Network Coding and Information Security

Raymond W. YeungThe Chinese University of Hong Kong

Joint work with

Ning Cai, Xidian University

Outline

• Introduction to Network Coding• The Max-flow Bound• Secure Network Coding• Concluding Remarks

Introduction toNetwork Coding

A Network Coding Example

The Butterfly Network

b1 b2

b1

b1b1

b2

b2

b2

b2

b1

b1 b2

b1

b1

b2

b2b1+b2

b1+b2b1+b2

A Network Coding Example

with Two Sources

b1b2

b1 b2

b1 b2 b2b1

b1 b2

b2b1

b1+b2

b1+b2

b1+b2

Wireless/Satellite Application

b1 b2

t = 1b1

t = 2

t = 3b1+b2

b2

b1+b2

50% saving for downlink bandwidth!

Two Themes of Network Coding

• When there is 1 source to be multicast in a network, store-and-forward may fail to optimize bandwidth.

• When there are 2 or more independent sources to be transmitted in a network (even for unicast), store-and-forward may fail to optimize bandwidth.

In short, Information is NOT a commodity!

Model of a Point-to-Point Network

• A network is represented by a directed graph G = (V,E) with node set V and edge (channel) set E.

• A symbol from an alphabet F can be transmitted on each channel.

• There can be multiple edges between a pair of nodes.

Single-Source Network Coding

• The source node S generates an information vector

x = (x1 x2 … xk) Fk.• What is the condition for a node T to be able to

receive the information vector x?• Max-Flow Bound. If maxflow(T) < k, then T

cannot possibly receive x.

The Basic Results

• If network coding is allowed, a node T can receive the information vector x iff

maxflow(T) ≥ki.e., the max-flow bound can be achieved simultaneously by all such nodes T. (ACLY00)

• Moreover, this can be achieved by linear network coding for a sufficiently large base field. (LYC03, KM03)

Secure Network Coding

Cai and Y, 2002(discussed with Ueli Maurer, ISIT 2000)

Problem Formulation

• The underlying model is the same as network multicast using network coding except that some sets of channels can be wiretapped.

• Let A be a collection of subsets of the edge set E.• A subset in A is called a wiretap set.• Each wiretap set may be fully accessed by a wiretapper.• No wiretapper can access more than one wiretap set.• The network code needs to be designed in a way such

that no matter which wiretap set the wiretapper has access to, the multicast message is information-theoretically secure.

Our Coding Scheme

• The multicast message is (s,w), where• s is the secure message

• w is the randomness

• Both s and w are generated at the source node.

A Example of a Secure Network Code

s-w s+w

s-w

s-w

s+w

s+ww

wwOne of the 3 One of the 3 red channelsred channels can can be wiretappedbe wiretappeds is the secure messages is the secure messagew is the randomnessw is the randomness

Another Example of Secure Network Coding

The (1,2)-threshold Secret Sharing Scheme

wws+ws+w

s-ws-w

One of the 3 One of the 3 red channelsred channels can can be wiretappedbe wiretappeds is the secure messages is the secure messagew is the randomnessw is the randomness

Construction of Secure Network Codes

• Let n = minT maxflow(T).• We have obtained a sufficient condition under which a

secure linear network code can be constructed. • In particular, if A consists of all the r-subsets of E, where r <

n, then we can construct a secure network code with multicast message (s,w) such that |s|=n-r and |w|=r.

• For this case, the condition is also necessary.• Interpretation: For a sink node T, if r channels in the network

are wiretapped, the number of “secure paths” from the source node to T is still at least n-r. So n-r symbols can go through securely.

Global Encoding Kernels of a Linear Network Code

• Recall that x = (x1 x2 … xk) is the multicast message.

• For each channel e, assign a column vector fe such that the symbol sent on channel e is x fe. The vector fe is called the global encoding kernel of channel e.

• The global encoding kernel of a channel is analogous to a column in the generator matrix of a classical block code.

• The global encoding kernel of an output channel at a node must be a linear combination of the global encoding kernels of the input channels.

An Example

k = 2, let x = (b1, b2)

b1 b2

b1

b1

b2

b2b1+b2

b1+b2b1+b2

1

0

1

0

0

1

1

1

1

1

1

1

1

0

0

1

0

1

Idea of Code Construction

• Start with a linear network code for multicasting n symbols.

• For all wiretap set A A, let fA = { fe : e A }, the set of global encoding kernels of the channels in A.

• Let dim(span(fA)) r for all A A. [sufficient condition]

• When the base field F is sufficiently large, we can find b1, b2, …, bn-r Fn such that

b1, b2, …, bn-r are linearly independent of fA

for all A A.

• Let the multicast message be (s,w), with |s| = n-r and |w| = r.

• Take a suitable linear transformation of the given linear network code to obtain the desired secure network code.

Recent Work (Cai and Y, ISIT 2007)

• We obtained a necessary and sufficient condition for the security of linear network codes.

• This condition applies in the cases when • There are more than one information source

nodes in the network.• The random keys are not uniformly distributed.

• This condition also shows that the security of a linear network code does not depend on the source distribution.

Resources

• Network Coding Homepage

http://www.networkcoding.info• R. W. Yeung, S.-Y. R. Li, N. Cai and Z. Zhang,

Network Coding Theory, now Publishers, 2005 (Foundation and Trends in Communications and Information Theory).

• N. Cai and R. W. Yeung, “Secure network coding,” preprint.

Concluding Remarks

• Secure network coding is a generalization of both (regular) network coding and secret sharing.

• The subject is still in its infancy, and a lot of basic questions are yet to be answered.