Solutions to Wiretapping Attacks

A network coding system can be represented by a tuple (G, α, U ). In the tuple, G = (V, E) is a directed acyclic graph, and V and E are the set of nodes and edges of G. The capacity of each edge e ∈ E denotes the maximum average rate of information that can be transmitted on this edge. α is the single source that generates and sends out a message vector X = (x1, x2, · · · , xn)T ∈ Fqn every time unit. U is the set of users (can be more than one) that

receive and recover the multicast information. In linear coding systems, the message (symbol) on any outgoing edge of a node is a linear combination of the messages (symbols) on its incoming edges, thus, the message (symbol) on any edge is eventually a linear combination of the source messages (symbols). We denote the message (symbol) transmitted on edge e by TeX, where Te,

named the global encoding vector on edge e, is a row vector over Fq. (Note: When we discuss

the solutions to wiretapping attacks, we may use message and symbol interchangeablly.) In wiretapping attacks, adversaries can wiretap or eavesdrop on any of a collection of sets of edges, where the collection is denoted as A = {A1, A2, · · · , A|A|} and |A| denotes the number

of sets in the collection. Each Ai is a subset of all edges in the network. It is assumed that

an eavesdropper can access any member but no more than one member of A. Let Mi denote

an eavesdropping matrix of dimension ki × n for each Ai, where ki is the maximum number

of linearly independent encoding vectors of the edges in Ai. All the eavesdropping matrixes

corresponding to A = {A1, · · · , A|A|} are M = {M1, · · · , M|A|}. Hence, the information

available to the eavesdropper is a set of linear equations MiX = Bi for any Mi ∈ M. Some

other model also assumes that the eavesdropper has access to at most k edges of the network. This is actually a special case of the first model in which the collection A contains all non-empty subsets of at most k edges of all the edges in the graph.

Suppose a feasible network coding solution already exists that enables the source to mul- ticast the message vector X = (x1, x2, · · · xn)T to all receivers. The goal is to transform this

insecure coding solution into a secure one that allows no information leakage to the eaves- dropper. The solutions can be Shannon-secure and weakly-secure [6] depending on the extend to which the system can tolerate information leakage. Shannon-secure requires that for all i ∈ {1, · · · , |A|}, the eavesdropper gains no information about the source. However, weakly- secure requires that the eavesdropper receives no meaningful information about the source. For example, if the eavesdropper knows the sum of x1+ x2, where x1 and x2 are i.i.d. information

symbols generated at the source, then she gets some information about the combinations of the source symbols, but no meaningful information about the value of either x1 or x2 alone.

The system is weakly-secure but not Shannon-secure.

2.3.2.2 Shannon-secure Network Coding Schemes

Cai & Yeung [13] studied the problem of how to make a linear network coding system to transmit information ”securely” in the presence of a wiretapper(or eavesdropper) who can eavesdrop on a bounded number of network links. They gave the definition of secure (i.e., Shannon-secure) network code, proposed a method to transform a given linear network code into a secure one, and presented the sufficient condition that guarantees the existence of such a secure transformation.

The basic idea of Cai & Yeung’s method is to insert some random symbols into the message vector sent by the source, such that the symbols transmitted on all edges are “randomized”, i.e., are the combination of the information symbols and the random symbols. More specifically, the input vector at the source is divided into two portions, the first r = n − k symbols are information symbols and the remaining k = max{ki} symbols are random symbols chosen

uniformly from Fq, i.e., X = (S, W ) = ((s1, · · · , sr)T, (w1, · · · , wk)T). When properly designed,

a linear network code is ”secure”, i.e., the eavesdropper cannot eliminate the randomness or learn any combinations of solely the information symbols.

Definition of security: The secure network code defined by Cai & Yeung is Shannon-secure, that is,

H(S|MiX = Bi) = H(S), ∀Mi∈ M . (2.1)

This definition is equivalent to that the eavesdropper cannot learn any linear combinations of the first r information symbols, namely, ∀(t1, t2, · · · , tki) 6= 0 and ∀(β1, β2, · · · , βr) 6= 0,

(t1, t2, · · · , tki)MiX 6= (β1, β2, · · · , βr, 0 · · · 0)X . (2.2)

Cai and Yeung also proved that a network code is secure, if ∀Bi ∈ Fqki and ∀S ∈ Fqr, there

exists |C(Bi) ∗ \ (S)| = qk−ki _{, (2.3)} where C(Bi) = {X ∈ Fqn : MiX = Bi}, ∀b ∈ Fqn and C∗(S) = {X ∈ Fqn : X = (S, W )}, ∀S ∈ F_qr.

Transformation matrix: Let C denote an n × n secure transformation matrix. Cai & Yeung’s method is to apply this matrix to an insecure network code and transform it into a secure one. More specifically, for any edge e ∈ E of encoding vector Te, the transformed

encoding vector is T_e0 = TeC. Thus, the symbol transmitted on edge e becomes Te0X = TeCX.

The properties that matrix C should satisfy such that the transformed network code is both feasible and secure, are given as follows:

Theorem 1 The matrix C is full-rank i.f.f. the transformed network code is feasible, i.e., all receivers can recover the information symbols S = (x1, · · · , xr)T.

Theorem 2 The first r row vectors of matrix C−1 and all row vectors of matrix Mi are

linearly independent i.f.f. the transformed network code is secure.

Lower bound: To guarantee the existence of a secure transformation matrix C, the larger field size is required. Cai & Yeung proved that a lower bound of q > |A| is sufficient (but not necessary).

Feldman et al. [26] generalized and simplified Cai & Yeung’s method, and showed that making a linear network code secure is equivalent to finding a code with certain generalized distance properties. They also presented a necessary (but not sufficient ) condition that guar- antees the existence of a secure transformation.

Definition of security: Feldman et al. defined that a secure network code should satisfy that ∀Bi ∈ Fqki and ∀S, S0∈ Fqr,

|R(S, B_i)| = |R(S0, Bi)| , (2.4)

where R(S, Bi) = {W ∈ Fqk: Mi(S, W ) = Bi}, ∀S ∈ Fqr. R(S, Bi) is the set of all possible ran-

dom vectors W , such that when message vector X = (S, W ) is sent, the observed information on the linearly independent edges in Ai is Bi. This definition shows that when W is chosen

randomly, whatever information Bi that an eavesdropper observes gives no information about

the transmitted S.

Transformation matrix: Unlike Cai & Yeung, Feldman applied the transformation matrix C to the message vector sent by the source, while keeping the code unchanged. Thus, the message vector sent by the source is X0 = CX. For any edge e ∈ E of encoding vector Te, the

symbol transmitted on edge e becomes TeX0 = TeCX. This transformation is equivalent in

power to that of Cai & Yeung, but it is simpler because it does not need to change the code. Feldman et al. also proved that finding a secure transformation matrix is equivalent to solving some generalized coding problem. Let N be the number of all edges in the network. Let ZG be an n × N matrix whose columns are the encoding vectors of all edges in the graph

G. Since ZG has rank n (i.e., the message vector can be decoded by the receivers), thus the

Theorem 3 Given an (N − n) × N matrix Z_G0 , a r × N matrix F that satisfies the Hamming distance δ(Z_G0 , F ) > n − r exists i.f.f. an n × n secure transformation matrix C exists.

Based on this theorem, the existence of matrix C is equivalent to the existence of matrix F , while finding the latter one is a generalized coding problem, i.e., Span Distance Problem. When solving the Span Distance Problem, the following result can be derived:

Theorem 4 If n = log N_{log q} −logVolq(d,N )

log q + 2 log N + log q + log ln q and d ≤ n − r, then there is

an (N − n) × N matrix Z_G0 , such that for any r × N matrix F , the Hamming distance δ(Z_G0 , F ) > n − r cannot be satisfied.

Volq(d, N ) denotes the number of vectors in a ball of radius d around x, where given x ∈ FqN,

the ball is the set of all vectors in F_qN which differ from x in at most d coordinates. In this theorem, let q = NΩ(

q

n−r

logN)_{. It can be seen that as long as r takes any value within the range}

r < (NΩ(

q

n−r

log N)_{− 3) log N , the inequality d ≤ n − r is held.}

Lower bound: Based on Theorem 3 and Theorem 4, the necessary lower bound of field size, i.e., q > NΩ(

q

n−r

logN)_{, can be obtained for the existence of a secure transformation matrix C.}

2.3.2.3 Weakly-secure Network Coding Schemes

Bhattad & Narayanan [6] observed that the security requirement [13] can be relaxed in prac- tice. They believe that it is suffice if no meaningful information is leaked to the eavesdropper. For example, a network code is secure if the eavesdropper only get x1 + x2, but is unaware

of x1 and x2, where x1 and x2 are two information symbols sent by the source. They defined

a weakly-secure model, proposed a secure transformation to convert an insecure code into a secure one, and proved the sufficient condition for the existence of a secure transformation.

Definition of security: They defined that a weakly-secure network code should satisfy, H(xj|MiX = Bi) = H(xj) ∀xj ∈ X . (2.5)

Transformation matrix: Unlike the Shannon-secure code, a weakly-secure code does not require any random symbols inserted into the message vector. A secure transformation matrix C can be applied either to the message vector sent from the source or to the encoding vectors

of all edges. After transformation, the message available to the eavesdropper is M_i0X = MiCX

for all Mi∈ M.

Theorem 5 The matrix C is full-rank iff the transformed coding solution is feasible; any row vector of the matrix C−1 and all row vectors of matrix Mi are linearly independent i.f.f. the

transformed encoding solutions is weak-secure.

Lower bound: Bhattad & Narayanan proved that if qn > |A|qk+ qn−1, then the secure transformation matrix C must exist.