Analysis of Short Blocklength Codes for Secrecy

In this paper we provide secrecy metrics applicable to physical-layer coding techniques with finite blocklengths over Gaussian and fading wiretap channel models. Our metrics go beyond some of the known practical secrecy measures, such as bit error rate and security gap, so as to make lower bound probabilistic guarantees on error rates over short blocklengths both preceding and following a secrecy decoder. Our techniques are especially useful in cases where application of traditional information-theoretic security measures is either impractical or simply not yet understood. The metrics can aid both practical system analysis, and practical system design for physical-layer security codes. Furthermore, these new measures fill a void in the current landscape of practical security measures for physical-layer security coding, and may assist in the wide-scale adoption of physical-layer techniques for security in real-world systems. We also show how the new metrics provide techniques for reducing realistic channel models to simpler discrete memoryless wiretap channel equivalents over which existing secrecy code designs may achieve information-theoretic security.

Abstract-In this paper we provide secrecy metrics applicable to physical-layer coding techniques with finite blocklengths over Gaussian and fading wiretap channel models. Our metrics go beyond some of the known practical secrecy measures, such as bit error rate and security gap, so as to make lower bound probabilistic guarantees on error rates over short blocklengths both preceding and following a secrecy decoder. Our techniques are especially useful in cases where application of traditional information-theoretic security measures is either impractical or simply not yet understood. The metrics can aid both practical system analysis, and practical system design for physical-layer security codes. Furthermore, these new measures fill a void in the current landscape of practical security measures for physicallayer security coding, and may assist in the wide-scale adoption of physical-layer techniques for security in real-world systems. We also show how the new metrics provide techniques for reducing realistic channel models to simpler discrete memoryless wiretap channel equivalents over which existing secrecy code designs may achieve information-theoretic security.

I. INTRODUCTION
Physical-layer security has attracted much attention of late as a means to provide a keyless layer of security using errorcontrol coding and other physical-layer techniques such as intentional jamming [1], [2]. While traditional informationtheoretic secrecy measures have been the preferred vehicles for proving the worth of physical-layer security coding schemes, some channel models remain elusive to this type of analysis [3]. In this paper, we provide two new security metrics that apply when blocklengths are finite (and especially when they are short), and when channel models are more representative of real-world environments.
Coding techniques exist that can achieve strong secrecy, and even semantic secrecy over the binary erasure wiretap channel [4], but in the face of fading, jamming, and otherwise Gaussian noise, there remains a dearth of useful secrecy metrics beyond simple bit-error rates (BER). The one exception is the security gap [5], which provides a measure on the required This work was partially funded by the iCIS project under grant CENTRO-07-ST24-FEDER-002003, and the project UID/EEA/50008/2013 -C00356 (WINCE -Wireless Interference and Coding for Secrecy) funded by the Fundação para a Ciência e Tecnologia (Portuguese Foundation for Science and Technology) and conducted at Instituto de Telecomunicações. signal-to-noise ratio (SNR) advantage over an eavesdropper to operate at acceptable error rates for friendly parties with an acceptable amount of security over illegitimate receivers. Our metrics go beyond security gap, so as to identify operable regions of SNR for which bit-error rates, even over a short number of bits, are guaranteed to be near 0.5. The basic premise of our techniques is to evaluate the distribution of error rates over a small number of bits, such as might be transmitted over a single packet, or within a single coded word, and to make guarantees not only on the mean of the distribution, but rather on, e.g., the 10th percentile or even the 1st percentile of the distribution. A proper tool that allows us to make these claims is the simple cumulative distribution function (CDF) of the error rate over short blocklengths. As one considers percentiles closer to zero, the guarantees of our secrecy metrics are such that every small block of transmitted data either fails to be decoded (for the first metric), or achieves decoder output bit-error rates greater than 0.5 − δ (for the second metric). These metrics fill a void in the current landscape of security measures for secrecy codes, and find immediate application in real-world environments.
Consider the wiretap setup as depicted in Fig. 1, where the receiver chains for both a legitimate receiver Bob and an eavesdropper Eve are pictured. We consider here a possibly concatenated coding system, where the outer code is for security (and may consist of any number of coding operations as indicated), and the inner code is for reliability. Based on early work over the wiretap channel [6], [7], we know that there exists a supremum of achievable rates such that both security and reliability can be attained. This rate is called the secrecy capacity C s . Unfortunately, the grand majority of all currently known explicit secrecy codes do not provide both reliability and security, but rather offer security as long as the legitimate receiver's channel is noiseless. Explicit code constructions that are exceptions to this rule require that the eavesdropper's channel is degraded from the main legitimate receiver's channel, and only work for discrete memoryless channels [1]. One possible framework for extending these results is to employ a concatenated coding scheme as we illustrate in Fig. 1. It should be noted that the inner code in this figure is marked as optional, and if it is removed, then the model reduces to the traditional wiretap channel model [6].
ii Thus, although we are considering our new metrics in cases where concatenated codes are used, they remain applicable to the general wiretap case. We note the transmitter Alice encodes a message through all stages of the encoder to produce a length-n codeword X n , which is transmitted over the wiretap channel. Bob and Eve observe their respective signals Y n and Z n , and both attempt to decode the message, perhaps producing respective message estimatesM andM .

A. An Example
As a simple example, consider the case where the outer code is just a scrambler, implemented by multiplying the binary length-k message M by a k ×k binary matrix that is invertible in GF (2) at the encoder and its inverse at the decoder. Let's assume that the inner code is a t-error correcting code, such as a BCH code. If the channel is a Gaussian or a fading channel, then an information-theoretic security analysis may prove difficult. The alternative is to simulate the concatenated coding scheme at the decoder so as to obtain some guarantee on BER. When this is done, simulations are typically averaged over thousands of runs to obtain an average BER, and although the analysis is simulation driven, the results still only hold asymptotically as blocklengths become very large, just as in an information-theoretic analysis (if it's even possible).
We wish to provide probabilistic guarantees of decoder failure and guarantees of low statistical dependence between the message M and an eavesdropper's decoder output messagẽ M . Despite the fact that BER has several shortcomings as a security metric, it can still be used effectively to estimate decoder outputs when the eavesdropper's attack strategy is known. Our metrics strengthen this approach by considering the entire distribution of possible error rates. In Fig. 2 we show the BER both before and after the scrambler in a receiver, and as expected the descrambling operation propagates errors into the message estimate. However, if we'd like to guarantee error rates close to 0.5 in all k-bit message estimates at the eavesdropper, it is necessary to consider the entire distribution of error rates over a blocklength of data. We see curves for Pr(P b > 0.5−δ) in the figure, whereP b can be used to model the proportion of bits in error over one block of k bits either at the input or at the output of the outer decoder, and is a point estimator of the true bit error rate P b . To be more specific, let B be a random variable that represents the number of bits in error over k bits either at the input or the output of the outer and is coincidentally the maximum likelihood estimator for the bit error rate P b given k independent observations [8]. While the errors in k received bits comprising a single transmitted codeword are likely not independent at the output of a decoder, we will address this concern later in Section V. Notice in Fig. 2 that if we want Pr(P b > 0.5−δ) after the decoder to get close to one, then we need to allow δ > 0.15 for this scheme, and somehow ensure that Eve's E b /N 0 is no better than 3 dB. Also note that we use this simple example to showcase the general applicability of the new metrics, as comparing error rates before and after the outer decoder gives one method for quantifying the contribution of the descrambler to the data received by the eavesdropper, but we are not proposing scrambling with BCH codes as a security solution.

B. Outline
Throughout this paper, we will let SNR designate the signalto-noise ratio as measured by the channel, meaning the energy per transmitted bit over the noise power spectral density N 0 . E b /N 0 will be the energy per information bit divided by N 0 . The two are related by the overall rate R of the concatenated coding scheme so that SNR = RE b /N 0 for BPSK transmission.
The rest of the paper is organized as follows. First, we survey the landscape of secrecy metrics for physical-layer security coding schemes in Section II. We then point out some shortcomings and motivate the need for additional practical metrics in Section III. Since the main contribution of this paper is the introduction of new secrecy metrics, these two sections are absolutely crucial. In Section III we also highlight the cases for which our metrics are superior to both informationtheoretic and BER-based existing metrics, and point out their limitations. Sections IV and V provide our new metrics BE-CDF bc and BER-CDF ac , respectively, with definitions and clarifying examples. Finally, we show a use case of these metrics in a more complicated concatenated coding scheme in Section VI, and indicate how the scheme may be used directly for secrecy, or used to provide a discrete memoryless wiretap channel equivalent over which additional secrecy codes may be used to achieve information-theoretic security. We offer some comments by way of conclusion in Section VII.

II. SECRECY METRICS
The secrecy metric space has progressively become more dense, particularly over the last few decades. The initial secrecy coding metric posed by Shannon in the late 1940's was that of perfect secrecy [9]. A code is said to achieve perfect secrecy if Shannon introduced the notion through the coding scheme of the one-time pad, and promptly proved that it was impossible to achieve perfect secrecy in a scheme where the entropy of a secret key is not at least as much as the entropy of the message itself, making the notion completely impractical.
In the mid-seventies, Wyner [6] introduced an additional metric for secrecy that is known today as weak secrecy. A scheme is said to achieve weak secrecy if This metric introduced the idea of coding for secrecy in earnest because the results indicated that it was actually possible to achieve weak secrecy in a practical system. After all, this criterion does not require that the coded message X n leaks no information about M , but rather that the eavesdropper's observation Z n must leak a sufficiently small amount of information about M such that the 1/n factor can still drive the quantity to zero. With this new notion of secrecy, came the idea of secrecy capacity C s which was originally defined as the supremum of coding rates that can achieve weak secrecy against a passive eavesdropper as a function of the wiretap channel parameters, while maintaining arbitrarily low probability of decoding error at the legitimate receiver. As long as the legitimate parties are able to leverage an advantage over the eavesdropper so that the effective main channel is less noisy [7] than the eavesdropper's channel, then C s > 0, which indicates that private communications are theoretically possible.
Weak secrecy was shown to be insufficient in many cases [10], and Maurer later defined a stronger metric known as strong secrecy [11], where a scheme is said to achieve strong secrecy if It was recently noted in [12] that even strong secrecy may not be sufficient for some applications because the assumption is often made that message symbols are random and uniformly distributed over the message alphabet. Of course, in cryptographic scenarios, the messages are never perfectly random and uniform, and it is known that in practice there really is no universal compression algorithm that can provide such messages at the input of secrecy encoders. Thus, we have an even stronger notion of secrecy called mutual information security which is achieved if Here we maximize I(M ; Z n ) over all possible message distributions p M . It is also shown in [12] that this notion of secrecy is equivalent to distinguishing security and semantic security.
Although it took over 30 years after Wyner introduced weak secrecy for an explicit code design to emerge that could achieve it [13], it has already been shown that codes exist that can achieve both strong and semantic secrecy, albeit over simple wiretap channel models [4], [12], and surprisingly, the secrecy capacity defined using strong or semantic security is provably the same as that defined by the weak secrecy metric [14], [4].
Although this list of information-theoretic measures is impressive, there remain several wiretap channel models that have proved elusive to explicit code designs where information-theoretic security can be guaranteed. Thus, over channels that are more representative of real world communications, such as the Gaussian wiretap channel or fading channel scenarios, there have been additional security metrics developed. For example, the authors in [5], [15] used bit-error rate (BER) at the output of a decoder as a more practical means of security measure. This metric can be simulated in a straightforward manner, just as is done for traditional error-correcting codes. The authors in [5] developed a new secrecy metric by identifying a target BER for the legitimate receiver, as well as a target BER for an eavesdropper, and found the SNRs that would achieve each of these targets. The security gap was then defined as the difference between these two SNR values in dB (or a ratio of the two linear values). The security gap tells a designer what the required advantage is for obtaining the desired security and reliability performance, and threshold operating points for achieving both.
Authors in [16] studied coding mechanisms that provided degrees of freedom in an eavesdropper's decoder output, where no information about certain bits could be obtained, forcing an attacker to guess the bits associated with the degrees of freedom in the decoder. This notion was similar to an information-theoretic security approach in the sense that the information could not be attained through any degree of processing, but was also very much unlike an informationtheoretic security approach because it restricted an attacker to a specific attack strategy.

III. SHORTCOMINGS OF CURRENT SECURITY METRICS
The metrics of the previous section give many techniques for analyzing the security achieved by specific coding schemes. Developing wiretap codes that are able to reach the envisioned secrecy capacity for more practical channel models remains a formidable challenge, and performing the information-theoretic analysis is oftentimes deemed intractable. The information-theoretic measures are still the most desirable where possible to apply, but they also have another weakness in the sense that they lead to codes that are designed to meet a secrecy criterion in an asymptotic blocklength regime only, thus limiting their applicability in real systems that require short blocklength codes.
On the other hand, one should be careful when performing security analysis that relies only on BER-based measures, because high error rates do not necessarily indicate that some information has not been leaked. In fact, modern cryptography is based on computational security that does leak the information about the message. These systems work not because of an information-theoretic guarantee, but rather due to there being no known computationally efficient algorithm that can find the solution in any reasonable amount of time with any realistic amount of computing power unless the key is known. Thus we see that despite not achieving an information-theoretic security measure, cryptosystems remain useful because they attain security in a more practical/applied sense. In a similar way, BER security analysis assumes the best known decoder/attack, and makes calculations assuming an eavesdropper uses that attack. While BER may provide some useful information about the quality of the received data or the decoder output at the eavesdropper, BER calculations are still made by averaging large amounts of data, and are therefore only reliable as blocklengths get large.
The metrics we introduce over the next two sections of this paper take a BER approach, but rather than calculating simple averages, make use of our knowledge of the CDF of bit error rates over small blocks of data to provide lower bounds on error rates through the receiver decoder chain. Making this fundamental change in how BER is used to analyze security in a system, allows us to make stronger guarantees about the performance of secrecy codes in the short blocklength regime. This is something that none of the metrics in Section II can provide due to the way the analysis is completed either as blocklength goes to infinity, or as simulations are averaged over thousands of independent runs. Using the new metrics, we also maintain the ease of simulation-based characterization of security (which is particularly helpful when realistic channel models are considered, where it is not known how to provide an information-theoretic analysis). Table I  of each currently known physical-layer security metric, and indicates the contribution of our new metrics lies in ease of computation and providing the strongest guarantee yet for analyzing finite blocklength code designs.

IV. THE BIT ERROR-CUMULATIVE DISTRIBUTION FUNCTION
Let us consider an AWGN channel with BPSK modulation, for which the BER (depicted in Fig. 3) is given by [17] A t-error correcting code of length 127 that is able to correct up to 10 errors can recover from a BER of 10 127 ≈ 0.079 assuming uniform error distribution, but errors over short blocks of data are not guaranteed to occur so uniformly. Let E be the number of bit errors in a block of n bits. For a transmitted word of size n with independent bit errors, the probability of having fewer than or equal to t errors, Pr(E ≤ t) can be straightforwardly obtained from (6) as Let us now consider two operating points of Fig. 3: (a) SNR = 0 dB that leads to a BER close to the 0.079 that the code supports, and (b) SNR = −3 dB, that leads to a BER ≈ 0.16. Looking at Pr(E ≤ 10) in the same figure, for SNR = 0 dB we have Pr(E ≤ 10) ≈ 0.58, meaning that the code would still succeed more than half of the time. For SNR = −3 dB, we get Pr(E ≤ 10) ≈ 0.006, which indicates that the decoder will fail over 99% of the time, yet with a BER far from 0.5. Also note that the curve for Pr(E ≤ 10) approaches zero for low SNR values, with the BER still far from the idealized 0.5 value. With this in mind, the question arises of how close to BER= 0.5 is close enough for security purposes?
To address this issue, we look to the distribution of errors of transmitted data and propose the first of two new secrecy metrics.  t or less errors, Pr(E ≤ t), as a function of the SNR for a message of size S m , encoded with a code C i (refers to the optional inner code).
From this metric we can deduce the probability of having more than t errors in a block of data, giving us the power to predict the likelihood of decoder failure when the code is a terror correcting code such as a BCH code. This information is useful for identifying acceptable SNR operating points for both friendly parties and eavesdroppers [18]. Notice from Fig. 1 that we measure this metric before the outer code (hence the superscript bc) in a concatenated coding scheme, i.e. prior to the secrecy code. Because of this, we choose to use SNR, rather than E b /N 0 to show the results, although the conversion can be made if desired.

A. Analysis
This metric can also be used to fine tune the security and reliability levels of a coding scheme that relies on terror correcting codes. For example, if we assume no inner code and set the outer code to a BCH(127, 64) code that corrects up to 10 errors, and if we want a reliability level of Pr(E ≤ 10) > 0.99, Bob would have to operate at an SNR above 1.95 dB as indicated in Fig. 3. For a confidentiality level of 0.99, i.e. Pr(E ≤ 10) < 0.01, Eve would need to operate at SNR below −2.78 dB.
While relevant reliability and confidentiality levels with a reasonable SNR gap between Bob and Eve may seem illusive with simple coding schemes such as the mentioned BCH code, this metric enables the selection of t-error correcting codes that can be used in more evolved concatenated coding schemes combined with the generation of interference [18] to provide desired levels of reliability and confidentiality, as will be described in Section VI.

V. THE BIT ERROR RATE-CUMULATIVE DISTRIBUTION FUNCTION
The BE-CDF bc allows us to guarantee failed decoding with high probability over certain SNR regions for t-error correcting codes. However, a failed decoder does not necessarily imply that the eavesdropper cannot obtain most of the message bits at the output. Hence, in this section we introduce a metric that can guarantee decoder failure with BER close to 0.5 in the estimated message bits to strengthen the security guarantee. For this section, letP b be the measured proportion of bit errors at the output of an error-correcting decoder measured over S b decoded message bits. For the case where the code being used is a block (n, k) code, it makes sense to let S b be an integer multiple of k. The metric we propose in this section allows a user to specify a required error rate at the output of the eavesdropper's error-control decoder over S b bits using the probability thatP b > 0.5 − δ for any δ desired.

Definition 2 (Bit Error Rate-Cumulative Distribution Function). The Bit Error Rate-Cumulative Distribution Function
calculated over S b estimated message bits for a code C as a function of E b /N 0 , where C may be the concatenation of an (optional) inner code C i and an outer code C o .
We note that the ac exponent indicates that the metric is measured after the code. Since the inner code is shown to be optional in Fig. 1, this is referring to the outer (secrecy) code. Also, because we are calculating this metric after the decoder, it makes sense to use E b /N 0 , rather than SNR. Finally, we should note that this metric is actually the complement to the CDF, but we choose to use a consistent nomenclature to that of the BE-CDF bc . These two metrics packaged in a pair provide valuable design information so as to achieve both reliability and secrecy.

A. Analysis
The BER-CDF ac allows us to guarantee decoder failure with high probability in addition to high BER over short blocks of S b bits at the output of the decoder. Although the metric is not information-theoretic, it comes much closer to the information-theoretic definitions of secrecy than the BE-CDF bc by limiting the amount of useful information to an eavesdropper (as tends to happen with high BER). That is, for a scheme that guarantees high BER using the BER-CDF ac metric, it is unlikely that the decoder will fail and yet provide small BER at the output. Notice that this metric is also much more robust than simply considering the average BER, and examples are shown in the following section of the paper. Similarly as with our BE-CDF bc metric, we now ensure that  Notice that for some δ values, the BER-CDF ac approaches one, where other curves appear to be bounded away from one. the entire distribution of BER values for a specific length of text S b is within an acceptable security region.
Recall thatP b is the estimator of the error rate P b at the output of the final decoder over a short blocklength of S b bits. If we assume that each bit at the output of the decoder is in error independently with probability P b , then the random variable P n = S bPb models the number of errors in a block of S b bits, and is distributed according to the binomial distribution with parameters µ = P b , and This means we can calculate the metric exactly as Although the exact expression can be derived in this case, the assumption of i.i.d. errors is not likely to hold in practice, P b may be unknown, and the calculation itself would be time intensive, or require approximation using the Gaussian distribution [8]. Thus, in practice, it makes more sense to calculate the metric using straightforward Monte Carlo simulations. By way of example, consider Pr(P b > 0.5 − δ) as plotted for a BCH(127, 92) code as the outer code with several varying sets of parameters as portrayed in Fig. 4. Each case presented uses S b = 92 × 2 = 184 so as to allow a L = 4 order modulation scheme without zero-padding. The modulation scheme was chosen arbitrarily to be differential phase shift keying (DPSK), and is either binary or quaternary as indicated in the legend. Beyond this, we consider different δ values as shown. Although there exist E b /N 0 values for which the decoder fails with probability close to one, unless the resultant BER is greater than (0.5 − δ) with high probability, the metric will not approach one in the limit as E b /N 0 → −∞.
Notice that the value the BER-CDF ac approaches as E b /N 0 → −∞ is strongly linked to δ, which makes perfect sense. As δ grows, it is more possible to fit the entire distribution of BER above the (0.5 − δ) threshold. This observation indicates that for any particular coding scenario, there may in fact exist a minimum δ for which the BER-CDF ac can be made to go to one as E b /N 0 → −∞. Also notice in Fig. 4 that increasing the order of the digital modulation scheme can bring about an effective shift towards better security. When Pr(P b > 0.5 − δ) is bounded away from one, we are viewing the random corrective capabilities of the code even when the signal is completely overwhelmed by noise. Certainly, we can do better by increasing S b or the dimensions of the code as well, but the utility of this metric is that we can get a clear picture for what happens when S b is small, thus providing small blocklength security analysis in practical physical-layer security system designs. Let us consider the limiting value of the BER-CDF ac as E b /N 0 → −∞. Clearly this quantity is a function of δ and S b , and can be calculated by recognizing thatP b is a sample mean of Bernoulli random variables X i where Let Pr(X i = 1) = P b as before. Then specifically, and by the central limit ). Clearly, this is true in the limit as S b gets large, but even for small and moderate blocklength sizes, the central limit theorem still provides a good approximate distribution.
In the limit as E b /N 0 → −∞, we also have P b → 0.5, and P b ∼ N (0.5, 0.25 S b ). Using the classic Gaussian standardization technique [8], we find that This limiting value of the BER-CDF ac is shown in Fig. 5 over a range of δ and S b values. These results can aid system designers in choosing S b (or k) in outer codes appropriately so as to supply a desired BER-CDF ac . Once S b is chosen, we also have a best possible value for the metric over which any coding scheme can be compared. One characteristic of good secrecy codes is that they will transition from zero to the limiting value in this metric over a very short range of In this section, we show how the concatenated coding system from [18] measures up using the two new metrics, and discuss the utility of the system as a result of its BE-CDF bc and its BER-CDF ac curves. It should also be noted that [18] goes through a design process based on the BE-CDF bc for this coding scheme. Although we do briefly outline the scheme and one possible design process here, the interested reader is directed to the original work for further details. Finally, we indicate how our new metrics may be combined with this coding scheme to provide effective discrete memoryless wiretap channel equivalents over which other secrecy coding schemes may be implemented to achieve information-theoretic security.

A. System Setup
The system analyzed in this section follows the general concatenated coding framework outlined in Fig. 1. The outer code can actually be considered as two encodings, where the message is interleaved according to a secret key K (drawn from the space of possible permutations on S m input message bits), and the key is encoded separately from the message using a BCH(127, 64) code that is capable of correcting 10 errors. The interleaved message and the encoded key are then appended together, and this constitutes the outer code. An LDPC(1056, 880) code is then used as the inner code, which is applied to the appended message and key to form a codeword suitable for transmission over a noisy channel. Recall from Fig. 1 that the general concatenated framework is such that the outer code is intended to achieve the secrecy requirements of the system, while the inner code is used to achieve reliability for Bob.
In this system, however, there is more at play than just the coding schemes. When the encoded data that are associated with the key K are transmitted over the channel they are intentionally jammed by some friendly network user with jamming power equal to a fraction α of Alice's transmit power. The idea is to give Bob an advantage because of his location or knowledge of the jamming signal so that the jamming affects him only minimally, while an eavesdropper has no information about the jamming signal and/or is positioned in a geographic location that does not afford her the same advantage as Bob [18], [19], [20]. Since the jamming is only applied to the encoded bits associated with the interleaving key, reliability in the system also stems from Bob being able to recover the key for deinterleaving, while security in the system depends on Eve being unable to recover the interleaving key. Data are transmitted over a Gaussian wiretap channel using BPSK modulation.
The receiving decoders at Bob and Eve apply a softdecoding algorithm for the LDPC code, and the BCH decoder can then correct no more than 10 errors in the key bits. The goal is to reliably keep the errors at the output of the LDPC decoder at no more than 10 for Bob, and above 10 for Eve for each transmitted key block, as the key bits must be used to deinterleave the message bits at the final step of the decoder. The mapping of keys to interleavers is such that any errors in the estimated key result in high error rates in the deinterleaved message, even when the interleaved message bits are recovered exactly [18].

B. Direct Results
Our two new metrics paint a complete picture of how this system will respond for both Bob and Eve, thus providing security analysis and system design constraints. The BE-CDF bc will show us the operating point for Bob to attain any desired level of reliability, and will also show us how Eve's decoding capability breaks down. The BER-CDF ac will then further enlighten us as to where we truly wish Eve to operate so as to guarantee (with probability essentially one) high BER at the output of her decoder. Coincidentally, this analysis also allows us to identify the jamming power advantage required during key transmission for the system to be successfully deployed [18].
Let us assume that the effective jamming to Bob is α B = 0.2, while the effective jamming to Eve is α E = 0.7 (we also include α = 1 in the figures for instructional purposes). The BE-CDF bc results apply to the BCH-encoded key bits and are given in Fig. 6, where we see that if Bob wishes to attain an overall BER around 10 −3 , the system must be designed to guarantee a BE-CDF bc value no lower than 0.9975. The interpretation of this value is that less than 1/4 of 1% of the transmitted key blocks should be decoded in error for Bob. Also according to Fig. 6, Bob achieves this performance if the SNR over his Gaussian channel is 6.5 dB or greater. We also note that the BE-CDF bc for Eve at an SNR of 4 dB is equal to 0.0048, meaning less than 1/2 of 1% of the time Eve will receive a key block for which she can correct all the errors if this BE-CDF bc value can be maintained.
To get the true feel for how Eve is affected by this scheme, however, we need to track the distribution of error proportion in Eve's guess of the message bits as a function of E b /N 0 using the BER-CDF ac as depicted in Fig. 7. Here we see that for δ = 0.05, we can attain Pr(P b > 0.5 − δ) = 0.995 at roughly E b /N 0 = 4.7 dB, which corresponds to an SNR value of approximately 4 dB. These results indicate that for this

C. Creating a Discrete Memoryless Channel
Explicit secrecy code constructions exist that can provide information-theoretic security; however, only for discrete memoryless wiretap channels. As mentioned previously, currently known designs require either a noiseless main channel for legitimate communication or a degraded wiretap channel for the eavesdropper [1]. Thus, we have two possible research directions for making these designs more practical to real end users. First, effort can be placed to design secrecy codes that operate over more realistic channels; and second, coding and/or signaling techniques may be leveraged to produce an effective wiretap channel [21] over which we already know how to code for secrecy. In this section, we outline how our new metrics and the coding scheme explained in Section VI-A can be used to produce an effective discrete memoryless wiretap channel.
Consider again the results shown in Fig. 7 that indicate an eavesdropper experiencing jamming power α E = 0.7 and E b /N 0 = 4.7 dB over a Gaussian channel can expect error rates over 753-bit messages to have BER greater than 0.45 with probability very close to one. Since the analysis was conducted over short block lengths, we offer not just an average BER, but rather a low estimate of the BER over the channel. We now consider applying one more code on the outside of the entire scheme described in Section VI-A, as depicted in Fig. 8, and modeling the remaining blocks as an effective binary symmetric channel (BSC). The additional code added is one that can leverage this effective channel to bring about an information-theoretic security result (e.g., [22]).
In order to claim that the interior blocks in Fig. 8 can truly be modeled as a BSC, we need to verify three main properties of the BSC in our system: (1) each bit should be erased independently from all other bits; (2) the probability p of flipping each bit over the channel should be identical, and we need to identify its value; and (3) we need to ensure that soft information about the bit is either not available or impossible to use at the secrecy decoder.
To ensure that bits within message blocks retain their independence of being in error, as required by the BSC model, we need to apply an inter-block interleaver as the first subcode in the Outer Coder block in Fig. 8 to spread information around as in [16], [21] and many other works. Although there may exist some correlations between flipped bits over the same transmitted packet, since all bits from every secrecy codeword are transmitted in different packets over the channel we effectively deliver independence between the bits at the secrecy codeword level, which is where we need independence for the secrecy code to work properly.
In terms of identifying the probability p that corresponds to the flipping of each bit over the channel, we'll use the lower bound given by BER-CDF ac as indicated above. By so doing, we provide an even stronger guarantee than identifying an average probability, since even short blocklengths maintain this probability of bit error with probability close to one. Bit error locations within secrecy codewords are kept uniformly random as a byproduct of the inter-codeword interleaving at the output of the secrecy encoder.
Finally, we need to address this issue of soft information at the input of the secrecy decoder. Although soft information is technically available here, we must deduce whether or not the information is actually worth anything. In other words, what do log-likelihood ratios (LLRs) look like when the overall bit error rates at the output of an LDPC decoder are close to 0.5? LLRs can be approximated by Gaussian distributions with means centered at positive values if the bits should have a value of zero, and at negative values if the bits should have a value of one. The Gaussian approximation rule-ofthumb stems from the central limit theorem for likelihood ratios, where sums of random variables are calculated to give the ratio's next iteration [17], [23]. The distribution of LLRs corresponding to bits in error is always symmetric and centered at zero since the decision threshold at the end of the soft iterative decoding algorithm is positioned directly between the distributions of LLRs corresponding to differing bit values. When the SNR is small enough that the code doesn't correct all the errors, distributions corresponding to bits in error and correct bits start to look very similar. In fact, when the noise completely overwhelms the coding scheme, each of these distributions tends to an approximate Gaussian distribution with mean zero and identical variances. It is this property that supplies an effective decoding threshold for iteratively decodable codes [17]. Finally, as the bit error rate (BER) approaches 0.5, the statistical difference between the distributions of LLRs for correct bits and bits in error becomes   Fig. 9. Kullback-Leibler divergence between distributions of LLRs that correspond to bits in error and LLRs that correspond to correct bits at the output of an LDPC soft decoder, as a function of the hard-decision BER at the output of the decoder. As the BER approaches 0.5, the distributions become more alike, to the point where detecting a correct bit or a bit in error is impossible, even with soft information.
negligible. To demonstrate this, we show through simulation that the Kullback-Leibler (K-L) divergence [24] between the two distributions approaches zero as the BER approaches 0.5, where the K-L divergence is given as and p(x) represents the distribution of LLRs for correct bits while q(x) represents the distribution of LLRs for bits in error at the output of a soft-information LDPC decoder. These results are given in Fig. 9, where we observe D(p||q) going to zero with increasing BER. Recognize that D(p||q) = 0 implies that there is no statistical difference between p(x) and q(x), or that the distance between the two distributions is zero. It can be argued then, that as long as D(p||q) is small enough, soft information at the output of an iterative decoder is unusable as it doesn't accurately depict any type of relationship between a bit's likelihood of being correct or in error.
The end result is that our new metrics mixed with the scheme from [18] can provide the effective channel model necessary for these information-theoretic designs to succeed. We see in [1] that one type of secrecy code that may be able to offer secrecy over this channel is that given in [22], where known advantageous (good for Bob, and bad for Eve) polarizations of bits in polar codes are used to transmit secret information over a symmetric eavesdropper's channel. This coding scheme is known to achieve strong secrecy at information rates approaching the secrecy capacity when the legitimate channel can be modeled as noiseless. For our case (where we've assumed that α E = 0.7, α B = 0.2, Bob's SNR ≥ 6.5 dB, and Eve's SNR ≤ 4 dB), supplying a probability of a flipped bit p = 0.45 over an effective BSC to an eavesdropper while maintaining an effectively noiseless main channel results in secrecy capacity C s = C m − C w = p bits per channel use, where C m and C w signify the channel capacities of the main and wiretap channel, respectively [6], [7], [24].
The approach outlined here, where we manufacture a wiretap channel over which additional secrecy codes can be utilized, can be extended to produce other effective discrete memoryless wiretap channels as well that may form ideal backdrops for other code designs to operate in more realistic environments.

VII. CONCLUSIONS
In this paper we have discussed the landscape of physicallayer security coding metrics. We note that most measures in use today rely on information-theoretic analysis as blocklengths tend to infinity, or use mean BER, both of which give asymptotic results that have limited meaning for short blocklength codes. We have proposed two new metrics that effectively employ CDFs to provide a lower bound on the security levels based on BER. Such an approach provides a stronger guarantee of secrecy over realistic channel models than simply using mean BER to estimate performance, and yet our metrics retain their simplicity of calculation making them x directly adaptable to real-world communication systems. We have also shown how these new metrics may be used to reduce realistic channel model environments to simpler models over which known secrecy codes may be implemented to achieve information-theoretic security.