# Security for Wiretap Networks via

Rank-Metric Codes

###### Abstract

The problem of securing a network coding communication system against a wiretapper adversary is considered. The network implements linear network coding to deliver packets from source to each receiver, and the wiretapper can eavesdrop on arbitrarily chosen links. A coding scheme is proposed that can achieve the maximum possible rate of packets that are information-theoretically secure from the adversary. A distinctive feature of our scheme is that it is universal: it can be applied on top of any communication network without requiring knowledge of or any modifications on the underlying network code. In fact, even a randomized network code can be used. Our approach is based on Rouayheb-Soljanin’s formulation of a wiretap network as a generalization of the Ozarow-Wyner wiretap channel of type II. Essentially, the linear MDS code in Ozarow-Wyner’s coset coding scheme is replaced by a maximum-rank-distance code over an extension of the field in which linear network coding operations are performed.

## I Introduction

The paradigm of network coding [1, 2, 3] has provided a rich source of new problems that generalize traditional problems in communications. One such problem, introduced in [4] by Cai and Yeung, is that of securing a multicast network against a wiretapper adversary.

Formally, consider a multicast network with unit capacity edges implementing linear network coding over the finite field . Each link in the network is assumed to carry a packet of symbols in . We assume that the maxflow from source to each receiver is at least and that the network code is feasible for the multicasting of packets, that is, each receiver is able to recover the packets originated at the source. Now, suppose there is a wiretapper that can listen to transmissions on arbitrarily chosen links of the network. The secure network coding problem is to design a network code and an outer encoder at the source such that a message can be transmitted from the source to each receiver without leaking any information to the wiretapper (i.e., security in the information-theoretic sense).

The work of Cai and Yeung [4] shows that a solution to this problem exists if the message consists of at most packets and is sufficiently large. Their solution involves changing the network code such that certain security conditions are met and requires a field of size at least , where is the number of links in the network. Feldman et al. [5] simplified the conditions in [4] and showed that it is possible to achieve security by carefully designing the outer code, while leaving the network code unchanged. They also show that, if a linear outer code is used and the network topology is arbitrary, then there are instances of the problem where a very large field size is necessary to achieve capacity.

Recently, Rouayheb and Soljanin [6] have shown that the problem of secure network coding can be regarded as a network generalization of the Ozarow-Wyner wiretap channel of type II [7, 8]. Their observation provides an important connection with a classical problem in information theory and yields a much more transparent framework for dealing with network coding security. In particular, they show that the same technique used to achieve capacity of the wiretap channel II—a coset coding scheme based on a linear MDS code—can also provide security for a wiretap network. Unfortunately, in their approach, the network code has to be modified to satisfy certain constraints imposed by the outer code.

Note that, in all the previous works, either the network code has to be modified to provide security [4, 6], or the outer code has to be designed based on the specific network code used [5]. In all cases, the field size required is significantly larger than the minimum required for conventional multicasting.

The present paper is motivated by Rouayheb and Soljanin’s formulation of a wiretap network and builds on their results. Our main contribution is a coset coding scheme that neither imposes any constraints on, nor requires any knowledge of, the underlying network code. In other words, for any linear network code that is feasible for multicast, secure communication at the maximum possible rate can be achieved with a fixed outer code. In particular, the field size can be chosen as the minimum required for multicasting. An important consequence of our result is that the problems of information transport—designing a feasible network code—and security against a wiretapper can be completely separated from each other. Such a feature of our scheme allows it to be seamlessly integrated with random network coding.

The essence of our approach is to use a “nonlinear” outer code that is, however, linear over an extension field . Taking advantage of this extension field, we can then replace the linear MDS code in Ozarow-Wyner coset coding scheme by a maximum-rank-distance (MRD) code, which is essentially a linear code over that is optimal in the rank metric. Codes in the rank metric were studied by a number of authors [9, 10, 11, 12] and have been recently proposed for error control in random network coding [13, 14]. Here, we show that the fact that the wiretapper observes a linear transformation of the transmitted symbols is exactly what suggests the use of a rank-metric code.

The remainder of the paper is organized as follows. In Section II we review the models of a wiretap channel II and a wiretap network, together with their corresponding security conditions. In Section III we review rank-metric codes and present our solution to the security problem in a wiretap network. In Section IV, we provide a brief discussion of our main result and, in Section V, we present our conclusions.

## Ii Wiretap Model

### Ii-a Wiretap Channel II

Consider a communication system consisting of a source, a destination and a wiretapper. The source produces a message , where the symbols are drawn from an alphabet , and encodes this message as a vector , . This vector is transmitted over a noiseless channel and received by the destination. The wiretapper has access to symbols of , represented as the vector , where . The goal of the system is for the source to communicate the message to the destination in such a way that the wiretapper cannot obtain any information about from any possible set of intercepted symbols. More precisely, the conditions for secure communication are

(1) | ||||

(2) |

Condition (1) implies that must be a deterministic function of . The question is then how to design a (probabilistic) encoding of into such that conditions (1) and (2) are satisfied.

Note that, by expanding , we have

(3) | ||||

so the maximum number of symbols that can be securely communicated is upper bounded by .

This maximum rate can be achieved by using Ozarow-Wyner coset coding scheme [8], which operates as follows. Assume is a finite field of sufficiently large cardinality. Let and let be an linear MDS code over with parity-check matrix . Encoding is performed by randomly choosing some such that ; in other words, each message is viewed as a syndrome specifying a coset of , and the transmitted vector is chosen uniformly at random among the elements of that coset. Upon reception of , decoding is performed by simply computing the syndrome .

With respect to security, it is immediate that condition (1) is satisfied in this scheme. Since is a linear code, the probabilistic encoding ensures that , and thus . On the other hand, since is an MDS code, knowledge of and is sufficient to determine , so . These two facts applied in (3) imply that condition (2) is satisfied, and therefore secure communication can be achieved.

### Ii-B Wiretap Networks

Consider a communication network represented by a directed multigraph with unit capacity edges, a single source node and multiple destination nodes. The source node produces a message consisting of symbols from an alphabet , and this message is requested by each of the destination nodes. Each link in the network is assumed to transport a symbol in free of errors. When network coding is used, each node in the network produces symbols to be transmitted by performing arbitrary operations on the received symbols (or on the message symbols in the case of the source node). We say that the network code is feasible (and multicast communication is achieved) if each destination node is able to recover the source message.

Let be a finite field and assume that is a vector space over . In this case, an element of may also be called a packet. When linear network coding is used, each packet transmitted by a node is an -linear combination of received (or message) packets. Let be the minimum value of the mincut from the source node to any destination node. It is a well-known result that a feasible linear network code exists if and is sufficiently large, but no feasible network code exists if [1, 2, 3].

The wiretap problem of Section II-A can be generalized to the network scenario above by introducing a wiretapper who can eavesdrop on links, represented by the set , and by assuming that the source message is given by , , which is then encoded into for transmission over the network. We assume that linear network coding is used, so the packets observed by the wiretapper can be represented as a vector , where is an matrix over consisting of the global coding vectors associated with the edges in .

Assume that , is sufficiently large, and that a feasible network code is selected, i.e., each destination node is able to recover . The conditions for secure communication remain the same as before, namely

(4) | ||||

(5) |

The question is then how to design an encoding from to and a feasible linear network code such that (4) and (5) are satisfied.

Considering , Rouayheb and Soljanin showed in [6] that secure communication is possible using the coset coding scheme of Sec. II-A if the network code is chosen to satisfy certain constraints. The development is similar to that of Sec. II-A, where we choose and let be the parity-check matrix of an linear MDS code over . Equations (4) and are automatically satisfied by coset encoding, but to satisfy we must ensure that the matrix is nonsingular for all such that is full-rank. (Note that the case where is not full-rank reduces to a similar instance with a full-rank and a smaller .) This condition is equivalent to constraining the network code such that no linear combination of or fewer coding vectors belongs to the space spanned by the rows of .

It follows from this result that secure multicast communication can be achieved in two steps: first, designing a coset coding scheme based on an MDS code, and then designing a linear network code so as to satisfy the above constraint.

In the following, we show that this undesirable coupling between the coset coding scheme and the network code design can be avoided.

## Iii Rank-Metric Codes for Wiretap Networks

### Iii-a Rank-Metric Codes

We first present a brief review of rank-metric codes.

Let be the set of all matrices over . A natural distance measure between elements and of is given by the rank distance . As observed in [9], the rank distance is indeed a metric.

A rank-metric code is a nonempty subset of used in the context of the rank metric. The minimum rank distance of a rank-metric code is the minimum rank distance among all pairs of distinct codewords. The Singleton bound for the rank metric (see [14, 12] and references therein) states that every rank-metric code with minimum rank distance must satisfy

Codes that achieve this bound are called maximum-rank-distance (MRD) codes.

The usual way to construct rank-metric codes is via the correspondence between and an extension field . By fixing a basis for as an -dimensional vector space over , any element of can be regarded as a row vector of length over and, similarly, any column vector of length over can be regarded as an matrix over . The rank of a vector is the rank of as an matrix over , and the same applies for the rank distance. Under this correspondence, a rank-metric code in is simply a block code of length over used in the context of the rank metric.

It is useful to consider linear codes over with minimum rank distance . For such codes, the Singleton bound becomes

Note that the classical Singleton bound can be achieved only when . For this case, a class of MRD codes with any specified was described in [9] by Gabidulin.

We now restate some results from [9] which relate the minimum rank distance of a linear code with properties of its parity-check matrix. To avoid confusion, the rank of a matrix over is denoted by .

###### Theorem 1

Let be a linear code over with parity-check matrix . Then has minimum rank distance if and only if

for any full-rank matrix and

for some full-rank matrix .

###### Corollary 2

Assume . A linear code over with parity-check matrix is an MRD code if and only if

for any full-rank matrix .

### Iii-B A Universal Coding Scheme for Wiretap Networks

We now present our solution to the wiretap problem of Section II-B. Following [6], we use a coset coding scheme similar to that of Section II-A; however, we set the symbol alphabet to be , while the field for the linear network coding operations remains . Note that, since coset encoding/decoding is performed only at source/destination nodes, setting to be an extension field of does not interfere with the underlying network code.

Let and let be the parity-check matrix of a linear code over . Encoding and decoding of the source message is performed as described in Section II-A. With respect to security, Rouayheb and Soljanin’s analysis carries out unchanged, and we arrive at the same security condition: the matrix must be nonsingular for all such that is full-rank. Note that, while is defined over , the matrix has only entries in . This fact is the fundamental distinction of our approach and will allow us to satisfy the security condition regardless of the network code used.

Our main result is a consequence of the following lemma.

###### Lemma 3

Let be the parity-check matrix of a linear MRD code over . For any full-rank matrix , the matrix

is nonsingular over .

###### Proof:

Consider the system of equations

in the unknown . We will show that is the only solution to this system, which implies that .

First, choose some matrix over such that is nonsingular, and let . We have that

Moreover, if is the (full-rank) matrix corresponding to the last columns of , then .

Now, . By Corollary 2, the matrix is nonsingular over . Thus, we must have and hence .

The following theorem summarizes the results of this section.

###### Theorem 4

Consider a multicast communication network that transports packets of length over , subject to the presence of a wiretapper who can eavesdrop on at most links. The maximum number of source packets that can be securely communicated to each destination, in such a way that the wiretapper obtains no information about the source packets, is . This rate can be achieved by using any feasible -linear network code in conjunction with a fixed end-to-end coset coding scheme based on any linear MRD code over .

The following example illustrates the above results.

###### Example 1

Let , , and . Let be generated by a root of , which we denote by . According to [9], one possible MRD code over has parity-check matrix .

To form , we can choose uniformly at random and set to satisfy

Note that can be transmitted over any network that uses a feasible linear network code. The specific network code used is irrelevant as long as each destination node is able to recover .

Now, suppose that the wiretapper intercepts , where

Then

This is a linear system with variables and equations over . Note that, given , there is exactly one solution for for each value of . Thus, , , from which follows that and are independent.

## Iv Discussion

Theorem 4 shows that the problem of ensuring communication security against a wiretapper can be treated independently from that of multicasting information, in effect turning network coding design back into a much easier and already satisfactorily solved problem [15]. A byproduct of this result is that, to incorporate security, we no longer need to enlarge the field of network coding operations more than what is strictly required for multicasting—although the network does need to transport packets of size larger than a single element. In practice, packet lengths are much larger than , at least 10 times larger for typical parameters, so the constraint is not really a concern.

As pointed out in the previous section, encoding and decoding of the source message require operations to be performed in the extension field . We mention that each encoding or decoding procedure can be performed in operations in by using a parity-check matrix in systematic form. More precisely, if and , where has rows, then , so can be encoded by randomly generating and then setting . Encoding thus amounts essentially to a matrix multiplication over . Decoding can be performed similarly.

It is worth to mention that our security scheme can be seamlessly integrated with random network coding. We simply require that each packet transports a header of length containing the global coding vector associated with the packet; thus, the total packet length must be at least symbols in . Note that, since a random linear network code is feasible with high probability, the only parameter pertaining to the network that we need to estimate is the effective mincut , in order to decide on , and the coset coding scheme.

## V Conclusion

We consider the problem of providing information-theoretic security in a communication network subject to the presence of a wiretapper. We propose a coset coding scheme similar to that of Ozarow-Wyner, but defined over the extension field . For this reason, we assume that packets of length are transmitted rather than individual symbols. We show that transmission at the maximum possible rate (the network secure capacity) is possible irrespectively of the underlying network code. As a consequence, the sub-problems of information transport and information security can be treated independently of each other: a feasible linear network code can be designed (perhaps, randomly) with only throughput in mind, while a fixed outer code can be used to provide security whenever it is needed. Our proposed scheme is based on MRD codes and can be efficiently encoded and decoded.

## References

- [1] R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung, “Network information flow,” vol. 46, no. 4, pp. 1204–1216, Jul. 2000.
- [2] S.-Y. R. Li, R. W. Yeung, and N. Cai, “Linear network coding,” vol. 49, no. 2, pp. 371–381, Feb. 2003.
- [3] R. Koetter and M. Médard, “An algebraic approach to network coding,” vol. 11, no. 5, pp. 782–795, Oct. 2003.
- [4] N. Cai and R. W. Yeung, “Secure network coding,” in Proc. IEEE Int. Symp. Information Theory, Lausanne, Switzerland, Jun. 30–Jul. 5, 2002, p. 323.
- [5] J. Feldman, T. Malkin, C. Stein, and R. A. Servedio, “On the capacity of secure network coding,” in Proc. 42nd Annual Allerton Conf. on Commun., Control, and Computing, Sep. 2004.
- [6] S. Y. E. Rouayheb and E. Soljanin, “On wiretap networks II,” in Proc. IEEE Int. Symp. Information Theory, Nice, France, Jun. 24–29, 2007, pp. 551–555.
- [7] L. H. Ozarow and A. D. Wyner, “Wire tap channel II,” AT&T Bell Labs. Tech. J., vol. 63, no. 10, pp. 2135–2157, Dec. 1984.
- [8] ——, “Wire-tap channel II,” in Proc. EUROCRYPT 84 workshop on Advances in cryptology: theory andapplication of cryptographic techniques. New York, NY, USA: Springer-Verlag New York, Inc., 1985, pp. 33–51.
- [9] E. M. Gabidulin, “Theory of codes with maximum rank distance,” Probl. Inform. Transm, vol. 21, no. 1, pp. 1–12, 1985.
- [10] R. M. Roth, “Maximum-rank array codes and their application to crisscross error correction,” vol. 37, pp. 328–336, 1991.
- [11] G. Richter and S. Plass, “Error and erasure decoding of rank-codes with a modified Berlekamp-Massey algorithm,” in Proc. ITG Conf. on Source and Channel Coding, Erlangen, Germany, Jan. 2004.
- [12] M. Gadouleau and Z. Yan, “Properties of codes with the rank metric,” in Proc. IEEE Globecom 2006, San Francisco, CA, Nov. 27–Dec. 1, 2006.
- [13] D. Silva and F. R. Kschischang, “Using rank-metric codes for error correction in random network coding,” in Proc. IEEE Int. Symp. Information Theory, Nice, France, Jun. 24–29, 2007, pp. 796–800.
- [14] D. Silva, F. R. Kschischang, and R. Koetter, “A rank-metric approach to error control in random network coding,” 2007, submitted for publication. [Online]. Available: http://arxiv.org/abs/0711.0708
- [15] S. Jaggi, P. Sanders, P. Chou, M. Effros, S. Egner, K. Jain, and L. Tolhuizen, “Polynomial time algorithms for multicast network code construction,” vol. 51, no. 6, pp. 1973–1982, Jun. 2005.