On Secure Network Coding for Multiple Unicast Traffic
11 On Secure Network Coding for MultipleUnicast Traffic
Gaurav Kumar Agarwal (cid:63) , Martina Cardone † , Christina Fragouli (cid:63)(cid:63) University of California Los Angeles, Los Angeles, CA 90095, USAEmail: { gauravagarwal, christina.fragouli } @ucla.edu † University of Minnesota, Minneapolis, MN 55404, USA, Email:[email protected]
Abstract
This paper investigates the problem of secure communication in a wireline noiseless scenario wherea source wishes to communicate to a number of destinations in the presence of a passive externaladversary. Different from the multicast scenario, where all destinations are interested in receiving thesame message, in this setting different destinations are interested in different messages. The mainfocus of this paper is on characterizing the secure capacity region, when the adversary has unboundedcomputational capabilities, but limited network presence. First, an outer bound on the secure capacityregion is derived for arbitrary network topologies and general number of destinations. Then, securetransmission schemes are designed and analyzed in terms of achieved rate performance. In particular,for the case of two destinations, it is shown that the designed scheme matches the outer bound, hencecharacterizing the secure capacity region. It is also numerically verified that the designed scheme matchesthe outer bound for a special class of networks with general number of destinations, referred to ascombination network. Finally, for an arbitrary network topology with general number of destinations, atwo-phase polynomial time in the network size scheme is designed and its rate performance is comparedwith the capacity-achieving scheme for networks with two destinations.
I. I
NTRODUCTION
Secure network coding [1] considers the communication from a source to a number ofdestinations in the presence of a passive external adversary, with unbounded computational
The results in this paper were presented in part at the 2016 IEEE International Symposium on Information Theory, at the2016 IEEE Globecom Workshop, and at the 10th International Conference on Information Theoretic Security. a r X i v : . [ c s . I T ] J a n capabilities, but limited network presence. The authors in [1] showed that the source can securelymulticast to all destinations at a rate of M − k , where M is the min-cut capacity between thesource and each destination, and k is the number of edges eavesdropped by the adversary. Insuch a multicast scenario, all destinations are interested in receiving the same message.In this paper, we focus on multiple unicast traffic, where a source wishes to securely com-municate to a number of destinations, each interested in an independent message. Our primalobjective lies in characterizing the secure capacity region, by means of derivation of novel outerbounds as well as transmission schemes. A. Related Work
Network coding was pioneered by the seminal work of Ahlswede et al. [2]. The authorsproved that, if M is the min-cut capacity from the source to each destination, then the source canmulticast at a rate M to all the destinations. This result implies that, even if a single destinationwith min-cut capacity M has access to the entire network resources, this destination can onlyreceive at most at a rate equal to M . Moreover, this result shows that multiple destinationssharing some of the network resources, can still receive at a rate M if they are interested inthe exact same information. Later, Li et al. [3] proved that it suffices to use random linearcoding operations to characterize the multicast capacity. Jaggi et al. [4] designed polynomialtime deterministic algorithms aimed to achieve the multicast capacity. While for the case ofsingle unicast and multicast traffic the capacity is well-known, the same is not true for thecase of networks where multiple unicast sessions take place simultaneously and share someof the network resources. For instance, even though the cut-set bound was proved to be tightfor some special cases, such as single source with non-overlapping demands and single sourcewith non-overlapping demands and a multicast demand [5], in general it is not tight [6]. It wasalso recently showed by Kamath et al. [7] that characterizing the capacity of a general networkwhere two unicast sessions take place simultaneously is as hard as characterizing the capacityof a network with general number of unicast sessions. For the case of single source and twodestinations with a non-overlapping demand and a multicast demand, Ramamoorthy et. al [8]proposed a nice graph theory based approach to characterize the capacity region.Information theoretic security, pioneered by Shannon [9], aims at ensuring a reliable and securecommunication among trusted parties inside a network such that a passive external eavesdropperdoes not learn anything about the content of the information exchanged. For point-to-point channels, information theoretic security can be achieved provided that the communicating trustedparties have a pre-shared key of entropy at least equal to the length of the message [9]. Wyner [10]showed that, if the adversary’s channel is a degraded version of the channel to the legitimatedestination, then an information theoretic secure communication can be guaranteed even withoutthe pre-shared keys. Moreover, if public feedback is available, Czap et. al. [11] showed that securecommunication can be ensured over erasure networks even when the adversary has a channel ofbetter quality than the legitimate receiver. In [1], Cai et al. characterized the information theoreticsecure capacity of a noiseless network with unit capacity edges and with multicast traffic. Inthis work, which was followed by several others [12], [13], a source wishes to multicast thesame information to a number of destinations in the presence of a passive external adversaryeavesdropping any k edges of her choice. In [14], Cui et al. studied networks with non-uniformedge capacities when the adversary is allowed to eavesdrop only some specific subsets of edges.Over the past few years, others notions of information theoretic security have been analyzed, suchas the case of weak information theoretic security [15], [16], [17]. Moreover, several differentscenarios have been studied, that include: (i) the case of an active adversary, who can indeedcorrupt the communication rather than just passively eavesdropping it [18], [19], [20]; (ii) erasurenetworks where a public feedback is available [21], [22], [23]; (iii) wireless networks [24], [25]. B. Contributions
In this paper, we study the problem of characterizing the secure capacity region in a wirelinenoiseless multiple unicast scenario with uniform edge capacities. In particular, we focus onnetworks where a source wishes to securely communicate to a number of destinations, eachinterested in a different message. Our main contributions can be summarized as follows:1) We derive an outer bound on the secure capacity region for networks with arbitrarytopology and arbitrary number of destinations. Similar to the multicast scenario [1], thisouter bound depends on the number of edges that the adversary eavesdrops and on themin-cut capacities between the source and different subsets of destinations.2) We characterize the secure capacity region for networks with arbitrary topology and withtwo destinations. Towards this end, we design a secure transmission scheme whose achievedrate region is proved to match the derived outer bound. In particular, we leverage a keyproperty, referred to as separability [8], in order to select the parts of the network overwhich: (i) common keys should be multicast, and (ii) encrypted private messages should be communicated. Our analysis shows that coding across different unicast sessions helpsin characterizing the secure capacity even in scenarios where coding was not required inthe absence of an adversary.3) We design a secure transmission scheme for combination networks with a two-layertopology and arbitrary number of destinations. A key feature of such networks is that theysatisfy the separability property over graphs. In particular, through extensive numericalevaluations, we observed that the designed scheme achieves a secure rate region thatmatches our derived outer bound, hence suggesting that the proposed scheme could becapacity achieving.4) We design a secure transmission scheme for networks with arbitrary topology and arbitrarynumber of destinations. This scheme is sub-optimal, but has a polynomial time complexityin the number of edges and nodes in the network. In particular, our scheme works in twophases: in the first phase, we multicast keys using the entire network resources, and in thesecond phase we communicate encrypted private message packets using again the entirenetwork resources. For the case of two destinations, we also compare the secure rate regionachieved by this two-phase with the secure capacity region.5) We draw several observations on the derived secure capacity results. For instance, weshow that the secure capacity region for two destinations is non-reversible, which is a keydifference with respect to the case when there is no adversary. Specifically, we show that,if we switch the role of the source and destinations and we reverse the directions of theedges, then the new secure capacity region differs from the original one. Moreover, for thecase of two destinations, we compare the secure capacity region with the capacity regionwhen the adversary is absent. The goal of this analysis is to quantify the rate loss that isincurred to guarantee security.6) We consider other instances of multiple unicast traffic, that include: (i) networks witherasure links, and (ii) noiseless networks with two sources and two destinations. In par-ticular, for some specific network topologies, we derive the secure capacity region. Thisanalysis strengthens our previous observation that coding across different unicast sessionsis beneficial to ensure a secure communication, even for cases when it is not required inthe absence of an adversary.
C. Paper Organization
Section II formally defines the setup, that is the multiple unicast wireline noiseless networkwith single source and arbitrary number of destinations, and formulates the problem. Section IIIderives an outer bound on the secure capacity region. Section IV provides a capacity-achievingsecure transmission scheme for networks with two destinations and arbitrary topology. Section Vdesigns a secure transmission scheme for combination networks with a two-layer topologyand arbitrary number of destinations. Section VI provides a two-phase achievable scheme fornetworks with arbitrary number of destinations and arbitrary topology. Finally, Section VII drawssome observations on the derived results, discusses some properties and analyzes other instancesof multiple unicast traffic. II. S
ETUP AND PROBLEM FORMULATION
Throughout the paper we adopt the following notation convention. Calligraphic letters indicatesets; ∅ is the empty set and |A| is the cardinality of A ; for two sets A , A , A ⊆ A indicatesthat A is a subset of A , A ∪ A indicates the union of A and A , A (cid:116) A indicates thedisjoint union of A and A , A ∩ A is the intersection of A and A and A \A is the set ofelements that belong to A but not to A ; [ n : n ] is the set of integers from n to n ≥ n ; [ n ] is the set of integers from to n ≥ ; [ x ] + := max { , x } for x ∈ R ; for a vector a , a T isits transpose vector; dim ( A ) is the dimension of the subspace A ; i × j is the all-zero matrix ofdimension i × j ; I j is the identity matrix of dimension j .We represent a wireline noiseless network with a directed acyclic graph G = ( V , E ) , where V isthe set of nodes and E is the set of directed edges. The edges represent orthogonal communicationlinks, which are interference-free. In particular, these links are discrete noiseless memorylesschannels over a common alphabet F q , i.e., they are of unit capacity over a q -ary alphabet. If anedge e ∈ E connects a node i to a node j , we refer to node i as the tail and to node j as thehead of e , i.e., tail ( e ) = i and head ( e ) = j . For each node v ∈ V , we define I ( v ) as the set ofall incoming edges of node v and O ( v ) as the set of all outgoing edges of node v .In this network, there is one source node S and m destination nodes D i , i ∈ [ m ] . The sourcenode does not have any incoming edges, i.e., I ( S ) = ∅ , and each destination node does not haveany outgoing edges, i.e., O ( D i ) = ∅ , ∀ i ∈ [1 : m ] . Source S has a message W i for destination D i , i ∈ [1 : m ] . These m messages are assumed to be independent. Thus, the network consistsof multiple unicast traffic, where m unicast sessions take place simultaneously and share the network resources. In particular, each message W i , i ∈ [ m ] , is of q -ary entropy rate R i . A passiveeavesdropper Eve is also present in the network and can wiretap any k edges of her choice. Wehighlight that Eve is an external eavesdropper, i.e., it is not one of the destinations.The symbol transmitted over n channel uses on edge e ∈ E is denoted as X ne . In addition, for E t ⊆ E we define X n E t = { X ne : e ∈ E t } . We assume that the source node S has infinite sourcesof randomness Θ , while the other nodes in the network do not have any randomness.Over this network, we are interested in finding all possible feasible m -tuples ( R , R , . . . , R m ) such that each destination D i , i ∈ [ m ] , reliably decodes the message W i (with zero error) andEve receives no information about the content of the messages. In particular, we are interested inensuring perfect information theoretic secure communication, and hence we aim at characterizingthe secure capacity region, which is next formally defined. Definition 1 (Secure Capacity Region) . A rate m -tuple ( R , R , . . . , R m ) is said to be securelyachievable if there exist a block length n and a set of encoding functions f e , ∀ e ∈ E , with X ne = f e (cid:0) W [ m ] , θ (cid:1) if tail ( e ) = S,f e ( { X n(cid:96) : (cid:96) ∈ I ( tail ( e )) } ) otherwise , such that each destination D i can reliably decode the message W i i.e., H ( W i |{ X ne : e ∈ I ( D i ) } ) =0 , ∀ i ∈ [ m ] . Moreover, ∀ E Z ⊆ E , |E Z | ≤ k , I (cid:0) W [ m ] ; X n E Z (cid:1) = 0 (perfect secrecy requirement).The secure capacity region is the closure of all such feasible rate m -tuples. Definition 2 (Min-cut) . A cut is an edge set E A ⊆ E , which separates the source S from a setof destinations D A := { D i , i ∈ A} . In a network with unit capacity edges, the minimum cut or min-cut is a cut that has the minimum number of edges. III. O
UTER BOUND
In this section, we derive an outer bound on the secure capacity region of a multiple unicastwireline noiseless network with a single source and m destinations. In particular, as stated inTheorem 1, this region depends on the min-cut capacities between the source and differentsubsets of destinations, and on the number of edges that the adversary eavesdrops. The nexttheorem provides the outer bound region. Theorem 1.
An outer bound on the secure capacity region for the multiple unicast traffic overnetworks with a single source and m destinations is given by R A ≤ [ M A − k ] + , ∀A ⊆ [ m ] , (1) where R A := (cid:80) i ∈A R i and M A is the min-cut capacity between the source S and the set ofdestinations D A := { D i : i ∈ A} .Proof. Let E A be a min-cut between the source S and D A and E Z ⊆ E A be the set of k edgeswiretapped by Eve, and define I ( D A ) := (cid:83) i ∈A I ( D i ) . If |E A | < k , let E Z = E A . We have, nR A = H ( W A ) (a) = H ( W A ) − H ( W A | X n I ( D A ) ) (b) = H ( W A ) − H ( W A | X n E A ) (c) = I ( W A ; X n E Z , X n E A \E Z )= I ( W A ; X n E Z ) + I ( W A ; X n E A \E Z | X n E Z ) (d) = I ( W A ; X n E A \E Z | X n E Z ) (e) ≤ H ( X n E A \E Z ) (f) ≤ n [ M A − k ] + , where W A = { W i , i ∈ A} and where: (i) the equality in (a) follows because of the decodabilityconstraint (see Definition 1); (ii) the equality in (b) follows because X n I ( D A ) is a deterministicfunction of X n E A ; (iii) the equality in (c) follows from the definition of mutual informationand since E A = E Z ∪ E A\Z ; (iv) the equality in (d) follows because of the perfect secrecyrequirement (see Definition 1); (v) the inequality in (e) follows since the entropy of a discreterandom variable is a non-negative quantity and because of the ‘conditioning reduces the entropy’principle; (vi) finally, the inequality in (f) follows since each link is of unit capacity and since |E A \ E Z | = [ M A − k ] + . By dividing both sides of the above inequality by n we obtain that R A in (1) is an outer bound on the secure capacity region of the multiple unicast traffic overnetworks with single source and m destinations. This concludes the proof of Theorem 1. Remark 1.
Since the eavesdropper Eve wiretaps any k edges of her choice, intuitively Theorem 1states that, if she wiretaps k edges of a cut with capacity M , we can at most hope to reliablytransmit at rate M − k . However, this holds only for the case of single source; indeed, as we will see in Section VII-B through an example, higher rates can be achieved for networks havinga single destination and multiple sources. IV. C
APACITY ACHIEVING SCHEME FOR NETWORKS WITH TWO DESTINATIONS
In this section, we prove that the outer bound in Theorem 1 is indeed tight for the case of m = 2 destinations. Towards this end, we design a secure transmission scheme whose achievablerate region matches the outer bound in Theorem 1. In particular, our main result is stated in thefollowing theorem. Theorem 2.
The outer bound in (1) is tight for the case m = 2 , i.e., the secure capacity regionof the multiple unicast traffic over networks with single source and m = 2 destinations is R ≤ [ M { } − k ] + , (2a) R ≤ [ M { } − k ] + , (2b) R + R ≤ [ M { , } − k ] + . (2c) Proof.
Clearly, from the result in Theorem 1, the rate region in (2) is an outer bound on thesecure capacity region. Hence, we now need to prove that the rate region in (2) is also achievable.Towards this end, we start by providing the following definition of separable graphs, which wewill leverage in the design of our scheme.
Definition 3 (Separable Graph) . A graph G = ( V , E ) with a single source and m destinationsis said to be separable if its edge set E can be partitioned as E = (cid:116) m − (cid:96) =1 E (cid:48) (cid:96) such that G (cid:48) (cid:96) =( V , E (cid:48) (cid:96) ) , ∀ (cid:96) ∈ [2 m − and M A = (cid:88) J ⊆ [ m ] J ∩A(cid:54) = ∅ M (cid:63) J , ∀A ⊆ [ m ] , (3) where M A is the min-cut capacity between the source S and the set of destinations D A := { D i : i ∈ A} in G and M (cid:63) J is the min-cut capacity between the source S and the set of destinations D B := { D b : b ∈ B} , ∀B ⊆ J for the graph G (cid:48) (cid:96) with (cid:96) ∈ [1 : 2 m − being the decimalrepresentation of the binary vector of length m that has a one in all the positions indexed by j ∈ J and zero otherwise, with the least significant bit in the first position. To better understand the above definition, consider a graph G with m = 2 destinations. Then,the graph G is separable if it can be partitioned into graphs such that: • G (cid:48) has the following min-cut capacities: M (cid:63) { } from S to D and zero from S to D , • G (cid:48) has the following min-cut capacities: zero from S to D and M (cid:63) { } from S to D , • G (cid:48) has the following min-cut capacities: M (cid:63) { , } from S to D , M (cid:63) { , } from S to D and M (cid:63) { , } from S to { D , D } ,where the quantities M (cid:63) { } , M (cid:63) { } and M (cid:63) { , } can be computed using the following set of equations: M { } = M (cid:63) { } + M (cid:63) { , } , (4a) M { } = M (cid:63) { } + M (cid:63) { , } , (4b) M { , } = M (cid:63) { } + M (cid:63) { } + M (cid:63) { , } . (4c)We now state the following lemma, which is a consequence of [8, Theorem 1] and we will useto prove the achievability of the rate region in (2). Lemma 3.
Any graph with a single source and m = 2 destinations is separable. For completeness we report the proof of Lemma 3 in Appendix A. By leveraging the result inLemma 3, we are now ready to prove Theorem 2. In particular, we consider two cases dependingon the value of k (i.e., the number of edges that the eavesdropper wiretaps). Without loss ofgenerality, we assume that k < min i ∈ [2] M i , as otherwise secure communication to the set ofdestinations { D i : k ≥ M i } is not possible at any rate, and hence we can just remove this setof destinations from the network.1) Case 1: k ≥ M (cid:63) { , } . In this case, by substituting the quantities in (4) into (2), we obtain thatthe constraint in (2c) is redundant. Thus, we will now prove that the rate pair ( R , R ) =( M { } − k, M { } − k ) is securely achievable, which along with the time-sharing argumentproves the achievability of the entire rate region in (2).We denote with K , K , . . . , K k the k key packets and with W (1) i , W (2) i , . . . , W ( R i ) i (with i ∈ [2] ) the R i message packets for D i . With this, our scheme is as follows: • We multicast K i , ∀ i ∈ [ M (cid:63) { , } ] , to both D and D using G (cid:48) , which has edges denotedby E (cid:48) . This is possible since G (cid:48) has a min-cut capacity M (cid:63) { , } to both D and D (seeDefinition 3). • We unicast K (cid:96) , ∀ (cid:96) ∈ [ M (cid:63) { , } + 1 : k ] , to D i , ∀ i ∈ [2] , using k − M (cid:63) { , } paths out ofthe M (cid:63) { i } disjoint paths in G (cid:48) i . We denote by ˆ E i the set that contains all the first edges of these paths. Clearly, | ˆ E i | = k − M (cid:63) { , } , ∀ i ∈ [2] . Notice that ˆ E i ⊆ E (cid:48) i , ∀ i ∈ [2] (seeDefinition 3). • We send the R i , ∀ i ∈ [2] , encrypted message packets (i.e., encoded with the keys)of D i on the remaining M (cid:63) { i } − k + M (cid:63) { , } disjoint paths in G (cid:48) i . We denote by ¯ E i theset that contains all the first edges of these paths in G (cid:48) i . Clearly, | ¯ E i | = R i , ∀ i ∈ [2] , ¯ E i ⊆ E (cid:48) i and ¯ E i ∩ ˆ E i = ∅ (see Definition 3).This scheme achieves R i = M (cid:63) { i } − k + M (cid:63) { , } = M { i } − k, ∀ i ∈ [1 : 2] , where the secondequality follows by using the definitions in (4). Now we prove that this scheme is alsosecure. We start by noticing that, thanks to Definition 3, the edges E (cid:48) , ˆ E i and ¯ E i , with i ∈ [2] , do not overlap. We write these transmissions in a matrix form (with G and U being the encoding matrices) and we obtain X E (cid:48) X ˆ E X ˆ E = g g . . . g k g g . . . g k ... ... . . . ... g (cid:96) g (cid:96) . . . g (cid:96)k (cid:124) (cid:123)(cid:122) (cid:125) G K K ... K k , (cid:96) = |E (cid:48) | + 2 (cid:0) k − M (cid:63) { , } (cid:1) , X ¯ E X ¯ E = u u . . . u k u u . . . u k ... ... . . . ... u r u r . . . u rk (cid:124) (cid:123)(cid:122) (cid:125) U K K ... K k ⊕ W (1)1 ... W ( R )1 W (1)2 ... W ( R )2 , r = R + R . The eavesdropper Eve wiretaps k ≤ k edges from the collection of edges {E (cid:48) , ˆ E , ˆ E } , overwhich the linear combinations X E (cid:48) , X ˆ E and X ˆ E of keys are transmitted, and k = k − k edges from the collection of edges { ¯ E , ¯ E } over which the messages encoded with the keys X ¯ E and X ¯ E are transmitted. We here note that on the other edges E \{E (cid:48) ∪ ˆ E ∪ ¯ E ∪ ˆ E ∪ ¯ E } of the network, we either do not transmit any symbol or simply route the symbols from { X ¯ E , X ¯ E , X ˆ E , X ˆ E } (corresponding to the symbols transmitted on disjoint paths). Thus,without loss of generality, we can assume that Eve does not wiretap any of these edges.Since the first |E (cid:48) | rows of G (i.e., those that correspond to multicasting the keys) are determined by the network coding scheme for multicasting [2], we assume that we do nothave any control over the construction of G .Thus, we would like to construct the code matrix U such that all the linear combinationsof the keys used to encrypt the messages on k edges are mutually independent and areindependent from the linear combinations of the keys wiretapped on the k edges (noticethat this makes the symbols wiretapped by the eavesdropper completely independent fromthe messages). In particular, since in the worst case Eve wiretaps k edges which areindependent linear combinations, we would like that any matrix formed by k independentrows of the matrix G and k rows of the matrix U is full rank. Since there is a finitenumber of such choices and the determinant of each of these possible matrices can bewritten in a polynomial form – which is not identically zero – as a function of the entriesof U , then we can choose the entries of U such that all these matrices are invertible. Thus,we can always construct the code matrix U such that the edges wiretapped by Eve haveindependent keys and hence Eve does not get any information about the message packets,i.e., the scheme is secure. This implies that the rate pair ( R , R ) = ( M { } − k, M { } − k ) is securely achievable.2) Case 2: k < M (cid:63) { , } . By substituting the quantities in (4), the rate region in (2) becomes R i ≤ M { i } − k = M (cid:63) { i } + M (cid:63) { , } − k, ∀ i ∈ [2] , (5a) R + R ≤ M { , } − k = M (cid:63) { } + M (cid:63) { } + M (cid:63) { , } − k . (5b)We now show that we can achieve the following two corner points i.e., the rate pair ( R , R ) = (cid:0) α ( M { , } − M { } ) + (1 − α )( M { } − k ) ,α ( M { } − k ) + (1 − α )( M { , } − M { } ) (cid:1) (a) = ( M (cid:63) { } + α ( M (cid:63) { , } − k ) , M (cid:63) { } + (1 − α )( M (cid:63) { , } − k )) , (6)for α ∈ { , } , where the equality in (a) follows by using the definitions in (4). This alongwith the time-sharing argument proves the achievability of the entire rate region in (5). Werecall that we denote with K , K , . . . , K k the k key packets and with W (1) i , W (2) i , . . . , W ( R i ) i (with i ∈ [2] ) the R i message packets for D i . With this, our scheme is as follows: • Using the graph G (cid:48) we multicast to both destinations D and D : (i) K i , ∀ i ∈ [ k ] , (ii) α ( M (cid:63) { , } − k ) encrypted message packets (i.e., encoded with the keys) for D and (iii) (1 − α )( M (cid:63) { , } − k ) encrypted message packets for D . Recall that the edges ofthe graph G (cid:48) are denoted by E (cid:48) (see Definition 3). We also highlight that the messagepackets multicast to the two destinations are encrypted using the key packets, wherethe encryption is based on the secure network coding result on multicasting [1], whichensures perfect security from an adversary wiretapping any k edges. • We send M (cid:63) { i } encrypted message packets of D i on the M (cid:63) { i } disjoint paths to D i inthe graph G (cid:48) i , and denote by ˆ E i the set that contains all the first edges of these pathsfor i ∈ [2] .This scheme achieves the rate pair in (6). Now we prove that this scheme is also secure.For ease of representation, in what follows we let R (cid:63) = α ( M (cid:63) { , } − k ) and R (cid:63) = (1 − α )( M (cid:63) { , } − k ) . We again notice that, thanks to Definition 3, the edges E (cid:48) , ˆ E and ˆ E do notoverlap. We write these transmissions in a matrix form (with G , U and S being encodingmatrices) and we obtain, X E (cid:48) = g g . . . g k g g . . . g k ... ... . . . ... g (cid:96) g (cid:96) . . . g (cid:96)k (cid:124) (cid:123)(cid:122) (cid:125) G K K ... K k ⊕ s s . . . s k s s . . . s k ... ... . . . ... s (cid:96) s (cid:96) . . . s (cid:96)k (cid:124) (cid:123)(cid:122) (cid:125) S W (1)1 ... W ( R (cid:63) )1 W (1)2 ... W ( R (cid:63) )2 , (cid:96) = |E (cid:48) | , X ˆ E X ˆ E = u u . . . u k u u . . . u k ... ... . . . ... u r u r . . . u rk (cid:124) (cid:123)(cid:122) (cid:125) U K K ... K k ⊕ m ( R (cid:63) +1)1 ... W ( R )1 W ( R (cid:63) +1)2 ... W ( R )2 , r = R + R − ( M (cid:63) { , } − k ) . The eavesdropper Eve wiretaps k ≤ k edges from E (cid:48) , over which the linear combinations X E (cid:48) of key packets and message packets are sent, and k = k − k edges from the collectionof edges { ˆ E , ˆ E } over which the messages encoded with the keys X ˆ E and X ˆ E aretransmitted. Similar to Case , on the other edges E \{E (cid:48) ∪ ˆ E ∪ ˆ E } of the network, we eitherdo not transmit any symbol or simply route the symbols from { X ˆ E , X ˆ E } (correspondingto the symbols transmitted on disjoint paths). Thus, without loss of generality, we can SD D SD D SD D SD D (a) (b) (c) (d) G G G G i Fig. 1: A -destination separable network G in (a) and its partition graphs G (cid:48) i , i ∈ [3] in (b)-(d).assume that the eavesdropper does not wiretap any of these edges. Since the matrices G and S are determined by the secure network coding scheme for multicasting [1], we donot have any control over their construction. Thus, we would like to construct the codematrix U in order to ensure security. Again, similar to the argument used in Case , wecan create U such that any subset of k rows of U are linearly independent and not in thespan of any subset of k rows of G . With this, the keys used to encrypt the messages overany k edges of { ˆ E , ˆ E } are mutually independent and independent from the keys usedover any k edges of E (cid:48) . This, together with the fact that the messages transmitted using G (cid:48) are already secure, makes our scheme secure. This implies that the rate pair ( R , R ) in (6) is securely achievable.This concludes the proof of Theorem 2.We next illustrate the above described scheme for the network G in Fig. 1(a). We first notethat G has min-cut capacities M { } = M { } = 3 and M { , } = 4 , and it can be partitioned intothree graphs G (cid:48) i , i ∈ [3] , as shown in Figs. 1(b)-(d), with min-cut capacities equal to M (cid:63) { } = M (cid:63) { } = 1 and M (cid:63) { , } = 2 , respectively. We assume that the adversary eavesdrops any k = 2 edges of her choice. For this case, the source should be able to securely communicate at a rate ( R , R ) = (1 , towards the m = 2 destinations. This rate pair can be achieved as follows:1) Over the set of edges in G (cid:48) , the source transmits W ⊕ K ⊕ K ; the intermediate nodesimply routes this transmission to D ;2) Over the set of edges in G (cid:48) , the source transmits W ⊕ K ⊕ K ; the intermediate nodesimply routes this transmission to D ; SD D D Fig. 2: Example of a non-separable graph.3) Over the set of edges in G (cid:48) , the source transmits K to one intermediate node and K tothe other intermediate node. The intermediate node denoted as i in Fig. 1(d) receives K and K and transmits K ⊕ K on its outgoing edges. Note that with this strategy D and D receives K and K . It therefore follows that D i , i ∈ [2] , can successfully recover W i .We conclude this section with an observation on separable graphs. In particular, we show that,although for the case of m = 2 destinations any graph is separable, in general the same doesnot hold for m ≥ . Remark 2.
Consider the network in Fig. 2, which consists of m = 3 destinations and hasthe following min-cut capacities: M { } = 1 , M { } = 1 , M { } = 1 , M { , } = 2 , M { , } = 2 , M { , } = 2 and M { , , } = 2 . With this, we can find M (cid:63) J , J ⊆ [3] , by solving (3) . In particular,we obtain: M (cid:63) { } = M (cid:63) { } = M (cid:63) { } = 0 , M (cid:63) { , } = M (cid:63) { , } = M (cid:63) { , } = 1 and M (cid:63) { , , } = − . Sincea graph can not have a negative min-cut capacity, we readily conclude that a separation of theform defined in Definition 3 is not possible. V. S
ECURE SCHEME FOR COMBINATION NETWORKS
In this section, we focus on a special class of networks, referred to as combination networks,and design a secure transmission scheme. Before delving into the study of such networks, we notethat the capacity-achieving scheme for m = 2 destinations described in Section IV uses somepart of the network to multicast the keys and the remaining part to communicate the encryptedmessages (i.e., messages encoded with the keys). Therefore, we now ask the following question: SD D D Fig. 3: Network example to show that using different parts of the network to transmit the keysand the encrypted messages is not optimal.can we extend this idea to get a capacity-achieving scheme for networks with arbitrary numberof destinations? In other words, can we separate, over different parts of the network, the keytransmissions and the message transmissions? We next show that this is not possible throughan example. Consider the network shown in Fig. 3, which consists of m = 3 destinations,and where the adversary can eavesdrop any k = 3 edges of her choice. For this network wehave the following min-cut capacities: M { } = M { } = M { } = 4 , M { , } = M { , } = M { , } = M { , , } = 6 . We would like to show that the triple ( R , R , R ) = (1 , , – obtained fromthe outer bound in Theorem 1 – can not be achieved when the key packets and the encryptedmessages are transmitted over different parts of the network. It is not difficult to see that, out ofthe outgoing edges from the source, multicasting keys requires a number of edges strictlygreater than . Thus, we would be left with strictly less than edges, which are not sufficientto transmit message packets, i.e., one for each destination. It therefore follows that, with thisstrategy, the rate triple ( R , R , R ) = (1 , , can not be securely achieved.However, we now design a transmission scheme, where the messages and the keys are encodedjointly and show that the rate triple ( R , R , R ) = (1 , , can indeed be securely achieved. Inwhat follows, we let: (i) W i , i ∈ [3] , be the message for D i , (ii) K i , i ∈ [3] , be the three random Note that keys are required since the adversary eavesdrops k = 3 edges of her choice. packets transmitted by the source to guarantee security (recall that the eavesdropper wiretapsany k = 3 edges of her choice), and (iii) X i , i ∈ [6] , be the symbols transmitted by the source onits outgoing edges (enumerated from left to right with reference to Fig. 3). Intermediate nodessimply route the received symbols on their outgoing edges, i.e., there is no coding operation atthe intermediate nodes. With this, we now define our scheme in matrix form as follows, X X X X X X = (cid:124) (cid:123)(cid:122) (cid:125) B W W W K K K , (7)where B ∈ F is the encoding matrix. We start by noting that, for every set of edges, wehave linearly independent keys added to the linear combinations of messages, and hence thescheme is secure. Moreover, the destinations can successfully recover their message by usingthe following decoding scheme: • Destination 1: W = 6 X + 3 X + 4 X + X , • Destination 2: W = 6 X + 4 X + 3 X + X , • Destination 3: W = 5 X + 6 X + X + 2 X .Thus, the rate triple ( R , R , R ) = (1 , , can be securely achieved. This example showsthat using different parts of the network to transmit the keys and the encrypted messages, ingeneral is not optimal. This is partially due to the fact that destinations do not need to decodeeach key individually, as long as they can successfully recover their message. A. Secure Transmission Scheme
We now leverage the observations drawn for the network in Fig. 3 to design a secure transmis-sion scheme for a class of networks, referred to as combination networks. As formally definedin Definition 4, these networks have a two-layer topology, they are separable (see Definition 3)and they can have an arbitrary number of destinations.
Definition 4 (Combination Network) . A combination network parameterized by ( t, m, {M i , ∀ i ∈ [ m ] } ) is defined as follows. The source node S is connected to t intermediate nodes that form D D D S Fig. 4: An example of a combination network with t = 6 and m = 3 . the first layer of the network. Each intermediate node has one incoming edge from the source.On the second layer, there are m destination nodes D , D , . . . , D m , such that D i , i ∈ [ m ] , isconnected to a subset of intermediate nodes given by M i ⊆ [ t ] . Each destination has at mostone incoming edge from intermediate node i ∈ [ t ] . An example of combination network is shown in Fig. 4, for which t = 6 , m = 3 , and M = { , , } , M = { , , , } and M = { , } .The rate region achieved by our designed secure transmission scheme depends on m carefullyconstructed null spaces. We observe that each receiver D i will use R i vectors to “decode” (wewill refer to these as “decoding vectors”), to retrieve the R i messages it requests. These vectorsneed to enable to cancel out the keys, need to be linearly independent, and need to use onlythe encoded transmissions of the source that the receiver has access to. The intuition behind ourscheme design is to construct the null spaces where these decoding vectors reside. We nowshow the construction of such null spaces. Consider a Vandermonde matrix V with k rows and t columns as shown in (8), where α i ∈ F q , ∀ i ∈ [ t ] , are all distinct. V = . . . α α . . . α t ... α k − α k − . . . α k − t . (8)Note that t > k , otherwise secure communication is not possible, i.e., if k ≥ t , then the adversarywiretaps the entire communication from the source. Since V is a Vandermonde matrix, it hasthe property that any any k × k submatrix is full rank, i.e., any set of k columns are linearlyindependent. Moreover, the right null space of V is of dimension t − k . This matrix will be usedto encode the keys. For each destination D i , i ∈ [ m ] , we consider the following matrix V i : V i = VC i , (9)where C i is a matrix having t − |M i | rows and t columns. The rows of C i are given by { c j , j ∈ [ t ] \ M i } , where c j is a vector of length t with a one in the j -th position and zeroseverywhere else. The role of the matrix C i is to restrict receiver D i to only use the sourceencoded transmissions it actually has access to. For instance, with reference to the example inFig. 4, we would have C = , C = , C = . With this construction, we have that: (i) all rows of V are linearly independent ( because of theproperty of the Vandermonde matrix in (8)); (ii) all rows of C i are linearly independent; (iii) anyvector in the span of the rows of V has a weight of at least t − k + 1 (because V is the generatormatrix of a ( t, k, t − k + 1) Maximum Distance Separable (MDS) code); (iv) any vector in thespan of the rows of C i has a weight of at most t − |M i | . Thus, as long as t − k + 1 > t − |M i | ,i.e., |M i | ≥ k , then all rows of V i are linearly independent. Let N i be the right null space of V i , then N i will be of dimension t − ( k + t − |M i | ) , i.e., |M i | − k if |M i | ≥ k . For the casewhen |M i | < k , V i will be a full rank matrix of rank t and N i will be an empty space. Thus,dim ( N i ) = [ |M i | − k ] + , ∀ i ∈ [ m ] . (10) TABLE I: Notation used for the secure transmission scheme over combination networks.
Quantity Definition e i Edge from the source S to the intermediate node i ∈ [ t ] X e i Symbols transmitted on edge e i , i ∈ [ t ] W i Message packet for D i , i ∈ [ m ] such that W i := [ W (1) i , W (2) i , . . . , W ( R i ) i ] K i , i ∈ [ k ] Random packet to ensure secure communication, with K := [ K , K , . . . , K k ] With the definition of the null spaces N i , i ∈ [ m ] , above, we are now ready to present ourachievable rate region for combination networks. Proposition 4.
For the combination network ( t, m, {M i , ∀ i ∈ [ m ] } ) , assume that, for all i ∈ [ m ] ,we can select R i vectors from N i such that the selected m (cid:80) i =1 R i vectors are linearly independent.Then, the rate tuple ( R , R , . . . , R m ) is securely achievable and the convex hull of all thesefeasible rate tuples is the achievable region.Proof. We next describe the different encoding/decoding operations of our scheme for a specifictuple ( R , R , . . . , R m ) that satisfies the condition in Proposition 4 . Towards this end, we usethe notation summarized in Table I. • Encoding.
The source S transmits the following symbols on its outgoing edges (cid:104) X e X e . . . X e t (cid:105) T = (cid:104) E V T (cid:105) (cid:104) W W . . . W m K (cid:105) T , (11)where E is a matrix of t rows and (cid:80) mi =1 R i columns, and V is the Vandermonde matrixdefined in (8). Upon receiving a transmission from the source S , the intermediate node i ∈ [ t ] simply routes this transmission on its outgoing edges, i.e., there is no coding operation atthe intermediate nodes. • Security.
Since any k rows of V T are linearly independent, then any set of k symbolstransmitted on the first layer – and similarly on the second layer, since each intermediatenode simply routes the received transmission on its outgoing edges – are encoded withindependent keys. Thus, the adversary that eavesdrops k edges will not be able to obtainany information about the messages, i.e., the scheme is secure. We assume that the R i s with i ∈ [ m ] are all integers. This assumption is without loss of generality since: (i) rational R i scan be characterized by time-sharing the network with integer values of achievable rate tuples; (ii) rate tuples over real numberscan be approximated with rational rate tuples. • Decoding.
Each receiver D i will use the R i linearly independent vectors to multiply thevector (cid:104) X e X e . . . X e t (cid:105) T , and retrieve the R i private messages it requests. Note that,because of the null spaces construction, each receiver only observes the symbols it actuallyhas access to, and each receiver is able to cancel out the keys. In Appendix B, we provethat there exists a choice of the matrix E in (11), which ensures that all the destinationsreliably decode their intended messages. B. On the Optimality of the Designed Secure Transmission Scheme
We now conclude this section with a discussion on the rate performance achieved by theproposed secure transmission scheme. Towards this end, we start by noting that, for a combinationnetwork with parameters ( t, m, {M i , ∀ i ∈ [ m ] } ) , the min-cut capacity between the source S andthe set of destinations D A := { D i : i ∈ A} is given by M A = (cid:12)(cid:12)(cid:12)(cid:12) (cid:83) i ∈A M i (cid:12)(cid:12)(cid:12)(cid:12) . By substituting thisinside (1) in Theorem 1, we get the following outer bound, Corollary 5.
An outer bound on the secure capacity region for the multiple unicast traffic overthe combination network with parameters ( t, m, {M i , ∀ i ∈ [ m ] } ) is given by R A ≤ (cid:34)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) (cid:91) i ∈A M i (cid:12)(cid:12)(cid:12)(cid:12)(cid:12) − k (cid:35) + , ∀A ⊆ [ m ] , (12) where R A := (cid:80) i ∈A R i . We now prove that our designed secure transmission scheme is indeed optimal for the case of m = 2 destinations. In other words, we show that the outer bound in Corollary 5 is achievablewhen m = 2 . Formally, we have Proposition 6.
For the combination network with parameters ( t, , {M i , ∀ i ∈ [2] } ) , the securecapacity region is given by R ≤ [ |M | − k ] + , (13a) R ≤ [ |M | − k ] + , (13b) R + R ≤ [ |M ∪ M | − k ] + . (13c) Proof.
Clearly, from the result in Corollary 5, the rate region in (13) is an outer bound onthe secure capacity region. Hence, we now need to prove that the rate region in (13) is alsoachievable. This proof can be found in Appendix C.Although we could prove the optimality of our designed secure transmission scheme onlyfor the case of m = 2 destinations, we performed extensive numerical evaluations that indeedsuggest that the scheme could be optimal even for the case of larger values of m . In particular,in our simulations we considered up to m = 8 destinations and, for all the considered networkconfigurations, we verified that the rate region achieved by our designed scheme coincides withthe outer bound in (12).VI. P OLYNOMIAL TIME SCHEME FOR NETWORKS WITH ARBITRARY TOPOLOGIES ANDARBITRARY NUMBER OF DESTINATIONS
We now propose the design of a secure transmission scheme for networks with arbitrarytopologies and arbitrary number of destinations. This scheme consists of two phases, namelythe key generation phase (in which secret keys are generated between the source and the m destinations) and the message sending phase (in which the message packets are first encodedusing the secret keys and then transmitted to the m destinations). The corresponding achievablerate region is presented in Theorem 7. Theorem 7.
Let ( ˆ R , ˆ R , . . . , ˆ R m ) be an achievable rate m -tuple in the absence of the eaves-dropper. Then, the rate m -tuple ( R , R , . . . , R m ) with R i = ˆ R i (cid:18) − kM (cid:19) , ∀ i ∈ [ m ] , (14) where M is the minimum min-cut between the source and any destination, is securely achievablein the presence of an adversary who eavesdrops any k edges of her choice.Proof. Let M { i } be the min-cut capacity between the source and the destination D i with i ∈ [ m ] . We define M as the minimum among all these individual min-cut capacities, i.e., M =min i ∈ [ m ] M { i } . Let ( ˆ R , ˆ R , . . . , ˆ R m ) ∈ R m be the unsecure rate m -tuple achieved in the absenceof the eavesdropper. We start by approximating this rate m -tuple with rational numbers; noticethat this is always possible since the set of rationals Q is dense in R . Moreover, an informationflow through the network (from the source S to an artificial destination D (cid:48) connected to all thedestinations D i , i ∈ [ m ] – see also Appendix D) that achieves this rate m -tuple might involve fractional flows over the edges since the rate m -tuple may be fractional. To make the rate m -tuple integer and thereby also the flow over each edge, we multiply the capacity of each edgeby a common factor T , which is the least common multiple among the denominators of all thefractional flows. This implies that to achieve ( ˆ R , ˆ R , . . . , ˆ R m ) , then ( T ˆ R , T ˆ R , . . . , T ˆ R m ) hasto be achieved over T instances of the network after which the flow over each edge is an integer.In what follows, we describe our coding scheme and show that ( R , R , . . . , R m ) = (cid:18) − kM (cid:19) ( ˆ R , ˆ R , . . . , ˆ R m ) (15)is securely achievable. This particular scheme consists of the following two phases. • Key generation.
This first phase – in which secure keys are generated between the sourceand the destinations – consists of k subphases. In each subphase, the source multicasts M − k random packets securely to all destinations. This is possible thanks to the securenetwork coding result of [1], since the minimum min-cut capacity is M and Eve has accessto k edges. Thus, at the end of this phase, a total of T k ( M − k ) secure keys are generated,since in each phase we use the network T times. • Message sending.
We choose
T k packets out of the
T k ( M − k ) securely shared (in the keygeneration phase) random packets. For each choice of T k packets, we convert the unsecurescheme achieving ( T ˆ R , T ˆ R , . . . , T ˆ R m ) to a secure scheme achieving the same rate m -tuple. Towards this end, we expand the T k shared packets into (cid:80) mj =1 T ˆ R j packets using anMDS code matrix. With this, we have the same number of random packets as the messagepackets. We then encode the message packets with the random packets and transmit themas it was done in the corresponding unsecure scheme. We repeat this process until we runout of the shared random packets, i.e., we repeat this process M − k times by using T instances of the network each time. Proof of security.
We know that, in the absence of security considerations, a time-sharing basedscheme is optimal (i.e., capacity achieving) for the multiple unicast traffic over networks withsingle source, i.e., network coding is not beneficial [5] (see also Appendix D). Given that weare not using network coding operations and since each edge carries an integer information flow,then the eavesdropper will be able to wiretap at most
T k different messages each encoded withan independent key. Hence, the eavesdropper will not be able to obtain any information aboutany of the m messages. Analysis of the achieved rate m -tuple. The secure scheme described above requires a total of M phases. In particular, in the first k phases we generate the secure keys and in the remaining M − k phases we securely transmit at rates of ( T ˆ R , T ˆ R , . . . , T ˆ R m ) , over T network instances.Thus, the achieved secure message rate ( R , R , . . . , R m ) is R j = M − kM ˆ R j = (cid:18) − kM (cid:19) ˆ R j , ∀ j ∈ [ m ] . (16)This concludes the proof of Theorem 7.We now compare our two-phase scheme with the optimal scheme for networks with twodestinations. We also analyze and discuss potential reasons behind the sub-optimality of thetwo-phase scheme. A. Complexity of the two phase scheme and a comparison with the optimal scheme
The capacity achieving scheme for m = 2 destinations that we have proposed (see Section IV)first requires that we edge-partition the original graph G into three graphs (i.e., an edge in G appears in only one of these three graphs). At this stage, this step requires an exhaustive searchover all possible paths in the network, which requires an exponential number of operations inthe number of nodes. It therefore follows that the scheme proposed in Section IV, even thoughit allows to characterize the secure capacity region, could be of exponential complexity.Differently, the two-phase scheme proposed in this section runs in polynomial time in thenetwork size. This is because all the operations that it requires (i.e., finding a T such that over T instances all flows are integer, multicasting the keys in the key generation phase, encryptingmessages at the source (i.e., encoding the messages with the keys) and routing the encryptedmessages) can be performed in polynomial time in the number of edges and nodes in the network.The two-phase scheme described in this section is sub-optimal and does not achieve the outerbound in (1). However, this scheme offers a guarantee on the secure rate region that can alwaysbe achieved as a function of any rate m -tuple that is achievable in the absence of the eavesdropperEve (see (14) in Theorem 7). In what follows, we seek to identify some of the reasons for whichthis scheme is sub-optimal.One reason behind the sub-optimality is that in the key generation phase some edges in thenetwork are not used. Indeed, when we multicast the M random packets to generate the keys(where M is the minimum of the min-cut capacities and k is the number of edges wiretappedby the eavesdropper) – out of which M − k linear combinations are secure keys – it might SD D W K K K K K K K (a) R Unsecure Capacity Region21 1 / / R Secure Capacity RegionSecure Rate RegionTwo-Phase Scheme (b) Rate region for the network in Fig. 5(a).
Fig. 5: Network example for which the two-phase scheme is not optimal.have been possible to use the other edges (i.e., those through which the random packets do notflow) to transmit some encrypted message packets. For instance, consider the network examplein Fig. 5(a), where the eavesdropper wiretaps k = 1 edge of her choice. Our two-phase schemewould multicast M = min i ∈ [2] M { i } = 2 random packets K and K ( K is transmitted over the solidedges and K over the dashed edges in Fig. 5(a)), out of which M − k = 1 is securely receivedby D and D . Hence, the combination K ⊕ K can be used to securely transmit the messagepackets. However, we see that in the first phase the dotted edge (i.e., the one that connects S directly to D ) is not used. This brings to a reduction in the achievable rate region since this edgecould have been used to securely transmit a message packet to D by using W ⊕ K as shown inFig. 5(a). Given this, we believe that one reason that makes the two-phase scheme suboptimal isthe fact that it does not fully leverage all the network resources. In Fig. 5(b), we plotted differentrate regions for the network in Fig. 5(a), which has min-cut capacities M { } = 2 , M { } = 3 and M { , } = 3 . In particular, the region contained in the solid curve is the unsecure capacity region(given by (17) in Lemma 8), the region inside the dashed curve is the secure capacity region(given by (2) in Theorem 2) and the region contained inside the dotted curve is the secure rateregion that can be achieved by the two-phase scheme (given by (14) in Theorem 7).Another reason behind the sub-optimality is that not all the edges are suitable for multicastingkeys. In particular, tree-like structures are more suitable to multicasting keys rather than disjoint SD D (a) R R / / (b) Rate region for the network in Fig. 6(a). Fig. 6: Network example for which the two-phase scheme is not optimal.paths to different destinations. To see this, we consider the network shown in Fig. 6(a) with twodestinations. This network has one tree structure (represented by the solid edges in Fig. 6(a))and one set of disjoint paths to both the destinations (represented by the two dashed edges inFig. 6(a)). In the two-phase scheme we use both the tree structure and the two disjoint pathsto transmit keys as well as messages, while in the optimal scheme we use the tree structureto transmit keys and the disjoint paths to transmit messages. In Fig. 6(b), we plotted differentrate regions for the network in Fig. 6(a), which has min-cut capacities M { } = 2 , M { } = 2 and M { , } = 3 . The region contained in the solid curve is the unsecure capacity region (givenby (17) in Lemma 8), the region inside the dashed curve is the secure capacity region (givenby (2) in Theorem 2) and the region contained inside the dotted curve is the secure rate regionthat can be achieved by the two-phase scheme (given by (14) in Theorem 7).From Fig. 5(b) and Fig 6(b), we indeed observe that the rate region achieved by the two-phasescheme is contained inside the secure capacity region. We can have a more complete comparisonfor networks with destinations. For instance, consider networks for which the min-cut capacitiesto both the destinations are the same. Then, depending on the number of edges that the adversaryis eavesdropping, the capacity region and the region achieved using the two-phase scheme areshown in Fig. 7. These figures are drawn by using Theorem 2 (regions inside the dashed curve) Unsecure Capacity RegionSecure Capacity RegionSecure Rate RegionTwo-Phase Scheme R R a = M { , } Mb = M kc = a kM Mabc c b a M
Case 1 : k M ? { , } (a) Case 1: When M (cid:63) { , } ≤ k . M M
Unsecure Capacity RegionSecure Capacity RegionSecure Rate RegionTwo-Phase Scheme a = M { , } Mb = M kc = a kM R abc c b a R Case 2 : k < M ? { , } (b) Case 2: When M (cid:63) { , } > k . Fig. 7: Comparison of secure capacity with the rate region achieved by the two-phase schemefor networks with two destinations.and Theorem 7 (regions inside the dotted curve). Unsecure capacity results (regions inside thesolid curve) are obtained from Lemma 8.VII. C
OMPARISONS , N ON - REVERSIBILITY AND A DDITIONAL I NSTANCES OF M ULTIPLE U NICAST T RAFFIC
In this section, we conclude the paper with some comparisons and analysis of other instancesof multiple unicast traffic. In particular, in Section VII-A, we compare the secure rate regionfor m = 2 destinations in Theorem 2 with the capacity region when the adversary is absent.The goal of this analysis is to quantify the rate loss that is incurred to guarantee security. InSection VII-B, we prove that the secure capacity region for m = 2 destinations is non-reversible.Specifically, we show that, if we switch the role of the source and destinations and we reversethe directions of the edges, then the new secure capacity region differs from the original one.This is a surprising result since it implies that – different from the unsecure case where non-reversible networks must necessary have non-linear network coding solutions [26], [27] – undersecurity constraints even networks with linear network coding solutions can be non-reversible ifthe traffic is multiple unicast. Finally, in Section VII-C, we consider other instances of multipleunicast traffic, such as networks with erasure links and noiseless networks with two sources and two destinations. For some specific network topologies, we derive the secure capacity region.This analysis sheds light on how coding should be performed across different unicast sessions. A. Comparison with the Unsecure Capacity Region
The unsecure capacity region (i.e., capacity in the absence of the eavesdropper) for a multipleunicast network with a single source and multiple destinations described in Section II, is wellknown [5, Theorem 9] and given by the following lemma. For completeness we report the proofof the following lemma in Appendix D.
Lemma 8.
The unsecure capacity region for the multiple unicast traffic over networks with singlesource node and m destination nodes is given by R A ≤ M A , ∀A ⊆ [ m ] , (17) where R A := (cid:80) i ∈A R i and M A is the min-cut capacity between the source S and the set ofdestinations D A := { D i : i ∈ A} . For networks with m = 2 destinations, we compare the secure capacity region in Theorem 2and the unsecure capacity region in Lemma 8. By comparing (2) with (17) (evaluated for thecase m = 2 ), we observe that in the presence of the eavesdropper we lose at most a rate k ineach dimension compared to the unsecure case. We notice that the same result holds for the caseof m = 1 destination and for the case of multicasting the same message to all destinations [1](i.e., we have a rate loss of k with respect to the min-cut capacity M ). However, here it is moresurprising since the messages to the m = 2 destinations (and potentially the keys) are different. B. Non-Reversibility of the Secure Capacity Region
In order to characterize the unsecure capacity region in (17), network coding is not necessaryand routing is sufficient (see also Appendix D). Thus, from the result in [27], it directly followsthat the capacity result in (17) is reversible. In particular, let G be a network with single sourceand m destinations with a certain capacity region (that can be computed from Lemma 8). Then,the reverse graph G (cid:48) is constructed by switching the role of the source and destinations and byreversing the directions of the edges. Thus, G (cid:48) will have m sources and one single destination.The result in [27] ensures that G and G (cid:48) will have the same capacity region, i.e., the result in Lemma 8 characterizes also the unsecure capacity region for the multiple unicast traffic overnetworks with m sources and single destination.We now focus on the secure case. In Section IV, we have characterized the secure capacityregion for a multiple unicast network with single source and m = 2 destinations. In particular,Theorem 2 implies that the secure capacity region does not depend on the specific topology of thenetwork and it can be fully characterized by the min-cut capacities M { } , M { } and M { , } andby the number k of edges eavesdropped by Eve. We now show that this result is non-reversible,i.e., the secure capacity region of the reverse network is not the same as the one of the originalnetwork. Moreover, we also show that the secure capacity region of networks with sourcesand single destination cannot anymore be characterized by only the min-cut capacities, i.e., itdepends on the specific network topology.Consider the three networks in Fig. 8 and assume k = 1 , i.e., Eve wiretaps one edge of herchoice. For the network in Fig. 8(a) we have min-cut capacities (cid:0) M { } , M { } , M { , } (cid:1) = (1 , , and hence from Theorem 2 it follows that the secure capacity for this network is given by ( R , R ) = (0 , . This point can be achieved by simply using the scheme shown in Fig. 8(a),where K represents the key and W the message for D . Now, consider the network in Fig. 8(b)that is obtained from Fig. 8(a) by switching the role of the source and destinations and byreversing the directions of the edges. For this network, which has the same min-cut capacities asthe network in Fig. 8(a), the rate pair ( R , R ) = (1 , is securely achievable using the schemeshown in Fig. 8(b) where W is the message of S and K and K are the keys generated by S and S , respectively. The rate pair ( R , R ) = (1 , , which is securely achieved by the networkin Fig. 8(b), cannot be securely achieved by the network in Fig. 8(a). This result implies that asecure rate pair that is feasible for one network might not be feasible for the reverse network,i.e., the secure capacity regions can be different and hence cannot be derived from one another.The achievability of the pair ( R , R ) = (1 , in Fig. 8(b) also shows that the outer boundin (1) does not hold for networks with single destination and multiple sources, in which case itis possible to achieve rates outside this region.Consider now the network in Fig. 8(c). This network has the same min-cut capacities asthe network in Fig. 8(b), i.e., (cid:0) M { } , M { } , M { , } (cid:1) = (1 , , . We now show that the rate pair ( R , R ) = (1 , , which can be securely achieved in the network in Fig. 8(b), cannot be securelyachieved in the network in Fig. 8(c). Let X i , i ∈ [1 : 4] , be the transmitted symbols as shown in SD D K K W K (a) ( R , R ) = (0 , is capacity. DS S K W K W K K K (b) ( R , R ) = (1 , is achievable. DS S X X X X (c) ( R , R ) = (1 , is not achievable. Fig. 8: Network examples for non-reversibility.Fig. 8(c). With this, we have R = H ( W ) (a) = H ( W ) − H ( W | X , X ) (b) ≤ H ( W ) − H ( W | X , X , X )= I ( W ; X , X , X ) = I ( W ; X ) + I ( W ; X , X | X ) (c) = I ( W ; X , X | X ) = H ( X , X | X ) − H ( X , X | W , X ) (d) = H ( X , X ) − H ( X , X ) = 0 , where: (i) the equality in (a) follows because of the decodability constraint; (ii) the inequalityin (b) follows because of the ‘conditioning reduces the entropy’ principle and since X isa deterministic function of ( X , X ) ; (iii) the equality in (c) follows because of the perfectsecrecy requirement; (iv) finally, the equality in (d) follows since ( X , X ) is independent of ( W , X ) . This result shows that the rate pair ( R , R ) = (1 , is not securely achievable inthe network in Fig. 8(c). This implies that, for a network with single destination and multiplesources, we cannot characterize the secure capacity region based only on the min-cut capacities (cid:0) M { } , M { } , M { , } (cid:1) , i.e., the result would depend on the specific network topology. C. Analysis on Other Instances of Multiple Unicast Traffic
In this paper, we have focused on noiseless networks with unit edge capacities having a singlesource and multiple destinations. We now consider other instances of multiple unicast traffic, and , , , , , , , , , , , (a) (b) (c) S S S S SD D D D I ID I I Fig. 9: (a) The Y-network, (b) The RY-network and (c) The X-network.provide secure capacity results for some specific configurations. The main goal of this analysisis to highlight the critical role of coding across different unicast sessions in order to ensure asecure communication, even for scenarios where it is not required in the absence of an adversary.
1) Erasure Networks:
In [28], we considered multiple unicast traffic over the three erasurenetworks shown in Fig. 9, referred to as the Y-network, the Reverse Y (RY)-network and theX-network. In the Y-network, two sources wish to communicate two independent messages to acommon destination. In the RY-network, one source aims to communicate two independent mes-sages to two different destinations. Finally, in the X-network two sources seek to communicatetwo independent messages to two different destinations. In all three cases, only the source(s)can generate randomness; while in Fig. 9(a) and Fig. 9(c) sources can generate randomnessat an infinite rate, in Fig. 9(b) the source can generate randomness only at a finite rate D .These assumption are motivated by the fact that one can construct the X-network by combiningthe Y-Network and the RY-network. Each edge e on these three networks models an erasurechannel where the legitimate receiver has an erasure probability of δ e and the adversary hasan erasure probability of δ e E . Public feedback, which in [29] was shown to increase the securecapacity, is used, i.e., each of the legitimate nodes involved in the communication sends anacknowledgment after each transmission; this is received by all nodes in the network as well asby the eavesdropper (who can wiretap any k = 1 channel of the network). In [28], we derivedthe secure capacity region for the three networks in Fig. 9, as the solution of some feasibilityprograms that, for completeness we report in Appendix E-A. In particular, our capacity-achievingsecure transmission schemes consist of two phases. In the first phase, a link by link key is shared, and in the second phase encrypted message packets (i.e., encoded with the keys thatwere generated in the first phase) are transmitted. The key sharing mechanism involves a mixof communicating random symbols using an MDS code and an Automated Repeat ReQuest(ARQ) based scheme. We start by noting that, in order to characterize the capacity regionof the three networks in Fig. 9 in the absence of the adversary, coding is not needed and asimple time-sharing approach among the two unicast sessions is capacity-achieving. However,under security considerations, coding becomes of fundamental importance. With the primal goalto show the benefits of coding across the two unicast sessions, we here compare the securecapacity performance of our schemes (see Propositions 10-12 in Appendix E-A) with respect totwo naive strategies, i.e., the path sharing and the link sharing . In the path sharing the wholecommunication resources, at each time instant, are used only by one session; for example, forthe X-network we have a time-sharing between S - I - I - D and S - I - I - D . Differently, inthe link sharing strategy only the shared communication link is time-shared among the twounicast sessions; for example, in the X-network only the I - I link is time-shared. For boththese strategies we do not allow the source node that does not participate to act as a source ofrandomness, e.g., for the X-network the random packets sent by S cannot be used to encode themessage packets of S . Fig. 10 shows the performance (in terms of secure capacity region) ofthese two time-sharing strategies and of our schemes (see Propositions 10-12 in Appendix E-A).From Fig. 10, we observe that our schemes (solid line) achieve higher rates compared to thetwo time-sharing strategies. In general, these gains follow since: (i) in the Y-network S and S transmit random packets to I and these can be mixed to create a key on the shared link; (ii)in the RY-network the same set of random packets can be used to generate keys for both the I - D and I - D links. These factors, which involve coding operations across the two sessions,decrease the number of random packets required to be sent from the source(s) and implies thatmore message packets can be carried. Finally, (iii) in the X-network we have the benefits ofboth the Y- and RY-network.
2) Arbitrary Edge Capacities:
In [30], we considered the four noiseless networks shown inFig. 11, which are derived from the celebrated butterfly network. In particular, the edges canhave arbitrary capacity, which represents a main difference with respect to the model analyzedin the previous sections. Over these networks, we assume that the passive eavesdropper canwiretap any k = 1 edge of her choice, and that only the source(s) can generate randomness atinfinite rate. In [30], we derived both the secure and the unsecure capacity regions for these R R TS (Path) Achievable RegionTS (Link) Achievable RegionSecure Capacity Region (a) Y-network: ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . . R R TS (Path) Achievable RegionTS (Link) Achievable RegionSecure Capacity Region (b) RY-network: ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . , D = 0 . . R R TS (Path) Achievable RegionTS (Link) Achievable RegionSecure Capacity Region (c) X-network: ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . , ( δ , δ E ) = (0 . , . , ( δ , δ E ) =(0 . , . . Fig. 10: Numerical evaluations for the three networks in Fig. 9.four networks, which for completeness we report in Appendix E-B. In particular, our capacity-achieving schemes show the critical importance of coding across the two unicast sessions, asopposite to a naive time-sharing approach. For instance, consider the butterfly network withsingle source in Fig. 11(b), with all edge capacities equal to C and R = R = R . Over thisnetwork, if we simply timeshare across the two sessions, then we get R ≤ C , i.e., the edgebetween I and I is the bottleneck. However, by using the coding operation (i.e., the samesecret key can be used by the two sessions), we obtain R ≤ C , i.e., we can transmit at a double C C C C C C C S S I I D D (a) Butterfly network 1. C C C C + C C C D D I I S (b) Butterfly network with single source. C C C C C C + C S S D I I (c) Butterfly network with singledestination. C C C C C C C S S I I D D (d) Butterfly network 2. Fig. 11: Networks derived from the butterfly network.rate (see (25) in Appendix E-B). When all edge capacities are equal to C and R = R = R ,we can also draw the following additional conclusions. • Secure communication can incur significant rate losses with respect to the unsecure case.The rate losses can be quantified as: (i) for butterfly network 1 (secure communicationis not possible); (ii) more than for the case of single source ( R ≤ C without securityand R ≤ C with security); (iii) more than for the case of single destination and butterflynetwork 2 ( R ≤ C without security and R ≤ C with security). • For unsecure communication, the butterfly networks with single source and single destinationachieve a rate gain of over butterfly network 1. This gain is due to an increase in themin-cut values, which are tight and evaluate to R ≤ C in the butterfly network 1 and to R ≤ C in the cases of single source and single destination. • Under security considerations, the case of single source (i.e., R ≤ C ) brings higher through-put gains than the single destination case ( R ≤ C ). This is because in the former case, codingopportunities arise, i.e., the same key can be used by the two sessions. Moreover, thanksto the multipath diversity, these two cases enable secure communication, which was notpossible over the butterfly network 1. Regarding the butterfly network 2 the case of singlesource brings secure rate advantages. Actually, for both the butterfly network 2 and the caseof single source, the min-cut values evaluate to R ≤ C , but the secure rate achieved in theformer case, i.e., R ≤ C , is half the one achieved in the latter case, i.e., R ≤ C .A PPENDIX AP ROOF OF L EMMA G with singlesource and m = 2 destinations is separable. The graph G has min-cut capacity M { i } , i ∈ [2] , towards destination D i and min-cut capacity M { , } towards { D , D } , from which M (cid:63) { i } , i ∈ [2] , and M (cid:63) { , } can be computed by using the expressions in (4). We represent these min-cut capacitiesby the triple (cid:0) M { } , M { } , M { , } (cid:1) = (cid:0) M (cid:63) { } + M (cid:63) { , } , M (cid:63) { } + M (cid:63) { , } , M (cid:63) { } + M (cid:63) { } + M (cid:63) { , } (cid:1) , where the equality follows by using (4). We now prove Lemma 3 in two steps. We first showthat the graph G can be separated into two graphs: G a with min-cut capacities (cid:16) M (cid:63) { } , , M (cid:63) { } (cid:17) and G b with min-cut capacities (cid:0) M (cid:63) { , } , M (cid:63) { } + M (cid:63) { , } , M (cid:63) { } + M (cid:63) { , } (cid:1) . Then, by applying the same principle we further separate the graph G b into two graphs: G c withmin-cut capacities (cid:16) , M (cid:63) { } , M (cid:63) { } (cid:17) and G d with min-cut capacities (cid:16) M (cid:63) { , } , M (cid:63) { , } , M (cid:63) { , } (cid:17) . Thiswould complete the proof of Lemma 3.We now prove that we can separate the graph G into the two graphs G a and G b . Towards thisend, from the original graph G , we create a new directed acyclic graph G (cid:48) where a new node D (cid:48) is connected to D through an edge of capacity M (cid:63) { } + M (cid:63) { , } and to D through an edgeof capacity M (cid:63) { } . By following similar steps as in the proof of the direct part (achievabiliy) ofLemma 8 (see Appendix D), it is not difficult to see that in G (cid:48) the min-cut capacity between S and D (cid:48) is M (cid:63) { } + M (cid:63) { , } + M (cid:63) { } = M { , } , where the equality follows from (4c). From themax-flow min-cut theorem, we can find M { , } edge-disjoint paths from S to D (cid:48) ; we color theedges in these paths green . We can also find M { } edge-disjoint paths from S to D ; we colorthe edges in these paths red . Notice that, at the end of this process, some of the edges can haveboth green and red colors. We also highlight that: • Out of the M { , } green paths from S to D (cid:48) , M (cid:63) { } + M (cid:63) { , } paths flow through D and M (cid:63) { } flow through D . • If a path is exclusively green , it flows through D since otherwise, in addition to the M { } red edge-disjoint paths from S to D , we would have also this path and thereby violate themin-cut capacity constraint to D .The second observation above implies that, if there are M (cid:63) { } exclusively green paths, thenwe can separate the graph G (cid:48) into two graphs: G (cid:48) a that contains all these M (cid:63) { } exclusively green paths and G (cid:48) b that contains all the edges of G (cid:48) that are not in G (cid:48) a . Given this, by simply removingthe node D (cid:48) and its incoming edges, we get G a and G b . We now show how we can obtain these M (cid:63) { } exclusively green paths. Towards this end, we denote with P the set of all green pathsfrom S to D (cid:48) (notice that these paths might have also some red edges). Then, until there existsa path p ∈ P such that either it is not exclusively green or it does not start with an edge that isboth red and green , we apply the two following steps:1) Let e be the first edge in p , which is both green and red and denote with g the red pathfrom S to D that contains the edge e . Recall that, since the M { } red paths are edge-disjoint, there is only one red path g passing through e . We split the path p into two partsas p − e − p and similarly we split the path g into g − e − g .2) We add the red color to p (that before was all green ) and we remove the red color from g , i.e., now each edge in g is either green or it does not have any color. Note that in thisway we replace the red path g − e − g with p − e − g from source S to D , which isalso disjoint from the rest of M { } − red paths.We note that this process will stop only when all the M { , } paths from S to D (cid:48) are eitherexclusively green or start with an edge that is both red and green . We also note that, since we did not remove any edge, clearly we also did not change any min-cut capacity during this process.Since initially there were M { } red edges coming out of S and, in the process of the algorithm,we replaced one red by another red , then the number of red edges outgoing from S still remainsthe same. Thus, among the M { , } paths from S to D (cid:48) , only at most M { } paths start with anedge that is both green and red and therefore, by using (4), at least M (cid:63) { } are exclusively green paths. This proves that the original graph G can be separated into the two graphs G a and G b .By using similar arguments, one can then show that the graph G b can be separated into the twographs G c and G d . This concludes the proof of Lemma 3.A PPENDIX BP ROOF OF EXISTENCE OF E IN (11) FOR A RELIABLE DECODING
The destination D i will receive symbols { X e j , j ∈ M i } . Further, since N i is the right nullspace of V i in (9), then any vector that belongs to N i will have non-zero components only inthe positions indexed by { i ∈ M i } . It therefore follows that an inner product between a vectorin N i and [ X e , . . . , X e m ] is a valid decoding scheme.Let d (1) i , d (2) i , . . . , d ( R i ) i be the R i column vectors, each of length t , selected from N i . Weassume that the selected { d ji , i ∈ [ m ] , j ∈ [ R i ] } are linearly independent – see our assumptionin Proposition 4. We can write the messages decoded at destination D i , denoted by ˆ W i , asfollows ˆ W i = (cid:104) X e X e . . . X e t (cid:105) (cid:104) d (1) i d (2) i . . . d ( R i ) i (cid:105) . (18)We can stack all the decoded messages at the m destinations together and obtain (cid:104) ˆ W ˆ W . . . ˆ W m (cid:105) = (cid:104) X e X e . . . X e t (cid:105) (cid:104) d (1)1 . . . d ( R )1 d (1)2 . . . d ( R )2 . . . d (1) m . . . d ( R m ) m (cid:105) (a) = W T W T ... W Tm K T T E T V (cid:104) d (1)1 . . . d ( R )1 d (1)2 . . . d ( R )2 . . . d (1) m . . . d ( R m ) m (cid:105) = W T W T ... W Tm K T T E T (cid:104) d (1)1 . . . d ( R )1 d (1)2 . . . d ( R )2 . . . d (1) m . . . d ( R m ) m (cid:105) V (cid:104) d (1)1 . . . d ( R )1 d (1)2 . . . d ( R )2 . . . d (1) m . . . d ( R m ) m (cid:105) (b) = W T W T ... W Tm K T T E T (cid:104) d (1)1 . . . d ( R )1 d (1)2 . . . d ( R )2 . . . d (1) m . . . d ( R m ) m (cid:105) t × (cid:80) mi =1 R i = W T W T ... W Tm T E T (cid:104) d (1)1 . . . d ( R )1 d (1)2 . . . d ( R )2 . . . d (1) m . . . d ( R m ) m (cid:105)(cid:124) (cid:123)(cid:122) (cid:125) D , where the equality in (a) follows by using the definition in (11) and the equality in (b) is dueto the fact that the vectors in { d ( j ) i } are in the null space N i , which is contained inside the nullspace of V . Since we assumed that the selected { d ji , i ∈ [ m ] , j ∈ [ R i ] } are linearly independent,then this implies that the matrix D has rank (cid:80) mi =1 R i . Then, since E T is a matrix of dimension (cid:80) mi =1 R i × t , one can always find a matrix E T such that, E T D = I (cid:80) mi =1 R i . Thus, we get, (cid:104) ˆ W ˆ W . . . ˆ W m (cid:105) = (cid:104) W W . . . W m (cid:105) . This concludes the proof that there exists a choice of the matrix E in (11), which ensures thatall the destinations reliably decode their intended messages.A PPENDIX CP ROOF THAT THE RATE REGION IN (13)
IS SECURELY ACHIEVABLE
In order to show that the rate region in (13) is securely achievable, we use a two-step proof.First, we determine all the feasible ( R , R ) pairs that can be selected from the null space N i , such that the assumption in Proposition 4 is satisfied, namely such that the R + R selectedvectors are linearly independent. Hence, the result in Proposition 4 implies that any point in thisregion is achievable. Then, we prove that the convex hull of these feasible rate pairs is indeedthe region in (13). The proposition below represents the first step of our proof. Proposition 9.
The convex hull of all ( R , R ) rate pairs such that we can select R vectorsfrom N and R vectors from N , with all of these vectors being linearly independent, is givenby the following region R ≤ dim ( N ) ,R ≤ dim ( N ) ,R + R ≤ dim ( N + N ) , where + denotes the sum of subspaces N and N .Proof. We first show that we can select dim ( N ) vectors from N and dim ( N + N ) − dim ( N ) vectors from N , such that all these vectors are linearly independent. We have: • N is of dimension dim ( N ) and so we select dim ( N ) independent vectors from this space.One feasible choice consists of selecting the basis of the subspace N . Thus, R = dim ( N ) . • In the basis of N + N there are dim ( N + N ) independent vectors. Moreover, note thatthe basis of N + N is a subset of the basis of N union with the basis on N . So we canselect vectors from the basis of N as long as we select an independent vector. Thus, wecan select dim ( N + N ) − dim ( N ) vectors from N , i.e., R = dim ( N + N ) − dim ( N ) .By symmetry, one can also first select dim ( N ) vectors from the null space N and thendim ( N + N ) − dim ( N ) vectors from the null space N . For this case, one would get R = dim ( N ) and R = dim ( N + N ) − dim ( N ) . This completes the proof since these are the onlynon-trivial corner points for the region given in Proposition 9.We now prove that the region given in Proposition 9 coincides with the region given inProposition 6. We start by noting that we can rewrite the rate region in (13) as R ≤ [ |M | − k ] + ,R ≤ [ |M | − k ] + ,R + R ≤ min (cid:0) [ |M | − k ] + + [ |M | − k ] + , [ |M ∪ M | − k ] + (cid:1) . Since, as we have proved in (10), dim ( N i ) = [ |M i | − k ] + , ∀ i ∈ [ m ] , then we only need toshow that dim ( N + N ) = min (cid:0) [ |M | − k ] + + [ |M | − k ] + , [ |M ∪ M | − k ] + (cid:1) . The dimension of the sum of two subspaces can be computed asdim ( N + N ) = dim ( N ) + dim ( N ) − dim ( N ∩ N ) . Thus, we now need to compute dim ( N ∩ N ) . We note that N ∩ N is the null space of thematrix V (cid:63) , = VC , where C = C C , with C and C being defined as in (9). Moreover, there will be t − |M ∩ M | distinct rowsin C , and following the argument based on V being the generator matrix of a ( t, k, t − k + 1) MDS code, then the number of independent rows in V (cid:63) , is min( t, k + t − |M ∩ M | ) . Thus,dim ( N ∩ N ) = t − min( t, k + t − |M ∩ M | ) = [ |M ∩ M | − k ] + , which leads todim ( N + N ) = [ |M | − k ] + + [ |M | − k ] + − [ |M ∩ M | − k ] + = min (cid:0) ( |M | − k ) + + ( |M | − k ) + , ( |M ∪ M | − k ) + (cid:1) . The last equality can be verified by considering all possible four cases, namely: (1) |M | ≥ k, |M | ≥ k , (2) |M | < k, |M | ≥ k , (3) |M | ≥ k, |M | < k and (4) |M | < k, |M | < k .This concludes the proof that the rate region in (13) is securely achievable.A PPENDIX DU NSECURE CAPACITY FOR SINGLE SOURCE MULTIPLE UNICAST TRAFFIC
We here give the proof of Lemma 8 (originally proved in [5, Theorem 9]). We start by notingthat, by setting k = 0 in the outer bound in (1), we readily obtain the rate region in (17). Ittherefore follows that (17) is an outer bound on the capacity region of a multiple unicast networkwith single source and m destinations. We now prove that the region in (17) is also achievable.Assume that a rate m -tuple ( R , R , . . . , R m ) satisfies the constraint in (17). We now prove thatthis m -tuple is achievable. Towards this end, from the original graph G , we create a new directed acyclic graph G (cid:48) where a new node D (cid:48) is connected to each D i , i ∈ [ m ] , through an edge E (cid:48) i ofcapacity R i . It is not difficult to see that in G (cid:48) , the min-cut capacity between S and D (cid:48) is m (cid:80) i =1 R i .This can be explained as follows. Suppose that the min-cut from S to D (cid:48) , in addition to a subsetof E (i.e., the set of edges in the original G ), also contains some edges E (cid:48)J , with J ⊆ [ m ] . Thisclearly implies that the subset of edges from E should form a cut between source S and D [ m ] \J ,otherwise we would not have a cut between S and D (cid:48) . Thus, the min-cut has a capacity of atleast (cid:80) i ∈ J R i + M { D [ m ] \J } and, since (cid:80) i ∈ [ m ] \J R i ≤ M { D [ m ] \J } (this follows from the outer boundproved above), the min-cut has a capacity of at least m (cid:80) i =1 R i . Then, since the set E (cid:48) [ m ] is a cut ofcapacity m (cid:80) i =1 R i , it follows that the min-cut has a capacity of at most m (cid:80) i R i . This implies thatthe min-cut capacity between S and D (cid:48) in G (cid:48) is m (cid:80) i =1 R i . With this, the achievability of the rate m -tuple ( R , R , . . . , R m ) that satisfies the constraint in (17) directly follows from the max-flowmin-cut theorem. Indeed, since one can communicate a total information of m (cid:80) i =1 R i from S to D (cid:48) in G (cid:48) , then this is possible only if an amount R i of information flows through D i , i ∈ [ m ] , in G . This concludes the proof of Lemma 8. Notice that in order to transmit m (cid:80) i =1 R i messagepackets from S to D (cid:48) (single unicast session) network coding is not needed. Thus, there is noneed of coding operations to characterize the capacity region of a network with single sourceand multiple destinations. A PPENDIX ES ECURE C APACITY R ESULTS ON O THER I NSTANCES OF M ULTIPLE U NICAST T RAFFIC
A. Erasure Networks
We here report the secure capacity region results that we derived in [28] for the three networksin Fig. 9. In particular, the secure capacity regions can be found as the solution of some feasibilityprograms. We refer an interested reader to [28] for the complete proof of these results.
Proposition 10.
The secure capacity region of the Y-network in Fig. 9(a) is given by k j ≥ R j − δ j E − δ j δ j E , j ∈ [2] , (19a) k ≥ ( R + R ) 1 − δ E − δ δ E , (19b) R j − δ j + k j (1 − δ j ) δ j E ≤ , j ∈ [2] , (19c) R + R − δ + k (1 − δ ) δ E ≤ , (19d) k ≤ (cid:18) k δ E + k δ E (cid:19) (1 − δ ) δ E − δ δ E , (19e) R i , k j ≥ , i ∈ [1 : 2] , j ∈ [3] , (19f) where: (i) the first and the second constraints ensure that enough keys are generated, i.e., thenumber of generated keys is larger than the amount of information received by the adversary;(ii) the third and the fourth inequalities are time constraints ensuring that the length of the keygeneration phase plus the length of the message sending phase do not exceed the total availabletime; (iii) finally, the fifth constraint follows since node I has zero randomness and so the keythat it can generate is constrained by the randomness received from S and S . Proposition 11.
The secure capacity region of the RY-network in Fig. 9(b) is given by k + e (1 − δ ) δ E − δ δ E ≥ ( R + R ) 1 − δ E − δ δ E , (20a) k j ≥ R j − δ j E − δ j δ j E , j ∈ [2] , (20b) R + R − δ + k (1 − δ ) δ E + e − δ ≤ , (20c) R j − δ j + k j (1 − δ j ) δ j E ≤ , j ∈ [2] , (20d) k ≤ ( D − e ) (1 − δ ) δ E − δ δ E , (20e) k j ≤ (cid:18) e + k δ E (cid:19) (1 − δ j ) δ j E − δ j δ j E , j ∈ [2] , (20f) R i , e, k j ≥ , i ∈ [1 : 2] , j ∈ [3] , (20g) where: (i) the first and the second constraints ensure that enough keys are generated, i.e., thenumber of generated keys is larger than the amount of information received by the adversary;(ii) the third and the fourth inequalities are time constraints ensuring that the length of the keygeneration phase plus the length of the message sending phase do not exceed the total availabletime; (iii) finally, the fifth (respectively, sixth) constraint is due to the fact that the key that node S (respectively, node I ) can create is constrained by its limited randomness (respectively, therandomness that it receives from S ). Proposition 12.
The secure capacity region of the X-network in Fig. 9(c) is given by k j ≥ R j − δ j E − δ j δ j E , j ∈ [2] , (21a) k + e (1 − δ ) δ E − δ δ E ≥ ( R + R ) 1 − δ E − δ δ E , (21b) k j ≥ R j − − δ j E − δ j δ j E , j ∈ [4 : 5] , (21c) R j − δ j + k j (1 − δ j ) δ j E ≤ , j ∈ [2] , (21d) R j − − δ j + k j (1 − δ j ) δ j E ≤ , j ∈ [4 : 5] , (21e) R + R − δ + k (1 − δ ) δ E + e − δ ≤ , (21f) k ≤ (cid:18) k δ E + k δ E − e (cid:19) (1 − δ ) δ E − δ δ E , (21g) k j ≤ (cid:18) e + k δ E (cid:19) (1 − δ j ) δ j E − δ j δ j E , j ∈ [4 : 5] , (21h) R i , e, k j ≥ , i ∈ [1 : 2] , j ∈ [5] , (21i) where: (i) the first, second and third constraints ensure that enough keys are generated, i.e., thenumber of generated keys is larger than the amount of information received by the adversary;(ii) the fourth, fifth and sixth inequalities are time constraints ensuring that the length of the keygeneration phase plus the length of the message sending phase do not exceed the total availabletime; (iii) finally, the seventh and the eight constraints are due to the fact that the key that anode can create is constrained by the randomness that it receives from previous nodes.B. Arbitrary Edge Capacities We here report the unsecure and secure capacity region results that we derived in [30] for thefour networks in Fig. 11. In particular, these results are shown in Table II. We refer an interestedreader to [30] for the complete proof of these results.R
EFERENCES [1] N. Cai and R. W. Yeung, “Secure network coding,” in
Proceedings IEEE International Symposium on Information Theory(ISIT), , July 2002, pp. 323–.[2] R. Ahlswede, N. Cai, S. Y. R. Li, and R. W. Yeung, “Network information flow,”
IEEE Transactions on InformationTheory , vol. 46, no. 4, pp. 1204–1216, Jul 2000. Unsecure capacity region Secure capacity region B u tt er fl y n e t w o r k R ≤ min { C , C , C } , (22a) R ≤ min { C , C , C } , (22b) R + R ≤ C + min { C , C } . (22c) Secure communication is not possible. S i n g l e s o u rce R ≤ C +min { C + C , C , C } , (24a) R ≤ C +min { C + C , C , C } , (24b) R + R ≤ C + C + min { C + C , C , C + C } . (24c) R ≤ min { C , C + C , C , C } , (25a) R ≤ min { C , C + C , C , C } . (25b) S i n g l e d e s t i n a t i o n R ≤ C +min { C , C , C + C } , (26a) R ≤ C +min { C , C , C + C } , (26b) R + R ≤ C + C + min { C + C , C , C + C } . (26c) R ≤ min { C , C } , (27a) R ≤ min { C , C } , (27b) R + R ≤ min { C , C + C } . (27c) B u tt er fl y N n e t w o r k R ≤ C + min { C , C , C } , (28a) R ≤ C + min { C , C , C } , (28b) R + R ≤ C + C + C . (28c) R ≤ min { C , C , C , C } , (29a) R ≤ min { C , C , C , C } , (29b) R + R ≤ C . (29c) TABLE II: Unsecure and secure capacity regions for the networks in Fig. 11. [3] S. Y. R. Li, R. W. Yeung, and N. Cai, “Linear network coding,”
IEEE Transactions on Information Theory , vol. 49, no. 2,pp. 371–381, February 2003.[4] S. Jaggi, P. Sanders, P. A. Chou, M. Effros, S. Egner, K. Jain, and L. M. G. M. Tolhuizen, “Polynomial time algorithmsfor multicast network code construction,”
IEEE Transactions on Information Theory , vol. 51, no. 6, pp. 1973–1982, June2005.[5] R. Koetter and M. Medard, “An algebraic approach to network coding,”
IEEE/ACM Transactions on Networking , vol. 11,no. 5, pp. 782–795, October 2003.[6] S. U. Kamath, D. N. C. Tse, and V. Anantharam, “Generalized network sharing outer bound and the two-unicast problem,”in
International Symposium on Networking Coding (NetCod) , July 2011, pp. 1–6. [7] S. Kamath, D. N. C. Tse, and C. C. Wang, “Two-unicast is hard,” in IEEE International Symposium on Information Theory(ISIT) , June 2014, pp. 2147–2151.[8] A. Ramamoorthy and R. D. Wesel, “The single source two terminal network with network coding,” arXiv:0908.2847 ,August 2009.[9] C. E. Shannon, “Communication theory of secrecy systems,”
Bell Labs Technical Journal , vol. 28, no. 4, pp. 656–715,1949.[10] A. D. Wyner, “The wire-tap channel,”
The Bell System Technical Journal , vol. 54, no. 8, pp. 1355–1387, 1975.[11] L. Czap, V. Prabhakaran, C. Fragouli, and S. Diggavi, “Secret message capacity of erasure broadcast channels withfeedback,” in
IEEE Inf. Theory Workshop (ITW) , 2011, pp. 65–69.[12] J. Feldman, T. Malkin, C. Stein, and R. Servedio, “On the capacity of secure network coding,” in
Proc. 42nd AnnualAllerton Conference on Communication, Control, and Computing , 2004, pp. 63–68.[13] S. Y. El Rouayheb and E. Soljanin, “On wiretap networks ii,” in
Information Theory, 2007. ISIT 2007. IEEE InternationalSymposium on . IEEE, 2007, pp. 551–555.[14] T. Cui, T. Ho, and J. Kliewer, “On secure network coding with nonuniform or restricted wiretap sets,”
IEEE Transactionson Information Theory , vol. 59, no. 1, pp. 166–176, Jan 2013.[15] K. Bhattad, K. R. Narayanan et al. , “Weakly secure network coding,”
NetCod, Apr , vol. 104, 2005.[16] D. Silva and F. R. Kschischang, “Universal weakly secure network coding,” in
Networking and Information Theory, 2009.ITW 2009. IEEE Information Theory Workshop on . IEEE, 2009, pp. 281–285.[17] Y. Wei, Z. Yu, and Y. Guan, “Efficient weakly-secure network coding schemes against wiretapping attacks,” in , June 2010, pp. 1–6.[18] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, and M. Medard, “Resilient network coding in the presence of byzantineadversaries,” in
IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications , May 2007,pp. 616–624.[19] T. Ho, B. Leong, R. Koetter, M. M´edard, M. Effros, and D. R. Karger, “Byzantine modification detection in multicastnetworks using randomized network coding,” in
Information Theory, 2004. ISIT 2004. Proceedings. InternationalSymposium on . IEEE, 2004, p. 144.[20] O. Kosut, L. Tong, and D. Tse, “Nonlinear network coding is necessary to combat general byzantine attacks,” in , Sept 2009, pp. 593–599.[21] A. Papadopoulos, L. Czap, and C. Fragouli, “LP formulations for secrecy over erasure networks with feedback,” in , June 2015, pp. 954–958.[22] L. Czap, V. M. Prabhakaran, S. Diggavi, and C. Fragouli, “Triangle network secrecy,” in , June 2014, pp. 781–785.[23] A. Papadopoulos, L. Czap, and C. Fragouli, “Secret message capacity of a line network,”
CoRR , vol. abs/1407.1922,2014. [Online]. Available: http://arxiv.org/abs/1407.1922[24] A. Mills, B. Smith, T. C. Clancy, E. Soljanin, and S. Vishwanath, “On secure communication over wireless erasurenetworks,” in , July 2008, pp. 161–165.[25] J. Dong, R. Curtmola, and C. Nita-Rotaru, “Secure network coding for wireless mesh networks: Threats, challenges, anddirections,”
Computer Communications , vol. 32, no. 17, pp. 1790–1801, 2009.[26] R. Koetter, M. Effros, and T. Ho, “Network codes as codes on graphs,” in
Conference on Information Sciences and Systems(CISS) , 2004.[27] S. Riis, “Reversible and irreversible information networks,”
IEEE Transactions on Information Theory , vol. 53, no. 11, pp.4339–4349, November 2007. [28] G. K. Agarwal, M. Cardone, and C. Fragouli, “Coding across unicast sessions can increase the secure message capacity,”in , Jul 2016, pp. 2134–2138.[29] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, , vol. 39,no. 3, pp. 733–742, 1993.[30] G. K. Agarwal, M. Cardone, and C. Fragouli, “On secure network coding for two unicast sessions: Studying butterflies,”in