Achieving the Secrecy Capacity of Wiretap Channels Using Polar Codes

Suppose that Alice wishes to send messages to Bob through a communication channel $C_1$ but her transmissions also reach an adversary Eve through another channel $C_2$. This is the wiretap channel model introduced by Wyner in 1975. The goal is to design a coding scheme that makes it possible to communicate eliably and securely. Reliability is measured in terms of Bob's probability of error in recovering the message, while security is measured in terms of Eve's equivocation ratio. Wyner showed that the situation is characterized by a single constant $C_s$, called the secrecy capacity, which has the following meaning: for all $\epsilon > 0$, there exist coding schemes of rate $R \geq \C_s - \epsilon$ that asymptotically achieve both the reliability and the security objectives. However, his proof is based upon a nonconstructive random coding argument. To date, despite a considerable research effort, the only case where we know how to construct codes that achieve secrecy capacity is when Eve's channel is an erasure channel, or a combinatorial variation thereof. Polar codes were recently introduced by Arikan. They achieve the capacity of symmetric binary-input discrete memoryless channels with low decoding complexity. In this paper, we use polar codes to construct a coding scheme that achieves the secrecy capacity of general wiretap channels. Our construction works for any instantiation of the wiretap channel model, as originally defined by Wyner, as long as both $C_1$ and $C_2$ are symmetric and binary-input. Moreover, we show how to modify our construction in order to guarantee strong security, in the sense defined by Maurer, directly -- without the need for privacy amplification. We do not know whether the modified construction also achieves the secrecy capacity $C_s$, although we conjecture that it does.