network coding and information security raymond w. yeung the chinese university of hong kong joint...

Network Coding and Information Security

Raymond W. YeungThe Chinese University of Hong Kong

Joint work with

Ning Cai, Xidian University

Outline

• Introduction to Network Coding• The Max-flow Bound• Secure Network Coding• Concluding Remarks

Introduction toNetwork Coding

A Network Coding Example

The Butterfly Network

b1 b2

b1

b1b1

b2

b2

b2

b2

b1

b1 b2

b1

b1

b2

b2b1+b2

b1+b2b1+b2

A Network Coding Example

with Two Sources

b1b2

b1 b2

b1 b2 b2b1

b1 b2

b2b1

b1+b2

b1+b2

b1+b2

Wireless/Satellite Application

b1 b2

t = 1b1

t = 2

t = 3b1+b2

b2

b1+b2

50% saving for downlink bandwidth!

Two Themes of Network Coding

• When there is 1 source to be multicast in a network, store-and-forward may fail to optimize bandwidth.

• When there are 2 or more independent sources to be transmitted in a network (even for unicast), store-and-forward may fail to optimize bandwidth.

In short, Information is NOT a commodity!

Model of a Point-to-Point Network

• A network is represented by a directed graph G = (V,E) with node set V and edge (channel) set E.

• A symbol from an alphabet F can be transmitted on each channel.

• There can be multiple edges between a pair of nodes.

Single-Source Network Coding

• The source node S generates an information vector

x = (x1 x2 … xk) Fk.• What is the condition for a node T to be able to

receive the information vector x?• Max-Flow Bound. If maxflow(T) < k, then T

cannot possibly receive x.

The Basic Results

• If network coding is allowed, a node T can receive the information vector x iff

maxflow(T) ≥ki.e., the max-flow bound can be achieved simultaneously by all such nodes T. (ACLY00)

• Moreover, this can be achieved by linear network coding for a sufficiently large base field. (LYC03, KM03)

Secure Network Coding

Cai and Y, 2002(discussed with Ueli Maurer, ISIT 2000)

Problem Formulation

• The underlying model is the same as network multicast using network coding except that some sets of channels can be wiretapped.

• Let A be a collection of subsets of the edge set E.• A subset in A is called a wiretap set.• Each wiretap set may be fully accessed by a wiretapper.• No wiretapper can access more than one wiretap set.• The network code needs to be designed in a way such

that no matter which wiretap set the wiretapper has access to, the multicast message is information-theoretically secure.

Our Coding Scheme

• The multicast message is (s,w), where• s is the secure message

• w is the randomness

• Both s and w are generated at the source node.

A Example of a Secure Network Code

s-w s+w

s-w

s-w

s+w

s+ww

wwOne of the 3 One of the 3 red channelsred channels can can be wiretappedbe wiretappeds is the secure messages is the secure messagew is the randomnessw is the randomness

Another Example of Secure Network Coding

The (1,2)-threshold Secret Sharing Scheme

wws+ws+w

s-ws-w

One of the 3 One of the 3 red channelsred channels can can be wiretappedbe wiretappeds is the secure messages is the secure messagew is the randomnessw is the randomness

Construction of Secure Network Codes

• Let n = minT maxflow(T).• We have obtained a sufficient condition under which a

secure linear network code can be constructed. • In particular, if A consists of all the r-subsets of E, where r <

n, then we can construct a secure network code with multicast message (s,w) such that |s|=n-r and |w|=r.

• For this case, the condition is also necessary.• Interpretation: For a sink node T, if r channels in the network

are wiretapped, the number of “secure paths” from the source node to T is still at least n-r. So n-r symbols can go through securely.

Global Encoding Kernels of a Linear Network Code

• Recall that x = (x1 x2 … xk) is the multicast message.

• For each channel e, assign a column vector fe such that the symbol sent on channel e is x fe. The vector fe is called the global encoding kernel of channel e.

• The global encoding kernel of a channel is analogous to a column in the generator matrix of a classical block code.

• The global encoding kernel of an output channel at a node must be a linear combination of the global encoding kernels of the input channels.

An Example

k = 2, let x = (b1, b2)

b1 b2

b1

b1

b2

b2b1+b2

b1+b2b1+b2

1

0

1

0

0

1

1

1

1

1

1

1

1

0

0

1

0

1

Idea of Code Construction

• Start with a linear network code for multicasting n symbols.

• For all wiretap set A A, let fA = { fe : e A }, the set of global encoding kernels of the channels in A.

• Let dim(span(fA)) r for all A A. [sufficient condition]

• When the base field F is sufficiently large, we can find b1, b2, …, bn-r Fn such that

b1, b2, …, bn-r are linearly independent of fA

for all A A.

• Let the multicast message be (s,w), with |s| = n-r and |w| = r.

• Take a suitable linear transformation of the given linear network code to obtain the desired secure network code.

Recent Work (Cai and Y, ISIT 2007)

• We obtained a necessary and sufficient condition for the security of linear network codes.

• This condition applies in the cases when • There are more than one information source

nodes in the network.• The random keys are not uniformly distributed.

• This condition also shows that the security of a linear network code does not depend on the source distribution.

Resources

• Network Coding Homepage

http://www.networkcoding.info• R. W. Yeung, S.-Y. R. Li, N. Cai and Z. Zhang,

Network Coding Theory, now Publishers, 2005 (Foundation and Trends in Communications and Information Theory).

• N. Cai and R. W. Yeung, “Secure network coding,” preprint.

Concluding Remarks

• Secure network coding is a generalization of both (regular) network coding and secret sharing.

• The subject is still in its infancy, and a lot of basic questions are yet to be answered.