Hash-then-Encode: A Modular Semantically Secure Wiretap Code

Abstract

We propose a modular construction of a semantically secure wiretap code that achieves secrecy capacity for a large class of wiretap channels. Security of the construction is proved by interpreting the construction as an instance of an invertible extractor, and use the framework in Bellare et al. [1] to complete the proof. The construction has computation for encoding and decoding equivalent to hashing, and the smallest effective transmission rate among known modular capacity achieving constructions. We also give a modular construction of invertible Universal Hash Functions (UHF) from an XOR Universal Hash Functions that is of independent interest.

Appendix

1.1 Proof of Lemma 4

Proof

According to Lemma 3, we only need to show that \(\{{h}_\mathbf {s}|\mathbf {s}\in {\mathcal {S}}\}\) is XOR-Universal, which is easily verified.

• When \({r}\ge {b}\), \({h}_\mathbf {s}({\mathbf {x}})\oplus {h}_\mathbf {s}({\mathbf {x}}^{'})=\mathbf {a}\) if and only if there exists an \(\mathbf {e}\in \{0,1\}^{{r}-{b}}\) satisfying \(s\odot ({\mathbf {x}}\oplus {\mathbf {x}}^{'})=(\mathbf {a}||\mathbf {e})\). Since we assume \({\mathbf {x}}\ne {\mathbf {x}}^{'}\), \(\mathbf {s}=(\mathbf {a}||\mathbf {e})\odot ({\mathbf {x}}\oplus {\mathbf {x}}^{'})^{-1}\) is uniquely determined by the right hand side. The number of s satisfying \({h}_\mathbf {s}({\mathbf {x}})\oplus {h}_\mathbf {s}({\mathbf {x}}^{'})=\mathbf {a}\) is exactly the number of \(\mathbf {e}\in \{0,1\}^{{r}-{b}}\), which is \(2^{{r}-{b}}\). The total number of seeds \(|{\mathcal {S}}|\) in this case is \(2^{r}\). Hence \(\text {Pr}[{h}_\mathbf {s}({\mathbf {x}})\oplus {h}_\mathbf {s}({\mathbf {x}}^{'})=\mathbf {a}]\le \frac{1}{2^{b}}\) for any \({\mathbf {x}}\ne {\mathbf {x}}^{'}\in {\mathcal {X}}\) and \(\mathbf {a}\in {\mathcal {Y}}\).

• When \({r}< {b}\), \({h}_\mathbf {s}({\mathbf {x}})\oplus {h}_\mathbf {s}({\mathbf {x}}^{'})=\mathbf {a}\) if and only if \(s\odot ({\mathbf {x}}\oplus {\mathbf {x}}^{'}||0^{{b}-{r}})=\mathbf {a}\). Since we assume \({\mathbf {x}}\ne {\mathbf {x}}^{'}\), \(\mathbf {s}=\mathbf {a}\odot ({\mathbf {x}}\oplus {\mathbf {x}}^{'}||0^{{b}-{r}})^{-1}\) is uniquely determined by the right hand side. The number of s satisfying \({h}_\mathbf {s}({\mathbf {x}})\oplus {h}_\mathbf {s}({\mathbf {x}}^{'})=\mathbf {a}\) is exactly 1. The total number of seeds \(|{\mathcal {S}}|\) in this case is \(2^{b}\). Hence \(\text {Pr}[{h}_\mathbf {s}({\mathbf {x}})\oplus {h}_\mathbf {s}({\mathbf {x}}^{'})=\mathbf {a}]\le \frac{1}{2^{b}}\) for any \({\mathbf {x}}\ne {\mathbf {x}}^{'}\in {\mathcal {X}}\) and \(\mathbf {a}\in {\mathcal {Y}}\).