Random Linear Network Coding: A free cipher?
Abstract
We consider the level of information security provided by random linear network coding in network scenarios in which all nodes comply with the communication protocols yet are assumed to be potential eavesdroppers (i.e. “nice but curious”). For this setup, which differs from wiretapping scenarios considered previously, we develop a natural algebraic security criterion, and prove several of its key properties. A preliminary analysis of the impact of network topology on the overall network coding security, in particular for complete directed acyclic graphs, is also included.
security, information theory, graph theory, network coding.
I Introduction
Under the classical networking paradigm, in which intermediate nodes are only allowed to store and forward packets, information security is usually viewed as an independent feature with little or no relation to other communication tasks. In fact, since intermediate nodes receive exact copies of the sent packets, data confidentiality is commonly ensured by cryptographic means at higher layers of the protocol stack. Breaking with the ruling paradigm, network coding allows intermediate nodes to mix information from different data flows [ahlswede2000nif, koetter2003aan] and thus provides an intrinsic level of data security — arguably one of the least well understood benefits of network coding.
Previous work on this issue has been mostly concerned with constructing codes capable of splitting the data among different links, such that reconstruction by a wiretapper is either very difficult or impossible. In [cai2002snc], the authors present a secure linear network code that achieves perfect secrecy against an attacker with access to a limited number of links. A similar problem is considered in [feldman2004csn], featuring a random coding approach in which only the input vector is modified. [bhattad2005wsn] introduces a different information-theoretic security model, in which a system is deemed to be secure if an eavesdropper is unable to get any decoded or decodable (also called meaningful) source data. Still focusing on wiretapping attacks, [jain2004sbn] provides a simple security protocol exploiting the network topology: an attacker is shown to be unable to get any meaningful information unless it can access those links that are necessary for the communication between the legitimate sender and the receiver, who are assumed to be using network coding. As a distributed capacity-achieving approach for the multicast case, randomized network coding [ho2003bco, ho2003rnc] has been shown to extend naturally to packet networks with losses [lun2005crc] and Byzantine modifications (both detection and correction [ho2004bmd, jaggi2005cae, jaggi2006rnc, jaggiThesis]). [tan2006snc] adds a cost criterion to the secure network coding problem, providing heuristic solutions for a coding scheme that minimizes both the network cost and the probability that the wiretapper is able to retrieve all the messages of interest.
In this work, we approach network coding security from a different angle: our focus is not on the threat posed by external wiretappers but on the more general threat posed by intermediate nodes. We assume that the network consists entirely of “nice but curious” nodes, i.e. they comply with the communication protocols (in that sense, they are well-behaved) but may try to acquire as much information as possible from the data that passes through them (in which case, they are potentially malicious). This notion is highlighted in the following example.
Example 1
Consider the canonical network coding example with nodes, shown in Figure 1. Node sends a flow to sinks and through intermediate nodes , , and . From the point of view of security, we can distinguish between three types of intermediate nodes in this setting: (1) those that only get a non-meaningful part of the information, such as node ; (2) those that obtain all of the information, such as node ; and (3) those that get partial yet meaningful information, such as nodes and . Although this network code could be considered secure against single-edge external wiretapping — i.e., the wiretapper is not able to retrieve the whole data simply by eavesdropping on a single edge — it is clearly insecure against internal eavesdropping by an intermediate node.
Motivated by this example, we set out to investigate the security potential of network coding. Our main contributions are as follows:

Problem Formulation: We formulate a secure network coding problem, in which all intermediate nodes are viewed as potential eavesdroppers and the goal is to characterize the intrinsic level of security provided by random linear network coding.

Algebraic Security Criterion: Based on the notion that the number of decodable bits available to each intermediate node is limited by the degrees of freedom it receives, we are able to provide a natural secrecy constraint for network coding and to prove some of its most fundamental properties.

Security Analysis for Complete Directed Acyclic Graphs: As a preliminary step towards understanding the interplay between network topology and security against eavesdropping nodes, we present a rigorous characterization of the achievable level of algebraic security for this class of complete graphs.
The remainder of this paper is organized as follows. First, a formal problem statement is given in Section II, followed by a detailed analysis of the algebraic security of Randomized Linear Network Coding in Section III. In Section LABEL:sect:DAG, this analysis is carried out specifically for complete directed acyclic graphs. The paper concludes with Section LABEL:sect:ConcludingRemarks.
II Problem Setup
We adopt the network model of [koetter2003aan]: we represent the network as an acyclic directed graph , where is the set of nodes and is the set of edges. Edges are denoted by round brackets , in which and . The set of edges that end at a vertex is denoted by , and the indegree of the vertex is ; similarly, the set of edges originating at a vertex is denoted by , the outdegree being represented by .
Discrete random processes are observable at one or more source nodes. To simplify the analysis, we shall consider that each network link is free of delays and that there are no losses. Moreover, the capacity of each link is one bit per unit time, and the random processes have a constant entropy rate of one bit per unit time. Edges with larger capacities are modelled as parallel edges and sources of larger entropy rate are modelled as multiple sources at the same node. We shall consider multicast connections as it is the most general type of single connection; there are receiver nodes. The objective is to transmit all the source processes to each of the receiver nodes.
In linear network coding, edge carries the process , which is defined below:
The transfer matrix describes the relationship between an input vector and an output vector , ; , where and represent, respectively, the linear mixings of the input vector and of the output vector, and have sizes and . is the adjacency matrix of the directed labelled line graph corresponding to the graph . In this paper we shall not consider matrix , which only refers to the decoding at the receivers. Thus, we shall mainly analyse parts of the matrix , such that ; and denote column of and , respectively. We define the partial transfer matrix (also called auxiliary encoding vector [lun2005crc]) as the observable matrix at a given node , i.e. the observed matrix formed by the symbols received at a node . This is equivalent to the fraction of the data that an intermediate node has access to in a multicast transmission.
Regarding the coding scheme, we consider the random linear network coding scheme introduced in [ho2003bco]: and thus each coefficient of the matrices described above is chosen independently and uniformly over all elements of a finite field , .
Our goal is to evaluate the intrinsic security of random linear network coding, in multicast scenarios where all the intermediate nodes in the network are potentially malicious eavesdroppers. Specifically, our threat model assumes that intermediate nodes perform the coding operations as outlined above, and will try to decode as much data as possible.
III Algebraic Security of Random Linear Network Coding
III-A Algebraic Security
The Shannon criterion for information-theoretic security [shannon1949cta] corresponds in general terms to a zero mutual information between the ciphertext () and the original message (), i.e. . This condition implies that an attacker must guess symbols to be able to compromise the data. With network coding, on the other hand, if the attacker is capable of guessing symbols, additional observed symbols are required for decoding — by noting that each received symbol is a linear combination of the message symbols from the source, we can see that a receiver must receive coded symbols in order to recover one message symbol. Thus, as will be shown later, restricted rank sets of individual symbols do not translate into immediately decodable data with high probability. This notion is illustrated in Figure 2. In the scheme shown on top, each intermediate node can recover half of the transmitted symbols, whereas in the bottom scheme none of the nodes can recover any portion of the sent data.
Definition 1 (Algebraic Security Criterion)
The level of security provided by random linear network coding is measured by the number of symbols that an intermediate node has to guess in order to decode one of the transmitted symbols. From a formal point of view,
where represents the number of partially diagonalizable lines of the matrix (i.e. the number of message symbols that can be recovered by Gaussian elimination).
Notice that the previous definition is equivalent to computing the difference between the global rank of the code and the local rank in each intermediate node . Moreover, as more and more symbols become compromised of security criteria, the level of security tends to , since as we shall show in this section, with high probability the number of individually decodable symbols goes to zero as the size of the field goes to infinity.
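The two quantities discussed above (the local rank seen by an intermediate node and the number of message symbols it can isolate by Gaussian elimination) can be computed directly, as in the following added example, which is not code from the paper. The function names, the prime fields GF(257) and GF(65537), the sample matrices, and the assumption that the global rank equals the number of source symbols are all constructed for illustration.

```python
import random

def rref_mod_p(rows, p):
    """Reduced row echelon form over GF(p), p prime; returns the nonzero rows."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)  # modular inverse (Python 3.8+)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return m[:rank]

def node_view(observed, n_symbols, p):
    """(local_rank, decodable, rank_gap) for one node's observed coding vectors.

    decodable counts reduced rows with a single nonzero entry: a message
    symbol is recoverable exactly when its unit vector lies in the row space.
    rank_gap assumes the global rank of the code equals n_symbols.
    """
    reduced = rref_mod_p(observed, p)
    decodable = sum(1 for row in reduced if sum(1 for x in row if x) == 1)
    return len(reduced), decodable, n_symbols - len(reduced)

def count_leaky_trials(n_symbols, k, p, trials, seed):
    """How many random k x n coefficient matrices expose at least one symbol."""
    rng = random.Random(seed)
    leaky = 0
    for _ in range(trials):
        obs = [[rng.randrange(p) for _ in range(n_symbols)] for _ in range(k)]
        leaky += node_view(obs, n_symbols, p)[1] > 0
    return leaky

# Constructed sample observations for a node that receives 2 of 4 symbols' worth.
FORWARDED = [[1, 0, 0, 0], [0, 1, 0, 0]]   # uncoded: half the message is readable
CODED = [[1, 2, 3, 4], [5, 6, 7, 8]]       # mixed: same rank, nothing readable

if __name__ == "__main__":
    print(node_view(FORWARDED, 4, 257), node_view(CODED, 4, 257))
    print(count_leaky_trials(4, 2, 2, 200, 1), count_leaky_trials(4, 2, 65537, 200, 1))
```

Both sample nodes have the same local rank, so rank alone does not distinguish them; the count of single-entry rows does, and the random trials show that count collapsing as the field grows.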
III-B Security Characterization
We are now ready to solve the problem of characterizing the algebraic security of random linear network coding. The key to our proofs is to analyze the properties of the partial transfer matrix at each intermediate node. Recall that there are two cases in which the intermediate node can gain access to relevant information: (1) when the partial transfer matrix has full rank and (2) when the partial transfer matrix has diagonalizable parts. Thus, we shall carry out independent analyses in terms of rank and in terms of partially diagonalizable matrices.
The following lemmas will be useful.