Local-Encoding-Preserving Secure Network Coding---Part I: Fixed Security Level
aa r X i v : . [ c s . I T ] N ov Local-Encoding-Preserving Secure NetworkCoding—Part I: Fixed Security Level
Xuan Guang,
Member, IEEE,
Raymond W. Yeung,
Fellow, IEEE, and Fang-Wei Fu,
Member, IEEE
Abstract
Information-theoretic security is considered in the paradigm of network coding in the presence ofwiretappers, who can access one arbitrary edge subset up to a certain size, also referred to as the security level . Secure network coding is applied to prevent the leakage of the source information tothe wiretappers. In this two-part paper, we consider the problem of secure network coding when theinformation rate and the security level can change over time. In the current paper (i.e., Part I of thetwo-part paper), we focus on the problem for a fixed security level and a flexible rate. To efficientlysolve this problem, we put forward local-encoding-preserving secure network coding, where a family ofsecure linear network codes (SLNCs) is called local-encoding-preserving if all the SLNCs in this familyshare a common local encoding kernel at each intermediate node in the network. We present an efficientapproach for constructing upon an SLNC that exists a local-encoding-preserving SLNC with the samesecurity level and the rate reduced by one. By applying this approach repeatedly, we can obtain a familyof local-encoding-preserving SLNCs with a fixed security level and multiple rates. We also develop apolynomial-time algorithm for efficient implementation of this approach. Furthermore, it is proved thatthe proposed approach incurs no penalty on the required field size for the existence of SLNCs in termsof the best known lower bound by Guang and Yeung. The result in this paper will be used as a buildingblock for efficiently constructing a family of local-encoding-preserving SLNCs for all possible pairs ofrate and security level, which will be discussed in the companion paper (i.e., Part II of the two-partpaper) [36].
I. I
NTRODUCTION
In 1949, Shannon in his celebrated paper [1] put forward the well-known
Shannon cipher system . Inthis system, a sender wishes to transmit a private message to a receiver via a “public” channel whichis eavesdropped by a wiretapper, and it is required that this wiretapper cannot obtain any informationabout the message. For this purpose, the sender applies a random key to encrypt the message and thentransmit this encrypted message via the “public” channel. The random key is shared with the receiver via
November 7, 2018 DRAFT a “secure” channel that is inaccessible by the wiretapper. The receiver can recover the private messagefrom the encrypted message and the random key, while the wiretapper cannot obtain any informationabout the private message. This is referred to as information-theoretic security in the literature.In 1979, Blakley [2] and Shamir [3] independently put forward another well-known cipher systemwith information-theoretic security, called secret sharing , which subsumes the Shannon cipher system.In this system, a secret is encoded into shares which are distributed among a set of participants, and itis required that only the qualified subsets of participants can recover the secret, while no information atall about the secret can be obtained from the shares of any unqualified set of participants.Another related model called wiretap channel II was proposed by Ozarow and Wyner [4], in whichthe sender is required to transmit the message to the receiver through a set of noiseless point-to-pointchannels without leaking any information about the message to a wiretapper who can fully access anyone but not more than one subset of the channels up to a certain size. Logically, wiretap channel II is aspecial case of secret sharing.In 2000, Ahlswede et al. [5] formally put forward the concept of network coding that allows theintermediate nodes in a noiseless network to process the received information. They proved that if codingis applied at the nodes, rather than routing only, the source node can multicast messages to each sinknode at the theoretically maximum rate, i.e., the smallest minimum cut capacity between the sourcenode and the sink nodes, as the alphabet size of both the information source symbol and the channeltransmission symbol tends to infinity. Subsequently, Li et al. [6] proved that linear network coding witha finite alphabet is sufficient for optimal multicast by means of a vector space approach. Independently,Koetter and M´edard [7] developed an algebraic characterization of linear network coding by means ofa matrix approach. The above two approaches correspond to the global and local descriptions of linearnetwork coding, respectively. Jaggi et al. [8] further proposed a deterministic polynomial-time algorithmfor constructing a linear network code. We refer the reader to [9]–[13] for comprehensive discussions ofnetwork coding.
A. Related Works
In the paradigm of network coding, information-theoretic security is naturally considered in the presenceof a wiretapper. This problem, called secure network coding problem, was introduced by Cai and Yeung in[14], [15]. In the model of secure network coding over a wiretap network, i) the source node multicasts thesource message to all the sink nodes which as legal users are required to decode the source message withzero error; and ii) the wiretapper, who can access any one wiretap set of edges, is not allowed to obtainany information about the source message. The foregoing three classical information-theoretically secure
November 7, 2018 DRAFT models [1]–[4] can be formulated as special cases of the above wiretap network model. In particular, awiretap network is called a r -wiretap network if the wiretapper can fully access any one edge subset ofsize up to r , where r is a nonnegative integer, called the security level .Similar to the coding for the foregoing classical information-theoretically secure models [1]–[4], insecure network coding, it is necessary to randomize the source message to guarantee information-theoretic security. Cai and Yeung [15] presented a code construction for r -wiretap networks. Subsequently,El Rouayheb et al. [16] showed that the Cai-Yeung code construction can be viewed as a networkgeneralization of the code construction for wiretap channel II in [4]. Motivated by El Rouayheb et al. ,Silva and Kschischang [17] proposed a universal design of secure network codes via rank-metric codes,in which the design of the linear network code for information transmission and the design of the codeat the source node for information-theoretic security are over a finite field and its extension, respectively,so that the design of two codes can be separated. For secure network coding, the existing bounds on therequired alphabet size in [15]–[17] are roughly equal to the number of all wiretap sets, which is typicallytoo large for implementation in terms of computational complexity and storage requirement. Recently,Guang and Yeung [18] developed a systematic graph-theoretic approach to improve the required alphabetsize for the existence of secure network codes and showed that the improvement in general is significant.Secure network coding has also been investigated from different perspectives. Cheng and Yeung [19]studied the fundamental performance bounds for secure network coding in a wiretap network modelwhere the collection of wiretap sets is arbitrary. Cui et al. [20] investigated the secure network codingproblem in a single-source single-sink network with unequal channel capacities, where randomness isallowed to be generated at the non-source nodes. Furthermore, multi-source (multi-wiretapper) securenetwork coding problem was also investigated in the literature, such as [21]–[23].For secure network coding, besides information-theoretic security discussed above, some other notionsof security had also been considered in the literature. Bhattad and Narayanan [24] introduced weaklysecure network coding , in which “weak security” is defined as the requirement that the wiretapper cannotrecover any part of the source message. They also showed that we can use a weakly secure network codewithout trading off the rate, implying that a random key is not needed for weakly secure network coding.Another notion called strong security was introduced by Harada and Yamamoto [25], where a networkcode is called r -strongly secure if the wiretapper cannot obtain any information about any subset ∆ ofthe ω source symbols by accessing any edge subset of size up to ω + r − | ∆ | . Subsequently, Cai [26]proposed strongly generic linear network codes and proved that such codes are r -strongly secure.Another line of research follows the so-called Byzantine attacks [27]–[29], in which an adversaryis able to modify the messages transmitted on the edges of a network. Another related model is the
November 7, 2018 DRAFT combination of secure network coding with network error correction coding, e.g., [17], [30]–[32], wherethe source message is required to be protected from both wiretapping and (random or malicious) errors.For an overview of secure network coding, we refer the reader to the two survey papers [33], [34].
B. Our Work
In a secure network coding system, the requirements for information transmission and informationsecurity may vary. The information rate can change over time. For instance, the information sourcegenerated at the source node may have different rates at different times. The required security level canalso change over time. For instance, the information source may be of different nature at different times,and so is the confidentiality associated with it. It is desirable to transmit a less confidential informationsource by using a secure network code with a lower security level, because a secure network code witha high security level requires more randomness for the key. Note that in a cipher system, randomnessis a resource that needs to be optimized. Also as discussed above, there is an inherent tradeoff betweenthe information rate and the security level of a secure network code. With all these considerations, theinformation rate and the security level of the system may need to be chosen differently at different times.The straightforward approach is to use the existing code constructions to obtain a secure linearnetwork code (SLNC) for each pair of rate and security level. However, this approach has a numberof shortcomings. The construction of SLNCs for all the individual pairs of rate and security level incursa high computation cost. Each node on the network needs to store the local encoding kernels for all theSLNCs, which incurs a high storage cost. The use of different SLNCs also causes an implementationoverhead. To be specific, in using the SLNCs, the source node needs to inform each non-source nodewhich rate and security level to use, and then each intermediate node needs to search for and apply thecorresponding local encoding kernel for local encoding. This solution not only is cumbersome but alsoinefficient in terms of computation cost, storage cost, and implementation overhead.To avoid the shortcomings of the above solution, in this paper we put forward local-encoding-preservingsecure network coding , where a family of SLNCs is called local-encoding-preserving if all the SLNCsin this family share a common local encoding kernel at each intermediate node in the network. In otherwords, the same local encoding kernel is used at each intermediate node regardless of which SLNC inthis family used. With this setup, the source node only needs to inform the sink nodes which SLNC inthe family is in use, and there is no need to change the coding operations at the intermediate nodes.Our idea is to build a new SLNC on an existing SLNC so that not only both SLNCs are local-encoding-preserving but also the new SLNC achieves another rate and security-level pair. To implementthe local-encoding-preserving property, we consider two structures of SLNC constructions in the literature.
November 7, 2018 DRAFT
One structure is to design an appropriate linear pre-coding operation at the source node upon a linearnetwork code, where the linear pre-coding operation is designed for information security and the linearnetwork code is constructed in advance for information transmission, e.g., [15], [35]; and the other is todesign an appropriate linear network code upon a linear pre-coding operation (regarded as a secure code)at the source node, e.g., [16], [17]. The later structure is seemly infeasible for implementing the local-encoding-preserving property because for this structure, once the secure code is changed for a differentrate and/or a different security level, the linear network code which depends on the secure code has to becompletely redesigned. In contrast, the former structure is feasible for implementing the local-encoding-preserving property. For this structure, since the linear pre-coding operation at the source node is builtupon the linear network code constructed in advance, it is possible to only modify the linear pre-codingoperation at the source node to adjust to the change of the rate and/or security level while preservingthe local encoding kernels at the intermediate nodes. Besides, it has been proved in [15], [35] that forthis structure, the amount of randomness (entropy of the random key) required at the source node is theminimum possible for the required security level.We divide the presentation of the results into two parts. In the current paper (i.e., Part I), we design(i) a family of local-encoding-preserving SLNCs for a fixed security level and a flexible rate.In the companion paper [36] (i.e., Part II), we design(ii) a family of local-encoding-preserving SLNCs for a fixed rate and a flexible security level;(iii) a family of local-encoding-preserving SLNCs for a fixed dimension (equal to the sum of rate andsecurity level) and a flexible pair of rate and security level.It was proved in [15] that there exists an n -dimensional SLNC with rate ω and security level r (here n = ω + r ) on the network G if and only if ω + r ≤ C min , where C min is the smallest minimum cutcapacity between the source node and each sink node. The set of all such rate and security-level pairsforms the rate and security-level region , as depicted in Fig. 1. By combining the constructions of the 3families of local-encoding-preserving SLNCs described above in suitable ways, we can design a familyof local-encoding-preserving SLNCs that can be applied to all the pairs in the rate and security-levelregion. This will be discussed at the end of Part II of the current paper [36]. C. Organization and Contributions of this Paper
The organization and main contributions of the paper are given as follows: • In Section II, we formally present the network model, linear network coding, and secure networkcoding with a construction of SLNC over a finite field of a reduced size. The necessary notationand definitions are also introduced.
November 7, 2018 DRAFT r ωC min C min Fig. 1: The rate and security-level region. • Section III is devoted to designing a family of local-encoding-preserving SLNCs for a fixed securitylevel and a flexible rate. We present an efficient approach, which, upon any SLNC that exists, canconstruct a local-encoding-preserving SLNC with the same security level and the rate reduced byone. Then, starting with an SLNC with any fixed security level r and the allowed maximum rate C min − r and applying the proposed approach repeatedly, we can obtain a family of local-encoding-preserving SLNCs with the fixed security level r and multiple rates from C min − r to . • Although this approach gives the prescription for designing a local-encoding-preserving SLNC withthe security level fixed and the rate reduced by one, it does not provide a method for efficientimplementation. To tackle this problem, in Section IV we develop a polynomial-time algorithmfor the efficient implementation of the approach. We also prove that the proposed approach andalgorithm do not incur any penalty on the required field size for the existence of SLNCs in termsof the best known lower bound [18]. • We conclude in Section V with a summary of our results in the paper and an overview of thecompanion paper [36]. II. P
RELIMINARIES
A. Network Model
Let G = ( V, E ) be a finite directed acyclic network with a single source s and a set of sink nodes T ⊆ V \ { s } , where V and E are the sets of nodes and edges of G , respectively. For a directed edge e from node u to node v , the node u is called the tail of e and the node v is called the head of e , denoted November 7, 2018 DRAFT by tail( e ) and head( e ) , respectively. Further, for a node u , define In( u ) as the set of incoming edgesof u and Out( u ) as the set of outgoing edges of u . Formally, In( u ) = { e ∈ E : head( e ) = u } and Out( u ) = { e ∈ E : tail( e ) = u } . Without loss of generality, assume that there are no incoming edges forthe source node s and no outgoing edges for any sink node t ∈ T . For convenience sake, however, we let In( s ) be a set of n imaginary incoming edges , denoted by d i , ≤ i ≤ n , terminating at the source node s but without tail nodes, where the nonnegative integer n is equal to the dimension of the network code indiscussion. This will become clear later (see Definition 1). Then, we see that In( s ) = (cid:8) d i : 1 ≤ i ≤ n (cid:9) .An index taken from an alphabet can be transmitted on each edge e in E . In other words, the capacityof each edge is taken to be . Parallel edges between two adjacent nodes are allowed.In a network G , a cut between the source node s and a non-source node t is defined as a set of edgeswhose removal disconnects s from t . The capacity of a cut between s and t is defined as the number ofedges in the cut, and the minimum of the capacities of all the cuts between s and t is called the minimumcut capacity between them, denoted by C t . A cut between s and t is called a minimum cut if its capacityachieves the minimum cut capacity between them.These concepts can be extended from a non-source node t to an edge subset of E . We first need toconsider a cut between s and a set of non-source nodes T in the network G as follows. We create a newnode t T , and for every node t in T , add a new “super-edge” of infinite capacity from t to t T (whichis equivalent to adding infinite parallel edges from t to t T ). A cut of finite capacity between s and t T isconsidered as a cut between s and T . We can naturally extend the definitions of the capacity of a cut,the minimum cut capacity, and the minimum cut to the case of T . Now, we consider an edge subset A ⊆ E . For each edge e ∈ A , we introduce a node t e which splits e into two edges e and e with tail( e ) = tail( e ) , head( e ) = head( e ) , and head( e ) = tail( e ) = t e . Let T A = { t e : e ∈ A } . Then a cut between s and A is defined as a cut between s and T A , where, if e or e appears in the cut, replaceit by e . Similarly, the minimum cut capacity between s and A , denoted by mincut( s, A ) , is defined asthe minimum cut capacity between s and T A , and a cut between s and A achieving the minimum cutcapacity mincut( s, A ) is called a minimum cut . B. Linear Network CodingLinear network coding over a finite field is sufficient for achieving C min , min t ∈ T C t , the theoreticalmaximum information rate for multicast [6], [7]. We give the formal definition of a linear network codeas follows. Infinite symbols in the alphabet can be transmitted by one use of the edge.
November 7, 2018 DRAFT
Definition 1.
Let F q be a finite field of order q , where q is a prime power, and n be a nonnegativeinteger. An n -dimensional F q -valued linear network code C n on the network G = ( V, E ) consists of an F q -valued | In( v ) | × | Out( v ) | matrix K v = [ k d,e ] d ∈ In( v ) ,e ∈ Out( v ) for each non-sink node v in V , i.e., C n = (cid:8) K v : v ∈ V \ T (cid:9) , where K v is called the local encoding kernel of C n at v , and k d,e ∈ F q is called the local encodingcoefficient for the adjacent edge pair ( d, e ) . For a linear network code C n , the local encoding kernels K v at all the non-sink nodes v ∈ V \ T induce an n -dimensional column vector ~f ( n ) e for each edge e in E , called the global encoding kernel of e , which can be calculated recursively according to a given ancestral order of edges in E by ~f ( n ) e = X d ∈ In(tail( e )) k d,e · ~f ( n ) d , (1)with the boundary condition that ~f ( n ) d , d ∈ In( s ) form the standard basis of the vector space F nq . Theset of global encoding kernels for all e ∈ E , i.e., (cid:8) ~f ( n ) e : e ∈ E (cid:9) , is also used to represent this linearnetwork code C n . However, we remark that a set of global encoding kernels (cid:8) ~f ( n ) e : e ∈ E (cid:9) maycorrespond to more than one set of local encoding kernels (cid:8) K v : v ∈ V \ T (cid:9) .In using of this linear network code C n , let x = (cid:0) x x · · · x n (cid:1) ∈ F nq be the input of the sourcenode s . We assume that the input x is transmitted to s through the n imaginary incoming channels of thesource node s . Without loss of generality, x i is transmitted on the i th imaginary channel d i , ≤ i ≤ n .We use y e to denote the message transmitted on e , ∀ e ∈ E . Then y e can be calculated recursively bythe equation y e = X d ∈ In(tail( e )) k d,e · y d (2)according to the given ancestral order of edges in E , with y d i , x i , ≤ i ≤ n . We see that y e in fact isa linear combination of the n symbols x i , ≤ i ≤ n of x . It is readily seen that y d i = x · ~f ( n ) d i (= x i ) , ≤ i ≤ n . Then it can be shown by induction via (1) and (2) that y e = x · ~f ( n ) e , ∀ e ∈ E. (3)Furthermore, for each sink node t ∈ T , we define the matrix F ( n ) t = h ~f ( n ) e : e ∈ In( t ) i . The sink node t can decode the source message with zero error if and only if F ( n ) t is full rank, i.e., Rank (cid:0) F ( n ) t (cid:1) = n .We say that an n -dimensional linear network code C n is decodable if for each sink node t in T , the rankof the matrix F ( n ) t is equal to the dimension n of the code, i.e., Rank (cid:0) F ( n ) t (cid:1) = n , ∀ t ∈ T . We refer thereader to [9]–[13] for comprehensive discussions of linear network coding. November 7, 2018 DRAFT
C. Secure Network Coding
Now, we present the secure network coding model. We assume that the source node s generates arandom source message M taking values in the message set F ωq according to the uniform distribution,where the nonnegative integer ω is called the information rate . The source message M needs to bemulticast to each sink node t ∈ T , while being protected from a wiretapper who can access one but notmore than one arbitrary edge subset of size not larger than r , where the nonnegative integer r is calledthe security level . The network G with a required security level r is called an r - wiretap network . Similarto the other information-theoretically secure models, in our wiretap network model, it is necessary torandomize the source message to combat the wiretapper. The randomness available at the source node,called the key , is a random variable K that takes values in a set of keys F rq according to the uniformdistribution.We consider secure linear network codes (SLNCs) on an r -wiretap network G . Let n = ω + r , the sumof the information rate ω and the security level r . An F q -valued n -dimensional SLNC on the r -wiretapnetwork G is an F q -valued n -dimensional linear network on G such that the following decoding condition and security condition are satisfied: • decoding condition : every sink node can decode the source message M with zero error; • security condition : the mutual information between Y A and M is , i.e., I ( Y A ; M ) = 0 , for anyedge subset A ⊆ E with | A | ≤ r , where we denote by Y e the random variable transmitted on theedge e that is a linear function of the random source message M and the random key K , and denote ( Y e : e ∈ A ) by Y A for an edge subset A ⊆ E .The nonnegative integers ω and r are also referred to as the information rate and security level of this F q -valued SLNC, respectively. The sum of the rate ω and security level r is the dimension n of this F q -valued SLNC. In particular, it was proved in [35] that F rq is the minimum set of keys to guaranteethe security level of r for any valid information rate ω for ≤ ω ≤ C min − r . When r = 0 , the securenetwork coding model reduces to the original network coding model. D. SLNC Construction
We present the SLNC construction of Cai and Yeung [15]. Let ω and r be the information rate andthe security level, respectively, and n = ω + r ≤ C min . Let C n be an n -dimensional linear network codeover a finite field F q on the network G , of which all global encoding kernels are ~f ( n ) e , e ∈ E . November 7, 2018 DRAFT0
We use E r to denote the set of the edge subsets of size not larger than r , i.e., E r = { A ⊆ E : | A | ≤ r } .Let ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω be ω linearly independent column vectors in F nq such that (cid:10) ~b ( n ) i : 1 ≤ i ≤ ω (cid:11) \ (cid:10) ~f ( n ) e : e ∈ A (cid:11) = { ~ } , ∀ A ∈ E r . (4)Let ~b ( n ) ω +1 , ~b ( n ) ω +2 , · · · , ~b ( n ) n be another n − ω column vectors in F nq such that ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) n arelinearly independent, and then let Q ( n ) = h ~b ( n )1 ~b ( n )2 · · · ~b ( n ) n i .Let m , a row ω -vector in F ωq , be the value of the source message M , and k , a row r -vector in F rq ,be the value of the random key K . Then x = (cid:0) m k (cid:1) is the input of the source node s . At the sourcenode s , x is first linearly encoded to x ′ = x · (cid:0) Q ( n ) (cid:1) − , and then apply the linear network code C n tomulticast x ′ through the network G to all the sink nodes. With this setting, it was proved in [15] thatthis coding scheme not only multicasts the source message M to all the sink nodes at the rate ω butalso achieves the security level r . According to Theorem 1 subsequently, this n -dimensional SLNC withthe rate ω and security level r is denoted by (cid:0) Q ( n ) (cid:1) − · C n , and all the global encoding kernels of thisSLNC are (cid:0) Q ( n ) (cid:1) − · ~f ( n ) e , e ∈ E . E. Field Size Reduction of the SLNC Construction
Let A ⊆ E be an edge subset. If A satisfies | A | = mincut( s, A ) , then we say that A is regular .Consider an arbitrary edge subset A (not necessarily regular) with | A | ≤ r , and replace A by a minimumcut CUT A between s and A . Apparently, CUT A is regular and still satisfies | CUT A | ≤ r . A securenetwork code which is secure for CUT A is also secure for A , namely that I ( Y CUT A ; M ) = 0 implies I ( Y A ; M ) = 0 , since Y A is a deterministic function of Y CUT A by the mechanism of network coding.Thus, for the foregoing security condition, it suffices to consider all the regular edge subsets A ⊆ E with | A | ≤ r . Furthermore, for any regular edge subset A ⊆ E with | A | < r , there must exist a regular edgesubset B with | B | = r such that A ( B . By the same argument discussed above, it in fact suffices toconsider all the regular edge subsets A ⊆ E with | A | = r for the security condition.Let A and A ′ be two regular edge subsets with | A | = | A ′ | = r . Define a binary relation “ ∼ ” between A and A ′ : A ∼ A ′ if and only if there exists an edge set CUT which is a minimum cut between s and A and also between s and A ′ , that is, A and A ′ have a common minimum cut between the source node s and each of them. It was proved in Guang et al. [37] that “ ∼ ” is an equivalence relation. With the relation“ ∼ ”, the collection of all the regular edge subsets of size r can be partitioned into equivalence classes.Guang and Yeung [18] proved that each equivalence class contains a unique common minimum cut of Here we use h L i to denote the subspace spanned by the vectors in a set L of vectors. Furthemore, we always use ~ to denotean all-zero column vector in the paper, whose dimension is clear from the context. November 7, 2018 DRAFT1 all the edge subsets inside. Moreover, this common minimum cut is the primary minimum cut between s and any edge subset in this equivalence class, where a minimum cut between s and an edge subset A is primary if it separates s and all the minimum cuts between s and A . Such a primary minimum cut isunique and can be found in polynomial time.Furthermore, we say an edge subset is primary if this edge subset is the primary minimum cut between s and itself. By using the foregoing argument again, we see that for the security condition, it suffices toconsider all the primary edge subsets of size r . Precisely, we can replace (4) by the following: we use A r to denote the set of the primary edge subsets of size r , i.e., A r = { A ⊆ E : A is primary and | A | = r } , and let ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω be ω linearly independent column vectors in F nq such that (cid:10) ~b ( n ) i : 1 ≤ i ≤ ω (cid:11) \ (cid:10) ~f ( n ) e : e ∈ A (cid:11) = { ~ } , ∀ A ∈ A r . (5)It was also showed in [18] that | A r | , as a new lower bound on the field size for the existence of SLNCs,improves the previous one (cid:0) | E | r (cid:1) ( ≤ | E r | clearly), and the improvement can be significant.III. S ECURE N ETWORK C ODING FOR F IXED S ECURITY L EVEL AND F LEXIBLE R ATE
In this section, we consider the problem of designing a family of local-encoding-preserving SLNCsfor a fixed information rate and a security level.
A. Decoding Condition
We first consider in this subsection the decoding condition under the preservation of the local encodingmappings. Let n be a nonnegative integer not larger than C min = min t ∈ T C t , and C n be an n -dimensionallinear network code over a finite field F q on the network G . First, we show the existence of a family oflocal-encoding-preserving decodable linear network codes in which the linear network codes have distinctdimensions. Theorem 1.
Let C n = (cid:8) K v : v ∈ V \ T (cid:9) be an n -dimensional decodable linear network code over afinite field F q on the network G = ( V, E ) , of which the global encoding kernels are ~f ( n ) e , e ∈ E . Let Q be an m × n ( m ≤ n ) matrix over F q and Q · C n = (cid:8) K ( Q ) v : v ∈ V \ T (cid:9) with K ( Q ) s = Q · K s and K ( Q ) v = K v for all v ∈ V \ ( { s } ∪ T ) . Then Q · C n is an m -dimensional linear network code over F q on G , of which the global encoding kernels are Q · ~f ( n ) e , e ∈ E . This linear network code Q · C n is called We refer the reader to Example 1 in Section IV for illustrations of A r . November 7, 2018 DRAFT2 the transformation of C n by the matrix Q . In particular, Q · C n is decodable provided that Q is full rowrank, i.e., Rank (cid:0) Q (cid:1) = m .Proof: Clearly, Q · C n is an m -dimensional linear network code over F q on G by Definition 1. Let (cid:8) ~f ( m ) e ( Q ) : e ∈ E (cid:9) be the set of all the global encoding kernels with respect to the linear network code Q · C n . It suffices to prove that ~f ( m ) e ( Q ) = Q · ~f ( n ) e , ∀ e ∈ Out( v ) (6)for all non-sink nodes v , because for any e ∈ E , we have e ∈ Out( v ) for some non-sink node v . Thiswill be done by induction on the non-sink nodes according to any given ancestral order of the nodesin V . First, consider the source node s and obtain h ~f ( m ) e ( Q ) : e ∈ Out( s ) i = K ( Q ) s = Q · K s = h Q · ~f ( n ) e : e ∈ Out( s ) i . Now, consider an intermediate node u in V \ ( { s } ∪ T ) and assume that (6) is satisfied for all non-sinknodes v before u according to the given ancestral order of the nodes. By the induction hypothesis, wehave h ~f ( m ) e ( Q ) : e ∈ Out( u ) i = h ~f ( m ) d ( Q ) : d ∈ In( u ) i · K ( Q ) u = h Q · ~f ( n ) d : d ∈ In( u ) i · K u = Q · h ~f ( n ) d : d ∈ In( u ) i · K u = Q · h ~f ( n ) e : e ∈ Out( u ) i = h Q · ~f ( n ) e : e ∈ Out( u ) i . We thus proved that ~f ( m ) e ( Q ) = Q · ~f ( n ) e for all edges e in E .On the other hand, for each sink node t , the matrix F ( n ) t in C n becomes the matrix h Q · ~f ( n ) e : e ∈ In( t ) i = Q · F ( n ) t in Q · C n . The decodability of C n implies that Rank (cid:0) F ( n ) t (cid:1) = n . Hence, we see that Rank (cid:0) Q · F ( n ) t (cid:1) = m provided that the matrix Q is full row rank, i.e., Rank (cid:0) Q (cid:1) = m . The theorem is proved.The following corollary is a straightforward application of Theorem 1. Corollary 2.
Let C n be an n -dimensional decodable linear network code over the finite field F q on thenetwork G = ( V, E ) , of which the global encoding kernels are ~f ( n ) e , e ∈ E . Let ~ℓ be an arbitrary column ( n − -vector in F n − q and I n − stand for the ( n − × ( n − identity matrix. Then C n − , h I n − ~ℓ i · C n November 7, 2018 DRAFT3 is an ( n − -dimensional decodable linear network code over F q on G with the same local encodingkernels at the intermediate nodes as the original code C n , and all the global kernels of C n − are ~f ( n − e ( ~ℓ ) , h I n − ~ℓ i · ~f ( n ) e , ∀ e ∈ E. (7) Remark 3.
Corollary 2 is essentially the same as Fong and Yeung [38, Lemma 1], in which this resultwas proved by using global encoding kernels. A similar but more complicated result in network errorcorrection coding is Lemma 3 in [39], which correspondingly was proved by using the extended globalencoding kernels.B. Security Condition
In this subsection, we focus on how to guarantee the fixed security level for a family of local-encoding-preserving SLNCs with multiple rates.Based on Corollary 2 and the construction of an SLNC in Sections II-D and II-E, we can construct afamily of local-encoding-preserving SLNCs with the same security level r and information rates ω from to C min − r as follows. Let C C min be a C min -dimensional decodable linear network code over F q on G .Such a linear network code can be constructed in polynomial time (e.g., [8]). By Corollary 2, we canobtain a family of local-encoding-preserving linear network codes (cid:8) C n : n = C min , C min − , · · · , r + 1 (cid:9) of dimensions from C min to r + 1 , all of which are decodable. Next, for each n -dimensional linearnetwork code C n in this family, construct an n × n invertible matrix Q ( n ) satisfying (5). Thus, we canobtain a family of SLNCs (cid:8) ( Q ( n ) ) − · C n : n = C min , C min − , · · · , r + 1 (cid:9) of the same security level r and rates from C min − r to , and all of them have the same local encoding kernels at all the non-sourcenodes by Theorem 1. However, this approach not only requires the construction of the matrix Q ( n ) foreach n , incurring a high computational complexity, but also requires the source node s to store all thematrices Q ( n ) for each n . To avoid these shortcomings, in the following we give a more efficient approach to solve the problem.We consider an n -dimensional linear network code C n , of which all the global encoding kernels are ~f ( n ) e , e ∈ E . For any fixed column ( n − -vector ~ℓ , let C n − = h I n − ~ℓ i · C n = (cid:8) ~f ( n − e ( ~ℓ ) : e ∈ E (cid:9) . Under the requirement of the security level r , the allowed maximum information rate is C min − r . The computational complexity of the construction of Q ( n ) is shown to be O (cid:0) ωn | A r | + ωn | A r | + rn (cid:1) in Appendix A,and the storage cost is O (cid:0) n (cid:1) . November 7, 2018 DRAFT4
By Corollary 2, C n − is an ( n − -dimensional linear network code and has the same local encodingkernels as C n at all the non-source nodes. On the other hand, by the construction of an SLNC inSections II-D and II-E, the ω linearly independent column n -vectors ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω satisfying (5)guarantee the security level r . Our idea is to design an appropriate column ( n − -vector ~ℓ to obtain ω column ( n − -vectors ~b ( n − i ( ~ℓ ) = h I n − ~ℓ i · ~b ( n ) i , ≤ i ≤ ω, such that ( ω − vectors among them, e.g., ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , are linearly independent, and thecorresponding condition (5) for the rate ω − is satisfied, i.e., (cid:10) ~b ( n − i ( ~ℓ ) : 1 ≤ i ≤ ω − (cid:11) \ (cid:10) ~f ( n − e ( ~ℓ ) : e ∈ A (cid:11) = { ~ } , ∀ A ∈ A r . (8)With this, we can construct an ( n − -dimensional SLNC that achieves a security level of r and the lowerinformation rate ω − , and has the same local encoding kernels as ( Q ( n ) ) − · C n at all the non-sourcenodes. Note that K s (of size ω × | Out( s ) | ), the local encoding kernel at the source node s , needs to beupdated to K ( n − s ( ~ℓ ) (of size ( ω − × | Out( s ) | ). This will be discussed later.Before presenting our approach, we first give some notations to be used frequently throughout the paper.Let C n be an n -dimensional decodable linear network code over a finite field F q on the network G , ofwhich all the global encoding kernels are ~f ( n ) e , e ∈ E . Let Q ( n ) = h ~b ( n )1 ~b ( n )2 · · · ~b ( n ) n i be an n × n invertible matrix satisfying (5), i.e., ( Q ( n ) ) − · C n is an SLNC over F q on G with information rate ω andsecurity level r .Define two types of vector spaces as follows: L ( n ) A = (cid:10) ~f ( n ) e : e ∈ A (cid:11) , A ⊆ E B ( n ) i = (cid:10) ~b ( n ) j : 1 ≤ j ≤ i (cid:11) , ≤ i ≤ n. Furthermore, for a column ( n − -vector ~ℓ ∈ F n − q , recall that ~f ( n − e ( ~ℓ ) = h I n − ~ℓ i · ~f ( n ) e , e ∈ E,~b ( n − i ( ~ℓ ) = h I n − ~ℓ i · ~b ( n ) i , ≤ i ≤ n, and define two types of vector spaces similarly: L ( n − A ( ~ℓ ) = (cid:10) ~f ( n − e ( ~ℓ ) : e ∈ A (cid:11) , A ⊆ E, B ( n − i ( ~ℓ ) = (cid:10) ~b ( n − j ( ~ℓ ) : 1 ≤ j ≤ i (cid:11) , ≤ i ≤ n. In particular, for ~ℓ = ~ , let ~f ( n − e = ~f ( n − e ( ~
0) = h I n − ~ i · ~f ( n ) e , e ∈ E, (9) November 7, 2018 DRAFT5 ~b ( n − i = ~b ( n − i ( ~
0) = h I n − ~ i · ~b ( n ) i , ≤ i ≤ n, (10)i.e., ~f ( n − e (resp. ~b ( n − i ) is the sub-vector of ~f ( n ) e (resp. ~b ( n ) i ) containing the first ( n − components,and L ( n − A = (cid:10) ~f ( n − e : e ∈ A (cid:11) , A ⊆ E, (11) B ( n − i = (cid:10) ~b ( n − j : 1 ≤ j ≤ i (cid:11) , ≤ i ≤ n. (12)Now, we present our approach in detail. By (10), we first compute h ~b ( n − ~b ( n − · · · ~b ( n − ω i = h I n − ~ i · h ~b ( n )1 ~b ( n )2 · · · ~b ( n ) ω i , (13)which, together with the linear independence of ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω , implies that Rank (cid:16) h ~b ( n − ~b ( n − · · · ~b ( n − ω i (cid:17) ≥ ω − . In other words, there must exist ω − vectors out of ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω are linearly independent. Withoutloss of generality, we assume that ~b ( n − , ~b ( n − , · · · , ~b ( n − ω − are linearly independent.Furthermore, with the global encoding kernels ~f ( n ) e , e ∈ E of C n , we partition A r into the followingtwo disjoint subsets: A ′ r = { A ∈ A r : the n − vectors ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A, are linearly dependent } , and A ′′ r = { A ∈ A r : the n − vectors ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A, are linearly independent } . The following two lemmas give the prescriptions of designing the column ( n − -vectors ~ℓ for A ′ r and A ′′ r , respectively. Lemma 4.
Let ~b ( n − , ~b ( n − , · · · , ~b ( n − ω − be ω − linearly independent column ( n − -vectors overa finite field F q , where n = ω + r . For any column ( n − -vector ~ℓ ∈ F n − q such that ~ℓ ∈ F n − q \ [ A ∈ A ′ r (cid:16) B ( n − ω − + L ( n − A (cid:17) , (14) then the following are satisfied: • the column ( n − -vectors ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , are linearly independent; • B ( n − ω − ( ~ℓ ) T L ( n − A ( ~ℓ ) = { ~ } , ∀ A ∈ A ′ r . November 7, 2018 DRAFT6
Proof:
Let ~ℓ be an arbitrary column ( n − -vector satisfying (14). We first prove that ~b ( n − ( ~ℓ ) , ~b ( n − ( ~ℓ ) , · · · , ~b ( n − ω − ( ~ℓ ) are linearly independent. Let ~b ( n ) i = (cid:2) b i, b i, · · · b i,n (cid:3) ⊤ , ≤ i ≤ ω − .Assume that α , α , · · · , α ω − are ω − elements in F q such that ~ ω − X i =1 α i ~b ( n − i ( ~ℓ ) = ω − X i =1 α i ( ~b ( n − i + b i,n ~ℓ ) , (15)or equivalently, ω − X i =1 α i ~b ( n − i = − (cid:16) ω − X i =1 α i b i,n (cid:17) · ~ℓ, (16)where we note that b i,n is the last component of ~b ( n ) i . By (14), we have ~ℓ / ∈ B ( n − ω − , which, together with(16), implies that P ω − i =1 α i b i,n = 0 and P ω − i =1 α i ~b ( n − i = ~ . Thus, we obtain ω − X i =1 α i ~b ( n ) i = ω − X i =1 α i ~b ( n − i b i,n = ~ , which implies that α i = 0 for all ≤ i ≤ ω − since ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω − are linearly independent. Wethus have proved that ~b ( n − ( ~ℓ ) , ~b ( n − ( ~ℓ ) , · · · , ~b ( n − ω − ( ~ℓ ) are linearly independent.Next, we prove that B ( n − ω − ( ~ℓ ) T L ( n − A ( ~ℓ ) = { ~ } for all A ∈ A ′ r . We assume the contrary that thereexists a wiretap set A ∈ A ′ r such that B ( n − ω − ( ~ℓ ) \ L ( n − A ( ~ℓ ) = { ~ } . (17)Let ~v ∈ F n − q be a nonzero vector in this intersection. Then, we have β , β , · · · , β ω − in F q , not allzero, such that ~v = ω − X i =1 β i ~b ( n − i ( ~ℓ ) = ω − X i =1 β i ( ~b ( n − i + b i,n ~ℓ ) , (18)and another r elements in F q , denoted by γ e , e ∈ A , which are not all zero, such that ~v = X e ∈ A γ e ~f ( n − e ( ~ℓ ) = X e ∈ A γ e ( ~f ( n − e + f e,n ~ℓ ) , (19)where f e,n is the last component of ~f ( n ) e . By (18) and (19), we immediately obtain ω − X i =1 β i ~b ( n − i − X e ∈ A γ e ~f ( n − e ! + ω − X i =1 β i b i,n − X e ∈ A γ e f e,n ! · ~ℓ = ~ . Together with ~ℓ / ∈ B ( n − ω − + L ( n − A from (14) (which implies ~ℓ = ~ ), we further have ω − X i =1 β i b i,n − X e ∈ A γ e f e,n = 0 and ω − X i =1 β i ~b ( n − i − X e ∈ A γ e ~f ( n − e = ~ , (20) November 7, 2018 DRAFT7 or equivalently, ω − X i =1 β i b i,n = X e ∈ A γ e f e,n and ω − X i =1 β i ~b ( n − i = X e ∈ A γ e ~f ( n − e . (21)Now, we can write (21) in vector form as ω − X i =1 β i ~b ( n − i b i,n = X e ∈ A γ e ~f ( n − e f e,n , (22)namely, ω − X i =1 β i ~b ( n ) i = X e ∈ A γ e ~f ( n ) e . (23)Together with the linear independence of ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) ω − , we obtain ~ = ω − X i =1 β i ~b ( n ) i = X e ∈ A γ e ~f ( n ) e , (24)since β , β , · · · , β ω − are not all zero. This implies that B ( n ) ω − T L ( n ) A = { ~ } , a contradiction to (5).The lemma is proved. Lemma 5.
Let ~b ( n − , ~b ( n − , · · · , ~b ( n − ω − be ω − linearly independent column ( n − -vectors overa finite field F q , where n = ω + r . For each wiretap set A ∈ A ′′ r , define a set of column ( n − -vectorsas follows: K A = n ~k = ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e : ∀ (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q s.t. ω − X i =1 α i b i,n + X e ∈ A β e f e,n = − o , (25) where ~f ( n ) e , e ∈ A , are r n -dimensional global encoding kernels of the r edges in A , and f e,n is thelast component of ~f ( n ) e . Then, for any column ( n − -vector ~ℓ ∈ F n − q \ S A ∈ A ′′ r K A , the following aresatisfied: • the column ( n − -vectors ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , are linearly independent; • B ( n − ω − ( ~ℓ ) T L ( n − A ( ~ℓ ) = { ~ } , ∀ A ∈ A ′′ r .Proof: Let A be an arbitrary edge subset in A ′′ r . In order to find a column vector ~ℓ ∈ F n − q suchthat ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , are linearly independent and B ( n − ω − ( ~ℓ ) T L ( n − A ( ~ℓ ) = { ~ } , it suffices tofind a column vector ~ℓ such that the ω − r vectors ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , ~f ( n − e ( ~ℓ ) , e ∈ A , arelinearly independent, or equivalently ω − X i =1 α i ~b ( n − i ( ~ℓ ) + X e ∈ A β e ~f ( n − e ( ~ℓ ) = ~ , (26) November 7, 2018 DRAFT8 for any nonzero vector (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q (here n = ω + r ). Further, we write (26)as: ω − X i =1 α i (cid:16) ~b ( n − i + b i,n ~ℓ (cid:17) + X e ∈ A β e (cid:16) ~f ( n − e + f e,n ~ℓ (cid:17) = ~ , or equivalently, − (cid:16) ω − X i =1 α i b i,n + X e ∈ A β e f e,n (cid:17) · ~ℓ = ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e . (27)Based on (27), we consider the following two cases: Case 1:
Consider those nonzero vectors (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q such that ω − X i =1 α i b i,n + X e ∈ A β e f e,n = 0 . (28)By (28), the LHS in (27) is always a zero vector. On the other hand, since (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) is nonzero, and the vectors ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , are linearly independent, the RHS in(27) is nonzero. Thus, (27) always holds for any ~ℓ in Case 1. Case 2:
Consider those nonzero vectors (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q such that ω − X i =1 α i b i,n + X e ∈ A β e f e,n = 0 . Clearly, (27) holds for Case 2 if and only if: ~ℓ = − (cid:16) ω − X i =1 α i b i,n + X e ∈ A β e f e,n (cid:17) − · (cid:16) ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e (cid:17) . Now we let K A = n ~k = − ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! − · ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e ! : ∀ (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q \ { ~ } s.t. ω − X i =1 α i b i,n + X e ∈ A β e f e,n = 0 o . (29)Combining the two cases above, we have proved that for any ~ℓ ∈ F n − q \ K A , the ω − column ( n − -vectors ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , are linearly independent, and B ( n − ω − ( ~ℓ ) T L ( n − A ( ~ℓ ) = { ~ } . Uponproving that K A = K A and considering all the edge subsets A ∈ A ′′ r , the lemma is proved.We now prove that K A = K A (cf. (25) for K A ). Clearly, we have K A ⊆ K A . To prove K A ⊆ K A , weconsider any column ( n − -vector ~k in K A . For this ~k , there exists a row ( n − -vector (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) in F n − q such that P ω − i =1 α i b i,n + P e ∈ A β e f e,n = 0 and ~k = − ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! − · ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e ! . November 7, 2018 DRAFT9
Let α ′ i = − ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! − · α i , ≤ i ≤ ω − , and β ′ e = − ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! − · β e , ∀ e ∈ A. Then we have ~k = ω − X i =1 α ′ i ~b ( n − i + X e ∈ A β ′ e ~f ( n − e , and ω − X i =1 α ′ i b i,n + X e ∈ A β ′ e f e,n = − ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! − · ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! = − . This implies ~k ∈ K A , proving that K A ⊆ K A . We thus have proved that K A = K A .The following theorem gives the prescription for designing the vector ~ℓ . Theorem 6.
Let ~b ( n − , ~b ( n − , · · · , ~b ( n − ω − be ω − linearly independent column ( n − -vectors overa finite field F q of order q > | A r | , where n = ω + r . Then, the set F n − q \ " [ A ∈ A ′ r (cid:16) B ( n − ω − + L ( n − A (cid:17) [ A ∈ A ′′ r K A (30) is nonempty, and for any column ( n − -vector ~ℓ in this set, the following are satisfied: • the column ( n − -vectors ~b ( n − i ( ~ℓ ) , ≤ i ≤ ω − , are linearly independent; • B ( n − ω − ( ~ℓ ) T L ( n − A ( ~ℓ ) = { ~ } , ∀ A ∈ A r , i.e., the security condition in (8) .Proof: We only need prove that the set (30) is nonempty if the field size q > | A r | . The rest of thetheorem are immediate consequences of Lemmas 4 and 5.First, for an edge subset A ∈ A ′ r , the n − column ( n − -vectors ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , are linearly dependent. Then we have dim (cid:0) B ( n − ω − + L ( n − A (cid:1) ≤ ( ω − r ) − n − , and consequently, (cid:12)(cid:12)(cid:12) B ( n − ω − + L ( n − A (cid:12)(cid:12)(cid:12) ≤ q n − . Now, for an edge subset A in A ′′ r , we consider any two vectors (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) and (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) in F n − q such that ω − X i =1 α i b i,n + X e ∈ A β e f e,n = − and ω − X i =1 α ′ i b i,n + X e ∈ A β ′ e f e,n = − . (31) November 7, 2018 DRAFT0
Let ~k = ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e (32)and ~k ′ = ω − X i =1 α ′ i ~b ( n − i + X e ∈ A β ′ e ~f ( n − e . (33)We will prove that ~k = ~k ′ if and only if (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) = (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) . The “if” part is evident. For the “only if” part, since ~k = ~k ′ , it follows from (32) and (33) that ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e = ω − X i =1 α ′ i ~b ( n − i + X e ∈ A β ′ e ~f ( n − e . (34)Note that the n − column ( n − -vectors ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , are linearly independent(since A ∈ A ′′ r ), and so they form a basis of the vector space F n − q . Therefore, by (34), we immediatelyobtain that (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) and (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) are equal.Therefore, the cardinality of K A is equal to the number of the vectors (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q such that ω − X i =1 α i b i,n + X e ∈ A β e f e,n = − , (35)that is, |K A | = q n − .Thus, we have proved that (cid:12)(cid:12) B ( n − ω − + L ( n − A (cid:12)(cid:12) ≤ q n − , ∀ A ∈ A ′ r ; |K A | = q n − , ∀ A ∈ A ′′ r . So, if q > | A r | , we have (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) F n − q \ [ A ∈ A ′ r (cid:16) B ( n − ω − + L ( n − A (cid:17) [ A ∈ A ′′ r K A (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) = (cid:12)(cid:12)(cid:12) F n − q (cid:12)(cid:12)(cid:12) − (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) [ A ∈ A ′ r (cid:16) B ( n − ω − + L ( n − A (cid:17) [ A ∈ A ′′ r K A (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) ≥ q n − − (cid:16) X A ∈ A ′ r q n − + X A ∈ A ′′ r q n − (cid:17) = q n − − | A r | · q n − = q n − ( q − | A r | ) November 7, 2018 DRAFT1 > . The theorem is proved.Now, by Theorem 6, the column ( n − -vector ~ℓ can be taken to be any vector in the set in (30). Let Q ( n − ( ~ℓ ) = h I n − ~ℓ i · Q ( n ) = h ~b ( n − ( ~ℓ ) ~b ( n − ( ~ℓ ) · · · ~b ( n − n ( ~ℓ ) i . Then we have
Rank (cid:0) Q ( n − ( ~ℓ ) (cid:1) = n − since Rank (cid:0) Q ( n ) (cid:1) = n . Furthermore, together with the linearindependence of ~b ( n − ( ~ℓ ) , ~b ( n − ( ~ℓ ) , · · · , ~b ( n − ω − ( ~ℓ ) from Theorem 6, there exist r column vectors inthe last r + 1 column vectors of Q ( n − ( ~ℓ ) , say ~b ( n − ω ( ~ℓ ) , ~b ( n − ω +1 ( ~ℓ ) , · · · , ~b ( n − n − ( ~ℓ ) , such that ~b ( n − ( ~ℓ ) , ~b ( n − ( ~ℓ ) , · · · , ~b ( n − n − ( ~ℓ ) are linearly independent. Immediately, we obtain an ( n − × ( n − invertiblematrix Q ( n − = h ~b ( n − ( ~ℓ ) ~b ( n − ( ~ℓ ) · · · ~b ( n − n − ( ~ℓ ) i . Therefore, we have constructed an ( n − -dimensional SLNC ( Q ( n − ) − · C n − = ( Q ( n − ) − · h I n − ~ℓ i · C n = n ( Q ( n − ) − · ~f ( n − e ( ~ℓ ) : e ∈ E o , which not only achieves the information rate ω − and security level of r , but also has the same localencoding kernels as the original n -dimensional SLNC ( Q ( n ) ) − · C n at all the non-source nodes.IV. A N A LGORITHM FOR C ODE C ONSTRUCTION
In the last section, we have presented an approach for designing a family of local-encoding-preservingSLNCs for a fixed security level and multiple rates. In particular, Theorem 6 gives the prescription fordesigning an appropriate vector ~ℓ that is crucial for constructing a local-encoding-preserving SLNC withrate reduced by one. However, Theorem 6 does not provide a method to find ~ℓ readily. The followingAlgorithm 1 provides an efficient method to find ~ℓ and gives a polynomial-time implementation forconstructing an ( n − -dimensional SLNC with rate ω − and security level r (here n = ω + r ) from an n -dimensional SLNC with rate ω and security level r , and the two SLNCs have the same local encodingkernel at each intermediate node.Starting with an SLNC with a security level r and accordingly the maximum rate C min − r and thenusing Algorithm 1 repeatedly, we can obtain a family of local-encoding-preserving SLNCs with the fixedsecurity level r and rates from C min − r to . This procedure is illustrated in Fig. 2. November 7, 2018 DRAFT2
Algorithm 1:
Construction of a rate- ( ω − and security-level- r SLNC from a rate- ω and security-level- r SLNC, both of which have the same local encoding kernels at all the non-source nodes.
Input: An n -dimensional linear network code C n of global encoding kernels ~f ( n ) e , e ∈ E over a finite field F q of order q > | A r | , and an F q -valued n × n invertible matrix Q ( n ) = h ~b ( n )1 ~b ( n )2 · · · ~b ( n ) n i such that ( Q ( n ) ) − · C n is an n -dimensional SLNC with rate ω and security level r , where n = ω + r . Output:
Matrices Q ( n − and K ( n − s ( ~ℓ ) corresponding to the linear encoding operation and the localencoding kernel at the source node, respectively. // The linear encoding operation corresponding to Q ( n − at the source node, the updated local encodingkernel K ( n − s ( ~ℓ ) at the source node, and the unchanged local encoding kernels at all the non-source nodestogether constitute an ( n − -dimensional SLNC of rate ω − and security level r . begin choose ω − linearly independent vectors in ~b ( n − , ~b ( n − , · · · , ~b ( n − ω , say ~b ( n − , ~b ( n − , · · · , ~b ( n − ω − without loss of generality; partition A r into A ′ r and A ′′ r ; choose a column ( n − -vector ~h ∈ F n − q \ S A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) ; for each A ∈ A ′′ r do calculate the unique row ( n − -vector (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q such that ~h = P ω − i =1 α i ~b ( n − i + P e ∈ A β e ~f ( n − e ; compute θ A = P ω − i =1 α i b i,n + P e ∈ A β e f e,n ; end choose a nonzero element θ in F q such that θ · θ A = − , ∀ A ∈ A ′′ r ; calculate the vector ~ℓ = θ~h ; // ~ℓ ∈ F n − q \ (cid:2) S A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) S A ∈ A ′′ r K A (cid:3) . compute K ( n − s ( ~ℓ ) = h I n − ~ℓ i · K s ; // K ( n − s ( ~ℓ ) = h ~f ( n − e ( ~ℓ ) : e ∈ Out( s ) i . compute Q ( n − ( ~ℓ ) = h I n − ~ℓ i · Q ( n ) ; // Q ( n − ( ~ℓ ) = h ~b ( n − ( ~ℓ ) ~b ( n − ( ~ℓ ) · · · ~b ( n − n ( ~ℓ ) i . remove a column vector from the last r + 1 (here r = n − ω ) vectors of Q ( n − ( ~ℓ ) , i.e., ~b ( n − i ( ~ℓ ) , ω ≤ i ≤ n , such that the remaining ( n − × ( n − matrix, denoted by Q ( n − , is invertible; return Q ( n − and K ( n − s ( ~ℓ ) . // Now, ( Q ( n − ) − · C n − is an F q -valued SLNC with security level r and rate ω − , and has the same localencoding kernels as ( Q ( n ) ) − · C n at all the non-source nodes. However, note that the calculation of all the globalencoding kernels of C n − , i.e., ~f ( n − e ( ~ℓ ) , e ∈ E , is not necessary. Instead, we only need to compute K ( n − s ( ~ℓ ) ,the new local encoding kernel at the source node s , and continue to use the original local encoding coefficients ateach non-source node for encoding. end November 7, 2018 DRAFT3 r ωC min C min r Fig. 2: Local-encoding-preserving SLNCs for a fixed security-level and a flexible rate.
Verification of Algorithm 1:
For the purpose of verifying Algorithm 1, it suffices to verify that the column ( n − -vector ~ℓ chosenin Line 8 is in the set in (30), i.e., ~ℓ ∈ F n − q \ " [ A ∈ A ′ r (cid:16) B ( n − ω − + L ( n − A (cid:17) [ A ∈ A ′′ r K A . (36)First, let ~h be the column ( n − -vector in F n − q \ S A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) that has been chosen inLine 5. Note that ~ℓ = θ~h ∈ F n − q \ [ A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) , (37)where θ is as chosen in Line 7.Now, consider any wiretap set A ∈ A ′′ r . It follows that ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , are n − linearly independent column ( n − -vectors, and thus form a basis of the vector space F n − q . Sothere exists the unique row ( n − -vector (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) such that ~h = ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e . We prove in the following that the vector ~ℓ = θ~h calculated in Line 8 is not equal to any vector ~k ′ ∈ S A ∈ A ′′ r K A . Fix any A ∈ A ′′ r and consider any ~k ′ ∈ K A . Let ~k ′ = ω − X i =1 α ′ i ~b ( n − i + X e ∈ A β ′ e ~f ( n − e , November 7, 2018 DRAFT4 where (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) is a row ( n − -vector such that ω − X i =1 α ′ i b i,n + X e ∈ A β ′ e f e,n = − . (38)Note that (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) is unique because ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , forma basis of F n − q (since A ∈ A ′′ r ). Case 1: (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) and (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) are linearly independent.By the linear independence of ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , the column ( n − -vectors ~h and ~k ′ are linearly independent, and immediately we have ~ℓ = θ~h = ~k ′ for any nonzero element θ in F q . Case 2: (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) and (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) are linearly dependent. Let θ A = ω − X i =1 α i b i,n + X e ∈ A β e f e,n . We now prove ~ℓ = θ~h = ~k ′ , where θ is as chosen in Line 7. Note that ω − X i =1 ( θα i ) b i,n + X e ∈ A ( θβ e ) f e,n = θ · ω − X i =1 α i b i,n + X e ∈ A β e f e,n ! = θ · θ A = − . Together with (38), this implies that θ (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) and (cid:0) α ′ i , ≤ i ≤ ω − , β ′ e , e ∈ A (cid:1) are not equal (but linearly dependent). By the linear independence of ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , this further implies θ~h = ω − X i =1 ( θα i ) ~b ( n − i + X e ∈ A ( θβ e ) ~f ( n − e = ω − X i =1 α ′ i ~b ( n − i + X e ∈ A β ′ e ~f ( n − e = ~k ′ . Combining the above two cases, we have proved that ~ℓ / ∈ K A for all A ∈ A ′′ r . Together with (37), wehave verified that ~ℓ is in the set in (30).We now give an example to illustrate Algorithm 1. Example 1.
Consider the network G = ( V, E ) depicted in Fig. 3. Let C = n K s = h i , K = K = K = [ ] , K = (cid:2) (cid:3)o (39) be a -dimensional linear network code over the field F on G , where we use K s and K i to denote thelocal encoding kernels at the source node s and the intermediate nodes v i , ≤ i ≤ , respectively. Weuse ~f (3) i to denote the global encoding kernels of the edges e i for all ≤ i ≤ , which according to (1) are calculated as follows: ~f (3)1 = h i , ~f (3)2 = ~f (3)5 = ~f (3)6 = h i , ~f (3)3 = ~f (3)7 = ~f (3)8 = h i ,~f (3)4 = h i , ~f (3)9 = ~f (3)10 = ~f (3)11 = h i . (40) November 7, 2018 DRAFT5 sv v v v t t e e e e e e e e e e e Fig. 3: The network G = ( V, E ) . Consider rate ω = 2 and security level r = 1 . The set of the primary edge subsets of size is A = (cid:8) { e } , { e } , { e } , { e } , { e } (cid:9) . Let Q (3) = h ~b (3)1 ~b (3)2 ~b (3)3 i = h i , which is clearly invertible. Furthermore, we see that the following are satisfied: (cid:10) ~b (3)1 , ~b (3)2 (cid:11) \ (cid:10) ~f (3) i (cid:11) = { ~ } , ∀ i = 1 , , , , , i.e., ∀ A ∈ A . Thus, ( Q (3) ) − · C = C is an F -valued -dimensional SLNC with security level and rate .In the following, we will use Algorithm 1 to construct an F -valued SLNC with the fixed security level and a lower rate ω − , which also has the same local encoding kernels as the SLNC ( Q (3) ) − · C at all the non-source nodes. Note that ~b (2)1 = (cid:2) (cid:3) is nonzero and so itself is linearly independent. ByAlgorithm 1, we partition A into the following two disjoint subsets A ′ and A ′′ : A ′ = (cid:8) { e i } ∈ A : ~b (2)1 , ~f (2) i are linearly dependent (cid:9) = (cid:8) { e } , { e } , { e } (cid:9) , A ′′ = (cid:8) { e i } ∈ A : ~b (2)1 , ~f (2) i are linearly independent (cid:9) = (cid:8) { e } , { e } (cid:9) . November 7, 2018 DRAFT6
First, for each A ∈ A ′ , note that L ( n − A = L (2) A (cf. (11) ) is either a -dimensional subspace spannedby (cid:2) (cid:3) ( L (2) { e } and L (2) { e } ) or a null space ( L (2) { e } ). Thus, we arbitrarily choose an F -valued column -vector ~h ∈ F n − q \ [ A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) = F \ (cid:10)(cid:2) (cid:3)(cid:11) , say ~h = . Next, for all A ∈ A ′′ , i.e., { e } and { e } , we respectively calculate ~h = = α e ~b (2)1 + β e ~f (2)1 = 0 · + 1 · , i.e., ( α e , β e ) = (0 , , and ~h = = α e ~b (2)1 + β e ~f (2)4 = 0 · + 1 · , i.e., ( α e , β e ) = (0 , . According to ( α e , β e ) = (0 , and ( α e , β e ) = (0 , , we calculate θ { e } = α e b , + β e f e , = 1 · , and θ { e } = α e b , + β e f e , = 1 · . Consequently, we choose θ = 3 (since θ · θ { e } = 3 = − and θ · θ { e } = 1 = − ), and let ~ℓ = θ · ~h = . In fact, the sets K { e } and K { e } (see (25) ) are K { e } = n(cid:2) (cid:3) , (cid:2) (cid:3) , (cid:2) (cid:3) , (cid:2) (cid:3) , (cid:2) (cid:3)o , K { e } = n(cid:2) (cid:3) , (cid:2) (cid:3) , (cid:2) (cid:3) , (cid:2) (cid:3) , (cid:2) (cid:3)o , and thus we see that ~ℓ = ∈ F n − q \ [ A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) [ A ∈ A ′′ r K A = F \ h(cid:10)(cid:2) (cid:3)(cid:11) [ K { e } [ K { e } i . With the vector ~ℓ we have chosen, we compute K (2) s ( ~ℓ ) = h I ~ℓ i · K s = h ~f (2)1 ( ~ℓ ) ~f (2)2 ( ~ℓ ) ~f (2)3 ( ~ℓ ) ~f (2)4 ( ~ℓ ) i = (cid:2) (cid:3) ,Q (2) ( ~ℓ ) = h I ~ℓ i · Q (3) = h ~b (2)1 ( ~ℓ ) ~b (2)2 ( ~ℓ ) ~b (2)3 ( ~ℓ ) i = (cid:2) (cid:3) . We further let Q (2) = h ~b (2)1 ( ~ℓ ) ~b (2)2 ( ~ℓ ) i = I . Then, we obtain a -dimensional SLNC ( Q (2) ) − · C withsecurity level and rate , where C = h I ~ℓ i · C = n K (2) s ( ~ℓ ) = (cid:2) (cid:3) , K = K = K = [ ] , K = (cid:2) (cid:3)o November 7, 2018 DRAFT7 (cf. Theorem 1). Clearly, ( Q (2) ) − · C has the same local encoding kernels as ( Q (3) ) − · C at all thenon-source nodes. In the use of ( Q (2) ) − · C , i) at the source node s , we use Q (2) to linearly encode thesource message and the key and then use K (2) s ( ~ℓ ) to encode the linearly-encoded message at the sourcenode s ; and then ii) at each the intermediate node v , v , v , v , use the unchanged local encoding kernelfor encoding. Field Size of Algorithm 1:
Algorithm 1 requires the field size | F q | > | A r | , and thus a base field F q of order q > max n(cid:12)(cid:12) T (cid:12)(cid:12) , (cid:12)(cid:12) A r (cid:12)(cid:12)o (41)is sufficient for constructing a family of local-encoding-preserving SLNCs with the fixed security level r and rates from C min − r to . In addition, we note that max (cid:8) | T | , | A r | (cid:9) is also the best known lowerbound on the required field size for the existence of an SLNC with rate ω and security level r (cf. [18]).Therefore, we see that there is no penalty at all on the field size (in terms of the best known lower bound)for constructing such a family of local-encoding-preserving SLNCs. Complexity of Algorithm 1:
For the purpose of determining the time complexity of Algorithm 1, we do not differentiate an additionfrom a multiplication over a finite field, although in general the time needed for a multiplication is muchlonger than that needed for an addition. We further assume that the time complexity of each operation,i.e., an addition or a multiplication, is O (1) regardless of the finite field.Now, we discuss the complexity of Algorithm 1. • For Line 1, in order to find ω − linearly independent vectors in ~b ( n − , ~b ( n − , · · · , ~b ( n − ω , itsuffices to transform the ( n − × ω matrix h ~b ( n − ~b ( n − · · · ~b ( n − ω i into one in row echelonform by a sequence of elementary row operations. By Gaussian elimination, this transformationtakes at most O (cid:0) ω ( n − (cid:1) operations. • For Line 2, in order to determine the linear relationship between the n − vectors ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , for each edge subset A in A r , it suffices to compute the rank of the ( n − × ( n − matrix h ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A i , which takes at most O (cid:0) ( n − (cid:1) operations by Gaussian elimination. By considering all the edge subsets A in A r , the complexityfor partitioning A r into A ′ r and A ′′ r (i.e., Line 2) is at most O (cid:0) | A r | ( n − (cid:1) . The reason for requiring q > | T | here is to guarantee the existence of a C min -dimensional linear network code C C min on G . Here, we still assume that ~b ( n − i , ≤ i ≤ ω − , are chosen to be linearly independent. November 7, 2018 DRAFT8 • For Line 3, we need to find a vector ~h such that ~h ∈ F n − q \ [ A ∈ A ′ r (cid:0) B ( n − ω − + L ( n − A (cid:1) . By [40, Lemma 11], such a vector can be found with O (cid:0) ( n − | A ′ r | · (cid:2) ( n − + | A ′ r | (cid:3)(cid:1) operations. • We now consider the “for” loop (Lines 4–6). For Line 5, note that ~b ( n − i , ≤ i ≤ ω − , ~f ( n − e , e ∈ A , are n − linearly independent ( n − -dimensional vectors for any A ∈ A ′′ r , and thusthey together form a basis of the vector space F n − q . So, for the vector ~h we have chosen, for each A ∈ A ′′ r , we can find the unique row ( n − -vector (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q suchthat ~h = ω − X i =1 α i ~b ( n − i + X e ∈ A β e ~f ( n − e (42)with O (cid:0) ( n − (cid:1) operations, since finding this row ( n − -vector is equivalent to solving the systemof linear equations (42), which takes at most O (cid:0) ( n − (cid:1) operations by Gaussian elimination. Withthe ( n − -row vector (cid:0) α i , ≤ i ≤ ω − , β e , e ∈ A (cid:1) ∈ F n − q , we compute θ A = P ω − i =1 α i b i,n + P e ∈ A β e f e,n in Line 6, which takes at most O (cid:0) n − (cid:1) operations. Thus, the total complexity ofdetermining θ A for all A ∈ A ′′ r is at most O (cid:0) | A ′′ r | ( n − (cid:1) . • For Line 7, to choose a nonzero element θ in F q such that θ · θ A = − for all A ∈ A ′′ r , thecomplexity is O (cid:0) | A ′′ r | (cid:1) . • For Line 8, the calculation of the vector ~ℓ = θ~h takes at most O (cid:0) n − (cid:1) operations. • Clearly, the complexity of Lines 9 and 10 are at most O (cid:0) ( n − | Out( s ) | (cid:1) (that is O ( n − because | Out( s ) | is fixed) and O (cid:0) n ( n − (cid:1) , respectively. • The complexity analysis of Line 11 is similar to that of Line 1. To obtain Q ( n − , it suffices totransform the ( n − × n matrix Q ( n − ( ~ℓ ) into one in row echelon form, which takes at most O (cid:0) ( n − · n (cid:1) operations by Gaussian elimination.Therefore, by combining all the foregoing complexity analyses of Lines 1–11, the total complexity ofAlgorithm 1 is at most O (cid:0) ( n − | A r | + ( n − | A ′ r | (cid:1) . (43)For the approach we proposed at the beginning of Section III-B, which, by totally redesigning a linearpre-coding operation at the source node, can also construct a local-encoding-preserving SLNC with thefixed security level r and rate ω − , the complexity is O (cid:16) ( ω − n (cid:12)(cid:12) A r (cid:12)(cid:12) + ( ω − n − (cid:12)(cid:12) A r (cid:12)(cid:12) + r ( n − (cid:17) (44) November 7, 2018 DRAFT9 (cf. the 5th footnote or Appendix A). Upon comparing (43) and (44), we see that the complexity ofAlgorithm 1 is considerably smaller than one ω th of that of the approach described immediately above.On the other hand, for Algorithm 1, in order to store the matrix Q ( n ) at the source node s , it suffices tostore the column ( n − -vector ~ℓ only. This implies that the storage cost is O (cid:0) n − (cid:1) , which is considerablysmaller than the storage cost O (cid:0) n (cid:1) of the approach proposed at the beginning of Section III-B (cf. the 5thfootnote). Thus, our approach reduces considerably the complexity and storage cost further.V. C ONCLUSIONS
In a secure network coding system, the requirements for information transmission and informationsecurity may vary over time. We investigate the problem of secure network coding under the aboveconsideration in this two-part paper. To efficiently solve this problem, we put forward local-encoding-preserving secure network coding, where a family of SLNCs is called local-encoding-preserving if all theSLNCs in this family share a common local encoding kernel at each intermediate node in the network. Thisapproach can avoid all the shortcomings, in terms of computation cost, storage cost, and implementationoverhead, of the straightforward but cumbersome approach that uses the existing code constructions toobtain an SLNC for each pair of rate and security level.In this paper (i.e., Part I of the two-part paper), we consider local-encoding-preserving secure networkcoding for a fixed security level. We have developed an approach that can construct a family of local-encoding-preserving SLNCs with a fixed security level and the rate ranging from 1 to the maximumpossible. We also presented a polynomial-time algorithm for efficient implementation. Our approachnot only guarantees the local-encoding-preserving property for the family of SLNCs as constructed, butalso incurs no penalty on the required field size in the construction of such a family of local-encoding-preserving SLNCs for the existence of SLNCs in terms of the best known lower bound by Guang andYeung [18].In Part II [36], we will continue the studies in this paper by tackling first local-encoding-preservingsecure network coding for a fixed rate, and then local-encoding-preserving secure network coding for afixed dimension (equal to the sum of rate and security level). The approaches in the current paper andthe companion paper will be combined to solve the ultimate problem of local-encoding-preserving securenetwork coding for the whole rate and security-level region.
November 7, 2018 DRAFT0 A PPENDIX AC OMPLEXITY A NALYSIS OF C ONSTRUCTING A R EQUIRED M ATRIX Q ( n ) Let ω be the fixed rate and r be the security level. Let n = ω + r ≤ C min . For a given n -dimensional linear network code C n = (cid:8) ~f ( n ) e : e ∈ E (cid:9) over a finite field F q on the network G , we consider in the following the complexity of constructing an F q -valued n × n invertible matrix Q ( n ) = h ~b ( n )1 ~b ( n )2 · · · ~b ( n ) n i using the method in [15] such that ( Q ( n ) ) − · C n is a rate- ω andsecurity-level- r SLNC on G , i.e., i) ~b ( n )1 , ~b ( n )2 , · · · , ~b ( n ) n are linearly independent and ii) (cid:10) ~b ( n ) i : 1 ≤ i ≤ ω (cid:11) \ (cid:10) ~f ( n ) e : e ∈ A (cid:11) = { ~ } , ∀ A ∈ A r . (45)In order to constructing a matrix Q ( n ) , we in turn choose n vectors ~b ( n ) i , ≤ i ≤ n , as follows: ~b ( n )1 ∈ F nq \ [ A ∈ A r L ( n ) A , (46) ~b ( n ) i ∈ F nq \ [ A ∈ A r (cid:0) B ( n ) i − + L ( n ) A (cid:1) , ≤ i ≤ ω, (47) ~b ( n ) i ∈ F nq \ B ( n ) i − , ω + 1 ≤ i ≤ n, (48)where B ( n ) i = (cid:10) ~b ( n ) j : 1 ≤ j ≤ i (cid:11) and L ( n ) A = (cid:10) ~f ( n ) e : e ∈ A (cid:11) . Clearly, the chosen ~b ( n ) i , ≤ i ≤ n , arelinearly independent and satisfy the security condition (45) for security level r .By [40, Lemma 11], the vectors ~b ( n ) i , ≤ i ≤ ω satisfying (46) or (47) can be found in time O (cid:0) ωn (cid:12)(cid:12) A r (cid:12)(cid:12) + ωn (cid:12)(cid:12) A r (cid:12)(cid:12) (cid:1) , and the vectors ~b ( n ) i , ω + 1 ≤ i ≤ n satisfying (48) can be found in O (cid:0) r ( n + n ) (cid:1) operations. Therefore,the total complexity is O (cid:16) ωn (cid:12)(cid:12) A r (cid:12)(cid:12) + ωn (cid:12)(cid:12) A r (cid:12)(cid:12) + rn (cid:17) . R EFERENCES [1] C. E. Shannon, “Communication theory of secrecy systems,”
Bell Sys. Tech. J. , vol. 28, pp. 656–715, 1949.[2] G. R. Blakley, “Safeguarding cryptographic keys,” in
Proc. National Computer Conference , 1979, vol. 48, pp. 313–317.[3] A. Shamir, “How to share a secret,”
Communications of the ACM , vol. 22, 612–613, 1979.[4] L. H. Ozarow and A. D. Wyner, “Wire-tap channel II,”
AT&T Bell Labs. Tech. J. , vol. 63, pp. 2135–2157, 1984.[5] R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung, “Network information flow,”
IEEE Trans. Inf. Theory , vol. 46, no. 4,pp. 1204–1216, Jul. 2000. Here, we assume the size of F q sufficiently large to guarantee the existence of an n -dimensional linear network code andan n -dimensional SLNC with rate ω and security level r on the network G . November 7, 2018 DRAFT1 [6] S.-Y. R. Li, R. W. Yeung, and N. Cai, “Linear network coding,”
IEEE Trans. Inf. Theory , vol. 49, no. 2, pp. 371–381, Jul.2003.[7] R. Koetter and M. M´edard, “An algebraic approach to network coding,”
IEEE/ACM Trans. Netw. , vol. 11, no. 5, pp. 782–795,Oct. 2003.[8] S. Jaggi, P. Sanders, P. A. Chou, M. Effros, S. Egner, K. Jain, and L. M. G. M. Tolhuizen, “Polynomial time algorithmsfor multicast network code construction,”
IEEE Trans. Inf. Theory , vol. 51, no. 6, pp. 1973–1982, Jun. 2005.[9] R. W. Yeung,
Information Theory and Network Coding . New York: Springer, 2008.[10] R. W. Yeung, S.-Y. R. Li, N. Cai, and Z. Zhang, “Network coding theory,”
Foundations and Trends in Communicationsand Information Theory , vol. 2, nos.4 and 5, pp. 241–381, 2005.[11] C. Fragouli and E. Soljanin, “Network coding fundamentals,”
Foundations and Trends in Networking , vol. 2, no.1, pp.1–133, 2007.[12] C. Fragouli and E. Soljanin, “Network coding applications,”
Foundations and Trends in Networking , vol. 2, no.2, pp.135–269, 2007.[13] T. Ho and D. S. Lun,
Network Coding: An Introduction . Cambridge, U.K.: Cambridge Univ. Press, 2008.[14] N. Cai and R. W. Yeung, “Secure network coding,” IEEE Int. Symp. Inf. Theory, Lausanne, Switzerland, Jun. 30-Jul. 5,2002.[15] N. Cai and R. W. Yeung, “Secure network coding on a wiretap network,”
IEEE Trans. Inf. Theory , vol. 57, no. 1, pp.424–435, Jan. 2011.[16] S. El Rouayheb, E. Soljanin, and A. Sprintson, “Secure network coding for wiretap networks of type II,”
IEEE Trans. Inf.Theory , vol. 58, no. 3, pp. 1361–1371, March 2012.[17] D. Silva and F. R. Kschischang, “Universal secure network coding via rank-metric codes,”
IEEE Trans. Inform. Theory ,vol. 57, no. 2, pp. 1124–1135, Feb. 2011.[18] X. Guang and R. W. Yeung, “Alphabet size reduction for secure network coding: a graph theoretic approach,”
IEEE Trans.Inf. Theory , vol. 64, no. 6, pp. 4513–4529, June 2018.[19] F. Cheng and R. W. Yeung, “Performance bounds on a wiretap network with arbitrary wiretap sets,”
IEEE Trans. Inf.Theory , vol. 60, no. 6, pp. 3345–3358, June 2014.[20] T. Cui, T. Ho, and J. Kliewer, “On secure network coding with nonuniform or restricted wiretap sets,”
IEEE Trans. Inf.Theory , vol. 59, no. 1, pp. 166–176, Jan. 2013.[21] N. Cai and R. W. Yeung, “A security condition for multi-source linear network coding,” IEEE Int. Symp. Inf. Theory,Nice, France, Jun. 24-29, 2007.[22] T. Chan and A. Grant, “Capacity bounds for secure network coding,” Austral. Commun. Theory Workshop, Christchurch,New Zealand, Jan. 30-Feb. 1, 2008.[23] Z. Zhang and R. W. Yeung, “A general security condition for multisource linear network coding,” IEEE Int. Symp. Inf.Theory, Seoul, Korea, Jun. 28-Jul. 3, 2009.[24] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,”
Proc. Network Coding (NetCod) , Apr. 2005.[25] K. Harada and H. Yamamoto, “Strongly secure linear network coding,”
IEICE Trans. Fundament. , vol. E91-A, no. 10, pp.2720–2728, Oct. 2008.[26] N. Cai “Valuable messages and random outputs of channels in linear network coding,” in
Proc. IEEE Int. Symp. InformationTheory , Seoul, Korea, Jun. 2009, pp. 413–417.[27] T. Ho, B. Leong, R. Koetter, M. Medard, M. Effros, and D. Karger, “Byzantine modification detection in multicast networksusing randomized network coding,” IEEE Int. Symp. Inf. Theory, Jun. 2004, p. 143.
November 7, 2018 DRAFT2 [28] S. Jaggi, M. Langberg, T. Ho, and M. Effros, “Correction of adversarial errors in networks,” IEEE Int. Symp. Inf. Theory,Nice, France, Jun. 24–29, 2007.[29] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Medard, and M. Effros, “Resilient network coding in the presenceof byzantine adversaries,”
IEEE Trans. Inf. Theory , vol. 54, no. 6, pp. 2596–2603, Jun. 2008.[30] C.-K. Ngai and R. W. Yeung, “Secure error-correcting (SEC) network codes,”
Proc. Network Coding (NetCod) , Lausanne,Switzerland, 2009.[31] H. Yao, D. Silva, S. Jaggi, M. Langberg, “Network codes resilient to jamming and eavesdropping,”
IEEE/ACM Trans.Netw. , vol. 22, no. 6, pp. 1978–1987, June 2014.[32] Z. Zhuang, Y. Luo, and A. J. H. Vinck, “Secure error-correcting network codes with side information from source,” in
Proc. Int. Conf. Commun. Intell. Inf. Security , 2010, pp. 55–59.[33] N. Cai and T. Chan, “Theory of secure network coding,”
Proceedings of the IEEE , vol. 99, no. 3, pp. 421–437, March2011.[34] C. Fragouli and E. Soljanin, “(Secure) linear network coding multicast,”
Designs, Codes and Cryptography , vol. 78, no.1, pp. 269–310, 2016.[35] X. Guang, J. Lu, and F.-W. Fu, “On the optimality of secure network coding,”
IEEE Commun. Lett. , vol. 19, no. 7, pp.1165–1168, July 2015.[36] X. Guang, R. W. Yeung, and F.-W. Fu, “Local-Encoding-Preserving Secure Network Coding—Part II: Flexible Rate andSecurity Level,” submitted.[37] X. Guang, J. Lu, and F.-W. Fu, “Small field size for secure network coding, ”
IEEE Commun. Lett. , vol. 19, no. 3, pp.375–378, March 2015.[38] S. L. Fong and R. W. Yeung, “Variable-rate linear network coding,”
IEEE Trans. Inf. Theory , vol. 56, no. 6, pp. 2618–2625,June 2010.[39] X. Guang, F.-W. Fu, and Z. Zhang, “Variable-rate linear network error correction MDS codes,”
IEEE Trans. Inf. Theory ,vol. 62, no. 6, pp. 3147–3164, June 2016.[40] S. Yang, R. W. Yeung, and C. K. Ngai, “Refined coding bounds and code constructions for coherent network errorcorrection,”
IEEE Trans. Inf. Theory , vol. 57, no. 3, pp. 1409–1424, Mar. 2011., vol. 57, no. 3, pp. 1409–1424, Mar. 2011.