Next Article in Journal
Multi-Task Time Series Forecasting Based on Graph Neural Networks
Next Article in Special Issue
Efficient Communications in V2V Networks with Two-Way Lanes Based on Random Linear Network Coding
Previous Article in Journal
Hybrid Threshold Denoising Framework Using Singular Value Decomposition for Side-Channel Analysis Preprocessing
Previous Article in Special Issue
Design and Analysis of Systematic Batched Network Codes
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Multiple Linear-Combination Security Network Coding

1
School of Mathematical Sciences and LPMC, Nankai University, Tianjin 300071, China
2
Institute of Network Coding and the Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong SAR, China
*
Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Entropy 2023, 25(8), 1135; https://doi.org/10.3390/e25081135
Submission received: 29 May 2023 / Revised: 11 July 2023 / Accepted: 20 July 2023 / Published: 28 July 2023
(This article belongs to the Special Issue Information Theory and Network Coding II)

Abstract

:
In this paper, we put forward the model of multiple linear-combination security multicast network coding, where the wiretapper desires to obtain some information about a predefined set of multiple linear combinations of the source symbols by eavesdropping any one (but not more than one) channel subset up to a certain size r, referred to as the security level. For this model, the security capacity is defined as the maximum average number of source symbols that can be securely multicast to all sink nodes for one use of the network under the linear-combination security constraint. For any security level and any linear-combination security constraint, we fully characterize the security capacity in terms of the ratio of the rank of the linear-combination security constraint to the number of source symbols. Also, we develop a general construction of linear security network codes. Finally, we investigate the asymptotic behavior of the security capacity for a sequence of linear-combination security models and discuss the asymptotic optimality of our code construction.

1. Introduction

In 2000, Ahlswede et al. [1] proposed the general concept of network coding. In particular, they investigated the single-source multicast network coding problem, where the source symbols generated by a single source node are required to multicast to multiple sink nodes through a noiseless network while the nodes in the network are allowed to process the received information. It was proven in [1] that if coding is applied at the intermediate nodes (rather than routing only), the source node can multicast source symbols to all the sink nodes at the theoretically maximum rate, i.e., the smallest minimum cut capacity separating a sink node from the source node, as the alphabet size of both the information source and the channel transmission symbol tends toward infinity. In 2003, Li et al. [2] proved that linear network coding over a finite alphabet is sufficient for optimal multicast by means of a vector space approach. Independently, Koetter and Médard [3] developed an algebraic characterization of linear network coding by means of a matrix approach. Jaggi et al. [4] further presented a deterministic polynomial-time algorithm for constructing a linear network code. For comprehensive discussions of network coding, we refer the reader to [5,6,7,8,9,10].
In the paradigm of network coding, information-theoretic security in the presence of a wiretapper is naturally considered (cf. [11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28]), called the secure network coding problem. In the model of secure network coding over a wiretap network, (i) the source node multicasts the source symbols to all the sink nodes, which, as legal users, are required to correctly decode the source symbols; and (ii) the wiretapper, who can access any one but not more than one wiretap set of communication channels, is not allowed to obtain any information about the source symbols. The classical information-theoretically secure models, e.g., Shannon’s cipher system [29], secret sharing [30,31] and the wiretap channel II [32], can be regarded as special cases of the secure network coding model. In particular, a wiretap network is called an r-wiretap network if the wiretapper can fully access an arbitrary subset of, at most, r edges, where the non-negative integer r is called the security level.
In the model of secure network coding, to guarantee the required information-theoretic security, it is necessary to randomize the source symbols to combat the wiretapper. Cai and Yeung [11] presented a code construction for the r-wiretap network. El Rouayheb et al. [12] further showed that the Cai–Yeung code construction can be viewed as a network generalization of the code construction for wiretap channel II in [32]. Motivated by El Rouayheb et al., Silva and Kschischang [13] proposed a universal design of security network codes based on rank-metric codes. For the construction of security network codes in [11,12,13]. However, the existing upper bounds on the minimum required alphabet size may be too large for implementation for certain applications in terms of computational complexity and storage requirement. Feldman et al. [33] showed that for a given security level, the alphabet size can be reduced by sacrificing a small fraction of the information rate. However, if the information rate is not sacrificed, whether it is possible to reduce the required alphabet size is considered an open problem [12,17]. Recently, Guang and Yeung [18] developed a systematic graph-theoretic approach to improve the upper bound on the minimum required alphabet size for the existence of secure network codes, achieving an improvement of general significance. Subsequently, in order to tackle the problem of secure network coding when the information rate and the secure level may vary over time, Guang et al. [19] put forward local-encoding-preserving secure network coding, where a family of secure linear network codes is called local-encoding-preserving if all the codes in this family use a common local encoding operation at each intermediate node in the network. They also constructed a family of local-encoding-preserving secure linear network codes applicable for all possible pairs of rate and security level. We note that the variable-rate linear network coding problem without security consideration was previously investigated by Fong and Yeung [34].
In this paper, we put forward the model of multiple linear-combination security network coding, where multiple linear combinations (containing single linear combination as a special case) of the source symbols are required to be protected from the wiretapper. More precisely, in this model over an r-wiretap network, (i) the single source node generates source symbols over a finite field F, and all the source symbols are required to be correctly decoded at all the sink nodes; and (ii) for a predefined set of linear combinations of the source symbols, the wiretapper, who can fully access any channel subset of a size not larger than r, is not allowed to obtain any information about these linear combinations. For the above security model with security level r, the (linear-combination) security capacity is defined as the maximum average number of source symbols that can be securely multicast to all the sink nodes for one use of the network under the above linear-combination security constraint. A model related to the current work is that considered by Bhattad and Narayanan [23], which contains weakly secure network coding as a special case. The relation between the current work and that of Bhattad and Narayanan [23] is discussed in Appendix A.
In this paper, we investigate the security capacity and the code construction for this model and analyze the asymptotic behavior of the security capacity and code construction for a sequence of linear-combination security models. The main contributions and organization of this paper are as follows:
  • In Section 2, we formally present the model of linear-combination security network coding and the preliminaries, including the necessary notation and definitions.
  • In Section 3, we characterize the security capacity by considering different cases of the security level r. We first prove that C min 1 is the maximum security level such that the source symbols can be securely multicast to all sink nodes with a positive rate, where C min is the smallest minimum cut capacity separating a sink node from the source node. Therefore, the security capacity is zero for r C min . For any nontrivial security level 1 r C min 1 , we prove upper bounds on the security capacity in terms of the ratio τ of the rank of the linear-combination security constraint to the number of source symbols.
    We further develop a systematic construction of linear security network codes, which is applicable to an arbitrary linear-combination security model. Based on the obtained upper bounds and the developed code construction, we fully characterize the security capacity for any possible pair of the number of the source symbols and the linear-combination security constraint. We also determine the threshold value τ 0 such that there is no penalty on the security capacity compared with the capacity without any security consideration when the ratio τ is not larger than τ 0 .
  • In Section 4, we fully characterize the asymptotic behavior of the security capacity for a sequence of linear-combination security models and prove that our code construction is asymptotically optimal.
  • We conclude in Section 5 with a summary of our results.

2. Preliminaries

Consider a communication network whose communication channels are point-to-point. The network is represented by a directed acyclic graph G = ( V , E ) , where V and E are finite sets of nodes and edges, respectively. Here, an edge in the graph G corresponds to a point-to-point channel in the network. In the graph G , multiple edges between two nodes are allowed. We assume that an element in a finite field F can be reliably transmitted on each edge for each use. We use tail ( e ) and head ( e ) to denote the tail node and the head node of an edge e, respectively. For a node v V , we let In ( v ) = { e E : head ( e ) = v } and Out ( v ) = { e E : tail ( e ) = v } , i.e., In ( v ) and Out ( v ) are the set of input edges and the set of output edges, respectively. Furthermore, a sequence of edges ( e 1 , e 2 , , e m ) is called a (directed) path from the node tail ( e 1 ) to the node head ( e m ) if tail ( e i ) = head ( e i 1 ) for i = 2 , 3 , , m . For two nodes u and v with u v , an edge subset C E is called a cut separating v from u if no path exists from u to v upon removing the edges in C. The capacity of a cut separating v from u is defined as the size of this cut. A cut C separating v from u is called a minimum cut separating v from u if there does not exist a cut C separating v from u such that | C | < | C | . The capacity of a minimum cut separating v from u is called the minimum cut capacity separating v from u, as denoted by mincut ( u , v ) . There is a single source node  s V and a set of sink nodes  T V { s } on the graph G . Without loss of generality, we assume that the source node s has no input edges and that every sink node t T has no output edges, i.e., In ( s ) = Out ( t ) = , t T . The graph G , together with s and T, forms a network  N denoted by N = ( G , s , T ) .
The source node s generates Lsource symbols  B 1 , B 2 , , B L that are independent and identically distributed (i.i.d.) random variables with a uniform distribution on the finite field F. All the source symbols are required to be multicast to every sink node t in T by using the network N multiple times, i.e., transmitting multiple elements in F on each edge by using the edge multiple times. There is a wiretapper who can eavesdrop any edge subset of a size up to the security level r, while, for a positive integer m L , the m L linear combinations of the source symbols
i = 1 L a i , j · B i , j = 1 , 2 , , m L
over the finite field F are required to be protected from the wiretapper, where a i , j , 1 i L , 1 j m L are constants in F; that is, the wiretapper is not allowed to obtain any information about the multiple linear combinations of the source symbols given in (1). Furthermore, we let B = ( B 1 , B 2 , , B L ) , and
M L = a i , j 1 i L , 1 j m L ,
is an L × m L matrix. Then, the m L linear combinations in (1) can be written as B · M L . Without loss of generality, we assume that m L L and that the matrix M L has full column rank, i.e.,
Rank ( M L ) = m L .
In this model, the security level r is known by the source node and sink nodes, but which edge subset is eavesdropped by the wiretapper is unknown. It suffices to consider only the wiretap sets of a size exactly equal to r. Then, we let
W r { W E : | W | = r } ,
where each edge subset W W r is called a wiretap set. We use { ( L , M L ) , r } to denote the above linear-combination security model.
Next, we define a (linear-combination) security network code for the security model { ( L , M L ) , r } . In order to combat the wiretapper, we may need randomness to randomize the source symbols. However, as we show, it is not always necessary to randomize the source symbols. As part of the code to be defined, we assume that the key  K is a random variable uniformly distributed over a finite set K , which is available only at the source node s. The key K and the source symbols B i , i = 1 , 2 , , L are assumed to be mutually independent. A ( L , M L ) security network code is defined as follows. First, we let b i F and k K be arbitrary outputs of the source symbol B i and the key K , respectively, i = 1 , 2 , , L . We further let b = ( b 1 , b 2 , , b L ) , which is the output of the vector of source symbols B = ( B 1 , B 2 , , B L ) . A ( L , M L ) security network code C ^ consists of:
  • A local encoding function  θ ^ e for each edge e E , where
    θ ^ e : F L × K Im ( θ ^ e ) , if tail ( e ) = s ; d In ( tail ( e ) ) Im ( θ ^ d ) Im ( θ ^ e ) , otherwise ;
    with Im ( θ ^ e ) denoting the image set of θ ^ e ;
  • A decoding function for each sink node t T :
    φ ^ t : e In ( t ) Im ( θ ^ e ) F L
    to decode the source symbols b 1 , b 2 , , b L at t.
Furthermore, we use y e Im ( θ ^ e ) to denote the message transmitted on each edge e E by using the code C ^ under b and k . With the encoding mechanism described in (2), we readily see that y e is a function of b and k , as denoted by h ^ e b k (i.e., y e = h ^ e b k ), where h ^ e can be obtained by recursively applying the local encoding functions θ ^ e , e E according to any ancestral order of the edges in E . More precisely, for each e E , we have
h ^ e b k = θ ^ e b k , if tail ( e ) = s ; θ ^ e h ^ In ( u ) ( b k ) , otherwise ;
where u = tail ( e ) and h ^ E ( b k ) h ^ e ( b k ) : e E for an edge subset E E so that h ^ In ( u ) ( b k ) = h ^ e ( b k ) : e In ( u ) . We call h ^ e the global encoding function of the edge e for the code C ^ .
For the security model { ( L , M L ) , r } , a ( L , M L ) security network code C ^ = { θ ^ e : e E ; φ ^ t : t T } is admissible if the following decoding and security conditions are satisfied:
  • Decoding condition: All the source symbols are correctly decoded for each sink node t T , i.e., for each t T ,
    φ ^ t h ^ In ( t ) ( b k ) = b , b F L and k K ;
  • Security condition: for each wiretap set, W W r ,
    I Y W ; B · M L = 0 ,
    where Y W ( Y e : e W ) , and Y e h ^ e ( B , K ) is the random variable transmitted on the edge e.
For an admissible ( L , M L ) security network code C ^ = { θ ^ e : e E ; φ ^ t : t T } , we let
n e = log | F | | Im ( θ ^ e ) |
for each edge e in E , which is regarded as the number of times the edge e is used for transmission when applying the code C ^ . We further let n ( C ^ ) max e E n e . Then, the rate of C ^ is defined by
R ( C ^ ) = L n ( C ^ ) ,
which is the average number of source symbols that can be securely multicast to all the sink nodes for one use of the network using the code C ^ .
Furthermore, the security capacity for this model { ( L , M L ) , r } is defined as the maximum rate of all admissible ( L , M L ) security network codes, i.e.,
C = max R ( C ^ ) : C ^ is an admissible ( L , M L ) sec urity network code for { ( L , M L ) , r } .
According to the definition of the rate in (5), characterizing the security capacity C is equivalent to determining the minimum n ( C ^ ) over all the admissible ( L , M L ) security network codes, i.e.,
n * min n ( C ^ ) : C ^ is an admissible ( L , M L ) security network code for { ( L , M L ) , r } .
For instance, a special case of the linear-combination security model { ( L , M L ) , r } is algebraic-sum security network coding, as elaborated below. In this model, the source node s generates L source symbols B 1 , B 2 , , B L , which are required to be multicast to every sink node t T , and the wiretapper, who can eavesdrop any edge subset of size r, is not allowed to obtain any information about the m algebraic sums of the source symbols:
i [ L ] : i j ( mod m ) B i , j = 1 , 2 , , m ,
where 1 m L , and [ L ] { 1 , 2 , , L } . For this algebraic-sum security model, when m = 1 , we adopt the convention that i 1 ( mod 1 ) for all i = 1 , 2 , , L . Then, Equation (6) becomes i = 1 L B i , i.e., the algebraic sum i = 1 L B i of all the L source symbols is required to be protected from the wiretapper. When m = L , we have i i ( mod m ) , i , i [ L ] , where i i ; thus, all the source symbols B 1 , B 2 , , B L are required to be protected from the wiretapper. This is the standard model of secure network coding, which has been widely studied in the literature, e.g., [11,12,13,14,15,16,17,18,19,20,21,22,23,24].
An example scenario for the application of the linear-combination security model is as follows. A predefined set of linear combinations of the source symbols is required to be protected from the wiretapper, while other linear combinations are unprotected. The source node s generates L source symbols B 1 , B 2 , , B L in the finite field F, which are required to be multicast to every sink node t T . The L × m L matrix M L is regarded as an F-valued parity-check matrix. We denote the solution space of the system of linear equations b · M L = 0 over F as V ( 0 ) , i.e.,
V ( 0 ) = b F L : b · M L = 0 ,
where 0 is the zero row m L -vector. According to the value of b · M L , for every output b F L of B = ( B 1 , B 2 , , B L ) , the vector space F L can be partitioned into | F | m L cosets of the solution space given by V ( a ) : a F m L , where V ( a ) b F L : b · M L = a . In this scenario, we desire to protect the information as to which coset V ( a ) the vector b lies in, which may contain some useful information for the wiretapper. In other words, the information about the specified linear combinations B · M L needs to be protected from the wiretapper, while other linear combinations are unprotected.

3. Characterization of the Capacity ofthe Security Model { ( L , M L ) , r }

3.1. Upper Bounds on the Security Capacity

Consider a linear-combination security model { ( L , M L ) , r } . We first consider the trivial case of r C min , where C min min t T mincut ( s , t ) . In this case, for a sink node t T such that mincut ( s , t ) = C min , the wiretapper is able to decode the source symbols, provided that the sink node t correctly decodes them. This shows that the security capacity is C = 0 for r C min , which implies that C min 1 is an upper bound on the maximum security level for which the source symbols can be multicast with a positive rate. For another trivial case r = 0 , the security model { ( L , M L ) , 0 } becomes a single-source multicast network coding problem without any security consideration. Given the fact that the maximum rate at which the source symbols can be correctly multicast to all the sink nodes is C min (cf. [1,6]), we thus obtain that
n * = L C min ,
or, equivalently,
C = L n * = L L / C min .
Next, we consider 0 < r < C min . We readily see that an admissible ( L , M L ) security network code C ^ is also a network code such that all the L source symbols can be correctly decoded at each t T . This immediately implies that n * can be lower-bounded by L / C min for any security level 0 < r < C min , i.e.,
n * L C min .
Furthermore, we present the following lemma, which asserts a non-trivial lower bound on n * .
Lemma 1. 
Consider a linear-combination security model { ( L , M L ) , r } with a security level of 0 < r < C min , where Rank ( M L ) = m L . Let τ = m L / L . Then,
n * τ L C min r .
Proof. 
First, we claim that
H ( B · M L ) = τ L · log | F | ,
where τ L = m L . To see this, we consider an arbitrary row vector x F τ L and obtain
Pr B · M L = x = b F L : b · M L = x Pr B = b = # b F L : b · M L = x · 1 | F | L = 1 | F | τ L ,
where the equality Pr B = b = 1 | F | L holds because the source symbols B i , 1 i L are i.i.d. with the uniform distribution on F.
We now consider an arbitrary admissible ( L , M L ) security network code: C ^ = { θ ^ e : e E ; φ ^ t : t T } . For an edge subset C that separates a sink node t T from the source node s, it follows from the decoding condition (3) that H ( B | Y C ) = 0 . This immediately implies that
H B · M L | Y C = 0 .
Furthermore, for any wiretap set W W r with W C , it follows from the security condition (4) that
H B · M L = H B · M L | Y W .
Combining (11) and (12), we obtain
H B · M L = H B · M L | Y W H B · M L | Y C = I B · M L ; Y C W | Y W H Y C W | Y W H Y C W e C W H ( Y e )
e C W log | Im ( θ ^ e ) |
e C W n e · log | F |
n ( C ^ ) · | C W | · log | F | ,
where the inequality (13) holds because Y e takes values in Im ( θ ^ e ) , and the inequality (14) follows from
n e = log | F | | Im ( θ ^ e ) | log | F | | Im ( θ ^ e ) | ,
and the inequality (15) follows from n ( C ^ ) = max e E n e .
Combining (9) and (15), we obtain
n ( C ^ ) H B · M L | C W | · log | F | = τ L | C W | .
Note that the above inequality is true for each sink node t T and all the pairs ( C , W ) of the cut C separating t from s and the wiretap set W W r such that W C . We thus obtain
n ( C ^ ) max t T max ( W , C ) W r × Λ t : W C τ L | C W | ,
where Λ t C E : C is a cut separating t from s . For each t T , we have
| C W | C min r , ( W , C ) W r × Λ t with W C .
According to the definition of C min , this lower bound is achievable for some t T and ( W , C ) W r × Λ t such that W C . It then follows that
n ( C ^ ) τ L C min r .
Furthermore, since n ( C ^ ) is an integer, we have
n ( C ^ ) τ L C min r .
In addition, because the above lower bound (16) on n ( C ^ ) is valid for any admissible ( L , M L ) security network code C ^ , we obtain
n * τ L C min r .
The lemma is thus proven. □
The lower bounds in (7) and (8) on n * apply to all 0 < r < C min . For a specific value of τ , one of them can be tighter than the other. By comparing these bounds, we can readily obtain the upper bounds on the security capacity C as stated in the following theorem.
Theorem 1. 
Consider a linear-combination security model { ( L , M L ) , r } with a security level of 0 < r < C min , where Rank ( M L ) = m L . Let
τ = m L L and τ 0 = C min r C min .
  • If 0 τ τ 0 , then
    C L L / C min .
  • If τ 0 < τ 1 , then
    C L τ L / ( C min r ) .
Proof. 
By comparing the lower bounds ((7) and (8)) on n * , we immediately obtain
  • if 0 τ τ 0 , then
    n * L C min τ L C min r
    implying that
    C L L / C min ;
  • If τ 0 < τ 1 , we have
    n * τ L C min r L C min
    implying that
    C L τ L / C min .
We have thus proven the theorem. □

3.2. Characterization of the Security Capacity

Next, we present a code construction for the security model { ( L , M L ) , r } with 0 < r < C min , which shows that the upper bounds in Theorem 1 for both cases of τ are tight. We thus obtain a full characterization of the security capacity for the security model { ( L , M L ) , r } , as stated in the following theorem.
Theorem 2. 
Consider a linear-combination security model { ( L , M L ) , r } over a finite field F, where 0 < r < C min and | F | > max | T | , | E | r . Let
τ = m L L and τ 0 = C min r C min .
  • If 0 τ τ 0 , then
    C = L L / C min .
  • If τ 0 < τ 1 , then
    C = L τ L / ( C min r ) .
This theorem reveals the somewhat surprising fact that for the case of 0 τ τ 0 , there is no penalty on the security capacity compared with the capacity without any security consideration. In Section 4, we further investigate the asymptotic behavior of the security capacity for a sequence of the security models as L tends toward infinity. We not only characterize the asymptotic behavior of the security capacity but also show the asymptotic optimality of our construction.
We first define a linear security network code for the security model { ( L , M L ) , r } . Briefly, a ( L , M L ) security network code C ^ is linear if the local encoding functions for all the edges are linear. Specifically, we recall that b = ( b 1 , b 2 , , b L ) F L is an arbitrary output of the vector of source symbols B = ( B 1 , B 2 , , B L ) . Let K = F z , where the non-negative integer z is specified later. Then, the key K is a random row vector uniformly distributed on F z . We further let k F z be an arbitrary output of K . Consequently, for a ( L , M L ) linear security network code C ^ , all the global encoding functions h ^ e , e E are linear functions of b and k . Therefore, there exists an F-valued ( L + z ) × n matrix H e = h e ( 1 ) h e ( 2 ) h e ( n ) for each e E such that
h ^ e ( b k ) = ( b k ) · H e ,
where n n ( C ^ ) , and H e is called the global encoding matrix of the edge e for the code C ^ . In particular, if n ( C ^ ) = 1 , then the code C ^ is called a ( L , M L )  scalar-linear security network code.
In the following, for the nontrivial case of a security model { ( L , M L ) , r } with a security level of 0 < r < C min , we develop a construction of admissible ( L , M L ) linear security network codes that can be applied to any pair ( L , M L ) . This code construction shows that the upper bounds in Theorem 1 for both cases of τ are tight, which we state in the following theorem.
Theorem 3. 
Consider a linear-combination security model { ( L , M L ) , r } over a finite field F, where Rank ( M L ) = m L , 0 < r < C min and | F | > max | T | , | E | r . Let
τ = m L L and τ 0 = C min r C min .
Then, there exists an admissible ( L , M L ) linear security network code C ^ such that
  • If 0 τ τ 0 , then
    n ( C ^ ) = L C min ;
  • if τ 0 < τ 1 , then
    n ( C ^ ) = τ L C min r .

3.3. Proof of Theorem 3

In this subsection, we provide the proof of Theorem 3, which includes three parts: code construction, verification of the decoding condition and verification of the security condition.
Code construction:
We consider a linear-combination security model { ( L , M L ) , r } over a finite field F, where 0 < r < C min and | F | > max | T | , | E | r . In the following, we construct an admissible ( L , M L ) linear security network code such that the L source symbols can be securely multicast to all the sink nodes by transmitting n symbols on each edge, i.e., using the network n times, where
n = L C min , if 0 τ τ 0 , τ L C min r . if τ 0 < τ 1 ,
(cf. (21) and (22)). For any 0 τ 1 , we let
z = 0 , if L n r + τ L , n r + τ L L , if L < n r + τ L ,
i.e.,
K = , if L n r + τ L , F n r + τ L L , if L < n r + τ L .
According to (24), when L n r + τ L , it is unnecessary to randomize the source symbols to guarantee linear-combination security. Furthermore, for any pair ( L , z ) satisfying (24), we observe that
n r + τ L L + z n C min .
The first inequality in (25) is straightforward. To prove the second inequality, we consider two cases below.
Case 1: 
L n r + τ L .
According to (24) we have z = 0 , and thus:
L + z = L .
Furthermore, it follows from (23) that for 0 τ τ 0 ,
n = L C min L C min ;
and for τ 0 < τ 1 ,
n = τ L C min r L C min L C min
(cf. (18) for the first inequality in the above equation). Together with (26), we immediately prove that L + z = L n C min for this case.
Case 2: 
L < n r + τ L .
According to (24), we have
L + z = n r + τ L .
Furthermore, it follows from (23) that for 0 τ τ 0 ,
n = L C min τ L C min r τ L C min r
(cf. (17) for the first inequality in the above equation), and for τ 0 < τ 1 ,
n = τ L C min r τ L C min r .
Together with (27), we immediately obtain that L + z = n r + τ L n C min for this case. Combining the two cases, we have proven the second inequality in (25).
According to (25), we have L + z n C min . This implies that the L + z symbols in F generated by the source node s, which contain the L source symbols and the key of z symbols, can be multicast to all the sink nodes in T by using the network n times. To elaborate this, we first claim that
L + z > ( n 1 ) C min .
  • When 0 τ τ 0 , it follows from (23) that
    ( n 1 ) C min = L C min 1 · C min < L C min · C min = L L + z .
  • When τ 0 < τ 1 , according to (23), we obtain
    ( n 1 ) C min = τ L C min r 1 · C min < τ L C min r · C min = τ L + τ L C min r · r τ L + n r L + z ,
    where the last two inequalities follow from (23) and (25), respectively.
Thus, we have proven (28).
Now, we let b 1 , b 2 , , b L + z be the L + z source symbols, and divide them into n groups b 1 , b 2 , , b n 1 and b n , where for i = 1 , 2 , , n 1 , b i contains C min source symbols, and b n contains the remaining L + z ( n 1 ) C min source symbols. Here, we note from (25) and (28) that
1 L + z ( n 1 ) C min C min .
Thus, it suffices to construct, at most, 2 scalar-linear network codes of dimensions C min and ω L + z ( n 1 ) C min , respectively, to multicast the L + z source symbols to all the sink nodes.
Let C 1 be a C min -dimensional scalar-linear network code in the network N , of which the global encoding vectors are column vectors f e in F C min for all e E , and let C 2 be an ω -dimensional scalar-linear network code on N , of which the global encoding vectors are column vectors f e in F ω for all e E (cf. [1,2] and [6]). We use two codes C 1 and C 2 to construct an ( L + z ) -dimensional (vector-) linear network code C on the network N such that n symbols are transmitted on each edge e E . Specifically, for each e E , we let
G e = g e ( 1 ) g e ( 2 ) g e ( n ) = f e 0 0 0 0 f e 0 0 0 0 f e 0 0 0 0 f e ,
which is an F-valued ( L + z ) × n matrix regarded as the global encoding matrix for the code C .
Next, for an edge e E , we use G e to denote the vector space spanned by the column vectors of the matrix G e , i.e.,
G e g e ( 1 ) , g e ( 2 ) , , g e ( n ) .
Furthermore, for a wiretap set W W r , we use G W to denote the ( L + z ) × n r matrix whose column vectors are the column vectors of G e for all the edges e W , i.e.,
G W = G e : e W = g e ( 1 ) g e ( 2 ) g e ( n ) : e W ,
Then, similarly, we use G W to denote the vector space spanned by the column vectors of the matrix G W , i.e.,
G W g e ( 1 ) , g e ( 2 ) , , g e ( n ) : e W .
Hence, we readily see that
G W = e W G e .
Now, we claim that there exist F-valued column ( L + z ) -vectors u i , i = 1 , 2 , , τ L such that
u i : 1 i τ L G W = { 0 } , W W r .
To show this, we prove by induction on 1 j τ L that if we have j 1 linearly independent column vectors u 1 , u 2 , , u j 1 in F L + z such that
u i : 1 i j 1 G W = { 0 } , W W r ,
then we can choose a column vector u j F L + z u i : 1 i j 1 such that
u i : 1 i j G W = { 0 } , W W r ,
provided that | F | > | E | r . We consider
| F L + z W W r G W , u 1 , u 2 , , u j 1 |
| F | L + z | W r | · | F | n r + j 1
| F | n r + τ L | W r | · | F | n r + τ L 1
| F | n r + τ L 1 · | F | | W r | > 0 ,
where the inequality (30) follows because
dim G W , u 1 , u 2 , , u j 1 dim G W + j 1 n | W | + j 1 = n r + j 1 , W W r ;
inequality (31) follows from L + z n r + τ L according to (25) and inequality (32) follows from
| F | > | E | r = | W r | .
Thus, we have proven the existence of such vectors u i , 1 i τ L that satisfy the condition (29).
With the vectors u i , 1 i τ L , we let U be an F-valued ( L + z ) × ( L + z ) invertible matrix such that u i , 1 i τ L are the first τ L column vectors of U. Furthermore, we consider an ( L + z ) × τ L matrix
M ^ L M L 0 ,
where 0 is the z × τ L zero matrix. In particular, when z = 0 (cf. (24)), M ^ L = M L . Recalling that M L has full column rank, we readily see that M ^ L also has full column rank. With the full-column-rank matrix M ^ L , we let Γ be an F-valued ( L + z ) × ( L + z ) invertible matrix such that the column vectors of M ^ L are the first τ L column vectors of Γ . Then, we define the matrix
Q Γ · U 1 ,
which is of size ( L + z ) × ( L + z ) and also invertible over F.
Now, we consider the transformation Q · C of the code C by the matrix Q, i.e., Q · C is an F-valued ( L + z ) -dimensional linear network code on the network N , of which all the global encoding matrices are
H e Q · G e , e E ,
(cf. the transformation of a scalar-linear network code in [6], Section 19.3.1 and [19], Theorem 2). Next, we show that C ^ Q · C is an admissible F-valued ( L , M L ) linear security network code for the security model { ( L , M L ) , r } by verifying the decoding and security conditions.
Remark 1. 
We now discuss the computational complexity of our code construction. Our code construction consists of two parts: (i) constructing the two linear network codes C 1 and C 2 of different dimensions, which are used to multicast all the L + z symbols to the sink nodes; and (ii) constructing the transformation matrix Q, or equivalently, constructing the τ L column ( L + z ) -vectors u i , 1 i τ L that satisfy the condition (29). We analyze the complexity of the two parts as follows.
  • The linear network codes C 1 and C 2 can be constructed in polynomial time (cf. [4,6,7]);
  • To obtain the column ( L + z ) -vectors u i , 1 i τ L that satisfy (29), we, in turn, choose τ L vectors u i as follows:
    u i F L + z W W r G W , u 1 , u 2 , , u i 1 .
    According to ([35], Lemma 11), the vectors u i , 1 i τ L can be found in
    O τ L ( L + z ) 3 | W r | + τ L ( L + z ) | W r | 2 .
By combining the above analysis, our code construction can be implemented in polynomial time.
Verification of the decoding condition:
We continue to consider the output of the source ( b , k ) , where b F L is the vector of source symbols, and k F z is the key. In using the code C ^ , the implementation of the global encoding matrices H e , e E is equivalent to linearly transforming ( b k ) into x ( b k ) · Q , then using the code C to multicast x to all the sink nodes in T.
Since the vector x can be correctly decoded at each t T when applying the code C , ( b k ) can be also correctly decoded at each t T , as can the vector b of source symbols. Thus, we have verified the decoding condition.
Verification of the security condition:
In order to verify the security condition (4), we need the next lemma, which plays a crucial role in our code construction. This lemma provides a necessary and sufficient condition for a linear security network code to satisfy the security condition (4). For an edge e E , H e denotes the vector space spanned by the column vectors of H e , i.e.,
H e h e ( 1 ) , h e ( 2 ) , , h e ( n ) .
Furthermore, for a wiretap set W W r , we let H W be the ( L + z ) × n r matrix that contains all the column vectors of the global encoding matrices H e for all the edges e W , i.e.,
H W = H e : e W = h e ( 1 ) h e ( 2 ) h e ( n ) : e W .
We let
H W h e ( 1 ) , h e ( 2 ) , , h e ( n ) : e W
be the vector space spanned by the column vectors of H W . Evidently,
H W = e W H e .
Lemma 2. 
For the security model { ( L , M L ) , r } over a finite field F with 0 < r < C min , let C ^ be an F-valued ( L , M L ) linear security network code, of which the global encoding matrices are ( L + z ) × n matrices H e = h e ( 1 ) h e ( 2 ) h e ( n ) , e E . Then, for the code C ^ , the security condition (4) is satisfied if and only if
M ^ L H W = { 0 } , W W r ,
where M ^ L = M L 0 is an ( L + z ) × τ L matrix as defined in (33).
Proof. 
See Appendix B. □
Now, we start to verify the security condition for our code construction. Toward this end, according to Lemma 2, it suffices to verify (35). For the constructed ( L , M L ) linear security network code C ^ , we have
u i : 1 i τ L G W = { 0 } , W W r
(cf. (29)). We recall (34) that Q = Γ · U 1 is an ( L + z ) × ( L + z ) invertible matrix. Then, according to (36), we immediately obtain
Q · u i : 1 i τ L Q · G W = { 0 } , W W r .
We note that
H W = H e : e W = Q · G e : e W = Q · G W , W W r .
Furthermore, we write
u 1 u 2 u τ L = U · I τ L 0 ,
where we recall that u i , 1 i τ L are the first τ L column vectors of U, I τ L is the τ L × τ L identity matrix and 0 is the ( L + z τ L ) × τ L zero matrix. Then, we can see that
Q · u 1 u 2 u τ L = Q · U · I τ L 0
= Γ · U 1 · U · I τ L 0 = Γ · I τ L 0
= M ^ L ,
where (39) follows from Q = Γ · U 1 (cf. (34)), and (40) follows because the column vectors of M ^ L are the first τ L column vectors of Γ . Combining (38) and (40) with (37), we immediately prove that
M ^ L H W = { 0 } , W W r .
Thus, according to Lemma 2, we have verified the security condition. Combining all the above, Theorem 3 has been proven.

3.4. An Example to Illustrate Our Code Construction

Let N = ( G , s , T = { t 1 , t 2 } ) be the butterfly network as depicted in Figure 1. For the security model r = 1 , we consider two linear-combination security models { ( 2 , M 2 ) , 1 } and { ( 3 , M 3 ) , 1 } over the field F 3 = { 0 , 1 , 2 } , where
M 2 = 1 1 and M 3 = 1 0 1 1 0 1 .
Namely, in the { ( 2 , M 2 ) , 1 } security model, the algebraic sum B 1 + B 2 of the two source symbols is required to be protected from the wiretapper, and in the { ( 3 , M 3 ) , 1 } security model, the algebraic sums B 1 + B 2 and B 2 + B 3 of the source symbols are required to be protected from the wiretapper.
  • The security model: { ( 2 , M 2 ) , 1 } .
In this model, the source node s generates two source symbols b 1 and b 2 in F 3 , and the algebraic sum b 1 + b 2 needs to be protected. According to (41), we have
m 2 = Rank ( M 2 ) = 1 , and τ = m 2 2 = 1 2 = τ 0 = C min r C min .
Therefore, we have 0 τ τ 0 , i.e., the first case in Theorem 2. Next, we construct an optimal F 3 -valued ( 2 , M 2 ) linear security network code for the { ( 2 , M 2 ) , 1 } security model, which achieves a security capacity of 2.
According to our code construction, it follows from (23) and (24) that we take
n = L C min = 1
and z = 0 because L = 2 n r + τ L = 2 . We first consider an F 3 -valued two-dimensional scalar-linear network code C 1 on the network N , which is used to multicast two source symbols b 1 and b 2 in F 3 to sink nodes t 1 and t 2 . The global encoding matrices (vectors) of C 1 are
G e 1 = G e 3 = G e 8 = 1 0 , G e 2 = G e 4 = G e 9 = 0 1 , and G e 5 = G e 6 = G e 7 = 1 1 .
Clearly, the code C 1 is not secure for the algebraic sum b 1 + b 2 because the wiretapper can obtain b 1 + b 2 by accessing the edge e 5 on which b 1 + b 2 is transmitted. Based on the code C 1 , we now construct a ( 2 , M 2 ) scalar-linear security network code for the { ( 2 , M 2 ) , 1 } security model.
Next, we let u 1 = 1 2 , an F 3 -valued column 2-vector such that u 1 G e i , 1 i 9 (cf. (29)). Then, let U = 1 0 2 1 , a 2 × 2 invertible matrix on F 3 such that u 1 is the first column vector of U. Furthermore, since z = 0 , we have M ^ 2 = M 2 = 1 1 (cf. (33)) and let Γ = 1 0 1 1 , which is a 2 × 2 invertible matrix on F 3 such that 1 1 is the first column vector of Γ . According to (34), we calculate Q = Γ · U 1 = 1 0 2 1 . Now, we obtain an admissible F 3 -valued ( 2 , M 2 ) scalar-linear security network code C ^ 1 = Q · C 1 , of which the global encoding matrices (vectors) are H e i = Q · G e i , 1 i 9 . Specifically,
H e 1 = H e 3 = H e 8 = 1 2 , H e 2 = H e 4 = H e 9 = 0 1 , and H e 5 = H e 6 = H e 7 = 1 0 .
We use y e i , which takes values in F 3 , to denote the message transmitted on each edge e i , 1 i 9 . According to the above global encoding matrices of C ^ 1 , the messages y e i ( = ( b 1 , b 2 ) · H e ) transmitted on the edges e i , 1 i 9 are
y e 1 = y e 3 = y e 8 = b 1 + 2 b 2 , y e 2 = y e 4 = y e 9 = b 2 , and y e 5 = y e 6 = y e 7 = b 1 ,
as depicted in Figure 2. We can readily verify the decoding and security conditions for the code C ^ 1 . In particular, in this case, we see that although no randomness is used to randomize the source symbols, the wiretapper cannot obtain any information about the algebraic sum b 1 + b 2 when any one edge is eavesdropped.
  • The security model: { ( 3 , M 3 ) , 1 } .
In this model, the source node s generates three source symbols b 1 , b 2 and b 3 in F 3 , and two algebraic sums b 1 + b 2 and b 2 + b 3 need to be protected. According to (41), we note that m 3 = Rank ( M 3 ) = 2 ; thus,
τ = m 3 3 = 2 3 > τ 0 = C min r C min = 1 2 .
Therefore, we have τ 0 < τ 1 , i.e., the second case in Theorem 2. Next, we construct an optimal F 3 -valued ( 3 , M 3 ) linear security network code for the { ( 3 , M 3 ) , 1 } security model, which achieves a security capacity of 3 / 2 .
According to our code construction, it follows from (23) and (24) that we take
n = τ L C min r = 2
and z = 1 because L < n r + τ L according to L = 3 and n r + τ L = 4 . We consider an F 3 -valued four-dimensional (where 4 = L + z ) linear network code C 2 of rate 2, which is used to multicast the three source symbols b 1 , b 2 and b 3 and a key k in F 3 to the sink nodes t 1 and t 2 . The 4 × 2 global encoding matrices of C 2 are
G e 1 = G e 3 = G e 8 = 1 0 0 0 0 1 0 0 , G e 2 = G e 4 = G e 9 = 0 0 1 0 0 0 0 1 , and G e 5 = G e 6 = G e 7 = 1 0 1 0 0 1 0 1 .
We note that the code C 2 is not secure because the wiretapper can obtain some information about b 1 + b 2 by accessing the edge e 5 on which b 1 + b 2 and b 3 + k are transmitted. Based on the code C 2 , we now construct a linear secure network code for the { ( 3 , M 3 ) , 1 } security model.
Let
u 1 = 1 2 0 0 and u 2 = 0 0 1 2
be two F 3 -valued column 4-vectors such that u 1 , u 2 G e i = { 0 } , 1 i 9 (cf. (29)). Then, let
U = 1 0 0 0 2 0 1 0 0 1 0 0 0 2 0 1
be a 4 × 4 invertible matrix on F 3 such that u 1 and u 2 are the first two column vectors of U. Furthermore, since z = 1 , as mentioned above, we have
M ^ 3 = 1 0 1 1 0 1 0 0
(cf. (33)). Also let
Γ = 1 0 0 0 1 1 0 0 0 1 1 0 0 0 0 1
be a 4 × 4 invertible matrix on F 3 such that the column vectors of M ^ L are the first two column vectors of Γ . According to (34), we calculate
Q = Γ · U 1 = 1 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 ,
Now, we obtain an admissible F 3 -valued ( 3 , M 3 ) linear security network code C ^ 2 = Q · C 2 , of which the 4 × 2 global encoding matrices are H e i = Q · G e i , 1 i 9 ; specifically,
H e 1 = H e 3 = H e 8 = 1 0 1 1 1 1 0 1 , H e 2 = H e 4 = H e 9 = 0 0 0 0 1 0 0 1 , and H e 5 = H e 6 = H e 7 = 1 0 1 1 2 1 0 2 .
We use y e i , which takes values in F 3 2 , to denote the message transmitted on each edge e i , 1 i 9 . According to the above global encoding matrices of C ^ 2 , the messages y e i ( = ( b 1 , b 2 , b 3 , k ) · H e ) transmitted on the edges e i , 1 i 9 are
y e 1 = y e 3 = y e 8 = ( b 1 + b 2 + b 3 , b 2 + b 3 + k ) , y e 2 = y e 4 = y e 9 = ( b 3 , k ) , and y e 5 = y e 6 = y e 7 = ( b 1 + b 2 + 2 b 3 , b 2 + b 3 + 2 k ) ,
as depicted in Figure 3.
For the { ( 2 , M 2 ) , 1 } and { ( 3 , M 3 ) , 1 } security models, as discussed in the above example, according to Theorem 3, admissible linear security network codes with rates of 2 and 3 / 2 , respectively, can be constructed if the field size is | F | > max | T | , | E | r = 9 . However, we see in the example that the field F 3 , of size 3 is sufficient for our code construction. This implies that the max | T | , | E | r bound in Theorem 3 on the field size is only sufficient but not necessary for our code construction.

4. Asymptotic Behavior of the Security Capacity

In this section, we investigate the asymptotic behavior of the security capacity. For a fixed network N and a security level r, we consider a sequence of the { ( L , M L ) , r } , L = 1 , 2 , security models. The following theorem characterizes the asymptotic behavior of the security capacity for a sequence of security models { ( L , M L ) , r } , L = 1 , 2 , .
Theorem 4. 
Consider a sequence of linear-combination security models { ( L , M L ) , r } over a finite field F for L = 1 , 2 , , where 0 < r < C min and | F | > max | T | , | E | r . C L , M L denotes the security capacity for each model { ( L , M L ) , r } . Let
τ L = m L L , L = 1 , 2 , and τ 0 = C min r C min ,
where m L = Rank ( M L ) for L = 1 , 2 , .
  • If τ L τ 0 + o ( 1 ) , then,
    lim L C L , M L = C min .
  • If τ L = κ + o ( 1 ) , with κ satisfying τ 0 < κ 1 , then,
    lim L C L , M L = κ 1 · ( C min r ) .
Proof. 
We first consider the case of τ L τ 0 + o ( 1 ) . Then, there exists a non-negative sequence, a L , L = 1 , 2 , with lim L a L = 0 , such that
τ L τ 0 + a L , L = 1 , 2 , .
We now use Theorem 2 to show that
C L , M L L ( τ 0 + a L ) · L / ( C min r ) .
To show this, consider the following two cases:
  • If 0 τ L τ 0 , it follows from (19) that
    C L , M L = L L / C min = L τ 0 · L / ( C min r ) L ( τ 0 + a L ) · L / ( C min r ) ;
  • If τ 0 < τ L 1 , then we obtain
    C L , M L = L τ L · L / ( C min r ) L ( τ 0 + a L ) · L / ( C min r ) ,
    where the equality follows from (20), and the inequality follows from (42).
Combining (43) and (7) with Lemma 1, we further obtain that for each pair ( L , M L ) ,
L ( τ 0 + a L ) · L / ( C min r ) C L , M L L L / C min C min .
We note that
lim L L ( τ 0 + a L ) · L / ( C min r ) = C min .
Together with (44), we have thus proven that
lim L C L , M L = C min .
Next, we consider a case in which τ L = κ + o ( 1 ) , where τ 0 < κ 1 . Then, there exists a sequence b L , L = 1 , 2 , satisfying lim L b L = 0 such that
τ L = κ + b L , L = 1 , 2 , .
Here, we note that b L may be negative. Together with κ > τ 0 and lim L b L = 0 , there exists a positive integer L 0 such that for each L L 0 ,
| b L | < κ τ 0 , i . e . , τ 0 κ < b L < κ τ 0 ,
which implies that
τ L = κ + b L > τ 0 , L L 0 .
According to (20) in Theorem 2, we have
C L , M L = L ( κ + b L ) · L / ( C min r ) ,
so that
lim L C L , M L = κ 1 · ( C min r ) .
Thus, the theorem is proven. □
According to Theorem 4, we can see that for a sequence of security models { ( L , M L ) , r } , L = 1 , 2 , that satisfies τ L τ 0 + o ( 1 ) or τ L = κ + o ( 1 ) , where τ 0 < κ 1 , our code construction is asymptotically optimal, i.e.,
lim L R ( C ^ L , M L ) = lim L C L , M L ,
where C ^ L , M L is the code constructed for each model { ( L , M L ) , r } by our code construction. To illustrate this, in the following, we consider several specific sequences of security models.
First, we consider a sequence of security models { ( L , M L ) , r } , L = 1 , 2 , in which all the ranks Rank ( M L ) , L = 1 , 2 , are upper-bounded by a constant, such as m, e.g., the security constraint of multiple algebraic sums,
i [ L ] : i j ( mod m ) B i , j = 1 , 2 , , m
as discussed in the last paragraph of Section 2. With this, we have
lim L m L L = 0 ,
which implies the inequality τ L = m L / L τ 0 + o ( 1 ) . It then follows from the first case of Theorem 4 that
lim L C L , M L = C min .
Next, we show that our code construction is asymptotically optimal. We first note that
τ L = m L L C min r C min = τ 0 , L C min · m C min r .
Together with the first case of Theorem 3 (cf. (21)), the constructed code C ^ L , M L achieves a rate of R ( C ^ L , M L ) = L L / C min . This immediately implies that the equality (45) is satisfied, namely that our code construction is asymptotically optimal for this example.
Next, we consider a sequence of security models { ( L , M L ) , r } , L = 1 , 2 , in which all the ranks m L = Rank ( M L ) satisfy
m L = κ · L , L = 1 , 2 , .
We note that the sequence of m L , L = 1 , 2 , is not upper-bounded. According to Theorem 4, we can obtain the asymptotic behavior of the security capacity for the sequence of models { ( L , M L ) , r } , L = 1 , 2 , as follows:
lim L C L , M L = C min , if 0 < κ τ 0 , κ 1 · ( C min r ) , if τ 0 < κ < 1 .
Furthermore, it follows from Theorem 3 that
lim L R ( C ^ L , M L ) = C min , if 0 < κ τ 0 , κ 1 · ( C min r ) , if τ 0 < κ < 1 ,
where C ^ L , M L is the code constructed for each model { ( L , M L ) , r } by the code construction. Comparing (46) and (47), we immediately see that the equality (45) holds, which shows that our code construction is asymptotically optimal for this example.
Finally, we consider the special sequence of security models { ( L , M L ) , r } for L = 1 , 2 , , where m L = L , i.e., τ L = m L / L = 1 for all L = 1 , 2 , . This linear-combination security constraint is equivalent to protecting all the source symbols from the wiretapper, so each model { ( L , M L ) , r } is equivalent to the standard secure-network coding model. Thus, we have
lim L C L , M L = C min r .
On the other hand, for each pair ( L , M L ) , it follows from τ L = 1 and Theorem 3 that the ( L , M L ) linear security network code C ^ L , M L constructed by our code construction has a rate of
R ( C ^ L , M L ) = L L / ( C min r ) .
This implies that
lim L R ( C ^ L , M L ) = C min r .
Combining (48) and (49), we see that the equality (45) holds, and thus, our code construction is also asymptotically optimal for this example.

5. Conclusions

In this paper, we put forward the model of multiple linear-combination security network coding, which is specified by the security level, the number of source symbols and the linear-combination security constraint. We fully characterized the security capacity for any such security model in terms of the ratio τ of the rank of the linear-combination security constraint to the number of source symbols. Also, we developed a construction of linear security network codes. The code construction is applicable to any security model, and the constructed code achieves the security capacity. We also determined a threshold value τ 0 such that there is no penalty on the security capacity compared with the capacity without any security consideration when the ratio τ is not larger than τ 0 . Finally, we analyzed the asymptotic behavior of the security capacity for a sequence of linear-combination security models and fully characterized the asymptotic behavior of the security capacity. We also showed that our code construction is asymptotically optimal.

Author Contributions

All authors contributed equally to this work. All authors have read and agreed to the published version of the manuscript.

Funding

The work of Y. Bai and X. Guang was supported in part by the National Key Research and Development Program of China (grant number 2022YFA1005000), the Natural Science Foundation of China (grant number 12141108), the Natural Science Foundation of Tianjin, China (grant number 20JCYBJC01390), and the Fundamental Research Funds for the Central Universities of China (grant number NKU 050-63233070). The work of R. W. Yeung was supported in part by a fellowship award from the Research Grants Council of the Hong Kong Special Administrative Region, China (grant number CUHK SRFS2223-4S03).

Institutional Review Board Statement

Not applicable.

Data Availability Statement

Not applicable.

Acknowledgments

A special case of the results presented in this paper was discussed in our submission to the 2023 IEEE Information Theory Workshop. We thank an anonymous reviewer for pointing out the relation between our submission and the work of Bhattad and Narayanan [23].

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. A Related Work by Bhattad and Narayanan

A model related to the current work is that considered by Bhattad and Narayanan [23], the general case of which is given as follows. On the network N , the single source node s generates L  L C min source symbols, as denoted by X 1 , X 2 , , X L , over a finite field F, which are required to be multicast to all the sink nodes in T. Let U p , 1 p P be P subsets of the L source symbols and G p , 1 p P be another P subsets of the L source symbols. The security requirement is specified by the P pairs ( U p , G p ) , 1 p P as follows. The wiretapper, who can access any one wiretap set W in a collection W of wiretap sets, is not allowed to obtain any information about U p , given G p for each p = 1 , 2 , , P , i.e., for each p = 1 , 2 , , P ,
I U p ; Y W | G p = 0 or H U p | G p = H U p | Y W , G p , W W ,
where Y W = ( Y e : e W ) , with Y e being the random variable transmitted on the edge e. In particular, when taking P = L , U p = { X p } and G p = for 1 p P , the security requirement (A1) becomes
I X p ; Y W = 0 , 1 p P and W W .
This type of security requirement is called weak security in [23].
For the above model, the main focus in [23] is on how to find a suitable linear transformation of the L source symbols for a given linear network code to obtain a secure linear network code such that the security requirement (A1) is satisfied. Theorem 3 in [23], the most general result presented in the paper, asserts the existence of such a linear transformation when a given condition is satisfied. We state this theorem as follows.
Theorem A1 
([23], Theorem 3). Consider an L-dimensional L C min network code C over a finite field F and a collection of wiretap sets W in which r = max W W | W | . Let ( U p , G p ) , 1 p P be P pairs of subsets U p and G p of the L source symbols, which specify the security requirement. If
max 1 p P | U p | + | G p | L r ,
then there exists a linear transformation of the source symbols as a precoding on the linear network code C such that the security requirement (A1) is satisfied.
We now go back to the linear-combination security model { ( L , M L ) , r } discussed in the current paper. Consider the first case 0 τ τ 0 in Theorem 2, where we recall that τ = m L / L , where m L = Rank ( M L ) and τ 0 = ( C min r ) / C min . Then, we can apply the approach of the linear transformation in Theorem A1 (cf. [23] for details) to obtain a ( L , M L ) linear security network code, provided that the following two additional conditions on the model parameters are satisfied:
0 τ L r L ( τ 0 ) and L C min .
Specifically, we consider a linear-combination security model { ( L , M L ) , r } satisfying the conditions (A3), where the L source symbols B 1 , B 2 , , B L are required to be multicast to all the sink nodes in T, and the multiple linear combinations B · M L , where B = ( B 1 , B 2 , , B L ) are required to be protected from the wiretapper. We first linearly transform B = ( B 1 , B 2 , , B L ) to ( X 1 , X 2 , , X L ) using an L × L invertible matrix M whose left L × m L submatrix is equal to M L . Then, we have
( X 1 , X 2 , , X L ) = ( B 1 , B 2 , , B L ) · M ,
where
( X 1 , X 2 , , X m L ) = ( B 1 , B 2 , , B L ) · M L .
We now apply Theorem A1 as follows. Take X 1 , X 2 , , X L as the source symbols. Let U = { X 1 , X 2 , , X m L } , G = and W = W r . According to τ ( L r ) / L , we see that | U | + | G | = m L L r , which satisfies the condition (A2) in Theorem A1. It therefore follows from Theorem A1 that we can construct a linear secure network code such that X 1 , X 2 , , X L can be multicast to all the sink nodes in T, and the wiretapper cannot obtain any information about U, i.e.,
I X 1 , X 2 , , X m L ; Y W = 0 , W W r ,
or, equivalently,
I B · M L ; Y W = 0 , W W r .
Hence, we obtain an admissible ( L , M L ) linear security network code for the security model { ( L , M L ) , r } .
However, the second case τ 0 < τ 1 in Theorem 2 cannot be handled by the approach proposed in [23]. Specifically, according to τ > τ 0 , we have
m L L = τ > τ 0 = C min r C min L r L .
This implies that | U | + | G | = m L > L r , which does not satisfy the condition (A2) in Theorem A1. Hence, we cannot apply the linear transformation approach for the case of τ 0 < τ 1 .

Appendix B. Proof of Lemma 2

We first prove the “only if” part by contradiction. Suppose, on the contrary, that there exists a wiretap set W W r such that
M ^ L H W { 0 } .
In the following, we prove that
I B · M L ; Y W > 0 ,
which contradicts the security condition (4) for the code C ^ .
According (A4), there exist two non-zero column vectors w F n | W | ( = F n r ) and u F τ L such that
H W · w = M ^ L · u 0 ,
where 0 is the zero-column ( L + z ) -vector. Then, we obtain
I B · M L ; Y W = I B · M L ; ( B K ) · H W = H B · M L H B · M L | ( B K ) · H W
= H B · M L H B · M L · | ( B K ) · H W , ( B K ) · H W · w H B · M L H B · M L | ( B K ) · H W · w = I B · M L ; ( B K ) · H W · w = I B · M L ; ( B K ) · M ^ L · u = I B · M L ; B · M L · u = H B · M L · u H B · M L · u | B · M L
= H B · M L · u > 0 ,
where the equality in (A7) follows from Y W = ( B K ) · H W , the equality in (A8) follows from (A6), the equality in (A9) follows from H B · M L · u | B · M L = 0 and the inequality in (A9) follows from M L · u 0 because u 0 , and M L has full column rank. Thus, the inequality in (A5) is proven.
Next, we prove the “if” part. According to the security condition (4), we prove that
H B · M L | Y W = H B · M L , W W r
if the condition in (35) is satisfied. To prove (A10), it suffices to show that for each W W r , the equality
Pr B · M L = x | Y W = y = Pr B · M L = x
is satisfied for any x F τ L row vector and any y F n r row vector such that Pr Y W = y > 0 , i.e., there exists a pair ( b k ) of a vectors of source symbols b F L and a key k F z such that ( b k ) · H W = y .
We recall that
Pr B · M L = x = 1 | F | τ L , x F τ L
(cf. (10)). Thus, we only need to prove that for each W W r ,
Pr B · M L = x | Y W = y = 1 | F | τ L
for any x F τ L and y F n r such that Pr Y W = y > 0 . We now consider
Pr B · M L = x | Y W = y = Pr B · M L = x , Y W = y Pr Y W = y = Pr ( B K ) · M ^ L = x , ( B K ) · H W = y Pr ( B K ) · H W = y = Pr ( B K ) · M ^ L H W = ( x y ) Pr ( B K ) · H W = y = ( b k ) F L × F z : ( b k ) [ M ^ L H W ] = ( x y ) Pr B = b , K = k ( b k ) F L × F z : ( b k ) H W = y Pr B = b , K = k = # ( b k ) F L × F z : ( b k ) · M ^ L H W = ( x y ) # ( b k ) F L × F z : ( b k ) · H W = y ,
where we use “ # { · } ” to denote the cardinality of the set, and the equality (A12) follows because B and K are independently and uniformly distributed on F L and F z , respectively. Furthermore,
  • For the denominator in (A12), we have
    # ( b k ) F L × F z : ( b k ) · H W = y = | F | L + z Rank ( H W ) ;
  • For the numerator in (A12), we have
    # ( b k ) F L × F z : ( b k ) · M ^ L H W = ( x y ) = | F | L + z Rank M ^ L H W = | F | L + z Rank ( H W ) τ L ,
    where the equality (A14) follows from the following condition: M ^ L H W = { 0 } (cf. (35)).
Combining (A13) and (A14) with (A12), we immediately prove that
Pr B · M L = x | Y W = y = 1 | F | τ L ,
which implies the equality in (A11). The “if” part is also proven. We have thus proven the lemma.

References

  1. Ahlswede, R.; Cai, N.; Li, S.-Y.; Yeung, R.W. Network Information Flow. IEEE Trans. Inf. Theory 2000, 46, 1204–1216. [Google Scholar] [CrossRef]
  2. Li, S.-Y.R.; Yeung, R.W.; Cai, N. Linear Network Coding. IEEE Trans. Inf. Theory 2003, 49, 371–381. [Google Scholar] [CrossRef] [Green Version]
  3. Koetter, R.; Médard, M. An Algebraic Approach to Network Coding. IEEE/ACM Trans. Netw. 2003, 11, 782–795. [Google Scholar] [CrossRef] [Green Version]
  4. Jaggi, S.; Sanders, P.; Chou, P.A.; Effros, M.; Egner, S.; Jain, K.; Tolhuizen, L.M. Polynomial Time Algorithms for Multicast Network Code Construction. IEEE Trans. Inf. Theory 2005, 51, 1973–1982. [Google Scholar] [CrossRef] [Green Version]
  5. Ho, T.; Lun, D. Network Coding: An Introduction; Cambridge University Press: Cambridge, UK, 2008. [Google Scholar]
  6. Yeung, R.W. Information Theory and Network Coding; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2008. [Google Scholar]
  7. Yeung, R.W.; Li, S.-Y.R.; Cai, N.; Zhang, Z. Network Coding Theory Part I: Single Source. Found. Trends Commun. Inf. Theory 2006, 2, 241–329. [Google Scholar] [CrossRef]
  8. Yeung, R.W.; Li, S.-Y.R.; Cai, N.; Zhang, Z. Network Coding Theory Part II: Multiple Source. Found. Trends Commun. Inf. Theory 2006, 2, 330–381. [Google Scholar] [CrossRef]
  9. Fragouli, C.; Soljanin, E. Network Coding Fundamentals. Found. Trends Netw. 2007, 2, 1–133. [Google Scholar] [CrossRef] [Green Version]
  10. Fragouli, C.; Soljanin, E. Network Coding Applications. Found. Trends Netw. 2008, 2, 135–269. [Google Scholar] [CrossRef]
  11. Cai, N.; Yeung, R.W. Secure Network Coding on a Wiretap Network. IEEE Trans. Inf. Theory 2011, 57, 424–435. [Google Scholar] [CrossRef]
  12. El Rouayheb, S.; Soljanin, E.; Sprintson, A. Secure Network Coding for Wiretap Networks of Type II. IEEE Trans. Inf. Theory 2012, 58, 1361–1371. [Google Scholar] [CrossRef] [Green Version]
  13. Silva, D.; Kschischang, F.R. Universal Secure Network Coding via Rank-Metric Codes. IEEE Trans. Inf. Theory 2011, 57, 1124–1135. [Google Scholar] [CrossRef] [Green Version]
  14. Cai, N.; Chan, T. Theory of Secure Network Coding. Proc. IEEE 2011, 99, 421–437. [Google Scholar]
  15. Cui, T.; Ho, T.; Kliewer, J. On Secure Network Coding With Nonuniform or Restricted Wiretap Sets. IEEE Trans. Inf. Theory 2013, 59, 166–176. [Google Scholar] [CrossRef] [Green Version]
  16. Cheng, F.; Yeung, R.W. Performance Bounds on a Wiretap Network with Arbitrary Wiretap Sets. IEEE Trans. Inf. Theory 2014, 60, 3345–3358. [Google Scholar] [CrossRef] [Green Version]
  17. Fragouli, C.; Soljanin, E. (Secure) Linear Network Coding Multicast. Des. Codes Cryptogr. 2016, 78, 269–310. [Google Scholar] [CrossRef]
  18. Guang, X.; Yeung, R.W. Alphabet Size Reduction for Secure Network Coding: A Graph Theoretic Approach. IEEE Trans. Inf. Theory 2018, 64, 4513–4529. [Google Scholar] [CrossRef] [Green Version]
  19. Guang, X.; Yeung, R.W.; Fu, F.-W. Local-Encoding-Preserving Secure Network Coding. IEEE Trans. Inf. Theory 2020, 66, 5965–5994. [Google Scholar] [CrossRef]
  20. Cai, N.; Yeung, R.W. A Security Condition for Multi-Source Linear Network Coding. In Proceedings of the 2007 IEEE International Symposium on Information Theory, Nice, France, 24–29 June 2007; pp. 561–565. [Google Scholar]
  21. Chan, T.; Grant, A. Capacity Bounds for Secure Network Coding. In Proceedings of the 2008 Australian Communications Theory Workshop, Christchurch, New Zealand, 30 January–1 February 2008; pp. 95–100. [Google Scholar]
  22. Zhang, Z.; Yeung, R.W. A General Security Condition for Multi-Source Linear Network Coding. In Proceedings of the 2009 IEEE International Symposium on Information Theory, Seoul, Republic of Korea, 28 June–3 July 2009; pp. 1155–1158. [Google Scholar]
  23. Bhattad, K.; Narayanan, K.R. Weakly Secure Network Coding. In Proceedings of the First Workshop on Network Coding, Theory and Applications, Riva del Garda, Italy, 7 April 2005; pp. 8–20. [Google Scholar]
  24. Harada, K.; Yamamoto, H. Strongly Secure Linear Network Coding. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2008, 91, 2720–2728. [Google Scholar] [CrossRef]
  25. Cai, N.; Hayashi, M. Secure Network Code for Adaptive and Active Attacks with No-randomness in Intermediate Nodes. IEEE Trans. Inf. Theory 2020, 66, 1428–1448. [Google Scholar] [CrossRef] [Green Version]
  26. Hayashi, M.; Cai, N. Secure Non-Linear Network Code over A One-Hop Relay Network. IEEE Trans. Inf. Theory 2021, 2, 296–305. [Google Scholar] [CrossRef]
  27. Agarwal, G.K.; Cardone, M.; Fragouli, C. On Secure Network Coding for Multiple Unicast Traffic. IEEE Trans. Inf. Theory 2020, 66, 5204–5227. [Google Scholar] [CrossRef]
  28. Zhou, H.; El Gamal, A. Network Information Theoretic Security With Omnipresent Eavesdropping. IEEE Trans. Inf. Theory 2021, 67, 8280–8299. [Google Scholar] [CrossRef]
  29. Shannon, C.E. Communication Theory of Secrecy Systems. Bell Syst. Tech. J. 1949, 28, 656–715. [Google Scholar] [CrossRef]
  30. Blakley, G.R. Safeguarding Cryptographic Keys. In Proceedings of the Managing Requirements Knowledge, International Workshop on, New York, NY, USA, 4–7 June 1979; p. 313. [Google Scholar]
  31. Shamir, A. How to Share a Secret. Commun. ACM 1979, 22, 612–613. [Google Scholar] [CrossRef]
  32. Ozarow, L.H.; Wyner, A.D. Wire-Tap Channel II. AT&T Bell Lab. Tech. J. 1984, 63, 2135–2157. [Google Scholar]
  33. Feldman, J.; Malkin, T.; Servedio, R.A.; Stein, C. On the Capacity of Secure Network Coding. In Proceedings of the 42nd Annual Allerton Conference on Communication, Control, and Computing, Monticello, VA, USA, 29 September–1 October 2004. [Google Scholar]
  34. Fong, S.-L.; Yeung, R.W. Variable-Rate Linear Network Coding. IEEE Trans. Inf. Theory 2010, 56, 2618–2625. [Google Scholar] [CrossRef]
  35. Yang, S.; Yeung, R.W.; Ngai, C.K. Refined Coding Bounds and Code Constructions for Coherent Network Error Correction. IEEE Trans. Inf. Theory 2011, 57, 1409–1424. [Google Scholar] [CrossRef] [Green Version]
Figure 1. The butterfly network: N = ( G , s , T = { t 1 , t 2 } ) .
Figure 1. The butterfly network: N = ( G , s , T = { t 1 , t 2 } ) .
Entropy 25 01135 g001
Figure 2. An F 3 -valued ( 2 , M 2 ) scalar-linear security network code for { ( 2 , M 2 ) , 1 } .
Figure 2. An F 3 -valued ( 2 , M 2 ) scalar-linear security network code for { ( 2 , M 2 ) , 1 } .
Entropy 25 01135 g002
Figure 3. An F 3 -valued ( 3 , M 3 ) linear-security network code for { ( 3 , M 3 ) , 1 } .
Figure 3. An F 3 -valued ( 3 , M 3 ) linear-security network code for { ( 3 , M 3 ) , 1 } .
Entropy 25 01135 g003
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Bai, Y.; Guang, X.; Yeung, R.W. Multiple Linear-Combination Security Network Coding. Entropy 2023, 25, 1135. https://doi.org/10.3390/e25081135

AMA Style

Bai Y, Guang X, Yeung RW. Multiple Linear-Combination Security Network Coding. Entropy. 2023; 25(8):1135. https://doi.org/10.3390/e25081135

Chicago/Turabian Style

Bai, Yang, Xuan Guang, and Raymond W. Yeung. 2023. "Multiple Linear-Combination Security Network Coding" Entropy 25, no. 8: 1135. https://doi.org/10.3390/e25081135

APA Style

Bai, Y., Guang, X., & Yeung, R. W. (2023). Multiple Linear-Combination Security Network Coding. Entropy, 25(8), 1135. https://doi.org/10.3390/e25081135

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop