A Novel Lightweight Algorithm for Secure Network Coding
Xiao Wang, Wangmei Guo
State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, China,
E-mail: {wangxiaoxiao,wangmeiguo}@mail.xidian.edu.cn
Abstract
In the practical network coding scenario, the adversary usually has full eavesdropping abilities. Hence, lightweight secure network coding is more suitable than the information-theoretic approach. We propose a novel coding scheme against a global eavesdropper in this paper. In our scheme, we utilize r mapping values to randomize original packets instead of r locked coefficients. It means that only one encrypted symbol is required for a packet, which rapidly reduces space overhead and encryption volume. Meanwhile, there is no additional requirement at intermediate nodes. Compared to the existing schemes, our scheme is more efficient in space overhead and encryption volume with appropriate computational complexity.
Keywords: Network Coding, Lightweight Secure, Eavesdropping Attacks
1. Introduction
Network coding [1] allows intermediate nodes to mix incoming packets before sending them out, which differs from the traditional store-and-forward mechanism. Linear network coding [2] was shown to achieve the multicast capacity over a sufficiently large field. Because of its operational convenience and simple algebraic structure, much of the research focuses on linear network coding. Moreover, when the field size is larger than $2^8$ or $2^{16}$, random linear network coding (RLNC) [3] also achieves the multicast capacity with probability approaching 1 exponentially with the code length. In RLNC, the intermediate nodes independently select coding coefficients at random over the finite field $\mathbb{F}_q$, which is a decentralized mechanism and easy to implement in practice. Koetter and Medard [4] proposed the algebraic framework for network coding and gave an algebraic characterization of the multicast problem. Network coding has many applications, such as wireless mesh networks [5-6] and cooperative communication [7].
Secure network coding was first considered in [8] to achieve perfect information-theoretic security against adversaries that can wiretap only a limited number of network links. Feldman et al. [9] showed that making a secure linear network code is equivalent to finding a linear code with generalized distance properties, and pointed out that if a small amount of overall capacity is given up, a random code achieves security using a much smaller field. Rouayheb et al. [10] presented a construction of secure network codes using secure codes for the wiretap channel II. Ngai et al. [11] extended the generalized Hamming weight [12] for linear error correction codes to linear network codes. Weakly secure network coding was proposed in [13], in which the adversary is unable to get any “meaningful” information about the source messages; this is more practical than perfect information-theoretic security. Strongly secure linear network coding was proposed by Harada and Yamamoto [14], who showed that strong security in fact contains weak security as a special case. Universal secure network coding was proposed in [15] based on rank-metric codes; it has the universal property that it can be applied on top of any network without prior knowledge of, or any modification to, the linear network code. Jain [16] studied the relation between security and network topology and derived a necessary and sufficient condition under which source messages can be transmitted with perfect security.
In real scenarios, the adversary's wiretapping capability is unlimited, but the adversary is computationally bounded. Moreover, network capacity and computing resources are precious. To solve this problem, more practical schemes were proposed in [17-19] that combine cryptographic approaches with network coding to defend against a global eavesdropper while keeping random network coding unchanged at intermediate nodes. A minimum overhead scheme (MOS) was proposed in [17] to achieve perfect security, but with high encryption volume because the whole message is encrypted. The scheme in [18] (P-Coding) uses a permutation encryption function against eavesdropping attacks without overhead, but it also has high encryption volume. A lightweight secure scheme (SPOC) was presented in [19], which encrypts only a much shorter extra coding vector instead of the whole packet, so it reduces encryption volume but increases capacity overhead.
In this paper, we propose a more efficient scheme against a global eavesdropper that achieves security with minimum overhead and encryption volume, without changing the implementation at the intermediate nodes or requiring a large field. The key idea of our scheme is to use mapping values to generate a source precoding matrix instead of extra coding vectors, which reduces the length of the random keys.
2. Problem Formulation
We represent a communication network by an acyclic directed graph $G = (V, E)$, where $V$ and $E$ denote the set of nodes and edges, respectively. Each edge in the network is able to transmit a packet over the finite field $\mathbb{F}_q$ without error. The source node $S$ wishes to send a large file $M$ to all the receivers in a generation, and $M$ is split into $r$ data packets by $S$. Each data packet is denoted by $x_i = (x_{i1}, \ldots, x_{i,n-1}) \in \mathbb{F}_q^{n-1}$, $1 \le i \le r$, where $q > r$.
Intermediate nodes randomly choose coding coefficients over $\mathbb{F}_q$ for their input packets and forward a linear combination of the input packets on each outgoing edge. Sink nodes can recover $M$ with Gaussian elimination after receiving at least $r$ linearly independent packets.
There is a global eavesdropper in the network. We assume the adversary is able to choose a subset of independent edges, which means that the global coding vectors of wiretap edges are independent.
3. Proposed Scheme
In this section, we propose a precoding scheme for lightweight secure network coding with negligible space overhead.
3.1 Precoding at Source
As described in the previous section, a large file $M$ is split into $r$ packets, and we choose an appropriate mapping function $h(\cdot): \mathbb{F}_q^{n-1} \to \mathbb{F}_q$ for these packets, which maps the $r$ packets to $r$ different values.
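Then, we construct a precoding matrix $P$ from the $r$ mapping values $h(x_i)$, $1 \le i \le r$:
$$P = \begin{pmatrix} h(x_1) & h(x_2) & \cdots & h(x_r) \\ h^2(x_1) & h^2(x_2) & \cdots & h^2(x_r) \\ \vdots & \vdots & & \vdots \\ h^r(x_1) & h^r(x_2) & \cdots & h^r(x_r) \end{pmatrix}_{r \times r} \tag{1}$$
Obviously, the matrix $P$ is a Vandermonde matrix, and it is invertible, so it can be used to pre-encode the original packets $x_1, \ldots, x_r$:
$$\begin{pmatrix} x'_1 \\ x'_2 \\ \vdots \\ x'_r \end{pmatrix}_{r \times (n-1)} = P \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_r \end{pmatrix}_{r \times (n-1)} \tag{2}$$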
Then the source $S$ concatenates $x'_i$ with the corresponding mapping value $h(x_i)$ to form a pre-encoded packet $\tilde{x}_i = (x'_{i1}, \ldots, x'_{i,n-1}, h(x_i))$.
For security, $S$ must hide the last symbol $h(x_i)$ of $\tilde{x}_i$ from the adversary, so that the adversary cannot get information about the original packets by wiretapping attacks. We encrypt $h(x_i)$ using the AES cryptosystem and obtain $E(h(x_i))$. Then we get a new packet $x_i^{new} = (x'_{i1}, \ldots, x'_{i,n-1}, E(h(x_i)))$.
After that, $S$ creates an augmented packet as follows,
$$m_i = (\underbrace{0, \ldots, 0, \overset{i\text{-th}}{1}, 0, \ldots, 0}_{r},\; x_i^{new})_{1 \times (r+n)}, \quad i = 1, \ldots, r. \tag{3}$$
At last, the augmented packets are transmitted into the network and the intermediate nodes employ RLNC.
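An added example (not code from the paper) of the precoding in equations (1)-(2) and of the inversion a sink performs in Section 3.2. Assumptions: the prime field GF(257) stands in for $\mathbb{F}_q$, `h` is a hypothetical salted SHA-256 mapping, RLNC mixing is omitted, and the AES step on the last symbol is left out, so the mapping value travels in the clear here.

```python
import hashlib
Q = 257  # assumption: prime field GF(257) stands in for the paper's F_q

def h(packet, salt):  # hypothetical mapping into the nonzero elements of F_q
    digest = hashlib.sha256(f"{salt}:{packet}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def mapping_values(packets):
    """Pick a salt so the r packets map to r different nonzero values (needs q > r)."""
    if len(packets) >= Q:
        raise ValueError("need q > r for r distinct nonzero mapping values")
    for salt in range(1000):
        vals = [h(x, salt) for x in packets]
        if len(set(vals)) == len(vals):
            return vals
    raise ValueError("mapping values collide (duplicate packets in the generation?)")

def vandermonde(vals):
    """Equation (1): P[i][j] = h(x_j)^(i+1) for rows i = 0..r-1."""
    return [[pow(v, i + 1, Q) for v in vals] for i in range(len(vals))]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def inverse(M):
    """Gauss-Jordan inversion mod Q; P is invertible for distinct nonzero values."""
    r = len(M)
    A = [row[:] + [int(i == j) for j in range(r)] for i, row in enumerate(M)]
    for c in range(r):
        piv = next(i for i in range(c, r) if A[i][c])
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, Q)
        A[c] = [v * inv % Q for v in A[c]]
        for i in range(r):
            if i != c and A[i][c]:
                A[i] = [(v - A[i][c] * w) % Q for v, w in zip(A[i], A[c])]
    return [row[r:] for row in A]

def precode(packets):
    """Source side: equation (2), then append h(x_i) as the n-th symbol."""
    vals = mapping_values(packets)
    coded = matmul(vandermonde(vals), packets)
    # The paper AES-encrypts this last symbol before sending; it stays in clear here.
    return [row + [v] for row, v in zip(coded, vals)]

def decode(pre_encoded):
    """Sink side, Steps 3-4: rebuild P from the last symbols and apply P^-1."""
    vals = [row[-1] for row in pre_encoded]
    return matmul(inverse(vandermonde(vals)), [row[:-1] for row in pre_encoded])
```

A generation that contains two identical packets can never yield distinct mapping values, so `mapping_values` raises instead of building a singular $P$.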
3.2 Decoding at Sinks
When a sink node receives at least r independent message packets, it can begin to decode as follows.
Step 1: Use Gaussian elimination to recover the new message packets $[x_1^{new}, \ldots, x_r^{new}]^T$.
Step 2: Decrypt the last column of $[x_1^{new}, \ldots, x_r^{new}]^T$ with AES to get $[\tilde{x}_1, \ldots, \tilde{x}_r]^T$ and $h(x_i)$.
Step 3: Construct the precoding matrix $P$ from $h(x_i)$, $i = 1, \ldots, r$. Compute the inverse matrix $P^{-1}$, and remove $[h(x_1), \ldots, h(x_r)]^T$ from $[\tilde{x}_1, \ldots, \tilde{x}_r]^T$ to obtain $[x'_1, \ldots, x'_r]^T$.
Step 4: At last, we obtain the origin data packets by $[x_1, \ldots, x_r]^T = P^{-1}[x'_1, \ldots, x'_r]^T$.
3.3 Security Analysis
We assume the adversary has full knowledge of the structural characteristics of $P$, and the mapping function $h(\cdot)$ is also known to it. However, it is computationally bounded, which means that given a mapping value $b$, it is computationally infeasible to find an input $a$ such that $h(a) = b$. The elements of $P$ are kept secret from the adversary, since we randomize the original packets $x_i$, $1 \le i \le r$, by $P$. Equivalently, the original packets are encrypted by $P$. Therefore, the adversary only gets linear combinations of $x_i^{new}$, $1 \le i \le r$.
Furthermore, the adversary is able to eavesdrop on at least $r$ independent edges to decode $x_1^{new}, \ldots, x_r^{new}$. The subset of wiretap edges is denoted by $W$, and $R = \{h(x_i) \mid i = 1, \ldots, r\}$ denotes the mapping value set. The adversary tries to obtain the origin packets $x_1, \ldots, x_r$ from $x_1^{new}, \ldots, x_r^{new}$ by the following equation system:
$$\begin{cases} h(x_1)x_{11} + h(x_2)x_{21} + \cdots + h(x_r)x_{r1} = x'_{11} \\ \qquad\vdots \\ h^i(x_1)x_{1j} + h^i(x_2)x_{2j} + \cdots + h^i(x_r)x_{rj} = x'_{ij} \\ \qquad\vdots \\ h^r(x_1)x_{1,n-1} + h^r(x_2)x_{2,n-1} + \cdots + h^r(x_r)x_{r,n-1} = x'_{r,n-1} \end{cases} \tag{4}$$
There are $r(n-1)$ equations with $r(n-1)$ unknown variables $x_{11}, \ldots, x_{r,n-1}$ and $h(x_1), \ldots, h(x_r)$ in (4). It is easily seen that $h(x_1), \ldots, h(x_r)$ has $P_{q-1}^{r}$ possibilities, because $h(x_i)$, $1 \le i \le r$, has $q - i$ possibilities. So the total number of possibilities is $(q-1)(q-2)\cdots(q-r) = P_{q-1}^{r}$. Therefore, the solution to (4) is an affine subspace with cardinality as follows,
$$\frac{q^{r(n-1)} \cdot P_{q-1}^{r}}{q^{r(n-1)}} = P_{q-1}^{r}.$$
That means,
$$\Pr\{x_1, \ldots, x_r \mid Y_W\} = \frac{1}{P_{q-1}^{r}} \tag{5}$$
where $Y_W$ denotes the message packets which are carried in $W$. Hence, the adversary cannot recover $x_1, \ldots, x_r$ without $h(x_1), \ldots, h(x_r)$. That is, the origin data packets are secure.
3.4 Comparison
In our scheme, there are $r$ origin data packets in a generation, each of length $n-1$, which become pre-encoded packets of length $n$ after source coding. That means the space overhead of one packet is 1. The last symbol of the pre-encoded packet is used to construct the locked coefficient, so only one symbol needs to be encrypted. As mentioned previously, the space overhead and encryption volume are independent of the packets and are significantly reduced by our scheme. In contrast, SPOC encrypts $r$ origin data packets of length $n-r$ with $r$ global encoding vectors of length $r$. These global encoding vectors are encrypted with shared keys and placed in the header of the corresponding pre-encoded packets; they are called locked coefficients.
To give a simple comparison, we consider a field of size $2^8$ and 200 packets in a generation. The maximum packet size is 1500 bytes, as mentioned in [19]. Our scheme results in a space overhead ratio of 0.0667%, because only one symbol is placed in the header of a packet. In SPOC, however, a locked coefficient of length 200 is placed in the header, so the space overhead ratio is 13.3% for SPOC. Furthermore, our scheme yields an encryption volume of 200 bytes in a generation, compared with 40000 bytes for SPOC.
Table 1. Comparison with other schemes
Schemes Encryption Volume Space Overhead Computation Cost
Adeli [17] Zhang [18] Vilela [19] Ours 1 n nr r 1 1 0 r 1 0 0 3 (r ) 3 (r )
The comparison between our scheme and the other schemes is given in Table 1 and Figure 1; the red curve in Figure 1 is our result. The blue curve overlaps the purple curve, which means the encryption volume generated by the Vilela scheme is almost the same as that of the traditional scheme. We can see from Table 1 that our scheme causes a tiny space overhead, and Figure 1 shows that our scheme significantly reduces the encryption volume compared to the others. In addition, the computational cost of our scheme is $O(r^3)$, which is the same as SPOC. The main computational cost consists of the inversion of the precoding matrix $P$ and other matrix operations. The scheme proposed in this paper is an efficient algorithm which has smaller space overhead and lower encryption volume with appropriate computation cost.
[Figure 1 plot. x-axis: Data size; y-axis: Encryption volume; curves: Traditional, Vilela, Our, Zhang, Adeli]
Figure 1. The comparison of encryption volume
4. Conclusion
In this paper, we proposed a novel lightweight scheme against eavesdropping attacks based on computational security. The basic idea of this scheme is to use r keys, which correspond to the r origin data packets, to generate a Vandermonde matrix as the precoding matrix. Since the encrypted mapping value is embedded at the end of each pre-encoded packet and then transmitted over the network, the space overhead is minimized, and the encryption volume is reduced as well. The security analysis shows that for the same security requirement, our scheme is more efficient.
5. Acknowledgements
This work is supported by the National Natural Foundation of China under Grants No.60832001 and 61271174. The authors would also like to thank all the reviewers for their hard work.
6. References
[1] Rudolf Ahlswede, Ning Cai, Shuo-Yen Robert Li, and Raymond W. Yeung, “Network information flow,” IEEE Trans. Inf. Theory, Vol. 46, No.4, pp. 1204–1216, July. 2000.
[2] Shuo-Yen Robert Li, Raymond W. Yeung and Ning Cai, “Linear network coding,” IEEE Trans. Inf. Theory, Vol. 49, No. 2, pp. 371-381, Feb. 2003.
[3] Tracey Ho, Muriel Medard, Ralf Koetter, David R. Karger, Michelle Effros, Jun Shi and Ben Leong, “A random linear network coding approach to multicast,” IEEE Trans. Inf. Theory, Vol. 52, No. 10, pp. 4413–4430, Oct. 2006.
[4] Ralf Koetter and Muriel Medard, “An algebraic approach to network coding,” IEEE/ACM Transactions on Networking, Vol. 11, No. 5, pp. 782-795, Oct. 2003.
[5] Jin Qi, Shunyi Zhang, Shujing Li, Lu Cao, "A Random Linear Coding Algorithm for Cognitive Wireless Mesh Networks", JCIT, Vol. 7, No. 6, pp. 112-120, 2012.
[6] Yafei Hu, Fangmin Li, Xinhua Liu, "On Network Coding for Qos Improvement in Wireless Mesh Networks", AISS, Vol. 4, No. 17, pp. 100-113, 2012.
[7] Mingfeng Zhao, Yajian Zhou, Yixian Yang, Wen Song, "An Improved Analog Network Coding Scheme for Cooperative Communication Systems", JCIT, Vol. 6, No. 9, pp. 200-209, 2011.
[8] Ning Cai and Raymond W. Yeung, “Secure network coding,” in Proc. IEEE ISIT’02, Lausanne, Switzerland, July 2002, pp. 323.
[9] Jon Feldman, Tal Malkin, Cliff Stein, and Rocco A. Servedio, “On the capacity of secure network coding,” in Proc. 42nd Annual Allerton Conf. Commun., Control and Comput., Sep. 2004.
[10] Salim El Rouayheb, Emina Soljanin, and Alex Sprintson, “Secure network coding for wiretap networks of type Ⅱ,” IEEE Transactions on Information Theory, Vol. 58, No. 3, pp. 1361-1371. Mar. 2012.
[11] Chi-Kin Ngai, Raymond W. Yeung and Zhixue Zhang, “Network generalized hamming weight,” in Proc. Workshop on Network Coding Theory and Application, Lausanne, Switzerland, 2009, pp. 48-53.
[12] Victor K. Wei, “Generalized hamming weight for linear codes,” IEEE Trans. Inf. Theory, Vol. 37, No. 5, pp. 1412–1418, Sep. 1991.
[13] Kapil Bhattad and Krishna R. Narayanan, “Weakly secure network coding,” in Proc. NETCOD’05, Riva del Garda, Italy, Apr. 2005.
[14] Kunihiko Harada and Hirosuke Yamamoto, “Strongly secure linear network coding,” IEICE Trans. Fund., Vol. E91-A, No. 10, pp. 2720-2728, Oct. 2008.
[15] Danilo Silva and Frank R. Kschischang, “Universal secure network coding via rank-metric codes,” IEEE Trans. Inf. Theory, Vol. 57, No. 2, pp. 1124-1135, Feb. 2011.
[16] Kamal Jain, “Security based on network topology against the wiretapping attack,” IEEE Wireless Commun., Vol. 11, No. 1, pp. 68-71, Feb. 2004.
[17] Majid Adeli and Huaping Liu, “Secure network coding with minimum overhead based on hash functions,” IEEE Commun. Lett., Vol. 13, No 12, pp. 956-958, Dec. 2009.
[18] Peng Zhang, Yinxin Jiang, Chuang Lin, Yanfei Fan and Xuemin Shen, “P-Coding: secure network coding against eavesdropping attacks,” in Proc. IEEE INFOCOM 2010, San Diego, CA, USA, Mar. 2010, pp. 1-9.
[19] Joao P. Vilela, Luisa Lima and Joao Barros, “Lightweight security for network coding,” in Proc. IEEE ICC08, Beijing, China, pp. 1750-1754, May 2008.