Polar Coding for Confidential Broadcasting

A polar coding scheme is proposed for the Wiretap Broadcast Channel with two legitimate receivers and one eavesdropper. We consider a model in which the transmitter wishes to send the same private (non-confidential) message and the same confidential message reliably to two different legitimate receivers, while the confidential message must also be kept (strongly) secret from the eavesdropper. The coding scheme aims to use the optimal rate of randomness and makes no assumption regarding the symmetry or degradedness of the channel. This paper extends previous work on polar codes for the wiretap channel by proposing a new chaining construction that allows the same confidential message to be sent reliably and securely to two different receivers. This construction introduces new dependencies between the random variables involved in the coding scheme, which must be accounted for in the secrecy analysis.


Introduction
Information-theoretic security over noisy channels was introduced by Wyner in [1], which characterized the secrecy-capacity of the degraded wiretap channel. Later, Csiszár and Körner in [2] generalized Wyner's results to the general wiretap channel. In these settings, one transmitter wishes to reliably send one message to a legitimate receiver while keeping it secret from an eavesdropper, where secrecy is defined in terms of some fully quantifiable information-theoretic measure. One such measure is the information leakage, defined as the mutual information I(W; Z^n) between a uniformly distributed random message W and the channel observations Z^n at the eavesdropper, n being the number of uses of the channel. Based on this measure, the most common secrecy conditions required of channel codes are weak secrecy, which requires lim_{n→∞} (1/n) I(W; Z^n) = 0, and strong secrecy, which requires lim_{n→∞} I(W; Z^n) = 0. Although the second notion of security is stronger, surprisingly both conditions result in the same secrecy-capacity [3].
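As a quick numerical illustration of the leakage measure (not part of any coding scheme discussed here), the following sketch computes I(W; Z) for a single channel use, where a uniform one-bit message W is observed through a hypothetical binary symmetric eavesdropper channel with crossover probability 0.1; both the channel and its parameter are illustrative assumptions:

```python
import math

def mutual_information(p_joint):
    """I(W; Z) in bits from a joint pmf given as a dict {(w, z): prob}."""
    pw, pz = {}, {}
    for (w, z), p in p_joint.items():
        pw[w] = pw.get(w, 0.0) + p
        pz[z] = pz.get(z, 0.0) + p
    return sum(p * math.log2(p / (pw[w] * pz[z]))
               for (w, z), p in p_joint.items() if p > 0)

# Uniform one-bit message W observed through a hypothetical BSC(0.1) eavesdropper.
eps = 0.1
joint = {(w, z): 0.5 * (eps if w != z else 1 - eps)
         for w in (0, 1) for z in (0, 1)}

leakage = mutual_information(joint)   # equals 1 - h2(0.1), about 0.53 bits
print(leakage)
```

With one channel use, roughly half a bit of the message leaks; a secrecy-capacity-achieving code drives the total leakage I(W; Z^n) to zero as n grows.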
In the last decade, information-theoretic security has been extended to a large variety of contexts, and polar codes have become increasingly popular in this area because their secrecy-capacity-achieving property is comparatively easy to prove. Polar codes were originally proposed by Arikan in [4] to achieve the capacity of binary-input, symmetric, point-to-point channels under Successive Cancellation (SC) decoding. Secrecy-capacity-achieving polar codes for the binary symmetric degraded wiretap channel were introduced in [5,6], satisfying the weak and the strong secrecy condition, respectively. Recently, polar coding has been extended to the general wiretap channel in [7][8][9][10] and to different multiuser scenarios (for instance, see [11,12]). Indeed, [9,10] generalize their results by providing polar codes for the broadcast channel with confidential messages.
This paper provides a polar coding scheme that transmits strongly confidential common information to two legitimate receivers over the Wiretap Broadcast Channel (WTBC). Although [13] provided an obvious lower-bound on the secrecy-capacity of this model, no constructive polar coding scheme has been proposed so far. Our polar coding scheme is based mainly on the one introduced in [10] for the broadcast channel with confidential messages. Accordingly, the proposed polar coding scheme aims to use the optimal amount of randomness in the encoding. Moreover, in order to construct an explicit polar coding scheme that provides strong secrecy, the distribution induced by the encoder must be close, in terms of statistical distance, to the one considered for the code construction, and the transmitter and legitimate receivers need to share a secret key of negligible size in terms of rate. Nevertheless, the particularization to the model proposed in this paper is not straightforward. Specifically, we propose a new chaining construction [14] (transmission will take place over several blocks) that is crucial for secretly transmitting common information to different legitimate receivers. Indeed, this model generalizes, in part, the one described in [10], where the confidential message is intended for only one legitimate receiver, and the one in [15], which considers only the transmission of non-confidential messages intended for two different receivers. The proposed chaining introduces new bidirectional dependencies between encoding random variables of adjacent blocks that must be handled carefully in the secrecy analysis. Indeed, we need an additional secret key of negligible size in terms of rate that is privately shared between the transmitter and the legitimate receivers, which is used to prove that dependencies between blocks can be broken and, therefore, that the strong secrecy condition is satisfied.

Notation
Throughout this paper, let [n] ≜ {1, . . . , n} for n ∈ Z+, and let a^n denote a row vector (a(1), . . . , a(n)). We write a^{1:j}, for j ∈ [n], to denote the subvector (a(1), . . . , a(j)). Let A ⊂ [n]; then we write a[A] to denote the sequence {a(j)}_{j∈A}, and we use A^C to denote the set complement with respect to the universal set [n], that is, A^C = [n] \ A. If A denotes an event, then A^C also denotes its complement. We use ln to denote the natural logarithm, whereas log denotes the logarithm base 2. Let X be a random variable taking values in X, and let q_X and p_X be two different distributions with support X; then D(q_X, p_X) and V(q_X, p_X) denote the Kullback-Leibler divergence and the total variation distance, respectively. Finally, h_2(p) denotes the binary entropy function, i.e., h_2(p) = −p log p − (1 − p) log(1 − p).
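The three quantities just defined can be sketched in a few lines of Python; the numeric example at the end is purely illustrative:

```python
import math

def h2(p):
    """Binary entropy h2(p) = -p log p - (1 - p) log(1 - p), in bits."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def kl_divergence(q, p):
    """D(q, p): Kullback-Leibler divergence in bits; assumes supp(q) within supp(p)."""
    return sum(qi * math.log2(qi / pi) for qi, pi in zip(q, p) if qi > 0)

def total_variation(q, p):
    """V(q, p): total variation distance, half the L1 distance between pmfs."""
    return 0.5 * sum(abs(qi - pi) for qi, pi in zip(q, p))

q, p = [0.5, 0.5], [0.9, 0.1]
print(h2(0.5))                 # 1.0
print(total_variation(q, p))   # 0.4
print(kl_divergence(q, p))     # about 0.737
```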

Organization
The remainder of this paper is organized as follows. Section 2 introduces the channel model formally. In Section 3, the fundamental theorems of polar codes are revisited. Section 4 describes the proposed polar coding scheme, and Section 5 proves that this polar coding scheme achieves the best known inner-bound on the secrecy-capacity of this model. Finally, the concluding remarks are presented in Section 6.

Channel Model and Achievable Region
Formally, a WTBC (X, p_{Y^(1) Y^(2) Z|X}, Y^(1) × Y^(2) × Z) with two legitimate receivers and an external eavesdropper is characterized by the probability transition function p_{Y^(1) Y^(2) Z|X}, where X ∈ X denotes the channel input, Y^(k) ∈ Y^(k) denotes the channel output corresponding to legitimate Receiver k ∈ [1, 2], and Z ∈ Z denotes the channel output corresponding to the eavesdropper. We consider a model, namely Common Information over the Wiretap Broadcast Channel (CI-WTBC), in which the transmitter wishes to send a private message W and a confidential message S to both legitimate receivers. A (2^{nR_W}, 2^{nR_S}, 2^{nR_R}, n) code for the CI-WTBC consists of a private message set W ≜ [1, 2^{nR_W}], a confidential message set S ≜ [1, 2^{nR_S}], a randomization sequence set R ≜ [1, 2^{nR_R}] (needed to confuse the eavesdropper about the confidential message S), an encoding function f : W × S × R → X^n that maps (w, s, r) to a codeword x^n, and two decoding functions g^(1) and g^(2) such that g^(k) : Y^n_(k) → W × S, for k ∈ [1, 2], maps the k-th legitimate receiver's observations y^n_(k) to the estimates (ŵ^(k), ŝ^(k)). The reliability condition to be satisfied by this code is measured in terms of the average probability of error and is given by lim_{n→∞} P[(Ŵ^(k), Ŝ^(k)) ≠ (W, S) for some k ∈ [1, 2]] = 0. (1) The strong secrecy condition is measured in terms of the information leakage and is given by lim_{n→∞} I(S; Z^n) = 0. (2) This model is graphically illustrated in Figure 1. A triple of rates (R_W, R_S, R_R) ∈ R³+ is achievable for the CI-WTBC if there exists a sequence of (2^{nR_W}, 2^{nR_S}, 2^{nR_R}, n) codes that satisfy the reliability and secrecy conditions (1) and (2), respectively. The achievable rate region is defined as the closure of the set of all achievable rate triples (R_W, R_S, R_R). The following proposition defines an inner-bound on this region. Proposition 1 (Adapted from [13,16]).
The region R_{CI-WTBC}, defined by taking the union of the triples of rates over all distributions p_{VX} such that V − X − (Y^(1), Y^(2), Z) forms a Markov chain, is an inner-bound on the achievable region of the CI-WTBC.
In this model, the private message W introduces part of the randomness required to confuse the eavesdropper about the confidential message S, and the randomization sequence R denotes the additional randomness that is required for channel prefixing.

Review of Polar Codes
Let (X × Y, p_{XY}) be a Discrete Memoryless Source (DMS), where X ∈ {0, 1} (throughout this paper we assume binary polarization; nevertheless, an extension to q-ary alphabets is possible [10,17,18]) and Y ∈ Y. The polar transform over the n-sequence X^n, n being any power of 2, is defined as U^n ≜ X^n G_n, where G_n ≜ [1 0; 1 1]^{⊗n} is the source polarization matrix [19]. Since G_n = G_n^{−1}, we have X^n = U^n G_n. The polarization theorem for source coding with side information (Th. 1 of [19]) states that the polar transform extracts the randomness of X^n in the sense that, as n → ∞, the set of indices j ∈ [n] can be divided practically into two disjoint sets, namely H^{(n)}_{X|Y} and L^{(n)}_{X|Y}, such that U(j) for j ∈ H^{(n)}_{X|Y} is practically independent of (U^{1:j−1}, Y^n) and uniformly distributed, i.e., H(U(j)|U^{1:j−1}, Y^n) → 1, and U(j) for j ∈ L^{(n)}_{X|Y} is almost determined by (U^{1:j−1}, Y^n), i.e., H(U(j)|U^{1:j−1}, Y^n) → 0. Formally, let H^{(n)}_{X|Y} ≜ {j ∈ [n] : H(U(j)|U^{1:j−1}, Y^n) ≥ 1 − δ_n} and L^{(n)}_{X|Y} ≜ {j ∈ [n] : H(U(j)|U^{1:j−1}, Y^n) ≤ δ_n}, where δ_n ≜ 2^{−n^β} for some β ∈ (0, 1/2). Then, lim_{n→∞} (1/n)|(H^{(n)}_{X|Y} ∪ L^{(n)}_{X|Y})^C| = 0, i.e., the number of elements that have not been polarized is asymptotically negligible in terms of rate. Furthermore, Th. 2 of [19] states that, given (Y^n, U[(L^{(n)}_{X|Y})^C]), the sequence U[L^{(n)}_{X|Y}] can be reconstructed using SC decoding with error probability in O(nδ_n). Alternatively, the previous sets can be defined based on the Bhattacharyya parameters {Z(U(j)|U^{1:j−1}, Y^n)}_{j=1}^n because both parameters polarize simultaneously (Proposition 2 of [19]). It is worth mentioning that both the entropy terms and the Bhattacharyya parameters required to define these sets can be obtained deterministically from p_{XY} and the algebraic properties of G_n [20][21][22].
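For concreteness, the involutive property G_n = G_n^{−1} over GF(2) and the transform pair U^n = X^n G_n, X^n = U^n G_n can be checked numerically; this is a sketch using the kernel [[1, 0], [1, 1]], omitting the bit-reversal reordering that some formulations include:

```python
def kron(A, B):
    """Kronecker product of two 0/1 matrices given as lists of lists."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def polar_matrix(m):
    """m-th Kronecker power of the kernel [[1, 0], [1, 1]] over GF(2)."""
    G = [[1]]
    for _ in range(m):
        G = kron(G, [[1, 0], [1, 1]])
    return G

def gf2_vecmat(x, G):
    """Row vector times matrix over GF(2)."""
    n = len(G)
    return [sum(x[i] * G[i][j] for i in range(n)) % 2 for j in range(n)]

G = polar_matrix(3)              # an 8 x 8 matrix, n = 2^3
x = [1, 0, 1, 1, 0, 0, 1, 0]
u = gf2_vecmat(x, G)             # polar transform U^n = X^n G_n
assert gf2_vecmat(u, G) == x     # X^n = U^n G_n: applying G_n twice is the identity
print(u)
```

The self-inverse property follows from the kernel being involutive mod 2 together with the mixed-product property of the Kronecker product.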
Similarly, the sets H^{(n)}_X and L^{(n)}_X can be defined by considering that the observations Y^n are absent. A discrete memoryless channel (X, p_{Y|X}, Y) with some arbitrary p_X can be seen as a DMS (X × Y, p_X p_{Y|X}). In channel polar coding, we first define the previous sets from the target distribution p_X p_{Y|X} (polar construction). Then, based on these sets, the encoder constructs Ũ^n (since the polar-based encoder constructs random variables that must approach the target distribution of the DMS, throughout this paper we use a tilde above random variables to emphasize this purpose) and applies the inverse polar transform X̃^n = Ũ^n G_n with distribution q̃_{X^n}. Afterwards, the transmitter sends X̃^n over the channel, which induces Ỹ^n ∼ q̃_{Y^n}. If V(q̃_{X^n Y^n}, p_{X^n Y^n}) → 0, then the receiver can reliably reconstruct Ũ[L^{(n)}_{X|Y}] from (Ỹ^n, Ũ[(L^{(n)}_{X|Y})^C]) by using SC decoding.
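As an illustration of the Bhattacharyya-based construction mentioned above, for a binary erasure channel the parameters evolve in closed form under one polarization step: Z⁻ = 2Z − Z² and Z⁺ = Z². This BEC special case is a standard textbook example, not the construction used for the general WTBC:

```python
def bec_bhattacharyya(eps, m):
    """Bhattacharyya parameters of the 2^m synthesized channels of a BEC(eps).
    For the erasure channel, one polarization step maps Z to (2Z - Z^2, Z^2)."""
    zs = [eps]
    for _ in range(m):
        zs = [w for z in zs for w in (2 * z - z * z, z * z)]
    return zs

delta = 0.01
zs = bec_bhattacharyya(0.5, 10)                          # 1024 synthesized channels
high = [j for j, z in enumerate(zs) if z >= 1 - delta]   # nearly useless indices
low = [j for j, z in enumerate(zs) if z <= delta]        # nearly noiseless indices
# The fraction of nearly noiseless indices approaches the capacity 1 - eps = 0.5
# as m grows, while the unpolarized remainder becomes negligible in rate.
print(len(low) / len(zs), len(high) / len(zs))
```

Note that the update preserves the average of the parameters (the Z-process is a martingale), which the test below checks.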
If H(V|Y^(1)) < H(V|Y^(2)), one can simply exchange the roles of Y^(1) and Y^(2) in the polar coding scheme described in Section 4. We propose a polar coding scheme that achieves the following rate triple, which corresponds to the point of the region in Proposition 1 at which the private and the confidential message rates are maximum and the amount of randomness is minimum. For the input random variable V, we define the polar transform A^n ≜ V^n G_n and its associated sets. For the input random variable X, we define T^n ≜ X^n G_n and its associated sets. We have p_{A^n T^n}(a^n, t^n) = p_{V^n X^n}(a^n G_n, t^n G_n), due to the invertibility of G_n, and we write p_{A^n T^n}(a^n, t^n) = ∏_{j=1}^n p_{A(j)|A^{1:j−1}}(a(j)|a^{1:j−1}) · ∏_{j=1}^n p_{T(j)|T^{1:j−1} V^n}(t(j)|t^{1:j−1}, a^n G_n).
Consider that the encoding takes place over L blocks indexed by i ∈ [1, L]. At the i-th block, the encoder constructs Ã^n_i, which carries the private and the confidential messages intended for both legitimate receivers. Additionally, the encoder stores into Ã^n_i some elements from the adjacent blocks (chaining), so that both legitimate receivers are able to reliably reconstruct Ã^n_{1:L}. Then, given Ṽ^n_i = Ã^n_i G_n, the encoder performs the polar-based channel prefixing to construct T̃^n_i. Finally, it obtains X̃^n_i = T̃^n_i G_n, which is transmitted over the WTBC, inducing the channel output observations (Ỹ^n_{(1),i}, Ỹ^n_{(2),i}, Z̃^n_i).
Moreover, we also define a partition of the set G^{(n)} and a partition of the set C^{(n)}. These sets are graphically represented in Figure 2. Roughly speaking, A[H^{(n)}_{V|Z}] is almost independent of Z^n and, hence, Ã_i[G^{(n)}] is suitable for storing information to be secured from the eavesdropper, whereas Ã_i[C^{(n)}] is not. The sets in (12)–(19) with subscript 1 (sets inside the red curve in Figure 2) form part of (H^{(n)}_{V|Y^(1)})^C. From Th. 2 of [19,23], recall that Ã_i[(L^{(n)}_{V|Y^(k)})^C] is the nearly uniformly distributed part of the sequence Ã^n_i required by legitimate Receiver k to reliably reconstruct the entire sequence by performing SC decoding.
Figure 2. Graphical representation of the sets in (10)–(19). The indices inside the soft and dark gray areas form G^{(n)} and C^{(n)}, respectively. The indices that form (H^{(n)}_{V|Y^(1)})^C are those inside the red curve, while those inside the blue curve form (H^{(n)}_{V|Y^(2)})^C.

For sufficiently large n, assumption (3) imposes the restriction in (20) on the sizes of the previous sets. The left-hand inequality in (20) holds because the corresponding difference of cardinalities is positive, where the positivity holds by Lemma 4 of [10] because, for any k ∈ [1, 2], the required entropy inequality holds. Similarly, the right-hand inequality in (20) holds by Lemma 4 of [10]. Thus, according to (20), we must consider four cases:

General Polar-Based Encoding
The generic encoding process for all cases is summarized in Algorithm 1. For i ∈ [1, L], let W_i be a uniformly distributed vector of length |C^{(n)}| that represents the private message. The sequence Ψ^{(V)}_{1,2} is required by legitimate Receiver 2 to reliably estimate Ã^n_i and, thus, the encoder repeats it in the adjacent block (the function form_A_G is responsible for the chaining construction and is described later). On the other hand, Θ^{(V)}_{1,2} is required by legitimate Receiver 1. Nevertheless, in order to satisfy the strong secrecy condition in (2), secret keys of sizes |Ψ^{(V)}_{1,2}| and |Θ^{(V)}_{1,2}|, respectively, are privately shared between the transmitter and both legitimate receivers, and for any i ∈ [2, L] we define the corresponding randomized sequences. Since these secret keys are reused in all blocks, their size becomes negligible in terms of rate for L large enough. The need for these secret keys may not be obvious at this point, but a further discussion of this question can be found in Section 5.4. Indeed, they are required to prove independence between the eavesdropper's observations of adjacent blocks (see Lemma 3), which is crucial to prove that the polar coding scheme satisfies the strong secrecy condition in (2).
The function form_A G in Algorithm 1 constructs sequencesÃ 1:L [G (n) ] differently depending on which case, among cases A, B, C or D described before, characterizes the given CI-WTBC. This part of the encoding is described in detail in Section 4.2 and Algorithm 2.
Then, given Ã_i[C^{(n)} ∪ G^{(n)}], the encoder forms the remaining entries of Ã^n_i: the entries outside H^{(n)}_V are drawn deterministically by using SC encoding [24], and only the remaining entries of Ã_i[H^{(n)}_V] are constructed randomly. Finally, given Ṽ^n_i = Ã^n_i G_n, a randomization sequence R_i and a uniformly distributed random sequence Λ^{(V)}_0, the encoder performs the polar-based channel prefixing (function pb_ch_pref in Algorithm 1) to obtain X̃^n_i, which is transmitted over the WTBC, inducing (Ỹ^n_{(1),i}, Ỹ^n_{(2),i}, Z̃^n_i). This part of the encoding is described in detail in Section 4.3.
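The deterministic-versus-random decision rule used in SC encoding can be sketched as follows. The model function `cond_prob_one` and all parameters are hypothetical stand-ins for the true conditionals of the DMS, so this is an illustrative skeleton rather than the paper's algorithm:

```python
import math
import random

def sc_encode_sketch(n, preset, cond_prob_one, delta):
    """Illustrative SC-encoding skeleton.

    preset: dict {index: bit} for entries already fixed (messages, chaining, keys).
    cond_prob_one(j, prefix): assumed model of P(U(j) = 1 | U^{1:j-1}) under the
    target DMS. Low-entropy entries are set deterministically (argmax); the
    remaining high-entropy entries are drawn randomly, as described in the text.
    """
    u = []
    for j in range(n):
        if j in preset:
            u.append(preset[j])
            continue
        p1 = cond_prob_one(j, tuple(u))
        if p1 in (0.0, 1.0):
            h = 0.0
        else:
            h = -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))
        if h <= delta:
            u.append(1 if p1 > 0.5 else 0)               # deterministic SC decision
        else:
            u.append(1 if random.random() < p1 else 0)   # random SC decision
    return u

# Toy run: entries 0 and 1 carry preset bits; the assumed model is deterministic.
out = sc_encode_sketch(4, {0: 1, 1: 0}, lambda j, prefix: 1.0, 0.01)
print(out)   # [1, 0, 1, 1]
```

Replacing the random decisions with deterministic ones is precisely the open problem noted in the concluding remarks.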
Furthermore, the encoder obtains the sequence Φ^{(V)}_{(k),i}, for any k ∈ [1, 2] and i ∈ [1, L], which is required by legitimate Receiver k to reliably estimate Ã^n_i entirely. Since Φ^{(V)}_{(k),i} is not nearly uniform, the encoder cannot make it available to legitimate Receiver k by means of the chaining structure. Furthermore, the encoder obtains the sequence Υ^{(V)}_{(k)}, which is required by legitimate Receiver k ∈ [1, 2] to initialize the decoding process. Therefore, the transmitter additionally sends these sequences encrypted with κ^{(V)}_{ΥΦ(k)}, a uniformly distributed key that is privately shared between the transmitter and the corresponding receiver. In Section 5.1 we show that the length of κ^{(V)}_{ΥΦ(1)} and κ^{(V)}_{ΥΦ(2)} is asymptotically negligible in terms of rate.

Algorithm 1 Generic encoding scheme
Require: Private and confidential messages W_{1:L} and S_{1:L}; randomization sequences R_{1:L}; random sequence Λ^{(X)}_0; and the corresponding secret keys. The function form_A_G encodes the confidential messages S_{1:L} and builds the chaining construction.
Based on the sets in (10)–(19), some sets of the partition will depend on the particular case (among A to D). For i ∈ [1, L], let S_i denote a uniformly distributed vector that represents the confidential message. Furthermore, by (20), the set I^{(n)} exists, and so do the corresponding R sets. The sets that form the partition of G^{(n)} in Case A can be seen in Figure 3, which also displays the encoding process that aims to construct Ã_1; the corresponding areas are those filled with yellow squares, blue circles, blue and yellow diamonds, pink crosses, and gray pentagons, respectively, and the set I^{(n)} is the green filled area. At Block i ∈ [1, L], W_i is represented by symbols of the same color (e.g., red symbols at Block 2), and the initialization entries are those inside the red curve at Block 1 and the blue curve at Block L, respectively. The sequence Ψ is needed by legitimate Receiver 2 to reliably reconstruct Ã^n_{i−1}, but can be reliably inferred by legitimate Receiver 1 given Ã_{i−1}[(L^{(n)}_{V|Y^(1)})^C]. Hence, according to Algorithm 2, the encoder repeats the entire sequence. Similarly, from (17), the sequence Θ is needed by Receiver 1 to form Ã^n_{i+1} but can be inferred by Receiver 2 given Ã_{i+1}[(L^{(n)}_{V|Y^(2)})^C]. Hence, the encoder repeats this sequence as well. The sequences Γ_{1,2} are needed by both receivers to form Ã^n_{i−1} and Ã^n_{i+1}, respectively. Hence, the encoder repeats Γ_{1,2}; indeed, both sequences are repeated in the same entries, and this part is replicated in all blocks.

Case B
In this case, G Obviously, R Indeed, since I (n) ⊆ G (n) 2 , notice that R (n) S = I (n) . These sets that form the partition of G (n) in Case B can be seen in Figure 4, which also displays the encoding process that aims to construct  In this case, for any i ∈ [1, L], Ψ

Case C
In this case, recall that G In this case, for i ∈ [1, L], we define Ψ

Case D
In this case, recall the definition of G^{(n)}_{1,2}. The sets that form the partition of G^{(n)} in Case D are defined below and can be seen in Figure 6, which also displays the corresponding encoding process; the relevant set exists because of the assumption in (20). In this case, for i ∈ [1, L], Θ^{(V)}_{2,i+1} denotes part of those elements of Θ that are repeated in the next block.

Channel Prefixing
The channel prefixing aims to construct X̃^n_i = T̃^n_i G_n and is summarized in Algorithm 3. For every j such that H(T(j)|T^{1:j−1}, V^n) ≤ δ_n, the encoder constructs T̃_i(j) deterministically by using SC encoding [24]. Otherwise,

Algorithm 3 Function pb_ch_pref
for j ∈ H^{(n)}_{X|V}, the encoder randomly draws T̃_i(j) from the distribution p_{T(j)|T^{1:j−1} V^n}.

Decoding
Consider that Υ_{(k),1:L}, for all k ∈ [1, 2], is available to the k-th legitimate receiver. In the decoding process, both legitimate receivers form the estimates Â^n_{1:L} of Ã^n_{1:L} and then obtain the messages (Ŵ_{1:L}, Ŝ_{1:L}).

Legitimate Receiver 1
This receiver forms the estimates Â^n_{1:L} by going forward, i.e., from Â^n_1 to Â^n_L, and this process is summarized in Algorithm 4.

•
In Case D, Receiver 1 gets Θ̃ (e.g., yellow squares with a line through them at Block 2 in Figure 6) and Ψ̃ (yellow squares with a line through them overlapped by blue circles). Since Ψ̃^{(V)}_{2,i−1} ⊂ Â^n_{i−1} (blue circles) has already been estimated, Receiver 1 obtains Θ̃ (yellow squares with a line through them).

•
Otherwise, in the other cases, Receiver 1 obtains Θ̃ directly (yellow squares with a line through them at Block 2 in Figures 3-5).
Then, given Θ̃_{2,i+1}, in all cases Receiver 1 recovers Θ̃. From Â^n_i, Receiver 1 also obtains Γ̃_{i+1} as follows. At Block 1, in all cases it gets Γ̃ directly (e.g., all red triangles with a line through them at Block 1 in Figures 3-6). At Block i ∈ [2, L − 1], in all cases it obtains Γ̃_{1,2} (e.g., blue and yellow diamonds with a line through them at Block 2), since Γ̃_{1,i−1} has already been estimated (yellow triangles with a line through them). Only in Case B, Receiver 1 obtains Γ̃ from the remaining entries (remaining yellow triangles with a line through them at Block 2 in Figure 4). Then, given Γ̃_{2,i+1}, in all cases Receiver 1 recovers Γ̃. Lastly, only in Case A and Case B, Receiver 1 obtains Π̃ (e.g., purple crosses at Block 2 in Figures 3 and 4).

Legitimate Receiver 2
This receiver forms the estimates Â^n_{1:L} by going backward, i.e., from Â^n_L to Â^n_1, and this process is summarized in Algorithm 5.

•
In Case D, Receiver 2 obtains Ψ̃ (e.g., red circles at Block 3 in Figure 6) and Γ̃_{1,2} (cyan squares with a line through them overlapped by red circles).

Performance of the Polar Coding Scheme
The analysis of the polar coding scheme of Section 4 leads to the following theorem.
Theorem 1. Let (X, p_{Y^(1) Y^(2) Z|X}, Y^(1) × Y^(2) × Z) be an arbitrary WTBC such that X ∈ {0, 1}. The polar coding scheme described in Section 4 achieves the corner point in Equation (4) of the region R_{CI-WTBC} defined in Proposition 1.
The proof of Theorem 1 follows in four steps and is provided in the following subsections. In Section 5.1 we show that the polar coding scheme approaches the rate tuple in (4). In Section 5.2 we prove that the joint distribution of (Ṽ^n_i, X̃^n_i, Ỹ^n_{(1),i}, Ỹ^n_{(2),i}, Z̃^n_i), for all i ∈ [1, L], is asymptotically indistinguishable from that of the original DMS used for the polar code construction. Finally, in Sections 5.3 and 5.4 we show that the polar coding scheme satisfies the reliability and secrecy conditions (1) and (2), respectively.

Transmission Rates
We prove that the polar coding scheme described in Section 4 approaches the rate tuple in Equation (4). Furthermore, we show that the overall length of the secret keys κ^{(V)}_{ΥΦ(1)} and κ^{(V)}_{ΥΦ(2)}, as well as the additional randomness used in the encoding (besides the randomization sequences), is asymptotically negligible in terms of rate.

Private Message Rate
For i ∈ [1, L], we have W_i = Ã_i[C^{(n)}]. According to the definition of C^{(n)} in (11), we have lim_{n→∞} (1/n)|C^{(n)}| = I(V; Z), where the limit holds by Lemma 4 of [10]. Therefore, the private message rate achieved by the polar coding scheme is R_W = I(V; Z), as in (4).

Confidential Message Rate
From Section 4.2, the confidential message rate satisfies the following in all cases: (a) holds by the definition of I^{(n)} in (24); (b) holds because, in all cases, we have the assumption H(V|Y^(1)) ≥ H(V|Y^(2)), which means that |(L^{(n)}_{V|Y^(1)})^C| ≥ |(L^{(n)}_{V|Y^(2)})^C| (by Lemma 4 of [10]); and the limit when n goes to infinity also holds by Lemma 4 of [10]. Hence, the polar coding scheme operates as close to the rate R_S in (4) as desired by choosing a sufficiently large L.

Randomization Sequence Rate
Here, the limit holds by Lemma 4 of [10]. Thus, the randomization sequence rate used by the polar coding scheme is R_R = I(X; Z|V), as in (4).

Private-Shared Sequence Rate
The transmitter and legitimate Receiver k ∈ [1, 2] must privately share the keys κ^{(V)}_{ΥΦ(k)}.
Hence, the overall rate of the privately shared keys vanishes: (a) follows from the definition of C^{(n)}, and the limit as n approaches infinity follows from applying Lemma 4 of [10].

Distribution of the DMS after the Polar Encoding
For i ∈ [1, L], let q̃_{A^n_i T^n_i} denote the distribution of (Ã^n_i, T̃^n_i) after the encoding. The following lemma proves that q̃_{A^n_i T^n_i} and the marginal distribution p_{A^n T^n} of the original DMS are nearly statistically indistinguishable for sufficiently large n and, consequently, so are q̃_{V^n_i X^n_i Y^n_{(1),i} Y^n_{(2),i} Z^n_i} and p_{V^n X^n Y^n_{(1)} Y^n_{(2)} Z^n}. This result is crucial for the reliability and secrecy performance of the polar coding scheme.
Proof. Omitted, as it follows from reasoning similar to that of Lemma 3 of [11].

Reliability Analysis
In this section we prove that both legitimate receivers can reliably reconstruct the private and the confidential messages (W_{1:L}, S_{1:L}) with arbitrarily small error probability. Consider the corresponding marginals of q̃ and of p_{V^n X^n Y^n_(1) Y^n_(2) Z^n}, respectively, and define an optimal coupling (Proposition 4.7 of [25]). Additionally, define the corresponding error event. From Ỹ^n_{(2),L}, legitimate Receiver 2 knows Ã_L[(L^{(n)}_{V|Y^(2)})^C]. Moreover, due to the chaining structure, in Section 4.4 we have seen that the analogous statements hold for the remaining blocks. Hence, the probability of incorrectly decoding (W_i, S_i) at Receiver k ∈ [1, 2] satisfies a bound in which (a) holds by Th. 2 of [19]; (b) follows from the optimal coupling and Lemma 1; and (c) holds by induction and Equations (35) and (36). Therefore, by the union bound we obtain P[(W_{1:L}, S_{1:L}) ≠ (Ŵ_{1:L}, Ŝ_{1:L})] ∈ O(L n δ_n), and for sufficiently large n the polar coding scheme satisfies the reliability condition in (1).
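In compact form, the union-bound step over the L blocks can be written as follows (a sketch using the per-block SC error bound in O(nδ_n) quoted from Th. 2 of [19]):

```latex
P\left[(W_{1:L}, S_{1:L}) \neq (\hat{W}_{1:L}, \hat{S}_{1:L})\right]
  \leq \sum_{i=1}^{L} P\left[(W_i, S_i) \neq (\hat{W}_i, \hat{S}_i)\right]
  \in O\!\left(L \, n \, \delta_n\right),
  \qquad \delta_n \triangleq 2^{-n^{\beta}},
```

which vanishes as n → ∞ for any fixed number of blocks L, since δ_n decays faster than any polynomial in n.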

Secrecy Analysis
Since the encoding in Section 4 takes place over L blocks of size n, we need to prove that lim_{n→∞} I(S_{1:L}; Z̃^n_{1:L}) = 0.
For clarity and with a slight abuse of notation, for any Block i ∈ [1, L] let Ξ_i denote the entire sequence depending on Ã^n_i that is repeated at Block i + 1. Furthermore, let Ω_i represent the sequence depending on Ã^n_i that is repeated at Block i − 1, and define κ^{(V)}_Ω accordingly. Then, a Bayesian graph describing the dependencies between all the variables involved in the polar coding scheme of Section 4 is given in Figure 7. The sequence Γ and its randomized version can be drawn as two separate nodes in the Bayesian graph because, by the crypto lemma [26], they are statistically independent. Furthermore, for convenience, we have considered that dependencies only take place forward (from Block i to Block i + 1), which is possible by reformulating the encoding as follows. According to Section 4.1, for any i ∈ [1, L] we have Ã_i[C^{(n)}] = W_i. Consequently, we can regard W_i as an independent random sequence generated at Block i − 1 that is stored properly into some part of Ã_{i−1}[G^{(n)}]. Then, we consider that the encoder obtains the corresponding sequences, where δ^{(S)}_n ≜ 2nδ_n + 2δ. Proof. For n sufficiently large, the bound holds because of the definition of H^{(n)}_{X|VZ}; (c) holds because, for n large enough, we can bound the difference of entropies, where we have used the chain rule of entropy and the triangle inequality (Lemma 30 of [27]), the fact that the function x ↦ x log x is decreasing for x > 0 small enough, and Lemma 1; and, lastly, (d) holds because conditioning does not increase entropy, G_n is invertible, and by the definition of the corresponding high-entropy set. Next, the following lemma shows that the eavesdropper's observations Z̃^n_i are asymptotically statistically independent of the observations Z̃^n_{1:i−1} from previous blocks.
Here, (a) holds by the independence between S_{i+1:L} and any random variable from Blocks 1 to i; (b) holds by Lemma 2; (c) follows from applying d-separation [28] over the Bayesian graph in Figure 7 to obtain that Z̃^n_i and (S_{1:i−1}, Z̃^n_{1:i−1}) are conditionally independent given (S_i, Ξ_{i−1}) and any random variable from Block 1 to (i − 2), and because, from applying the crypto lemma [26], we obtain that the randomized sequence Ω is independent of the previous blocks. Therefore, we obtain the desired bound, where (a) follows from applying the chain rule; (b) holds by Lemma 3; (c) holds by the independence between S_{2:L} and any random variable from Block 1; and (d) holds by Lemma 2. Thus, for sufficiently large n the polar coding scheme satisfies the strong secrecy condition in (2).
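The crypto lemma invoked in step (c) can be checked numerically for a small alphabet: if K is uniform on 3-bit strings and independent of X, then M = X ⊕ K is uniform and independent of X, for any distribution of X. The distribution below is an arbitrary illustrative choice:

```python
from itertools import product

p_x = {0: 0.5, 1: 0.2, 2: 0.2, 7: 0.1}   # arbitrary pmf on 3-bit strings
p_k = {k: 1 / 8 for k in range(8)}        # uniform, independent key

# Joint pmf of (X, M) with M = X xor K.
joint = {}
for (x, px), (k, pk) in product(p_x.items(), p_k.items()):
    m = x ^ k
    joint[(x, m)] = joint.get((x, m), 0.0) + px * pk

p_m = {m: sum(p for (x, mm), p in joint.items() if mm == m) for m in range(8)}

# M is uniform, and the joint factorizes: P(X = x, M = m) = P(X = x) P(M = m),
# i.e., the one-time-padded sequence carries no information about X.
assert all(abs(pm - 1 / 8) < 1e-12 for pm in p_m.values())
assert all(abs(joint[(x, m)] - p_x[x] * p_m[m]) < 1e-12
           for x in p_x for m in range(8))
print("crypto lemma verified on this example")
```

This is exactly why the randomized repeated sequences can be drawn as separate, independent nodes in the Bayesian graph of Figure 7.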

Remark 1.
We conjecture that the use of κ^{(V)}_Ω is not needed for the polar coding scheme to satisfy the strong secrecy condition. However, the key is required in order to prove this condition by means of analyzing a causal Bayesian graph similar to the one in Figure 7.

Remark 2.
Although backward dependencies between random variables of different blocks appear in [12], a secret seed such as κ^{(V)}_Ω is not necessary there for the polar coding scheme to provide strong secrecy. This is because the random sequences that are repeated in adjacent blocks are stored only in those entries whose indices belong to the "high entropy set given the eavesdropper's observations", i.e., the sets equivalent to H^{(n)}_{V|Z}.

Concluding Remarks
A strongly secure polar coding scheme has been proposed for the WTBC with two legitimate receivers and one eavesdropper. This polar code achieves the best known inner-bound on the achievable region of the CI-WTBC model, in which a transmitter wants to send common information (private and confidential) to both receivers. Since no degradedness assumption is imposed on the channel, the encoder builds a chaining construction that induces bidirectional dependencies between adjacent blocks, which need to be taken carefully into account in the secrecy analysis.
These bidirectional dependencies involve elements from adjacent blocks whose indices belong to the "low entropy sets given the eavesdropper's observations". Consequently, in order to prove that the polar coding scheme satisfies the strong secrecy condition, we have introduced a secret key whose length becomes negligible in terms of rate as the number of blocks grows indefinitely. In the proposed polar coding scheme, this key is used to randomize the part of these elements from any block that is repeated in the previous (or next) one. In this way, we can analyze the dependencies between all the random variables involved in the secrecy analysis by means of a causal Bayesian graph and apply d-separation to prove that the polar coding scheme induces eavesdropper observations that are statistically independent of one another.
Despite the good performance of the polar coding scheme, some issues still persist. First, it is worth noting that the additional secret transmission (negligible in terms of rate) required to initialize the decoding algorithms at both receivers can be omitted by using an approach similar to that of [29], where an initialization phase to generate a secret key can be performed without worsening the communication rate. On the other hand, how to replace the random decisions entirely by deterministic ones in SC encoding is a problem that remains unsolved. Additionally, we conjecture that the aforementioned secret keys used to prove independence between blocks are not necessary. However, how to prove this independence without using them seems a difficult problem to address at this point.