Universal Secure Network Coding
via RankMetric Codes
Abstract
The problem of securing a network coding communication system against an eavesdropper adversary is considered. The network implements linear network coding to deliver packets from source to each receiver, and the adversary can eavesdrop on arbitrarily chosen links. The objective is to provide reliable communication to all receivers, while guaranteeing that the source information remains informationtheoretically secure from the adversary. A coding scheme is proposed that can achieve the maximum possible rate of packets. The scheme, which is based on rankmetric codes, has the distinctive property of being universal: it can be applied on top of any communication network without requiring knowledge of or any modifications on the underlying network code. The only requirement of the scheme is that the packet length be at least , which is shown to be strictly necessary for universal communication at the maximum rate. A further scenario is considered where the adversary is allowed not only to eavesdrop but also to inject up to erroneous packets into the network, and the network may suffer from a rank deficiency of at most . In this case, the proposed scheme can be extended to achieve the rate of packets. This rate is shown to be optimal under the assumption of zeroerror communication.
I Introduction
The paradigm of network coding [1, 2, 3] has provided a rich source of new problems that generalize traditional problems in communications. One such problem, introduced in [4] by Cai and Yeung, is that of securing a multicast network against an eavesdropper adversary.
Formally, consider a multicast network with unit capacity edges implementing linear network coding over a finite field . It is assumed that each link in the network carries a packet consisting of symbols in and that the network is capable of reliably transporting packets from the source to each destination. Now, suppose there is an eavesdropper that can listen to transmissions on arbitrarily chosen links^{1}^{1}1We consider a model where network links rather than nodes are eavesdropped; eavesdropping on a node is equivalent to eavesdropping on all links incoming to it. of the network. The secure network coding problem is to design an outer code (and possibly also the underlying network code) such that a message can be communicated to each receiver without leaking any information to the eavesdropper (i.e., security in the informationtheoretic sense).
The work of Cai and Yeung [4] shows that the maximum achievable rate (i.e., the secrecy capacity) for this problem is given by packets, achievable if the field size is sufficiently large. They presented a construction of an outer code that achieves this capacity provided that . Their construction takes steps and requires that the outer code meet certain security conditions imposed by the underlying network code. Later, Feldman et al. [5] showed that, by slightly reducing the rate, it is possible to efficiently construct an outer code that is secure with high probability using a much smaller field size. On the other hand, they also showed that, under the assumption of a scalar linear outer code, there are instances of the problem where a very large field size is strictly necessary to achieve capacity.
More recently, Rouayheb and Soljanin [6] showed that the secure network coding problem can be regarded as a network generalization of the OzarowWyner wiretap channel of type II [7, 8]. Their observation provides an important connection with a classical problem in information theory and yields a much more transparent framework for dealing with network coding security. In particular, they show that the same technique used to achieve capacity of the wiretap channel II—a coset coding scheme based on a linear MDS code—can also provide security for a wiretap network. Unfortunately, in their approach, the network code has to be modified to satisfy certain constraints imposed by the outer code.
Note that, in all the previous works, either the network code has to be modified to provide security [6], or the outer code has to be designed based on the specific network code used [4, 5]. In all cases, the network code must be known beforehand, and the field size required is significantly larger than the minimum required for conventional multicasting.
The present paper is motivated by Rouayheb and Soljanin’s formulation of a wiretap network and builds on their results. Our first main contribution is a coset coding scheme that neither imposes any constraints on, nor requires any knowledge of, the underlying network code. In other words, for any linear network code that is feasible for multicast, secure communication at the maximum possible rate can be achieved with a fixed outer code. In particular, the field size can be chosen as the minimum required for multicasting. In this paper, such networkcodeindependent schemes are called universal. An important consequence of our result is that, if universal schemes are assumed, then the problem of information transport (i.e., designing a feasible network code) and the problem of security against an eavesdropper can be completely separated from each other. In particular, universal schemes can be seamlessly integrated with random network coding.
The essence of our approach is to use a vector linear outer code. More precisely, we regard packets as elements of an extension field , and use an outer code that is linear over . Taking advantage of this extension field, we can then replace the linear MDS code in OzarowWyner coset coding scheme by a linear maximumrankdistance (MRD) code, which is essentially a linear code over that is optimal for the rank metric. Codes in the rank metric were studied by a number of authors [9, 10, 11] and have been proposed for error control in random network coding [12, 13]. Here, we show that, since the channel to the eavesdropper is a linear transformation channel (rather than an erasure channel), rankmetric codes are naturally suitable to the problem (as opposed to classical codes designed for the Hamming metric).
Another main contribution of this paper is the design of universal schemes that can provide both security and protection against errors. More precisely, we assume that the adversary is able not only to eavesdrop on arbitrarily chosen links, but also to inject erroneous packets anywhere in the network. We also assume that the network may suffer from a rank deficiency of at most packets. Previous work on this topic includes [14] and [15], which propose secureerrorcorrecting schemes achieving a rate . However, these schemes are not universal and suffer from the same issues as the CaiYeung scheme discussed above.
Note that the naive approach to this problem would be simply to concatenate a secrecy encoder with an error control encoder. However, the security of such a scheme is not guaranteed because the error control encoder can potentially “undo” part of the secrecy encoding. On the other hand, if secrecy encoding is applied after error control encoding, then, due to the same reason, the concatenated scheme is not guaranteed to provide error control.
Our approach to this problem is to design a single scheme that simultaneously provides security and error control, by leveraging the corresponding properties of rankmetric codes. Our proposed scheme is universal and achieves the rate of packets. We show that this rate is indeed optimal, under the assumption of zeroerror communication^{2}^{2}2If this assumption is relaxed to vanishingly small error probability, then higher rates may be achieved in some cases. See [16].. This result (whose proof allows arbitrary packet lengths) generalizes a similar bound in [15] that assumed packet length (i.e., a scalar linear outer code).
All the universal schemes proposed in this paper have a single limitation: the packet length must satisfy . While this requirement is usually easily satisfied in the practice of random network coding (see, e.g., [17]), we show that it is also strictly necessary for universal communication. In other words, universal schemes that provide security and/or error control at the maximum rate do not exist if . Thus, our proposed schemes are optimal also in the sense of requiring the smallest packet size among all universal schemes.
The remainder of the paper is organized as follows. Section II presents a brief review of rankmetric codes and the basic model of linear network coding. In Section III, we formulate the problem of universal secure and reliable communication over a wiretap network, following the basic setup of the wiretap channel. In Section IV, we start by addressing the special case where only error control is required. We prove a few auxiliary results that extend the results of [18]. Then, in Section V, we address the special case where only security is required. The complete scenario of both security and error control is addressed in Section VI. In Section VII, we discuss the practical application of our proposed schemes, and show that they can be implemented in a convenient and very efficient manner. Finally, Section VIII presents our conclusions.
Ii Preliminaries
Iia Notation
Let denote the set of all matrices over , and set (i.e., the elements of are always seen as column vectors). For and , let denotes the submatrix of consisting of the rows indexed by . Let denote the row space of matrix .
IiB RankMetric Codes
A matrix code is a nonempty set of matrices. The rank distance between matrices is defined as
As observed in [9, 10], the rank distance is indeed a metric. The minimum rank distance of a matrix code , denoted , is the minimum rank distance among all pairs of distinct codewords of .
Let be a degree extension of the finite field . Recall that is also a vector space over . Let be a vector space isomorphism. More concretely, expands an element of as a row vector over according to some fixed basis for over . Similarly, for all , let be the isomorphism defined by applying entrywise, i.e.,
We will remove the superscript from when the dimensions of the argument are clear from the context. The rank distance between vectors and the minimum rank distance of a block code are defined, respectively, as and .
The size of a matrix code (or of a block code over ) is bounded by the Singleton bound for the rank metric, which states that every with minimum rank distance must satisfy
(1) 
Codes that achieve this bound are called maximumrankdistance (MRD) codes and they are known to exist for all choices of parameters , , and [9].
For the case of an linear block code over with minimum rank distance , the Singleton bound (1) becomes
(2) 
Note that, for , (2) coincides with the classical Singleton bound for the Hamming metric. Indeed, when , every MRD code is also MDS.
Note that, differently from classical coding theory, block codes are represented in this paper using column vectors. However, to avoid confusion, the generator and paritycheck matrices of a linear code will always be given in the standard orientation. Thus, if and are, respectively, the generator and paritycheck matrices of an linear code , then .
We now describe an important family of rankmetric codes proposed by Gabidulin [9]. Assume . A Gabidulin code is an linear code over defined by the generator matrix
(3) 
where the elements are linearly independent over . It is shown in [9] that the minimum rank distance of a Gabidulin code is , so the code is MRD.
IiC Linear Network Coding
A linear network coding system is described as follows. Consider a communication network represented by a directed multigraph with unit capacity edges, a single source node, and multiple destination nodes. Each link in the network is assumed to transport, free of errors, a packet consisting of symbols from the finite field (that is, a vector in ). At every network use, the source node produces packets, represented as the rows of a matrix , and transmits evidence about these packets over the network. More precisely, for each of its outgoing links, the source node transmits a packet that is some linear combination of the rows of . Each of the remaining nodes behaves similarly, computing its outgoing packets as linear combinations of its incoming packets. It follows that, for every link , the packet transmitted over can be expressed (uniquely) as a linear combination of the rows of , say . The coefficient vector is called the (global) coding vector of . Let denote the set of all network links, ordered according to some fixed ordering. A (global) coding matrix is defined such that, for all , is the row of indexed by .
For analytical purposes, a receiver can be specified, without loss of generality, by the set of incoming links of the corresponding destination node. Let denote the collection of all receivers. Note that is a subset of the powerset of . For , let denote the matrix whose rows are the packets received by receiver . Then
The network code is said to be feasible for a receiver if , otherwise it is rankdeficient. The rank deficiency of a network code is defined as
i.e., it is the maximum columnrank deficiency of among all receivers. Since, in a network coding context, rank deficiency is analogous to packet loss, a rank deficiency of may also be referred to as packet erasures.
The system described above is referred to as an linear coded network. We may also call it an linear coded network if its rank deficiency is .
We can extend the above model to incorporate packet errors. More precisely, we assume that each packet transmitted on a link may be subject to the addition of an error packet before reception by the corresponding node. This is useful to model both internal adversaries (malicious nodes that inject erroneous packets) as well as external adversaries (unauthorized transmitters that intentionally create interference with the transmitted signals). Similarly as above, this communication model can be described more concisely using a matrix framework. Suppose the packet transmitted on link changes from to . Then, due to linearity of the network, the packet transmitted on link changes from to , for some . Let be the matrix whose entry is . Then the matrix received by receiver is given by
where is the matrix corresponding to the error packets injected on all links.
Note that the above model is applicable even if the network contains cycles and/or delays.
Iii Problem Formulation
We start by describing a generic wiretap channel. Let , , and be sets. A transmitter wishes to communicate a message reliably to a receiver but secretly from an eavesdropper. There is a channel among the three parties that takes from the transmitter and delivers to the receiver and to the eavesdropper. The channel is specified by some distribution . The transmitter generates by a stochastic encoding of , according to some distribution . Upon reception of , the receiver makes a guess that the transmitted message is , according to some decoding function . The eavesdropper, on the other hand, attempts to obtain information about based on the observation . Together, the encoder and the decoder specify the coding scheme. Note that and are assumed to be conditionally independent given .
Iiia Communication Requirements
We now describe the requirements that a coding scheme must satisfy, for the purposes of this paper.
IiiA1 Zeroerror communication
For all , let the fanout set
denote the set of all channel outputs that could possibly occur when the channel input is . Similarly, for all , let
(4) 
The scheme is said to be zeroerror if
(5) 
that is, the receiver can always uniquely determine the message^{3}^{3}3Our focus on zeroerror communication is motivated by the goal of guaranteeing reliability in the presence of adversarial jammers. Since an adversary will attempt to disrupt communication whenever such a possibility exists, requiring zeroerror (“foolproof”) communication appropriately captures the worstcase nature of the problem.. We may also refer simply to the encoder and consider it zeroerror if there exists some decoding function satisfying (5). It is easy to see that an encoder is zeroerror if and only if the sets , , are all pairwise disjoint.
Note that condition (5) differs from the more usual notion of reliability where the probability of decoding error gets arbitrarily close to zero as the number of channel uses increases. Here, not only the probability of error must be exactly zero (as in zeroerror information theory [22]), but also the channel can be used only once. While the constraint on a single channel use may seem restrictive, note that in many practical situations, in particular in network coding, a single message may already be large enough to encompass the whole communication session, so that further channel uses are not allowed.
IiiA2 Perfect secrecy
The scheme is said to be perfectly secret if absolutely no information is leaked to the eavesdropper, i.e.,
(6) 
Equivalently, the uncertainty about the message is not reduced by the eavesdropper’s observation.
Throughout the paper, we will use the word secure as a synonym for secret. We will also refer to a perfectly secure scheme simply as secure.
Note that condition (6) corresponds to perfect secrecy in the Shannon sense [23] and is stronger than the usual notion of secrecy in the informationtheoretic security literature [24], where the average information leakage (per channel use) gets arbitrarily close to zero as the number of channel uses increases.
IiiB Wiretap Networks
We now consider the case where the wiretap channel is a linear network coding system potentially subject to errors. Consider an linear coded network specified by matrices and and a set of receivers , where denotes the set of network edges. The network is used to communicate a message to each receiver, which is done by encoding into an input matrix for transmission over the network.
As described in Section IIC, the output matrix at a receiver is given by
where denotes the matrix of error packets. Let
denote the set of all possible values for when the input matrix is . Then the set of all possible given is obtained as
Since there are multiple receivers, a coding scheme for such a network consists of not only an encoder but also a decoding function for each receiver. Accordingly, we say that the scheme is zeroerror if it is zeroerror for each individual receiver .
For the remainder of the paper, we will focus on the case where has at most nonzero rows, i.e.,
where denotes the number of nonzero rows of . In this case, a zeroerror scheme is said to be a errorerasurecorrecting scheme, where denotes the rank deficiency of the linear coded network. Note that even when , a errorerasurecorrecting scheme must still be able to guarantee reliable (zeroerror) communication for all receivers, i.e., it must able to make up for the rank deficiency experienced by the receivers.
Suppose there is an eavesdropper who can observe the packets transmitted on a subset of links . The corresponding matrix observed by the eavesdropper is given by
Here, we assume the worst case where the eavesdropper has access to the matrix (possibly because was selected by the eavesdropper), so we define the eavesdropper observation as
Consider the case where the eavesdropper is allowed to arbitrarily choose any with . Since the eavesdropper may choose in a worstcase or adversarial fashion, this situation may be modeled mathematically by assuming that there are multiple eavesdroppers, each with one of the allowed subsets . Accordingly, we say that the scheme is secure under observations if it is perfectly secure for all such that .
Under this model, may be viewed as a security parameter, while may be viewed as a reliability parameter.
IiiC Universal Schemes
The specification of a wiretap network requires the specification of , and , as well as , and . As a consequence, the properties of a coding scheme designed for a network are tied to the particular network code used; there is no guarantee that the scheme will work well over other networks.
In this paper, we are interested in universal schemes, i.e., schemes that share the same property (i.e., errorerasurecorrecting, secure under observations) for all possible network codes. As we shall see, this approach not only has practical benefits but also greatly simplifies the theoretical analysis.
Definition 1
A coding scheme for an linear coded network is universally errorerasurecorrecting if it is zeroerror under the fanout set
(7) 
Note that, to incorporate the fact that the matrix is known at receiver , we have to include the matrix as part of the channel output. Contrasted with the models in [18], the model in Definition 1 may be interpreted as a worstcase coherent network coding channel.
Proposition 1
A universally errorerasurecorrecting scheme for an network is errorerasurecorrecting for any network regardless of the network code or the set of receivers.
We will show that, for any with , any , and any with , a receiver that knows and can successfully decode using a universal decoder. First, since , there exists, regardless of , some matrix such that . Now, since and , we have that . Thus, the receiver can successfully decode by applying the universal decoder on .
Definition 2
Consider an linear coded network with input matrix . A coding scheme is universally secure under observations if it is perfectly secure for each eavesdropper observation , for all .
Clearly, a universally secure scheme is always secure regardless of the network code.
Focusing on universal schemes immediately offers the analytical advantage of not having to specify the network topology and the network code, except for the parameters , , , . These parameters provide an interface between the problems of network code design and endtoend code design, which then become completely independent.
Of course, the rates achieved by a universal scheme could potentially be smaller than those of nonuniversal schemes; equivalently, to achieve an optimal rate, a universal scheme may impose certain constraints on the interface parameters. Our goal in this paper is to determine exactly what rates are achievable by universal schemes, as well as to construct computationally efficient schemes that achieve these rates.
Iv Universal Error Correction
We start by considering the case where , i.e., there is no eavesdropper (or security is not a concern).
Below we show a result that, while similar to the results in [18], is not available there, as model considered here is slightly different.
Theorem 2
Consider a deterministic encoder , where , and let . Then the encoder is universally errorerasurecorrecting if and only if .
The correction guarantee has been proved in [18]. We now prove the converse. Suppose and let be such that and . Let be a matrix whose right null space is a subspace of with dimension . Let . Then and . Let be such that , , and . Then , and therefore . Since the encoder is deterministic, and must correspond to distinct messages, which implies that the scheme is not zeroerror.
Theorem 2 shows that, in the case of a deterministic encoder, the correction capability of a scheme is characterized precisely by the minimum rank distance of the image of the encoder. Thus, the problem can be solved by (and only by) a rankmetric code with sufficiently large minimum rank distance. While Theorem 2 is concerned only with the encoder, computationally efficient decoders (for a Gabidulin code) have been proposed in [13] (see also [25, 20]) for all values of and .
The theorem also shows a tradeoff between errors and erasures that is analogous to that of classical coding theory; namely, an error can be traded for two erasures, and viceversa, with the “exchange currency” being the minimum rank distance of the code.
It is important to note that the characterization in Theorem 2 is valid only for deterministic encoding. In the case of stochastic encoding, it is conceivable that the same message could give rise to two distinct codewords and with small rank distance (so that they would be indistinguishable at the receiver), yet the message itself could be successfully decoded. Thus, while the direct part of the theorem still holds (as long as ), the converse does not. Surprisingly, however, the same interplay between errors and erasures that exists for a deterministic encoder (namely, one error is equivalent to two erasures) still remains for a stochastic encoder, as shown in the next result.
Theorem 3
Consider an linear coded network. An encoder that is universally errorerasurecorrecting is also universally errorerasurecorrecting for all such that .
See the Appendix.
The result of Theorem 3 will be crucially used in Section VIB to prove a converse theorem for networks subject to errors and observations.
A consequence of Theorem 3 is that we could safely restrict attention to encoders that are universally erasurecorrecting (that is, universally errorerasurecorrecting), since erasurecorrection capability can be naturally traded for errorcorrection capability. However, as before, note that the result of Theorem 3 applies only to the encoder, i.e., it is in principle not trivial to obtain a decoder for one scheme given a decoder for the other.
V Perfect Secrecy for Noiseless Networks
In this section we treat the case of an linear coded network subject to observations but no errors—so that the channel from the transmitter to each receiver is noiseless. Thus, each receiver can correctly recover the channel input .
From now on, unless otherwise mentioned, we assume that the message space is , so that the message is a matrix. The rows of , denoted , may then be viewed as packets. All logarithms are taken to the base , so that information is measured in ary units, or packets.
Va Preliminaries
We start by reviewing the basic idea of coset coding, which was proposed by Ozarow and Wyner for the special case of the type II wiretap channel [7], and later applied to the general case by Rouayheb and Soljanin [6]. The scheme requires each packet to be an element of a finite field, i.e., must be a field. In the following, we assume that .
Let be an linear code over with paritycheck matrix . The transmitter encodes into by choosing uniformly at random some such that . In other words, each message is viewed as a syndrome specifying a coset of , and the transmitted word is randomly chosen among the elements of that coset. Upon reception of , decoding is performed by simply computing the syndrome . Thus, the scheme is always zeroerror.
For the special case of a type II wiretap channel, it can be shown [7] that the scheme is perfectly secure if is an MDS code and . In general, however, this may not be sufficient. The following result is shown in [6].
Theorem 4 ([6])
In the coset coding scheme described above, assume that the eavesdropper observes , where . If , then . Moreover, if , then
(8) 
The above result can be used to design a network code based on a given paritycheck matrix [6]. More precisely, the network code (i.e., the global coding matrix ) must be constructed in such a way that, for all with , the matrix satisfies (8) for the given . Note that, since there is always some violating (8), the scheme is not universal.
Although the case is not considered in [6], it is easy to see that any scheme for can immediately be extended to by applying the scheme times in a componentwise fashion. Encoding is performed identically, by randomly choosing such that (where and are now matrices), and the same holds for the decoding. Clearly, the resulting scheme retains exactly the same properties of the original one (in particular, nonuniversality).
VB A Universal Scheme
As we have seen above, in order to directly apply OzarowWyner’s coset coding scheme, packets must be elements of a finite field, and one way to achieve this is to assume . Another approach, the one we propose in this paper, is to make use of the vector space isomorphism . In other words, we regard packets as elements of a finite field ; this is still compatible with linear network coding since is a vector space over .
Theorem 4 holds unchanged, provided we replace with (note that we can regard as a matrix over , since ). However, all the entries of still lie in the subfield . Since , we can regard as a matrix over . After replacing with , Theorem 4 follows unchanged.
Under this interpretation, the variables , , are now viewed as column vectors over . For the purposes of Theorem 4, we can regard as a matrix over (since ). Then the theorem follows unchanged after replacing with . Note, however, that all the entries of still lie in the subfield . As the number of possibilities for is now much larger as compared to (for ), it is conceivable that some exists satisfying (8) for all . This can be seen as the crucial ingredient that enables universal security. A suitable choice of is given in the next theorem.
Theorem 5
Let be an linear code over with paritycheck matrix . If and , then
(9) 
Conversely, if , then (9) holds only if .
Suppose that, for some , there exists some matrix such that
Let , let be some fullrank matrix such that , and let be some fullrank matrix such that the matrix
is fullrank. We have that
Let
Since , there must exist some nonzero such that . But this implies that , i.e., , and , i.e., . Thus, .
For the converse statement, suppose that . Then there exists some nonzero such that . This implies that there exists some fullrank such that . Note also that . Thus,
In order to state our main result in full generality, we first present a generalization of Theorem 4.
Lemma 6
Let and . Let , and be random variables. Let and, for all , let .

If is uniform over given , then

If is uniform over , then
See the Appendix.
We can now state the main result of this section.
Theorem 7
Consider an linear coded network. Let be an linear code over with paritycheck matrix . A coset coding scheme based on is universally secure under observations if , and is MRD. Conversely, in the case of a uniformly distributed message, the scheme is universally secure under observations only if is an MRD code with .
The achievability follows from item 1) of Lemma 6, Theorem 5, and the definition of an MRD code. The partial converse follows from item 2) of Lemma 6, Theorem 5, and the Singleton bound (2).
The following example illustrates the constructive part of Theorem 7.
Example 1
Let , , and . Let be generated by a root of , which we denote by . According to [9], one possible linear MRD code over has paritycheck matrix .
To form given a source message , we can choose uniformly at random and set to satisfy
Note that can be transmitted over any linear coded network. The specific network code used is irrelevant as long as each destination node is able to recover .
Now, suppose that the eavesdropper intercepts , where
Then
This is a linear system with variables and equations over . Note that, given , there is exactly one solution for for each value of . Thus, , , from which follows that and are independent.
VC Encoder Structure
In this subsection, we develop a more concrete encoder structure for the coset coding scheme proposed above.
Let be the paritycheck matrix of an linear code over . Let be an invertible matrix such that
for some . Consider the following encoder. Given a message , the encoder chooses uniformly at random and independently from , and produces by computing
Proposition 8
The encoder described above is universally secure under observations if the code defined by is MRD with .
Note that and . Then Theorem 7 holds if we can prove that is uniform given , i.e., if . By expanding in two ways, we have
Note that this equivalence between the two encoders has been previously shown in [6] for the case of with nonuniversal security (i.e., when satisfies the conditions of Theorem 4 for a specific network).
We now give a security condition based directly on the matrix rather than its inverse.
Proposition 9
The encoder described above is universally secure under observations if the last rows of form a generator matrix of an linear MRD code over with .
Let and be such that
Then
Thus, . Since both and are fullrank, it follows that and are generator and paritycheck matrices, respectively, for exactly the same code.
VD Converse Results
We now prove that our scheme is optimal with respect to packet length, i.e., the scheme minimizes the required packet length among all universal schemes. For generality, in the following theorem we revert to the notation of Section III (with matrices over the base field ).
Theorem 10
Consider a noiseless linear coded network. Assume that the source message has entropy of packets. There exists a zeroerror scheme that is universally secure under observations only if .
By assumption of zeroerror communication (and of a noiseless network), there is a function such that . Thus, we may write . Now,
(10)  
(11)  
(12)  
(13) 
where (10) follows since is a function of and (11) follows since . Since (13) holds with equality for all fullrank , we must have and for all such . By the chain rule of entropy, it is not hard to see that the latter condition implies that is uniform (for instance, by choosing each as a submatrix of an identity matrix, as in the wiretap channel II). Thus, . Since , we have that . Thus, there must be some such that , which implies that . On the other hand, the fact that for all fullrank implies that must be uniquely determined given and the indication that . From Theorem 5, this implies that each must be a rankmetric code with . In particular, . From the Singleton bound (1), we see that this can only happen if .
As Theorem 10 shows, if , universal schemes do not exist. For , not only do universal schemes exist, but also they achieve exactly the same rates as the best nonuniversal schemes. It should be noted, however, that these results assume the requirements of perfect secrecy and zeroerror communication. If these conditions are relaxed to asymptotically perfect secrecy and vanishing error probability (over multiple channel uses), then it is possible to construct universal schemes even for [26].
Vi Perfect Secrecy for Noisy Networks
In this section, we treat the general case of an linear coded network subject to errors and observations.
Via A Universal Scheme
Consider the encoder described on Section VC. Assume that the input variable for the encoder is (rather than ). Given , the encoder produces
where is chosen uniformly at random and independently from , and is an invertible matrix. Suppose that , and let denote the last rows of . It follows from Proposition 9 that, if is a generator matrix for an linear MRD code over , then the scheme is universally secure under observations, regardless of the distribution of .
Suppose we choose
where is the “true” message, and . Then the scheme remains universally secure under observations. On the other hand, the redundancy in may be useful to provide error correction.
Let us define an auxiliary variable
Then the encoder effectively maps into via the deterministic mapping
where denotes the last rows of . In particular, the set of all possible is given by
Then, it follows from Theorem 2 that, when is transmitted over an network subject to errors, the receiver can uniquely determine (and therefore ) if . This condition is satisfied if is an linear MRD code over and .
The above analysis proves the following result.
Theorem 11
Consider an linear coded network. In the encoder described above, assume that is the generator matrix of an linear MRD code over such that the last rows of form a generator matrix of an linear MRD code over . The scheme is universally errorerasurecorrecting and universally secure under observations if and .
Whenever an error control encoder satisfies the secrecy conditions of Theorem 11, we will say it is secrecycompatible.
ViB Converse Results
In this section, we prove that our proposed scheme is optimal, both in the sense of achieving the maximum possible rate and in the sense of requiring the minimum possible packet length among all schemes that achieve this maximum rate. As in Theorem 10, we use the generic notation of Section II.
Theorem 12
Consider an linear coded network. Assume that the source message has entropy of packets. There exists a scheme that is universally errorerasurecorrecting and universally secure under observations only if . Moreover, this maximum rate can be attained only if .
Let . Let be a fullrank matrix and let be a fullrank matrix such that for some (necessarily fullrank) . Let and . If the encoder is universally errorerasurecorrecting then, by Theorem 3, it is also universally erasurecorrecting. Thus, there is a function such that . In particular, there is also a function such that . Thus, we may write . Now,
(14)  
(15)  
(16)  
(17) 
where (14) follows since is a function of and (15) follows since . This proves the first statement. Now consider the second statement. Since (17) holds with equality, we must have and . Note that these conditions hold for all fullrank and all