Universal Secure Network Codingvia Rank-Metric Codes

# Universal Secure Network Coding via Rank-Metric Codes

Danilo Silva and Frank R. Kschischang The work of D. Silva was supported in part by CAPES Foundation (Brazil) and by FAPESP (Brazil) grant 2009/15771-7. The material in this paper was presented in part at the IEEE International Symposium on Information Theory, Toronto, Canada, July 2008, and in part at the IEEE International Symposium on Information Theory, Austin, TX, June 2010.D. Silva was with The Edward S. Rogers Sr. Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON M5S 3G4, Canada. He is now with the School of Electric and Computer Engineering, State University of Campinas, Campinas, SP 13083-970, Brazil (e-mail: danilo@decom.fee.unicamp.br).F. R. Kschischang is with The Edward S. Rogers Sr. Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON M5S 3G4, Canada (e-mail: frank@comm.utoronto.ca).
###### Abstract

The problem of securing a network coding communication system against an eavesdropper adversary is considered. The network implements linear network coding to deliver packets from source to each receiver, and the adversary can eavesdrop on arbitrarily chosen links. The objective is to provide reliable communication to all receivers, while guaranteeing that the source information remains information-theoretically secure from the adversary. A coding scheme is proposed that can achieve the maximum possible rate of packets. The scheme, which is based on rank-metric codes, has the distinctive property of being universal: it can be applied on top of any communication network without requiring knowledge of or any modifications on the underlying network code. The only requirement of the scheme is that the packet length be at least , which is shown to be strictly necessary for universal communication at the maximum rate. A further scenario is considered where the adversary is allowed not only to eavesdrop but also to inject up to erroneous packets into the network, and the network may suffer from a rank deficiency of at most . In this case, the proposed scheme can be extended to achieve the rate of packets. This rate is shown to be optimal under the assumption of zero-error communication.

## I Introduction

The paradigm of network coding [1, 2, 3] has provided a rich source of new problems that generalize traditional problems in communications. One such problem, introduced in [4] by Cai and Yeung, is that of securing a multicast network against an eavesdropper adversary.

Formally, consider a multicast network with unit capacity edges implementing linear network coding over a finite field . It is assumed that each link in the network carries a packet consisting of symbols in and that the network is capable of reliably transporting packets from the source to each destination. Now, suppose there is an eavesdropper that can listen to transmissions on arbitrarily chosen links111We consider a model where network links rather than nodes are eavesdropped; eavesdropping on a node is equivalent to eavesdropping on all links incoming to it. of the network. The secure network coding problem is to design an outer code (and possibly also the underlying network code) such that a message can be communicated to each receiver without leaking any information to the eavesdropper (i.e., security in the information-theoretic sense).

The work of Cai and Yeung [4] shows that the maximum achievable rate (i.e., the secrecy capacity) for this problem is given by packets, achievable if the field size is sufficiently large. They presented a construction of an outer code that achieves this capacity provided that . Their construction takes steps and requires that the outer code meet certain security conditions imposed by the underlying network code. Later, Feldman et al. [5] showed that, by slightly reducing the rate, it is possible to efficiently construct an outer code that is secure with high probability using a much smaller field size. On the other hand, they also showed that, under the assumption of a scalar linear outer code, there are instances of the problem where a very large field size is strictly necessary to achieve capacity.

More recently, Rouayheb and Soljanin [6] showed that the secure network coding problem can be regarded as a network generalization of the Ozarow-Wyner wiretap channel of type II [7, 8]. Their observation provides an important connection with a classical problem in information theory and yields a much more transparent framework for dealing with network coding security. In particular, they show that the same technique used to achieve capacity of the wiretap channel II—a coset coding scheme based on a linear MDS code—can also provide security for a wiretap network. Unfortunately, in their approach, the network code has to be modified to satisfy certain constraints imposed by the outer code.

Note that, in all the previous works, either the network code has to be modified to provide security [6], or the outer code has to be designed based on the specific network code used [4, 5]. In all cases, the network code must be known beforehand, and the field size required is significantly larger than the minimum required for conventional multicasting.

The present paper is motivated by Rouayheb and Soljanin’s formulation of a wiretap network and builds on their results. Our first main contribution is a coset coding scheme that neither imposes any constraints on, nor requires any knowledge of, the underlying network code. In other words, for any linear network code that is feasible for multicast, secure communication at the maximum possible rate can be achieved with a fixed outer code. In particular, the field size can be chosen as the minimum required for multicasting. In this paper, such network-code-independent schemes are called universal. An important consequence of our result is that, if universal schemes are assumed, then the problem of information transport (i.e., designing a feasible network code) and the problem of security against an eavesdropper can be completely separated from each other. In particular, universal schemes can be seamlessly integrated with random network coding.

The essence of our approach is to use a vector linear outer code. More precisely, we regard packets as elements of an extension field , and use an outer code that is linear over . Taking advantage of this extension field, we can then replace the linear MDS code in Ozarow-Wyner coset coding scheme by a linear maximum-rank-distance (MRD) code, which is essentially a linear code over that is optimal for the rank metric. Codes in the rank metric were studied by a number of authors [9, 10, 11] and have been proposed for error control in random network coding [12, 13]. Here, we show that, since the channel to the eavesdropper is a linear transformation channel (rather than an erasure channel), rank-metric codes are naturally suitable to the problem (as opposed to classical codes designed for the Hamming metric).

Another main contribution of this paper is the design of universal schemes that can provide both security and protection against errors. More precisely, we assume that the adversary is able not only to eavesdrop on arbitrarily chosen links, but also to inject erroneous packets anywhere in the network. We also assume that the network may suffer from a rank deficiency of at most packets. Previous work on this topic includes [14] and [15], which propose secure-error-correcting schemes achieving a rate . However, these schemes are not universal and suffer from the same issues as the Cai-Yeung scheme discussed above.

Note that the naive approach to this problem would be simply to concatenate a secrecy encoder with an error control encoder. However, the security of such a scheme is not guaranteed because the error control encoder can potentially “undo” part of the secrecy encoding. On the other hand, if secrecy encoding is applied after error control encoding, then, due to the same reason, the concatenated scheme is not guaranteed to provide error control.

Our approach to this problem is to design a single scheme that simultaneously provides security and error control, by leveraging the corresponding properties of rank-metric codes. Our proposed scheme is universal and achieves the rate of packets. We show that this rate is indeed optimal, under the assumption of zero-error communication222If this assumption is relaxed to vanishingly small error probability, then higher rates may be achieved in some cases. See [16].. This result (whose proof allows arbitrary packet lengths) generalizes a similar bound in [15] that assumed packet length (i.e., a scalar linear outer code).

All the universal schemes proposed in this paper have a single limitation: the packet length must satisfy . While this requirement is usually easily satisfied in the practice of random network coding (see, e.g., [17]), we show that it is also strictly necessary for universal communication. In other words, universal schemes that provide security and/or error control at the maximum rate do not exist if . Thus, our proposed schemes are optimal also in the sense of requiring the smallest packet size among all universal schemes.

The remainder of the paper is organized as follows. Section II presents a brief review of rank-metric codes and the basic model of linear network coding. In Section III, we formulate the problem of universal secure and reliable communication over a wiretap network, following the basic setup of the wiretap channel. In Section IV, we start by addressing the special case where only error control is required. We prove a few auxiliary results that extend the results of [18]. Then, in Section V, we address the special case where only security is required. The complete scenario of both security and error control is addressed in Section VI. In Section VII, we discuss the practical application of our proposed schemes, and show that they can be implemented in a convenient and very efficient manner. Finally, Section VIII presents our conclusions.

Previous versions of this work appeared in [19, 20, 21].

## Ii Preliminaries

### Ii-a Notation

Let denote the set of all matrices over , and set (i.e., the elements of are always seen as column vectors). For and , let denotes the submatrix of consisting of the rows indexed by . Let denote the row space of matrix .

### Ii-B Rank-Metric Codes

A matrix code is a nonempty set of matrices. The rank distance between matrices is defined as

 dR(X,Y)≜rank(Y−X).

As observed in [9, 10], the rank distance is indeed a metric. The minimum rank distance of a matrix code , denoted , is the minimum rank distance among all pairs of distinct codewords of .

Let be a degree extension of the finite field . Recall that is also a vector space over . Let be a vector space isomorphism. More concretely, expands an element of as a row vector over according to some fixed basis for over . Similarly, for all , let be the isomorphism defined by applying entry-wise, i.e.,

 ϕ(n×ℓ)m(X)=⎡⎢ ⎢⎣ϕm(X11)⋯ϕm(X1ℓ)⋮⋮ϕm(Xn1)⋯ϕm(Xnℓ))⎤⎥ ⎥⎦.

We will remove the superscript from when the dimensions of the argument are clear from the context. The rank distance between vectors and the minimum rank distance of a block code are defined, respectively, as and .

The size of a matrix code (or of a block code over ) is bounded by the Singleton bound for the rank metric, which states that every with minimum rank distance must satisfy

 |C|≤qmax{n,m}(min{n,m}−d+1). (1)

Codes that achieve this bound are called maximum-rank-distance (MRD) codes and they are known to exist for all choices of parameters , , and [9].

For the case of an linear block code over with minimum rank distance , the Singleton bound (1) becomes

 d≤min{1,mn}(n−k)+1. (2)

Note that, for , (2) coincides with the classical Singleton bound for the Hamming metric. Indeed, when , every MRD code is also MDS.

Note that, differently from classical coding theory, block codes are represented in this paper using column vectors. However, to avoid confusion, the generator and parity-check matrices of a linear code will always be given in the standard orientation. Thus, if and are, respectively, the generator and parity-check matrices of an linear code , then .

We now describe an important family of rank-metric codes proposed by Gabidulin [9]. Assume . A Gabidulin code is an linear code over defined by the generator matrix

 G=⎡⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢⎣gq00gq01⋯gq0n−1gq10gq11⋯gq1n−1⋮⋮⋱⋮gqk−10gqk−11⋯gqk−1n−1⎤⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥⎦ (3)

where the elements are linearly independent over . It is shown in [9] that the minimum rank distance of a Gabidulin code is , so the code is MRD.

### Ii-C Linear Network Coding

A linear network coding system is described as follows. Consider a communication network represented by a directed multigraph with unit capacity edges, a single source node, and multiple destination nodes. Each link in the network is assumed to transport, free of errors, a packet consisting of symbols from the finite field (that is, a vector in ). At every network use, the source node produces packets, represented as the rows of a matrix , and transmits evidence about these packets over the network. More precisely, for each of its outgoing links, the source node transmits a packet that is some -linear combination of the rows of . Each of the remaining nodes behaves similarly, computing its outgoing packets as -linear combinations of its incoming packets. It follows that, for every link , the packet transmitted over can be expressed (uniquely) as a linear combination of the rows of , say . The coefficient vector is called the (global) coding vector of . Let denote the set of all network links, ordered according to some fixed ordering. A (global) coding matrix is defined such that, for all , is the row of indexed by .

For analytical purposes, a receiver can be specified, without loss of generality, by the set of incoming links of the corresponding destination node. Let denote the collection of all receivers. Note that is a subset of the powerset of . For , let denote the matrix whose rows are the packets received by receiver . Then

 Y(R)=CRX.

The network code is said to be feasible for a receiver if , otherwise it is rank-deficient. The rank deficiency of a network code is defined as

 ρ=n−minR∈RrankCR

i.e., it is the maximum column-rank deficiency of among all receivers. Since, in a network coding context, rank deficiency is analogous to packet loss, a rank deficiency of may also be referred to as packet erasures.

The system described above is referred to as an linear coded network. We may also call it an linear coded network if its rank deficiency is .

We can extend the above model to incorporate packet errors. More precisely, we assume that each packet transmitted on a link may be subject to the addition of an error packet before reception by the corresponding node. This is useful to model both internal adversaries (malicious nodes that inject erroneous packets) as well as external adversaries (unauthorized transmitters that intentionally create interference with the transmitted signals). Similarly as above, this communication model can be described more concisely using a matrix framework. Suppose the packet transmitted on link changes from to . Then, due to linearity of the network, the packet transmitted on link changes from to , for some . Let be the matrix whose entry is . Then the matrix received by receiver is given by

 Y(R)=CRX+FRZ

where is the matrix corresponding to the error packets injected on all links.

Note that the above model is applicable even if the network contains cycles and/or delays.

## Iii Problem Formulation

We start by describing a generic wiretap channel. Let , , and be sets. A transmitter wishes to communicate a message reliably to a receiver but secretly from an eavesdropper. There is a channel among the three parties that takes from the transmitter and delivers to the receiver and to the eavesdropper. The channel is specified by some distribution . The transmitter generates by a stochastic encoding of , according to some distribution . Upon reception of , the receiver makes a guess that the transmitted message is , according to some decoding function . The eavesdropper, on the other hand, attempts to obtain information about based on the observation . Together, the encoder and the decoder specify the coding scheme. Note that and are assumed to be conditionally independent given .

### Iii-a Communication Requirements

We now describe the requirements that a coding scheme must satisfy, for the purposes of this paper.

#### Iii-A1 Zero-error communication

For all , let the fan-out set

 Yx≜{y∈Y:P(y|x)>0}

denote the set of all channel outputs that could possibly occur when the channel input is . Similarly, for all , let

 Xs ≜{x∈X:P(x|s)>0} Y(s) ≜{y∈Y:P(y|s)>0}=⋃x∈XsYx. (4)

The scheme is said to be zero-error if

 D(y)=s,for all y∈Y(s) and all s∈S (5)

that is, the receiver can always uniquely determine the message333Our focus on zero-error communication is motivated by the goal of guaranteeing reliability in the presence of adversarial jammers. Since an adversary will attempt to disrupt communication whenever such a possibility exists, requiring zero-error (“foolproof”) communication appropriately captures the worst-case nature of the problem.. We may also refer simply to the encoder and consider it zero-error if there exists some decoding function satisfying (5). It is easy to see that an encoder is zero-error if and only if the sets , , are all pairwise disjoint.

Note that condition (5) differs from the more usual notion of reliability where the probability of decoding error gets arbitrarily close to zero as the number of channel uses increases. Here, not only the probability of error must be exactly zero (as in zero-error information theory [22]), but also the channel can be used only once. While the constraint on a single channel use may seem restrictive, note that in many practical situations, in particular in network coding, a single message may already be large enough to encompass the whole communication session, so that further channel uses are not allowed.

#### Iii-A2 Perfect secrecy

The scheme is said to be perfectly secret if absolutely no information is leaked to the eavesdropper, i.e.,

 I(S;W)=0. (6)

Equivalently, the uncertainty about the message is not reduced by the eavesdropper’s observation.

Throughout the paper, we will use the word secure as a synonym for secret. We will also refer to a perfectly secure scheme simply as secure.

Note that condition (6) corresponds to perfect secrecy in the Shannon sense [23] and is stronger than the usual notion of secrecy in the information-theoretic security literature [24], where the average information leakage (per channel use) gets arbitrarily close to zero as the number of channel uses increases.

### Iii-B Wiretap Networks

We now consider the case where the wiretap channel is a linear network coding system potentially subject to errors. Consider an linear coded network specified by matrices and and a set of receivers , where denotes the set of network edges. The network is used to communicate a message to each receiver, which is done by encoding into an input matrix for transmission over the network.

As described in Section II-C, the output matrix at a receiver is given by

 Y(R)=CRX+FRZ

where denotes the matrix of error packets. Let

 Zx≜{z∈F|E|×mq:P(z|x)>0}

denote the set of all possible values for when the input matrix is . Then the set of all possible given is obtained as

 Yx(R)={y∈F|R|×mq:y=CRx+FRz,z∈Zx}.

Since there are multiple receivers, a coding scheme for such a network consists of not only an encoder but also a decoding function for each receiver. Accordingly, we say that the scheme is zero-error if it is zero-error for each individual receiver .

For the remainder of the paper, we will focus on the case where has at most nonzero rows, i.e.,

 Zx≜{z∈F|E|×mq:wt(z)≤t}

where denotes the number of nonzero rows of . In this case, a zero-error scheme is said to be a -error--erasure-correcting scheme, where denotes the rank deficiency of the linear coded network. Note that even when , a -error--erasure-correcting scheme must still be able to guarantee reliable (zero-error) communication for all receivers, i.e., it must able to make up for the rank deficiency experienced by the receivers.

Suppose there is an eavesdropper who can observe the packets transmitted on a subset of links . The corresponding matrix observed by the eavesdropper is given by

 CIX+FIZ.

Here, we assume the worst case where the eavesdropper has access to the matrix (possibly because was selected by the eavesdropper), so we define the eavesdropper observation as

 W(I)=CIX.

Consider the case where the eavesdropper is allowed to arbitrarily choose any with . Since the eavesdropper may choose in a worst-case or adversarial fashion, this situation may be modeled mathematically by assuming that there are multiple eavesdroppers, each with one of the allowed subsets . Accordingly, we say that the scheme is secure under observations if it is perfectly secure for all such that .

Under this model, may be viewed as a security parameter, while may be viewed as a reliability parameter.

Remark: As observed in [6], the type II wiretap channel of [7] can be viewed as the special case of a two-node network with a single receiver , where , and is an identity matrix.

### Iii-C Universal Schemes

The specification of a wiretap network requires the specification of , and , as well as , and . As a consequence, the properties of a coding scheme designed for a network are tied to the particular network code used; there is no guarantee that the scheme will work well over other networks.

In this paper, we are interested in universal schemes, i.e., schemes that share the same property (i.e., -error--erasure-correcting, secure under observations) for all possible network codes. As we shall see, this approach not only has practical benefits but also greatly simplifies the theoretical analysis.

###### Definition 1

A coding scheme for an linear coded network is universally -error--erasure-correcting if it is zero-error under the fan-out set

 Yx={(A,y)∈Fn×nq×Fn×mq∣∣y=Ax+Z,rankA≥n−ρ,rankZ≤t,Z∈Fn×mq}. (7)

Note that, to incorporate the fact that the matrix is known at receiver , we have to include the matrix as part of the channel output. Contrasted with the models in [18], the model in Definition 1 may be interpreted as a worst-case coherent network coding channel.

###### Proposition 1

A universally -error--erasure-correcting scheme for an network is -error--erasure-correcting for any network regardless of the network code or the set of receivers.

{proof}

We will show that, for any with , any , and any with , a receiver that knows and can successfully decode using a universal decoder. First, since , there exists, regardless of , some matrix such that . Now, since and , we have that . Thus, the receiver can successfully decode by applying the universal decoder on .

###### Definition 2

Consider an linear coded network with input matrix . A coding scheme is universally secure under observations if it is perfectly secure for each eavesdropper observation , for all .

Clearly, a universally secure scheme is always secure regardless of the network code.

Focusing on universal schemes immediately offers the analytical advantage of not having to specify the network topology and the network code, except for the parameters , , , . These parameters provide an interface between the problems of network code design and end-to-end code design, which then become completely independent.

Of course, the rates achieved by a universal scheme could potentially be smaller than those of non-universal schemes; equivalently, to achieve an optimal rate, a universal scheme may impose certain constraints on the interface parameters. Our goal in this paper is to determine exactly what rates are achievable by universal schemes, as well as to construct computationally efficient schemes that achieve these rates.

## Iv Universal Error Correction

We start by considering the case where , i.e., there is no eavesdropper (or security is not a concern).

Below we show a result that, while similar to the results in [18], is not available there, as model considered here is slightly different.

###### Theorem 2

Consider a deterministic encoder , where , and let . Then the encoder is universally -error--erasure-correcting if and only if .

{proof}

The correction guarantee has been proved in [18]. We now prove the converse. Suppose and let be such that and . Let be a matrix whose right null space is a subspace of with dimension . Let . Then and . Let be such that , , and . Then , and therefore . Since the encoder is deterministic, and must correspond to distinct messages, which implies that the scheme is not zero-error.

Theorem 2 shows that, in the case of a deterministic encoder, the correction capability of a scheme is characterized precisely by the minimum rank distance of the image of the encoder. Thus, the problem can be solved by (and only by) a rank-metric code with sufficiently large minimum rank distance. While Theorem 2 is concerned only with the encoder, computationally efficient decoders (for a Gabidulin code) have been proposed in [13] (see also [25, 20]) for all values of and .

The theorem also shows a tradeoff between errors and erasures that is analogous to that of classical coding theory; namely, an error can be traded for two erasures, and vice-versa, with the “exchange currency” being the minimum rank distance of the code.

It is important to note that the characterization in Theorem 2 is valid only for deterministic encoding. In the case of stochastic encoding, it is conceivable that the same message could give rise to two distinct codewords and with small rank distance (so that they would be indistinguishable at the receiver), yet the message itself could be successfully decoded. Thus, while the direct part of the theorem still holds (as long as ), the converse does not. Surprisingly, however, the same interplay between errors and erasures that exists for a deterministic encoder (namely, one error is equivalent to two erasures) still remains for a stochastic encoder, as shown in the next result.

###### Theorem 3

Consider an linear coded network. An encoder that is universally -error--erasure-correcting is also universally -error--erasure-correcting for all such that .

{proof}

See the Appendix.

The result of Theorem 3 will be crucially used in Section VI-B to prove a converse theorem for networks subject to errors and observations.

A consequence of Theorem 3 is that we could safely restrict attention to encoders that are universally -erasure-correcting (that is, universally -error--erasure-correcting), since erasure-correction capability can be naturally traded for error-correction capability. However, as before, note that the result of Theorem 3 applies only to the encoder, i.e., it is in principle not trivial to obtain a decoder for one scheme given a decoder for the other.

## V Perfect Secrecy for Noiseless Networks

In this section we treat the case of an linear coded network subject to observations but no errors—so that the channel from the transmitter to each receiver is noiseless. Thus, each receiver can correctly recover the channel input .

From now on, unless otherwise mentioned, we assume that the message space is , so that the message is a matrix. The rows of , denoted , may then be viewed as packets. All logarithms are taken to the base , so that information is measured in -ary units, or packets.

### V-a Preliminaries

We start by reviewing the basic idea of coset coding, which was proposed by Ozarow and Wyner for the special case of the type II wiretap channel [7], and later applied to the general case by Rouayheb and Soljanin [6]. The scheme requires each packet to be an element of a finite field, i.e., must be a field. In the following, we assume that .

Let be an linear code over with parity-check matrix . The transmitter encodes into by choosing uniformly at random some such that . In other words, each message is viewed as a syndrome specifying a coset of , and the transmitted word is randomly chosen among the elements of that coset. Upon reception of , decoding is performed by simply computing the syndrome . Thus, the scheme is always zero-error.

For the special case of a type II wiretap channel, it can be shown [7] that the scheme is perfectly secure if is an MDS code and . In general, however, this may not be sufficient. The following result is shown in [6].

###### Theorem 4 ([6])

In the coset coding scheme described above, assume that the eavesdropper observes , where . If , then . Moreover, if , then

 I(S;W)=0⟺⟨H⟩∩⟨B⟩=0. (8)

The above result can be used to design a network code based on a given parity-check matrix [6]. More precisely, the network code (i.e., the global coding matrix ) must be constructed in such a way that, for all with , the matrix satisfies (8) for the given . Note that, since there is always some violating (8), the scheme is not universal.

Although the case is not considered in [6], it is easy to see that any scheme for can immediately be extended to by applying the scheme times in a component-wise fashion. Encoding is performed identically, by randomly choosing such that (where and are now matrices), and the same holds for the decoding. Clearly, the resulting scheme retains exactly the same properties of the original one (in particular, non-universality).

### V-B A Universal Scheme

As we have seen above, in order to directly apply Ozarow-Wyner’s coset coding scheme, packets must be elements of a finite field, and one way to achieve this is to assume . Another approach, the one we propose in this paper, is to make use of the vector space isomorphism . In other words, we regard packets as elements of a finite field ; this is still compatible with -linear network coding since is a vector space over .

Theorem 4 holds unchanged, provided we replace with (note that we can regard as a matrix over , since ). However, all the entries of still lie in the subfield . Since , we can regard as a matrix over . After replacing with , Theorem 4 follows unchanged.

Under this interpretation, the variables , , are now viewed as column vectors over . For the purposes of Theorem 4, we can regard as a matrix over (since ). Then the theorem follows unchanged after replacing with . Note, however, that all the entries of still lie in the subfield . As the number of possibilities for is now much larger as compared to (for ), it is conceivable that some exists satisfying (8) for all . This can be seen as the crucial ingredient that enables universal security. A suitable choice of is given in the next theorem.

###### Theorem 5

Let be an linear code over with parity-check matrix . If and , then

 rank[HB]=rankH+rankB,for all B∈Fμ×nq. (9)

Conversely, if , then (9) holds only if .

{proof}

Suppose that, for some , there exists some matrix such that

 rank[HB]

Let , let be some full-rank matrix such that , and let be some full-rank matrix such that the matrix

 B′=[TBD]∈F(n−k)×nq

is full-rank. We have that

 rank[HB′] ≤rank[HB]+rankD

Let

 M=[HB′].

Since , there must exist some nonzero such that . But this implies that , i.e., , and , i.e., . Thus, .

For the converse statement, suppose that . Then there exists some nonzero such that . This implies that there exists some full-rank such that . Note also that . Thus,

 rank[HB]

In order to state our main result in full generality, we first present a generalization of Theorem 4.

###### Lemma 6

Let and . Let , and be random variables. Let and, for all , let .

1. If is uniform over given , then

2. If is uniform over , then

{proof}

See the Appendix.

We can now state the main result of this section.

###### Theorem 7

Consider an linear coded network. Let be an linear code over with parity-check matrix . A coset coding scheme based on is universally secure under observations if , and is MRD. Conversely, in the case of a uniformly distributed message, the scheme is universally secure under observations only if is an MRD code with .

{proof}

The achievability follows from item 1) of Lemma 6, Theorem 5, and the definition of an MRD code. The partial converse follows from item 2) of Lemma 6, Theorem 5, and the Singleton bound (2).

The following example illustrates the constructive part of Theorem 7.

###### Example 1

Let , , and . Let be generated by a root of , which we denote by . According to [9], one possible linear MRD code over has parity-check matrix .

To form given a source message , we can choose uniformly at random and set to satisfy

 S=HX=X1+αX2+α2X3.

Note that can be transmitted over any linear coded network. The specific network code used is irrelevant as long as each destination node is able to recover .

Now, suppose that the eavesdropper intercepts , where

 B=[101011].

Then

 W =B⎡⎢⎣X1X2X3⎤⎥⎦=[101011]⎡⎢⎣S+αX2+α2X3X2X3⎤⎥⎦ =[10]S+[α1+α211][X2X3].

This is a linear system with variables and equations over . Note that, given , there is exactly one solution for for each value of . Thus, , , from which follows that and are independent.

### V-C Encoder Structure

In this subsection, we develop a more concrete encoder structure for the coset coding scheme proposed above.

Let be the parity-check matrix of an linear code over . Let be an invertible matrix such that

 T−1=[HH1]

for some . Consider the following encoder. Given a message , the encoder chooses uniformly at random and independently from , and produces by computing

 X=T[SV].
###### Proposition 8

The encoder described above is universally secure under observations if the code defined by is MRD with .

{proof}

Note that and . Then Theorem 7 holds if we can prove that is uniform given , i.e., if . By expanding in two ways, we have

 H(X|S) =H(V|S)+H(X|V,S)−H(V|X,S) =H(V|S)+H(X|V,S) =H(V|S) =H(V) =n−k.

Note that this equivalence between the two encoders has been previously shown in [6] for the case of with non-universal security (i.e., when satisfies the conditions of Theorem 4 for a specific network).

We now give a security condition based directly on the matrix rather than its inverse.

###### Proposition 9

The encoder described above is universally secure under observations if the last rows of form a generator matrix of an linear MRD code over with .

{proof}

Let and be such that

 TT=[G1G].

Then

 [I00I]=T−1T=[HH1][GT1GT]=[HGT1HGTH1GT1H1GT].

Thus, . Since both and are full-rank, it follows that and are generator and parity-check matrices, respectively, for exactly the same code.

### V-D Converse Results

We now prove that our scheme is optimal with respect to packet length, i.e., the scheme minimizes the required packet length among all universal schemes. For generality, in the following theorem we revert to the notation of Section III (with matrices over the base field ).

###### Theorem 10

Consider a noiseless linear coded network. Assume that the source message has entropy of packets. There exists a zero-error scheme that is universally secure under observations only if .

{proof}

By assumption of zero-error communication (and of a noiseless network), there is a function such that . Thus, we may write . Now,

 k =H(S) =H(S|X,W)+I(S;X,W) =I(S;X,W) (10) =I(S;W)+I(S;X|W) =I(S;X|W) (11) =H(X|W)−H(X|S,W) ≤H(X|W) (12) ≤n−rankB. (13)

where (10) follows since is a function of and (11) follows since . Since (13) holds with equality for all full-rank , we must have and for all such . By the chain rule of entropy, it is not hard to see that the latter condition implies that is uniform (for instance, by choosing each as a submatrix of an identity matrix, as in the wiretap channel II). Thus, . Since , we have that . Thus, there must be some such that , which implies that . On the other hand, the fact that for all full-rank implies that must be uniquely determined given and the indication that . From Theorem 5, this implies that each must be a rank-metric code with . In particular, . From the Singleton bound (1), we see that this can only happen if .

As Theorem 10 shows, if , universal schemes do not exist. For , not only do universal schemes exist, but also they achieve exactly the same rates as the best non-universal schemes. It should be noted, however, that these results assume the requirements of perfect secrecy and zero-error communication. If these conditions are relaxed to asymptotically perfect secrecy and vanishing error probability (over multiple channel uses), then it is possible to construct universal schemes even for [26].

## Vi Perfect Secrecy for Noisy Networks

In this section, we treat the general case of an linear coded network subject to errors and observations.

### Vi-a A Universal Scheme

Consider the encoder described on Section V-C. Assume that the input variable for the encoder is (rather than ). Given , the encoder produces

 X=T[S′V]

where is chosen uniformly at random and independently from , and is an invertible matrix. Suppose that , and let denote the last rows of . It follows from Proposition 9 that, if is a generator matrix for an linear MRD code over , then the scheme is universally secure under observations, regardless of the distribution of .

Suppose we choose

 S′=[0S]

where is the “true” message, and . Then the scheme remains universally secure under observations. On the other hand, the redundancy in may be useful to provide error correction.

Let us define an auxiliary variable

 U=[SV].

Then the encoder effectively maps into via the deterministic mapping

 X=GTU

where denotes the last rows of . In particular, the set of all possible is given by

 C={GTu,u∈F(k+μ)qm}.

Then, it follows from Theorem 2 that, when is transmitted over an network subject to errors, the receiver can uniquely determine (and therefore ) if . This condition is satisfied if is an linear MRD code over and .

The above analysis proves the following result.

###### Theorem 11

Consider an linear coded network. In the encoder described above, assume that is the generator matrix of an linear MRD code over such that the last rows of form a generator matrix of an linear MRD code over . The scheme is universally -error--erasure-correcting and universally secure under observations if and .

Whenever an error control encoder satisfies the secrecy conditions of Theorem 11, we will say it is secrecy-compatible.

As mentioned in Section IV, decoding can be performed using the methods in [13, 20] if is a Gabidulin code. In this case, if is given in the form (3), then it is easy to see that any consecutive rows of (in particular the last ones) indeed form a generator matrix of an MRD sub-code.

### Vi-B Converse Results

In this section, we prove that our proposed scheme is optimal, both in the sense of achieving the maximum possible rate and in the sense of requiring the minimum possible packet length among all schemes that achieve this maximum rate. As in Theorem 10, we use the generic notation of Section II.

###### Theorem 12

Consider an linear coded network. Assume that the source message has entropy of packets. There exists a scheme that is universally -error--erasure-correcting and universally secure under observations only if . Moreover, this maximum rate can be attained only if .

{proof}

Let . Let be a full-rank matrix and let be a full-rank matrix such that for some (necessarily full-rank) . Let and . If the encoder is universally -error--erasure-correcting then, by Theorem 3, it is also universally -erasure-correcting. Thus, there is a function such that . In particular, there is also a function such that . Thus, we may write . Now,

 k =H(S) =H(S|YA,WB)+I(S;YA,WB) =I(S;YA,WB) (14) =I(S;WB)+I(S;YA|WB) =I(S;YA|WB) (15) =H(YA|WB)−H(YA|S,WB) ≤H(YA|WB) (16) ≤n′−rankP=n′−μ (17)

where (14) follows since is a function of and (15) follows since . This proves the first statement. Now consider the second statement. Since (17) holds with equality, we must have and . Note that these conditions hold for all full-rank and all