INAUGURAL ARTICLE

Wireless physical layer security

H. Vincent Poora,1 and Rafael F. Schaeferb
a
Department of Electrical Engineering, Princeton University, Princeton, NJ 08544; and b Information Theory and Applications Chair, Department of Electrical
Engineering and Computer Science, Technische Universität Berlin, 10587 Berlin, Germany

This contribution is part of the special series of Inaugural Articles by members of the National Academy of Sciences elected in 2011.

Contributed by H. Vincent Poor, November 2, 2016 (sent for review June 1, 2016; reviewed by Matthieu R. Bloch and Gregory W. Wornell)

Security in wireless networks has traditionally been considered able progress has been made in understanding the fundamental
to be an issue to be addressed separately from the physical radio ability of the physical layer to support secure communications
transmission aspects of wireless systems. However, with the emer- and in determining the consequent limits of this ability (3, 4). In
gence of new networking architectures that are not amenable to particular, it has been shown that the two principal properties
traditional methods of secure communication such as data encryp- of radio transmission—namely, diffusion and superposition—
tion, there has been an increase in interest in the potential of the can be exploited to provide data confidentiality through several
physical properties of the radio channel itself to provide commu- mechanisms that degrade the ability of potential eavesdroppers
nications security. Information theory provides a natural frame- to gain information about confidential messages. These mecha-
work for the study of this issue, and there has been considerable nisms include the exploitation of fading, interference, and path
recent research devoted to using this framework to develop a diversity (through the use of multiple antennas), all of which
greater understanding of the fundamental ability of the so-called also lead to potential techniques for implementation in practi-
physical layer to provide security in wireless networks. Moreover, cal wireless systems. Moreover, the random nature of wireless
this approach is also suggestive in many cases of coding tech- channels provides sources of common randomness that can be

ENGINEERING
niques that can approach fundamental limits in practice and of used to extract shared secret keys from the physical layer, thereby
techniques for other security tasks such as authentication. This allowing more traditional methods of data protection to be
paper provides an overview of these developments. applied.
This paper reviews these developments, beginning with a brief
information theory | wireless networks | security historical account of the use of information theory to char-
acterize secrecy more generally and then discussing the main
results for the principal channel models of interest in modern
W ireless communication is one of the most ubiquitous of
modern technologies. Cellular communication alone is
accessible to an estimated 5 billion people, and this is but one
wireless networks. General information theoretic concepts are
defined briefly as needed; these are explained in greater depth
of an array of wireless technologies that have emerged in recent in ref. 5.
decades. Wireless networks are increasingly used for a very
wide range of applications, including banking and other finan- Shannon’s Cipher System
cial transactions, social networking, and environmental monitor- Shannon was the first person who studied, in ref. 1, the prob-
ing, among many others. For this reason, the security of wireless lem of secure communication from an information theoretic per-
networks is of critical societal interest. Security has traditionally spective. He considered a noiseless cipher system as illustrated in
been implemented at the higher, logical layers of communica- Fig. 1. A transmitter (Alice) wishes to convey a message M to a
tion networks, rather than at the level of the physical transmis- legitimate receiver (Bob) while keeping it secret from an eaves-
sion medium. For data confidentiality, encryption is the primary dropper (Eve), who intercepts the transmission. Alice and Bob
method of ensuring secrecy, a method that works well in most share a common secret key K that is unknown to Eve. To estab-
current situations. However, in some emerging networking archi- lish the secrecy of the message, Alice uses this key to encrypt
tectures, issues of key management or computational complexity the message M into a codeword X , which is then transmitted.
make the use of data encryption difficult. Examples include ad
hoc networks, in which messages may pass through many inter-
Significance
mediate terminals on the way from source to destination, and
sensor or radio-frequency identification (RFID) networks such
as might arise in the envisioned Internet of Things, in which the Security is a very important issue in the design and use of
end devices are of very low complexity. For these and other rea- wireless networks. Traditional methods of providing security
sons, there has been considerable recent interest in developing in such networks are impractical for some emerging types of
methods for secure data transmission that are based on the phys- wireless networks due to the light computational abilities of
ical properties of the radio channel (the so-called wireless physi- some wireless devices [such as radio-frequency identification
cal layer). These results are based on information theoretic char- (RFID) tags, certain sensors, etc.] or to the very large scale
acterizations of secrecy, which date to some of Claude Shannon’s or loose organizational structure of some networks. Physical
early work on the mathematical theory of communication (1). layer security has the potential to address these concerns by
Whereas Shannon’s work focused on symmetric key encryption taking advantage of the fundamental ability of the physics
systems, perhaps a more relevant development in this area was of radio propagation to provide certain types of security. This
Aaron Wyner’s work on the wiretap channel, which introduced paper provides a review of recent research in this field.
the idea that secrecy can be imparted by the communication
channel itself without resorting to the use of shared secret keys Author contributions: H.V.P. and R.F.S. designed research, performed research, and wrote
the paper.
(2). Although not focusing on wireless networks per se, this work
nevertheless lays the mathematical groundwork for the study of Reviewers: M.R.B., Georgia Institute of Technology; and G.W.W., Massachusetts Institute
of Technology.
this issue on a much broader scale and particularly in the context
The authors declare no conflict of interest.
of wireless networks.
For the reasons noted above, wireless physical layer security Freely available online through the PNAS open access option.

has become a major research topic in recent years, and consider- 1

To whom correspondence should be addressed. Email: [email protected].

www.pnas.org/cgi/doi/10.1073/pnas.1618130114 PNAS | January 3, 2017 | vol. 114 | no. 1 | 19–26

 having received Y n , can reliably recover the message; i.e.,

P{M̂ 6=M } −→ 0.
n→∞
Note that a codeword of length n makes use of the channel n
times; i.e., X n = (X1 , ..., Xn ), where Xi is sent in the ith channel
use. Similarly, Y n = (Y1 , ..., Yn ) and Z n = (Z1 , ..., Zn ) describe
corresponding channel outputs at the legitimate receiver and
eavesdropper, respectively.
At the same time, the message must be kept secret from Eve.
An issue then is how to specify secrecy in this setting, which is
Fig. 1. Shannon’s cipher system. discussed next.

Secrecy Criterion. Shannon’s cipher system considered the cri-

terion of perfect secrecy. This is a very stringent criterion as
Accordingly, Bob uses K to decrypt the received codeword X to it requires strict statistical independence between the message
recover M . M and the channel output Z n at Eve. In particular, when the
A communication scheme is considered to be secure if communication channel is noisy, this is hard to realize and it is
the mutual information between the message M and the reasonable to relax the criterion by requiring statistical indepen-
codeword X , which is overheard by Eve, is exactly zero, dence only asymptotically in the block length n.
i.e., I (M ; X ) = 0. Mutual information is defined in terms of Having in mind that the channel output at Eve should
(Shannon) entropies as P I (M ; X ) = H (M ) − H (M |X ), where not reveal any information about the confidential message,
the entropy H (M ) = − p(m) log p(m) describes the uncer- Wyner defined secrecy in terms of equivocation, or conditional
tainty about the random variable M , where p(m) is the entropy (2). Specifically, he required that the conditional entropy
probability with which M takes on the value m, whereas 1
H (M |Z n ) ≈ n1 H (M ) so that the knowledge of the channel
n
the conditional entropy H (M |X ) describes remaining uncer- output Z n does not decrease the uncertainty rate about the mes-
tainty in M after X has been observed. I (M ; X ) = 0 thus sage M ; in other words, it does not provide any information
implies that the uncertainty H (M ) about the message M about M . This criterion is known as weak secrecy and is often
is equal to the uncertainty H (M |X ) when the codeword X equivalently written in terms of mutual information as
is given. In other words, the message and the codeword must
be statistically independent. This condition is termed perfect 1
I (M ; Z n ) −→ 0.
secrecy and implies that the codeword X reveals no informa- n n→∞
tion about the message M . As a consequence, even if Eve
has unbounded computational capabilities, the best strategy of This quantity describes the information leaked about M to Eve
Eve to infer the confidential information is to throw away the in terms of a rate due to the normalization by the block length n.
observed codeword and to simply guess the transmitted mes- This definition of secrecy has its vulnerabilities (8) and can be
sage. Shannon showed that perfect secrecy can be achieved, but strengthened by dropping the division by n to
only if the entropy H (K ) of the secret key K is at least as large
as the entropy H (M ) of the confidential message M (1); i.e., I (M ; Z n ) −→ 0.
H (K ) ≥ H (M ). n→∞
Assuming the message and the secret key to be sequences This condition is termed strong secrecy and the intuition is to
of binary numbers, perfect secrecy is achieved by the so-called have the total amount of information leaked to Eve vanish as
one-time pad approach (6), where the codeword is simply the n → ∞. Strong secrecy for the wiretap channel was first consid-
binary addition [exclusive or (XOR) operation] of the message ered in refs. 9 and 10. Recently, different approaches to achieve
and the secret key; i.e., X = M ⊕ K . This idea extends beyond strong secrecy were presented in refs. 11–15. One might question
the binary case and the result holds in a much more general set- whether this definition for secrecy is meaningful. And indeed,
ting, which is known as the crypto lemma (7). strong secrecy ensures that the decoding error approaches one
The observation that Alice and Bob must share a secret key exponentially fast for any decoding strategy Eve may use (16).
of the same length as the message they want to exchange seems This demonstrates the usefulness of the strong secrecy criterion
discouraging at first. But this mainly stems from the fact that and establishes a desirable and practically relevant operational
the communication channel is assumed to be noiseless so that meaning.
Eve observes exactly the same as Bob. However, the physical Recently, this criterion was further strengthened by consid-
layer especially in wireless communication systems is anything ering semantic security (17). Here, Eve is not only not able to
but noiseless. In the following we will see that this imperfec- decode the transmitted message, but also not able to obtain any
tion of the communication channel can be explicitly exploited to information about it at all.
establish secrecy by physical layer methods without the need of a
shared secret key.

Wyner’s Wiretap Channel

The wiretap channel was introduced by Wyner (2) and its com-
munication task is similar to Shannon’s cipher system: Alice
wants to transmit a confidential message to Bob while keeping
it secret from Eve. The wiretap channel generalizes the previ-
ous scenario by considering noisy communication channels as
shown in Fig. 2. However, no secret key is available to the
legitimate users.
Accordingly, the objective is now twofold: Alice must encode
the message M into a codeword X n of length n such that Bob, Fig. 2. Wyner’s wiretap channel.

20 | www.pnas.org/cgi/doi/10.1073/pnas.1618130114 Poor and Schaefer

 INAUGURAL ARTICLE
Secrecy Capacity. Recall that Alice must encode the message time-invariant multiplicative links corrupted by additive white
into a codeword such that it is useful for Bob to recover the Gaussian noise. When Alice transmits a signal Xi , the received
transmitted message (reliability) and at the same time the same signals YB,i at Bob and YE ,i at Eve at channel use i can then be
codeword is useless for Eve (security). These two requirements expressed as
seem to be conflicting and it is not obvious that it is possible to YB,i = hB Xi + NB,i and YE ,i = hE Xi + NE ,i , [2]
achieve both simultaneously.
Surprisingly, it is indeed possible and the so-called secrecy where hB and hE are the channel gains between Alice and Bob
capacity characterizes the maximal rate at which both require- and between Alice and Eve, respectively, and NB,i and NE ,i are
ments are met. For discrete memoryless channels, for which the additive white Gaussian noises, independent of the transmitted
relation between the transmitted input and received output sym- signals, with zero means and variances σB 2
and σE2 , respectively.
bols at each independent channel use can be described by a con- Here, white noise refers to a random process that is independent
ditional probability distribution of the channel output given the from channel use to channel use.
channel input, Wyner established the secrecy capacity in ref. 2 for Considering an average transmit power constraint of P , the
the case of degraded channels, i.e., channels for which X −Y −Z secrecy capacity of the Gaussian wiretap channel was established
form a Markov chain, which means that X and Z are statistically in ref. 20 and is given by
independent conditioned on Y . This result was subsequently
generalized by Csiszár and Körner to the general, nondegraded 1  P |hB |2  1  P |hE |2 
CS = log 1 + 2
− log 1 + .
case in ref. 18. 2 σB 2 σE2
The secrecy capacity of the discrete memoryless wiretap chan- The secrecy-capacity–achieving strategy is to transmit with full
nel is given by power P and to choose the input signals according to a Gaus-
CS = max


I (V ; Y ) − I (V ; Z ) , [1] sian distribution. This latter choice is by no means obvious, as
V −X −(Y ,Z ) Gaussian input maximizes the information flow to Bob, but at
the same time also to Eve. Interestingly, the secrecy capacity in
where the maximization is over all random variables V and X this case turns out to be equal to the difference between the

ENGINEERING
such that the Markov chain relationship V − X − (Y , Z ) is sat- main channel’s Shannon capacity and the eavesdropper chan-
isfied. (The prefixed V introduces artificial noise into the sys- nel’s Shannon capacity. From this it follows immediately that
tem and serves to make the eavesdropper channel noisier. This secure communication is possible if and only if Bob has a bet-
is known as channel prefixing.) Intuitively, the mutual informa- ter channel than Eve in the sense that the signal-to-noise ratio
tion term I (V ; Y ) represents the channel quality of the legit- of the main channel must be larger than that of the eaves-
imate link and describes the rate at which Alice can reliably dropper channel; i.e., |hB |2 /σB
2
> |hE |2 /σE2 . We return to this
transmit to Bob. Accordingly, the term I (V ; Z ) represents the point later.
channel quality of the eavesdropper link and the maximum trans-
mission rate is penalized exactly by this quantity. Another impor- Multiantenna Wiretap Channels. Systems with multiple transmit
tant observation is that to have a positive secrecy capacity, the and receive antennas, so-called multiple-input multiple-output
channel to Bob has to be “less noisy” than the channel to Eve; (MIMO) systems, can improve the performance of wireless
i.e., I (V ; Y ) > I (V ; Z ) for some V . This means Alice and Bob transmission significantly and hence form the basis of most mod-
must have an advantage over Eve at the physical layer itself. ern high-capacity wireless systems. Thus, the MIMO wiretap
The crucial idea for achieving the secrecy capacity is the channel is particularly of interest. Accordingly, Alice, Bob, and
following: Instead of using all of the available resources for Eve are assumed to have multiple transmit and receive antennas,
message transmission, a certain part of them are used for ran- respectively. Note that a multiantenna eavesdropper can also
domization by adding “dummy” messages unknown to Bob and be interpreted as multiple single-antenna eavesdroppers that
Eve. Specifically, for each confidential message Alice wants to cooperate.
transmit, there are multiple valid codewords and a stochastic When Alice transmits a vector-valued signal X i , the received
encoder chooses one of them uniformly at random. The key vector-valued signals Y B,i at Bob and Y E ,i at Eve can be
idea is now to choose the randomization rate for each confiden- expressed as
tial message roughly as I (V ; Z ), i.e., according to Eve’s channel
quality. Thus, Eve will be saturated with the useless information Y B,i = H B X i + N B,i and Y E ,i = H E X i + N E ,i ,
carried by the dummy variables, leaving no remaining resources where H B and H E are matrices containing multiplicative channel
for decoding the confidential message itself (19). Because the gains, and N B,i and N E ,i are independent (of each other and
channel quality to Bob supports reliable transmission roughly for different values of i) additive Gaussian noise vectors at Bob
at rate I (V ; Y ), the remaining rate available for secure trans- and Eve with zero means and identity covariance matrices. The
mission of the confidential message is I (V ; Y ) − I (V ; Z ) as transmission is subject to an average transmit power constraint
Bob usually has to decode both the confidential message and the tr (Q) ≤ P with Q = E[X i X T i ] being the covariance matrix of the
dummy variables to recover the correct message. transmitted signal.
The secrecy capacity of the MIMO Gaussian wiretap channel
Secure Communication over Wireless Channels
was established in refs. 21 and 22 and is given by
In this section, the information theoretic approaches to security 
discussed above for discrete memoryless channels are extended 1  
CS = max log det I + H B QH TB
to models for physical wireless channels. Wireless physical layer tr (Q)≤P 2
security is one of the key applications of these concepts, as a sig- 1  
nal broadcast over a wireless medium is not only received by its − log det I + H E QH T E . [3]
2
intended receiver but also easily eavesdropped upon by nonle-
gitimate receivers. As we have noted above, the imperfection of Similarly to the scalar case, capacity is achieved by transmit-
the wireless medium will help establish security by exploiting the ting with full power P and by choosing Gaussian-distributed
noisy channel. input symbols. Although, in principle, the secrecy capacity of
the MIMO wiretap channel is given by the above relation, it
Gaussian Wiretap Channels. The Gaussian wiretap channel is remains to find the optimal transmit covariance matrix Q that
the most basic model for a wireless channel, having linear maximizes the rate in [3]. Analytically, this is a nontrivial task as

Poor and Schaefer PNAS | January 3, 2017 | vol. 114 | no. 1 | 21

the corresponding optimization problem is nonconvex in general. example, the scenario in which an eavesdropper cannot approach
Accordingly, the optimal transmit covariance matrix has been the transmitter beyond a minimum protection distance. All such
characterized only for certain special cases. For example, the scenarios are covered by the concept of compound channels.
optimal transmit strategy is known for the general matrix power Assuming [4] and [5] to be the uncertainty sets for Bob’s and
constraint Q 4 S with S < 0 being a positive semidefinite matrix Eve’s channels yields a compound wiretap channel that reflects
(23), full-rank channels, or isotropic eavesdroppers (24). two practically relevant points: First, Eve’s desire is to be confi-
A scenario that is completely understood is the multiple-input dential so that only minimal CSI is available to Alice. It might be
single-output wiretap channel, in which Alice has multiple trans- known only that Eve is beyond a certain protection distance, as
mit antennas, Bob has a single receive antenna only, and Eve may noted above. And second, Bob on the other hand wants to max-
have multiple receive antennas. In this case, the optimal transmit imize the rate and, accordingly, is willing to share his CSI with
covariance matrix is known in closed form (21). Denoting the Alice. However, due to practical limitations only a channel esti-
channel to Bob by the vector hB and that to Eve by the matrix mate is available, resulting in additive uncertainty. This model is
H E , the solution of the secrecy rate maximization problem in studied in ref. 27.
[3] is Determining the secrecy capacity of the compound wiretap
1 channel is a challenging task and it is known only for certain
CS = log λmax (I + P hB hT T

B , I + P HE HE ) , special cases. For degraded channels, i.e., for which each poten-
2
tial eavesdropper channel realization is a degraded version of all
with λmax the largest generalized eigenvalue of the two matri- possible legitimate channel realizations, the secrecy capacity has
ces I + P hB hT T
B and I + P H E H E . The optimal transmit strategy been established in refs. 16 and 26 for discrete memoryless chan-
achieving the secrecy capacity is to form a beam in the direction nels and in ref. 26 for MIMO Gaussian channels. The compound
of the generalized eigenvector corresponding to λmax . MIMO wiretap channel above with uncertainty sets [4] and [5]
is not degraded and is one of the few examples for which the
Partial Channel State Information. The previous discussions have secrecy capacity has been established for the nondegraded case:
in common that knowledge of the gains of all channels (including 
those to eavesdroppers) is available to the legitimate users. This 1  
condition is termed perfect channel state information (CSI) and CS = max min log det I + H B QH T
B
tr (Q)≤P H B ∈HB 2
such idealized communication assumptions allow one to obtain 
important insights and to develop an understanding of the fun- 1 
T
− max log det I + H E QH E .
damental principles of wireless physical layer security. However, H E ∈HE 2

due to the nature of the wireless channel, but also due to practi-
cal limitations such as inaccurate channel state estimation or lim- The analysis reveals the characteristic structure of secure com-
ited feedback schemes, practical systems always have to deal with munication under channel uncertainty. The maximum transmis-
limited CSI. In particular, perfect eavesdropper CSI is question- sion rate is limited by the worst channel to Bob and by the
able unless the eavesdroppers are otherwise legitimate network best channel to Eve. This result confirms the intuition that for
participants, as malevolent eavesdroppers will not provide any guaranteeing reliable and secure communication, one has to
information about their channels or may even jam or otherwise be prepared for the worst channel conditions. This result fur-
influence the legitimate channel. A survey on secure communi- ther shows how the performance degrades because of channel
cation under channel uncertainty and adversarial attacks can be uncertainty.
found in ref. 25.
Fading Wiretap Channels. In the above discussion, the channel
A realistic model for the unpredictable nature of the wire-
has been considered to be fixed during the entire duration of
less channel and the imperfections of practical implementations
transmission. In particular, for the previously discussed Gaus-
is to assume that the actual realization of the channel gains is
sian wiretap channel, the multiplicative channel gains hB and hE
unknown to Alice and Bob but is known to lie in an uncer-
in [2] are constant. For wireless channels this is rarely the case
tainty set of possible channels. This is the concept of compound
because multipath propagation and interference usually result in
channels and it accordingly requires reliability and secrecy for
changing communication conditions, particularly for mobile net-
all possible channel realizations in this uncertainty set. Such a
works. This phenomenon is known as fading. In such an envi-
guaranteed performance criterion is particularly relevant for the
ronment, the input–output relations of the channels are typically
transmission of confidential information that must be kept secret
modeled as
regardless of the actual channel conditions.
The compound wiretap channel has been studied, for example, YB,i = hB,i Xi + NB,i and YE ,i = hE ,i Xi + NE ,i ,
in refs. 16, 26, and 27. In this scenario, the legitimate channel and
eavesdropper channel are not known, but belong to uncertainty where all hB,i , hE ,i , NB,i , and NE ,i are mutually independent.
sets HB and HE . Such channels can be studied abstractly, but Here, hB,i and hE ,i are fading coefficients that characterize the
there are also useful concrete versions of possible uncertainty communication conditions at channel useP i. The input signal is
sets. For example, due to limited channel estimation capability, subject to an average power constraint n1 ni=1 E[Xi2 ] ≤ P and
the true channel to Bob might be considered to be in a certain the noise processes, which are independent from channel use to
neighborhood of its estimated version. Accordingly, a reasonable 2
channel use, are Gaussian with zero means and variances σB and
uncertainty set is given by a (spherical) set σE2 respectively, as before.

HB = H B : H B = H 0 + ∆H, k∆Hk2 ≤ 

[4] For ergodic fading channels, the fading coefficients are inde-
pendent and identically distributed and are allowed to change
with k · k2 the spectral norm. Then,  describes the maximum from channel use to channel use. Thus, Alice, Bob, and Eve
estimation error ∆H around the estimated channel H 0 . Another might experience a different fading state for each channel use.
uncertainty model is to assume that the received channel gain for Assuming that all terminals have perfect CSI about the current
the eavesdropper is limited; i.e., fading state, so-called instantaneous CSI, the ergodic secrecy

HE = H E : kH E k2 ≤  .

[5] capacity has been studied in ref. 28 and is given as

γ|hB |2  1 γ|hE |2 
 
Here, kH E k2 corresponds to the largest channel gain, which is 1  
CS = max EA log 1 + − log 1 +
thus assumed to not exceed . Such an uncertainty set models, for EA [γ]≤P 2 2
σB 2 σE2

22 | www.pnas.org/cgi/doi/10.1073/pnas.1618130114 Poor and Schaefer

 INAUGURAL ARTICLE
with γ the power allocation (to be explained below) and
|hB |2 |hE |2
 
A = (hB , hE ) : 2
> [6]
σB σE2
so that the expectation is taken over all fading realizations in
which Bob experiences a better channel in terms of signal-
to-noise ratio than Eve; i.e., EA [·] denotes the expectation over
all (hB , hE ) ∈ A. Fig. 4. Multiple-access channel with confidential messages.
The key idea behind this result is that the instantaneous CSI
allows one to decompose the fading channel into a set of parallel
and time-invariant channels. Now, each fading realization corre- R1 for the confidential message. The secrecy capacity region has
sponds to a particular wiretap channel and it remains to deter- been established and is given by all rate pairs (R0 , R1 ) that satisfy
mine the optimal power allocation γ between all these parallel
wiretap channels. Obviously, power is allocated only to those fad- R0 ≤ min{I (U ; Y1 ), I (U ; Y2 )}
ing realizations in which Bob experiences a better channel than R1 ≤ I (V ; Y1 |U ) − I (V ; Z |U )
Eve [6]. The fading wiretap channel has been intensively dis-
cussed in refs. 28–30. In ref. 31 a layered decoding and secrecy for random variables U − V − X − (Y1 , Y2 ). The basic coding
approach is discussed, which adapts to the channel quality with- idea for achieving this rate region is based on a combination of
out requiring perfect CSI. superposition coding and wiretap coding. The common message
Having a closer look at the secrecy capacity of the (static) M0 designated for both receivers is encoded first and represented
wiretap channel and the fading wiretap channel, one observes by the auxiliary random variable U . As M0 must be decoded at
the following. Whereas for the (static) wiretap channel secure both receivers, the corresponding rate is limited by the weaker of
communication is possible only if Bob has a better channel than the channel qualities to Bob 1, i.e., I (U ; Y1 ), and to Bob 2, i.e.,
Eve, i.e., |hB |2 /σB
2
> |hE |2 /σE2 , for the fading wiretap channel I (U ; Y2 ). Then, superimposed on that, the confidential message

ENGINEERING
it suffices to have P{|hB |2 /σB 2
> |hE |2 /σE2 } > 0 to have a posi- M1 is encoded in V according to the same principle as for the
tive secrecy capacity. Thus, interestingly, fading is actually bene- wiretap channel discussed above. Accordingly, the confidential
ficial for communicating confidential information. Even if Eve’s rate is limited by a similar difference of both channel qualities
channel is better than Bob’s on average, the ergodic secrecy but conditioned on U because the common message is known at
capacity is positive, because whenever Bob experiences a better both receivers.
channel than Eve instantaneously (which will happen infinitely In a similar way to that for the wiretap channel, the broad-
often), this fading realization can be exploited for secure cast channel with confidential messages has been subsequently
communication. extended into several directions as well, including MIMO Gaus-
sian channels (32), channels with partial CSI (33), and fading
Physical Layer Security in Wireless Networks channels (28).
There has been considerable effort in extending and generaliz-
ing concepts and results for the wiretap channel to more com- Multiple-Access Channel. The multiple-access channel is the coun-
plex multiuser scenarios as well. We briefly discuss the practically terpart to the broadcast channel: Multiple senders transmit
relevant models of the broadcast channel, multiple access chan- information to a single receiver. An example of where this occurs
nel, interference channel, and relay channel. These channels give is in the uplink phase of a cellular system in which several mobile
insight into the properties of more complex networks. users transmit data to a base station.
In a multiple-access channel with confidential messages two
Broadcast Channel. The broadcast channel describes the commu- senders Alice 1 and Alice 2 transmit confidential messages M1
nication scenario in which one sender transmits information to and M2 to a single receiver Bob. Each transmitter overhears the
several receivers. For example, this channel describes the down- transmission of the other one so that Alice 1 and Alice 2 must
link phase of a cellular communication system in which a base send their confidential messages such that they are decodable
station transmits data to several mobile users. by Bob but leak no information to the other transmitter. This
The broadcast channel with confidential messages models the situation is visualized in Fig. 4. Again, we have a region of secret
communication scenario in which one transmitter Alice trans- rates for the two users’ messages. Inner and outer bounds on this
mits a common message M0 to two receivers Bob 1 and Bob 2 region have been derived in ref. 34, although the secrecy capacity
and a confidential message M1 to one receiver, say Bob 1, which region itself remains unknown.
must be kept secret from the other one. Thus, Bob 2 is a legiti- A slightly different setting is given by the multiple-access wire-
mate receiver for the common message M0 and, at the same time, tap channel in which both transmitters are trustworthy but their
an eavesdropper for the confidential message M1 . This scenario communication must be secured from an external eavesdropper.
models situations, for example, in which some (basic) content is This situation has been studied, for example, in refs. 35 and 36.
multicast while other (premium) content is unicast. It was intro- Similar to the multiple-access channel with confidential messages
duced by Csiszár and Körner (18) and is depicted in Fig. 3. Here, the secrecy capacity region is unknown and only inner and outer
instead of a single secrecy capacity, we have a region of possi- bounds have been established so far.
ble reliable rates R0 for the common message and secrecy rates
Interference Channel. The interference channel describes the
communication scenario in which multiple transmitter–receiver
pairs interfere with each other. Each sender is interested only
in transmitting information to its designated receiver. However,
due to the open nature of the wireless medium, the transmitted
signals are received not only by the intended receivers but also
by the other users.
The interference channel with confidential messages considers
two transmitters Alice 1 and Alice 2 who wish to transmit their
Fig. 3. Broadcast channel with confidential messages. confidential messages M1 and M2 to their respective receivers

Poor and Schaefer PNAS | January 3, 2017 | vol. 114 | no. 1 | 23

 The aim is now to determine the secret-key capacity, which
characterizes the maximal rate at which secret keys can be gen-
erated. In refs. 45 and 46 it has been shown that for the case of
unlimited public communication, the secret-key capacity is
CK = I (YA ; YB ). [7]
Moreover, it has been shown that this rate can be achieved by a
single one-way communication from Alice to Bob.
Fig. 5. Interference channel with confidential messages. The crucial idea for generating a uniformly distributed secret
key of rate [7] is based on Slepian–Wolf coding (5) and can
Bob 1 and Bob 2. Because both transmissions interfere with each be outlined as follows. All sequences YAn that can be observed
other, each transmitter must encode and transmit its message in by, say, Alice are divided into bins, with each one containing
such a way that it is kept secure from the counterpart receiver. 2nI (YA ;YB ) sequences. Now, when Alice observes YAn , she sets
This is shown in Fig. 5. Inner and outer bounds on the secrecy the secret key to the index of the particular sequence and sends
capacity region for this channel have been established in refs. 37 only the bin index (but not the index of the sequence itself) over
and 38. the noiseless channel to Bob. Based on the Slepian–Wolf cod-
A different communication scenario is given by the cogni- ing idea, having observed YBn this bin index is sufficient for Bob
tive interference channel with one common and one confiden- to infer the other observation YAn . Thus, Bob is able to choose
tial message. Here, the common message is known to both the same secret key as Alice. As the bin index and the sequence
transmitters and must be conveyed to both receivers whereas index are independent, no information about the secret key is
the confidential message is known only at one transmitter and leaked to Eve.
must be conveyed to its respective receiver, keeping the other In the previous model, Eve was able to eavesdrop upon
receiver ignorant of it. Unlike the other interference scenarios, the public communication only over the noisy channel. This
the secrecy capacity region is known in this case (39). has been extended by allowing Eve to further observe its own
correlated observation YEn of the common random source as
Relay Channel. The aim of a relay is to support the communica- depicted in Fig. 6. Whereas for the previous scenario the
tion between a transmitter and a receiver. Relays are used, for secret-key capacity is known, this is no longer the case when
example, for coverage and range extension or to increase the Eve has observed her own realization. Only upper and lower
maximal transmission rate. bounds on the secret-key capacity CK are known: I (YA ; YB ) −
The relay channel with confidential messages considers the min{I (YA ; YE ), I (YB ; YE )} ≤ CK ≤ min{I (YA ; YB ), I (YA ;
scenario in which the sender Alice wishes to transmit a confi- YB |YE )}. Although arbitrary information exchange between
dential message to receiver Bob. The transmission is supported Alice and Bob is allowed in principle, the lower bound is
by an untrusted relay so that Alice must encode and transmit the achieved by a one-way communication from Alice to Bob
message in such a way that the relay is able to help the communi- or Bob to Alice only. Comparing this rate with the rate in
cation, but does not get any information about the message. This [7], it can be interpreted as the maximum secret-key rate
has been studied in refs. 40 and 41. I (YA ; YB ) that can be generated minus some information leak-
The relay channel with an external eavesdropper differs from age min{I (YA ; YE ), I (YB ; YE )} to Eve. This reveals the same
the previous scenario by having a trusted relay, but the confiden- structure as that for the secrecy capacity of the wiretap channel
tial transmission must be secured against an external eavesdrop- in [1]. However, it is possible to control whether information is
per. This situation is considered in ref. 42. leaked from Alice, I (YA ; YE ), or from Bob, I (YB ; YE ).
In the above setting, the public communication was unlimited
Secret-Key Generation in the sense that no restrictions on the corresponding commu-
In the previous discussions we saw how information theoretic nication rate have been made. In practical applications, how-
approaches can be used to secure a confidential message trans- ever, there might be such restrictions that then result in a certain
mission over a wireless channel. We now discuss how these infor- degradation in secret-key capacity (47).
mation theoretic approaches can be used to generate secret keys
based on public discussion and subsequently with the help of Wireless Channels. Now we extend the previous discussion on
wireless channels. Surveys of the use of the wireless physical layer secret-key generation based on public discussion to the practi-
for secret-key generation can be found in refs. 43 and 44.

Public Discussion. Secret-key generation using public discussion

was first considered simultaneously by Ahlswede and Csiszár (45)
and Maurer (46). In this setting the two terminals Alice and Bob
observe correlated versions YAn and YBn of a common random
source. Based on these observations both terminals want to agree
on the same secret key; i.e., P{KA 6= KB } → 0 as n → ∞, where
KA and KB are secret keys generated at Alice and Bob, respec-
tively. To do so, they are allowed to exchange unlimited infor-
mation (in multiple iterations) via a noiseless public channel.
However, this channel is eavesdropped upon so that whatever is
exchanged via public discussion must not reveal any information
about the secret key itself. This condition is modeled similarly to
the wiretap channel by adopting a strong secrecy criterion,
I (Φ; KA , KB ) −→ 0,
n→∞

where Φ denotes the public discussion over the public channel.

In other words, the secret key must be independent of the public
discussion. This scenario is shown in Fig. 6. Fig. 6. Secret-key generation.

24 | www.pnas.org/cgi/doi/10.1073/pnas.1618130114 Poor and Schaefer

 INAUGURAL ARTICLE
cally relevant case of wireless channels. We will see that wireless coding. Then a secret key of rate
channels themselves can serve as sources of common random-
1 1  σ14 P 2 T 2 
ness, making previous concepts applicable (43, 48, 49). RK = I (h̃AB ; h̃BA ) = log 1 + 2
[8]
T 2T 4 2
4(σ + σ σ1 PT )
The scenario is the same: Two terminals Alice and Bob want to
generate a secret key, keeping an eavesdropper Eve in the dark. can be generated. The expression [8] reveals that the secret-key
Both terminals can transmit over a wireless fading channel and rate depends on the transmit power P as well as the coherence
can further use a noiseless public channel for public discussion. time T of the channel. As expected, with increasing power P
Eve overhears the transmissions over the wireless channel and the secret-key rate increases as well. However, with increasing
also eavesdrops upon the public discussion. The crucial idea is coherence time T the secret-key rate decreases and approaches
to exploit the reciprocity of the wireless channel to obtain corre- zero. Thus, from a secrecy perspective, a rapidly varying channel
lated observations of the common fading channel. Then the key is beneficial whereas a slowly varying channel or a channel that is
can be generated as discussed above. almost constant results in a low key rate.
When Alice transmits a signal XA over the wireless channel,
the received signals YB at Bob and YE at Eve are Conclusion
In this paper, we have reviewed recent research in the field
YB = hAB XA + NB and YE = hAE XA + NE of wireless physical layer security, which exploits the physical
properties of radio channels, notably diffusion and superposi-
with hAB and hAE the channel gains between Alice and Bob and tion, to provide security in wireless data transmission. By using
Eve, respectively. NA and NB are additive Gaussian noise terms an information theoretic formalism, we have seen that, in all of
with zero means and variances σ 2 . Alternatively, when Bob trans- the principal channel models of wireless networking, the physi-
mits a signal XB , the received signals YA at Alice and YE at Eve cal layer can in principle support reliable data transmission with
are YA = hBA XB + NA and YE = hBE XB + NE . perfect secrecy under realistic conditions. Note that a common
If both transmissions happen in the same frequency band and theme of these results is a reliance on accurate channel modeling.
within the coherence time of the channel, it is reasonable to Although this is a common approach in the design and analysis

ENGINEERING
assume that the channel between Alice and Bob is reciprocal; of communication systems, it nevertheless means that robustness
i.e., hAB = hBA . Even if the channel is not perfectly recipro- to the model used is a factor that needs to be considered in prac-
cal, it suffices to obtain correlated versions that are useful for tice. We have discussed this issue in the context of channel state
the following secret-key generation process. Moreover, as Eve’s information, but it is in general an important issue for further
location is assumed to be different from Alice’s and Bob’s, the research.
transmitted signals experience different transmission conditions, Although we have focused here primarily on the fundamen-
resulting in channel observations hAE and hBE at Eve that are tal issue of secrecy capacity, practical issues such as code design
independent of hAB and hBA . (50), authentication (51), and medium access control (52) have
In a first phase, Alice and Bob send training signals that allow been considered in this context as well. Moreover, these basic
each terminal to estimate its channel h̃AB and h̃BA . If the train- ideas have been applied in other settings, such as optical com-
ing symbols are sent within the channel coherence time T , Alice munication (53, 54) and situations with adversarial attacks (25),
and Bob are able to obtain correlated versions of the common and in other application areas, such as biometric identification
channel gain. This allows both terminals to use the same pro- systems (55, 56) and smart electricity grids (57).
tocol: They can agree on a secret key by using the correlated ACKNOWLEDGMENTS. This work was supported in part by the US National
versions of the common channel gain and by using the pub- Science Foundation under Grants CMMI-1435778 and ECCS-1647198 and in
lic channel for exchanging information based on Slepian–Wolf part by the German Research Foundation under Grant WY 151/2-1.

1. Shannon CE (1949) Communication theory of secrecy systems. Bell Syst Tech J 28: 14. Hayashi M (2006) General nonasymptotic and asymptotic formulas in channel resolv-
656–715. ability and identification capacity and their application to the wiretap channel. IEEE
2. Wyner AD (1975) The wire-tap channel. Bell Syst Tech J 54:1355–1387. Trans Inf Theory 52:1562–1575.
3. Liang Y, Poor HV, Shamai (Shitz) S (2009) Information theoretic security. 15. Hou J, Kramer G (2014) Effective secrecy: Reliability, confusion, and stealth. Proceed-
Foundation and Trends in Communications and Information Theory 5:355– ings of the IEEE International Symposium on Information Theory (IEEE, New York), pp
580. 601–605.
4. Bloch M, Barros J (2011) Physical-Layer Security: From Information Theory to Security 16. Bjelaković I, Boche H, Sommerfeld J (2013) Secrecy results for compound wiretap
Engineering (Cambridge Univ Press, Cambridge, UK). channels. Probl Inf Transm 49:73–98.
5. Cover TM, Thomas JA (2006) Elements of Information Theory (Wiley-Interscience, 17. Bellaire M, Tessaro S, Vardy A (2012) A cryptographic treatment of the wiretap chan-
Hoboken, NJ). nel. Proceedings of Advances in Cryptology (CRYPTO), eds Safavi-Naini R, Canetti R
6. Vernam GS (1926) Cipher printing telegraph systems for secret wire and radio tele- (Springer, Berlin), pp 1–31.
graphic communications. Trans Am Inst Electr Eng XLV:295–301. 18. Csiszár I, Körner J (1978) Broadcast channels with confidential messages. IEEE Trans
7. Forney GD, Jr (2003) On the role of MMSE estimation in approaching the information- Inf Theory 24:339–348.
theoretic limits of linear Gaussian channels: Shannon meets Wiener. Proceedings of 19. Massey JL (1983) A simplified treatment of Wyner’s wire-tap channel. Proceedings
the 41st Allerton Conference on Communication, Control, and Computing (IEEE, Pis- of the 21st Allerton Conference on Communication, Control and Computing (IEEE,
cataway, NJ), pp 430–439. Piscataway, NJ), pp 268–276.
8. Maurer UM (1994) The strong secret key rate of discrete random triples. Communi- 20. Leung-Yan-Cheong SK, Hellman ME (1978) The Gaussian wire-tap channel. IEEE Trans
cation and Cryptography – Two Sides of One Tapestry, eds Blahut RE, Costello DJ, Inf Theory 24:451–456.
Maurer U, Mittelholzer T (Springer, Boston), pp 271–285. 21. Khisti A, Wornell GW (2010) Secure transmission with multiple antennas I: The
9. Csiszár I (1996) Almost independence and secrecy capacity. Probl Peredachi Inf 32: MISOME wiretap channel/Part II: The MIMOME wiretap channel. IEEE Trans Inf Theory
48–57. 56:5515–5532.
10. Maurer U, Wolf S (2000) Information-theoretic key agreement: From weak to strong 22. Oggier F, Hassibi B (2011) The secrecy capacity of the MIMO wiretap channel. IEEE
secrecy for free. Proceedings of EUROCRYPT 2000 on Advances in Cryptography, Trans Inf Theory 57:4961–4972.
Lecture Notes in Computer Science, ed Preneel B (Springer, Berlin), Vol 1807, pp 23. Bustin R, Liu R, Poor HV, Shamai(Shitz) S (2009) An MMSE approach to the secrecy
351–368. capacity of the MIMO Gaussian wiretap channel. EURASIP J Wirel Commun Netw
11. Bloch MR, Laneman JN (2013) Strong secrecy from channel resolvability. IEEE Trans 2009:370970.
Inf Theory 59:8077–8098. 24. Loyka S, Charalambous CD (2013) Further results on optimal signaling over secure
12. Devetak I (2005) The private classical capacity and quantum capacity of a quantum MIMO channels. Proceedings of the IEEE International Symposium on Information
channel. IEEE Trans Inf Theory 51:44–55. Theory (IEEE, Piscataway, NJ), pp 2019–2023.
13. Han TS, Endo H, Sasaki M (2014) Reliability and secrecy functions of the wiretap chan- 25. Schaefer RF, Boche H, Poor HV (2015) Secure communication under channel uncer-
nel under cost constraint. IEEE Trans Inf Theory 60:6819–6843. tainty and adversarial attacks. Proc IEEE 103:1796–1813.

Poor and Schaefer PNAS | January 3, 2017 | vol. 114 | no. 1 | 25

26. Liang Y, Kramer G, Poor HV, Shamai (Shitz) S (2009) Compound wiretap channels. 43. Lai L, Liang Y, Poor HV, Du W (2014) Key generation from wireless channels. Physical
EURASIP J Wirel Commun Netw 2009:142374. Layer Security in Wireless Communications, eds Zhou X, Song L, Zhang Y (CRC, Boca
27. Schaefer RF, Loyka S (2015) The secrecy capacity of compound MIMO Gaussian chan- Raton, FL).
nels. IEEE Trans Inf Theory 61:5535–5552. 44. Narayan P, Tyagi H (2016) Multiterminal secrecy by public discussion. Foundation and
28. Liang Y, Poor HV, Shamai(Shitz) S (2008) Secure communication over fading channels. Trends in Communications and Information Theory 13:129–275.
IEEE Trans Inf Theory 54:2470–2492. 45. Ahlswede R, Csiszár I (1993) Common randomness in information theory and
29. Gopala PK, Lai L, El Gamal H (2008) On the secrecy capacity of fading channels. IEEE cryptography-Part I: Secret sharing. IEEE Trans Inf Theory 39:1121–1132.
Trans Inf Theory 54:4687–4698. 46. Maurer UM (1993) Secret key agreement by public discussion from common informa-
30. Khisti A, Tchamkerten A, Wornell GW (2008) Secure broadcasting over fading chan- tion. IEEE Trans Inf Theory 39:733–742.
nels. IEEE Trans Inf Theory 54:2453–2469. 47. Csiszár I, Narayan P (2000) Common randomness and secret key generation with a
31. Zou S, Liang Y, Lai L, Poor HV, Shamai (Shitz) S (2015) Broadcast networks with layered helper. IEEE Trans Inf Theory 46:344–366.
decoding and layered secrecy: Theory and applications. Proc IEEE 10:1841–1856. 48. Wilson R, Tse D, Scholtz RA (2007) Channel identification: Secret sharing
32. Ly HD, Liu T, Liang Y (2010) Multiple-input multiple-output Gaussian broadcast chan- using reciprocity in ultrawideband channels. IEEE Trans Inf Forensics Secur
nels with common and confidential messages. IEEE Trans Inf Theory 56:5477–5487. 2:364–375.
33. Schaefer RF, Boche H (2014) Robust broadcasting of common and confidential mes- 49. Ye C, Mathur S, Reznik A, Trappe W, Mandayam N (2010) Information-
sages over compound channels: Strong secrecy and decoding performance. IEEE Trans theoretic key generation from wireless channels. IEEE Trans Inf Forensics Secur
Inf Forensics Secur 9:1720–1732. 5:240–254.
34. Liang Y, Poor HV (2008) Multiple-access channels with confidential messages. IEEE 50. Bloch M,Hayashi M, Thangaraj A (2015) Error-control coding for physical-layer secrecy.
Trans Inf Theory 54:972–1002. Proc IEEE 103:1725–1746.
35. Tang X, Liu R, Spasojevic P, Poor HV (2007) Multiple access channels with general- 51. Lai L, El Gamal H, Poor HV (2009) Authentication over noisy channels. IEEE Trans Inf
ized feedback and confidential messages. Proceedings of the IEEE Information Theory Theory 55:906–916.
Workshop (IEEE, Piscataway, NJ), pp 608–613. 52. Liang Y, Poor HV, Ying L (2011) Secure communications over wireless broadcast
36. Tekin E, Yener A (2008) The Gaussian multiple access wire-tap channel. IEEE Trans Inf networks: Stability and utility maximization. IEEE Trans Inf Forensics Secur 6:682–
Theory 54:5747–5755. 692.
37. Koyluoglu OO, El Gamal H, Lai L, Poor HV (2011) Interference alignment for secrecy. 53. Guan K, Winzer PJ, Soljanin E (2012) Information-theoretic security in space-division
IEEE Trans Inf Theory 57:3323–3332. multiplexed fiber optic networks. Proceedings of the European Conference and Exhi-
38. Liu R, Maric I, Spasojevic P, Yates R (2008) Discrete memoryless interference and broad- bition on Optical Communication (Optical Society of America, Washington, DC),
cast channels with confidential messages: Secrecy rate regions. IEEE Trans Inf Theory p Tu.3.C.4.
54:2493–2507. 54. Song EC, Soljanin E, Cuff P, Poor HV, Guan K (2014) Rate-distortion-based physical
39. Liang Y, Somekh-Baruch A, Poor HV, Shamai (Shitz) S, Verdú S (2009) Capacity of layer secrecy in multimode fiber. IEEE Trans Commun 62:1080–1090.
cognitive interference channels with and with out secrecy. IEEE Trans Inf Theory 55: 55. Ignatenko T, Willems FMJ (2012) Biometric security from an information-theoretical
604–619. perspective. Foundations and Trends in Communications and Information Theory
40. He X, Yener A (2010) Cooperation with an untrusted relay: A secrecy perspective. IEEE 7:135–316.
Trans Inf Theory 56:3801–3827. 56. Lai L, Ho S-W, Poor HV (2011) Privacy-security tradeoff in biometric security sys-
41. Oohama Y (2007) Relay channels with confidential messages. Proceedings of the IEEE tems part I: Single uses case/part II: Multiple uses case. IEEE Trans Inf Forensics Secur
International Symposium on Information Theory (IEEE, Piscataway, NJ), pp 926–930. 1:122–151.
42. Lai L, El Gamal H (2008) The relay-eavesdropper channel: Cooperation for secrecy. 57. Sankar L, Rajagopalan SR, Mohajer S, Poor HV (2013) Smart meter privacy: A theoret-
IEEE Trans Inf Theory 54:4005–4019. ical framework. IEEE Trans Smart Grid 2:837–846.

26 | www.pnas.org/cgi/doi/10.1073/pnas.1618130114 Poor and Schaefer