Information Theoretic Security S ennur Ulukus Department of ECE - PowerPoint PPT Presentation

Achievability of the Secrecy Capacity-IV • Equivocation calculation. • We have the following: H ( W s | Z n ) = H ( W s , ˜ W s | Z n ) − H ( ˜ W s | W s , Z n ) W s ; Z n ) − H ( ˜ W s | W s , Z n ) = H ( W s , ˜ W s ) − I ( W s , ˜ W s ) − I ( X n ; Z n ) − H ( ˜ W s | W s , Z n ) ≥ H ( W s , ˜ W s ) − I ( X n ; Z n ) − H ( ˜ W s | W s , Z n ) = H ( W s )+ H ( ˜ which is I ( W s ; Z n ) ≤ I ( X n ; Z n )+ H ( ˜ W s | W s , Z n ) − H ( ˜ W s ) • We treat each term separately 21

Achievability of the Secrecy Capacity-V • We have H ( ˜ W s ) = n ˜ R s = nI ( X ; Z ) • We have n I ( X n ; Z n ) ≤ ∑ I ( X i ; Z i ) ≤ n ( I ( X ; Z )+ γ n ) i = 1 • Finally, we consider W s | W s , Z n ) H ( ˜ W s ) can take 2 n ˜ R s values where ˜ • Given W s = w s , x n ( w s , ˜ R s = I ( X ; Z ) • Thus, the eavesdropper can decode ˜ W s given W s = w s by looking for the unique ˜ w s such that ( x n ( w s , ˜ w s ) , Z n ) is jointly typical. • Hence, from Fano’s lemma: W s | W s , Z n ) ≤ n β n H ( ˜ 22

Achievability of the Secrecy Capacity-VI • Combining all these findings yields 1 nI ( W s ; Z n ) ≤ β n + γ n • Since β n , γ n → 0 when n → ∞ , we have 1 nI ( W s ; Z n ) = 0 lim n → ∞ i.e., perfect secrecy is achieved. • Thus, R s = I ( X ; Y ) − I ( X ; Z ) is an achievable perfect secrecy rate 23

Achievability of the Entire Rate-Equivocation Region-I • So far, we showed the achievability of R s = I ( X ; Y ) − I ( X ; Z ) R = I ( X ; Y ) − I ( X ; Z ) • We will now show the achievability of R s = I ( X ; Y ) − I ( X ; Z ) R = I ( X ; Y ) • In the perfect secrecy case, each secret message W s is associated with many codewords X n ( W s , ˜ W s ) • Legitimate user decodes both W s and ˜ W s • There is a rate for ˜ W s which does not carry any information content • ˜ W s can be replaced with some information on which there is no secrecy constraint, i.e., it does not need to be confidential: – Rate-equivocation region 24

Achievability of the Entire Rate-Equivocation Region-II • Each message W is divided into two parts: – Secret message W s – Public message W p • We have doubly indexed codewords X n ( W s , W p ) • We need to show – Rate R = R s + R p can be delivered to Bob – Rate R s can be kept hidden from Eve 25

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � Achievability of the Entire Rate-Equivocation Region-III • Codebook used to show achievability nR 2 p nR 1,1 1, j 1, 2 p 1,2 . . . . . . 2,1 2,2 2, j nR 2,2 p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . nR 2 s , nR i j i ,1 i ,2 i ,2 p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . nR nR nR nR nR 2 ,1 2 ,2 2 , j 2 ,2 p s s s s . . . . . . R I X Y ; I X Z ; , R I X Z ; s p 26

Achievability of the Entire Rate-Equivocation Region-IV • R = R s + R p can be delivered to Bob as long as R s + R p ≤ I ( X ; Y ) • We set R p as R p = I ( X ; Z ) • Equivocation calculation: H ( W | Z n ) = H ( W s , W p | Z n ) = H ( W s , W p ) − I ( W s , W p ; Z n ) ≥ H ( W s , W p ) − I ( X n ; Z n ) = H ( W s )+ H ( W p ) − I ( X n ; Z n ) • As n → ∞ , ( X n ( w s , w p ) , Z n ) will be jointly typical with high probability: I ( X n ; Z n ) ≤ nI ( X ; Z )+ n γ n 27

Achievability of the Entire Rate-Equivocation Region-V • Equivocation computation proceeds as follows H ( W | Z n ) ≥ H ( W s )+ H ( W p ) − nI ( X ; Z ) − n γ n = H ( W s ) − n γ n = n [ I ( X ; Y ) − I ( X ; Z )] − n γ n • Thus, we have 1 nH ( W | Z n ) ≥ I ( X ; Y ) − I ( X ; Z ) lim n → ∞ i.e., I ( X ; Y ) − I ( X ; Z ) is an achievable equivocation rate. • Therefore, rate R = I ( X ; Y ) can be achieved with equivocation R e = I ( X ; Y ) − I ( X ; Z ) . 28

� � � � � Stochastic Encoding: 64-QAM Example-I Bob’s Noise Eve’s Noise Bob’s Constellation Eve’s Constellation C � log 64 6 b/s C � log 16 4 b/s B 2 E 2 C C C 2 b/s s B E 29

Stochastic Encoding: 64-QAM Example-II Message 1 Message 2 Message 3 Message 4 30

Stochastic Encoding: 64-QAM Example-III Message 1 Message 2 Message 3 Message 4 31

Stochastic Encoding: 64-QAM Example-IV Message 1 Message 2 Message 3 Message 4 32

Stochastic Encoding: 64-QAM Example-V Message 1 Message 2 Message 3 Message 4 33

� � General Wiretap Channel • Csiszar and Korner considered the general wiretap channel in 1978. • They extended Wyner’s model in two ways – Eve’s signal is not necessarily a degraded version of Bob’s signal. – There is a common message for both Eve and Bob Y ˆ W Bob W X V Alice n H W Z | Z Eve 34

General Wiretap Channel: Capacity-Equivocation Region • Capacity-equivocation region is obtained as union of rate triples ( R 0 , R 1 , R e ) satisfying R 0 ≤ min { I ( U ; Y ) , I ( U ; Z ) } R 0 + R 1 ≤ I ( V ; Y | U )+ min { I ( U ; Y ) , I ( U ; Z ) } R e ≤ I ( V ; Y | U ) − I ( V ; Z | U ) for some ( U , V ) such that U → V → X → Y → Z • New ingredients in the achievable scheme: – Superposition coding to accommodate the common message – Channel prefixing 35

Outline of Achievability • Achievability of the following region is shown R 0 ≤ min { I ( U ; Y ) , I ( U ; Z ) } R 0 + R 1 ≤ I ( X ; Y | U )+ min { I ( U ; Y ) , I ( U ; Z ) } R e ≤ I ( X ; Y | U ) − I ( X ; Z | U ) for some ( U , X ) such that U → X → Y → Z • Channel prefixing, i.e., introduction of a hypothetical channel between U and X by means of V , gives the capacity region 36

General Capacity-Equivocation Region (for R 0 = 0 ) • When there is no common message, capacity-equivocation region R ≤ I ( V ; Y ) R e ≤ I ( V ; Y | U ) − I ( V ; Z | U ) for some ( U , V ) such that U → V → X → Y → Z • Even if common message is not present, we still need two auxiliary rv.s – V : channel prefixing – U : rate splitting • In other words, we still need superposition coding 37

General Capacity-Equivocation Region (for R 0 = 0 ): Achievability • Divide message W into three parts: W ′ p , W ′′ p , W s • W ′ p , W ′′ p are public messages on which there is no secrecy constraint • W s is the confidential part which needs to be transmitted in perfect secrecy • W ′ p is transmitted by the first layer, i.e., U • W ′′ p , W s are transmitted by the second layer, i.e., V • Similar to Wyner’s scheme, W ′′ p has two roles – Carries part of the public information on which there is no secrecy constraint – Provides protection for W s 38

� � Secrecy Capacity for General Wiretap Channel • Secrecy capacity is C s = U → V → X → ( Y , Z ) I ( V ; Y | U ) − I ( V ; Z | U ) max U → V → X → ( Y , Z ) ∑ = p U ( u ) I ( V ; Y | U = u ) − I ( V ; Z | U = u ) max u = V → X → ( Y , Z ) I ( V ; Y ) − I ( V ; Z ) max Y ˆ W Bob W X V Alice n H W Z | Z Eve 39

Secrecy Capacity for General Wiretap Channel: Channel Prefixing • The secrecy capacity: C s = V → X → YZ I ( V ; Y ) − I ( V ; Z ) max • The new ingredient: channel prefixing through the introduction of V . • No channel prefixing is a special case of channel prefixing by choosing V = X . 40

� � Channel Prefixing • A virtual channel from V to X . • Additional stochastic mapping from the message to the channel input: W → V → X . • Real channel: X → Y and X → Z . Constructed channel: V → Y and V → Z . ˆ Y W Bob X W V Alice Z n | H W Z Eve • With channel prefixing: V → X → Y , Z . • From DPI, both mutual informations decrease, but the difference may increase. • The secrecy capacity: C s = V → X → YZ I ( V ; Y ) − I ( V ; Z ) max 41

Converse-I • Csiszar sum lemma is crucial: Lemma 1 Let T n , U n be length-n random vectors, and G be a random variable. We have n n i + 1 ; T i | G , T i − 1 ) = I ( T i − 1 ; U i | G , U n I ( U n ∑ ∑ i + 1 ) i = 1 i = 1 • Due to secrecy condition, we have I ( W s ; Z n ) ≤ n γ n where γ n → 0 as n → ∞ . • Fano’s lemma implies H ( W s | Y n ) ≤ n ε n where ε n → 0 as n → ∞ . 42

Converse-II • Thus, we have nR s = H ( W s ) ≤ I ( W s ; Y n )+ n ε n ≤ I ( W s ; Y n ) − I ( W s ; Z n )+ n ( ε n + γ n ) n I ( W s ; Y i | Y i − 1 ) − I ( W s ; Z i | Z n ∑ = i + 1 )+ n ( ε n + γ n ) i = 1 n I ( W s ; Y i | Y i − 1 ) − I ( W s ; Z i | Z n i + 1 ; Y i | W s , Y i − 1 ) − I ( Y i − 1 ; Z i | W s , Z n i + 1 )+ I ( Z n ∑ = i + 1 )+ n ( ε n + γ n ) i = 1 n i + 1 ; Y i | Y i − 1 ) − I ( W s , Y i − 1 ; Z i | Z n I ( W s , Z n ∑ = i + 1 )+ n ( ε n + γ n ) i = 1 n I ( W s ; Y i | Y i − 1 , Z n i + 1 , Y i − 1 )+ I ( Z n i + 1 ; Y i | Y i − 1 ) − I ( Y i − 1 ; Z i | Z n ∑ i + 1 ) − I ( W s ; Z i | Z n = i + 1 )+ n ( ε n + γ n ) i = 1 n I ( W s ; Y i | Y i − 1 , Z n i + 1 , Y i − 1 )+ n ( ε n + γ n ) i + 1 ) − I ( W s ; Z i | Z n ∑ = i = 1 where the underlined terms are equal due to Csiszar sum lemma. 43

Converse-III • We define U i = Y i − 1 Z n i + 1 V i = W s U i which satisfy U i → V i → X i → Y i , Z i • Thus, we have n ∑ nR s ≤ I ( V i ; Y i | U i ) − I ( V i ; Z i | U i )+ n ( ε n + γ n ) i = 1 • After single-letterization R s ≤ I ( V ; Y | U ) − I ( V ; Z | U ) • Thus, we have C s ≤ U → V → X → Y , Z I ( V ; Y | U ) − I ( V ; Z | U ) max = V → X → Y , Z I ( V ; Y ) − I ( V ; Z ) max 44

Reduction to the Degraded Case • If the channel is degraded, i.e., X → Y → Z we have I ( X ; Y | V ) − I ( X ; Z | V ) = I ( X ; Y , Z | V ) − I ( X ; Z | V ) = I ( X ; Y | V , Z ) ≥ 0 where V is such that V → X → Y → Z . • Hence, for degraded wiretap channel, we have C s = V → X → Y , Z I ( V ; Y ) − I ( V ; Z ) max ≤ V → X → Y , Z I ( V ; Y ) − I ( V ; Z )+ I ( X ; Y | V ) − I ( X ; Z | V ) max = V → X → Y , Z I ( V , X ; Y ) − I ( V , X ; Z ) max = V → X → Y , Z I ( X ; Y ) − I ( X ; Z )+ I ( V ; Y | X ) − I ( V ; Z | X ) max ≤ max X → Y , Z I ( X ; Y ) − I ( X ; Z ) 45

� � Gaussian Wiretap Channel • Leung-Yang-Cheong and Hellman considered the Gaussian wire-tap channel in 1978. Y = X + N Y Z = X + N Z Y ˆ W Bob W X Alice n H W Z | Z Eve • Key observation: Capacity-equivocation region depends on the marginal distributions p ( y | x ) and p ( z | x ) , but not the joint distribution p ( y , z | x ) • Gaussian case: Capacity-equivocation region does not depend on the correlation between N Y and N Z 46

Gaussian Wiretap Channel is Degraded • Eve’s signal is Bob’s signal plus Gaussian noise, or vice versa: a degraded wiretap channel: – If σ 2 Y ≥ σ 2 Z , Y = Z + ˜ N X → Z → Y – If σ 2 Z ≥ σ 2 Y , Z = Y + ˜ N X → Y → Z • No channel prefixing is necessary and Gaussian signalling is optimal. • The secrecy capacity: C s = X → Y → Z I ( X ; Y ) − I ( X ; Z ) max (1) • We know that Gaussian X maximizes both I ( X ; Y ) and I ( X ; Z ) . • What maximizes the difference? 47

Gaussian Wiretap Channel – Secrecy Capacity • Secrecy capacity can be obtained in three ways: – Entropy-power inequality e 2 h ( U + V ) ≥ e 2 h ( U ) + e 2 h ( V ) – I-MMSE formula � snr I ( X ; √ snr X + N ) = 1 √ mmse ( X / tX + N ) dt 2 0 – Conditional maximum entropy theorem h ( V | U ) ≤ h ( V G | U G ) 48

Gaussian Wiretap Channel Secrecy Capacity via EPI • Using entropy-power inequality: I ( X ; Y ) − I ( X ; Z ) = I ( X ; Y ) − I ( X ; Y + ˜ N ) 2 log σ 2 N ) − 1 = h ( Y ) − h ( Y + ˜ Y σ 2 Z 2 log σ 2 ≤ h ( Y ) − 1 Y )) − 1 2 log ( e 2 h ( Y ) + 2 π e ( σ 2 Z − σ 2 Y σ 2 Z 2 log σ 2 ≤ 1 Y ) − 1 Y )) − 1 2 log ( 2 π e )( P + σ 2 2 log (( 2 π e )( P + σ 2 Y )+( 2 π e )( σ 2 Z − σ 2 Y σ 2 Z � � � � = 1 1 + P − 1 1 + P 2 log 2 log σ 2 σ 2 Y Z = C B − C E which can be achieved by Gaussian X . • The secrecy capacity: X → Y → Z I ( X ; Y ) − I ( X ; Z ) = [ C B − C E ] + C s = max i.e., the difference of two capacities. 49

� � � � Caveat: Need Channel Advantage The secrecy capacity: C s = [ C B − C E ] + Bob’s channel is better Eve’s channel is better Y ˆ W Y ˆ W Bob Bob W X X W Alice Alice n H W Z | n H W Z | Z Z Eve Eve positive secrecy no secrecy C s = C B − C E C s = 0 50

Outlook at the End of 1970s and Transition into 2000s • Information theoretic secrecy is extremely powerful: – no limitation on Eve’s computational power – no limitation on Eve’s available information – yet, we are able to provide secrecy to the legitimate user – unbreakable, provable, and quantifiable (in bits/sec/hertz) secrecy • We seem to be at the mercy of the nature: – if Bob’s channel is stronger, positive perfect secrecy rate – if Eve’s channel is stronger, no secrecy • We need channel advantage. Can we create channel advantage? • Wireless channel provides many options: – time, frequency, multi-user diversity – cooperation via overheard signals – use of multiple antennas – signal alignment 51

� � Fading Wiretap Channel • In the Gaussian wiretap channel, secrecy is not possible if C B ≤ C E • Fading provides time-diversity: Can it be used to obtain/improve secrecy? Y ˆ W Bob W X Alice n | H W Z Z Eve 52

� � MIMO Wiretap Channel • In SISO Gaussian wiretap channel, secrecy is not possible if C B ≤ C E • Multiple antennas improve reliability and rates. How about secrecy? ˆ Y W . W X . . Bob Alice . . . Z n H W Z | Eve 53

� � Broadcast (Downlink) Channel • In cellular communications: base station to end-users channel can be eavesdropped. • This channel can be modelled as a broadcast channel with an external eavesdropper. Y ˆ 1 W 1 Bob 1 X , W W 1 2 Y ˆ W 2 2 Alice Bob 2 Z n H W W , | Z 1 2 Eve 54

Internal Security within a System • Legitimate users may have different security clearances. • Some legitimate users may have paid for some content, some may not have. • Broadcast channel with two confidential messages. Y 1 ˆ , n W H W ( | Y ) 1 2 1 Bob\Eve 1 W W , X 1 2 Alice Y 2 ˆ , n ( | ) W H W Y 2 1 2 Bob\Eve 2 55

� � Multiple Access (Uplink) Channel • In cellular communications: end-user to the base station channel can be eavesdropped. • This channel can be modelled as a multiple access channel with an external eavesdropper. W X 1 1 Y Alice ˆ ˆ W W , 1 2 X W 2 Bob 2 Charles Z n H W W , | Z 1 2 Eve 56

� � Cooperative Channels • Overheard information at communicating parties: – Forms the basis for cooperation – Results in loss of confidentiality • How do cooperation and secrecy interact? • Simplest model to investigate this interaction: relay channel with secrecy constraints. – Can Charles help without learning the messages going to Bob? Charles\Eve n H W Y | 1 X Y 2 1 X Y ˆ 1 W W Bob Alice 57

� � Fading Wiretap Channel-I • In the Gaussian wiretap channel, secrecy is not possible if C B ≤ C E • Fading provides a time-diversity: It can be used to obtain/improve secrecy. Y ˆ W Bob W X Alice n | H W Z Z Eve • Two scenarios for the ergodic secrecy capacity: – CSIT of both Bob and Eve: Liang-Poor-Shamai, Li-Yates-Trappe, Gopala-Lai-El Gamal. – CSIT of Bob only: Khisti-Tchamkerten-Wornell, Li-Yates-Trappe, Gopala-Lai-El Gamal. 58

� � Fading (i.e., Parallel) Wiretap Channel-II • Fading channel model: Y = h Y X + N Y Z = h Z X + N Z • Assume full CSIT and CSIR. • Parallel wiretap channel provides the framework to analyze the fading wiretap channel Y Bob 1 Y ˆ 2 W X 1 Y 3 X Z 2 1 W n n n | , , H W Z Z Z Z 1 2 3 X 2 3 Alice Eve Z 3 59

Fading Wiretap Channel-III • Secrecy capacity of the parallel wiretap channel can be obtained as follows [Liang-Poor-Shamai, 2008] C s = V → X L → ( Y L , Z L ) I ( V ; Y 1 ,..., Y L ) − I ( V ; Z 1 ,..., Z L ) max L I ( V ; Y l | Y l − 1 ) − I ( V ; Z l | Z L ∑ = l + 1 ) max V → X L → ( Y L , Z L ) l = 1 L l + 1 ; Y l | Y l − 1 ) − I ( V , Y l − 1 ; Z l | Z L l + 1 ; Y l | Y l − 1 , V ) ∑ I ( V , Z L l + 1 )+ I ( Z L = max V → X L → ( Y L , Z L ) l = 1 − I ( Y l − 1 ; Z l | Z L l + 1 , V ) L l + 1 ; Y l | Y l − 1 ) − I ( V , Y l − 1 ; Z l | Z L ∑ I ( V , Z L = l + 1 ) max V → X L → ( Y L , Z L ) l = 1 where underlined terms are identical due to Csiszar sum lemma. 60

Fading Wiretap Channel-IV L I ( V , Z L l + 1 ; Y l | Y l − 1 ) − I ( V , Y l − 1 ; Z l | Z L ∑ C s = l + 1 ) max V → X L → ( Y L , Z L ) l = 1 L I ( V ; Y l | Y l − 1 , Z L l + 1 ) − I ( V ; Z l | Z L l + 1 , Y l − 1 )+ I ( Z L l + 1 ; Y l | Y l − 1 ) − I ( Y l − 1 ; Z l | Z L ∑ = l + 1 ) max V → X L → ( Y L , Z L ) l = 1 L I ( V ; Y l | Y l − 1 , Z L l + 1 , Y l − 1 ) ∑ l + 1 ) − I ( V ; Z l | Z L = max V → X L → ( Y L , Z L ) l = 1 L I ( V , Y l − 1 , Z L l + 1 ; Y l | Y l − 1 , Z L l + 1 ) − I ( V , Y l − 1 , Z L l + 1 , Y l − 1 ) l + 1 ; Z l | Z L ∑ = max V → X L → ( Y L , Z L ) l = 1 L ∑ = I ( V l ; Y l | Q l ) − I ( V l ; Z l | Q l ) max { Q l → V l → X l → ( Y l , Z l ) } L l = 1 l = 1 L ∑ = Q l → V l → X l → ( Y l , Z l ) I ( V l ; Y l | Q l ) − I ( V l ; Z l | Q l ) max l = 1 � � L L ∑ ∑ = V l → X l → ( Y l , Z l ) I ( V l ; Y l ) − I ( V l ; Z l ) = max C sl l = 1 l = 1 61

Fading Wiretap Channel-V • Each realization of ( h Y , h Z ) can be viewed as a sub-channel occurring with some probability • Averaging over all possible channel realizations gives the ergodic secrecy capacity � 1 � � � �� 1 + h 2 1 + h 2 Y P ( h Y , h Z ) Z P ( h Y , h Z ) − 1 C s = max E 2 log 2 log σ 2 σ 2 Y Z where the maximization is over all power allocation schemes P ( h Y , h Z ) satisfying constraint E [ P ( h Y , h Z )] ≤ P • If h 2 Y ≤ h 2 Y Z Z , term inside the expectation is negative: σ 2 σ 2 if h 2 ≤ h 2 Y Z P ( h Y , h Z ) = 0 σ 2 σ 2 Y Z • Optimal power allocation is water-filling over the states ( h Y , h Z ) satisfying h 2 ≥ h 2 Y Z σ 2 σ 2 Y Z 62

� � Gaussian MIMO Wiretap Channel-I • Gaussian MIMO wiretap channel: Y = H Y X + N Y Z = H Z X + N Z ˆ Y W . W X . . Bob Alice . . . Z n H W Z | Eve • As opposed to the SISO case, MIMO channel is not necessarily degraded • As opposed to fading SISO, it cannot be expressed as a parallel channel 63

Gaussian MIMO Wiretap Channel-II • Secrecy capacity [Shafiee-Liu-Ulukus, Khisti-Wornell, Oggier-Hassibi, Liu-Shamai]: C S = V → X → Y , Z I ( V ; Y ) − I ( V ; Z ) max � � � � 1 � − 1 � H M KH ⊤ � H E KH ⊤ � � � � = M + I E + I max 2 log 2 log � K :tr ( K ) ≤ P • No channel prefixing is necessary and Gaussian signalling is optimal. • As opposed to the SISO case, C S � = C B − C E . • Multiple antennas improve reliability and rates. They improve secrecy as well. 64

Gaussian MIMO Wiretap Channel – Finding the Capacity • Secrecy capacity of any wiretap channel is known as an optimization problem: C s = max ( V , X ) I ( V ; Y ) − I ( V ; Z ) • MIMO wiretap channel is not degraded in general. – Therefore, V = X is potentially suboptimal. • There is no general methodology to solve this optimization problem, i.e., find optimal ( V , X ) . • The approach used by [Shafiee-Liu-Ulukus, Khisti-Wornell, Oggier-Hassibi]: – Compute an achievable secrecy rate by using a potentially suboptimal ( V , X ) : ∗ Jointly Gaussian ( V , X ) is a natural candidate. – Find a computable outer bound. – Show that these two expressions (achievable rate and outer bound) match. 65

Gaussian MIMO Wiretap Channel – Finding the Capacity (Outer Bound) • Using Sato’s approach, a computable outer bound can be found: – Consider the enhanced Bob with observation ˜ Y = ( Y , Z ) – This new channel is degraded, no need for channel prefixing: X I ( X ; ˜ Y ) − I ( X ; Z ) = max X I ( X ; Y | Z ) max – And, optimal X is Gaussian. • This outer bound can be tightened: – The secrecy capacity is the same for channels having the same marginal distributions – We can correlate the receiver noises. • The tightened outer bound is: X I ( X ; Y | Z ) min max where the minimization is over all noise correlations. • The outer bound so developed matches the achievable rate. 66

Insights from the Outer Bound • Sato-type outer bound is tight • This outer bound constructs a degraded wiretap channel from the original non-degraded one • Secrecy capacity of the constructed degraded channel is potentially larger than the original non-degraded one • However, they turn out to be the same • Indeed, these observations are a manifestation of channel enhancement: – Liu-Shamai provide an alternative proof for secrecy capacity via channel enhancement 67

Secrecy Capacity via Channel Enhancement • Aligned Gaussian MIMO wiretap channel Y = X + N Y Z = X + N Z where N Y ∼ N ( 0 , Σ Y ) , N Z ∼ N ( 0 , Σ Z ) . • Channel input X is subject to a covariance constraint � XX ⊤ � � S E • Covariance constraint has advantages – A rather general constraint including total power and per-antenna power constraints as special cases – Yields an easier analysis 68

Secrecy Capacity of Degraded Gaussian MIMO Wiretap Channel • Channel is degraded if it satisfies X → Y → Z which is equivalent to have Σ Y � Σ Z • In other words, we have N Z = N Y + ˜ N where ˜ N is Gaussian with covariance matrix Σ Z − Σ Y • Corresponding secrecy capacity C s = max p ( x ) I ( X ; Y ) − I ( X ; Z ) 2 log | Σ Y | p ( x ) h ( Y ) − h ( Z ) − 1 = max | Σ Z | 2 log | Σ Y | N ) − 1 p ( x ) h ( Y ) − h ( Y + ˜ = max | Σ Z | 2 log | Σ Y | N ) − 1 p ( x ) − I ( ˜ N ; Y + ˜ = max | Σ Z | 2 log | K + Σ Y | 2 log | Σ Y | 1 | K + Σ Z | − 1 = max | Σ Z | 0 � K � S 2 log | S + Σ Y | 2 log | S + Σ Z | = 1 − 1 | Σ Y | | Σ Z | 69

Secrecy Capacity via Channel Enhancement-I • The following secrecy rate is achievable 2 log | K + Σ Y | 2 log | K + Σ Z | 1 − 1 C s ≥ max | Σ Y | | Σ Z | 0 � K � S • Optimal covariance matrix K ∗ needs to satisfy ( K ∗ + Σ Y ) − 1 + M = ( K ∗ + Σ Z ) − 1 + M S K ∗ M = MK ∗ = 0 ( S − K ∗ ) M S = M S ( S − K ∗ ) = 0 • We enhance the legitimate user as follows � − 1 = ( K ∗ + Σ Y ) − 1 + M � K ∗ + ˜ Σ Y which also implies � − 1 = ( K ∗ + Σ Z ) − 1 + M S K ∗ + ˜ � Σ Y • Thus, ˜ Σ Y satisfies ˜ ˜ Σ Y � Σ Y Σ Y � Σ Z and 70

� � � Secrecy Capacity via Channel Enhancement-II • Enhanced channel: ˆ Y W Bob X Y W Enhanced Bob Alice n H W Z | Z Eve 71

Secrecy Capacity via Channel Enhancement-III • Enhanced wiretap channel Y = X + ˜ ˜ N Y Z = X + N Z where ˜ N Y ∼ N ( 0 , ˜ Σ Y ) . • Since ˜ Σ Y � { Σ Y , Σ Z } , we have X → ˜ Y → { Y , Z } • Thus, the enhanced channel is degraded and ˜ C s ≥ C s 2 log | S + ˜ Σ Y | 2 log | S + Σ Z | C s = 1 − 1 ˜ | ˜ | Σ Z | Σ Y | 72

Secrecy Capacity via Channel Enhancement-IV • Although secrecy capacity is potentially improved through the enhancement, indeed, there is a rate preservation ( K ∗ + ˜ Σ Y ) = ( K ∗ + Σ Z ) − 1 ( S + Σ Z ) Σ Y ) − 1 ( S + ˜ ( K ∗ + ˜ Σ Y = ( K ∗ + Σ Y ) − 1 Σ Y Σ Y ) − 1 ˜ • These identities imply 2 log | K ∗ + Σ Y | 2 log | K ∗ + Σ Z | 2 log | K ∗ + ˜ 2 log | K ∗ + Σ Z | Σ Y | 1 − 1 = 1 − 1 | ˜ | Σ Y | | Σ Z | | Σ Z | Σ Y | 2 log | S + ˜ Σ Y | 2 log | S + Σ Z | = 1 − 1 | ˜ | Σ Z | Σ Y | 73

Secrecy Capacity via Channel Enhancement-V • We can obtain the secrecy capacity of the original channel as follows [Liu-Shamai, 2009] C s ≤ ˜ C s I ( X ; ˜ = Y ) − I ( X ; Z ) max X → ˜ Y , Z E [ XX ⊤ ] � S 2 log | S + ˜ Σ Y | 2 log | S + Σ Z | = 1 − 1 | ˜ | Σ Z | Σ Y | 2 log | K ∗ + ˜ 2 log | K ∗ + Σ Z | Σ Y | = 1 − 1 | ˜ | Σ Z | Σ Y | 2 log | K ∗ + Σ Y | 2 log | K ∗ + Σ Z | = 1 − 1 | Σ Y | | Σ Z | 2 log | K + Σ Y | 2 log | K + Σ Z | 1 − 1 = max | Σ Y | | Σ Z | 0 � K � S 74

� � Multiple Access Wiretap Channel • An external eavesdropper listens in on the communication from end-users to the base station. W X 1 1 Y Alice ˆ ˆ , W W 1 2 X W 2 Bob 2 Charles Z n H W W , | Z 1 2 Eve • Introduced by Tekin-Yener in 2005: – Achievability of positive secrecy rates is shown. – Cooperative jamming is discovered. • Secrecy capacity is unknown in general 75

� � An Achievable Rate Region for Multiple Access Wiretap Channel-I • Introduce two independent auxiliary random variables V 1 and V 2 . W V X 1 1 1 ˆ ˆ W W , Y Alice 1 2 X W V 2 2 2 Bob Charles Z n , | H W W Z 1 2 Eve • An achievable secrecy rate region with channel pre-fixing: R 1 ≤ I ( V 1 ; Y | V 2 ) − I ( V 1 ; Z ) R 2 ≤ I ( V 2 ; Y | V 1 ) − I ( V 2 ; Z ) R 1 + R 2 ≤ I ( V 1 , V 2 ; Y ) − I ( V 1 , V 2 ; Z ) where p ( v 1 , v 2 , x 1 , x 2 , y , z ) factors as p ( v 1 ) p ( v 2 ) p ( x 1 | v 1 ) p ( x 2 | v 2 ) p ( y , z | x 1 , x 2 ) . 76

An Achievable Rate Region for Multiple Access Wiretap Channel-II 2 n ˜ R 1 � � 1 , 2 n ˜ R 1 (1 , 1) (1 , j ) . . . . . . . . . . . . . . . . . . . . . � � i, 2 n ˜ 2 nR 1 ( i, 1) R 1 ( i, j ) . . . . . . . . . . . Legitimate User . . . . . . . . . . � � 2 nR 1 , 2 n ˜ R 1 (2 nR 1 , 1) (2 R 1 , j ) . . . . . . 2 n ˜ R 2 � � 1 , 2 n ˜ R 2 (1 , 1) (1 , k ) . . . . . . . Eavesdropper . . . . . . . . . . . . . . � � l, 2 n ˜ 2 nR 2 ( l, 1) ( l, k ) R 2 . . . . . . . . . . . . . . . . . . . . . � � 2 nR 2 , 2 n ˜ R 2 (2 nR 2 , 1) (2 R 1 , k ) . . . . . . 77

An Achievable Rate Region for Multiple Access Wiretap Channel-III • Achievability can be shown in two steps. • Show that the following region is achievable: R 1 ≤ I ( X 1 ; Y | X 2 ) − I ( X 1 ; Z ) R 2 ≤ I ( X 2 ; Y | X 1 ) − I ( X 2 ; Z ) R 1 + R 2 ≤ I ( X 1 , X 2 ; Y ) − I ( X 1 , X 2 ; Z ) where p ( x 1 , x 2 , y , z ) = p ( x 1 ) p ( x 2 ) p ( y | x 1 ) p ( z | x 2 ) . • Use channel prefixing at both users: V 1 → X 1 V 2 → X 2 78

An Achievable Rate Region for Multiple Access Wiretap Channel-IV • Each user generates a codebook independently and uses stochastic encoding: X n j ( w j , ˜ w j ) , j = 1 , 2 where – w j is the j th message with rate R j w j is the confusion message with rate ˜ – ˜ R j . • Total rate sent through by the j th user is R j + ˜ R j • Legitimate transmitter decodes both w j and ˜ w j for both j : R 1 + ˜ R 1 ≤ I ( X 1 ; Y | X 2 ) R 2 + ˜ R 2 ≤ I ( X 2 ; Y | X 1 ) R 1 + R 2 + ˜ R 1 + ˜ R 2 ≤ I ( X 1 , X 2 ; Y ) 79

An Achievable Rate Region for Multiple Access Wiretap Channel-V • W 1 and W 2 should be transmitted in perfect security: 1 nI ( W 1 , W 2 ; Z n ) = 0 lim n → ∞ which is ensured if ˜ R 1 and ˜ R 2 satisfy ˜ R 1 ≤ I ( X 1 ; Z | X 2 ) ˜ R 2 ≤ I ( X 2 ; Z | X 1 ) R 1 + ˜ ˜ R 2 = I ( X 1 , X 2 ; Z ) • Total rate of confusion messages is equal to the decoding capability of eavesdropper • Individual rates can vary as long as total rate is fixed 80

An Achievable Rate Region for Multiple Access Wiretap Channel-VI • Hence, the following rate region is achievable R 1 + ˜ R 1 ≤ I ( X 1 ; Y | X 2 ) R 2 + ˜ R 2 ≤ I ( X 2 ; Y | X 1 ) R 1 + R 2 + ˜ R 1 + ˜ R 2 ≤ I ( X 1 , X 2 ; Y ) ˜ R 1 ≤ I ( X 1 ; Z | X 2 ) ˜ R 2 ≤ I ( X 2 ; Z | X 1 ) R 1 + ˜ ˜ R 2 = I ( X 1 , X 2 ; Z ) • Eliminate ˜ R 1 and ˜ R 2 by Fourier-Moztkin elimination • Use channel prefixing at each user 81

� � Gaussian Multiple Access Wiretap Channel: Gaussian Signalling • Tekin-Yener 2005: Gaussian multiple access wiretap channel W V X 1 1 1 ˆ ˆ W W , Y Alice 1 2 X W V 2 2 Bob 2 Charles Z n H W W , | Z 1 2 Eve • Achievable secrecy region with no channel prefixing, X 1 = V 1 , X 2 = V 2 , Gaussian signals: � � R 1 ≤ 1 2 log ( 1 + h 1 P 1 ) − 1 g 1 P 1 1 + 2 log 1 + g 2 P 2 � � R 2 ≤ 1 2 log ( 1 + h 2 P 2 ) − 1 g 2 P 2 1 + 2 log 1 + g 1 P 1 R 1 + R 2 ≤ 1 2 log ( 1 + h 1 P 1 + h 2 P 2 ) − 1 2 log ( 1 + g 1 P 1 + g 2 P 2 ) 82

Cooperative Jamming • Tekin-Yener, 2006: cooperative jamming technique. • Cooperative jamming is a form of channel pre-fixing: X 1 = V 1 + U 1 X 2 = V 2 + U 2 and where V 1 and V 2 carry messages and U 1 and U 2 are jamming signals. • Achievable secrecy rate region with cooperative jamming: � � � � R 1 ≤ 1 h 1 P 1 − 1 g 1 P 1 1 + 1 + 2 log 2 log 1 + h 1 Q 1 + h 2 Q 2 1 + g 1 Q 1 + g 2 ( P 2 + Q 2 ) � � � � R 2 ≤ 1 h 2 P 2 − 1 g 2 P 2 1 + 1 + 2 log 2 log 1 + h 1 Q 1 + h 2 Q 2 1 + g 1 ( P 1 + Q 1 )+ g 2 Q 2 � � � � h 1 P 1 + h 2 P 2 g 1 P 1 + g 2 P 2 R 1 + R 2 ≤ 1 − 1 1 + 1 + 2 log 2 log 1 + h 1 Q 1 + h 2 Q 2 1 + g 1 Q 1 + g 2 Q 2 where P 1 and P 2 are the powers of V 1 and V 2 and Q 1 and Q 2 are the powers of U 1 and U 2 . 83

Weak Eavesdropper Multiple Access Wiretap Channel • For the weak eavesdropper case, Gaussian signalling is nearly optimal [Ekrem-Ulukus]. ≤ 0.5 bits/use R 2 ≤ 0.5 bits/use R 2 ≤ 0.5 bits/use R 1 R 1 Case I Cases II, III R 2 ≤ 0.5 bits/use R 1 Case IV • In general, Gaussian signalling is not optimal: – He-Yener showed that structured codes (e.g., lattice codes) outperform Gaussian codes. – Structured codes can provide secrecy rates that scale with logSNR. • The secrecy capacity of the multiple access wiretap channel is still open. 84

� � Fading Multiple Access Wiretap Channel-I • Introduced by Tekin-Yener in 2007. • They provide achievable secrecy rates based on Gaussian signalling. • Main assumption: channel state information is known at all nodes. W X 1 1 ˆ ˆ Y W W , Alice 1 2 X W 2 2 Bob Charles Z n H W W , | Z 1 2 Eve 85

Fading Multiple Access Wiretap Channel-II • Achievable rates without cooperative jamming: � � �� R 1 ≤ 1 log ( 1 + h 1 P 1 ) − 1 g 1 P 1 1 + 2 E h , g 2 log 1 + g 2 P 2 � � �� R 2 ≤ 1 log ( 1 + h 2 P 2 ) − 1 g 2 P 2 1 + 2 E h , g 2 log 1 + g 1 P 1 � � R 1 + R 2 ≤ 1 log ( 1 + h 1 P 1 + h 2 P 2 ) − 1 2 log ( 1 + g 1 P 1 + g 2 P 2 ) 2 E h , g • Achievable rates with cooperative jamming: � � � � �� R 1 ≤ 1 h 1 P 1 − 1 g 1 P 1 1 + 1 + 2 E h , g log 2 log 1 + h 1 Q 1 + h 2 Q 2 1 + g 1 Q 1 + g 2 ( P 2 + Q 2 ) � � � � �� R 2 ≤ 1 h 2 P 2 − 1 g 2 P 2 1 + 1 + 2 E h , g log 2 log 1 + h 1 Q 1 + h 2 Q 2 1 + g 1 ( P 1 + Q 1 )+ g 2 Q 2 � � � � �� h 1 P 1 + h 2 P 2 g 1 P 1 + g 2 P 2 R 1 + R 2 ≤ 1 − 1 1 + 1 + 2 E h , g log 2 log 1 + h 1 Q 1 + h 2 Q 2 1 + g 1 Q 1 + g 2 Q 2 • In both cases: No scaling with SNR. 86

� � Scaling Based Alignment (SBA) – Introduction W X 1 1 h 1 ˆ ˆ Y W W , Alice 1 2 h X W 2 2 2 Bob g 1 Charles Z g n H W W , | Z 2 1 2 Eve Y = h 1 X 1 + h 2 X 2 + N Z = g 1 X 1 + g 2 X 2 + N ′ 87

� � Scaling Based Alignment (SBA) – Introduction • Scaling at the transmitter: – Alice multiplies her channel input by the channel gain of Charles to Eve. – Charles multiplies his channel input by the channel gain of Alice to Eve. W X 1 1 h 1 ˆ ˆ Y W W , Alice 1 2 h X W 2 2 2 Bob g 1 Charles Z g n H W W , | Z 2 1 2 Eve Y = h 1 X 1 + h 2 X 2 + N Z = g 1 X 1 + g 2 X 2 + N ′ 88

� � Scaling Based Alignment (SBA) – Introduction • Scaling at the transmitter: – Alice multiplies her channel input by the channel gain of Charles to Eve. – Charles multiplies his channel input by the channel gain of Alice to Eve. W g X 1 2 1 h 1 ˆ ˆ Y W W , Alice 1 2 g X W h 1 2 2 2 Bob g 1 Charles g Z n H W W , | Z 2 1 2 Eve Y = h 1 g 2 X 1 + h 2 g 1 X 2 + N Z = g 1 g 2 X 1 + g 2 g 1 X 2 + N ′ 89

� � Scaling Based Alignment (SBA) – Introduction • Scaling at the transmitter: – Alice multiplies her channel input by the channel gain of Charles to Eve. – Charles multiplies his channel input by the channel gain of Alice to Eve. W g X 1 2 1 h 1 ˆ ˆ Y W W , Alice 1 2 g X W h 1 2 2 2 Bob g 1 Charles Z g n H W W , | Z 2 1 2 Eve Y = h 1 g 2 X 1 + h 2 g 1 X 2 + N Z = g 1 g 2 X 1 + g 2 g 1 X 2 + N ′ • Repetition: Both Alice and Charles repeat their symbols in two consecutive intervals. 90

Scaling Based Alignment (SBA) – Analysis • Received signal at Bob (odd and even time indices): Y o = h 1 o g 2 o X 1 + h 2 o g 1 o X 2 + N o Y e = h 1 e g 2 e X 1 + h 2 e g 1 e X 2 + N e • Received signal at Eve (odd and even time indices): Z o = g 1 o g 2 o X 1 + g 2 o g 1 o X 2 + N ′ o Z e = g 1 e g 2 e X 1 + g 2 e g 1 e X 2 + N ′ e • At high SNR (imagine negligible noise): – Bob has two independent equations. – Eve has one equation. to solve for X 1 and X 2 . 91

Scaling Based Alignment (SBA) – Analysis • Received signal at Bob (odd and even time indices): Y o = h 1 o g 2 o X 1 + h 2 o g 1 o X 2 Y e = h 1 e g 2 e X 1 + h 2 e g 1 e X 2 • Received signal at Eve (odd and even time indices): Z o = g 1 o g 2 o X 1 + g 2 o g 1 o X 2 Z e = g 1 e g 2 e X 1 + g 2 e g 1 e X 2 • At high SNR (imagine negligible noise): – Bob has two independent equations. – Eve has one equation. to solve for X 1 and X 2 . 92

Scaling Based Alignment (SBA) – Achievable Rates • Following rates are achievable: � �� ( | g 1 o g 2 o | 2 + | g 1 e g 2 e | 2 ) P 1 � R 1 ≤ 1 � 1 +( | h 1 o g 2 o | 2 + | h 1 e g 2 e | 2 ) P 1 � − log 1 + 2 E h , g log 1 +( | g 1 o g 2 o | 2 + | g 1 e g 2 e | 2 ) P 2 � �� ( | g 1 o g 2 o | 2 + | g 1 e g 2 e | 2 ) P 2 � R 2 ≤ 1 � 1 +( | h 2 o g 1 o | 2 + | h 2 e g 1 e | 2 ) P 2 � − log 1 + 2 E h , g log 1 +( | g 1 o g 2 o | 2 + | g 1 e g 2 e | 2 ) P 1 � � R 1 + R 2 ≤ 1 � | h 1 o g 2 o | 2 + | h 1 e g 2 e | 2 � � | h 2 o g 1 o | 2 + | h 2 e g 1 e | 2 � 1 + P 1 + 2 E h , g log P 2 � + | h 1 e h 2 o g 1 o g 2 e − h 1 o h 2 e g 1 e g 2 o | 2 P 1 P 2 �� � | g 1 o g 2 o | 2 + | g 1 e g 2 e | 2 � � − log 1 + ( P 1 + P 2 ) where �� | g 2 o | 2 + | g 2 e | 2 � � ≤ ¯ E P 1 P 1 �� | g 1 o | 2 + | g 1 e | 2 � � ≤ ¯ E P 2 P 2 • P 1 and P 2 should be understood as P 1 ( h , g ) and P 2 ( h , g ) . 93

Scaling Based Alignment (SBA) – Scaling with SNR and Secure DoF • Secrecy sum rate achievable by the SBA scheme: � � R s = 1 | h 1 o g 2 o | 2 + | h 1 e g 2 e | 2 � | h 2 o g 1 o | 2 + | h 2 e g 1 e | 2 � � � 1 + P 1 + 2 E h , g log P 2 � + | h 1 e h 2 o g 1 o g 2 e − h 1 o h 2 e g 1 e g 2 o | 2 P 1 P 2 �� � � | g 1 o g 2 o | 2 + | g 1 e g 2 e | 2 � − log 1 + ( P 1 + P 2 ) • A total of 1 2 secure DoF is achievable. 94

Ergodic Secret Alignment (ESA) • Instead of repeating at two consecutive time instances, repeat at well-chosen time instances. • Akin to [Nazer-Gastpar-Jafar-Vishwanath, 2009] ergodic interference alignment. • At any given instant t 1 , received signal at Bob and Eve is,          Y t 1  h 1 h 2  X 1  N t 1  =  +   N ′ Z t 1 g 1 g 2 X 2 t 1 • Repeat at time instance t 2 , and the received signal at Bob and Eve is,         − h 2  Y t 2  h 1  X 1  N t 2  =  +   N ′ Z t 2 g 1 g 2 X 2 t 2 • This creates orthogonal MAC to Bob, but a scalar MAC to Eve. 95

Ergodic Secret Alignment (ESA) – Achievable Rates • Following rates are achievable: � � �� 2 | g 1 | 2 P 1 R 1 ≤ 1 � � 1 + 2 | h 1 | 2 P 1 − log 1 + 2 E h , g log 1 + 2 | g 2 | 2 P 2 � � �� 2 | g 2 | 2 P 2 R 2 ≤ 1 � � 1 + 2 | h 2 | 2 P 2 − log 1 + 2 E h , g log 1 + 2 | g 1 | 2 P 1 � R 1 + R 2 ≤ 1 � � � � 1 + 2 | h 1 | 2 P 1 1 + 2 | h 2 | 2 P 2 + log 2 E h , g log �� � 1 + 2 ( | g 1 | 2 P 1 + | g 2 | 2 P 2 ) − log where E [ P 1 ] ≤ ¯ P 1 and E [ P 2 ] ≤ ¯ P 2 . • P 1 and P 2 should be understood as P 1 ( h , g ) and P 2 ( h , g ) . • Rates scale with SNR as in the SBA scheme: A total of 1 2 secure DoF is achievable. • Rates achieved here are larger than those with our first scheme. • Using cooperative jamming on the top of the ESA scheme achieves even larger secrecy rates. 96

Fading Multiple Access Wiretap Channel – Achievable Rates 5 4.5 GS/CJ scheme SBA scheme 4 ESA scheme 3.5 Sum rate (bits/channel use) 3 2.5 2 1.5 1 0.5 0 0 5 10 15 20 25 30 35 40 45 Average SNR (dB) • Rates with Gaussian signalling (with or without cooperative jamming) do not scale. • Rates with scaling based alignment (SBA) and ergodic secret alignment (ESA) scale. • ESA performs better than SBA. 97

� � Broadcast Channel with an External Eavesdropper • In cellular communications: base station to end-users channel can be eavesdropped. • This channel can be modelled as a broadcast channel with an external eavesdropper • In general, the problem is intractable for now. • Even without an eavesdropper, optimal transmission scheme is unknown. Y ˆ 1 W 1 Bob 1 X W W , 1 2 Y ˆ W 2 2 Alice Bob 2 Z n , | H W W Z 1 2 Eve 98

� � Degraded Broadcast Channel with an External Eavesdropper-I • Observations of receivers and the eavesdropper satisfy a certain order. • This generalizes Wyner’s model to a multi-receiver (broadcast) setting. Y Y X Z 1 2 W W , n , | H W W Z 1 2 1 2 Eve Bob 1 Bob 2 Alice • Gaussian multi-receiver wiretap channel is an instance of this channel model. • Plays a significant role in the Gaussian MIMO multi-receiver wiretap channel. • The secrecy capacity region is obtained by Bagherikaram-Motahari-Khandani for K = 2 and by Ekrem-Ulukus for arbitrary K . 99

Degraded Broadcast Channel with an External Eavesdropper-II • Capacity region for degraded broadcast channel: R 1 ≤ I ( X ; Y 1 | U ) R 2 ≤ I ( U ; Y 2 ) where U → X → Y 1 , Y 2 • Capacity region is achieved by superposition coding • Using superposition coding with stochastic encoding, the secrecy capacity region of the degraded broadcast channel with an external eavesdropper can be obtained: R 1 ≤ I ( X ; Y 1 | U ) − I ( X ; Z | U ) R 2 ≤ I ( U ; Y 2 ) − I ( U ; Z ) where U → X → Y 1 , Y 2 , Z 100