4.2 Generalization of PSMT to Linear Combinations of Errors and
4.2.1 Motivation: Secure Network Coding
We discuss in this section the notion of Secure Network Coding, and show how it can be modeled by Definition 4.2.1.
A network is a directed, acyclic and connected multigraph $G$ with source nodes (having in-degree 0) and destination nodes (with out-degree 0); for simplicity, we will only consider networks with a single source node. The connectivity (or min cut) $C$ of a network $G$ is defined as the minimum number of edges whose removal disconnects the source node from the destination nodes.
A network can be used to transmit information from the source to the destination nodes: in Network Routing, this is done by simply allowing each node to read the data received via the incoming edges and send it via the outbound edges (the source node simply produces and sends data). In contrast to this approach, (Linear) Network Coding allows nodes to perform operations on the received data, and to send the results over the outbound edges.
More precisely, the source node produces a message $\mathbf{x} := (x_1, \dots, x_n)$, where each $x_i$ belongs to the alphabet $\mathbb{F}_q^m$ for a finite field $\mathbb{F}_q$; elements of $\mathbb{F}_q^m$ are called packets. Each node computes linear combinations over $\mathbb{F}_q$ of the packets received via its input edges (or of the inputs $x_i$ in the case of the source node) and sends the results on its outbound edges; these linear combinations form the network code. We assume that the code is feasible, i.e. that each destination node can compute $\mathbf{x}$ as a linear function of the received packets. It is well known that a feasible network code for $G$ exists if $q$ is sufficiently large and $n \leq C$ (where $C$ denotes the connectivity of the network), while no feasible network code exists if $n > C$ [2, 47, 43].
Secure Network Coding adds an adversarial component to this setting: for the sake of clarity, assume that the source node is controlled by a sender (who decides which message $\mathbf{x}$ the node will produce) and that each destination node is controlled by a receiver, who can read the data received by the node. A first adversarial model for this situation was introduced by Cai and Yeung [10], where an adversary Eve can eavesdrop on $t$ edges of the network (see also [30] and [29]); subsequently, Silva and Kschischang [63] introduced a more general adversarial model, where the adversary Eve gains full control of $t$ edges of her choice, meaning she can read the symbols transmitted over these edges and replace them by symbols of her choice.
In case there is a single receiver, we can identify the sender with Alice and the receiver with Bob. It is then readily seen that the communication from Alice to Bob is affected by the adversary precisely as in Definition 4.2.1: each edge $i$ under Eve's control carries a linear combination
$$\lambda^{(i)}_1 x_1 + \cdots + \lambda^{(i)}_n x_n$$
of the input packets $x_1, \dots, x_n$, where the coefficients $\lambda^{(i)}_j$ depend on the network code; similarly, any error $\Delta^{(i)}$ that Eve injects on edge $i$ propagates through the network, so that eventually the output value is affected by a linear combination
$$\sum_{i=1}^{t} \Delta^{(i)} \otimes \mu^{(i)}$$
of the errors, where again the coefficients $\mu^{(i)}_j$ depend on the network code. As a worst-case scenario, we may assume that Eve is free to select which subset of edges to control; this is modeled by letting her choose the eavesdropping and tampering vectors in Definition 4.2.1. Furthermore, if the network also allows for communication from the receiver to the sender, then the adversary again affects the communication as in Definition 4.2.1. One has to be careful, however, since our generalized adversary is "symmetric", i.e. her eavesdropping and tampering vectors are the same for the communication from Alice to Bob and for that from Bob to Alice; this is not necessarily the case in a Network-Coding scenario. Nevertheless, the protocols we present do not actually require this symmetry of the adversarial powers, and can thus be used to provide security in a Network-Coding scenario, as long as communication is also possible from the receiver to the sender.
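As an added worked example (not code from the thesis or from any of the cited works), the following Python models this setting on the butterfly network with a fixed linear code over GF(7). It computes each edge's global coding vector (the $\lambda^{(i)}_j$ an eavesdropper on that edge sees), the scalar transfer coefficients from each edge to a sink's incoming edges (the $\mu^{(i)}_j$), and checks, by actually running the code with Eve rewriting an edge, that the error arriving at the sink equals the predicted $\sum_i \Delta^{(i)} \otimes \mu^{(i)}$ and has rank at most the number of controlled edges. The network, field size, local code and message values are all constructed assumptions.

```python
"""Linear network coding on the butterfly network over GF(P) with an adversary who
reads and rewrites edges.  Constructed example: network, field and code are assumed."""

P = 7  # prime field size; large enough for the butterfly code below

# Butterfly network: source s, relays a-d, sinks t1, t2; edges in topological order.
EDGES = [("s", "a"), ("s", "b"), ("a", "t1"), ("b", "t2"), ("a", "c"),
         ("b", "c"), ("c", "d"), ("d", "t1"), ("d", "t2")]
N_MSG = 2  # n: message packets x_1, x_2, each in GF(P)^m
# Local code: source edges list coefficients over x_1..x_n; relay edges map
# {input edge index: coefficient} over the edges entering their tail node.
LOCAL = {0: [1, 0], 1: [0, 1], 2: {0: 1}, 3: {1: 1}, 4: {0: 1}, 5: {1: 1},
         6: {4: 1, 5: 1}, 7: {6: 1}, 8: {6: 1}}

def axpy(y, c, u):
    """y + c*u over GF(P), componentwise."""
    return [(a + c * b) % P for a, b in zip(y, u)]

def global_code():
    """G[e]: global coding vector of edge e (packet on e is G[e].x, which is all an
    eavesdropper there learns: the lambda^(e)_j).  H[f][e]: transfer coefficient
    from e to f (an error Delta injected on e reaches f as H[f][e]*Delta)."""
    G, H = [], []
    for f in range(len(EDGES)):
        h = [int(i == f) for i in range(len(EDGES))]
        if isinstance(LOCAL[f], list):  # source edge: combination of the x_j
            g = [c % P for c in LOCAL[f]]
        else:  # relay edge: combination of the packets on its input edges
            g = [0] * N_MSG
            for e, c in LOCAL[f].items():
                g, h = axpy(g, c, G[e]), axpy(h, c, H[e])
        G.append(g)
        H.append(h)
    return G, H

def transmit(X, tampering=None):
    """Run the code on messages X (n rows of GF(P)^m); tampering maps an edge index
    to the packet Eve adds there.  Returns the packet carried by every edge."""
    tampering, Y = tampering or {}, []
    for f in range(len(EDGES)):
        is_src = isinstance(LOCAL[f], list)
        y = [0] * len(X[0])
        for e, c in (enumerate(LOCAL[f]) if is_src else LOCAL[f].items()):
            y = axpy(y, c, (X if is_src else Y)[e])
        Y.append(axpy(y, 1, tampering[f]) if f in tampering else y)
    return Y

def sink_inputs(node):
    return [f for f, (_, head) in enumerate(EDGES) if head == node]

def reduce_mod_p(M, ncols=None):
    """Gauss-Jordan over GF(P), pivoting in the first ncols columns; returns (R, rank)."""
    M, rank = [row[:] for row in M], 0
    for col in range(ncols or len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], P - 2, P)
        M[rank] = [(v * inv) % P for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                M[r] = axpy(M[r], -M[r][col], M[rank])
        rank += 1
    return M, rank

def decode(node, Y):
    """Plain decoding at a sink (no error correction): solve G_T . Z = Y_T."""
    G, _ = global_code()
    ins = sink_inputs(node)
    R, rank = reduce_mod_p([G[f] + Y[f] for f in ins], ncols=N_MSG)
    if rank < N_MSG:
        raise ValueError("network code is not feasible at " + node)
    return [row[N_MSG:] for row in R[:N_MSG]]

def predicted_error(node, tampering):
    """Error at the sink from the code alone: sum over tampered edges e of
    mu^(e) (x) Delta^(e), mu^(e)_j = H[ins[j]][e].  Its rank is <= len(tampering)."""
    _, H = global_code()
    ins = sink_inputs(node)
    E = [[0] * len(next(iter(tampering.values()))) for _ in ins]
    for e, delta in tampering.items():
        for j, f in enumerate(ins):
            E[j] = axpy(E[j], H[f][e], delta)
    return E

def demo():
    X = [[1, 2, 3], [4, 5, 6]]  # constructed messages x_1, x_2 (m = 3)
    honest, delta = transmit(X), [1, 0, 6]  # Eve adds delta on edge 4 (a->c)
    tampered = transmit(X, {4: delta})
    ins = sink_inputs("t1")
    observed = [axpy(tampered[f], -1, honest[f]) for f in ins]
    two = {2: [2, 0, 0], 4: delta}  # t = 2 controlled edges
    return {"eve_view_e6": honest[6],  # x_1 + x_2; neither message alone
            "honest_t1": decode("t1", honest),
            "observed_error_t1": observed,
            "predicted_error_t1": predicted_error("t1", {4: delta}),
            "tampered_t1": decode("t1", tampered),  # x_2 arrives as x_2 + delta
            "error_rank_t1": reduce_mod_p(predicted_error("t1", {4: delta}))[1],
            "error_rank_two_edges": reduce_mod_p(predicted_error("t1", two))[1]}
```

Calling `demo()` returns the checked quantities. Eve reading edge $c \to d$ sees only $x_1 + x_2$, the single linear combination fixed by the code; her edit on edge $a \to c$ reaches sink $t_1$ only through edge $d \to t_1$, so the plain decoder returns $x_2 + \Delta$ while $x_1$ is untouched, and the error matrix at the sink is the predicted outer product with rank 1 (rank 2 when she controls two edges). This is exactly the error structure that Definition 4.2.1 abstracts: which combinations Eve sees and how her errors spread are determined by the code, not chosen freely, and the protocols that follow only need that structure, not the code itself.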
Hence the protocols that we present in the following sections provide the following contribution to Secure Network Coding:
• the generalization of Protocol 4.1.1 can be used to provide security for a Network Coding scenario with a single receiver, as long as communication is also possible from the receiver to the sender; notice that though Network Coding was originally introduced in a multicast scenario [2, 47], it has since proved useful in single sender – single receiver scenarios as well [48, 70].
• the three-round protocol we present also works in a multicast scenario.
We stress the fact that, just as the most recent works on Secure Network Coding [63], both our protocols are universal, namely they are defined and secure regardless of the network code.
We remark that Jaggi et al. [42] studied a similar case, where the adversary controls vertices instead of edges of the network; their protocol lets the adversary inject up to $n/2$ errors, but with a weaker notion of security, in that it must drop the privacy requirement and the reconstruction process admits a positive error probability.
How feedback improves security. Until very recently, existing work on Secure Network Coding assumed that information can only flow from sender to receiver. Notably, the work of Silva and Kschischang [63] presents a one-round protocol that is secure as long as $t < n/3$; this is in fact optimal if no feedback is allowed.
On the other hand, both our protocols are secure for any $t < n/2$, thanks to the possibility of conveying data in both directions. Notice that two-way communication has strengthened resistance against the adversary also in alternative information-theoretic scenarios, such as PSMT (which we covered in Section 4.1) and Secret Key Agreement [52] (where the sender and a single receiver communicate over a noisy channel in the presence of a wiretapper). We give here some intuition on how two-way communication strengthens resistance in our case. A common approach for communication in Secure Network Coding is to use rank-metric codes, a variant of block codes that can correct errors of limited rank; the properties of rank-metric codes mirror those of classical codes: for instance, we can speak of a minimum distance $d$, a code can correct errors of rank at most $\lfloor (d-1)/2 \rfloor$, and the Singleton bound still holds.
Assume that communication is only possible from the sender to the receivers, and assume that a codeword $\mathbf{x} \in \mathcal{C}$ is sent by the sender to the receivers, for a given (rank-metric) code $\mathcal{C}$. Then to ensure that the receivers can recover $\mathbf{x}$, $\mathcal{C}$ must have minimum rank-distance at least $2t+1$; furthermore, to prevent Eve from recovering $\mathbf{x}$, $\mathcal{C}$ must have dimension at least $t+1$. Thus $d_{\min}(\mathcal{C}) + \dim(\mathcal{C}) \geq 3t+2$; by the Singleton bound, we thus obtain $3t < n$.
Now if feedback is allowed, the situation improves: the feedback information can contain critical information on the errors introduced by the adversary (namely, the pseudo-basis of the received values); this basically allows us to recover the support of the errors and hence only requires the code $\mathcal{C}$ to have minimum distance at least $t+1$ for correction. We thus obtain security for any $t < n/2$.
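The two counting arguments above, carried through explicitly (an added derivation, not part of the original text). It assumes the Singleton bound in the form $d_{\min}(\mathcal{C}) + \dim(\mathcal{C}) \leq n + 1$, the same form as for classical codes, which is how the text uses it:
$$
\begin{aligned}
\text{one-way:}\quad & d_{\min}(\mathcal{C}) \geq 2t+1,\ \dim(\mathcal{C}) \geq t+1 \\
& \Rightarrow\ 3t+2 \;\leq\; d_{\min}(\mathcal{C}) + \dim(\mathcal{C}) \;\leq\; n+1
\ \Rightarrow\ 3t+1 \leq n \ \Rightarrow\ t < n/3, \\[4pt]
\text{with feedback:}\quad & d_{\min}(\mathcal{C}) \geq t+1,\ \dim(\mathcal{C}) \geq t+1 \\
& \Rightarrow\ 2t+2 \;\leq\; d_{\min}(\mathcal{C}) + \dim(\mathcal{C}) \;\leq\; n+1
\ \Rightarrow\ 2t+1 \leq n \ \Rightarrow\ t < n/2 .
\end{aligned}
$$
The privacy requirement $\dim(\mathcal{C}) \geq t+1$ is the same in both cases; feedback only lowers the distance needed for correction from $2t+1$ to $t+1$, because the support of the error is known before decoding.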