure broadcastingover fading channels,” IEEE Trans. Inf. Theory vol. 54, no. 6, pp.2453–2469, Jun. 2008 [Online]. Available: http://dx.doi.org/10.1109/TIT.2008.921861

[24] S. Shamai and I. Bar-David, “The capacity of average and peak-power-limited quadrature gaussian channels,” IEEE Trans. Inf. Theory, vol.41, no. 4, pp. 1060–1071, Jul. 1995.

[25] H. Silverman, Complex Variables. Boston, MA: Houghton Mifflin,1975.

[26] D. Brian, Integral Transforms and Their Applications, 3rd ed. NewYork: Springer, 2002.

[27] G. Taricco and M. Elia, “Capacity of fading channel with no side in-formation,” Electron. Lett., vol. 33, no. 16, pp. 1368–1369, Jul. 1997.

[28] D. G. Luenberger, Optimization by Vector Space Methods. Hoboken,NJ: Wiley, 1969.

Anurag Agrawal was born and brought up in Ja-balpur, Madhya Pradesh, India. He received an un-dergraduate degree from the Department of ElectricalEngineering, Indian Institute of Technology Bombay,India.Currently, he is a graduate student at Stanford

University, Stanford, CA. His research areas includewireless communications and information theory.Mr. Agrawal is a recipient of the AIEEE Excel-

lence Scholarship, the National Talent Search Exam-ination Scholarship, and the State Science Olympiad

Scholarship. He has also received offers of the Jacobs fellowship from Cornell,MCD fellowship from UTAustin, and Departmental fellowship from UCSD forhis graduate studies.

Zouheir Rezki (S’04–M’07) was born inCasablanca, Morocco. He received the Diplomed’Ingenieur degree from the Ecole Nationale del’Industrie Minérale (ENIM), Rabat, Morocco, in1994, the M.Eng. degree from Ecole de TechnologieSupérieure, Montreal, Quebec, Canada, in 2003, andthe Ph.D. degree from Ecole Polytechnique, Mon-treal, Quebec, in 2008, all in electrical engineering.From October 2008 to September 2009, he was a

postdoctoral research fellow with Data Communica-tions Group, Department of Electrical and Computer

Engineering, University of British Columbia. He is now a postdoctoral researchfellow at King Abdullah University of Science and Technology (KAUST),Thuwal, Mekkah Province, Saudi Arabia. His research interests include:performance limits of communication systems, cognitive and sensor networks,information-theoretical security, and low-complexity detection algorithms.Dr. Rezki is the recipient of The ’Fonds Québécois de la recherche sur la

nature et les technologies’ Postdoctoral Research Fellowship Grant in 2009;the winner of the Best Paper Award, in Fundamentals and PHY Track at Inter-national Symposium on Personal, Indoor and Mobile Radio Communications(PIMRC), 2008; and the recipient of KAUST Collaboration Travel Fund (CTF)Award, 2010.

Ashish J. Khisti (S’01–M’08) received the B.A.Sc.degree in engineering sciences from the Universityof Toronto and the S.M. and Ph.D. degrees from theMassachusetts Institute of Technology (MIT), Cam-bridge, MA.He is an assistant professor in the Electrical and

Computer Engineering (ECE) Department, Univer-sity of Toronto, Toronto, ON, Canada. His researchinterests span the areas of information theory, wire-less physical layer security, and multimedia commu-nication systems. At the University of Toronto, he

heads the signals, multimedia and security laboratory.For his graduate studies, Dr. Khisti was a recipient of the NSERC postgrad-

uate fellowship, HP/MIT alliance fellowship, Harold H. Hazen Teaching award,and the Morris Joseph Levin Masterworks award.

Mohamed-Slim Alouini (S’93–A’98–SM’03–F’09)was born in Tunis, Tunisia. He received the Ph.D.degree in electrical engineering from the CaliforniaInstitute of Technology (Caltech), Pasadena, CA, in1998.He was with the Department of Electrical and

Computer Engineering, University of Minnesota,Minneapolis, MN, then with the Electrical andComputer Engineering Program at the Texas A&MUniversity at Qatar, Education City, Doha, Qatar.Since June 2009, he has been a Professor of Elec-

trical Engineering in the Division of Physical Sciences and Engineering atKAUST, Saudi Arabia, where his current research interests include the designand performance analysis of wireless communication systems.

Documents

Noncoherent Capacity of Secret-Key Agreement With Public Discussion