Two-Way Physical Layer Security Protocol for Gaussian Channels

In this paper we propose a two-way protocol of physical layer security using the method of privacy amplification against eavesdroppers. First we justify our proposed protocol by analyzing the physical layer security provided by the classic wiretap channel model (i.e. one-way protocol). In the Gaussian channels, the classic one-way protocol requires Eve's channel to be degraded w.r.t. Bob's channel. However, this channel degradation condition depends on Eve's location and whether Eve's receiving antenna is more powerful than Bob's. To overcome this limitation, we introduce a two-way protocol inspired in IEEE TIT (1993) that eliminates the channel degradation condition. In the proposed two-way protocol, on a first phase, via Gaussian channel, Bob sends randomness to Alice, which is partially leaked to Eve. Then, on a second phase, Alice transmits information to Bob over a public noiseless channel. We derive the secrecy capacity of the two-way protocol when the channel to Eve is also Gaussian. We show that the capacity of the two-way protocol is always positive. We present numerical values of the capacities illustrating the gains obtained by our proposed protocol. We apply our result to simple yet realistic models of satellite communication channels.


I. INTRODUCTION
Physical layer security for wireless communications has become a major research topic in recent years because it does not need the computational assumption [1], [2], [3].Different properties of the wireless channel can be exploited using information theoretical tools to prevent leakage of information towards potential eavesdroppers.The classic wiretap model as first proposed by Wyner [4] and then generalised by I. Csiszár and J. Körner [5] was later strengthened to meet cryptographic security standards in [6] and [7], the latter framed within spectrum information-theoretic methods [8].We adopt such approach here: we assume the physical layer security realized by a stochastic wiretap encoder [9], [10], [11] based on the privacy amplification method [12], [13].This method decouples reliability and secrecy, enabling the implementation of different security protocols.
In its simplest implementation, the wiretap channel model using privacy amplification can be realized as a one-way security protocol whereby Alice sends a keyless secret message to Bob protected with universal 2 hash functions [14], [15], [16].In the Gaussian wiretap channel, secrecy capacity is positive as long as Eve's channel has a worse signal to noise ratio than the channel between Alice and Bob, i.e., Eve's channel is degraded w.r.t the main channel between Alice and Bob [17].The same holds to ensure positive secrecy rate in the finitelength [18], [19].However, when the channel between Alice and Bob has a worse signal to noise ratio than the channel to Eve, we cannot realize secure communication in this scenario [20], [21], [22].For example, in the satellite communication, Eve's satellite usually stays in lower orbit than the orbit of Bob's satellite like in the example scenario in Fig. 1, which implies that Eve has better signal to noise ratio than Bob.That is, it is hard to realize secure satellite communication with the above proposals of wiretap codes if we cannot identify Eve's spatial locations.This type of attack is often called passive man-in-the-middle attack [44].To resolve this problem, the papers [23], [24], [25], [26] introduced two-way protocols, in which, the channels of both directions are noisy Gaussian channels.However, when both channels are noisy Gaussian channels, there still exists a possibility that we cannot realize secure communication dependently of Eve's and Bob's spatial locations.To overcome this limitation, Maurer [27] proposed a two-way protocol based on the binary symmetric channel.In this paper, inspired by Maurer's idea, we propose a two-way protocol with Gaussian wiretap channel and public noiseless feedback, in which, the feedback channel is given as a public noiseless channel with discrete variable.This paper assumes that the noise in the channel of the initial transmission from Bob to Alice is independent of the noise in that to Eve while the paper [29] considers the case when these two noises are correlated.Under this assumption, unless the channel of the initial transmission to Eve is noiseless, this protocol always has positive secure transmission rate regardless Eve's and Bob's spatial locations.In particular, we focus on the simple but realistic (for fixed user terminals) Gaussian-channel satellite system scenarios.Our results demonstrate that our two-way protocol greatly outperforms state-of-the-art one-way and twoway protocols because our two-way protocol always realize secure communication under passive man-in-the-middle attack independently of Eve's spatial location.Note that extension of our results to channels with fading is straightforward, but we take this purely averaging calculation problem out of the scope of our paper, here we focus on the protocols for the Gaussian channel without fading.More specifically, on the application to the Gaussian with BPSK satellite channel, which is considered in current satellite communication standards [41] Further, we can equip authentication in our protocol by attaching universal 2 hash function [14], [15].This protocol can prevent active man-in-the-middle attack.Therefore, the advantages of our protocol are summarized as follows.
Contribution 1) We address wiretap channel security problem (i.e.eavesdropping) and propose for the first time a novel practical Gaussian wiretap protocol implementing theoretical ideas in Maurer's paper [27].
Contribution 2) Our novel two-way protocol greatly outperforms state-of-the-art one-way protocol because our protocol shows always positive secrecy capacity independently of Eve's location (i.e. it does not require channel degradation condition of one-way wiretap channel).This is our main technical result based on novel and rigorous information theoretical proof.
Contribution 3) Our practical two-way protocol outperforms other proposals of two-way protocols [23], [24], [25] in the following sense.First, because while other two-way protocols require several communication rounds, our protocol only requires two rounds.Second, because other two-way protocols while outperforming one-way protocol, they still may have negative secrecy capacity.Finally, because our protocol only requires two rounds, our protocol is highly suitable to secure communication channels with large delay, e.g.satellite channels.
Contribution 4) We show the performance of our protocol with meaningful numerical results for the realistic Gaussian BPSK modulated satellite channel, which is included in current satellite communication standards [41].For this, we use our system modeling which allows to evaluate the security capacity as a function of the system parameters.Hence, our method and results are useful for secure communication design.
One might consider that the real feedback channel is also a noisy channel.However, if we choose sufficiently strong intensity and a suitable error correcting code, the information transmission of the feedback channel can be regarded as a noiseless channel.In this case, we can regard the feedback channel as a noiseless public channel with discrete variable.In contrast, the noise of the initial Gaussian channel is essential because its presence makes the difference between mutual informations from Alice to Bob and Eve.Furthermore, the information leakage in the channel during the second phase needs not be considered because information leakage is only relevant on the first phase.Hence, it is allowed to make the power of the transmission signal very strong in the second phase while we cannot use such a strong power in the first phase to control the secrecy.Since the information transmission rate with the strong power is much larger than that with the weak power, the consuming time of the first phase is dominant in comparison with that of the second phase is dominant.That is, the first phase is the bottleneck in this setting.Therefore, this paper optimizes the amount of noise in the initial Gaussian channel to maximize the wiretap capacity in this model.
In fact, the paper [31] considers a similar topic.It is a follow up of this submission with practical focus.Hence, it contains only the brief description of the two-way protocol without proper proof.Also, the analysis of the secure satellite communication in [31] is different from our analysis in Sections IV and V.That is, it did not consider the optimization while the analysis in this paper is based on the optimization given in Section IV.
Relations to other studies are summarized as follows.While the paper [26] discusses two-way wiretap channels, it considers a new scheme cooperative jamming.The scheme in [26] has several users that are cooperative while this paper has only two cooperative users, the legitimate sender and the legitimate receiver.Therefore, the method in this paper cannot be compared with [26].In the paper [45], Bob feeds back some randomness that is used as a secret key, exactly like the present manuscript.However, it assumes that the feedback is noiseless and secure, so Eve does not observe it, which is different from here.In the paper [46], unlike the present work, Bob does not control the feedback link.However, it allows all players to observe everything.Hence, the method in this paper cannot be compared with the results [45], [46].
Our work is structured as follows.In Section II, we review the results of one-way standard protocol.In Section III, we propose our two-way protocol.In Section IV, we make numerical optimization for our obtained secret capacities.In Section V, we apply our result to simple realistic models of satellite communication.Finally in Section VI we discuss the protocol and draw some conclusions.

II. ONE-WAY PHYSICAL LAYER SECURITY PROTOCOLS A. Signal and channel Model
First, we review the results of one-way standard protocol with Gaussian channels, which model wireless channels in relevant realistic communication scenarios such as satellite radiofrequency communication channels.The signal variables received by Bob and Eve can be modeled as where V is a variable modeling the transmitted signal and E s is the energy per symbol expressed in Joules.Y is the random variable representing the signal received at the legitimate receiver, Z the random variable representing the signal received at the eavesdropper's receiver and N 1 and N 2 are zero-mean circular complex Gaussian random variables with unit variance.n B is the noise spectral density power of Bob's receiver expressed in Joules per Hertz.The coefficient γ g models the amplitude attenuation of the wiretapper's channel w.r.t. the legitimate channel.The analytical expression of γ g will depend on the system under analysis as well as the channel assumptions and corresponding time scale.The multiplicative coefficient γ n expresses wiretapper's receiver noise with respect to Bob's receiver noise.Denote the signalto-noise ratio (SNR) for Bob as where P and N B are the system and noise power at Bob's receiver, respectively both expressed in Watts.We can then rewrite the signal model as where Hence, N 1 and N 2 are zero-mean circular complex Gaussian random variables with unit variance.

B. Secrecy capacity with BPSK modulation and soft decision
In the one-way model, Alice sends the encoded information to Bob via channel (2) as Fig. 2. Now, we assume the BPSK modulation, in which, Alice encodes her binary information A ∈ F 2 to V = (−1) A .In this scenario, the secrecy capacity C OW soft (γ B , η B ) for the one-way protocol is given as [19, (46)] where u(x) := −x log x when Also, when the condition (3) does not hold, the capacity is zero.In this case, we cannot realize secure communication in this scheme.Here, Bob and Eve are assumed to store the sequence of the received continuous signals and apply the decoder to them.This type of information processing is called soft decision decoding [42].

C. Secrecy capacity with BPSK modulation and hard decision
To save the cost of decoding, the receiver converts the received continuous signal to a binary signal in the reception and apply the decoder to the sequence of the binary signals.This type of information processing is called hard decision decoding [42].When the receiver applies this method, it is sufficient to store only binary signals, which saves the memory of the receiver.Here, as another scenario, we consider the case when Bob and Eve obtain B and E using hard decision detection on their received signals Y and Z as defined in the previous sections, respectively.The crossover probability between Alice and Bob induced by the Bernoulli random variable X 1 is given as * B = 0.5erfc( η B /2) and the crossover probability between Alice and Eve induced by the Bernoulli random variable X 2 is given as In this scenario, by using the binary entropy function h(x) , the secrecy capacity for the oneway protocol is given as which is positive only when * E > * B , which is equivalent to (3).

III. TWO-WAY PHYSICAL LAYER SECURITY PROTOCOL WITH GAUSSIAN CHANNELS AND BPSK MODULATION A. Signal and channel Model
One-way model requires the condition that the mutual information between the sender and the legitimate receiver is larger than that between the sender and the eavesdropper.This assumption does not hold when the eavesdropper performs passive man-in-the-middle attack.To resolve this problem, we consider two-way protocol for the Gaussian channel and BPSK modulation as follows.In an initial step, Bob sends a random variable V to Alice.In this case, Alice and Eve obtain the variables Y and Z, respectively, as follows.
where N 1 and N 2 are zero-mean circular complex Gaussian random variables with unit variance and the coefficient γ A models the amplitude attenuation of the wiretapper's channel w.r.t. the legitimate channel (which is now between Bob and Alice and not between Alice and Bob).Notice that the transmitter of the noisy Gaussian channel ( 6) is not Alice who is the sender of the secret message of this protocol.Therefore η A is now where n A is the noise spectral density power of Alice's receiver expressed in Joules per Hertz.
Bob generates the binary variable B ∈ F 2 subject to the binary uniform distribution, and sends V = (−1) B via the above RF channel.Applying hard decision decoding to Y , Alice obtains the binary variable A. In the next step, Alice prepares another binary variable X, and sends X := X ⊕ A to Bob via a public channel.When X is regarded as the channel input information, the legitimate receiver's output is B and X while the eavesdropper's output is Z and X .The overall process along with the generated random variables is shown in Fig. 3.

B. Protocol
Based on the above discussion, we fully describe our concrete protocol.For this aim, we fix an error correction code, i.e., the pair of the encoder φ e,n and the decoder φ d,n with block length n.Then, combining the error correction code and universal 2 hash functions [14], [15], [16], we employ the wiretap code given in [19, Appendix A] using random seed S and we have the wiretap encoder φ e,n |S and the wiretap decoder φ d,n |S .This code construction achieves the strong secrecy even in the continuous system [9], [18], [19].
Then, we propose the following two way protocol.
(1) Bob generates the binary data sequence B 1 , . . ., B n ∈ F 2 .Then, sends (−1) B 1 , . . ., (−1) B n via the channel described in ( 6). ( 2) Alice makes the hard decision.Then, she obtains the binary data A 1 , . . ., A n .In this case, A i and B i are connected via the binary symmetric channel with crossover probability A , whose mathematical expression will be given later.(3) To send the secret message M, using an auxiliary variable L, Alice applies the code Then, Alice sends X n = (X 1 , . . ., X n ) to Bob via public channel, where Here, an auxiliary variable L is a variable independent of the message M, and is used to realize the secrecy of M.
To realize the public channel from Alice to Bob in the second phase, they employ the RF channel (2) with an error correcting code ( φe, n, φd, n) different from the error correction φ e,n |S so that the decoding error probability of the code ( φe, n, φd, n) is close to zero (i.e., the bit error rate is e.g.below 10 −6 ).Here, if the coding rate of the code ( φe, n, φd, n) is R, they use the RF channel (2) n = n/ R times in Step (3) physically.That is, in Step (3), Alice sends X n = φe, n(X n ) to Bob via the RF channel (2) of coefficient η B .Also, in Step (4), to get X n , Bob applies the decoder φd, n to the received n symbols via the RF channel (2) of coefficient η B .Indeed, when the bit error rate of the public channel (i.e., the bit error rate of the code ( φe, n, φd, n)) is e.g.below 10 −6 , it can be negligible in comparison with the bit error rate between A and B. Hence, we can consider that the bit error rate of the channel from X i to X i given in Steps ( 3) and ( 4) almost equals that between A and B, in practice.
The above description has no authentication.However, it is possible by attaching using universal 2 hash function [14], [15], which prevents active man-in-the-middle attack [44], while it is difficult to avoid active man-in-the-middle attacks without authentication [43].The detail is discussed in [28] and the arXiv version of [29].

C. Secrecy capacity when Eve uses hard decision
When Eve has limited memory, it is natural that Eve uses hard detection decoding when receiving Z so that Eve obtains the binary variable E.
Indeed, the first phase can be regarded as a preparation step for the secure communication.In order to prevent Eve to make soft decision, Alice and Bob can consider the following strategy.Before starting the second phase, Alice and Bob continue the first phase so that the length of their obtained random numbers A 1 , . . ., A n and B 1 , . . ., B n is close to the limitation of their memory.In this case, the length of their obtained random numbers is across several coding blocks.Since satellite has a limitation of size of memory due to the limitation of physical space.it is natural that the size of Eve's memory is similar to that of Alice and Bob.In this case, it is difficult for Eve to keep the all the outcomes of soft decision, i.e., Eve needs to choose hard decision in this case.For example, the preceding paper [47], which is oriented to an application side, analyzed the security for the Poisson wiretap channel when Eve has limited memory, i.e., Eve uses hard detection decoding.
Using two independent Bernoulli random variables X 1 and X 2 on F 2 , we have The crossover probability between A and B is A = 0.5erfc( η A /2) and the crossover probability between E and , where erfc(t) is defined in (4).
Hence, the problem is reduced to the case with BSC channels, which was discussed by Maurer [27].Hence, the capacity C TW hard (γ A , η A ) when Eve uses hard detection is calculated to ) and the probability of because h(

D. Secrecy capacity when Eve uses soft decision
When Eve has sufficient size of memory and her computation power is unlimited, she can employ soft decision decoding.That is, to consider Eve's best strategy, we need to address the case when Eve uses the variables Z and X .To analyze this case, we use the Markov chain A − B − Z.We focus on the wiretap channel composed of the main channel W B := P B,X |X and the eavesdropper channel Thus, the channel W E is a degraded channel of the channel W B .Further, the channels W B and W E are symmetric, the wiretap capacity is attained when P X is the binary uniform distribution, and the wiretap capacity where (a) follows from the independence of X from A, B, Z, which can be shown by the uniformity of the conditional distribution P X | A .Therefore, the wiretap capacity C TW soft is always positive regardless of γ A , regardless the condition γ A < 1 does not hold.The wiretap capacity expresses the limit of the secure transmission rate when we use a proper coding under the condition that the mutual information between the message and Eve's information goes to zero.
Further, the probability P Z and the conditional probability P B |Z are calculated as Hence, due to the Markov chain Z − B − A, we can calculate the conditional mutual information; Notice that I(A; B|Z = z) = 0 if and only if P B |Z (0|z) is 0 or 1.Hence, the capacity C TW soft (γ A , η A ) with Eve's soft decision is calculated as a function of η A , γ by Thus, unless P B |Z (0|z) is 0 or 1 for all z, (14) is strictly positive.That is, when γ A is a finite value, P B |Z (0|z) is an intermediate value between 0 and 1 for all z.Hence, the capacity C TW soft (γ A , η A ) is strictly positive.Even in this scenario, when X is also subject to the uniform distribution, B ⊕ X is Bob's sufficient statistics with respect to X. Hence, we have I(X; X ⊕ B) − I(X; X Z) = I(X; X B) − I(X; X Z) = C TW soft (γ A , η A ). Therefore, even when Bob uses only B ⊕ X for his decoding while Eve uses the two variables Z and X , the capacity C TW soft (γ A , η A ) can be attained.Consequently, the channel W B can be modeled as a computation channel as illustrated in Fig. 4.
where the subscripts TW and OW of the random variables express the protocol to be considered.This opposite inequality is caused by the hard decision on Alice's received signal Y in the two way protocol.Therefore, when γ is smaller than a certain threshold, C TW soft (γ, η) is smaller than C OW soft (γ, η).That is, the one-way protocol may have greater capacity than the two-way protocol for some threshold of γ.We have computed the value of such threshold as a function of the SNR, which is shown in Fig. 5.

IV. OPTIMIZATION
Here, to extract a higher communication speed, we consider how to optimize the channel parameters in the RF channel (6).When the power of transmitting antenna of Bob increases, the coefficient η A increases and the ratio between the coefficients of signal in Alice's and Eve's sides is not changed.For simple analysis, we first assume that Alice and Bob can know the value of η A by using test transmission, and control it by changing the power of transmitting antenna of Bob, where other components (e.g., the receiving antenna gains of Alice and Eve, the directions of antennas etc) are fixed.In practice, it is not so easy to know the value of the ratio γ A because it depends on Eve's position.However, if we know the type of Eve's orbit, we know the range G of possible values of γ A .In this case, we consider the worst case for Alice and Bob, i.e., γ A,max := max γ A ∈ G γ A .In fact, when we have two possible values γ A,1 > γ A,2 for the ratio, the channel to Eve with γ A,2 is a degraded channel of the channel to Eve with γ A,1 .Hence1 , a secure code for the channel to Eve with γ A,1 is also secure for the channel to Eve with γ A,2 .Therefore, it is sufficient to prepare a code with the largest value γ A,max .We optimize C TW hard (γ A,max , η A ) and C TW soft (γ A,max , η A ) by changing η A .Here, the parameter η A = P/N A can be changed by changing the power P. The optimum secret capacities are given as Hence, we need to find suitable value for η A dependently of γ A,max .η TW soft (γ A,max ) := argmax η A C TW soft (γ A,max , η A ) and η TW hard (γ A,max ) := argmax η A C TW hard (γ A,max , η A ) are the optimal intensities of η A .
In fact, we can apply a similar optimization to the one way case.In this case, we consider the following optimum secret capacities;  ).The vertical axis expresses these optimal capacities.The horizontal axis expresses γ A,max and γ B,max with log scale, which runs from 10 −3 to 10 2 .Fig. 6 shows the comparison among the optimum secret capacities C TW soft (γ A,max ), C TW hard (γ A,max ), C OW soft (γ B,max ), and C OW hard (γ B,max ).We can observe that while for the one-way protocol the capacity is zero whenever the eavesdropper has higher SNR than Bob, in the two-way protocol the capacity is always positive and greater than zero.We have computed the difference between optimal secrecy capacities C OW soft (γ B,max ) and C TW soft (γ A,max ) for γ B,max = γ A,max = γ max as Fig. 7.We observe that as obtained theoretically in (15), the OW secrecy capacity is slightly bigger than the TW secrecy capacity when the channel to Bob is advantageous over that to Eve.However, also in agreement with the theoretical derivations, the TW secrecy capacity starts to be bigger than the OW when the channel to Bob is not so advantageous over that to Eve.In Fig. 7, we observe in the zoom plot that this occurs at γ max = 0.3185.
Fig. 8 shows the optimal intensities η TW soft (γ A,max ), η TW hard (γ A,max ), η OW soft (γ B,max ), and η OW hard (γ B,max ).These values are the optimal choices for the intensity η A or η B in the respective cases.

V. APPLICATION TO REAL SATELLITE COMMUNICATION
Now, we apply our analysis to the following two types of real satellite communication scenarios. (I) The transmitter is the earth station and the legitimate receiver is the GEO satellite in the noisy Gaussian channels ( 2) and ( 6).That is, Alice is the earth station and Bob is the GEO satellite in the OW, and Bob is the earth station and Alice is the GEO satellite in the TW.Notice that the noiseless public channel from the GEO satellite to the earth station is also required by using a proper combination of wireless communication and outer error correcting code in the TW.The noisy Gaussian channels ( 2) and ( 6) of these scenarios are explained in the two figures on the top in Fig 9, which describe the case when the Earth station is the information data communication source in the noisy Gaussian channel.In this case, the eavesdropper, Eve is a low Earth orbit (LEO) satellite or a medium Earth orbit (MEO) satellite.(II) The transmitter is the GEO satellite and the legitimate receiver is the earth station in the noisy Gaussian channels (2) and ( 6).That is, Alice is the GEO satellite and Bob is the earth station in the OW, and Bob is the GEO satellite and Alice is the earth station in the TW.The noisy Gaussian channels (2) and ( 6) of these scenarios are explained in the two figures on the down in Fig 9, which describe the case when the GEO satellite is the information data communication source in the noisy Gaussian channel.In this case, Eve is an LEO satellite, an MEO satellite, or a GEO satellite.Let α(θ) be the normalised transmitter's antenna radiation's pattern of the earth station in response to the angle θ from the boresight axis directed to the GEO satellite to account for spatial attenuation.The function α(θ) can be considered exactly in case the (normalized) antenna pattern is known, or otherwise it can be considered in terms of the allowed emission of radiation according to space regulations.A typical analytical expression for α(θ) is where k = 2.0712/sin(θ 3dB ), with θ 3dB being the one-sided half-power angular beamwidth and J 1 and J 3 are the Bessel functions of the first kind, of order one and three respectively.Our interest is the parameter α(θ E ) in the specific angle θ E between Bob's and Eve's directions.g L and g E are legitimate and eavesdropper's receiver's antenna gains towards Earth station.Now we introduce a model for the coefficient that gives Eve's signal strength relative to Bob's signal in ( 2) and (6) (see [18][19] [31]).We first introduce the parameter µ to account for the relative antenna gain, i.e., µ := g L /g E .We also define β (r, ρ E ) to account for relative propagation losses between Bob and Eve as The exponent r accounts for the power attenuation decay that affects eavesdropper's propagation channel.Different values of the exponent model correspond to different assumptions about eavesdropper.Specifically, the eavesdropper can be modeled as a terrestrial, aerial or satellite station.For example, while for the satellite case r = 2, in case of aerial eavesdropper, a good assumption is to consider a large scale two-ray ground multipath model,with r > 2.Then, we discuss the parameter γ B in the OW (2) and the parameter γ A in the TW (6) because the channel (2) in the OW case is the same as the channel (6) in the TW case in each scenario (I) or (II).These parameters are given as where, γ n is the ratio between the powers of the noises in legitimate receiver's and eavesdropper's detectors.In doing a secrecy analysis, we assume in which orbit Eve is, but we don't make any assumption on which angle she is (since she is orbiting).In this case, to guarantee the security, we need to consider the worst case.For this aim, we consider the possible range R of the value (θ E , ρ E ).Then, the maximums of γ B and γ A are calculated to Now, we assume representative values for Eve's possible orbits according to basic orbital mechanics [30] and usual low or medium orbit terminology.In Case (I), when Eve is MEO (LEO), we assume that the height of Eve's orbit runs from ρ MEO min = 5000 to ρ MEO max = 20000 km (ρ LEO min = 150 to ρ LEO max = 2000 km).Also, we assume that the height of our GEO orbit is ρ GEO = 36000 km.Since the maximum of α (θ E ) is realized by θ E = 0 • , when Eve is MEO (LEO), we have γ(0 ).For illustration, we now assume Eve equally powerful than the legitimate receiver, i.e. µ = 1 and γ n = 1.Also, we have r = 2 for both LEO and MEO.Hence, the maximum γ B,max = γ A,max is given as γ (I) MEO := ρ GEO ρ MEO min = 36000/5000 = 7.2 for the case when Eve is MEO, and it is given as γ (I) LEO := ρ GEO ρ LEO min = 36000/150 = 240 for the case when Eve is LEO.Then, we have the capacities of the worst case as Table I.While these capacities are small in comparison with the conventional communication, we see that the secure communication is possible in these scenarios only in the TW case.
Applying same reasoning in Case (II), when Eve is MEO, the minimum of ρ E is ρ GEO − ρ MEO max at θ E = 0 • and the maximum of α (θ E ) is realized by θ E = 0 • .The same observation holds when Eve is LEO or GEO.In this case, it seems reasonable to assume the legitimate receiver having a more powerful antenna gain and less detector noise than the eavesdropper.Hence, we can again assume µ = 1 and γ n = 1.Again, we also have r = 2. Therefore, when Eve is MEO, the maximum γ B,max = γ A,max is calculated to be γ (II) MEO := ρ GEO (ρ GEO −ρ MEO max ) = 36000/(36000 − 20000) = 9/4.When Eve is LEO, it is calculated to be γ (II) LEO := ρ GEO (ρ GEO −ρ LEO max ) = 36000/(36000 − 2000) = 18/17.When Eve is GEO, the minimum distance between the transmitter of the initial transmission and Eve is 1km.Hence, it is calculated as γ (II) GEO := ρ GEO 1 = 36000.

VI. CONCLUSIONS AND FURTHER IMPROVEMENTS
We have introduced a two-way protocol for the BPSK modulation to overcome the limitations of the classic (oneway) wiretap physical layer security protocol.While the secrecy capacity of the one-way protocol is negative when Eve's channel is better than Bob's channel (i.e γ B > 1), we show that the two-way protocol always provides positive capacity with higher gains even for γ A ≥ 1 and γ B ≥ 1 when the noises exist and are independent.We have shown that the one-way protocol cannot realize secure communication in realistic scenarios of satellite communication, while our two-way protocol can realize secure communication in these realistic scenarios.Notice that this conclusion does not change whenever the maximum of possible values of γ A and γ B is greater than 1.
For example, in the scenario (I), we have the transmission rate 3.6×10 −4 with the worst case analysis in the two-way protocol with Eve's soft decision while the eavesdropper has an extremely stronger power in the detection process than the legitimate receiver, i.e., the eavesdropper has 240 times power in the receiving signal as the legitimate receiver.The conventional one-way method cannot realize secure communication in this case.This numerical analysis shows that even in this case, we can realize secure communication with the same physical device if we accept approximately e.g. one thousandth reduction of the speed of the conventional communication without secrecy (e.g., 1 Gbps is reduced to 1 Mbps).While this cost seems very large, the cost is still much smaller than quantum key distribution (QKD) [32] due to the following reason.Since QKD requires expensive devices, it is available only for extremely limited users (big governments and/or big military organizations).However, since the proposed method is based on the conventional satellite system, even though the transmission speed is very low, it is available for ordinary users.In fact, the user can use the proposed system when the size of communication is reduced, e.g., the user uses only email instead of video.On the other hand, in the scenario (II), we assume that the receiving antenna of the earth station has almost same performance as that of Eve.Under such a worst case assumption, we obtain very small transmission speed.To improve this, the receiving antenna of the earth station needs to be more powerful than that of Eve.However, to realize this condition, the earth station needs to prepare an expensive receiving device, which may or may not imply to restrict ordinary users since such higher cost is shared by all service/users sharing the earth station.In this sense, the scenario (II) may seem less practical for ordinary users.In any case, to realize secure communication, it is sufficient to share secure keys between two users.because one-time use of shared secure key realizes secure communication with both directions.Hence, it is sufficient to establish secure communication only with one direction.Therefore, the scenario (I) of TW is enough for our purpose.
However, in the scenario (I) of TW, if Eve is an eavesdrop-ping terrestrial node, e.g., a drone near the terrestrial earth station, she has better performance than LEO/MEO satellite.In this case, the secure transmission rate is worse than 3.6×10 −4 when the angle θ E is set to be 0.However, the possible minimum angle θ E of this case in practice is larger than that in the case with an eavesdropping LEO/MEO satellite.Therefore, it is needed to evaluate the secure transmission rate with an eavesdropping terrestrial node and the possible minimum angle θ E .However, it is not so easy to find the minimum angle θ E among practically possible values.Therefore, this type of analysis is remained as a future study.
As the price to pay, the protocol requires higher delay to establish the secure channel when compared to the one-way.However, this cost is much cheaper than the previous twoway protocols in the papers [23], [24], [25], [26] because they require many rounds of communication while our protocol requires only two rounds of communication.On the other hand, the transmission of information can be over a public channel while for randomness sharing, the channel needs to be previously authenticated like [29], [28].As discussed in [29], [28], the required amount of the random numbers shared between Alice and Bob in advance is the logarithm order of the size of intended secure communication.Also, this cost is much cheaper than the realization of quantum key distribution.Therefore, considering the cost-benefit performance, we find that our two-way method is useful.Furthermore, the bias of the variable B may reduce the effectiveness of the protocol and reduce the secrecy capacity gains.To improve this problem, we often distill uniform random numbers from the thermal noise.It is known that it is possible to distill uniform random numbers by applying a hash function to a biased random numbers [12], [13], [9], [10].To obtain the ultimate secure uniform random number, we may employ quantum random number generator [33], [34], [35], which requires much cheaper cost than quantum key distribution because it does not need quantum communication.
Unfortunately, this paper discusses only the asymptotic performance.Since the implemented communication system has finite-length codes, we need to evaluate the security of finite-length codes for its practical application [36], [37], [38], [39], [40].Since the finite-length analysis depends on the choice of the security criterion, we need to be careful of its choice [7], [10].As such a study is beyond the focus on this paper, it is considered as a future study.Furthermore, it is well known that a good model for the land mobile satellite (LMS) channel model is a Markov model [48].Hence, it is a completely different channel from (6).Therefore, follow up studies also include considering different satellite channel models such as fading models accounting for frequencydependent atmospheric effects and for the case of mobile (legitimate) users.

Fig. 2 .
Fig. 2. Graphical illustration of the one way protocol with Gaussian channels.N B and N E are noise powers at Bob's and Eve's receivers.

Fig. 3 .
Fig. 3. Graphical illustration of the two-way protocol with Gaussian channels.Phase 1 is shown in red and Phase 2 is shown in black.
Hence, the Markov chain A − B − Z condition guarantees that P Z,X |X (z, x |x) = b P Z |B (z|b)P B | A (b|x ⊕ x)P A (x ⊕ x) = b P Z |B (z|b)P B,X |X (b, x |x).

Fig. 4 .
Fig. 4. Bob's computation channel model for the two-way protocol.Independently of whether Eve uses hard or soft detection, two-way secrecy capacity can be attained with this computation model.Now, we compare C TW soft (γ A , η A ) and C OW soft (γ B , η B ) when γ A = γ B = γ and η A = η B = η.For this comparison, we fix η and change γ.Due to the above discussion, when γ > 1, C TW soft (γ, η) is larger than C OW soft (γ, η).In contrast, under the limit γ → 0, we have lim γ→0 C TW soft (γ, η) = log 2 − h( A ) = I(B TW ; A TW ) < I(B TW ; Y TW )
where γ B,max is the maximum value among possible values of γ B .η OW soft (γ B,max ) := argmax η B C OW soft (γ B,max , η B ) and η OW hard (γ B,max ) := argmax η B C OW hard (γ B,max , η B ) are the optimal intensities of η B .Now we show numerical calculations to compare the capacities of the one-way protocol and the two-way protocol.For easy visualization, we calculate numerical values assuming η B = η A and γ A = γ B .

Fig. 6 .
Fig. 6.Comparison among the optimum secret capacities C TW soft (γ A,max ), C TW hard (γ A,max ), C OW soft (γ B,max ), and C OW hard (γ B,max).The vertical axis expresses these optimal capacities.The horizontal axis expresses γ A,max and γ B,max with log scale, which runs from 10 −3 to 10 2 .

Fig. 9 .
Fig. 9. Geometry considered to illustrate the real satellite communication secrecy analysis.The two figures on the top describe Case (I), in which the Earth station is the source in the noisy Gaussian channels (2) and (6).The two figures on the bottom describe Case (II), in which the satellite is the source in the noisy Gaussian channels (2) and (6).The geometries for OW (left) and TW (right) cases illustrate LEO and MEO orbit heights.The dashed line expresses the noiseless public channel from Alice to Bob in the TW case.The eavesdropper can be at any LEO or MEO orbit while the legitimate transmitter and receiver are either the earth station of the GEO satellite.