# Semantically Secure Lattice Codes for Compound MIMO Channels

We consider code construction for compound multi-input multi-output (MIMO) wiretap channels where minimal channel state information at the transmitter (CSIT) is assumed. Using the flatness factor for MIMO channels, we propose lattice codes universally achieving the secrecy capacity of compound MIMO wiretap channels up to a constant gap (measured in nats) that is equal to the number of transmit antennas. The proposed approach improves upon existing works on secrecy coding for MIMO wiretap channels from an error probability perspective, and establishes information theoretic security (in fact semantic security). We also give an algebraic construction to reduce the code design complexity, as well as the decoding complexity of the legitimate receiver. Thanks to the algebraic structures of number fields and division algebras, our code construction for compound MIMO wiretap channels can be reduced to that for Gaussian wiretap channels, up to some additional gap to secrecy capacity.

## Authors

• 2 publications
• 18 publications
• 4 publications
• ### Positive Covert Capacity of the MIMO AWGN Channels

Covert communication, i.e., communication with a low probability of dete...
10/30/2019 ∙ by Ahmed Bendary, et al. ∙ 0

• ### Semantic Security for Quantum Wiretap Channels

We determine the semantic security capacity for quantum wiretap channels...
01/16/2020 ∙ by Holger Boche, et al. ∙ 0

• ### Artificial Noisy MIMO Systems under Correlated Scattering Rayleigh Fading -- A Physical Layer Security Approach

The existing investigations on artificial noise (AN) security systems as...
06/10/2019 ∙ by Yiliang Liu, et al. ∙ 0

• ### Design and Practical Decoding of Full-Diversity Construction A Lattices for Block-Fading Channels

Block-fading channel (BF) is a useful model for various wireless communi...
07/09/2020 ∙ by Hassan Khodaiemehr, et al. ∙ 0

• ### Algebraic lattice codes for linear fading channels

In the decades following Shannon's work, the quest to design codes for t...
12/19/2017 ∙ by Laura Luzzi, et al. ∙ 0

• ### On the Separability of Ergodic Fading MIMO Channels: A Lattice Coding Approach

08/17/2018 ∙ by Ahmed Hindy, et al. ∙ 0

• ### Low Complexity Secure Code (LCSC) Design for Big Data in Cloud Storage Systems

In the era of big data, reducing the computational complexity of servers...
04/06/2018 ∙ by Mohsen Karimzadeh Kiskani, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## I Introduction

Due to the open nature of the wireless medium, wireless communications are inherently vulnerable to eavesdropping attacks. Information theoretic security offers additional protection for wireless data, since it only relies on the physical properties of wireless channels, thus representing a competitive/complementary approach to security compared to traditional cryptography.

The fundamental wiretap channel model was first introduced by Wyner [1]. In this seminal paper, Wyner defined the secrecy capacity and presented the idea of coset coding to encode both data and random bits to mitigate eavesdropping. In recent years, the quest for the secrecy capacity of many classes of channels has been one of the central topics in wireless communications [2, 3, 4, 5, 6, 7, 8].

In the information theory community, a commonly used secrecy notion is strong secrecy: the mutual information between the confidential message and the channel output should vanish when the code length

. This common assumption of uniformly distributed messages was relaxed in

[9], which considered the concept of semantic security: for any message distribution, the advantage obtained by an eavesdropper from its received signal vanishes for large block lengths. This notion is motivated by the fact that the plaintext can be fixed and arbitrary.

For the Gaussian wiretap channel, [10] introduced the secrecy gain of lattice codes while [11]

proposed semantically secure lattice codes based on the lattice Gaussian distribution. To obtain semantic security, the

flatness factor of a lattice was introduced in [11] as a fundamental criterion which implies that conditional outputs are indistinguishable for different input messages. Using a random coding argument, it was shown that there exist families of lattice codes which are good for secrecy, meaning that their flatness factor vanishes. Such families achieve semantic security for rates up to nat from the secrecy capacity.

Compared to the Gaussian wiretap channel, the cases of fading and multi-input multi-output (MIMO) wiretap channels are more technically challenging. The fundamental limits of fading wireless channels with secrecy constraints have been investigated in [12, 13, 2], where the achievable rates and the secrecy outage probability were given. The secrecy capacity of the MIMO wiretap channel was derived in [14, 15, 16, 17], assuming full channel state information at the transmitter (CSIT). A code design in this setting was given in [18] by reducing to scalar Gaussian codes. Although CSIT is sometimes available for the legitimate channel, it is hardly possible that it would be available for the eavesdropping channel. An achievability result was given in [19] for varying MIMO wiretap channels with no CSI about the wiretapper, under the condition that the wiretapper has less antennas than the legitimate receiver. Schaefer and Loyka [20] studied the secrecy capacity of the compound MIMO wiretap channel, where a transmitter has no knowledge of the realization of the eavesdropping channel, except that it remains fixed during the transmission block and belongs to a given set (the compound set). The compound model represents a well-accepted reasonable approach to information theoretic security, which assumes minimal CSIT of the eavesdropping channel [21, 22, 23]. It can also model a multicast channel with several eavesdroppers, where the transmitter sends information to all legitimate receivers while keeping it secret from all eavesdroppers [21].

When it comes to code design for fading and MIMO wiretap channels, an error probability criterion was used in several prior works [24, 25, 26], while information theoretic security was only addressed recently with the help of flatness factors [27, 28]. In particular, [28] established strong secrecy over MIMO wiretap channels for secrecy rates that are within a constant gap from the secrecy capacity.

### I-a Main Contributions

In this paper, we propose universal codes for compound Gaussian MIMO wiretap channels [20] that complement the recent work reported in [28]. The key method is discrete Gaussian shaping and a “direct” proof of the universal flatness of the eavesdropper’s lattice. Note that [28] used an “indirect” proof, which was based on an upper bound on the smoothing parameter in terms of the minimum distance of the dual lattice. Besides considering different channel models ([28] is focused on ergodic stationary channels although it also briefly addresses compound channels), the code constructions of this paper and [28] are also different: the construction of [28] is based on a particular sequence of algebraic number fields with increasing degrees, while the algebraic construction of this work combines algebraic number fields of fixed degree and random error correcting codes of increasing lengths. The proposed construction enjoys a significantly smaller gap to secrecy capacity, as well as lower decoding complexity, than [28], over compound MIMO wiretap channels.

For a compound channel formed by the set of all matrices with the same white-input capacity, our lattice coding scheme universally achieves rates (in nats) up to , where is the capacity of the legitimate channel, is the capacity of the eavesdropper channel, is the number of transmit antennas and . We believe the -nat gap is an artifact of our proof technique based on the flatness factor, which may be removed by improving the flatness-factor method. This is left as an open problem for future research.

We also show how to extend the analysis in order to accommodate number-of-antenna mismatch, i.e., security is valid regardless of the number of antennas at the eavesdropper111Previous works [24, 28] required that the number of the eavesdropper’s antennas be greater than or equal to .. This is a very appealing property, since the number of receive antennas of an eavesdropper may be unknown to the transmitter.

We present two techniques to prove universality of the proposed lattice codes. The first technique is based on (generalized) Construction A and the usual argument for compound channels, which combines fine quantization of the channel space with mismatch encoding for quantized states. This method is a generic proof of the existence of good codes which potentially incurs large blocklengths and performance loss. The second technique is based on algebraic lattices and assumes that the codes admit an “algebraic reduction” and can absorb the channel state. In fact, any code which is good for the Gaussian wiretap channel can be coupled with this second technique, as long as it also possesses an additional algebraic structure (for precise terms see Definition 6). It is inspired by previous works on algebraic reduction for fading and MIMO channels [29], [30], which are revisited here in terms of secrecy.

### I-B Relation to Previous Works

An idea of approaching the secrecy capacity of fading wiretap channels using nested lattice codes was outlined in [31]. Code construction for compound wiretap channels has been further developed in [32], which leads to the current work where proof details are given.

The technique for establishing universality of the codes in [20] over the compound MIMO channel with (uncountably) infinite uncertainty sets consists of quantizing the channel space and designing a (random Gaussian) codebook for the quantized channels. This method is similar to the proof of Theorem 1 in the present paper.

Compound MIMO channels without secrecy constraints have been considered earlier in [33, 34, 35] for random codebooks. Lattice codes are shown to achieve the optimal diversity-multiplexing tradeoff for MIMO channels in [36]. More recently it was proven that precoded integer forcing [37] achieves the compound capacity up to a gap, while algebraic lattice codes [38] achieve the compound capacity with ML decoding and a gap to the compound capacity of MIMO channels with reduced decoding complexity.

### I-C Organization

The technical content of this paper is organized as follows. In Section II we discuss the main problem and notions of security. In Section III, we introduce the main notation on lattices and discrete Gaussians, stating generalized versions of known results for correlated Gaussian distributions. In Section IV we give an overview of the main coding scheme and analyze the information leakage and reliability. The proof of universality, however, is postponed until Section V, where we show that lattice codes can achieve vanishing information leakage under semantic security through the two aforementioned techniques. Section VI concludes the paper with a discussion of other compound models and future work.

### I-D Notation

Matrices and column vectors are denoted by upper and lowercase boldface letters, respectively. For a matrix

, its Hermitian transpose, inverse, determinant and trace are denoted by , , and , respectively. We denote the Frobenius norm of a matrix by and the spectral norm (i.e., -norm) by , where

is the largest eigenvalue of

.

denotes the identity matrix. We write

for a symmetric matrix if it is positive semi-definite. Similarly, we write if . We use the standard asymptotic notation when , when , when , and when . Finally, in this paper, the logarithm is taken with respect to base (where is the Neper number) and information is measured in nats.

## Ii Problem Statement

Consider the following wiretap model. A transmitter (Alice) sends information through a MIMO channel to a legitimate receiver (Bob) and is eavesdropped by an illegitimate user (Eve). The channel equations for Bob and Eve read:

 Ybnb×T=Hbnb×naXna×T+Wbnb×TYene×T=Hene×naXna×T+Wene×T, (1)

where is the number of transmit antennas, (, resp.) is the number of receive antennas for Bob (Eve, resp.), is the coherence time, and (

, resp.) has circularly symmetric complex Gaussian i.i.d. entries with variance

(, resp.) per complex dimension. We can vectorize (1) in a natural way:

 ybnbT×1=HbnbT×naTxnaT×1+wbnbT×1yeneT×1=HeneT×naTxnaT×1+weneT×1, (2)

where and are the block diagonal matrices

 Hb=IT⊗Hb=⎛⎜ ⎜ ⎜ ⎜ ⎜⎝HbHb⋱Hb⎞⎟ ⎟ ⎟ ⎟ ⎟⎠,
 He=IT⊗He=⎛⎜ ⎜ ⎜ ⎜ ⎜⎝HeHe⋱He⎞⎟ ⎟ ⎟ ⎟ ⎟⎠.

For convenience, we denote the transmit signal-to-noise ratio (SNR) in Bob and Eve’s channels by

 ρb≜Pσ2b and ρe≜Pσ2e,

respectively, where is the power constraint, i.e., the transmitted signal satisfies .

We assume that the channel realizations are unknown to Alice but belong to a compound set . From the security perspective, we further make the conservative assumption that Eve knows both and . Under this general scenario the (strong) secrecy capacity is bounded by [20]:

 Cs≥maxRminHb,He(log|I+σ−1bH†bHbR|−log∣∣I+σ−1eH†eHeR∣∣)+,

where the minimum is over all realizations in and the maximum over the matrices such that . Suppose that and are the set of channels with the same isotropic mutual information, i.e.,

 Sb={Hb∈Cnb×na:|I+ρbH†bHb|=eCb},Se={He∈Cne×na:∣∣I+ρeH†eHe∣∣=eCe}, (3)

for fixed . In this case, the bound gives . The worst case is achieved by taking a specific “isotropic” realization , , where and are such that and belong to and , respectively. From this we conclude that . The goal of this paper is to construct universal lattice codes that approach the secrecy capacity with semantic security. As a corollary, the semantic security capacity and the strong secrecy capacity of the compound set coincide.

A practical motivation to consider the compound model (3) is the following. Firstly, notice that the secrecy capacity is the same if we replace the equality in the definition of and with upper/lower bounds; more precisely the secrecy capacity of the channel with compound set , where

 ¯¯¯¯Sb={Hb∈Cnb×na:|I+ρbH†bHb|≥eCb},¯¯¯¯Se={He∈Cne×na:|I+ρeH†eHe|≤eCe}, (4)

is the same as for . Note that the sets , and are compact whereas is not. In other words, universal codes are robust, in the sense that only a lower bound on the legitimate channel capacity and an upper bound on the eavesdropper channel are needed. From the security perspective, this is a safe strategy in the scenario where the capacities are not known precisely. Even if Bob and Eve’s channels are random, an acceptable secrecy-outage probability can be guaranteed by setting and properly. Then, the problem still boils down to the design of universal codes for the compound model (3).

### Ii-a Notions of Security

A secrecy code for the compound MIMO channel can be formally defined as follows.

###### Definition 1.

An -secrecy code for a compound MIMO channel with set consists of

• A set of messages (the secret message rate is measured in nats and is assumed to be an integer for convenience).

• An auxiliary (not necessarily uniform) source taking values in with entropy .

• A stochastic encoding function satisfying the power constraint

 1T{tr}(E[fT(m,U)†fT(m,U)]])≤naP, (5)

for any .

• A decoding function with output .

A pair is referred to as a channel state (or channel realization). To ensure reliability for all channel states we require a sequence of codes whose error probability for message vanishes uniformly:

 Perr|M≜P(^M≠M)→0,∀sb∈Sb, as T→∞. (6)

Let be a message distribution over . For strong secrecy, is usually assumed to be uniform; however, this assumption is not sufficient from the viewpoint of semantic security, which is the standard notion of security in modern cryptography. Let be the output of the channel to the eavesdropper, who is omniscient. The following security notions are adapted from [9, 11] and should hold in the limit :

• Mutual Information Security (MIS): Unnormalized mutual information

 I(M;Ye)→0 (7)

for any message distribution and .

 supf,pM{maxm′P(f(M)=f(m′)|Ye)−maxm′′P(f(M)=f(m′′))}→0

for any function from to finite sequences of bits in , and all .

• Distinguishing Security (DistS): The maximum variational distance

 maxm′,m′′∈MTV(pYe|m′,pYe|m′′)→0 for all se∈Se.

We stress that all three notions require a sequence of codes to be universally secure for all channel states. Treating these notions as classes, we have the inclusions , i.e., the sequences of codes satisfying DistS are the same as the ones satisfying SemanticS and also include those satisfying MIS [11, Prop. 1]. Moreover, if in the above notions we require that the convergence rate is , the three sets coincide. We thus define universally secure codes as follows.

###### Definition 2.

A sequence of codes of rate is universally secure for the MIMO wiretap channel if for all , it satisfies the reliability condition (6) and mutual information security (7) uniformly.

Then, semantic security follows as a corollary:

###### Corollary 1.

The sequence of codes given in Definition 2 is semantically secure for the compound MIMO wiretap channel.

In what follows we proceed to construct universally secure codes for the MIMO wiretap channel using lattice coset codes.

## Iii Correlated Discrete Gaussian Distributions

In this subsection, we exhibit essential results and concepts for the definition and analysis of our lattice coding scheme.

### Iii-a Preliminary Lattice Definitions

A (complex) lattice with generator matrix is a discrete additive subgroup of given by

 Λ=L(Bc)={Bcx:x∈Z2n}. (8)

A complex lattice has an equivalent real lattice generated by the matrix obtained by stacking real and imaginary parts of matrix :

 Br=(R(Bc)I(Bc))∈R2n×2n.

A fundamental region for is any interior-disjoint region that tiles through translates by vectors of . For any we say that iff . By convention, we fix a fundamental region and denote by the unique representative such that . The volume of is defined as the volume of a fundamental region for the equivalent real lattice, given by

Throughout this text, for convenience, we also use the matrix-notation of lattice points. If is a full-rank lattice, the matrix form representation of is

 X=⎛⎜ ⎜ ⎜ ⎜ ⎜ ⎜ ⎜⎝x1x2⋯xTxT+1xT+2⋯x2Tx2T+1x2T+2⋯x3T⋮⋮⋱⋮x(n−1)T+1x(n−1)T+2⋯xnT⎞⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟⎠.

The dual of a complex lattice is defined as

 Λ∗={x∈Cn:R⟨x,y⟩∈Z for all y∈Λ}.

### Iii-B The Flatness Factor

The flatness factor has been introduced in [11], and will be used here to bound the information leakage of information transmission of our coding scheme.

The p.d.f. of the complex Gaussian centered at is defined as

 fσ,c(x)=1(πσ2)ne−(x−c)†(x−c)/σ2.

We write for the sum of over . The flatness factor of a lattice quantifies the distance between and the uniform distribution over and, as we will see, bounds the amount of leaked information in a lattice coding scheme.

###### Definition 3 (Flatness factor for spherical Gaussian distributions).

For a lattice  and a parameter , the flatness factor is defined by:

 ϵΛ(σ)≜maxx∈R(Λ)|V(Λ)fσ,Λ(x)−1|

where is a fundamental region of .

For a complex lattice , let be the volume-to-noise ratio (VNR). We recall the formulas of the flatness factor and smoothing parameter, adapted to complex lattices. The flatness factor can be written as [11, Prop. 2]:

 ϵΛ(σ)=(γΛ(σ)π)nΘΛ(1πσ2)−1=ΘΛ∗(πσ2)−1, (9)

where is the theta series of the lattice .

###### Definition 4 (Smoothing parameter [39]).

For a lattice and , the smoothing parameter is defined by the function , for the smallest such that .

When we have a correlated Gaussian distribution with covariance matrix

 f√Σ,c(x)=1πn|Σ|exp{−(x−c)TΣ−1(x−c)}, (10)

the flatness factor is similarly defined.

###### Definition 5 (Flatness factor for correlated Gaussian distributions).
 ϵΛ(√Σ)≜maxx∈R(Λ)|V(Λ)f√Σ,Λ(x)−1|

where is a fundamental region of .

The usual smoothing parameter in Definition 4 is a scalar. To extend its definition to matrices, we say if . This induces a partial order because if .

When we ignore the index and write . For a covariance matrix we define the generalized-volume-to-noise ratio as

 γΛ(√Σ)=V(Λ)1/n|Σ|1/n.

Clearly, the effect of correlation on the flatness factor may be absorbed if we use a new lattice , i.e., . From this, and from the expression of the flatness factor, we have

 ϵΛ(√Σ)=V(Λ)πn|Σ|∑λ∈Λe−λ†Σ−1λ−1=⎛⎝γ√Σ−1Λ(σ2)π⎞⎠nΘ√Σ−1Λ(1πσ2)−1. (11)

In our applications, the matrix will be determined by the channel realization (1). Figure 1 shows the effect of fading on the lattice Gaussian function. A function (10) which is flat over the Gaussian channel (corresponding to ) need not be flat for a channel in deep fading (corresponding to an ill-conditioned ), in which case an eavesdropper could clearly distinguish one dimension of the signal.

### Iii-C The Discrete Gaussian Distribution

In order to define our coding scheme, we need a last element, which is the distribution of the sent signals. To this end, we define the discrete Gaussian distribution as the distribution assuming values on , such that the probability of each point is given by

 DΛ+c,√Σ(λ+c)=f√Σ(λ+c)f√Σ,Λ(c).

Its relation to the continuous Gaussian distribution can be shown via the smoothing parameter or the flatness factor. For instance, a vanishing flatness factor guarantees that the power per dimension of is approximately [11, Lemma 6].

The next proposition says that the sum of a continuous Gaussian and a discrete Gaussian is approximately a continuous Gaussian, provided that the flatness factor is small. The proof can be found in [28, Appendix I-A]:

###### Lemma 1.

Given sampled from the discrete Gaussian distribution and sampled from the continuous Gaussian distribution . Let and let . If for , then the distribution of is close to :

 g(x)∈f√Σ0(x)[1−4ε,1+4ε].

## Iv Coding Scheme and Analysis

### Iv-a Overview

Given a pair of nested lattices such that

 1Tlog|ΛTb/ΛTe|=R,

the transmitter maps a message to a coset of in quotient , then samples a point from that coset. Concretely, one can use a a one-to-one map such that , where is a representative of the coset and then samples the signal broadcasting it to the channels. A block diagram for the transmission until the front-end receivers Bob and Eve is depicted in Figure (a)a.

In order to find pairs of sequences of nested lattices and we employ constructions of lattices from error-correcting codes. The analysis and full construction are explained in Section V. Essentially, the lattice controls reliability and has to be chosen in such a way that it is universally good for the legitimate compound channel. The lattice controls the information leakage to the eavesdropper, and has to be chosen in such a way that the flatness factor vanishes universally for any eavesdropper realization (universally good for secrecy). The main result of this section is the following theorem, stating the existence of schemes with vanishing probability of error and vanishing information leakage for all pairs of realizations in the compound set .

###### Theorem 1.

There exists a sequence of pairs of nested lattices , such that as , the lattice coding scheme universally achieves any secrecy rate

 R<(Cb−Ce−na)+.

Moreover, we show that both the probability of error and information leakage in Theorem 1 vanishes uniformly for all realizations.

### Iv-B The Eavesdropper Channel: Security

For a fixed realization , the key element for bounding the information leakage is the following lemma [11, Lem 2]:

###### Lemma 2.

Suppose that there exists a probability density function

taking values in such that for all . Then, for all message distributions, the information leakage is bounded as:

 I(M;Ye)≤2neTεTR−2εTlog2εT. (12)

We will show that if the distribution is sufficiently flat, then is statistically close to a multivariate Gaussian for any . Let us assume for now that is an invertible square matrix (we next show how to reduce the other cases to this one). In this case, given a message , we have

 Hex∼DHe(ΛTe+λm),√(HeH†e)σ2s.

According to Lemma 1, the distribution of is within variational distance

from the normal distribution

, where and

 (13)

We thus have the following bound for the information leakage ((12) with replaced by ):

 I(M;Ye)≤8neTεTR−8εTlog8εT. (14)

Therefore, if , the leakage vanishes as increases for the specific realization . To achieve strong secrecy universally, we must, however, ensure the existence of a lattice with vanishing flatness factor for all possible . We postpone the universality discussion to Section V where it is proven that a vanishing flatness factor is possible simultaneously for all and . This condition implies that semantic security is possible for any VNR,

 γHeΛTe(√Σ3)=|H†eHe|1/naTV(ΛTe)1/naT|Σ3|1/naT<π, (15)
 V(ΛTe)1/naT<∣∣I+ρeH†eHe∣∣−1/naπσ2s=(πσ2s)e−Ce/na. (16)

Number-of-Antenna Mismatch. The above analysis assumed that , i.e., the number of eavesdropper receive antennas is equal to the the number of transmit antennas. Although analytically simpler, this assumption is not reasonable in practice, since we expect a compound scheme to perform well for any number of eavesdropper antennas. We show next how to reduce the other cases to the square case.

(i) : Recall that the signal received by the eavesdropper is given in matrix form by

 Ye=HeX+We.

Let be a completion of such that

 ¯¯¯¯¯He=(Heβ~He),

is a full-rank sqaure matrix and is some small number. Let be a matrix corresponding to circularly symmetric Gaussian noise. Consider the following surrogate MIMO channel:

 (Ye~Ye)=(Heβ~He)X+ (We~We),

where is scaled so that the capacity of the new channel is arbitrarily close to the original one. Indeed for any full rank completion , from the matrix determinant lemma, we have

 |I+ρe¯¯¯¯¯H†e¯¯¯¯¯He|=|I+ρeH†eHe|×|I+β2~He(|I+ρeH†eHe|)−1~H†e|≥eCe. (17)

Therefore, by letting , the left-hand side tends to . For any signal , the information leakage of the surrogate channel is strictly greater than the original one. Indeed, the the eavesdropper’s original channel is stochastically degraded with respect to the augmented one, thus A universally secure code for the MIMO compound channel will have vanishing information leakage for the surrogate channel (for any completion) and therefore will also be secure for the original channel.

(ii) : Performing a rectangular factorization of we have:

 He=Q(^R0),

where and are square matrices. Therefore the eavesdropper’s received signal is equivalent to

 Ye=Q(^R0)X+(W(1)eW(2)e)⟺Q†Ye=(^R0)X+⎛⎝~W(1)e~W(2)e⎞⎠,

where the components of the noise matrices are i.i.d. Gaussian. The leakage is therefore the same as for the square channel and a universal code will also achieve vanishing leakage for the non-square channel.

### Iv-C The Legitimate Channel: Reliability

It was shown in [38] that if , then the maximum-a-posteriori (MAP) decoder for the signal is equivalent to lattice decoding of , where is the MMSE-GDFE matrix to be defined in the sequel. We cannot claim directly that , since the message distribution in need not be uniform. Nonetheless, we show that reliability is still possible for all individual messages.

The full decoding process is depicted in Figure (b)b. Bob first applies a filtering matrix so that

 ~Yb=FbYb=RbX+Wb,eff,

where and , and the effective noise is

The next step is to decode in , in order to obtain which is then remapped into the element of the coset through the operation

. We can then invert the linear transformation associated to

(notice that has full rank) in order to obtain the coset in and re-map it to the message space through .

In the first step, from Lemma 1, the effective noise is statistically close to a Gaussian noise with covariance:

 Σb,eff = σ2s(FbHb−Rb)(FbHb−Rb)†+σ2bFbF†b = ρ−2bσ2sR−†bR−1b+σ2bρ−2bR−†bH†bHbR−1b = σ2bR−†b(ρ−1bI+H†bHb)R−1b=σ2bI.

provided that is small, where

 Σ−1b,inv=(σ2s(FbHb−Rb)(FbHb−Rb)†)−1+(σ2bFbF†b)−1. (19)

The probability of error given any message is thus bounded by

 Perr|m≤(1+4ε(FbHb−Rb)ΛTe(Σb,inv))P(~Wb,eff∉V(RbΛTb)), (20)

where each entry of is i.i.d. normal with variance . Therefore, if we guarantee that is bounded and if we choose a universally good lattice, the probability vanishes for all possible . This is possible [38] provided that

 γRbΛTb(σb)>πe, (21)

namely,

 V(ΛTb)1/naT>∣∣I+ρbH†bHb∣∣−1/naπeσ2s=(πeσ2s)e−Cb/na. (22)

However, the evaluation of is cumbersome and implies an extra condition for the flatness of . Next we show, instead, how to circumvent this problem by using the fact that that the effective noise is “asymptotically” sub-Gaussian with covariance matrix . We say that a centred random vector is sub-Gaussian with (proxy) parameter if

 logE[et⟨w,u⟩]≤t2σ22

for all and all unit norm vectors .

###### Lemma 3 ([28]).

Let be a random vector with distribution , and let For any matrix and any vector , we have:

 E[eR{x†Au}]≤(1+ε′1−ε′)eσ2s4∥Au∥2.

Notice that the average power per dimension of a sub-Gaussian random variable is always less than or equal to its parameter

. Moreover, the sum of two sub-Gaussians is also a sub-Gaussian (for more properties, the reader is referred to [28]). The above lemma, along with (IV-C), allows us to establish that is almost sub-Gaussian with parameter . Therefore, as long as the probability of error tends to zero if we choose to be universally AWGN-good.

### Iv-D Proof of Theorem 1: Achievable Secrecy Rates

From the previous subsections, semantic security is achievable if and satisfy:

1. Reliability (21):

2. Secrecy (15):

3. Sub-Gaussianity of equivalent noise and power constraint: .

From and (22), the first two conditions can be satisfied for rates up to

 log|I+ρbH†bHb|−log|I+ρeH†eHe|−na

nats per channel use, but the last conditions may, a priori, limit these rates to certain SNR regimes. Fortunately, if condition is satisfied, we automatically satisfy the condition for , since

 V(ΛTe)1/naTσ2s≤V(ΛTe)1/naTe−Ce/naσ2s<π.

Therefore, if is a sequence of nested lattices, where

1. is universally good for the compound channel with set ,

2. is universally secure for the compound channel with set ,

then nested lattice Gaussian coding achieves any secrecy rate up to

 R≤(Cb−Ce−na)+.

The existence of such nested pairs is proved subsequently in Section V and Appendix B, which concludes the proof of Theorem 1.

In fact using a method in [40] we can further reduce the gap to approximately